Web Application Policy, Security Sites and Security Trimming — Know your configuration

(UPDATED 11/29 to explain how to access web application policy settings via the UI)

I had one of those "why is MOSS doing this to me????" moments today.  In the end, it’s all my fault.

We have an enterprise MOSS project going on and we want to secure "place holder" sites so that no user may access it or see it.  That’s easy:

  1. Go to the site.
  2. Break the security inheritance.
  3. Remove every user/group from site permissions.

The above should leave just the site collection administrator with permission to see the site.

If anyone else logs in, they should no longer see the site and it should be security-trimmed from all the usual places.

But … it was not.  At the same time, I suddenly realize that my "Joe User" standard user test account with no priv’s other than restricted read access has a "Site Actions" choice everywhere he goes.  I double check one thing and double check something else.  I pick up the phone to call a colleague, but put it down and check something else.  I go for a walk and try everything all over again.  I call a colleague and leave a message.  And then, finally, I find that at Ethan’s blog, his opening graph makes it quite simple:

MOSS 2007 has a new feature called Web Application Policies. These are security permissions that is tied to a Web Application. These security settings override any security setting that is set at the Site Collection or Site (Web) level for that user.

A quick visit to web application policies shows that "NT Authority\authenticated users" had been granted Full Read.  I removed them from the list and everything finally started working as expected.  I believe they were added in the first place by someone with the mistaken impression that that is best method to grant read access to everyone in the enterprise.  It does, but, to strain a quote, "It does not mean what you think it means."

Access web application policies this way:

  1. Go to Central Administration
  2. Select Application Management
  3. Select "Policy for Web Application"
  4. On that screen, make sure you pick the correct web application.  For me, it defaults to the web application of central admin which may not be the one you want.

When I had this problem, I searched for the following phrases and got surprisingly little in terms of direct help on this issue:

Site actions visible for all users

Site actions visible to all users

site actions are not security trimmed

secure a MOSS site

introduction to moss security

Technorati Tags:

4 thoughts on “Web Application Policy, Security Sites and Security Trimming — Know your configuration

  1. Perry

    I see "NT
    " granted Full Read on several existing Web Applications on several MOSS servers, even though all services and Application Pools were configured during installation to run as specified domain accounts. That sounds like it might be a bug somewhere?

  2. Miguel
    That fixed my problem… Thanks!
    But probably it’s better to change the rights user to "Deny to all – No access" instead of deleting from the list. That produces the same effect but it’s easier to give back the rights to the users just in case of problems
  3. Nathalie Gosdinski
    Thanks for posting this!  As you said, there’s not a lot of information on this issue. That fixed my problem… Thanks!
  4. RichRockwell wrote:
    I had the same problem, and this fixed it.  I had seen NT Authority\authenticated users in my web app policy, but thought it was supposed to be there because I didn’t put it there.  Removing it fixed the problem.

Leave a Reply

Your email address will not be published. Required fields are marked *