Microsoft KB Archive/328832

= Hit-highlighting does not rely on IIS authentication =

Article ID: 328832

Article Last Modified on 6/5/2007


APPLIES TO


 * Microsoft Index Server 2.0




This article was previously published under Q328832



We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx



SYMPTOMS
Hit-highlighting may return documents that an anonymous user is not supposed to have access to, if the user knows the hit-highlighting URL.



CAUSE
Hit-highlighting with Webhits.dll relies only on the Microsoft Windows NT Access Control List (ACL) configuration. It does not rely on non-ACL-based security mechanisms such as the following:
 * The Microsoft Internet Information Services (IIS) authentication configuration
 * NTLM authentication
 * Basic authentication
 * IP address restrictions on files within the Webroot
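
Because only the NTFS ACL is consulted, files whose ACL grants read access to the anonymous account are not protected from hit-highlighting by the IIS-level settings listed above. The following PowerShell audit script is an added example, not part of the original article and not Microsoft's code; the web root path, the IUSR_<computername> account name, and the list of groups that account belongs to are assumptions to adjust for each server.

```powershell
# Added example (not from the KB article). Lists files under the web root
# whose NTFS ACL lets the anonymous account read them.
# Assumptions: web root path, anonymous account name, group memberships.
param(
    [string]$WebRoot = 'C:\Inetpub\wwwroot',
    [string]$AnonymousAccount = "$env:COMPUTERNAME\IUSR_$env:COMPUTERNAME"
)

# Principals whose ACEs are assumed to apply to the anonymous account.
$principals = @(
    $AnonymousAccount,
    'Everyone',
    'BUILTIN\Users',
    'BUILTIN\Guests',
    'NT AUTHORITY\Authenticated Users'
)

$readBits = [System.Security.AccessControl.FileSystemRights]::ReadData

function Test-AnonymousRead {
    param([System.Security.AccessControl.FileSecurity]$Acl)

    # ACEs for one of the principals that include the read-data right.
    $rules = $Acl.Access | Where-Object {
        ($principals -contains $_.IdentityReference.Value) -and
        (($_.FileSystemRights -band $readBits) -ne 0)
    }
    # A Deny ACE on read for any matching principal overrides Allow ACEs.
    if ($rules | Where-Object { $_.AccessControlType -eq 'Deny' }) { return $false }
    return [bool]($rules | Where-Object { $_.AccessControlType -eq 'Allow' })
}

Get-ChildItem -Path $WebRoot -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $acl = Get-Acl -LiteralPath $_.FullName
        if (Test-AnonymousRead -Acl $acl) {
            [pscustomobject]@{ Path = $_.FullName; Owner = $acl.Owner }
        }
    }
```

Any file in the output that is meant to be restricted needs its NTFS ACL tightened, because IIS authentication settings and IP address restrictions alone do not apply to hit-highlighting.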



STATUS
This behavior is by design.



MORE INFORMATION
Acknowledgment: Joao Gouveia of Telecel-Vodafone and John Omernik contributed to this Microsoft Knowledge Base article.

Additional query words: webhits web hits

Keywords: kbprb KB328832


© Microsoft Corporation. All rights reserved.