Restrict to _vti_bin folder in all subsites for external SharePoint Sites

Question

Hi as per company security compliance anonymous users should not access _vti_bin folder and services inside this folder.

• we have an external SharePoint site accessible for anonymous users. if I restrict access _vti_bin is impact to Site? or its allowed to anonymous users is any impact to security of site?

We enable the feature ViewFormPagesLockDown and also modify the Web.config file with the following XML element: but we have many sub sites and below configuration only applicable to certain site path only for example if I have subsite /en/news/_vti_bin/spsdisco.aspx below configuration not work.

Answer 1

_vti_bin is required to execute certain queries, which run under the user context (or anonymous). Locking this down isn't required as the code itself implements security.

This is lack of understanding of SharePoint on the security team's part.