Windows Indexing Features

Applies To: Windows 7, Windows Server 2008 R2

Windows® 7 offers a number of improvements in indexing and index security. This section of the Guide describes the Windows Search index, the indexing process, and security and management:

  • Contents of the Windows Search Index

  • Indexing Encrypted Files

  • Security and Privacy

  • Indexing Outlook and Exchange

  • Indexing TIFF Image Documents

  • Group Policies for Indexing

Contents of the Windows Search Index

One index is maintained per computer, so shared data stored on local drives is indexed only once. Each user’s data is tagged with that user’s security identifier (SID), so users can retrieve only content they are permitted to see. System administrators can use Group Policy to prevent specific paths or file types from being indexed.

Windows Search indexes information as follows:

  • By default, Windows Search indexes each user’s e-mail and Documents and Settings folders (users can add custom locations like network shares). Indexing of shared folders can be turned off with Group Policy.

  • Windows Search does not index password-protected Office files.

  • Windows Search indexes e-mail and attachments in a secure environment. Indexing of attachments can be turned off with Group Policy.

  • The Windows Search index is updated automatically in the background when data is added, deleted, and modified.

For detailed information about how to use Group Policy with Windows Search, see the Group Policy for Windows Search, Browse, and Organize section.

Tip

Windows 7 does not support indexing network shares locally, nor does it support the UNC Add-in for Microsoft Networks that shipped with earlier versions of Windows Search and Windows Desktop Search. For content to be searchable, it must reside either in the local index or on a computer that has a recognizable index of its own. On Windows XP and Windows Server 2003 that means Windows Search 4.0 (WS4); Windows Server 2008 and later include a compatible index.

Indexing Encrypted Files

Windows Search 4.0 and higher fully supports indexing encrypted files on local file systems, enabling users to index and search the properties and contents of encrypted files. Users can manually configure Windows Search to include encrypted files, or administrators can configure this with Group Policy. Windows Search ensures that only users with the correct permissions can search the content of encrypted files by honoring ACLs and by restricting access to users with decryption permissions for the files. Additionally, Windows Search restricts access to encrypted files to local searches only; Windows Search does not return encrypted files in search results when the query is initiated remotely.

Warning

Do not enable indexing of encrypted files unless the search index itself is protected with full-volume encryption. Encrypting the index file with EFS is possible but not recommended. See Encrypting the Index.

Smart Cards and Encryption

If you use smart card certificates to encrypt your files, Windows Search adds a cached copy of the certificate hash and its associated user SID to the index alongside the encrypted content. Therefore, you must retain the default setting for Create caching-capable user key from smart card under Encrypting File System Properties in Local Security Policy (secpol.msc).

Using Group Policy to activate encrypted file indexing with smart cards is not recommended unless, as a standard practice, smart cards are always inserted. The search indexer polls for certificate hash changes approximately every three minutes, and if the smart card is not present, some users’ files will not be indexed for a lengthy period. Therefore, we recommend that you retain the default Not Configured state for the Group Policy setting and let users manually activate encrypted file indexing, which prompts them for their smart cards.

For instructions, please see How to Include Encrypted Files in the Index.

Security and Privacy

Windows Search complies with the Windows Security model and is subject to frequent review. Microsoft Corporation has taken significant steps to help ensure the security of the index file. Windows Search runs as a system service; however, security trimming ensures users cannot access any data they do not have permission to see.

Index Security

Windows Search is designed to help ensure the security of the index files:

  • Windows Search does not make the computer’s content accessible to Microsoft or anyone else.

  • Windows Search installs the index files in the following location: %systemdrive%\ProgramData\Microsoft\Search\Data\

  • The index files have the following protection by default:

    • Access Control Lists (ACLs) that allow only BUILTIN\Administrators and NT AUTHORITY\SYSTEM access to the index.

    • Index files are lightly obfuscated.

Note

If the obfuscation is removed, meaningful data from documents can be extracted. The data structures of the index files do not lend themselves to easy reconstruction of a complete document. However, someone with enough tenacity and time could reconstruct the text for the majority of a document.

  • In Windows 7, Windows Vista®, Windows XP, and Windows Server 2003/2008, users can query remote, recognizable Vista or Windows Search 4 indices only if (1) the data is shared and (2) the querying user has access to the shared data.

  • Each user can search only his or her own files and files in shared locations, based on the ACLs set on individual files.
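The ACL stated above is easy to verify rather than assume. The following PowerShell script is an added example, not code from the original topic: it reads the ACL on the index directory and reports any principal other than BUILTIN\Administrators and NT AUTHORITY\SYSTEM, plus whether inheritance is still enabled (an inherited grant added later on ProgramData would silently widen access). It assumes the live index location is stored in the DataDirectory value under HKLM\SOFTWARE\Microsoft\Windows Search and falls back to the default path given above if that value is missing; run it from an elevated prompt.

```powershell
# Added example (not part of the original topic): audit the ACL on the Windows Search
# index directory against the documented default (Administrators and SYSTEM only).
# Assumption: the DataDirectory value under HKLM\SOFTWARE\Microsoft\Windows Search
# records the index location; fall back to the default path if it is absent.
# Written for PowerShell 2.0 (Windows 7 default), so no [pscustomobject] casts.

function Get-SearchIndexPath {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows Search'
    $dir = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).DataDirectory
    if (-not $dir) { $dir = Join-Path $env:SystemDrive 'ProgramData\Microsoft\Search\Data' }
    return [Environment]::ExpandEnvironmentVariables($dir).TrimEnd('\')
}

function Test-SearchIndexAcl {
    param(
        [string]$Path = (Get-SearchIndexPath),
        # The only principals the topic says should have access by default.
        [string[]]$Allowed = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    )
    $acl = Get-Acl -Path $Path
    $findings = @()

    foreach ($ace in $acl.Access) {
        $who = $ace.IdentityReference.Value
        if ($Allowed -notcontains $who) {
            $findings += New-Object PSObject -Property @{
                Path      = $Path
                Identity  = $who
                Rights    = $ace.FileSystemRights
                Type      = $ace.AccessControlType
                Inherited = $ace.IsInherited
            }
        }
    }

    # Inheritance left enabled means a later ACL change on a parent folder can widen
    # access to the index, so report it even when the current ACEs look right.
    if (-not $acl.AreAccessRulesProtected) {
        $findings += New-Object PSObject -Property @{
            Path      = $Path
            Identity  = '(inheritance enabled)'
            Rights    = $null
            Type      = 'Warning'
            Inherited = $true
        }
    }
    return $findings
}

$unexpected = @(Test-SearchIndexAcl)
if ($unexpected.Count -eq 0) {
    Write-Host 'Index ACL matches the documented default (Administrators and SYSTEM only).'
} else {
    Write-Warning 'Unexpected access to the search index:'
    $unexpected | Format-Table Path, Identity, Rights, Type, Inherited -AutoSize
}
```

Any extra identity in the output deserves an explanation before the index is trusted, because the obfuscation described in the Note above is the only other barrier between that principal and the indexed document text.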

Encrypting the Index

To encrypt the index file itself, we recommend that you encrypt the entire volume containing the index with BitLocker or another third-party full-volume encryption product. This provides strong protection against offline attacks; online attacks remain possible for users with administrator access. BitLocker Drive Encryption protects against data theft by encrypting operating system and data volumes, and in Windows 7 it also works on removable drives. If you protect data volumes with BitLocker, we strongly recommend protecting the operating system volume as well.

While the Encrypting File System (EFS) can also be used, it is not recommended. The Windows Search service runs under the LocalSystem account and needs access to the index files. As a result, EFS keys associated with the LocalSystem account must be used to encrypt the index files. Consequently, the index files are open to the following attacks:

  • Online: Any administrative user can gain access to the encrypted index files by simply impersonating the LocalSystem account. (Existing tools on the web make this a trivial task.)

  • Offline: The key that is used by the LocalSystem account to decrypt files is stored on the machine in an obfuscated state. Someone with physical access to the machine can use existing tools on the web to retrieve this key and access the encrypted index files. 

Note

Users’ files are encrypted with EFS keys associated with individual users. These files are not exposed to the risk described above, because the chain of EFS keys protecting them begins with a key derived from the user’s password.

You cannot encrypt the index files with any certificate other than the LocalSystem account’s.

For more information about the type of protection provided by both EFS and BitLocker, see the Security Analysis document in the Data Encryption Toolkit for Mobile PCs.

For more information about BitLocker refer to Microsoft TechNet’s Windows BitLocker Drive Encryption Step-by-Step Guide.
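The Warning in Indexing Encrypted Files and the recommendations in this section combine into one machine-level check: encrypted-file indexing should be on only if the volume holding the index is protected by full-volume encryption, and the index directory itself should not be EFS-encrypted. The following PowerShell script is an added example, not code from the original topic. It assumes that the Group Policy setting that allows indexing of encrypted files is stored as the DWORD AllowIndexingEncryptedStoresOrItems under HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search (confirm against the Search.admx template), that the index location is the DataDirectory value under HKLM\SOFTWARE\Microsoft\Windows Search, and that manage-bde.exe is available to report BitLocker status. It does not see the per-computer manual setting a user can make in Indexing Options, only the policy.

```powershell
# Added example (not part of the original topic): flag the combination the topic
# rules out, namely encrypted-file indexing enabled while the volume holding the
# index is not BitLocker-protected, and flag an EFS-encrypted index directory.
# Assumptions: policy value AllowIndexingEncryptedStoresOrItems (confirm in
# Search.admx); index location in the DataDirectory registry value; manage-bde.exe
# present. Run from an elevated PowerShell prompt.

function Get-SearchIndexPath {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows Search'
    $dir = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).DataDirectory
    if (-not $dir) { $dir = Join-Path $env:SystemDrive 'ProgramData\Microsoft\Search\Data' }
    return [Environment]::ExpandEnvironmentVariables($dir).TrimEnd('\')
}

function Get-EncryptedFileIndexingPolicy {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
    $v = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).AllowIndexingEncryptedStoresOrItems
    if ($null -eq $v) { return 'Not configured' }
    if ($v -eq 1)     { return 'Enabled' }
    return 'Disabled'
}

function Get-BitLockerProtection {
    param([string]$Volume)   # e.g. 'C:'
    try {
        $out = & manage-bde.exe -status $Volume 2>&1
    } catch {
        return 'manage-bde unavailable'
    }
    # manage-bde prints a line such as "Protection Status: Protection On".
    $m = $out | Select-String -Pattern 'Protection Status:\s*(.+)$' | Select-Object -First 1
    if ($m) { return $m.Matches[0].Groups[1].Value.Trim() }
    return 'Unknown'
}

function Test-EncryptedIndexSafety {
    $index  = Get-SearchIndexPath
    $volume = [System.IO.Path]::GetPathRoot($index).TrimEnd('\')
    $policy = Get-EncryptedFileIndexingPolicy
    $bde    = Get-BitLockerProtection -Volume $volume
    # The Encrypted attribute on the directory means EFS is in use for the index,
    # which the topic recommends against because the key belongs to LocalSystem.
    $efs    = ((Get-Item -Path $index).Attributes -band [IO.FileAttributes]::Encrypted) -ne 0

    return New-Object PSObject -Property @{
        IndexPath             = $index
        IndexVolume           = $volume
        EncryptedFileIndexing = $policy
        IndexVolumeBitLocker  = $bde
        IndexDirectoryEfs     = $efs
        Unsafe                = ($policy -eq 'Enabled' -and $bde -ne 'Protection On')
    }
}

$r = Test-EncryptedIndexSafety
$r | Select-Object IndexPath, IndexVolume, EncryptedFileIndexing, IndexVolumeBitLocker, IndexDirectoryEfs, Unsafe | Format-List
if ($r.Unsafe) {
    Write-Warning ("Encrypted files are indexed but BitLocker reports '{0}' for {1}: " -f $r.IndexVolumeBitLocker, $r.IndexVolume) +
                  'enable BitLocker on the index volume or disable the policy.'
}
if ($r.IndexDirectoryEfs) {
    Write-Warning 'The index directory is EFS-encrypted under LocalSystem; the topic recommends BitLocker instead.'
}
```

A result of Not configured for the policy is not by itself a clean bill of health: a user may still have enabled encrypted-file indexing manually in Indexing Options, so on machines where that is permitted the BitLocker status of the index volume is the line that matters.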

Utilizing BitLocker to protect the Index files

BitLocker Drive Encryption protects against data theft by encrypting operating system and data volumes. In Windows 7, BitLocker Drive Encryption also works on removable drives.

This section explores how Windows Explorer, the Library Management dialog, and the Windows Search indexer work with BitLocker-protected drives. For more information on how BitLocker works and how to configure it, refer to the BitLocker resources listed under Other Resources at the end of this topic.

Drives on a system can have the following states with respect to BitLocker:

  • BitLocker Off – Drive not encrypted for use with BitLocker.

  • BitLocker On – Drive encrypted for use with BitLocker.

  • BitLocker Locked – The encrypted drive is attached to the computer, but the authentication required to unlock it has not been performed. The drive is visible, but its contents are not.

Windows Explorer: In Windows 7, Windows Explorer displays the BitLocker state of the drives on a system in the Details pane. The right-click context menu offers the following BitLocker options:

  • Unlock Drive: selecting this option lets users unlock the BitLocker-protected drive.

  • Manage BitLocker: selecting this option brings up the Control Panel Applet to Configure BitLocker on drives on a system.

Libraries: In Windows 7, users can add both locked and unlocked BitLocker drives as library locations. Users can right-click drives in the Library Management dialog and unlock BitLocker-protected drives just as they would in Windows Explorer. Adding locations from an already unlocked BitLocker drive is the same as adding any other supported library location. Locking or unlocking BitLocker drives that are part of a library does not remove them from the library; users must remove these locations manually in the Library Management dialog.

Search: Searching across BitLocker-protected drives is similar to searching external drives or network locations. Results from a locked BitLocker drive are not displayed while the drive is locked, because a locked drive is treated as offline: its contents cannot be read.

Indexing Options Control Panel: The Indexing Options Control Panel treats BitLocker drive states (Off, On, Locked) similar to external drive states (Available, Unavailable). The following table describes the mapping between the BitLocker drive states and the Indexing Control Panel states.

BitLocker drive state            Indexing Options Control Panel state
BitLocker Off                    Available
BitLocker On, drive unlocked     Available
BitLocker On, drive locked       Unavailable

Indexing Outlook and Exchange

To keep a current index of all e-mail messages and attachments without excessively taxing the mail server, Windows Search can index Microsoft Office Outlook content in both cached (local) and online mode, but it is configured by default not to index in online mode.

If you run in cached local mode with Microsoft Office Outlook 2003 or later, Windows Search indexes the e-mail messages and attachments stored locally on the user’s computer. Outlook receives new e-mail and other information from the Exchange server and saves the data in a local mail store file, which Windows Search indexes. This type of indexing eliminates extra load on the Exchange server and reduces network bandwidth usage.

If you run in online mode with Exchange 2000 or later, Windows Search minimizes the impact on Exchange by reducing the number of Remote Procedure Calls (RPC) required to index e-mail messages and attachments. Also, because e-mail messages are indexed in native formats (HTML, RTF, and text), the server isn't required to convert mail types. Windows Search indexes public folders only when they are cached locally. Furthermore, you can use a Group Policy setting that throttles back the indexer when indexing in online mode.

Important

When running in online mode, you must configure Windows Search with Group Policy to index online Exchange folders. Unlike earlier versions of Windows Search or Windows Desktop Search, Windows 7 is configured by default not to index content on the Exchange server. Additionally, since Outlook does not use the local index to provide search results, users in online mode experience slower response times. Windows Search provides a faster experience when users search for their mail items within the Windows Search user interface directly.

For more information about Group Policy options for Windows Search, see the Group Policy for Windows Search, Browse, and Organize section. For more information about Group Policy options for Outlook, download the Outlook Resource Kit (ORK) for the version of Outlook you are using.

Note

The current version of the Lotus add-in for Windows Search was released in August 2007 and was developed for Windows XP (32-bit) and Lotus Notes 6.x-7.x. It is not supported on later versions of Lotus Notes, such as Lotus Notes 8.0.

Indexing TIFF Image Documents

Windows 7 enables users to search TIFF image documents by their textual content. This relies on OCR (Optical Character Recognition) processing of the TIFF images and indexing of the recognized text. TIFF content indexing is not enabled by default because OCR processing of TIFF images takes significant processing time; enable it only if you need to search the contents of TIFF image documents. All TIFF documents compliant with the TIFF 6.0 specification are supported, which covers the most common compressions (LZW, JPEG, CCITT, and so on).

When TIFF content indexing is not enabled, only the basic properties of the document are indexed, such as file name, size, and date modified.

For information on enabling TIFF indexing, see How to Enable TIFF Content Indexing.

Tip

Group Policy settings for the Windows TIFF IFilter enable the control of the language dictionary that the OCR process uses. To improve OCR processing speed, ensure that the OCR engine is aware of the languages used in the text that it is processing. By default, the Windows TIFF IFilter uses the default system language to determine which language dictionary to use during the OCR process. If the language in TIFF image documents differs from the system default language, the OCR search result set is degraded. For more information, see Set OCR languages from a code page in the Group Policy for Windows Search, Browse, and Organize section.

Search Quality Considerations

This feature is intended for use with textual documents, meaning that the search is more successful for documents that contain clearly identifiable text (such as black text on white background) and less successful for documents with mixed content (such as artistic text or text in pictures). Moreover, low quality images and mixed languages can have a negative impact on OCR processing and consequently on the search results’ quality.

Group Policies for Indexing

The Windows Search 4.0 Administrators Guide documents most of the indexer-specific Group Policy settings available in Windows 7. New indexer-specific Group Policy settings in Windows 7 include the following:

More information on Group Policies can be found in Group Policy for Windows Search, Browse, and Organize.
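This topic refers to several Group Policy controls over the indexer (excluded paths and file types, e-mail attachments, uncached Exchange folders, encrypted files) without showing how to confirm what is in force on a given computer. The following PowerShell script is an added example, not code from the original topic: it reads the machine-level Windows Search policy values and reports each as Enabled, Disabled or Not configured, and lists any excluded paths. The registry value names are taken from the Search.admx template as I recall them and are not listed on this page, so confirm them against the ADMX in your central store before relying on the output.

```powershell
# Added example (not part of the original topic): report the machine-level Windows
# Search policy values that implement the indexing controls this topic mentions.
# Assumption: value names as in Search.admx (verify against your ADMX); policies
# live under HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search.
# Written for PowerShell 2.0 (Windows 7 default).

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'

function Get-SearchIndexingPolicy {
    $props = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

    # DWORD policies: 1 = Enabled, 0 = Disabled, absent = Not configured.
    $names = @(
        'PreventIndexingEmailAttachments',        # attachments (see Contents of the Index)
        'PreventIndexingOutlook',                 # Outlook content as a whole
        'PreventIndexingUncachedExchangeFolders', # online-mode Exchange folders
        'PreventIndexingPublicFolders',           # public folders
        'AllowIndexingEncryptedStoresOrItems',    # encrypted files (see the Warning)
        'PreventIndexOnBattery'                   # indexer back-off on battery
    )
    foreach ($n in $names) {
        $v = if ($props) { $props.$n } else { $null }
        $state = if ($null -eq $v) { 'Not configured' } elseif ($v -eq 1) { 'Enabled' } else { 'Disabled' }
        New-Object PSObject -Property @{ Setting = $n; State = $state }
    }

    # Excluded paths are string values under a subkey, one value per path rule.
    $pathsKey = Join-Path $policyKey 'PreventIndexingCertainPaths'
    if (Test-Path -Path $pathsKey) {
        $p = Get-ItemProperty -Path $pathsKey
        foreach ($prop in $p.PSObject.Properties) {
            # Skip the PS* metadata properties Get-ItemProperty adds.
            if ($prop.Name -notmatch '^PS') {
                New-Object PSObject -Property @{ Setting = "Excluded path: $($prop.Name)"; State = $prop.Value }
            }
        }
    }
}

Get-SearchIndexingPolicy | Select-Object Setting, State | Format-Table -AutoSize
```

Run this on a domain-joined Windows 7 computer after gpupdate to see the effective indexer policy; a setting that shows Not configured is left to the defaults described in this topic (for example, online Exchange folders are not indexed unless the policy enables them).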

See Also

Concepts

Windows Browse and Organize Features
Windows Search Features
Windows Indexing Features
Federated Search Features
Administrative How-to Guides
Group Policy for Windows Search, Browse, and Organize
Additional Resources for Windows Search, Browse, and Organization

Other Resources

https://support.microsoft.com/kb/936209
Microsoft TechNet FAQ on BitLocker
Microsoft TechNet Articles on BitLocker