COMMAND

    Index Server 2.0 and the Registry

SYSTEMS AFFECTED

    Index Server 2.0

PROBLEM

    Mnemonix found following.   When Microsoft's Index  Server 2.0  is
    installed on NT  4 with Internet  Information Server 4  it opens a
    new "AllowedPath"  into the  Windows NT  Registry.  Administrators
    can control who can access the Windows NT Registry via the network
    by editing permissions on the Winreg key found under

        HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg

    By default, on NT Server 4, the permissions on this key are set to
    Administrators with Full Control.  No-one else should have  access
    (although it doesn't really work out like this in the end.)  There
    are certain paths through the Registry that remote users,  whether
    they are  Administrators are  not, may  access.   These are listed
    in the  AllowedPaths subkey  found under  the Winreg  key.   These
    paths are to allow basic  network operations such as printing  etc
    to  continue  as   normal.   Index  Server   2.0  creates  a   new
    "AllowedPath":

        HKLM\System\CurrentControlset\Control\ContentIndex\Catalogs

    meaning  that  anyone  with  an  local  or domain account for that
    machine, including Guests, are able to discover the physical  path
    to directories being indexed or if a directory found in a  network
    share is being  index they can  learn the name  of the machine  on
    which the share resides and the  name of the user account used  to
    access  that  share  on  behalf  of Index and Internet Information
    Server.   Permissions  on  the  above  key  and  its  sub-key give
    Everyone read access.  Note  that regedit and regedt32 can  not be
    used  to  access  this  information.  Tools  such  as  reg.exe  or
    home-baked efforts must be used.

SOLUTION

    In most  cases this  issue represents  a mild  risk, but one worth
    noting and  resolving by  removing if  this adversely  affects you
    and your security policy.