Restricting access to contents in “_vti_bin” for both authenticated as well as anonymous users

Question

As per a new security standard implemented by my organization I need to restrict access to the /_layouts/15/_vti_bin/lists.asmx for both authenticated as well as anonymous users.

I am thinking of restricting "everything" that is inside the folder _vti_bin. If I do that, will there be any problem in normal functioning of SharePoint 2013? I have few custom webparts that uses REST webservice but none of them use lists.asmx.

Note: Due to some reason I couldn't use the method "<location>...</location> " in web.config as recomended by Microsoft. So I am using the approach mentioned in this SE post (the one marked as answer).

Answer 1

This simply isn't supported. SharePoint needs to be able to make those calls as well, e.g. PowerPivot (call is translated from NT AUTHORITY\ANONYMOUS to the target caller). You will just need to communicate this to your security folks.

Answer 2

did you tried adding authorization rule in web.config file. eg. for specific sitecollection

<location path="sub-site/_vti_bin">
  <system.web>
    <authorization>
       <deny users= "?" />
       <allow users = ”*” />
    </authorization>
  </system.web>
</location>

refer below link for further details : http://thuansoldier.net/?p=4267