We are in the process of implementing NextLabs entitlement to block the SharePoint 2013 site collections. We found that although sites have been blocked, users could directly browse to site system pages like _layouts/settings, and the actions are available to those who have “full control” permissions. This is a critical security hole, and here are the configuration steps to disable this.
- Log in to the site as site collection administrator
- Click Site Settings -> Site Collection Administration -> NextLabs Entitlement Manager settings -> Select “Enable access control enforcement for Page resources”
This configuration enables SharePoint Page Level Access Control, which allows users to control, via policy, who can access various SharePoint settings pages.
This will block users from accessing the system pages. We are looking for a way to apply this setting to selected site collections and to automatically apply it to newly created site collections.
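One way to check which site collections still serve the settings page after the option is enabled. This is an added example, not part of the original post and not NextLabs code. It assumes Windows authentication, a test account that has Full Control but that policy should deny, and that a block shows up as a non-200 status or a redirect away from the page.

```powershell
# Added example: audit whether _layouts/settings.aspx is still served to a
# test account in every site collection. Run in the SharePoint 2013
# Management Shell on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumption: this account has Full Control in SharePoint, but the
# entitlement policy is expected to deny it access to system pages.
$cred = Get-Credential -Message 'Test account that policy should block'

# System page named in the post, relative to each site collection root.
$page = '_layouts/settings.aspx'

$results = foreach ($site in Get-SPSite -Limit All) {
    $url = $site.Url.TrimEnd('/') + '/' + $page
    try {
        $resp   = Invoke-WebRequest -Uri $url -Credential $cred -UseBasicParsing
        $status = [int]$resp.StatusCode
        $final  = $resp.BaseResponse.ResponseUri.AbsoluteUri
    } catch [System.Net.WebException] {
        # 401/403 and similar responses land here; 0 means no HTTP response at all.
        $status = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { 0 }
        $final  = $url
    } finally {
        $site.Dispose()
    }

    # Assumption: the page counts as "served" only when the request ends with
    # HTTP 200 on the settings page itself, not on a page it was redirected to.
    $served = ($status -eq 200) -and $final.ToLower().EndsWith($page)

    New-Object PSObject -Property @{
        SiteCollection = $url
        Status         = $status
        FinalUrl       = $final
        StillServed    = $served
    }
}

# Site collections where the test account still reaches the settings page.
$results | Where-Object { $_.StillServed } |
    Format-Table SiteCollection, Status, FinalUrl -AutoSize
```

If the denial is rendered in place with HTTP 200, the status and URL check above will report a false positive, so inspect the response body for those rows.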