Question

Ok, so I finished developing my internet site. It uses a federation provider to authenticate public users. Now what I'm concerned about is the site security. I see that any logged-in user can see the _layouts/viewlsts.aspx page. Even more, they can see data in the lists, and I don't want that to happen.

I searched a lot and found out that users can see even more pages I was not aware of. For example http://site.url/_vti_bin/spdisco.aspx. They can see some web services SharePoint exposes, etc.

Is there any article with best practices to make my site secure?


Solution

Waldek is right, you should definitely look into Liam's in-depth series. In the meantime, nothing prevents you from implementing an HTTP module like the one described over there: http://share1point.blogspot.com/2012/10/httpmodule-and-sharepoint-security.html

If you're not able to distinguish among all your authenticated users (e.g. public and internal collaborators who will contribute on that site), you should work with extended web applications (or a separate authoring and production environment). The extended application (or isolated environment) will be the only one to receive all your security trimming or custom modules like the one suggested.

Keep in mind that an HTTP module will run for all requests, so you definitely want to optimize any procedures over there.
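
A sketch of the kind of HTTP module the answer above suggests, added here as an example (it is not code from the answer or from the linked post). The module name, the `InternalContributors` role and the allow-list of sign-in and error pages are assumptions to adapt to your farm.

```csharp
using System;
using System.Web;

// Added example: hides application pages and web services from public users.
public sealed class SystemPageGuardModule : IHttpModule
{
    // Assumption: a role that identifies internal contributors.
    private const string InternalRole = "InternalContributors";

    // Path segments that expose application pages and web services.
    private static readonly string[] Blocked = { "/_layouts/", "/_vti_bin/" };

    // Assumption: pages that must stay reachable for sign-in and error handling.
    private static readonly string[] Allowed =
    {
        "/_layouts/login.aspx", "/_layouts/authenticate.aspx",
        "/_layouts/accessdenied.aspx", "/_layouts/error.aspx"
    };

    public void Init(HttpApplication app)
    {
        // Fires once HttpContext.User is set, before the page handler runs.
        app.PostAuthenticateRequest += OnPostAuthenticate;
    }

    private static void OnPostAuthenticate(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        string path = ctx.Request.Path;

        // The module runs for every request: leave on the cheapest test first.
        if (path.IndexOf("/_", StringComparison.Ordinal) < 0) return;
        if (!Array.Exists(Blocked, b =>
                path.IndexOf(b, StringComparison.OrdinalIgnoreCase) >= 0)) return;

        // Compare FilePath, not Path, so trailing path info appended to a
        // blocked page cannot make it look like an allowed one.
        string file = ctx.Request.FilePath;
        if (Array.Exists(Allowed, a =>
                file.EndsWith(a, StringComparison.OrdinalIgnoreCase))) return;

        if (ctx.User != null && ctx.User.IsInRole(InternalRole)) return;

        // 404 rather than 403, so the response does not confirm the page exists.
        ctx.Response.StatusCode = 404;
        ctx.Response.SuppressContent = true;
        ctx.ApplicationInstance.CompleteRequest();
    }

    public void Dispose() { }
}
```

Register it only in the web.config of the public-facing (extended) web application, so internal authors keep normal access through their own zone. Blocking all of `/_vti_bin/` also stops any client-side feature that calls those services, so test the public pages after enabling it.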

OTHER TIPS

Liam Cleary (SharePoint MVP) wrote a series of articles on this topic recently. Check out the Security section on his blog for more details: http://blog.helloitsliam.com/Lists/Categories/Category.aspx?CategoryId=11&Name=Security.

Licensed under: CC-BY-SA with attribution
Not affiliated with sharepoint.stackexchange