Share via


Security considerations for search (Search Server 2008)

Applies To: Microsoft Search Server 2008

 

Topic Last Modified: 2008-10-02

Microsoft Search Server 2008 uses a technique, sometimes called security trimming, to ensure that users do not see content or links to content that they do not have permissions to view. However, when using either the Office SharePoint Server Search or Windows SharePoint Services Help Search service to perform search queries, certain conditions can exist in which users might see links to content that they do not have permission to access. While they will not be able to use the link on the search results page to view the content, the links that appear on the search results page might be accompanied by text that discloses information the users should not see. This article describes the conditions in which this can occur and how to avoid them.

Sharing data across Web parts

When sharing data between Web parts, to avoid the risk of disclosing information that users should not see in search results pages, we recommend that you do not use fine-grained permissions. Instead, set permissions only at the site or site collection level and do not share data with a Web part that is contained by a page that has different permissions than any of the data being shared.

Note

Permissions can be set at the site, list and library, or item levels.

If you must use fine grained permissions, do not share data between Web parts. If this cannot be avoided either, do not crawl this content. See the following section for information about excluding content from being crawled.

If you have already crawled the content, consider removing it from the index.

Exclude content from a crawl

Site owners and designers can exclude content from being crawled that may pose an information disclosure risk in any of the following ways:

  • Designers can add the <META NAME="ROBOTS" CONTENT="NOHTMLINDEX"/> element manually to all pages that they don't want the index server to crawl.

  • At the site level, use the Search Visibility page (accessed through the Site Settings page) to prevent the index server from crawling a particular site. You can optionally use this page to specify one of the following:

    • Do not index ASPX pages if this site contains fine-grained permissions

    • Always index all ASPX pages on this site

    • Never index any ASPX pages on this site

  • At a list or library level, use the following procedure to specify that content in a list or library does not appear in search results.

    Exclude content from a list or library from search results

    1. In the list or library that contains content that you do not want to appear in search results, on the Settings menu, click <Library type> Library Settings or List Settings.

    2. In the General Settings section, click Advanced Settings.

    3. In the Search section, select No and then click OK.