MOSS 2007 retrieve user info with MS Access (security issue)

  • Question

  • Within MS Access you can create a connection to a SharePoint site, from there you can view the table UserInfo.
    This way an authenticated user can pull all the user data out of SharePoint.
    Is it possible to disable this?

    For security reasons we can't have this.

    How to do it in Access
    - start Access
    - create blank database
    - select External Data -> More -> SharePoint List
    - fill in your URL to SharePoint
    - select UserInfo table



    • Edited by Michel--NL Thursday, November 3, 2011 1:04 PM
    Thursday, November 3, 2011 1:03 PM

Answers

  • Hello,

    One of the options I can think of is to edit the web.config file for the SharePoint web application and make the required changes. You'll need to change the allow users section to add the correct user/group (in Domain\User format) so that only those users can access the User Information List.

    You could add the following to the web.config under the </runtime> section (after end runtime tag).

     <location path="_catalogs/users">
        <system.web>
          <authorization>
            <deny users="?" />
            <allow users="SharePoint\Administrator" />
            <!-- ASP.NET stops at the first matching rule; without this catch-all deny,
                 other authenticated users fall through to the inherited allow-all default -->
            <deny users="*" />
          </authorization>
        </system.web>
     </location>


    Please remember to click 'Mark as Answer' on the post that helps you or click 'Unmark as Answer' if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Regards,
    Nishant Shah
    Microsoft Online Community Support

    Thursday, November 10, 2011 11:48 AM
    Moderator
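    As an added example (not code from this thread or from SharePoint), a small Python model of how ASP.NET evaluates the rules inside a web.config <location>: the first rule that matches the caller decides, and a location where nothing matches inherits the machine-wide default of allowing everyone. It compares a two-rule fragment (deny anonymous, allow one account) with a version that ends in a catch-all deny; the config text and the account names are constructed.

```python
"""Model of ASP.NET <authorization> evaluation for a web.config <location>.

Added example, not code from the thread. Rules are checked top to bottom and
the first matching rule decides; '?' matches anonymous callers, '*' matches
everyone; with no match the inherited default <allow users="*"/> applies.
"""
import xml.etree.ElementTree as ET

# Constructed fragments. TWO_RULE denies anonymous and allows one account;
# HARDENED appends a catch-all deny so other authenticated users do not
# fall through to the inherited allow-all default.
TWO_RULE = """<configuration>
  <location path="_catalogs/users">
    <system.web><authorization>
        <deny users="?" />
        <allow users="SharePoint\\Administrator" />
    </authorization></system.web>
  </location>
</configuration>"""

HARDENED = TWO_RULE.replace(
    '<allow users="SharePoint\\Administrator" />',
    '<allow users="SharePoint\\Administrator" />\n        <deny users="*" />')

def _split(value):
    return [v.strip() for v in value.split(",") if v.strip()] if value else []

def load_rules(config_xml, path):
    """Return [(verb, users, roles)] for the <location> whose path matches."""
    for loc in ET.fromstring(config_xml).iter("location"):
        if loc.get("path", "").lower() == path.lower():
            auth = next(loc.iter("authorization"), None)
            return [] if auth is None else [
                (r.tag, _split(r.get("users")), _split(r.get("roles"))) for r in auth]
    return []  # no <location> for this path: only inherited rules apply

def is_allowed(config_xml, path, user, roles=(), authenticated=True):
    """Evaluate like ASP.NET: first matching rule wins, else inherited allow."""
    caller_roles = {r.lower() for r in roles}
    for verb, users, rule_roles in load_rules(config_xml, path):
        matched = ("*" in users
                   or ("?" in users and not authenticated)
                   or user.lower() in (u.lower() for u in users)
                   or any(r.lower() in caller_roles for r in rule_roles))
        if matched:
            return verb == "allow"
    return True  # nothing in the location matched: default is allow *
```

    Note that the rules only apply to requests under the path named in the <location>; a request to a different path on the same web application is unaffected by them.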
  • Hi,

    In addition to what Nishant said there is also the possibility to create a permission policy (Application Management -> Policy for Web Application -> Manage Permission Policy Levels) to deny "Browse User Information - View information about users of the Web site" in the Central Administration, but this will also remove the ability to grant permissions or to create groups and do some other stuff for all users that are assigned to this policy.

    If you don't want to break inheritance on your site you could simply create a new permission level in the site collection for which you want to disable it. The problem with this is that if a user/group gets "Limited Access" by breaking inheritance he will get the Browse User Information right because it is part of the Limited Access role (could be a design oversight), which cannot be changed.

    Thursday, November 10, 2011 1:22 PM
