Disable HTTP Methods for SharePoint site
Hi,
Our firewall is reporting that someone is trying to use HTTP OPTIONS Method to exploit our SharePoint server.
I want to know which HTTP methods are required by SharePoint 2010 so that I can disable the other HTTP methods to increase security.
I am trying to follow recommendations from Open Web Application Security Project.
https://www.owasp.org/index.php/Test_HTTP_Methods_(OTG-CONFIG-006)
Regards, Muhammad Usman Azmat
Verbs such as OPTIONS will require authentication to be of any use. If you disable OPTIONS, you'll likely run into various issues using SharePoint, and here is an older example (that will likely apply even today):
http://blogs.msdn.com/b/vsofficedeveloper/archive/2008/10/03/sharepoint-cisco-css-switch-issue.aspx
At any rate, changing IIS settings at the Web Application IIS site level, with the exception of IIS Site Bindings where appropriate, is highly discouraged.
Trevor Seward
Similar Messages
-
Need help finding the default payment method for supplier site in R12
I am using the following query to find out what the default payment method is for a supplier site.
select pv.vendor_id ,
pvs.vendor_site_id,
iepa.ext_payee_id,
ieppm.payment_method_code
from ap_supplier_sites_all pvs
,ap_suppliers pv
,iby_external_payees_all iepa
,iby_ext_party_pmt_mthds ieppm
where pv.pay_group_lookup_code = 'EMPLOYEE'
and pv.vendor_type_lookup_code = 'EMPLOYEE'
and pv.employee_id is not null
and pv.employee_id =92584--p_person_id
and pv.vendor_id= pvs.vendor_id
and pvs.vendor_site_code = 'HOME'
and pvs.pay_group_lookup_code <> 'ATTACHMENT'
and ((pv.end_date_active is null) or (pv.end_date_active >= sysdate))
and ((pvs.inactive_date is null) or (pvs.inactive_date>= sysdate))
and pvs.pay_site_flag = 'Y'
and pvs.vendor_site_id = iepa.supplier_site_id
and iepa.ext_payee_id = ieppm.ext_pmt_party_id
and ieppm.primary_flag = 'Y'
and pv.segment1 = '131678'
The problem is that I am returning two rows.
I have gone in to the application and changed the default payment method from 'Check' to 'Electronic' and I am able to see the change on one of the records, however I am unable to determine how I'm supposed to narrow it down to just this record. I am pulling what hair I have left out!
Please help.
Chris
Here is the generic query for someone who is facing a problem like ours. This query will return all the payment methods for all sites of a supplier:
SELECT ieppm.payment_method_code, ieppm.inactive_date
FROM ap_supplier_sites_all assa,
ap_suppliers ass,
iby_external_payees_all iepa,
iby_ext_party_pmt_mthds ieppm
WHERE ass.vendor_id = assa.vendor_id
AND assa.pay_site_flag = 'Y'
AND assa.vendor_site_id = iepa.supplier_site_id
AND iepa.ext_payee_id = ieppm.ext_pmt_party_id
AND ass.segment1 = '10033' -- Supplier Number
AND ((ieppm.inactive_date IS NULL) OR (ieppm.inactive_date > sysdate)); -
Create a site utilization report for SharePoint Site with these conditions
HI,
How do we create a site utilization report for a SharePoint 2007 site. I want to include the following conditions in the report
a) The list of users who are accessing the site
b) The list of users who have not accessed the site ( Can we do some filtration based on some conditions )
c) When was the last date the user accessed the site
Hi Kalpana,
Sorry for the delay in replying. I don't think this is possible from the front end without involving the SQL dbo users table. If you find any other alternative, please share it here.
You can get site collection / sub site user details via the SP User Manager tool, and for the last access date/time you can use the SharePoint object model. Ref: http://blogs.msdn.com/b/varun_malhotra/archive/2010/05/12/moss-2007-get-last-accessed-date-for-a-site.aspx
Let us know if this helps
Regards,
Pratik Vyas | SharePoint Consultant |
http://sharepointpratik.blogspot.com
-
Hello Friends,
I need the following information about my SharePoint site collection
1. Info about the list of users accessing the site
2. Info about users accessing which part of the site ex.: list, library, page or item
3. How many times a list/library/page is accessed like a hit count
I'm sure that these are possible via audit log reports and search schemas. It would be helpful if someone can point me in the right direction.
Hi Chandrashekhar,
1. To get Info about the list of users accessing the site
- Download and install SharePoint User Manager
- https://5pm.codeplex.com/
2. To get info about users accessing which part of the site, e.g. list, library, page or item
- Enable auditing in your site collection
- Configure audit settings for a site collection
3. To get How many times a list/library/page is accessed like a hit count
- http://yourSiteURL/_layouts/usage.aspx
- This will give you Web Analytics Summary Report including total hits on site.
- For a detailed hit counter report on site, open site settings > Under Site Actions category click Site Web Analytics Reports.
-
Set alias URL for SharePoint site
Hi,
I want to set the SP site alias. my server name appearing http://dmfpqabudappcq2 and i want to change it to http://MySharePoint.
I check the central admin - AAM - Edit alias url. I have updated there.
Now, i am setting the new alias host in DNS. for this i have open the DNS - expands server name - Forward Lookup zone. When i go for right click then i can not see to add new alias and server IP there.
Can anyone please tell what i am missing here to complete the setting for SharePoint alias.
Any help is much appreciated.
Thanks,
Rakesh
I've never trusted changing a Web App's URL. I always advise adding a new AAM for http://intranet etc. alongside your already existing server name.
I would return the initial entry to how it was, then add a new AAM for your site.
Now, if I understand you correctly, you haven't added an A host record for the AAM address to DNS yet? This is described here:
http://technet.microsoft.com/en-us/library/cc779029%28v=ws.10%29.aspx
Once you have an A host record you should be able to 'ping' that address from a client computer. You should also be able to browse the site from a client computer (assuming there's a site collection created for that web application).
You will not, however, be able to browse it from your SharePoint server; this is because of the loopback check:
http://www.harbar.net/archive/2009/07/02/disableloopbackcheck-amp-sharepoint-what-every-admin-and-developer-should-know.aspx -
Disabling HTTP Methods: Put, Delete, Trace
Hello Everyone.
I am faced with the problem that I can not figure out how to disable the HTTP methods PUT, DELETE, TRACE.
We are running a Sun ONE App Server 7.0.0_05 install in a Linux environment.
What documentation exists that details the procedures on how to disable the HTTP methods on the web server? Or if someone can point me in the right direction, I would greatly appreciate it.
Thank you.
1) Why would TRACE and OPTIONS requests specifying HTTP 1.0 vs. 1.1 yield such different results?
Web Server 6.0 only implements the TRACE and OPTIONS methods for HTTP/1.1, not HTTP/1.0. This is reasonable as TRACE and OPTIONS are part of the HTTP/1.1 protocol and not the HTTP/1.0 protocol.
In other words, TRACE is always disabled for HTTP/1.0 requests, even if you don't use the set-variable work around.
2) Is the OPTIONS command a legitimate test of whether this fix works? If it is, has anyone managed to have the command return an "Allow:" line MINUS the TRACE?
Nope, not in Web Server 6.0. OPTIONS will always list TRACE. (Note that in Web Server 6.1, TRACE is not as tightly integrated into the server core. As a result, OPTIONS will conditionally list TRACE in 6.1.)
3) Has anyone managed to generate a 501 error message after specifying TRACE / HTTP/1.1 instead of 1.0?
Nope, not in Web Server 6.0.
4) Does this fix really work?
I wouldn't call it a fix; it's a work around. However, it does effectively disable TRACE. The work around is a bit of a kludge, resulting in the odd 413 status code.
The real "fix" appears in Web Server 6.1 where you can disable TRACE simply by commenting out the Service method="TRACE" fn="service-trace" line in obj.conf. -
Disable HTTP Methods from Weblogic 8.1 SP6
Hi... I want to disable some HTTP methods (such as DELETE, PUT, TRACE) on my WebLogic. I have a lot of deployed applications and I want to avoid asking the dev team to edit each web.xml file. Is there any way to disable them at the WebLogic level? Thanks in advance
Node Manager listens over SSL in WLS 8.1 SP6; you can't change it to listen over plain.
It's possible only in later versions.
Make the Node Manager run over SSL.
You might find this blog useful.
http://secure-zone.blogspot.com/2010/03/ssl-exceptions-in-admin-server-and-node.html
HTH,
Faisal -
HTTP Acceleration for internet sites
I am starting a pilot on Version 4.1.1a.10 and have 15 sites.
A small site w/ T1 has a majority of the bandwidth being consumed by... you guessed it, HTTP web traffic! So, the question is:
If I deploy a Core WAE in my DC on the inside of the "Surf" firewall, will the user behind the Edge WAE in the branch really feel the benefits when browsing internet sites? Does this new feature in 4.1 attempt to mitigate, in some small way, the need for caching servers? Connection reuse is a major component here, but how well will this function on an HTTP site outside of the Data Center?
Thanks in advance
Todd
Most of the discussion for HTTP acceleration has been for internal HTTP sites.
So, my interpretation of that statement is yes, a little bit. It will reduce the latency between the internet access point and the customer LAN. But what about connection reuse for internet sites? If the remote site goes to Facebook every day (for business use, let's say), will a Core WAE optimize (reduce latency) and use DRE caching techniques to improve performance to that site?
-
Cf8/9 - Best method for a site wide pop-up?
I'm curious what developers here use for a site-wide pop-up? cfwindow looks like a good option because of the modal option. I'm looking to pass in a few values to the pop-up window and call it from anywhere in my site. Does anyone have any examples of how they've implemented something like this?
Sounds no different than site wide images, stylesheets, function libraries, or other such things. Create a folder in the web root and put the template there. Then use absolute addressing when calling it.
-
Increasing MaxControls in Web.config for SharePoint Site
<SafeMode MaxControls="200" CallStack="false"
DirectFileDependencies="10"
We have reached the Max User Controls limit of 200 on our SharePoint Masterpage and need to increase this in the web.config to account for the new controls we are adding. Just wondering if anyone has any experience in increasing this number, and at what point you started seeing an effect on performance.
Thanks
Hi,
According to your post, my understanding is that you wanted to increase the maxcontrols in the web.config.
It is not recommended to modify the web.config to increase the MaxControls number.
If you change the number, it may cause issues, such as the site becoming unavailable and no one being able to access the web application, so that you have to do an IIS reset to make the site run again.
It is recommended to split up your page into multiple smaller pages if you have more than 200 user controls.
If only a few pages contain over 200 web controls, for each such page you can create a new page and move a portion of the components to the new one.
In this situation, each page has fewer than 200 controls; if they are web part pages, you just need to add an OOB Page View web part in one page to display the new page.
That's how to separate a control-overloaded page and display the parts with an iframe (or iframe web part) in one page.
More reference:
http://prasanjitmandal.blogspot.com/2013/05/fix-max-controls-issue-in-sharepoint.html
Thanks & Regards,
Jason
Jason Guo
TechNet Community Support -
Disable HTTP Methods on Sun One Web Server 6.1
I've been instructed by our auditors to disable the HTTP TRACE and TRACK methods in our web server. I can't find anything in the documentation on how to do this, although the following statements in the default object in obj.conf look like they might be involved:
Service method="(GET|HEAD)" type="magnus-internal/imagemap" fn="imagemap"
Service method="(GET|HEAD)" type="magnus-internal/directory" fn="index-common"
Service method="(GET|HEAD|POST)" type="*~magnus-internal/*" fn="send-file"
Service method="TRACE" fn="service-trace"
Can anyone point me in the right direction here?
Thanks,
Remove or comment out the line in obj.conf that contains the method "TRACE".
http://blogs.sun.com/meena/entry/disabling_trace_in_sun_java -
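The OWASP test linked in the opening SharePoint post, and the TRACE questions in the two Sun ONE threads above, come down to the same check: ask the server what it advertises (OPTIONS), try each method for real, and see whether TRACE echoes the request back. The script below is an added example of that probe; it is not code from any of the posts, nor from Microsoft or Sun. It runs against a constructed local server written to behave the way the Web Server 6.0 reply describes (OPTIONS always lists TRACE, TRACE is reflected for HTTP/1.1 requests and refused for HTTP/1.0), so it runs offline. The method list, the X-Probe-Marker canary header and the use of an ephemeral port are the example's own assumptions. Point the probe functions only at hosts you are authorized to test.

```python
"""Probe which HTTP methods a server accepts and whether TRACE reflects input.

Added example for the threads above, not code from any post.  The local
server is constructed to behave as the Web Server 6.0 reply describes.
"""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

METHODS = ["GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "TRACK"]
CANARY = "xst-canary"  # assumed marker: only we send it, so seeing it back means reflection


class DemoHandler(BaseHTTPRequestHandler):
    """Constructed target: allows GET/HEAD/POST/OPTIONS, reflects TRACE for HTTP/1.1 only."""
    protocol_version = "HTTP/1.1"

    def log_message(self, *args):
        pass  # keep the demo quiet

    def _reply(self, status, body=b"", extra=None):
        self.send_response(status)
        for name, value in (extra or {}).items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        self._reply(200, b"ok")

    do_POST = do_GET

    def do_HEAD(self):
        self._reply(200)

    def do_OPTIONS(self):
        # Lists TRACE unconditionally, as the 6.0 reply says that server does.
        self._reply(200, extra={"Allow": "GET, HEAD, POST, OPTIONS, TRACE"})

    def do_TRACE(self):
        if self.request_version == "HTTP/1.0":
            self._reply(501)  # TRACE only implemented for HTTP/1.1 requests
            return
        # Cross-site tracing hazard: request line and headers are echoed back.
        echo = "%s %s %s\r\n%s" % (self.command, self.path,
                                   self.request_version, self.headers)
        self._reply(200, echo.encode(), {"Content-Type": "message/http"})


def raw_request(host, port, method, version="HTTP/1.1", path="/"):
    """Send one request with an explicit HTTP version; return (status, headers, body)."""
    req = (f"{method} {path} {version}\r\nHost: {host}\r\nConnection: close\r\n"
           f"X-Probe-Marker: {CANARY}\r\n\r\n").encode()
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(req)
        chunks = []
        while chunk := sock.recv(4096):
            chunks.append(chunk)
    head, _, body = b"".join(chunks).partition(b"\r\n\r\n")
    if not head:
        return 0, {}, b""  # connection dropped without any reply
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def allowed_from_options(host, port):
    """What the server claims to allow: the Allow header of an OPTIONS reply."""
    status, headers, _ = raw_request(host, port, "OPTIONS")
    if status != 200 or "allow" not in headers:
        return set()
    return {m.strip().upper() for m in headers["allow"].split(",")}


def probe_methods(host, port, methods=METHODS):
    """Try each method for real; Allow headers can be wrong in either direction."""
    return {m: raw_request(host, port, m)[0] not in (0, 405, 501) for m in methods}


def trace_reflected(host, port, version="HTTP/1.1"):
    """True if a TRACE reply echoes our canary header (cross-site tracing)."""
    status, _, body = raw_request(host, port, "TRACE", version)
    return status == 200 and CANARY.encode() in body


def run_demo():
    """Start the constructed server on a free port, probe it, return the findings."""
    server = HTTPServer(("127.0.0.1", 0), DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    host, port = server.server_address
    try:
        return {"advertised": allowed_from_options(host, port),
                "accepted": probe_methods(host, port),
                "trace_http11": trace_reflected(host, port, "HTTP/1.1"),
                "trace_http10": trace_reflected(host, port, "HTTP/1.0")}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The advertised list and the real result are recorded separately on purpose: a server can list a method it rejects, or accept one it never advertises, so for the SharePoint question the evidence that matters is what probe_methods() returns for the verbs you are considering blocking, and for the auditors in the 6.1 thread the finding is whether trace_reflected() comes back True after the obj.conf change, with the HTTP/1.0 result showing why a 1.0-only test can give a false sense of security.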
Disable desktop notifications for a site
With the new update, Google Music now sends desktop notifications.
Firefox asked me if I wanted to enable them, and I accepted, but now I find them very annoying.
How can I turn them off? I searched in the options but I didn't find anything.
Type about:config and filter for plugins.hide_infobar_for_outdated_plugin, then double-left-click (or right-click and toggle) this to true.
-
direct2d acceleration on FF4 causes really bad font rendering problems for my site.
Text goes on top of each other and behind pictures, making it impossible to read in some parts. Disabling HW acceleration fixes the problem. Is there a script that I could use to disable it automatically for my site?
In fact, updating my graphics drivers was the cause of the problem. With the old drivers there were no problems. It depends on the system. So far I've tested on 6 Windows PCs; on 2 of them it worked fine. My site should be 100% W3C compliant. It works fine on 3.6, Chrome, IE and Opera.
-
Mobile Url for a site gives an error
when i try to access the mobile site of a SharePoint 2010 site it gives me the following error:
Error
Object reference not set to an instance of an object.
The mobile URL contains _layouts/mobile/mblwiki.aspx; this site has the wiki feature enabled.
Hi Omar,
According to your description, my understanding is that the error occurred when you access the mobile URL for SharePoint site.
I recommend to append "?Mobile=1" to the end of the URL of the SharePoint site
to access the mobile view to see if the issue still occurs, such as
http://MyServer/MySite/default.aspx?Mobile=1.
If the error still occurs, I recommend to check if the mobile view is activated for SharePoint.
http://technet.microsoft.com/en-us/library/ff393832(v=office.14).aspx
More reference:
http://msdn.microsoft.com/en-us/library/office/ms462572(v=office.14).aspx
Best regards.
Thanks
Victoria Xia
TechNet Community Support -
We have plans to roll out a hybrid SharePoint with our profiles in the Cloud. Does anyone know if it is possible to disable the ability for users to create sites under their Profile site in the cloud? As it stands out of the box, it looks like every user can create as many sites as they want under their Profile. There is a concern that users will "self-service" their own solutions without going through the proper channels of governance. Has anyone had to deal with this or have experience on how to restrict this functionality? Thanks in advance! :)
Hi Ken, we can disable this by blocking the self-service site creation option. By default it's disabled.
To disable the "Self-Service Site creation" option, just follow the steps given below:
1. Go to the Central admin.
2. Go to the "Application Management" & Select the specific web application.
3. Now, you can see the "Self-Service Site Creation" option in the Ribbon Menu.
4. Click on that Menu item and Select the "Off" option in the pop-up window
http://expertsharepoint.blogspot.de/2014/06/your-personal-site-cannot-be-created.html
Anil Avula[Partner,MCP,MCSE,MCSA,MCTS,MCITP,MCSM] See Me At: http://expertsharepoint.blogspot.de/