Plan secure configurations for Search Server 2008 features

Search Server 2008

Updated: July 13, 2009

Applies To: Microsoft Search Server 2008


Topic Last Modified: 2009-08-04

Unless otherwise noted, the information in this article applies to both Microsoft Search Server 2008 and Microsoft Search Server 2008 Express.

Use this article to find recommendations for configuring and managing Microsoft Search Server 2008 features in a more secure manner. You will usually perform the recommended configurations in Central Administration, instead of in the network, operating system, Internet Information Services (IIS), or the Microsoft .NET Framework. The recommendations in this article are appropriate for the following security environments:

  • Internal team or department

  • External secure access

  • External anonymous access

For more information about these environments, see Choose the security environment (Search Server 2008).

The following table describes more secure recommendations for Search Server 2008 features.


Feature or area Description and recommendation


  • Do not use client-side automatic logon when you are using the Central Administration site.

  • Allow only front-end Web server computers to perform authentication of users. Do not enable end-user accounts or groups to authenticate against the database server computer.


Assign permissions to groups instead of individual accounts.

Permission levels

Assign users the least permissions that are required to complete their tasks.


Use access permissions to help secure the Central Administration site and let administrators connect to the site remotely, instead of enabling the Central Administration site for local computer use only. This removes the requirement that administrators log on locally to the computer that is hosting Central Administration. Configuring Terminal Services access to the computer creates a larger security risk than leaving the Central Administration Web site available for remote access.

Web Part storage and security

  • Ensure that you deploy only trusted code to your server farm. All code, XML, or ASP.NET code that you deploy should be from a trusted source, even if you intend to tighten security after deployment with defense-in-depth measures such as code access security.

  • Ensure that the SafeControl list in the Web.config file contains the set of controls and Web Parts that you want to enable.

  • Ensure that custom Web Parts that you plan to reinforce with defense-in-depth measures are installed into the bin directory of the Web application (where partial trust is turned on), with specific permissions for each assembly.

  • Consider removing the Content Editor Web Part from the SafeControl list. This prevents users from adding JavaScript into the page as a Web Part and using JavaScript that is hosted on external servers.

  • Ensure that appropriate people in your organization are granted the Design and Contribute permission levels in your site. In Search Server 2008 the default end-user site is the Search Center. A user who has the Contribute permission level can upload Active Server Page Extension (ASPX) pages to a library and add Web Parts. Users with the Design permission level, who can add Web Parts, can edit pages. This includes the home page on your site (Default.aspx).


  • The default content access account must not be a member of the Farm Administrators group; otherwise, the Search Server 2008 Search service indexes unpublished versions of documents.

  • Ensure that additional IFilters and word breakers that you deploy are trusted by the IT team.

  • By default, the search index file is accessible only by members of the Farm Administrators group. Ensure that this file cannot be accessed by users who do not belong to this group. The index file is, by default, located in the C:\Indexes\Office Server\Applications folder.

Self-service site creation

You can use the Self-Service Site Management page to let users automatically create and manage their own top-level Web sites. If the Search Server system is primarily intended for search and not collaboration, you should turn off self-service site creation. If you want to use the collaboration features that are available in Search Server 2008, consider the following points before you enable self-service site creation.

When you enable self-service site creation for a Web application, users can create their own top-level Web sites under a specific path (by default, the /sites path). When self-service site creation is enabled, an announcement is added to the top-level site at the root path of the Web application, and users who have permissions to view that announcement can link to the new site.

Whether you should enable self-service site creation depends on the environment:

  • Intranet environment Enable self-service site creation according to business need.

  • Secure collaboration environment Enable self-service site creation only for people or groups that have a business need for this feature.

  • External anonymous environment Do not enable self-service site creation on the Internet.