Windows Explorer view does have several inherent security holes, and these holes pose significant risk to customers in military or DOD environments. For example, if SharePoint permissions give a user only read access to a file, the user is often still able to rename the file through the Windows Explorer view. In some cases, users with read access to certain files are even able to delete those files.
As well, Microsoft has stated that the Windows Explorer view in SharePoint 2010 does not work when using claims-based authentication with SAML security tokens: http://technet.microsoft.com/en-us/library/hh706161.aspx.
With SharePoint 2013, doing without the Explorer view is even more viable, because the web view now allows users to drag and drop files from their Windows desktop into the web browser and have those files copied into the SharePoint library.
Below are the methods for preventing end users from accessing the Windows Explorer view.
Method 1
Administrators can disable access to the Windows Explorer view by modifying the "User Permissions" on the web application. This is done within Central Administration:
- Click Manage Web Applications and select your web application
- Click the User Permission button in the ribbon
- Find the "Use Remote Interfaces" permission in the list and uncheck it (this also automatically unchecks the "Use Client Integration Features" permission)
This will disable the "Open in Explorer" button in the SharePoint ribbon for all libraries in all sites in the web application.
There is a problem with this method, though: it also disables all access to open documents in SharePoint from the Open dialog in MS Office applications. Access from SharePoint Designer and from all client object model applications will also be disabled. Please note that the Open dialog, like the Windows Explorer view, also does not fully respect SharePoint permissions. So this method may or may not work for your environment.
The permissions page has a URL like http://Siteurl/_admin/vsmask.aspx?WebApplicationId=webappGUID&IsDlg=1. Microsoft set scroll=no on the page body, so there is no need to panic if you cannot find a vertical scroll bar. Find "Use Remote Interfaces" on the page and uncheck the checkbox.
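To verify Method 1 across the farm rather than clicking through each web application, the following script (added here as an example; it is not from the original post) reads each web application's RightsMask and reports whether the two permissions are still granted. It assumes the SharePoint 2010 Management Shell on a farm server and the SPBasePermissions flag names UseRemoteAPIs and UseClientIntegration.

```powershell
# Audit script (added example): lists, per web application, whether the
# "Use Remote Interfaces" (UseRemoteAPIs) and "Use Client Integration Features"
# (UseClientIntegration) permissions are still granted in the web application's
# user permission mask. Written for PowerShell 2.0 as shipped with SharePoint 2010.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Flag values compared against RightsMask; cast to [long] so -band works on the
# 64-bit enum in PowerShell 2.0.
$remote = [long][Microsoft.SharePoint.SPBasePermissions]::UseRemoteAPIs
$client = [long][Microsoft.SharePoint.SPBasePermissions]::UseClientIntegration

Get-SPWebApplication | ForEach-Object {
    $mask = [long]$_.RightsMask   # permissions users of this web application may ever hold
    New-Object PSObject -Property @{
        WebApplication       = $_.DisplayName
        Url                  = $_.Url
        UseRemoteInterfaces  = (($mask -band $remote) -ne 0)   # $true means Explorer view still reachable
        UseClientIntegration = (($mask -band $client) -ne 0)
    }
} | Format-Table -AutoSize
```

A web application on which Method 1 was applied shows $false in both columns; any $true is a web application the setting has not yet been applied to.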
Method 2
I have found that simply removing the "Open in Explorer" button altogether from the SharePoint ribbon can be an effective way to prevent access through the Explorer view.
Following are the steps to remove this button from the ribbon:
- Create an empty SharePoint 2010 solution; you may give it any name you like
- Add a feature by right-clicking on Features in Solution Explorer
- Right-click on the project and add a new item; choose Empty Element and name it
- Open the Elements.xml file from the newly added item
- Copy and paste the following XML into the Elements.xml file:
<?xml version="1.0" encoding="utf-8"?>
<Elements xmlns="http://schemas.microsoft.com/sharepoint/">
  <CustomAction Id="RemoveRibbonButton" Location="CommandUI.Ribbon">
    <CommandUIExtension>
      <CommandUIDefinitions>
        <!-- An empty definition at this location replaces the button with nothing -->
        <CommandUIDefinition Location="Ribbon.Library.Actions.OpenWithExplorer" />
      </CommandUIDefinitions>
    </CommandUIExtension>
  </CustomAction>
</Elements>
Deploy the solution and observe that the "Open with Explorer" button has been removed from the ribbon.
This method is effective because when you open Windows Explorer on your desktop and paste in the URL of a SharePoint library, Windows automatically opens a web browser and navigates to the SharePoint web view of the library; it does not actually open the library in Windows Explorer. This allows the Open dialog in Windows to still navigate to a file in a SharePoint library and open it, but prevents users from effectively using the Explorer view.
This method, of course, may not be foolproof, meaning a malicious user may still find a way around it. However, it would cover 95% of cases where end users are simply trying to open documents that they are permitted to access. As well, this method still allows users to open SharePoint documents from the Open dialog in MS Office applications, SharePoint Designer, and client object model applications.
Method 3
A third method that is effective and still maintains client object model access and access through the Microsoft Office Open dialog is the following procedure, which modifies the permission required to use the Open in Explorer button. After this procedure, the "Open in Explorer" button in the SharePoint web interface is still visible and enabled, but only accessible to users that have the "ManageWeb" permission on the site. This lets you configure SharePoint so that site owners have access to the Windows Explorer interface, but regular users that only have Contribute permissions do not. Follow these steps to accomplish this:
- On the SharePoint 2010 server, navigate to the folder \Common Files\Microsoft Shared\Web Server Extensions\12\TEMPLATE\CONTROLTEMPLATES
- Make a copy of the file DefaultTemplates.ascx
- Open DefaultTemplates.ascx in Notepad
- Search for the string ID="OpenInExplorer"
- Below that string, change PermissionString="UseClientIntegration" to PermissionString="ManageWeb"
- You will find 2 instances of ID="OpenInExplorer"; you'll need to make the change in both places
- Save the file and issue an IIS reset
You'll then find that a user that is a site owner can click on the "Open in Explorer" button and still access SharePoint through the Explorer interface, but users that are not site owners (or who do not have the Manage Web Site permission) can click on the button but will get an "Access Denied" message. This works even if a user tries to create a shortcut to a URL and access the Explorer view from that shortcut, or tries to map a network drive to the SharePoint library URL: without the appropriate permissions they receive an "access denied".
Method 4
This method, probably the most extreme, is to disable WebDAV itself on the IIS web server. To accomplish this, follow these steps:
- Click the Windows "Start" button on your web server and select "Administrative Tools". Click "Internet Information Services Manager" to open the configuration utility, or type inetmgr in the Run dialog.
- Click the web server name in the left panel; a list of websites expands. Click the website name you want to edit, and click "Web Services Extensions" in the website directory.
- Select disable WebDAV on the top right side of the screen
- A message that WebDAV is disabled should be shown
Remove WebDAV handler mappings and modules
- Select the virtual directory from which the WebDAV elements should be removed
- Double-click the Handler Mappings icon
- Select WebDAV in the list and click Remove on the right side of the screen to remove it
- Select the virtual directory again
- This time, double-click the Modules icon
- Select "WebDAV module" in the list and click Remove on the right side of the screen to remove it
Check web.config
- Open the directory where Exact Synergy Enterprise is installed and which is used by the virtual directory from which you removed the WebDAV elements
- Open the web.config file
- Check whether the lines shown in the picture below have been added at the end of the file. If not, add them manually
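The handler and module removal steps above can be scripted and re-checked from the command line. The script below is an added example (not from the original post and not the picture it refers to): it uses the IIS WebAdministration module to turn WebDAV authoring off for one site and to remove the WebDAV module and handler from that site's web.config. It assumes IIS 7 or later, that the site-level modules and handlers sections are not locked in applicationHost.config, and the placeholder site name "SharePoint - 80".

```powershell
# Added example: disable WebDAV for a single IIS site and verify the result.
# The module name "WebDAVModule" and handler name "WebDAV" are the names IIS
# registers for the WebDAV Publishing feature.
Import-Module WebAdministration

$siteName = "SharePoint - 80"          # placeholder: substitute your web application's IIS site name
$sitePath = "IIS:\Sites\$siteName"

# Turn WebDAV authoring off for the site. The webdav/authoring section only
# exists when the WebDAV Publishing role service is installed, so ignore the
# error when it is absent.
Set-WebConfigurationProperty -PSPath $sitePath -Filter "system.webServer/webdav/authoring" `
    -Name "enabled" -Value $false -ErrorAction SilentlyContinue

# Remove the module and the handler mapping from the site's web.config, which is
# what the "Remove WebDAV handler mappings and modules" steps do in the GUI.
Remove-WebConfigurationProperty -PSPath $sitePath -Filter "system.webServer/modules" `
    -Name "." -AtElement @{ name = "WebDAVModule" } -ErrorAction SilentlyContinue
Remove-WebConfigurationProperty -PSPath $sitePath -Filter "system.webServer/handlers" `
    -Name "." -AtElement @{ name = "WebDAV" } -ErrorAction SilentlyContinue

# Verify: both queries should now return nothing for this site.
$moduleLeft  = Get-WebConfiguration -PSPath $sitePath -Filter "system.webServer/modules/add[@name='WebDAVModule']"
$handlerLeft = Get-WebConfiguration -PSPath $sitePath -Filter "system.webServer/handlers/add[@name='WebDAV']"
if ($moduleLeft -or $handlerLeft) {
    Write-Warning "WebDAV module or handler is still present on $siteName"
} else {
    Write-Output "WebDAV module and handler removed from $siteName"
}
```

After running it, open the site's web.config and confirm the remove entries for the module and handler appear under system.webServer, as the "Check web.config" step asks.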
WebDAV (Web Distributed Authoring and Versioning) is a simple extension to the HTTP protocol based on a public specification. It provides an extended vocabulary that defines how basic file functions, such as copy, move, delete, and create folder, are performed across HTTP.
Please note: I have not tested this last method myself, so your mileage may be different. Ensure that, if you go this route, you fully test the SharePoint server and determine whether access to files through other mechanisms (MS Office Open dialog, SharePoint Designer, client object model applications) is also affected. As well, these instructions may vary slightly depending on your version of IIS.