Windows Search Pre-Installation Considerations

Applies To: Windows Server 2008

Before installing Windows® Search 4.0 (WS4), administrators must consider several factors, including the following:

  • International and Multilanguage Options

  • Security and Privacy

  • Group Policy Considerations

  • Searching Across the Enterprise

  • Network Performance

  • Outlook and Exchange

  • Terminal Servers

  • Add-ins and Extensions

In this section, we will look at these issues and discuss methods that you can use to ensure you have a successful and painless rollout.

International and Multilanguage Options

The user interface languages available from Windows® Search 4.0 differ by operating system. On Windows® Vista and Windows Server™ 2008, WS4 is available in 36 languages, and all language resources are available in the single standalone package (.msu). For Windows® XP and Windows Server™ 2003, there are 22 localized versions of WS4 with eight additional languages in Multilingual User Interface (MUI) packs which contain the English version of WS4. Users of the MUI pack can switch user interfaces according to their operating system language preference.

| Language (lang CPRLang) | Windows XP/Server 2003 Standalone x86 (32 bit) | Windows XP/Server 2003 Standalone x64 (64 bit) | Windows XP/Server 2003 MUI Pack | Vista SP1/Server 2008 MSU x86 (32 bit) and x64 (64 bit) |
|---|---|---|---|---|
| Arabic (ar-SA ARA) | | | | X |
| Brazilian Portuguese (pt-BR PTB) | X | | X | X |
| Bulgarian (bg-BG BGR) | | | X | X |
| Chinese – Simplified (zh-CN CHS) | X | X | X | X |
| Chinese – Hong Kong (zh-HK CHH) | | | | X |
| Chinese – Traditional (zh-TW CHT) | X | X | X | X |
| Croatian (hr-HR HRV) | | | X | X |
| Czech (cs-CZ CSY) | X | | X | X |
| Danish (da-DK DAN) | X | | X | X |
| Dutch (nl-NL NLD) | X | | X | X |
| English (en-US ENU) | X | X | Pre-installed | X |
| Estonian (et-EE ETI) | | | X | X |
| Finnish (fi-FI FIN) | X | | X | X |
| French (fr-FR FRA) | X | X | X | X |
| German (de-DE DEU) | X | X | X | X |
| Greek (el-GR ELL) | X | | X | X |
| Hebrew (he-IL HEB) | | | | X |
| Hungarian (hu-HU HUN) | X | | X | X |
| Italian (it-IT ITA) | X | X | X | X |
| Japanese (ja-JP JPN) | X | X | X | X |
| Korean (ko-KR KOR) | X | X | X | X |
| Latvian (lv-LV LVI) | | | X | X |
| Lithuanian (lt-LT LTH) | | | X | X |
| Norwegian - Bokmal (nb-NO NOR) | X | | X | X |
| Polish (pl-PL PLK) | X | | X | X |
| Portuguese (pt-PT PTG) | X | | X | X |
| Romanian (ro-RO ROM) | | | X | X |
| Russian (ru-RU RUS) | X | | X | X |
| Serbian-Latin (sr-Latn-CS SRL) | | | | X |
| Slovak (sk-SK SKY) | | | X | X |
| Slovenian (sl-SI SLV) | | | X | X |
| Spanish (es-ES ESN) | X | X | X | X |
| Swedish (sv-SE SVE) | X | X | X | X |
| Thai (th-TH THA) | | | X | X |
| Turkish (tr-TR TRK) | X | | X | X |
| Ukrainian (uk-UA UKR) | | | | X |

You can use the English administrative template (.adm) file to create Group Policy objects (GPO) for non-English users. For settings that require you to enter text, such as the name of the intranet scope, enter the information in the appropriate language.

Security and Privacy

Windows Search complies with the Windows Security model and is subject to frequent review. Microsoft Corporation has taken significant steps to help ensure the security of the index file. Windows Search runs as a system service; however, security trimming ensures users cannot access any data they do not have permission to see.

Index Security

Windows Search is designed to help ensure the security of the index files:

  • Windows Search does not make the computer’s content accessible to Microsoft or anyone else.

  • Windows Search installs the index files in the following location:

    • Windows XP and Windows Server 2003: %systemdrive%\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\

    • Windows Vista and Windows Server 2008: %systemdrive%\ProgramData\Microsoft\Search\Data\

  • The index files have the following protection by default:

    • Access Control Lists (ACLs) that only allow the BUILTIN\Administrators and NT Authority\System users access to the index.

    • Index files are lightly obfuscated.

Note

If the obfuscation is removed, meaningful data from documents can be extracted. The data structures of the index files do not lend themselves to easy reconstruction of a complete document. However, someone with enough tenacity and time could reconstruct the text for the majority of a document.

  • In Windows Vista, Windows XP and Windows Server 2003/2008, users can query remote, recognizable Vista or WS4 indices only if (1) the data is shared and (2) the querying user has access to the shared data.

  • Each user can search only his or her own files and files in shared locations, based on the ACLs set on individual files.

Encrypting Your Index

To encrypt the index file itself, we recommend that you encrypt the entire volume containing the index with BitLocker or another third-party full-volume encryption option. This provides strong protection against offline attacks; online attacks are still possible by users with administrator access.

While the Encrypting File System (EFS) can also be used, it is not recommended. The Windows Search service runs under the LocalSystem account and needs access to the index files. As a result, EFS keys associated with the LocalSystem account must be used to encrypt the index files. Consequently, the index files will be open to the following attacks:

  • Online: Any administrative user can gain access to the encrypted index files by simply impersonating the LocalSystem account.  (Existing tools on the web make this a trivial task.)

  • Offline: The key that is used by the LocalSystem account to decrypt files is stored on the machine in an obfuscated state. Someone with physical access to the machine can use existing tools on the web to retrieve this key and access the encrypted index files. 

Note

User files are encrypted with EFS keys associated with individual users. These files do not have the risk detailed above, because EFS keys are decrypted in a sequence that starts with a key derived from the user’s password.

You cannot encrypt the index files with any user’s certificate other than LocalSystem.

For more information about the type of protection provided by both EFS and BitLocker, see the Security Analysis document in the Data Encryption Toolkit for Mobile PCs.

For more information about BitLocker refer to Microsoft TechCenter’s Windows BitLocker Drive Encryption Step-by-Step Guide.
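
The following is an added example, not part of the original Microsoft guidance: a PowerShell check that compares the index directory with the defaults described under Index Security (access only for BUILTIN\Administrators and NT Authority\System) and counts files that carry the EFS attribute, which Encrypting Your Index advises against. The function name Test-SearchIndexProtection is hypothetical; the paths are the ones listed on this page, and the script assumes an elevated session.

```powershell
# Added example: compare the index directory with the defaults this page describes.
# Run from an elevated session; the directory is not readable by standard users.

# Well-known SIDs, used instead of account names so the check works on localized systems.
$AllowedSids = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544'   # BUILTIN\Administrators
)

# Index locations as given on this page (Vista/Server 2008 first, then XP/Server 2003).
$IndexPaths = @(
    (Join-Path $env:SystemDrive 'ProgramData\Microsoft\Search\Data'),
    (Join-Path $env:SystemDrive 'Documents and Settings\All Users\Application Data\Microsoft\Search\Data')
)

function Test-SearchIndexProtection {   # hypothetical helper name
    param([Parameter(Mandatory = $true)][string]$Path)

    $acl = Get-Acl -Path $Path
    # Resolve every explicit and inherited rule to a SID.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $unexpected = @($rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $AllowedSids -notcontains $_.IdentityReference.Value
    })

    # Items carrying the EFS attribute; the page advises against EFS for the index.
    $efsItems = @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Encrypted })

    New-Object PSObject -Property @{
        Path              = $Path
        MatchesDefaultAcl = ($unexpected.Count -eq 0)
        UnexpectedAllows  = @($unexpected | ForEach-Object {
            '{0} ({1})' -f $_.IdentityReference.Value, $_.FileSystemRights
        })
        EfsEncryptedItems = $efsItems.Count
    }
}

# On Vista and later the XP-style path is a junction to the same directory,
# so only the first location that exists is audited.
$IndexPaths | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1 |
    ForEach-Object { Test-SearchIndexProtection -Path $_ }
```

Any entry in UnexpectedAllows is an allow rule for a principal outside the two defaults and should be reviewed; a non-zero EfsEncryptedItems means the index is relying on LocalSystem EFS keys rather than full-volume encryption.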

Index Content

One index is maintained per computer so shared data stored on local drives is indexed only once. In addition, each user’s data is distinguishable by a unique user security identifier (SID), so users have access only to their own content. System administrators can use Group Policy to prevent specific paths or file types from being indexed.

Windows Search indexes information as follows:

  • By default, Windows Search indexes each user’s e-mail, Documents and Settings folders, and shared drives or folders (although Windows XP and Windows Server 2003 users can add custom locations like network shares). Indexing of shared folders can be turned off with Group Policy.

  • Windows Search does not index sensitive information, such as password-protected Office files.

  • Windows Search indexes e-mail and attachments in a secure environment. Indexing of attachments can be turned off with Group Policy.

  • The Windows Search index is updated automatically in the background when data is added, deleted, and modified.

For detailed information about how to use Group Policy with Windows Search, see the Group Policy for Windows Search section.

Group Policy Considerations

With Windows Search Group Policies, you can control the access each user group has to enterprise data. Group policies can (1) define default Windows Search settings the user can change and (2) enforce settings the user cannot change. Group Policy is supported by Windows Vista, Windows XP, and Windows Server 2003 with Windows Search 4.

To plan effective policies, your organizational units should be logically structured in terms of their requirements for accessing information. For example, the accounting department may have access to financial data requiring more security than the order fulfillment data accessed by the shipping and receiving department. Your data and user groups should be logically organized to get the most advantage of Windows Search’s Group Policy settings.

As in most software deployments, the more time spent organizing and planning how best to meet the different requirements of your users, the better the outcome will be. For detailed information about how to use Group Policy with Windows Search, see the Group Policy for Windows Search section.

Searching Across the Enterprise

IT administrators can use Group Policy settings to specify additional search locations. In Windows Vista, administrators can use the Start Menu Group Policy for Instant Search to do the following:

  • Change the default Internet search provider.

  • Add an intranet search location to users' search scope.

In Windows XP or Windows Server 2003, administrators can use the WS4 Group Policy template to define a primary intranet search location and any number of secondary intranet search locations like Microsoft Office SharePoint Server™ or Windows SharePoint Services™. Administrators can also allow or prevent users from starting Web searches from Windows Search using the default search provider associated with the users' default web browser. Once these policies are applied, users can do the following:

  • Start an intranet search from the Windows Deskbar or the Windows Search results view.

  • Switch between search results from the desktop, the intranet, and the Web from the Windows Search results view.

Users can also query shared remote locations. WS4 can query a remote machine's index for content from shared folders. Vista has remote querying enabled by default. To enable remote querying on Windows XP, Windows Home Server, and Windows Server 2003/2008:

  1. From the All Locations menu in the Windows Search user interface, click Add Location.

  2. Browse to the remote location, or type the path to the remote location.

  3. Click OK.

The new location appears at the bottom of the All Locations menu list. After entering a search in the search bar, users can change the search scope to their newly added location. We recommend that administrators use the IPSec security protocol to protect data on the wire in these circumstances. For more information on this protocol, refer to the IPSec documentation on TechNet: (https://technet.microsoft.com/en-us/network/bb531150.aspx).

Note

Shared folders are automatically added to users’ indexed locations. This automatic inclusion can be controlled with WS4 Group Policy.

For more information about Group Policy options, see the Group Policy for Windows Search section.

Network Performance

Enabling users to index network shares may temporarily increase the network traffic to these locations. The greatest impact on servers is seen while building the initial index, and less impact is seen during subsequent incremental updates. Windows Search uses back-off logic to mitigate network traffic, and Group Policy further controls what Windows Search can index. For example, you can set a policy that disables indexing network paths to high volume servers.

On Windows XP and Windows Server 2003, WS4 can index network shares, storing data in the local index. This functionality is enabled by the Add-in for Microsoft Networks that's included in the installation.

Windows Vista uses the Offline File Cache feature to achieve the same goal with less impact on network performance. WS4 indexes users’ Offline Files cache by default, so you can reduce network impact by having users take files offline for local indexing.

Before deploying Windows Search, IT administrators need to assess users' requirements for indexing network shares and to review the available Group Policy settings.

Outlook and Exchange

To keep a current index of all e-mail messages and attachments without excessively taxing the mail server, Windows Search 4.0 can index Microsoft Outlook content in both cached local and online mode but is configured by default not to index online.

If you run in cached local mode with Microsoft Office Outlook 2003 or later, WS4 indexes the e-mail messages and attachments stored locally on the user’s computer. Outlook receives new e-mail and other information from the Exchange server and saves the data in a local mail store file, which WS4 indexes. This type of indexing eliminates extra load on the Exchange server and reduces the network bandwidth.

If you run in online mode with Exchange 2000 or later, WS4 minimizes the impact on Exchange by reducing the number of Remote Procedure Calls (RPC) required to index e-mail messages and attachments. Also, because e-mail messages are indexed in native formats (HTML, RTF, and text), the server isn't required to convert mail types. WS4 indexes public folders only when they are cached locally. Furthermore, you can use a Group Policy setting that throttles back the indexer when indexing in online mode.

Important

When running in online mode, you must configure Windows Search 4.0 with Group Policy to index online Exchange folders. Unlike WDS 2.6.x, WS4 is configured by default not to index content on the Exchange server.

Additionally, since Outlook does not use the local index to provide search results, users in online mode experience slower response times. WS4 provides a faster experience when users search for their mail items within the Windows Search UI directly.

For more information about Group Policy options for Windows Search, see the Group Policy for Windows Search section. For more information about Group Policy options for Outlook, download the Outlook Resource Kit (ORK) for the version of Outlook you are using.

Terminal Servers

Windows Search can be installed on terminal servers. However, there are a couple of issues to be aware of when there are many users on the system simultaneously:

  • Indexer performance is reduced because it is backed off more often. For example, one user may be idle, but another user may generate a lot of CPU usage or I/O.

  • System performance may be affected, particularly in cases where users click the Index Now button.

You can use the Disable Indexer Backoff Group Policy for Windows Search setting to improve indexer performance during the initial indexing phase. We recommend that IT departments test these scenarios before deploying Windows Search.

Important

Windows Search does not support configuring the index file to be installed remotely. Therefore, true thin client installations are not supported.

Add-ins and Extensions

Windows Search can be extended with add-ins that allow indexing of new and proprietary file types and data sources. Some of these add-ins are developed by Microsoft and others are developed by third parties. Natively, Windows Search 4.0 indexes over 200 common file types on NTFS and FAT drives. Windows Search can also index digital cameras, card readers, thumb drives, and firewire drives as long as they identify themselves as removable drives.

For more information on default file types, file systems, and data sources supported by Windows Search, see the Extending Windows Search section of this guide. For a list of downloadable add-ins, visit the Windows Desktop Search: Personalize It page.

See Also

Concepts

Group Policy for Windows Search
Extending Windows Search
Windows Search 4.0 Troubleshooting Guide
Windows Search Version History

Other Resources

Encrypting File System Overview Web page
WDS Add-ins and Extensions (Personalize It)