The registry is a critical area of the operating system. It has
some limited built-in security to reduce the risk of settings being
inadvertently changed or deleted. Additionally, some areas of the
registry are available only to certain users. For example, HKLM\SAM
and HKLM\SECURITY are available only to the LocalSystem user. This
security, in some cases, might not be enough, however, to prevent
unauthorized access to the registry. Because of this, you might want
to set tighter access controls than the default permissions, and you
can do this from within the registry. You can also control remote
access to the registry and configure access auditing.
Preventing access to the registry utilities
One of the best ways to protect the registry from unauthorized
access is to make it so that users can’t access the registry in the
first place. For a server, this means tightly controlling physical security and allowing only administrators the
right to log on locally. For other systems or when it isn’t
practical to prevent users from logging on locally to a server, you
can configure the permissions on Regedit.exe and Reg.exe so that they are more secure. You could also
remove Registry Editor and the REG command from a system, but this
can introduce other problems and make managing the system more
difficult, especially if you also prevent remote access to the
registry.
To modify permissions on Registry Editor, access the %SystemRoot% folder,
press and hold or right-click Regedit.exe, and then select
Properties. In the Regedit Properties dialog box, tap or click the
Security tab, as shown in Figure 10. Add and
remove users and groups as necessary, and then set permissions as
appropriate. Permissions work the same as with other types of files.
You select an object and then allow or deny specific permissions.
To modify permissions on the REG command, access the %SystemRoot%\System32 folder,
press and hold or right-click Reg.exe, and then select Properties. In the Reg
Properties dialog box, tap or click the Security tab. As Figure 11 shows, this
command, by default, can be used by users as well as administrators.
Add and remove users and groups as necessary, and then set
permissions as appropriate.
Note
I’m not forgetting about Regedt32. It’s only a link to
Regedit.exe, so you don’t really need to set its access
permissions. The permissions on Regedit.exe will apply regardless
of whether users attempt to run Regedt32 or Regedit.exe.
Applying permissions to registry keys
Keys within the registry have access permissions as well. Rather than editing these
permissions directly.
Using the right security template locks down access to the
registry for you, and you won’t have to worry about
making inadvertent changes that will prevent systems from booting or
applications from running.
That said, in some limited situations you might want to or
have to change permissions on individual keys in the registry. To do
this, start Registry Editor and then navigate to the key you want to
work with. When you find the key, press and hold or right-click it,
and select Permissions, or select the key, and then choose
Permissions on the Edit menu. This displays a Permissions For dialog
box similar to the one shown in Figure 12. Permissions
work the same as for files. You can add and remove users and groups
as necessary. You can select an object and then allow or deny
specific permissions.
Many permissions are inherited from higher-level keys and are unavailable. To edit these permissions,
you must access the Advanced Security Settings dialog box by tapping
or clicking the Advanced button. As Figure 13 shows, the
Advanced Security Settings dialog box shows the current owner of the
selected key and allows you to reassign ownership. By default, when
you reassign ownership, only the selected key is affected, but if
you want the change to apply to all subkeys of the currently
selected key, choose Replace Owner On Subcontainers And
Objects.
Caution
Be sure you understand the implications of taking ownership
of registry keys. Changing ownership could
inadvertently prevent the operating system or other users from
running applications, services, or application components.
The dialog box also has three tabs:
-
Permissions The Inherited
From column in the Permissions tab shows where the permissions
are inherited from. Usually, this is the root key for the key
branch you are working with, such as CURRENT_USER. You can use
the Add and Edit buttons in the Permissions tab to set access
permissions for individual users and groups. Table 3 shows the
individual permissions you can assign.
-
Auditing Allows you to
configure auditing for the selected key. The actions you can
audit are the same as the permissions listed in Table 3.
-
Effective Access Lets you
see which permissions would be given to a particular user or
group based on the current settings. This is helpful because
permission changes you make in the Permissions tab aren’t
applied until you tap or click OK or Apply.
Table 3. Registry permissions and their meanings
|
Permission |
Meaning |
|
Full Control |
Allows user or group to perform any of the
actions related to any other permission |
|
Query Value |
Allows querying the registry for a subkey value |
|
Set Value |
Allows creating new values or modifying
existing values below the specified key |
|
Create Subkey |
Allows creating a new subkey below the
specified key |
|
Enumerate Subkeys |
Allows getting a list of all subkeys of a
particular key |
|
Notify |
Allows registering a callback function that is
triggered when the select value changes |
|
Create Link |
Allows creating a link to a specified
key |
|
Delete |
Allows deleting a key or value |
|
Write DAC |
Allows writing access controls on the specified
key |
|
Write Owner |
Allows taking ownership of the specified
key |
|
Read Control |
Allows reading the discretionary access control
list (DACL) for the specified key |
