Microsoft small business knowledge base

Article ID: 328832 - Last Review: March 5, 2008 - Revision: 6.5

This article was previously published under Q328832

SYMPTOMS

The hit-highlighting component of the Indexing Service may return indexed results from content on an Internet Information Services (IIS) site without enforcing the authentication scheme that is applied to the content.

WORKAROUND

To work around this problem, use one of the following methods.

Method 1: Uninstall the Indexing Service

If you do not need the Indexing Service, you should remove it. To do this, follow these steps.

Note: When you remove the Indexing Service, you also remove the hit-highlighting component.
  1. In Control Panel, click Add or Remove Programs.
  2. Click Add/Remove Windows Components, and then click to clear the Indexing Service check box.

Method 2: Disable the hit-highlighting component

If you need the Indexing Service but do not need hit-highlighting, you should disable the hit-highlighting component. To do this, follow these steps, depending on the version of IIS that you are using.
  • IIS 7.0

    To disable hit-highlighting in IIS 7.0 when the Indexing Service is installed, follow these steps:
    1. Start IIS Manager. To do this, click Start, click Run, type inetmgr, and then click OK.
    2. In the navigation pane, double-click ISAPI and CGI Restrictions.
    3. In the Status column, note the status for the Indexing Service item. If the status is Allowed, click Allowed, and then click Deny in the Tasks window.
  • IIS 6.0

    To disable hit-highlighting in IIS 6.0 when the Indexing Service is installed, follow these steps:
    1. Start IIS Manager. To do this, click Start, click Run, type inetmgr, and then click OK.
    2. In the navigation pane, click Web Service Extensions.
    3. In the Status column, note the status for the Indexing Service item. If the status is Allowed, click the Indexing Service item, and then click Prohibit.
  • IIS 5.1 and IIS 5.0

    To disable hit-highlighting in IIS 5.1 or in IIS 5.0 when the Indexing Service is installed, follow these steps:
    1. Install and then run the IIS Lockdown Tool. You can download version 2.1 of the IIS Lockdown Tool from the Microsoft Download Center.

      The following file is available for download from the Microsoft Download Center:
      Download the Iislockd.exe package now. (http://www.microsoft.com/downloads/details.aspx?FamilyID=dde9efc0-bb30-47eb-9a61-fd755d23cdec&displaylang=en)
    2. On the Select Server Template screen, click Other.
    3. Click Next, and then verify that the Web Service check box is selected.
    4. Click Next, and then verify that the Index Server Web Interface check box is selected.
    5. Follow the instructions on the screen to complete the wizard.
    Or, you can manually disable the Webhits.dll file by making it inaccessible to IIS. To do this, follow these steps:
    1. Stop the W3svc service. To do this, type the following command at a command prompt, and then press ENTER:
      net stop w3svc
    2. Move to the folder that contains Webhits.dll. To do this, type the following command, and then press ENTER:
      cd %WINDIR%\system32
    3. Type the following command, and then press ENTER:
      cacls webhits.dll /D Everyone
      If you are prompted to confirm, type Y, and then press ENTER.
    4. Start the W3svc service. To do this, type the following command at a command prompt:
      net start w3svc

Method 3: Verify the Indexing Service and hit-highlighting configuration

If you need both the Indexing Service and the hit-highlighting component, you should make sure that your .htw files require the same type of IIS authentication that your content requires. Additionally, you should make sure that the script mapping for .htw files has the Check that file exists option enabled. To verify the correct script-mapping settings, follow these steps, depending on the version of IIS that you are using.
  • IIS 7.0
    1. Start IIS Manager. To do this, click Start, click Run, type inetmgr, and then click OK.
    2. In the navigation pane, double-click Handler Mappings.
    3. In the Handler Mappings table, find the mapping for .htw. Double-click the mapping.
    4. Click Request Restrictions.
    5. Click Invoke handler only if requests are mapped to, and then make sure that File is selected.
    6. Click OK two times.
  • IIS 6.0, IIS 5.1 and IIS 5.0
    1. In the IIS Microsoft Management Console (MMC) snap-in, right-click the Web site, and then click Properties.
    2. Click the Home Directory tab, and then click Configuration.
    3. In the Application Configuration dialog box, click the mapping for .htw, and then click Edit.
    4. Make sure that the Check that file exists check box is selected, and then click OK.

      Note: In IIS 6.0, this check box is named Verify that file exists.
    5. Verify that the IIS authentication settings for your content are the same as the authentication settings for your .htw files.
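
The IIS 7.0 checks from Method 2 and Method 3 can also be run against a copy of the server's applicationHost.config. The following Python script is an added example, not part of the original article or any Microsoft tool. It assumes the ISAPI and CGI Restrictions status is stored as the allowed attribute of an isapiCgiRestriction entry and the Request Restrictions File option as resourceType="File"; the sample configuration, handler names and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like IIS 7.0 applicationHost.config sections;
# the handler names are illustrative and do not come from the article.
SAMPLE_CONFIG = r"""
<configuration>
  <system.webServer>
    <security>
      <isapiCgiRestriction>
        <add path="%windir%\system32\webhits.dll" allowed="true" />
      </isapiCgiRestriction>
    </security>
    <handlers>
      <add name="htw-checked" path="*.htw" modules="IsapiModule"
           scriptProcessor="%windir%\system32\webhits.dll" resourceType="File" />
      <add name="htw-unchecked" path="*.HTW" modules="IsapiModule"
           scriptProcessor="%windir%\system32\webhits.dll" />
    </handlers>
  </system.webServer>
</configuration>
"""


def htw_mappings_without_file_check(config_xml):
    """Return (name, resourceType) for .htw handlers not restricted to File."""
    findings = []
    for handlers in ET.fromstring(config_xml).iter("handlers"):
        for add in handlers.findall("add"):
            if not add.get("path", "").lower().endswith(".htw"):
                continue
            # An absent resourceType means the IIS default, Unspecified:
            # the handler runs even when no file exists (the Null.htw case).
            rtype = add.get("resourceType", "Unspecified")
            if rtype.lower() != "file":
                findings.append((add.get("name"), rtype))
    return findings


def webhits_extension_allowed(config_xml):
    """True if an ISAPI and CGI Restrictions entry allows webhits.dll."""
    for rules in ET.fromstring(config_xml).iter("isapiCgiRestriction"):
        for add in rules.findall("add"):
            path = add.get("path", "").lower()
            allowed = add.get("allowed", "").lower() == "true"
            if path.endswith("webhits.dll") and allowed:
                return True
    return False
```
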

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

MORE INFORMATION

The hit-highlighting component is a part of the Indexing Service that works with IIS to return indexed content from a Web site. When the hit-highlighting component accesses the URL to be indexed, it reads the content for that URL directly instead of making a new request through IIS. Because of this, IIS-specific authentication is not applied to the URL that is indexed by the hit-highlighting component.

A Web browser can request indexed content by making a request to an .htw file on the Web site and by specifying the URL to be indexed. If IIS authentication is desired for indexed content, authentication should be set on the .htw file and also on the actual content. Hit-highlighting includes a special, built-in .htw file that is named Null.htw. This is a virtual file and does not actually exist on the disk. Because this file does not exist, you cannot configure IIS to enforce authentication on this file. To prevent Null.htw from returning indexed content, you must configure the IIS script mapping for .htw so that the mapping uses the "Check that file exists" feature.

The following table summarizes the default availability of the hit-highlighting component in various versions of IIS.

Version   Indexing Service   Hit-highlighting
IIS 7.0   Not installed      Disabled when the Indexing Service is installed
IIS 6.0   Installed          Installed but disabled
IIS 5.1   Not installed      Not installed
IIS 5.0   Installed          Installed and enabled

Acknowledgment: Joao Gouveia of Telecel-Vodafone and John Omernik contributed to this Microsoft Knowledge Base article.

MORE INFORMATION

For more information about IIS 5.0 hardening, visit the following Microsoft TechNet Web site:
http://technet.microsoft.com/en-us/library/cc750568.aspx
For more information about how to help secure a Web server, visit the following Microsoft Developer Network (MSDN) Web site:
http://msdn2.microsoft.com/En-US/library/aa302432.aspx

APPLIES TO
  • Microsoft Internet Information Services 7.0
  • Microsoft Internet Information Services 6.0
  • Microsoft Internet Information Services 5.0
  • Microsoft Index Server 2.0
Keywords: 
kbexpertiseadvanced kbtshoot kbprb KB328832