Limiting Remote Registry Access

In Windows NT 3.51 and earlier, any user could access the Registry on any machine over the network. From a security standpoint, this was much too liberal; NT 4.0 (and 3.51 with SP4 or SP5) defaults to allowing only members of the Administrators group to access the Registry remotely. This is considerably more secure than the original permissions.

However, this setting may not suit your environment. Sometimes allowing any member of the Administrators group access is still too permissive, since some high-value machines may warrant the added security of allowing only a single account or group to access their registries over the network. Conversely, you may want to proactively allow other users and groups to remotely connect to, and edit, Registry data on some machines.

Turning Off Remote Access Entirely

Windows 2000 introduces a new system service (the Remote Registry Service) that actually handles remote requests for Registry access. If you turn this service off, no incoming requests are accepted, period. By default, the service is started automatically at boot time, but if you disable it using the Computer Management snap-in (or stop it manually), no one can connect remotely and flip through your Registry.

Limiting Access to Authorized Users

In Windows 2000 and NT 4.0 , you can control which users, groups, and services may access the Registry on a particular machine by setting the ACL for a single Registry key, namely HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg. ...

Get Managing The Windows 2000 Registry now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.