1.11. Blocked File Types
All files that users try to upload into SharePoint 2010 with the file extensions contained in the list on the Blocked File Types page will be blocked
automatically—they are prevented from being uploaded to the Web
application. You can modify the list of blocked file extensions to add
new extensions or remove any of the default extensions.
These blocked file types are enforced not only when documents are
uploaded but also when a file's extension changes to one that is on
the list of blocked file types. For example, .exe documents are blocked.
If you zip an .exe file, upload it with the .zip extension, and then
try to unzip it in the document library, you’ll find that the document
will not extract because SharePoint blocks all files containing an .exe
file extension—even if they are already in the library with a different
extension.
However, if the user has
wrapped the file in another file extension type that is allowed, the
file can be uploaded, even though it can’t be extracted. For example, if
a user adds an .mp3 file to a .zip file, the .zip file is allowed—it is
not blocked when it is uploaded so it is stored in SharePoint as a .zip
file containing an .mp3 file. To prevent these sorts of files from
being uploaded to a Web application,
you can use a content filtering engine such as Microsoft Forefront that
can detect blocked file types hidden in files with allowable
extensions.
1.12. User Permissions
There are three different
categories of permissions, each of which contains individual permissions
that are applied by default to every new Web application. Every site
collection and site created in that Web application will inherit these user permissions. The user
permissions are used when you create or edit the permissions of a site
group. You can remove any of the individual permissions by clearing the
check box next to it, which will prevent that permission from being used
in any site groups throughout the entire Web application. The following
three categories of permissions can be configured.
List permissions include the standard rights
of a user for viewing, adding, or deleting a list item. The site groups
you are in determine which list permission you get. A reader, for
example, would have permission only to view items, whereas a contributor
would also have permissions that would allow him to edit and delete
items. When a user is added to a group with contributor permissions, the
default Web application permissions for contributors would be applied.
Site
permissions deal with management rights in a site and include
permissions such as creating new groups or applying them to a site. This
is a good example of a case in which you might want to change the
permissions for a Web application: You might not want any person in your
Web application (including all of its sites) to have the ability to
change the theme for a site, because that would change the standardized
appearance. By removing the permission to apply a theme at the Web
application level, you are able to prevent everyone—including your site
administrator—from modifying the theme of the sites contained within the
Web application.
Personal
permissions are permissions that allow a user to add Web Parts that are
specific to them as an individual, such as Web Parts associated with
users’ My Sites. By removing permissions that allow individuals to add
their own Web Parts, you could create a uniform look for all the pages
and sites in the Web application, and users would be prevented from
personalizing or changing the pages and sites with their own private
content.
Note:
When you remove user rights from a Web application,
remember that the changes will also affect the administrators of the
site collection. You cannot choose to have the user permissions affect
only a select group of users in the Web application.
1.13. Web Part Security
A Web Part Page in
SharePoint is a page on which you can add Web Parts into the Web Part
zones that are located on the page. Most of the time, these Web Parts
serve a single purpose, such as a document library or an announcements
list. It is possible, however, to have Web Parts that connect to each
other to help manipulate the data returned by one or several Web Parts
viewed on the page. For instance, a user could select a customer name in
one Web Part and then have only information about that customer
displayed in a different Web Part. However, generating these types of
views places additional load on your Web servers, so
take that into consideration by planning and testing Web Part
connections. By default, users are allowed to create Web Part
connections on a page, and if you want to prevent them from doing so,
you must select the option to prevent users from creating connections on
the Web Part Security page.
Note:
Remember that by preventing Web
Part connections on the Web Part Security page, you will prevent all
associated sites within the selected Web application from having
connecting Web Parts.
The second option for
security in Web Part Pages provides for accessing the Online Web Part
Gallery. When a user wants to add a Web Part to a page, she is presented
with a default gallery view. However, she can also use the advanced
view to see all four of the available Web Part galleries if this option
is enabled.
The Online Web Part
Gallery includes Web Parts that provide MSN weather and stock news,
among others. Keep in mind that the performance of the page will be
affected when a user adds Web Parts, because the gallery must go to the
online sites to retrieve the list of available Web
Parts and then download the Web Part from the gallery to the user’s
computer. Furthermore, a Web Part can cause additional network traffic
itself if it provides information that is constantly updated, such as a
stock ticker. If you do not want your users to have access to these Web
Parts, then you should select the option that prevents users from
accessing the Online Web Part Gallery.
Note:
If you want to use the Online
Web Part Gallery but are unable to connect to the site, you might have
to configure the outgoing proxy server settings. You can do this from
within Central Administration by specifying the proxy server, such as
Microsoft's ISA Server, that SharePoint should use when accessing the
Internet for the gallery.
The final option on the Web Part Security page allows you to manage whether contributors for the site are able to add or edit scriptable Web Parts on the pages contained within the Web application.
The default setting is off for this option, but you can set it to allow
users to add or edit scriptable Web Parts on the Web Part Pages in the
Web application.
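The settings described in sections 1.11 through 1.13 can also be read from the SharePoint 2010 Management Shell. The following read-only audit is an added example, not part of the original text. The URL, the list of required extensions, the wanted values and the New-Result helper are assumptions chosen for illustration.

```powershell
# Added example: read-only audit; makes no changes to the Web application.
# Run from the SharePoint 2010 Management Shell on a farm server.
param(
    [string]$Url = "http://sharepoint.example.local",           # placeholder URL
    [string[]]$RequiredBlocked = @("exe", "bat", "vbs", "mp3")  # sample baseline
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$wa = Get-SPWebApplication -Identity $Url -ErrorAction Stop

# Hypothetical helper: one row per checked setting.
function New-Result($Setting, $Current, $Wanted) {
    New-Object PSObject -Property @{
        Setting = $Setting; Current = $Current; Wanted = $Wanted
        Ok      = ($Current -eq $Wanted)
    }
}

$results = @()

# 1.11 Blocked File Types: entries are stored without the leading dot.
$blocked = @($wa.BlockedFileExtensions | ForEach-Object { $_.ToLower() })
foreach ($ext in $RequiredBlocked) {
    $present = $blocked -contains $ext.ToLower()
    $results += New-Result "Blocked extension '$ext'" $present $true
}

# 1.12 User Permissions: RightsMask holds the permissions that site groups
# in this Web application may use. Test the theme bit from the page's example.
$theme = [int64][Microsoft.SharePoint.SPBasePermissions]::ApplyThemeAndBorder
$themeAllowed = (([int64]$wa.RightsMask) -band $theme) -ne 0
$results += New-Result "Apply Themes and Borders available" $themeAllowed $false

# 1.13 Web Part Security: the three options on the Web Part Security page.
# The wanted values below are an assumed locked-down policy, not a default.
$results += New-Result "Web Part connections allowed" `
    $wa.AllowPartToPartCommunication $false
$results += New-Result "Online Web Part Gallery allowed" `
    $wa.AllowAccessToWebPartCatalog $false
$results += New-Result "Contributors may edit scriptable Web Parts" `
    $wa.AllowContributorsToEditScriptableParts $false

$results | Select-Object Setting, Current, Wanted, Ok | Format-Table -AutoSize
```

Rows with Ok set to False mark settings that differ from the assumed baseline. Changing them is done on the pages described above or by setting the same properties and calling Update() on the Web application object.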