Select the product you need help with
- Internet Explorer
- Windows Phone
- More products
The hit-highlighting component of the Indexing Service could allow unexpected access to the content of an IIS site
Article ID: 328832 - View products that this article applies to.
This article was previously published under Q328832
The hit-highlighting component of the Indexing Service may return indexed results from content on an Internet Information Services (IIS) site without enforcing the authentication scheme that is applied to the content.
To work around this problem, use one of the following methods.
Method 1: Uninstall the Indexing ServiceIf you do not need the Indexing Service, you should remove it. To do this, follow these steps.
Note When you remove the Indexing Service, you also remove the hit-highlighting component.
Method 2: Disable the hit-highlighting componentIf you need the Indexing Service but do not need hit-highlighting, you should disable the hit-highlighting component. To do this, follow these steps, depending on the version of IIS that you are using.
Method 3: Verify the Indexing Service and hit-highlighting configurationIf you need both the Indexing Service and the hit-highlighting component, you should make sure that your .htw files require the same type of IIS authentication that your content requires. Additionally, you should make sure that the script mapping for .htw files has the Check that file exists option enabled. To verify the correct script-mapping settings, follow these steps, depending on the version of IIS that you are using.
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
The hit-highlighting component is a part of the Indexing Service that works with IIS to return indexed content from a Web site. When the hit-highlighting component accesses the URL to be indexed, the component does this by directly accessing the content for the URL and not by making a new request through IIS. Because of this, any IIS-specific authentication is not applied to the URL that is indexed by the hit-highlighting component.
A Web browser can request indexed content by making a request to an .htw file on the Web site and by specifying the URL to be indexed. If IIS authentication is desired for indexed content, authentication should be set on the .htw file and also on the actual content. Hit-highlighting includes a special, built-in .htw file that is named Null.htw. This is a virtual file and does not actually exist on the disk. Because this file does not exist, you cannot configure IIS to enforce authentication on this file. To prevent Null.htw from returning indexed content, you must configure the IIS script mapping for .htw so that the mapping uses the "Check that file exists" feature.
The following table summarizes the default availability of the hit-highlighting component in various versions of IIS.
Acknowledgment: Joao Gouveia of Telecel-Vodafone and John Omernik contributed to this Microsoft Knowledge Base article.
Collapse this tableExpand this table
For more information about IIS 5.0 hardening, visit the following Microsoft TechNet Web site:
http://technet.microsoft.com/en-us/library/cc750568.aspxFor more information about how to help secure a Web server, visit the following Microsoft Developer Network (MSDN) Web site:
Article ID: 328832 - Last Review: March 5, 2008 - Revision: 6.5