Date: Tue, 23 Mar 1999 23:40:55 -0000 From: Mnemonix To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM Subject: Index Server 2.0 and the Registry When Microsoft's Index Server 2.0 is installed on NT 4 with Internet Information Server 4 it opens a new "AllowedPath" into the Windows NT Registry. Administrators can control who can access the Windows NT Registry via the network by editing permissions on the Winreg key found under HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg By default, on NT Server 4, the permissions on this key are set to Administrators with Full Control. No-one else should have access (although it doesn't really work out like this in the end.) There are certain paths through the Registry that remote users, whether they are Administrators are not, may access. These are listed in the AllowedPaths subkey found under the Winreg key. These paths are to allow basic network operations such as printing etc to continue as normal. Index Server 2.0 creates a new "AllowedPath": HKLM\System\CurrentControlset\Control\ContentIndex\Catalogs meaning that anyone with an local or domain account for that machine, including Guests, are able to discover the physical path to directories being indexed or if a directory found in a network share is being index they can learn the name of the machine on which the share resides and the name of the user account used to access that share on behalf of Index and Internet Information Server. Permissions on the above key and its sub-key give Everyone read access. Note that regedit and regedt32 can not be used to access this information. Tools such as reg.exe or home-baked efforts must be used. In most cases this issue represents a mild risk, but one worth noting and resolving by removing if this adversely affects you and your security policy. Cheers, David Litchfield http://www.infowar.co.uk/mnemonix/