Want to Use SharePoint as Your Public Web Site? Make Sure You Know What You Are Doing!

I keep getting asked about whether I recommend using SharePoint to serve public-facing web sites. Or rather, the questions seem to be something like, ‘We want to use SharePoint as a public web site, what should concern us?’

I’ll answer this briefly, and then elaborate: Sure, go ahead, but make sure you take the necessary precautions.

Before I elaborate, let me answer another question: Where did I get the high-res pictures from the SharePoint 2010 Sneak Peek videos that I included in the previous SharePoint 2010 Beta series issue?

The answer is: I got them from Microsoft. Basically, I went to sharepoint.microsoft.com, logged in with my Live ID when prompted, and then had full access to the entire site. No, I don’t mean the regular pages that most people see, I mean the full SharePoint site, lists, libraries, workflows, user lists, everything…

[Screenshots: 29.07.2009 14-02-06-0001, 29.07.2009 14-02-00-0002]

That includes the very secretive SharePoint 2010 Sneak Peek site as well.

[Screenshot: 30.07.2009 12-02-59-0007]

You would think that the creators of SharePoint knew how to set it up, but alas, even basic security isn’t implemented.

By the way, I wonder what would happen if I uploaded something here:

[Screenshot: 28.07.2009 22-37-39-0010]

Perhaps a policy stating that the SharePoint 2010 NDA is no longer in effect and all information should be published on a want-to-know basis. That page doesn’t even implement proper security, so most public facing SharePoint sites expose that page, no login required.

Oh, and I told Microsoft about this on July 29, 2009, and they had changed their login and permissions within a few hours. I spent that day browsing very interesting stuff, including the high-res screenshots from the SharePoint 2010 demo. I did snap about 50 other screenshots, by the way.

However, in the spirit of full disclosure, I think you should know.

Where am I going with this? Well, putting a SharePoint server on the front line against the world takes care and skill, and you’ll be exposing potentially secret stuff if you don’t heed this warning.

This isn’t isolated to Microsoft, however. The WSSDemo site that Ian Morrish hosts has a long list of public-facing web sites running on SharePoint. Stop by any one of them and substitute the Pages/default.aspx or Pages/[whatever] with _layouts/viewlsts.aspx and you’ll usually get the All Site Content of that server. That in itself may expose a lot of information. Add to that the fact that you can use this to find pages that may not be properly secured, like the Import Policy page (_layouts/importpolicy.aspx), and an attacker can gain valuable insights into how to attack you, or even just download information you thought was not there.

Just try googling _layouts/importpolicy.aspx and you’ll find several sites that list the contents of the LAYOUTS folder, including custom application pages that may or may not be properly secured. I know, for example, of a certain employee of a large financial corporation who just recently applied for a job at a competing company, not knowing that his ‘secret’ job application is now public knowledge to anyone who can ‘guess’ the All Site Content URL of a certain site.
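To see whether your own site is already handing out these pages, check the web server logs for application pages under _layouts that were served without a login. The script below is an added example, not code from this post; it assumes IIS W3C extended logging with the standard cs-uri-stem, cs-username, c-ip and sc-status fields, and the sample log lines are constructed.

```python
from collections import defaultdict

# Constructed sample in IIS W3C extended format (documentation IP ranges).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.0
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2009-07-29 12:02:06 GET /Pages/default.aspx - - 203.0.113.7 200
2009-07-29 12:02:09 GET /_layouts/viewlsts.aspx - - 203.0.113.7 200
2009-07-29 12:02:15 GET /_layouts/ImportPolicy.aspx - - 203.0.113.7 200
2009-07-29 12:03:01 GET /_layouts/viewlsts.aspx - - 198.51.100.23 401
2009-07-29 12:04:40 GET /_layouts/settings.aspx - CONTOSO\\admin 192.0.2.10 200
2009-07-29 12:05:12 GET /_layouts/viewlsts.aspx - - 198.51.100.99 200
2009-07-29 12:05:30 GET /_layouts/images/logo.gif - - 198.51.100.99 200
"""


def anonymous_layouts_hits(log_text):
    """Return {lowercased page path: sorted client IPs} for application pages
    under /_layouts/ that were served (HTTP 200) to unauthenticated clients."""
    fields, hits = [], defaultdict(set)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # skip truncated or malformed rows
        row = dict(zip(fields, values))
        path = row.get("cs-uri-stem", "").lower()
        if ("/_layouts/" in path and path.endswith(".aspx")
                and row.get("cs-username") == "-"   # "-" means no authenticated user
                and row.get("sc-status") == "200"):
            hits[path].add(row.get("c-ip", "?"))
    return {page: sorted(ips) for page, ips in hits.items()}


if __name__ == "__main__":
    for page, ips in sorted(anonymous_layouts_hits(SAMPLE_LOG).items()):
        print(f"{page}: served anonymously to {', '.join(ips)}")
```

Expect a few legitimate hits, such as a sign-in page; anything else on the list is a page you should either lock down or be able to justify.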

So, what’s my advice?

First, don’t listen to anyone who says that ‘SharePoint is secure out-of-the-box’. They are lying. Securing a SharePoint server requires great insight, regardless of whether it is public or internal.

Second, beat your developers over the head if they cannot answer the question: How are you securing your custom code? In fact, beat them repeatedly.

Third, if you’re using SharePoint as a front end, be very, very careful about what you put on that server. Having a contact form that stores entries in a list means your list may be exposed with a simple URL replacement hack.

Yes, there are some measures you can take to reduce the attack surface. A good architect or security person will know about these measures. Ask whoever is responsible for your shiny new public facing SharePoint site about what they are doing to secure the site, and don’t accept any ‘We are putting this stuff behind a firewall’ kind of explanation.



Published by

Bjørn Furuknap
