Securing SharePoint’s People Picker for Extranet use - Onsighting Microsoft products and technologies - Site Home

About People Picker

One of the often used features of SharePoint (WSS 3.0 and MOSS 2007) is People Picker. This is the component responsible for providing a fancy user interface for finding users when provisioning access:

By default, which in this context means - “I did a full installation of MOSS 2007 with mostly default settings and didn’t pay particular attention to securing anything” – People Picker is not secure.

Main issue with People Picker is that it’s accessible for regular users of a given site. Thus by accessing /_layouts/aclinv.aspx">http://<portal>/_layouts/aclinv.aspx anyone with basic access to the site can list and view existing users of the system:

By typing 'a' as the user and hitting search one can review a list of accounts that match this search term. Obviously this isn't a big issue in intranets and similar closed systems where trust is already given for that particular user performing the search. For anonymous sites (public WCM-sites mostly) lockdown mode should resolve most issues related to /_layouts/ application pages. See this article for more details: http://technet.microsoft.com/en-us/library/cc263468.aspx#section6.

What additional approaches can you take to secure People Picker?

Modifying People Picker behavior with stsadm.exe

Stsadm.exe (with SP1) enables you to control People Picker with the following properties:

peoplepicker-activedirectorysearchtimeout
peoplepicker-distributionlistsearchdomains
peoplepicker-nowindowsaccountsfornonwindowsauthenticationmode
peoplepicker-onlysearchwithinsitecollection
peoplepicker-searchadcustomfilter
peoplepicker-searchadcustomquery
peoplepicker-searchadforests
peoplepicker-serviceaccountdirectorypaths

These are well documented here: http://technet.microsoft.com/en-us/library/cc263318.aspx.

Deny access to /_layouts/aclinv.aspx

It would also be a good idea to deny access to /_layouts/aclinv.aspx. For some reason SharePoint doesn't have a built-in security authorization for this given application page like it has for settings.aspx. A proper approach would be to filter access to this given application page on the border firewall.

Alternatively, brewing your own HTTP Handler to filter out requests is also a viable option. See this article for more details: http://msdn.microsoft.com/en-us/library/bb457204.aspx

Modify /_layouts/aclinv.aspx

You should know that modifying anything underneath /_layouts/ probably breaks any support, so proceed with caution.

Modifying aclinv.aspx has its advantages too. This is the control from aclinv.aspx that renders People Picker:

<wssawc:PeopleEditor
    AllowEmpty=false
    ValidatorEnabled="true"
    id="userPicker"
    runat="server"
    ShowCreateButtonInActiveDirectoryAccountCreationMode=true
    SelectionSet="User,SecGroup,SPGroup"
/>

Several properties exist that can help in securing People Picker functionality:

ValidatorEnabled [true, false]: Set to false to disable validation of user accounts
Rows [#]: Set to 1 to prevent multiple user access
ShowButtons [true, false]: Set to false to disable the two functional buttons (check names and addressbook)
ValidateResolvedEntity [true, false]: Set to false to prevent validation of resolved entity
UrlZone [Custom, Intranet, Extranet, Internet, Default]: Specify with zone (AAM) to use for this control. Might be handy to set this to Intranet only

Hope this helps :)