Managing The Windows 2000 Registry by Paul Robichaux

Fixing Registry Security ACLs in Windows NT

Every key in the Registry has an ACL. Unfortunately, many of those ACLs are unnecessarily permissive. For example, by default the Everyone account has write access to several keys that allow untrusted users to execute arbitrary programs--never a good idea. You can significantly improve your NT security posture by paying careful attention to a few simple steps.

Tip

These steps aren’t necessary in Windows 2000 because Microsoft has changed its default Registry ACLs to be more restrictive. Furthermore, you can use the Security Configuration Manager to apply even more restrictive settings by applying a particular security template.

First, a brief digression: every authenticated user is automatically a member of the Everyone group. On machines running NT 4.0 SP3 or later, these users are also members of the Authenticated Users group. Everyone also includes anonymous and guest accounts, though, so in general it’s a wise idea to never grant Everyone:Full Control access to anything if you can prevent it.

On to the actual steps. First of all, apply the changes suggested earlier in the section "Limiting Remote Registry Access." Once you’ve done so, make sure that Everyone has only Read access on HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths. This prevents an interloper from inserting her own allowed paths for anonymous access.
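One way to verify the AllowedPaths permission described above, as an added example that is not from the book: it assumes a Windows system with PowerShell 3.0 or later (which postdates NT 4.0) and a session that can read the key's ACL. The function name `Get-EveryoneExcessRight` is hypothetical; the key path is the one named in the text.

```powershell
# Added example: report any rights beyond Read that Everyone holds on winreg\AllowedPaths.
$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths'

function Get-EveryoneExcessRight {   # hypothetical helper name
    param([Parameter(Mandatory = $true)][string]$Path)

    # Match Everyone by its well-known SID (S-1-1-0) so localized group names don't matter.
    $everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
    # ReadKey = QueryValues + EnumerateSubKeys + Notify + ReadPermissions.
    $readOnly = [int][System.Security.AccessControl.RegistryRights]::ReadKey

    $acl   = Get-Acl -Path $Path
    # Ask for explicit and inherited rules, with identities returned as SIDs.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -ne $everyone.Value) { continue }
        if ($rule.AccessControlType -ne 'Allow') { continue }   # Deny entries only restrict

        # Any bit set outside the ReadKey mask is more than Read.
        # ACEs written with generic rights show up here as raw values for manual review.
        $excess = [int]$rule.RegistryRights -band (-bnot $readOnly)
        if ($excess -ne 0) {
            [pscustomobject]@{
                Key        = $Path
                Rights     = $rule.RegistryRights
                ExcessMask = '0x{0:X8}' -f $excess
                Inherited  = $rule.IsInherited
            }
        }
    }
}

$findings = @(Get-EveryoneExcessRight -Path $keyPath)
if ($findings.Count -eq 0) {
    "OK: Everyone has no more than Read on $keyPath"
} else {
    # Inherited = True means the fix belongs on a parent key, not this one.
    $findings | Format-Table -AutoSize
}
```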

Next, follow Microsoft’s suggestions from knowledge base article Q126713 and tighten the permissions ...