Maintain a secure site without disclosing information to unauthorized users. Being aware of authentication and access control issues is necessary. Even on sites that contain only widely available public information, being aware of safety helps to prevent compromising the server.

Restricted Catalog Access

When Index Server first installed, the catalog is set up with an Access Control List (ACL) that allows only system administrators and system services to access it. In part, this assures that if the catalog directory contained within a virtual root, unauthorized users would not see the files in the catalog in the context of their query. The protection on the catalog directory is also necessary to prevent unauthorized users (who might have access to the server by use of file-server shares) from seeing the contents of the catalog. Although the information in the catalog is in a form that would be difficult for someone without knowledge of the file formats to decipher, it is possible to read the content of files on the server by examining the catalog.

If an additional catalog directory created manually, care should be taken to ensure that it, and the files created in it, have appropriate access controls. A catalog directory should allow access for administrators and for the System account. Index Server runs as a service, so System access is required.

When documents filtered, any access controls on a document are kept in the catalog and checked against client permissions when a query processed.
If a client does not have access to a document, the document will not be included in any of the client's query results; there will be no indication that the document exists.

Avoid the appearance of missing hits. A user should properly authenticate before processing a query.

To enforce access control properly, clients should be properly authenticated before they can send a query to the server. The easiest way to ensure that a client is authenticated is to put an access control on the form that issues a query. You can also put an access control list on the .idq, .htx, or .htw file used in a query.

Depending upon the configuration of IIS, one or more of the following authentication mechanisms can be used:

  • Anonymous logon
  • Basic authentication
  • Windows NT Challenge/Response authentication

If the anonymous login is allowed, it will be used by default as long as all files accessed by the client are permitted to be accessed by the anonymous login account. Whenever an attempt is made to gain access to a document for which access denied to the anonymous user, an authentication dialog will be presented, provided another authentication mechanism is available. Then, the client can provide authentication and thereby gain access to files that would otherwise deny.

If you turn off clients' access to some protected files by disabling authentication on a virtual directory (i.e. by setting Anonymous access only), you should also disable authentication for the .htx file. Otherwise, clients will be able to see the contents of the protected files in the hit highlights returned after issuing a query.