How To: Lock Down Identity Viewing for a Site
The people.aspx page in the _layouts directory shows all of the users that have access to a site. Even if no links to this page are provided in the application exposed to users, if they are experienced SharePoint developers or administrators they would know
the URL of this page and type the url directly into the browser. In shared environments between partners, such as the publishing site in the Partner Portal, leaking identities of users between partners to any authenticated user is undesirable. The information
within the shared site is not compromised and remains secured by the SharePoint security infrastructure. You can use the following procedure to restrict a user from viewing other users on the site through people.aspx:
Note: This procedure does not prevent users with full permissions from changing the page.
To secure the _layouts/people.aspx page
- Navigate to the root of your site collection.
- Click the Site Actions Tab. Point to Site Settings and click
People and Groups.
- In the Quick Launch, click All People.
- In the toolbar, click Settings. Click List Settings.
- In the General Settings section, click Advanced Settings.
- In the Read access section, select Only their own.
- In the Edit access section, select Only their own.Figure xx illustrates the correct User Information List settings.