Blocking Access to SharePoint Web Services in an Extranet / External Publishing Scenario

This article discusses a method of blocking access to SharePoint web services from external connections.

To do this you will need a publishing server such as Microsoft ISA Server / Forefront TMG or a 3rd party application. I would also strongly advise that if you haven’t planned for such a server, you revise your design to include one (preferably 2 for clustering, HA, etc.).

So assumptions at this stage are that SharePoint is installed and ready to be published. A further assumption is that you have already created a publishing rule on ISA for the SharePoint Web application you want to publish and it is correctly configured and publishing SharePoint successfully.

The next step is to create a new standard web publishing rule (not a SharePoint rule) and place this ABOVE the SharePoint publishing rule for the main site. Remember that ISA evaluates rules in order.

So basically at this point what we want to do is block access to the SharePoint /_layouts/_vti_bin folder.

Call the publishing rule something like ‘Extranet Web Service Block Rule’ and use the same web listener that you have published SharePoint with.


Select the Paths tab and remove any entries. Then add a new path as follows:


What this will do is redirect anyone trying to access the _vti_bin folder to the accessdenied.aspx page, blocking anyone from connecting to the web service asmx files.

It is more than likely that the rule will need tweaking for authentication to work correctly, so be prepared to spend some time testing this to get it right.

An excellent post I would recommend around SharePoint Extranet best practices and lockdown is Joel Oleson’s post here.

This post is in no way meant as a step-by-step guide to publishing SharePoint via TMG / ISA; it is simply a guide to blocking web service access.

Blocking the web services will certainly impact the functionality of SharePoint externally and its usage, so such a change should be fully tested to make sure end users do not experience loss of functionality. Further tweaking to specific web services can be achieved using path mapping.


Pradeep said...


I do understand that the above will block the access to all the SharePoint Web Services. How can we allow access to one particular SharePoint Web Service (for example, _vti_bin/lists.asmx)? Can we provide access to this service for a particular user account, or for a particular application?

Any help would be greatly appreciated.

Thanks and Regards,
K. Pradeep

Paul Grimley said...

Hi Pradeep, if you put an allow rule in ISA / TMG above this to allow that specific page, it will be caught before the deny rule and hence not be blocked. As regards the user account, I believe you should be able to, yes.
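The rule ordering described in the article and in the reply above can be checked on paper before touching the firewall. The following is an added example, not code from the original post, its comments or ISA / TMG: a simplified first-match model in Python. It assumes the block path is `/_vti_bin/*` (the path entry is not shown on the page), that paths are compared case-insensitively, and the allow rule name, host name and sample URLs are constructed.

```python
from fnmatch import fnmatchcase
from urllib.parse import unquote, urlsplit

# Simplified model of an ordered publishing-rule list. Assumptions: first match
# wins, paths are URL-decoded and compared case-insensitively, and the block
# path is /_vti_bin/*. The allow rule name is hypothetical.
BLOCK = ("Extranet Web Service Block Rule", "/_vti_bin/*", "accessdenied.aspx")
ALLOW_LISTS = ("Allow lists.asmx (hypothetical)", "/_vti_bin/lists.asmx", "publish")
SHAREPOINT = ("SharePoint publishing rule", "/*", "publish")


def normalise(url):
    """Return the decoded, lower-cased path of a request URL."""
    return unquote(urlsplit(url).path).lower()


def evaluate(rules, url):
    """Walk the rules top to bottom; return (rule name, action) of the first match."""
    path = normalise(url)
    for name, pattern, action in rules:
        if fnmatchcase(path, pattern):
            return name, action
    return None, "deny (no rule matched)"


def audit(rules, probes):
    """Return the probe URLs that target _vti_bin yet are still published."""
    exposed = []
    for url in probes:
        _, action = evaluate(rules, url)
        if "/_vti_bin/" in normalise(url) and action == "publish":
            exposed.append(url)
    return exposed


# Constructed sample requests, not captured traffic.
PROBES = [
    "https://extranet.example.com/_vti_bin/lists.asmx",
    "https://extranet.example.com/_VTI_BIN/UserGroup.asmx",
    "https://extranet.example.com/sites/team/_vti_bin/webs.asmx",
    "https://extranet.example.com/Pages/default.aspx",
]

if __name__ == "__main__":
    orderings = {"block above": [BLOCK, SHAREPOINT],
                 "block below": [SHAREPOINT, BLOCK],
                 "allow, block, publish": [ALLOW_LISTS, BLOCK, SHAREPOINT]}
    for label, rules in orderings.items():
        print(label, "->", audit(rules, PROBES))
```

With the block rule on top, the constructed site-relative probe (`/sites/team/_vti_bin/webs.asmx`) still falls through to the SharePoint rule in this model, so test site-relative web service URLs as well as the root one.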
