Don't allow users to log on as members of the Administrators group unless a specific individual has administrative duties.
You might also choose not to put REGEDT32.EXE on workstations, since you can easily administer any workstation from a remote computer. You can also place access controls in File Manager on REGEDT32.EXE, limiting the rights of users to start this program.
This section describes the following additional steps you can take to protect the Registry:
You can protect the Registry hive files for user profiles in the same way that you protect other files in Windows NT—by restricting access through File Manager. If the files are stored on an NTFS volume, you can use the commands on the Security menu in File Manager to assign permissions. For details about using these commands, see the online Help in File Manager.
Caution You should only change permissions for user profile hives. The permissions for other hives are maintained automatically by the system and should not be changed.
For information about safeguarding files with backups, see "Backing Up and Restoring Registry Hives," later in this chapter.
To determine who has access to specific Registry data, set permissions on the Registry keys to specify the users and groups that can access that key. This is sometimes called changing ACLs, in reference to the Access Control Lists that govern who has access to data. You can also add or remove names from the list of users or groups authorized to access the Registry keys.
You can assign access rights to Registry keys regardless of the type of file system on the partition where the Windows NT files are stored.
Caution
Changing the permissions to limit access to a Registry key can have severe consequences. If, for example, you set No Access permissions on a key that the Network Control Panel application needs for configuration, it will cause the application to fail.
At a minimum, ensure that Administrators and the System have full access to the key, to ensure that the system starts and that the Registry key can be repaired by an administrator.
If you change permissions on a Registry key, you should audit the key for failed access attempts. For details, see "Auditing Registry Activities," later in this chapter.
Because assigning permissions on specific keys can have drastic consequences, you should reserve this action for keys that you add to accommodate custom applications or other custom settings. After you change permissions on a Registry key, be sure to turn on auditing in User Manager, and then test the system extensively through a variety of activities while logged on under different user and administrative accounts.
In the Registry Editor, the commands on the Security menu for assigning permission and ownership of keys work the same as similar commands in File Manager for assigning access rights for files and directories. For details about these commands, see the online Help in Registry Editor. For a detailed discussion of permissions and ownership, see "Securing Directories and Files" in Chapter 4, "File Manager," in the Windows NT System Guide.
Type of access | Meaning |
Read | Allows users on the Permissions list to read the key's contents, but prevents changes from being saved. |
Full Control | Allows users on the Permissions list to access, edit, or take ownership of the selected key. |
Special Access | Allows users on the Permissions list some custom combination of access and edit rights for the selected key. For a description of the Special Access types, see "Auditing Registry Activities," later in this chapter. |
As a system administrator, you may need to take ownership of a key to protect access to that key. You take ownership of a Registry key by choosing the Owner command from the Security menu in Registry Editor, and then completing the Ownership dialog box. You can also add users or groups to the Permissions list by following the same procedure for managing lists of users and groups as appears throughout Windows NT.
You (or any user) can take ownership of any Registry key if you log onto the computer as a member of the Administrator group. However, if an Administrator takes ownership of a key without being assigned full control by its owner, the key cannot be given back to its original owner, and the event is audited.
Auditing Registry activities requires several separate activities:
For each of these activities, you must be logged on as a member of the Administrators group for the specific computer you are auditing. Auditing policies are set on a per-computer basis. Before you can audit activities in Registry keys, you must turn on security auditing for the computer.
Note At a minimum, you should check the Failure option for File And Object Access. Choosing the Success option for many items may produce an abundance of meaningless entries in the event log.
You may want to audit actions for a specific Registry key. For example, you might want to audit the following:
This command in Registry Editor is similar to the Auditing command in File Manager. For details about the Auditing dialog box, choose online Help in Registry Editor. For a discussion of general issues related to the Auditing command, see "Auditing Files and Directories" in Chapter 4, "File Manager," in the Windows NT System Guide.
Audit option | Audit events that attempt to |
Query Value | Open a key with Query Value access |
Set Value | Open a key with Set Value access |
Create Subkey | Open a key with Create Value access |
Enumerate Subkeys | Open a key with Enumerate Subkeys access (that is, events that try to find the subkeys of a key) |
Notify | Open a key with Notify access |
Create Link | Open a key with Create Link access |
Delete | Delete the key |
Write DAC | Determine who has access to the key |
Read Control | Find the owner of a key |
Note If you change permission for any Registry key, you should turn on Auditing in User Manager and specify the Failure attempts for File And Object Access to be audited. Then you can check the Security event log for details if any application isn't working because of changes in permissions.