Logo
programming4us
programming4us
programming4us
programming4us
Home
programming4us
XP
programming4us
Windows Vista
programming4us
Windows 7
programming4us
Windows Azure
programming4us
Windows Server
programming4us
Windows Phone
 
Windows Server

Managing Windows Server 2012 Systems : Managing the Registry (part 7) - Securing the registry - Preventing access to the registry utilities, Applying permissions to registry keys

- Free product key for windows 10
- Free Product Key for Microsoft office 365
- Malwarebytes Premium 3.7.1 Serial Keys (LifeTime) 2019
12/17/2014 3:32:25 AM

Securing the registry

The registry is a critical area of the operating system. It has some limited built-in security to reduce the risk of settings being inadvertently changed or deleted. Additionally, some areas of the registry are available only to certain users. For example, HKLM\SAM and HKLM\SECURITY are available only to the LocalSystem user. This security, in some cases, might not be enough, however, to prevent unauthorized access to the registry. Because of this, you might want to set tighter access controls than the default permissions, and you can do this from within the registry. You can also control remote access to the registry and configure access auditing.

Preventing access to the registry utilities

One of the best ways to protect the registry from unauthorized access is to make it so that users can’t access the registry in the first place. For a server, this means tightly controlling physical security and allowing only administrators the right to log on locally. For other systems or when it isn’t practical to prevent users from logging on locally to a server, you can configure the permissions on Regedit.exe and Reg.exe so that they are more secure. You could also remove Registry Editor and the REG command from a system, but this can introduce other problems and make managing the system more difficult, especially if you also prevent remote access to the registry.

To modify permissions on Registry Editor, access the %SystemRoot% folder, press and hold or right-click Regedit.exe, and then select Properties. In the Regedit Properties dialog box, tap or click the Security tab, as shown in Figure 10. Add and remove users and groups as necessary, and then set permissions as appropriate. Permissions work the same as with other types of files. You select an object and then allow or deny specific permissions.

Tighten controls on Registry Editor to limit access to it.
Figure 10. Tighten controls on Registry Editor to limit access to it.

To modify permissions on the REG command, access the %SystemRoot%\System32 folder, press and hold or right-click Reg.exe, and then select Properties. In the Reg Properties dialog box, tap or click the Security tab. As Figure 11 shows, this command, by default, can be used by users as well as administrators. Add and remove users and groups as necessary, and then set permissions as appropriate.

Note

I’m not forgetting about Regedt32. It’s only a link to Regedit.exe, so you don’t really need to set its access permissions. The permissions on Regedit.exe will apply regardless of whether users attempt to run Regedt32 or Regedit.exe.

Reg.exe is designed to be used by users as well as administrators and to be run from the command line; its permissions reflect this.
Figure 11. Reg.exe is designed to be used by users as well as administrators and to be run from the command line; its permissions reflect this.

Applying permissions to registry keys

Keys within the registry have access permissions as well. Rather than editing these permissions directly. Using the right security template locks down access to the registry for you, and you won’t have to worry about making inadvertent changes that will prevent systems from booting or applications from running.

That said, in some limited situations you might want to or have to change permissions on individual keys in the registry. To do this, start Registry Editor and then navigate to the key you want to work with. When you find the key, press and hold or right-click it, and select Permissions, or select the key, and then choose Permissions on the Edit menu. This displays a Permissions For dialog box similar to the one shown in Figure 12. Permissions work the same as for files. You can add and remove users and groups as necessary. You can select an object and then allow or deny specific permissions.

Use the Permissions For dialog box to set permissions on specific registry keys.
Figure 12. Use the Permissions For dialog box to set permissions on specific registry keys.

Many permissions are inherited from higher-level keys and are unavailable. To edit these permissions, you must access the Advanced Security Settings dialog box by tapping or clicking the Advanced button. As Figure 13 shows, the Advanced Security Settings dialog box shows the current owner of the selected key and allows you to reassign ownership. By default, when you reassign ownership, only the selected key is affected, but if you want the change to apply to all subkeys of the currently selected key, choose Replace Owner On Subcontainers And Objects.

Caution

Be sure you understand the implications of taking ownership of registry keys. Changing ownership could inadvertently prevent the operating system or other users from running applications, services, or application components.

Use the Advanced Security Settings dialog box to change the way permissions are inherited or set and to view auditing settings, ownership, and effective permissions.
Figure 13. Use the Advanced Security Settings dialog box to change the way permissions are inherited or set and to view auditing settings, ownership, and effective permissions.

The dialog box also has three tabs:

  • Permissions The Inherited From column in the Permissions tab shows where the permissions are inherited from. Usually, this is the root key for the key branch you are working with, such as CURRENT_USER. You can use the Add and Edit buttons in the Permissions tab to set access permissions for individual users and groups. Table 3 shows the individual permissions you can assign.

  • Auditing Allows you to configure auditing for the selected key. The actions you can audit are the same as the permissions listed in Table 3.

  • Effective Access Lets you see which permissions would be given to a particular user or group based on the current settings. This is helpful because permission changes you make in the Permissions tab aren’t applied until you tap or click OK or Apply.

Table 3. Registry permissions and their meanings

Permission

Meaning

Full Control

Allows user or group to perform any of the actions related to any other permission

Query Value

Allows querying the registry for a subkey value

Set Value

Allows creating new values or modifying existing values below the specified key

Create Subkey

Allows creating a new subkey below the specified key

Enumerate Subkeys

Allows getting a list of all subkeys of a particular key

Notify

Allows registering a callback function that is triggered when the select value changes

Create Link

Allows creating a link to a specified key

Delete

Allows deleting a key or value

Write DAC

Allows writing access controls on the specified key

Write Owner

Allows taking ownership of the specified key

Read Control

Allows reading the discretionary access control list (DACL) for the specified key

Other -----------------
- Understanding Network Services and Active Directory Domain Controller Placement for Exchange Server 2013 (part 11)
- Understanding Network Services and Active Directory Domain Controller Placement for Exchange Server 2013 (part 10)
- Understanding Network Services and Active Directory Domain Controller Placement for Exchange Server 2013 (part 9)
- Understanding Network Services and Active Directory Domain Controller Placement for Exchange Server 2013 (part 8)
- Understanding Network Services and Active Directory Domain Controller Placement for Exchange Server 2013 (part 7)
- Understanding Network Services and Active Directory Domain Controller Placement for Exchange Server 2013 (part 6)
- Understanding Network Services and Active Directory Domain Controller Placement for Exchange Server 2013 (part 5)
- Understanding Network Services and Active Directory Domain Controller Placement for Exchange Server 2013 (part 4)
- Understanding Network Services and Active Directory Domain Controller Placement for Exchange Server 2013 (part 3)
- Understanding Network Services and Active Directory Domain Controller Placement for Exchange Server 2013 (part 2)
 
 
Top 10
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 2) - Wireframes,Legends
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 1) - Swimlanes
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Formatting and sizing lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Adding shapes to lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Sizing containers
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 3) - The Other Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 2) - The Data Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 1) - The Format Properties of a Control
- Microsoft Access 2010 : Form Properties and Why Should You Use Them - Working with the Properties Window
- Microsoft Visio 2013 : Using the Organization Chart Wizard with new data
 
programming4us
Windows Vista
programming4us
Windows 7
programming4us
Windows Azure
programming4us
Windows Server