nt4.index.server.2.0.txt

1999-08-17T00:00:00
ID PACKETSTORM:12158
Type packetstorm
Reporter Mnemonix
Modified 1999-08-17T00:00:00

Description

Date: Tue, 23 Mar 1999 23:40:55 -0000  
From: Mnemonix <mnemonix@GLOBALNET.CO.UK>  
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM  
Subject: Index Server 2.0 and the Registry  
  
  
When Microsoft's Index Server 2.0 is installed on NT 4 with   
Internet Information Server 4 it opens a new "AllowedPath"   
into the Windows NT Registry.  
  
Administrators can control who can access the Windows NT   
Registry via the network by editing permissions on the   
Winreg key found under  
  
HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg  
  
By default, on NT Server 4, the permissions on this key are   
set to Administrators with Full Control. No-one else should   
have access (although it doesn't really work out like this in   
the end). There are certain paths through the Registry that   
remote users, whether they are Administrators or not, may   
access. These are listed in the AllowedPaths subkey found   
under the Winreg key. These paths exist to allow basic network   
operations, such as printing, to continue as normal.  
  
Index Server 2.0 creates a new "AllowedPath":  
  
HKLM\System\CurrentControlset\Control\ContentIndex\Catalogs  
  
meaning that anyone with a local or domain account for that   
machine, including Guests, is able to discover the physical   
path to directories being indexed, or, if a directory on a   
network share is being indexed, learn the name of the   
machine on which the share resides and the name of the user   
account used to access that share on behalf of Index Server and   
Internet Information Server. Permissions on the above key and   
its sub-keys give Everyone read access.  
  
Note that regedit and regedt32 can not be used to access this   
information. Tools such as reg.exe or home-baked efforts must   
be used.  
  
In most cases this issue represents a mild risk, but it is one worth   
noting and resolving by removing the path if it adversely affects you   
and your security policy.   
  
Cheers,  
David Litchfield  
http://www.infowar.co.uk/mnemonix/  
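As an added example that is not part of the advisory, the Python below audits an AllowedPaths list for the Catalogs entry described above and returns a copy without it; the sample list is constructed test data, and the live reader assumes the standard "Machine" REG_MULTI_SZ value under the AllowedPaths key.

```python
"""Audit the Winreg AllowedPaths list for the entry Index Server 2.0 adds.
Added example, not from the advisory; sample entries are constructed data
modelled on the NT 4 default list. Live read uses the real "Machine" value."""
import sys

ALLOWED_PATHS_KEY = r"SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths"
# The path the advisory reports; AllowedPaths entries are written relative to HKLM.
INDEX_SERVER_PATH = r"System\CurrentControlSet\Control\ContentIndex\Catalogs"

def normalize(path):
    """Case-fold, drop an HKLM prefix and a trailing backslash so spellings compare equal."""
    p = path.strip().rstrip("\\")
    for hive in ("hklm\\", "hkey_local_machine\\"):
        if p.lower().startswith(hive):
            p = p[len(hive):]
    return p.lower()

def audit_allowed_paths(entries):
    """Return (exposed, hardened): entries that open the Catalogs key, and the list without them."""
    target = normalize(INDEX_SERVER_PATH)
    exposed = [e for e in entries
               if normalize(e) == target or normalize(e).startswith(target + "\\")]
    hardened = [e for e in entries if e not in exposed]
    return exposed, hardened

def read_live_allowed_paths():
    """On Windows, read the real 'Machine' value from the live registry; elsewhere return None."""
    if not sys.platform.startswith("win"):
        return None
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, ALLOWED_PATHS_KEY) as key:
        value, kind = winreg.QueryValueEx(key, "Machine")
    return list(value) if kind == winreg.REG_MULTI_SZ else None

# Constructed sample: an NT 4 style default list plus the entry Index Server 2.0 adds,
# spelled with the mixed case the advisory uses.
SAMPLE_ENTRIES = [
    r"System\CurrentControlSet\Control\ProductOptions",
    r"System\CurrentControlSet\Control\Print\Printers",
    r"System\CurrentControlSet\Services\Eventlog",
    r"Software\Microsoft\Windows NT\CurrentVersion",
    r"System\CurrentControlset\Control\ContentIndex\Catalogs",
]

if __name__ == "__main__":
    entries = read_live_allowed_paths() or SAMPLE_ENTRIES
    exposed, hardened = audit_allowed_paths(entries)
    print("exposed:", exposed)
    print("hardened list:", hardened)
```

Removing the entry only closes the remote path; the Everyone read permission on the Catalogs key that the advisory mentions is a separate setting to review.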