Is Windows Explorer file search feature a security risk?

[mikesw]

The local library has Windows XP Prof SP2 with all the patches (I presume). However,

when using an external USB hard drive of 40-80 Gigs, one can't search for a file on the drive

using Windows Explorer's file search feature since it has been disabled by the admin.

When I raised the issue of why I'm not allowed to search for files on my external drive, I've

been told that the 'search' feature is a security hole that allows one to worm their way into the

OS filesystem on drive C: which is currently not accessible by any non-admin type.

Thus, I'm relegated to looking for a file on a per-directory basis which takes forever.....

Does anyone know if the reason above is valid for Windows XP and that a security hole

exists? Was this the case at one time, but now has been fixed by a hotfix? What would

be the KB number?

[cluberti]

It's only a security risk if filesystem permissions let you do things on said filesystem you should otherwise not be allowed. However, there can be a perceived risk in that you can potentially search and discover files on disk that you do not have access to with your account. You most likely cannot do anything with these files, as their NTFS permissions will decide what you can and cannot do, but unless you've been explicitly denied the right to read certain locations on disk (and this is not a good idea on most places on the OS volume), it can look like a risk.

As to external drives, all bets are off when it comes to searching those - most are not formatted NTFS (so no built-in security for the filesystem), and those that are formatted NTFS can travel from machine to machine, meaning security can be bypassed at another machine not under the admin's control. That I can understand.