Windows Search 4.0 Policy and Security Overview

I wanted to create a quick post to highlight some of the key improvements in policy and security for Windows Search 4.0. We released Windows Search 4.0 for the desktop a few months back. To help get everyone up to speed on the versions, I wanted to outline a brief timeline of the different versions we have had:

  • WDS 2.5x and 2.6x: this was where Windows Search technologies first started getting deployments with corporate customers. They provided a search experience with fast performance and rich previews, while also offering easy deployment and management and corporate-class security.
  • WDS 3.0: 3.0, which also happens to be the same index as in Windows Vista, moved WDS to a system-level service instead of just a user experience. As a result of this move, the platform became extensible for all developers to build on, and users saw a marked increase in stability and performance.
  • Windows Vista: builds on the desktop search functionality in WDS for Windows XP, and also adds advanced functionality such as deeper search integration throughout the desktop experience, file tagging, advanced views, and more.
  • WDS 3.01 (2007): an incremental release to WDS 3.0. It is only available for Windows XP, and the main difference between 3.0 and 3.01 is that 3.01 offers some additional group policies.
  • Office 2007 and Outlook 2007: both feature integrated search capabilities directly within the applications themselves. These search experiences are powered by Windows Search and do not work unless you have Windows Desktop Search 3.0 or higher, or Windows Vista.

So that brings us to the most current version: Windows Search 4.0.  

Windows Search 4.0 is the next update for Windows XP and Windows Vista, and it brings some dramatic improvements in performance and IT management. The team has addressed several key customer concerns, including support for indexing encrypted files. Performance and stability were also key focus areas in this update. As you can see, the tool has quite a few excellent enhancements.

We have added several new group policy settings; below is a list of some of them:

Machine policies
  • Prevent adding UNC locations to index from Control Panel
  • Prevent automatically adding shared folders to the index
  • Allow indexing of encrypted files
  • Disable indexer back-off
  • Prevent clients from querying the index remotely
  • Allow indexing of delegate mailboxes
  • Prevent adding user-specified locations to the All Locations menu
  • Enable throttling for online mail indexing

Per-user policies
  • Prevent adding UNC locations to index from Control Panel
  • Prevent customizing indexed locations in Control Panel
  • Prevent indexing certain paths
  • Default indexed paths
  • Default excluded paths
  • Enable indexing of delegate stores

We have also taken into account many of the index security considerations. Windows Search 4.0 really does a great job around the privacy and security of the index. Here is a list of the main index security considerations:

  • Access Control Lists (ACLs) honored
  • Default content inclusions
    • Email, Documents and Settings
    • Shared folders
    • Group Policy Control for scope inclusions / blocks
  • Email Attachments
    • Indexed in a sandbox
    • Indexing can be disabled by group policy
  • Excludes potentially sensitive data
    • Internet cache
    • Contents of IRM-protected and password-protected files
  • Index file Protection by default
    • ACLs allowing access to BUILTIN\Administrators and NT AUTHORITY\SYSTEM
    • Obfuscated
    • Search service runs under the LocalSystem context
  • No personal information shared with MSFT
  • Consider full volume encryption
    • Recommend BitLocker or a third-party solution
  • Supports indexing encrypted documents (EFS)
    • Properties and content
    • User & Group Policy control
    • Consider full volume encryption on index files
  • Access restricted to local search
  • Smartcards
    • Cached certificate hash and SID
    • Requires caching-capable settings
    • Consider allowing user control
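As an added example (not part of the original post), the following PowerShell audits the registry values behind a few of the security-relevant policies listed above and checks the ACL on the index directory against the default described above (Administrators and SYSTEM). The registry path, the value names, the expected values and the index location are assumptions based on the Windows Search ADMX templates; verify them against your own templates before relying on the output.

```powershell
# Added example (not from the original post): audit Windows Search policy values
# and the ACL on the index directory. Registry path, value names and index
# location are assumed from the Windows Search ADMX; verify against your templates.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
$IndexDir  = Join-Path $env:ProgramData 'Microsoft\Search\Data'   # assumed default index location

# Value name -> value a hardened configuration is expected to have (assumed mapping).
$Expected = @{
    'AllowIndexingEncryptedStoresOrItems' = 0   # keep EFS-protected content out of the index
    'PreventRemoteQueries'                = 1   # access restricted to local search
    'PreventIndexingUncLocations'         = 1   # no UNC paths added from Control Panel
}

function Get-SearchPolicyFindings {
    param([string]$Key = $PolicyKey, [hashtable]$Want = $Expected)
    # A missing key or value means "not configured", which is reported for review.
    $present = if (Test-Path $Key) { Get-ItemProperty -Path $Key } else { $null }
    foreach ($name in $Want.Keys) {
        $actual = if ($present -and $present.PSObject.Properties[$name]) { $present.$name } else { 'not configured' }
        [pscustomobject]@{
            Setting  = $name
            Expected = $Want[$name]
            Actual   = $actual
            Status   = if ("$actual" -eq "$($Want[$name])") { 'OK' } else { 'REVIEW' }
        }
    }
}

function Get-IndexAclFindings {
    param([string]$Path = $IndexDir)
    if (-not (Test-Path $Path)) { return }
    # Any ACE granted to a principal other than these two deviates from the stated default.
    $allowed = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'
    (Get-Acl -Path $Path).Access |
        Where-Object { $allowed -notcontains $_.IdentityReference.Value } |
        ForEach-Object {
            [pscustomobject]@{
                Setting  = "ACL on $Path"
                Expected = ($allowed -join ', ')
                Actual   = "$($_.IdentityReference) : $($_.FileSystemRights)"
                Status   = 'REVIEW'
            }
        }
}

@(Get-SearchPolicyFindings) + @(Get-IndexAclFindings) | Format-Table -AutoSize
```

Run it from an elevated prompt so the ACL on the index directory can be read; rows marked REVIEW are the settings to compare against your organisation's policy for indexing encrypted content and remote access to the index.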