Recently, I've seen a bunch of announcements about new public-facing Internet sites being released out into the wild running on SharePoint. This is awesome because it's great to see people catching on to the web content management features in the product. I do need to get something off my chest, though...
If you've got a public facing SharePoint site that allows anonymous access, ACTIVATE THE ViewFormPagesLockDown FEATURE!!!!!!!
This is especially true if you've spent any amount of time customizing the branding of your site.
Sezai has a good post on the Feature, and the TechNet documentation provides the details.
ViewFormPagesLockDown is a MOSS-only Feature (not in WSS) that does a couple of things:
1) Allows users to view only the Publishing pages in your site, not any of the form or view pages (DispForm.aspx, AllItems.aspx)
2) Disallows anonymous access to pages in the _layouts directory that inherit from LayoutsPageBase.
This Feature is active on the Publishing Portal site definition by default, but NOT on the Collaboration Portal site definition.
Without this Feature active on anonymous public sites, any and all users - including search engines like Live and Google - will be able to view (and crawl) SharePoint out-of-box pages which are tied to lists and webs that allow viewing by anonymous users. These users might not have the ability to do anything, but it most likely will not be what your organization would prefer them to view. In some cases, you might not care, but keep reading...
If you want to see some interesting and scary stats on how many sites there are that have NOT got the ViewFormPagesLockDown Feature activated, check out this result set from Live Search. Currently Live Search is returning 29,200 results, some being duplicates from the same site, but they are all links to sites that have the Publishing Feature installed, allow anonymous access, and have not activated the LockDown Feature. It's also a great result set for seeing some public-facing SharePoint, but that's not the point.
This is an easy fix! Activate the Feature! Please rest assured, though, that if this Feature is not active, and your site security is configured correctly, anonymous users should not be able to do anything in your site.
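If you'd rather script the check than click through Site Collection Features, here is a small console tool I've added as an example (it is not from the original post or the product). It looks the Feature definition up by its folder name, warns if the site collection doesn't actually allow anonymous access, and activates the Feature if it isn't already on. The site URL is a placeholder; run it on a farm server as an account with rights to the site collection.

```csharp
// Added example, not from the original post: report whether ViewFormPagesLockDown
// is active on a site collection and activate it if not.
using System;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Administration;

class LockDownCheck
{
    static int Main(string[] args)
    {
        // Placeholder URL; pass the real site collection URL as the first argument.
        string siteUrl = args.Length > 0 ? args[0] : "http://www.example.com";

        // Look the Feature definition up by folder name so no GUID is hard-coded.
        // It is null on plain WSS, where the Feature does not exist.
        SPFeatureDefinition def = SPFarm.Local.FeatureDefinitions["ViewFormPagesLockDown"];
        if (def == null)
        {
            Console.Error.WriteLine("ViewFormPagesLockDown is not installed (MOSS-only Feature).");
            return 2;
        }

        using (SPSite site = new SPSite(siteUrl))
        {
            // The lock-down only matters where anonymous users can get in at all.
            if (site.RootWeb.AnonymousState == SPWeb.WebAnonymousState.Disabled)
            {
                Console.WriteLine("Note: anonymous access is disabled on " + site.Url);
            }

            // The Feature is site-collection scoped, so it lives in SPSite.Features;
            // the indexer returns null when the Feature is not active.
            if (site.Features[def.Id] != null)
            {
                Console.WriteLine("ViewFormPagesLockDown already active on " + site.Url);
                return 0;
            }

            site.Features.Add(def.Id);
            Console.WriteLine("Activated ViewFormPagesLockDown on " + site.Url);
            return 0;
        }
    }
}
```

Run it once per public site collection; it is safe to re-run because it only calls Add when the Feature is not already active.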
One thing to note for you MOSS devs out there: I found that the lock-down on _layouts was a bit of a problem because I sometimes like to put custom application pages in the _layouts directory which I want to be hit by anonymous users. To get around the lock-down, there's the UnsecuredLayoutsPageBase class you can use as the base class of your page, and there's always just the Page class as in a standard ASP.NET application page.
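To make that concrete, here is an added example (not code from the original post) of the code-behind for a hypothetical _layouts/PublicStatus.aspx page that stays reachable by anonymous users with the Feature active. The page, class and namespace names are mine; the one thing the example hinges on is that UnsecuredLayoutsPageBase still refuses anonymous users unless AllowAnonymousAccess is overridden to return true.

```csharp
// Added example, not from the original post: code-behind for a hypothetical
// _layouts/PublicStatus.aspx. Deriving from UnsecuredLayoutsPageBase instead of
// LayoutsPageBase keeps the page outside the lock-down, and the override below
// is what actually lets anonymous requests through.
using System;
using System.Web.UI.WebControls;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Utilities;
using Microsoft.SharePoint.WebControls;

namespace Example.Layouts   // hypothetical namespace
{
    public class PublicStatusPage : UnsecuredLayoutsPageBase
    {
        // Declared in the .aspx markup as <asp:Literal id="StatusLabel" runat="server" />
        protected Literal StatusLabel;

        // Default is false even on UnsecuredLayoutsPageBase; return true to allow
        // anonymous hits. A LayoutsPageBase page cannot be opened up this way.
        protected override bool AllowAnonymousAccess
        {
            get { return true; }
        }

        protected override void OnLoad(EventArgs e)
        {
            base.OnLoad(e);

            // Keep the page read-only and expose only what anonymous visitors are
            // meant to see; list and web security still applies to anything you
            // read through the object model here.
            SPWeb web = SPContext.Current.Web;
            StatusLabel.Text = SPHttpUtility.HtmlEncode(web.Title);
        }
    }
}
```

The matching .aspx needs a Page directive whose Inherits attribute names this class and its assembly; everything else about deploying it to 12\TEMPLATE\LAYOUTS is the same as for any other application page.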