Paul Galvin's (old) SharePoint space [SharePoint

Just another site

Web Application Policy, Security Sites and Security Trimming — Know your configuration

(UPDATED 11/29 to explain how to access web application policy settings via the UI)

I had one of those "why is MOSS doing this to me????" moments today.  In the end, it’s all my fault.

We have an enterprise MOSS project going on and we want to secure "place holder" sites so that no user may access it or see it.  That’s easy:

  1. Go to the site.
  2. Break the security inheritance.
  3. Remove every user/group from site permissions.

The above should leave just the site collection administrator with permission to see the site.

If anyone else logs in, they should no longer see the site and it should be security-trimmed from all the usual places.

But … it was not.  At the same time, I suddenly realize that my "Joe User" standard user test account with no priv’s other than restricted read access has a "Site Actions" choice everywhere he goes.  I double check one thing and double check something else.  I pick up the phone to call a colleague, but put it down and check something else.  I go for a walk and try everything all over again.  I call a colleague and leave a message.  And then, finally, I find that at Ethan’s blog, his opening graph makes it quite simple:

MOSS 2007 has a new feature called Web Application Policies. These are security permissions that is tied to a Web Application. These security settings override any security setting that is set at the Site Collection or Site (Web) level for that user.

A quick visit to web application policies shows that "NT Authority\authenticated users" had been granted Full Read.  I removed them from the list and everything finally started working as expected.  I believe they were added in the first place by someone with the mistaken impression that that is best method to grant read access to everyone in the enterprise.  It does, but, to strain a quote, "It does not mean what you think it means."

Access web application policies this way:

  1. Go to Central Administration
  2. Select Application Management
  3. Select "Policy for Web Application"
  4. On that screen, make sure you pick the correct web application.  For me, it defaults to the web application of central admin which may not be the one you want.

When I had this problem, I searched for the following phrases and got surprisingly little in terms of direct help on this issue:

Site actions visible for all users

Site actions visible to all users

site actions are not security trimmed

secure a MOSS site

introduction to moss security

Technorati Tags:


4 responses to “Web Application Policy, Security Sites and Security Trimming — Know your configuration

  1. RichRockwell November 16, 2007 at 2:13 pm

    I had the same problem, and this fixed it.  I had seen NT Authority\\authenticated users in my web app policy, but thought it was supposed to be there because I didn\’t put it there.  Removing it fixed the problem.

  2. Nathalie May 14, 2008 at 11:51 am

    Thanks for posting this!  As you said, there\’s not a lot of information on this issue. That fixed my problem… Thanks!

  3. Miguel June 12, 2008 at 7:13 am

    That fixed my problem… Thanks!
    But probably it\’s better to change the rights user to "Deny to all – No access" instead of deleting from the list. That produces the same effect but it\’s easier to give back the rights to the users just in case of problems

  4. Unknown August 28, 2008 at 1:37 pm

    I see "NT
    AUTHORITY\\LOCAL SERVICE" granted Full Read on several existing Web Applications on several MOSS servers, even though all services and Application Pools were configured during installation to run as specified domain accounts. That sounds like it might be a bug somewhere?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: