Prohibiting Index Server does not prevent information leakage in IIS 6.0




I was expecting that prohibiting Indexing Service under Web Service Extensions
would really prevent information leakage due to querying Indexing Service
through IIS 6.0. However, it actually does not.

The following is the step-by-step scenario:

1. Clean install Windows Server 2003
2. Install IIS 6.0
3. Install Indexing Service
4. Allow Indexing Service under Web Service Extensions
5. Default Web Site > Configure Server Extensions 2002

At this point you can query files indexed by the Indexing Service using the
SEARCH method. Here is an example:

SEARCH / HTTP/1.1
Host: localhost
Content-Type: text/xml
Connection: Keep-Alive
Content-Length: 143

<?xml version="1.0"?>
<D:searchrequest xmlns:D = "DAV:">
<D:sql>
SELECT "DAV:filename"
FROM SCOPE()
</D:sql>
</D:searchrequest>

The response should be in XML format, including the names of files under the
folder which is watched by the Web catalog of the Indexing Service.

6. Prohibit Indexing Service from Web Service Extensions. An alert will show
up and say:

If you prohibit Indexing Service, the following applications will be
prevented from running on your IIS Web server.
Frontpage Server Extensions
Frontpage Server Extensions 2002
Indexing Service

7. Now retry step 5. One expects that it should return either an error or
nothing at all. However, you get exactly the same response as you got in the
5th step.

You should stop the Web catalog to actually stop Indexing Service through IIS
6.0, or remove Server Extensions.

The Web Service Extensions panel is definitely misleading.


Omer Faruk Ozer
Researcher
National Research Institute of Electronics and Cryptology
P.O. Box 74, 41470 Gebze, KOCAELI, TURKEY

Phone : +90 262 648 16 21
Fax : +90 262 648 11 00
e-mail : faruk.ozer@xxxxxxxxxxxxxxxxxxxx
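
One way to check whether SEARCH queries like the one above are still being answered after the extension is prohibited is to scan the IIS W3C extended logs for the SEARCH method and its status code. This is an added example, not part of the original post; it assumes W3C logging with the cs-method and sc-status fields enabled, and the function name and log lines are constructed for illustration.

```python
# Added example: flag WebDAV SEARCH requests in IIS W3C extended logs.
# The log lines below are constructed sample data, not from a real server.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2005-03-01 10:00:01 192.0.2.10 GET /default.htm - 80 - 198.51.100.7 Mozilla/4.0 200 0 0
2005-03-01 10:00:05 192.0.2.10 SEARCH / - 80 - 198.51.100.7 - 207 0 0
2005-03-01 10:02:11 192.0.2.10 SEARCH / - 80 - 198.51.100.9 - 501 0 0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2005-03-02 08:15:40 198.51.100.7 SEARCH /docs 207
"""


def find_search_requests(log_text):
    """Return one dict per SEARCH request, honouring every #Fields directive."""
    fields, hits = [], []
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            # IIS rewrites this header whenever logging settings change.
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed record
        rec = dict(zip(fields, values))
        if rec.get("cs-method", "").upper() != "SEARCH":
            continue
        status = rec.get("sc-status", "")
        hits.append({
            "when": f"{rec.get('date', '?')} {rec.get('time', '?')}",
            "client": rec.get("c-ip", "?"),
            "uri": rec.get("cs-uri-stem", "?"),
            "status": status,
            # Assumption: a 2xx status (207 Multi-Status for WebDAV) means
            # the server returned results rather than refusing the query.
            "answered": status.startswith("2"),
        })
    return hits


if __name__ == "__main__":
    for hit in find_search_requests(SAMPLE_LOG):
        verdict = "ANSWERED" if hit["answered"] else "refused"
        print(f"{hit['when']} {hit['client']} SEARCH {hit['uri']} -> {hit['status']} ({verdict})")
```

Any SEARCH entry marked as answered after the extension was set to Prohibited indicates the Web catalog is still reachable through IIS.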


