When Index Server is first installed, the catalog is set up with an Access Control List (ACL) that allows only system administrators and system services to access it. In part, this assures that if the catalog directory is contained within a virtual root, unauthorized users will not see the files in the catalog as part of their query. The protection on the catalog directory is also important to prevent unauthorized users (who might have access to the server by use of file-server shares) from seeing the contents of the catalog. Although the information in the catalog is in a form that would be difficult for someone without knowledge of the file formats to decipher, it is possible to read the content of files on the server by examining the catalog.
If an additional catalog directory is created manually, care should be taken to ensure that it and the files created in it have appropriate access controls. A catalog directory should allow access for administrators and for the System account. Index Server runs as a service, so System access is required.