Date: Tue, 23 Mar 1999 23:40:55 -0000
From: Mnemonix <mnemonix@GLOBALNET.CO.UK>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Index Server 2.0 and the Registry


When Microsoft's Index Server 2.0 is installed on NT 4 with 
Internet Information Server 4 it opens a new "AllowedPath" 
into the Windows NT Registry.

Administrators can control who can access the Windows NT 
Registry via the network by editing permissions on the 
Winreg key found under

HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg

By default, on NT Server 4, the permissions on this key are 
set to Administrators with Full Control. No-one else should 
have access (although it doesn't really work out like this in 
the end.) There are certain paths through the Registry that 
remote users, whether they are Administrators are not, may 
access. These are listed in the AllowedPaths subkey found 
under the Winreg key. These paths are to allow basic network 
operations such as printing etc to continue as normal.

Index Server 2.0 creates a new "AllowedPath":

HKLM\System\CurrentControlset\Control\ContentIndex\Catalogs

meaning that anyone with an local or domain account for that 
machine, including Guests, are able to discover the physical 
path to directories being indexed or if a directory found in a 
network share is being index they can learn the name of the 
machine on which the share resides and the name of the user 
account used to access that share on behalf of Index and 
Internet Information Server. Permissions on the above key and 
its sub-key give Everyone read access.

Note that regedit and regedt32 can not be used to access this 
information. Tools such as reg.exe or home-baked efforts must 
be used.

In most cases this issue represents a mild risk, but one worth 
noting and resolving by removing if this adversely affects you
and your security policy. 

Cheers,
David Litchfield
http://www.infowar.co.uk/mnemonix/