Alternate access mappings and sharepoint security for extranet

Do you have access to log in as an administrator on your public sharepoint web site? This can be an security risk and can easily be avoided by having alternate access mapppings in sharepoint that only allows you to log in as an administrator from within your internal domain.

Do the following to enable alternate access mapping to secure your site from being tampered with. If we have an scenario where you have an public website called http://yourpublicwebsite.com that we want our public users to access and view but not our administrator to login to via thier windows domain accounts. The following is one way to do this and works as an check list for myself when performing the operation.


Extend existing web application with another iis web site

1. In Central administration > Application management > Sharepoint Web application Management Click Create or extend Web application and then click extend and existing Web application.
   
2. Choose the web application that you want to extend and specify the port, host header, url, zone and path of web site root.
   

Add alternate access mapping

1. In Central administration > Operations > Global Configuration: click Alternate access mappings.
   
2. Choose the Access Mapping collection for http://yourpublicwebsite.com. Click Change alternate access mapping collection on the Alternate Access Mapping Collection menu.
   
   
3. Add a new url called http://yourpublicwebsitefba.com and define its zone to Extranet and click save.

Authentication Providers

To mock forms based access to your public or extranet web site you can do the following. Build your own authentication provider called FbaMembershipProvider which only implements the functions that are needed for mcoking the behaviour (GetUser, ValidateUser, FindUsersByName, FindUsersByEmail). The provider is then shipped as an separate solution or in your Sharepoint app solution to be used by the web application. All this can be done quite easily outside of Sharepoint but to have it configured via Central administration this is what to do:

1. In Central Administration > Application Management > Authentication Providers add the FbaMembershipProvider to your extended web application. set authentication type to Forms, enable anonymous access and disable client integration.
   
2. In the web config file make the following additions to the system.web element:
   

<membership defaultprovider="FbaMembershipProvider">
<providers>
    <remove name="AspnetSqlmembershipProvider"></remove>
     <add name="FbamembershipProvider" type="YourAppAssembly.Security.FbaMembershipProvider, YourAppAssembly, Version=YourAppVersion, Culture=neutral, PublicKeyToken=YourPublicKeyToken">
</add>
</providers>
</membership>

When this is done you test the different urls and if everything works you should on the externa l site be able to browse anonymously and not being able to log in. On the internal url you will be able to log in and handle you administrative tasks.

A bit to much work for such an simple solution but Sharpeoint can sometimes be a bit cumbersome to configure.