ACL for Server Security


To maintain a secure site that does not disclose information to unauthorized users, you need to be aware of authentication and access control issues. Even on sites that contain only widely available public information, attention to security helps prevent the server itself from being compromised.

Restricted Catalog Access

When Index Server is first installed, the catalog is set up with an access control list (ACL) that allows only system administrators and system services to access it. This ensures that if the catalog directory is contained within a virtual root, unauthorized users will not see the catalog files in the results of their queries. The protection on the catalog directory is also necessary to prevent unauthorized users who have access to the server through file-server shares from reading the catalog's contents. Although the information in the catalog is stored in a form that would be difficult to decipher without knowledge of the file formats, it is possible to reconstruct the content of files on the server by examining the catalog.

If an additional catalog directory is created manually, make sure that it and the files created in it carry appropriate access controls. A catalog directory should allow access only for administrators and for the System account; Index Server runs as a service, so System access is required.
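As an added example, not code from the original page or from Index Server itself, the following PowerShell applies the catalog directory ACL described above and then reports any ACE that grants access to anyone else. The catalog path is a placeholder, the identities are the well-known Administrators group and the SYSTEM account, and the verification compares identity names only, so it flags an unexpected group by name without expanding its membership.

```powershell
# Added example: restrict an Index Server catalog directory to Administrators
# and the SYSTEM account (the identity the service runs as), then report any
# other ACE. $CatalogPath is a placeholder, not a path taken from the page.
param(
    [string]$CatalogPath = 'D:\IndexCatalog'   # placeholder; use the real catalog directory
)

# Identities that must keep access, per the catalog security guidance.
$AllowedIdentities = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

function Set-CatalogAcl {
    param([string]$Path, [string[]]$Identities)

    $acl = Get-Acl -Path $Path

    # Stop inheriting ACEs from the parent directory (for example, a virtual
    # root that grants Everyone read) and discard the inherited entries rather
    # than copying them onto the catalog directory.
    $acl.SetAccessRuleProtection($true, $false)

    # Remove every explicit ACE so that only the rules added below remain.
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $acl.RemoveAccessRuleAll($rule)
    }

    # Grant Full Control to each allowed identity. ContainerInherit and
    # ObjectInherit make the rule flow down to the files the indexer creates.
    foreach ($identity in $Identities) {
        $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
            $identity,
            [System.Security.AccessControl.FileSystemRights]::FullControl,
            [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow
        )
        $acl.AddAccessRule($rule)
    }

    Set-Acl -Path $Path -AclObject $acl
}

function Test-CatalogAcl {
    param([string]$Path, [string[]]$Identities)

    # Return every Allow ACE whose identity is outside the allowed set.
    # The comparison is by name only; group membership is not expanded.
    $acl = Get-Acl -Path $Path
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $Identities -notcontains $_.IdentityReference.Value
    } | ForEach-Object {
        [pscustomobject]@{
            Path     = $Path
            Identity = $_.IdentityReference.Value
            Rights   = $_.FileSystemRights
        }
    }
}

Set-CatalogAcl -Path $CatalogPath -Identities $AllowedIdentities
$unexpected = @(Test-CatalogAcl -Path $CatalogPath -Identities $AllowedIdentities)
if ($unexpected.Count -eq 0) {
    Write-Output "Catalog ACL on $CatalogPath is limited to: $($AllowedIdentities -join ', ')"
} else {
    $unexpected | Format-Table -AutoSize
}
```

Run it from an elevated prompt, since replacing the ACL on a directory that already excludes ordinary users requires administrative rights. Test-CatalogAcl can also be run on its own as a periodic check that nobody has since added a share-friendly ACE to the catalog directory.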

When documents are filtered, any access controls on a document are recorded in the catalog and checked against the client's permissions when a query is processed. If a client does not have access to a document, the document is not included in any of the client's query results; there is no indication that the document exists.

To avoid the appearance of missing hits, a user should authenticate before issuing a query.

To enforce access control properly, clients should be authenticated before sending a query to the server. The easiest way to ensure that a client is authenticated is to put an access control on the form that issues the query. You can also place an access control list on the .idq, .htx, or .htw file used in the query.

Depending upon the configuration of IIS, one or more of the following authentication mechanisms can be used:

  • Anonymous logon
  • Basic authentication
  • Windows NT Challenge/Response authentication

If anonymous logon is allowed, it is used by default as long as the anonymous logon account is permitted to access every file the client requests. Whenever the client attempts to access a document to which the anonymous user is denied access, an authentication dialogue is presented, provided another authentication mechanism is available. The client can then supply credentials and gain access to files that would otherwise be denied.

If you turn off clients' access to some protected files by disabling authentication on a virtual directory (that is, by allowing anonymous access only), you should also disable authentication for the .htx file. Otherwise, clients can authenticate when the .htx file is requested, and the query then runs in that authenticated context, so the contents of the protected files appear in the hit highlights returned after the query.
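As an added example, not from the original page, the following PowerShell audits the NTFS side of the two points above: it walks the query form and template files (.htm, .idq, .htx, .htw) under a virtual directory and reports each one the anonymous account can read, flagging any that is anonymous-readable while the protected documents it searches are not, which is the condition under which unauthenticated queries run and hits go silently missing. The directory paths are placeholders, the anonymous account name assumes the usual IIS convention of an IUSR_ account named after the computer, and the identities treated as reaching the anonymous user are a name-based heuristic. The per-directory authentication settings in IIS itself, which the .htx advice depends on, are not inspected here.

```powershell
# Added example: check which query files under a virtual directory the
# anonymous account can read, and compare that with the protected documents.
# $VirtualDirPath, $ProtectedDirPath and $AnonymousAccount are assumptions.
param(
    [string]$VirtualDirPath   = 'C:\InetPub\wwwroot\search',    # placeholder
    [string]$ProtectedDirPath = 'C:\InetPub\wwwroot\internal',  # placeholder
    [string]$AnonymousAccount = "IUSR_$env:COMPUTERNAME"        # assumed IIS naming convention
)

# Identities whose Allow ACE lets the anonymous client in. Name-based
# heuristic only; group membership is not expanded.
$AnonymousIdentities = @($AnonymousAccount, 'Everyone', 'BUILTIN\Users')

function Test-AnonymousRead {
    param([string]$Path, [string[]]$Identities)

    # True when an Allow ACE for one of the identities includes ReadData.
    $readData = [System.Security.AccessControl.FileSystemRights]::ReadData
    $acl = Get-Acl -Path $Path
    $hits = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $Identities -contains $_.IdentityReference.Value -and
        (($_.FileSystemRights -band $readData) -ne 0)
    })
    return ($hits.Count -gt 0)
}

function Get-QueryFileAudit {
    param([string]$Root, [string]$ProtectedDir, [string[]]$Identities)

    # Whether the anonymous client can read the protected documents directly.
    $protectedOpen = Test-AnonymousRead -Path $ProtectedDir -Identities $Identities

    Get-ChildItem -Path $Root -Recurse -File -Include *.htm, *.idq, *.htx, *.htw |
        ForEach-Object {
            $fileOpen = Test-AnonymousRead -Path $_.FullName -Identities $Identities

            # A query file the anonymous user can read, searching documents the
            # anonymous user cannot, lets queries run unauthenticated and yields
            # silently missing hits. The page's fix is an ACL on the form or on
            # the .idq/.htx/.htw file so the client is made to authenticate.
            $finding = ''
            if ($fileOpen -and -not $protectedOpen) {
                $finding = 'anonymous-readable query file; protected documents are not'
            }

            [pscustomobject]@{
                File             = $_.FullName
                AnonymousCanRead = $fileOpen
                Finding          = $finding
            }
        }
}

$results = @(Get-QueryFileAudit -Root $VirtualDirPath -ProtectedDir $ProtectedDirPath -Identities $AnonymousIdentities)
$results | Format-Table -AutoSize
```

Files listed with a non-empty Finding are the ones to put an ACL on so that the query form or template itself forces authentication before the query reaches the server.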