Hit-highlighting does not rely on IIS authentication (328832)
The information in this article applies to:

  • Microsoft Index Server 3.0

This article was previously published under Q328832
We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

SYMPTOMS

Hit-highlighting may return the contents of a document that an anonymous user is not permitted to access, provided the user knows the hit-highlighting URL for that document.

CAUSE

Hit-highlighting with Webhits.dll relies only on the Microsoft Windows NT Access Control List (ACL) configuration of the underlying files. It does not honor non-ACL-based security mechanisms such as the following:
  • The Microsoft Internet Information Services (IIS) authentication configuration
  • IP address restrictions on files within the Web root

STATUS

This behavior is by design.

MORE INFORMATION

Steps to reproduce the behavior

  1. In IIS 5.0 Service Pack 2 (SP2), create a folder named Dir1 in the Web site root (for example, C:\Inetpub\WWWRoot).
  2. Create a file named File1.txt in Dir1, put some text in the file, and then save the file.
  3. Set the authentication on the Web root folder in IIS to Anonymous authentication.
  4. Set access in IIS to the Dir1 folder to Basic authentication only.
  5. Using Anonymous authentication, open /Dir1/File1.txt. You receive an "Access Denied" error message.
  6. Using Anonymous authentication, open the following URL (where null.htw represents your hit-highlighting file):
    /null.htw?CiWebhitsfile=/dir1/file1.txt&CiRestriction=none&CiHiliteType=full
    The request succeeds.
In this case, the user can view the contents of File1.txt even though IIS has not authenticated the user and the user cannot retrieve the file directly.

Note For steps 3 and 4, you can use IP address restrictions instead of authentication to restrict the file; Webhits.dll does not honor those restrictions either.

Acknowledgment: Joao Gouveia of Telecel-Vodafone and John Omernik contributed to this Microsoft Knowledge Base article.
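Because Webhits.dll bypasses the IIS authentication and IP restrictions described above, a defender reviewing an IIS 5.0 server will want to know whether hit-highlighting has already been used to read files from a protected folder. The following script is an added example written for this article, not Microsoft code: it parses W3C extended log lines, canonicalises the CiWebhitsfile parameter of .htw requests (URL decoding, case folding, and collapsing "." and ".." segments), and reports requests in which an anonymous user (cs-username "-") received a 200 response for a file under a folder that IIS protects with non-anonymous authentication. The log excerpt and the list of protected folders (PROTECTED_PREFIXES, mirroring Dir1 from the reproduction steps) are constructed for the example.

```python
"""Detect hit-highlighting (.htw) requests that returned files from
IIS-protected folders to anonymous users, using IIS W3C extended logs.
Example code for this article; sample log lines and the protected-folder
list are constructed and must be adapted to the server under review."""
import posixpath
from urllib.parse import parse_qs, unquote

# Assumption: these virtual directories require Basic (or other
# non-anonymous) authentication in IIS, like Dir1 in the article's steps.
PROTECTED_PREFIXES = ("/dir1/",)

# Constructed W3C extended log excerpt using the IIS 5.0 field order
# declared in the #Fields directive ("-" means an empty field / anonymous).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status
2002-09-10 14:02:11 10.0.0.5 - 192.168.1.10 80 GET /dir1/file1.txt - 401
2002-09-10 14:02:30 10.0.0.5 - 192.168.1.10 80 GET /null.htw CiWebhitsfile=/dir1/file1.txt&CiRestriction=none&CiHiliteType=full 200
2002-09-10 14:03:01 10.0.0.7 - 192.168.1.10 80 GET /search.htw CiWebhitsfile=/public/readme.txt&CiRestriction=none&CiHiliteType=full 200
2002-09-10 14:03:45 10.0.0.9 alice 192.168.1.10 80 GET /null.htw CiWebhitsfile=/dir1/file1.txt&CiRestriction=none 200
2002-09-10 14:04:12 10.0.0.9 - 192.168.1.10 80 GET /null.htw CiWebhitsfile=%2FDir1%2FFile1.txt&CiRestriction=none 200
"""


def normalize_webroot_path(raw):
    """Canonicalise a CiWebhitsfile value: URL-decode, fold backslashes to
    slashes, anchor at the Web root, collapse '.'/'..' segments and
    lower-case (IIS and NTFS paths are case-insensitive)."""
    path = unquote(raw).replace("\\", "/")
    if not path.startswith("/"):
        path = "/" + path
    return posixpath.normpath(path).lower()


def parse_w3c_log(text):
    """Yield one dict per log entry, keyed by the names in #Fields."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) == len(fields):
            yield dict(zip(fields, values))


def find_webhits_bypass(text, protected=PROTECTED_PREFIXES):
    """Return (client IP, .htw script, canonical file path) for each .htw
    request that served a file under a protected folder to an anonymous
    user with HTTP 200."""
    prefixes = tuple(p.lower() for p in protected)
    findings = []
    for entry in parse_w3c_log(text):
        if not entry["cs-uri-stem"].lower().endswith(".htw"):
            continue
        if entry["cs-username"] != "-" or entry["sc-status"] != "200":
            continue
        # A "-" query parses to an empty dict; parameter names are matched
        # case-insensitively because IIS treats them that way.
        for name, values in parse_qs(entry["cs-uri-query"]).items():
            if name.lower() != "ciwebhitsfile":
                continue
            for raw in values:
                target = normalize_webroot_path(raw)
                if target.startswith(prefixes):
                    findings.append((entry["c-ip"], entry["cs-uri-stem"], target))
    return findings


if __name__ == "__main__":
    for client, script, target in find_webhits_bypass(SAMPLE_LOG):
        print(f"{client} read {target} via {script} without authenticating")
```

Run against a real log, replace SAMPLE_LOG with the file contents and PROTECTED_PREFIXES with every virtual directory that IIS restricts by authentication or IP address; a hit in the output is a file whose NTFS ACL, the only control Webhits.dll honors, still grants read access to the anonymous account.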

Modification Type: Minor    Last Reviewed: 6/22/2006
Keywords:kbprb KB328832