Fixing Registry Security ACLs in Windows NT

Every key in the Registry has an ACL. Unfortunately, many of those ACLs are unnecessarily permissive. For example, by default the Everyone account has write access to several keys that allow untrusted users to execute arbitrary programs, which is never a good idea. You can significantly improve your NT security posture by paying careful attention to a few simple steps.

These steps aren’t necessary in Windows 2000 because Microsoft has changed its default Registry ACLs to be more restrictive. Furthermore, you can use the Security Configuration Manager to apply even more restrictive settings by applying a particular security template.

First, a brief digression: every authenticated user is automatically a member of the Everyone group. On machines running NT 4.0 SP3 or later, these users are also members of the Authenticated Users group. Everyone also includes anonymous and guest accounts, though, so in general it’s a wise idea to never grant Everyone:Full Control access to anything if you can prevent it.

On to the actual steps. First of all, apply the changes suggested earlier in the section Limiting Remote Registry Access. Once you’ve done so, make sure that Everyone has only Read access on HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths. This prevents an interloper from inserting her own allowed paths for anonymous access.

Next, follow Microsoft’s suggestions from knowledge base article Q126713 and tighten the permissions ...
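As an added audit example (not from the book), the PowerShell below reports whether the Everyone group holds anything beyond Read on a registry key, seeded with the AllowedPaths key from the step above. It assumes a Windows host where PowerShell is available; the key list, the write-class rights mask and the function name are my own choices.

```powershell
# Added example: flag ACEs that grant Everyone (SID S-1-1-0) more than Read on registry keys.
# Assumes PowerShell on Windows; run elevated so Get-Acl can read every key's full ACL.
# It only reports; changing the ACL is left to the administrator.

$KeysToAudit = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths'
)

# Anything in this mask goes beyond ReadKey (QueryValues, EnumerateSubKeys, Notify, ReadPermissions).
# FullControl contains all of these bits, so Everyone:Full Control is caught as well.
$WriteClassRights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
                    [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
                    [System.Security.AccessControl.RegistryRights]::CreateLink -bor
                    [System.Security.AccessControl.RegistryRights]::Delete -bor
                    [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
                    [System.Security.AccessControl.RegistryRights]::TakeOwnership

function Test-EveryoneReadOnly {
    param([Parameter(Mandatory)][string]$KeyPath)

    if (-not (Test-Path -Path $KeyPath)) {
        Write-Warning "Key not found: $KeyPath"
        return
    }

    $acl = Get-Acl -Path $KeyPath
    foreach ($ace in $acl.Access) {
        # Compare by SID so the check does not depend on the localized group name.
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        if ($sid.Value -ne 'S-1-1-0') { continue }
        # Deny ACEs cannot grant access, so only Allow entries matter here.
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }

        $excess = $ace.RegistryRights -band $WriteClassRights
        [pscustomobject]@{
            Key       = $KeyPath
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.RegistryRights
            Inherited = $ace.IsInherited
            Finding   = if ($excess -ne 0) { "Everyone has write-class rights: $excess" } else { 'OK (read only)' }
        }
    }
}

$KeysToAudit | ForEach-Object { Test-EveryoneReadOnly -KeyPath $_ } | Format-Table -AutoSize
```

Add further keys to `$KeysToAudit` to cover the other locations the text recommends tightening; an inherited ACE flagged here means the fix belongs on the parent key.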
