The hit-highlighting component of the Indexing Service could allow unexpected access to the content of an IIS site

The hit-highlighting component of the Indexing Service may return indexed results from content on an Internet Information Services (IIS) site without enforcing the authentication scheme that is applied to the content.

To work around this problem, use one of the following methods.

Method 1: Uninstall the Indexing Service

If you do not need the Indexing Service, you should remove it. To do this, follow these steps.

Note When you remove the Indexing Service, you also remove the hit-highlighting component.

1. In Control Panel, click Add or Remove Programs.
2. Click Add/Remove Windows Components, and then click to clear the Indexing Service check box.

Method 2: Disable the hit-highlighting component

If you need the Indexing Service but do not need hit-highlighting, you should disable the hit-highlighting component. To do this, follow these steps, depending on the version of IIS that you are using.

• IIS 7.0
  
  To disable hit-highlighting in IIS 7.0 when the Indexing Service is installed, follow these steps:
  1. Start IIS Manager. To do this, click Start, click Run, type inetmgr, and then click OK.
  2. In the navigation pane, double-click ISAPI and CGI Restrictions.
  3. In the Status column, note the status for the Indexing Service item. If the status is Allowed, click Allowed, and then click Deny in the Tasks window.
• IIS 6.0
  
  To disable hit-highlighting in IIS 6.0 when the Indexing Service is installed, follow these steps:
  1. Start IIS Manager. To do this, click Start, click Run, type inetmgr, and then click OK.
  2. In the navigation pane, click Web Service Extensions.
  3. In the Status column, note the status for the Indexing Service item. If the status is Allowed, click the Indexing Service item, and then click Prohibit.
• IIS 5.1 and IIS 5.0
  
  To disable hit-highlighting in IIS 5.1 or in IIS 5.0 when the Indexing Service is installed, follow these steps:
  1. Install and then run the IIS Lockdown Tool. You can download version 2.1 of the IIS Lockdown Tool from the Microsoft Download Center.
     
     The following file is available for download from the Microsoft Download Center:
     
     Collapse this imageExpand this image

     
     Download the Iislockd.exe package now. (http://www.microsoft.com/downloads/details.aspx?FamilyID=dde9efc0-bb30-47eb-9a61-fd755d23cdec&displaylang=en)
  2. On the Select Server Template screen, click Other.
  3. Click Next, and then verify that the Web Service check box is selected.
  4. Click Next, and then verify that the Index Server Web Interface check box is selected.
  5. Follow the instructions on the screen to complete the wizard.
  Or, you can manually disable the Webhits.dll file by making it inaccessible to IIS. To do this, follow these steps:
  1. Stop the W3svc service. To do this, type the following command at a command prompt, and then press ENTER:
     net stop w3svc
  2. Move to the folder that contains Webhits.dll. To do this, type the following command, and then press ENTER:
     cd %WINDIR%\system32
  3. Type the following command, and then press ENTER:
     cacls webhits.dll /D Everyone
     If you are prompted to confirm, type Y, and then press ENTER.
  4. Start the W3svc service. To do this, type the following command at a command prompt:
     net start w3svc

Method 3: Verify the Indexing Service and hit-highlighting configuration

If you need both the Indexing Service and the hit-highlighting component, you should make sure that your .htw files require the same type of IIS authentication that your content requires. Additionally, you should make sure that the script mapping for .htw files has the Check that file exists option enabled. To verify the correct script-mapping settings, follow these steps, depending on the version of IIS that you are using.

• IIS 7.0
  1. Start IIS Manager. To do this, click Start, click Run, type inetmgr, and then click OK.
  2. In the navigation pane, double-click Handler Mappings.
  3. In the Handler Mappings table, find the mapping for .htw. Double-click the mapping.
  4. Click Request Restrictions.
  5. Click Invoke handler only if requests are mapped to, and then make sure that File is selected.
  6. Click OK two times.
• IIS 6.0, IIS 5.1 and IIS 5.0
  1. In the IIS Microsoft Management Console (MMC) snap-in, right-click the Web site, and then click Properties.
  2. Click the Home Directory tab, and then click Configuration.
  3. In the Application Configuration dialog box, click the mapping for .htw, and then click Edit.
  4. Make sure that the Check that file exists check box is selected, and then click OK.
     
     Note In IIS 6.0, this check box is named Verify that file exists.
  5. Verify that the IIS authentication settings for your content are the same as the authentication settings for your .htw files.

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

The hit-highlighting component is a part of the Indexing Service that works with IIS to return indexed content from a Web site. When the hit-highlighting component accesses the URL to be indexed, the component does this by directly accessing the content for the URL and not by making a new request through IIS. Because of this, any IIS-specific authentication is not applied to the URL that is indexed by the hit-highlighting component.

A Web browser can request indexed content by making a request to an .htw file on the Web site and by specifying the URL to be indexed. If IIS authentication is desired for indexed content, authentication should be set on the .htw file and also on the actual content. Hit-highlighting includes a special, built-in .htw file that is named Null.htw. This is a virtual file and does not actually exist on the disk. Because this file does not exist, you cannot configure IIS to enforce authentication on this file. To prevent Null.htw from returning indexed content, you must configure the IIS script mapping for .htw so that the mapping uses the "Check that file exists" feature.

The following table summarizes the default availability of the hit-highlighting component in various versions of IIS. Acknowledgment: Joao Gouveia of Telecel-Vodafone and John Omernik contributed to this Microsoft Knowledge Base article.

For more information about IIS 5.0 hardening, visit the following Microsoft TechNet Web site: For more information about how to help secure a Web server, visit the following Microsoft Developer Network (MSDN) Web site: