Manage Web Parts page and controls security (Windows SharePoint Services)

Applies To: Windows SharePoint Services 3.0


Topic Last Modified: 2007-10-31

Web Parts are user interface elements used in pages on SharePoint sites to present information pulled from multiple data sources. Administrators can create information dashboards on corporate portals and Web sites. A site owner or a site member with the appropriate permissions can create and customize Web Parts pages by using a browser to add, reconfigure, or remove Web Parts.

For more information about Web Parts, read the Web Parts in Windows SharePoint Services (\&clcid=0x40) section of the Windows SharePoint Services 3.0 SDK.

In Windows SharePoint Services 3.0, a Web Parts page is a collection of Web Parts that combines list data, timely information, or useful graphics into a dynamic Web page. The layout and content of a Web Parts page can be set for all users and optionally personalized for individual users.

The Web Part infrastructure in Windows SharePoint Services 3.0 exists on a layer above the ASP.NET 2.0 Web Part infrastructure. To effectively implement security on SharePoint sites, server administrators need to be familiar with security guidelines and best practices for ASP.NET 2.0. For more information, see Security Guidelines: ASP.NET 2.0 (\&clcid=0x40) in the MSDN Library Online.

Security for Web Parts pages and controls

Security for Web Parts pages and controls must be maintained through multiple means. Developers, site administrators, and server administrators need to work together to secure Web Parts and Web Parts pages. Developers should validate Web Part input to prevent server attacks. Server administrators need to configure Internet Information Services (IIS) and establish an appropriate authentication mechanism. Server administrators also configure and deploy Web Parts solutions to a Web server or Web farm. Once the solution is deployed, site administrators or server administrators use Windows SharePoint Services 3.0 to define the access levels and permissions to Web Parts pages. The following are the recommended security roles to secure Web Parts pages and Web Parts.

Role Category Applies to Description Recommended guidelines


Input Validation

Web Part code

Input validation refers to how your application filters, scrubs, or rejects input before additional processing. This includes verification that the input that your application receives is valid and safe.

Building Secure ASP.NET Pages and Controls ( (MSDN Library Online)

Walkthrough: Creating a Basic SharePoint Web Part ( (MSDN Library Online)

Server administrator



Authentication is the process where an entity validates the identity of another entity, typically through credentials, such as a user name and password.

Plan for authentication (Windows SharePoint Services)

Site administrator/ Server administrator


Site collections

Authorization is the process that provides access controls for Web sites, lists, folders, or items by determining which users can perform specific actions on a given object. The authorization process assumes that the user has already been authenticated.

Authorization and Authentication ( (MSDN Library Online)

Determine permission levels and groups to use (Windows SharePoint Services)

Enable access for end users (Windows SharePoint Services)

Server administrator

Configuration Management

.NET Framework configuration

Configuration management encompasses a broad range of settings that allow an administrator to manage the Web application and its environment. These settings are stored in XML configuration files, some of which control computer-wide settings, while others control application-specific configurations. You can define special security constraints in configuration files and computer-level code access security permissions.

"Code Access Security" in "Securing Your Web Server" ( (MSDN Library Online)

Microsoft Windows SharePoint Services and Code Access Security ( (MSDN Library Online)

Using Code Access Security with ASP.NET ( (MSDN Library Online)

The following are tasks for managing security on Web Parts pages and controls.

See Also


Configure and deploy secure Web Parts to your server (Windows SharePoint Services)
Manage Web Parts page authorization (Windows SharePoint Services)