How to Restrict Access to NT Registry from a Remote Computer
ID: Q153183
The information in this article applies to:
- Microsoft Windows NT Workstation versions 3.51, 4.0
- Microsoft Windows NT Server versions 3.51, 4.0
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
SUMMARY
Registry Editor supports remote access to the Windows NT registry. On
Windows NT 3.51 with Service Pack 4, and on Windows NT 4.0, you can
restrict this access.
MORE INFORMATION
By default, on a Windows NT 3.51 system any user can access the registry
when connecting over the network. On a Windows NT 4.0 system, by default
only members of the Administrators group can access the registry over the
network.
NOTE: Some services need network access to the registry to function
correctly. For example, if you add the winreg key described below to a 3.51
system that is running Directory Replication, you must grant the Replicator
account access to the registry as described later in this article.
Restricting Network Access to the Registry
NOTE: In Windows 2000, only Administrators and Backup Operators have network access to the registry by default, so parts of this section may not apply to Windows 2000.
To restrict network access to the registry, follow the steps listed below
to create the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
Value Name: Description
Data Type: REG_SZ
String: Registry Server
The security permissions (ACL) set on this key define which users or groups
can connect to the system for remote registry access. Passing this check
does not bypass the permissions set on the individual keys that are then
opened. The default Windows NT Server 4.0 installation defines this key and
sets its access control list as follows:
Administrators: Full Control
This is why a default Windows NT Server 4.0 installation permits only
Administrators remote access to the registry. Changes to the permissions on
this key, for example to allow other users remote registry access, require a
system reboot to take effect.
WARNING: Using Registry Editor incorrectly can cause serious, system-wide
problems that may require you to reinstall Windows NT to correct them.
Microsoft cannot guarantee that any problems resulting from the use of
Registry Editor can be solved. Use this tool at your own risk.
To create the registry key to restrict access to the registry:
1. Start Registry Editor (Regedt32.exe) and go to the following subkey:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
2. On the Edit menu, click Add Key.
3. Enter the following values:
   Key Name: SecurePipeServers
   Class: REG_SZ
4. Go to the following subkey:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers
5. On the Edit menu, click Add Key.
6. Enter the following values:
   Key Name: winreg
   Class: REG_SZ
7. Go to the following subkey:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
8. On the Edit menu, click Add Value.
9. Enter the following values:
   Value Name: Description
   Data Type: REG_SZ
   String: Registry Server
10. Go to the following subkey:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
11. Select "winreg". On the Security menu, click Permissions. Add the users
   or groups to which you want to grant access.
12. Exit Registry Editor and restart Windows NT.
13. If you later want to change the list of users that can access the
   registry remotely, repeat steps 10 through 12.
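The same procedure scripted, as an added example that is not part of this KB article. It assumes a Windows host with PowerShell 5.1 or later and an elevated session, and that SecurePipeServers\winreg still lives at the path the article gives (Windows NT and Windows 2000 themselves have no PowerShell). The function names, the optional extra principals and the account name in the usage line are this example's own choices, not anything from the article.

```powershell
# Added example, not part of KB Q153183. Assumes PowerShell 5.1+, an elevated
# session, and the winreg key at the path given in the article.
$WinregPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'

function Set-WinregRestriction {
    <# Steps 1-9: create SecurePipeServers\winreg and its Description value.
       Steps 10-11: replace the key's ACL so that only Administrators, plus any
       service accounts passed in -ExtraPrincipals, have Full Control.
       Step 12 (restart) is still up to you, as the article requires. #>
    param([string[]]$ExtraPrincipals = @())

    New-Item -Path $WinregPath -Force | Out-Null
    New-ItemProperty -Path $WinregPath -Name 'Description' -PropertyType String `
        -Value 'Registry Server' -Force | Out-Null

    $acl = Get-Acl -Path $WinregPath
    # Stop inheriting from ...\Control: inherited ACEs would otherwise widen the
    # set of remote callers beyond the principals listed here. Then drop any
    # remaining explicit ACEs so the result is exactly the list we build.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($existing in @($acl.Access)) { [void]$acl.RemoveAccessRule($existing) }

    foreach ($principal in (@('BUILTIN\Administrators') + $ExtraPrincipals)) {
        $rule = [System.Security.AccessControl.RegistryAccessRule]::new(
            $principal,
            [System.Security.AccessControl.RegistryRights]::FullControl,
            [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $WinregPath -AclObject $acl
}

function Test-RemoteRegistryAccess {
    <# Verification: as the current account, open a key over the remote registry
       interface. The Lsa key is outside the default AllowedPaths, so the winreg
       ACL alone decides. Run this from a non-administrator session after the
       restart; $false means the restriction holds. #>
    param([string]$ComputerName = $env:COMPUTERNAME)
    $hive = $null
    try {
        $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
        $key = $hive.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
        if ($null -eq $key) { return $false }
        $key.Close()
        return $true
    } catch {
        # .NET exceptions reach PowerShell wrapped; look at the inner one.
        $inner = $_.Exception
        if ($inner.InnerException) { $inner = $inner.InnerException }
        if ($inner -is [System.UnauthorizedAccessException] -or
            $inner -is [System.Security.SecurityException]) {
            return $false     # denied by the winreg ACL (or the key's own ACL)
        }
        throw                 # service not running, host unreachable: not a verdict
    } finally {
        if ($hive) { $hive.Close() }
    }
}

# Usage (elevated). 'CORP\svc-replicator' is a hypothetical service account,
# standing in for the Replicator account the article mentions.
Set-WinregRestriction -ExtraPrincipals @('CORP\svc-replicator')
# Then, from a non-administrator session on another machine, expect $false:
#   Test-RemoteRegistryAccess -ComputerName 'SERVER01'
```

Restart (or, on versions where the article's reboot requirement no longer applies, at least restart the Remote Registry service) before trusting the result of Test-RemoteRegistryAccess; a $true from an administrator session proves nothing, since Administrators are meant to get through.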
Bypassing the Access Restriction
Some services need remote access to the registry to function correctly.
For example, the Directory Replicator service, and the Spooler service when
connecting to a printer over the network, require access to the remote
registry.
You can either add the account that the service runs under to the access
list of the "winreg" key, or you can configure Windows NT 4.0 to bypass the
access restriction for specific keys by listing them in the Machine or
Users value under the AllowedPaths key.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths
Value: Machine
Value Type: REG_MULTI_SZ - Multi string
Default Data:
   System\CurrentControlSet\Control\ProductOptions
   System\CurrentControlSet\Control\Print\Printers
   System\CurrentControlSet\Services\Eventlog
   Software\Microsoft\Windows NT\CurrentVersion
   System\CurrentControlSet\Services\Replicator
Valid Range: A valid path to a location in the registry.
Description: Allows machines access to the listed locations in the
   registry, provided that no explicit access restriction exists for
   that location.
Value: Users
Value Type: REG_MULTI_SZ - Multi string
Default Data: (None)
Valid Range: A valid path to a location in the registry.
Description: Allows users access to the listed locations in the
   registry, provided that no explicit access restriction exists for
   that location.
Changed slightly in Windows 2000:
Value: Machine
Value Type: REG_MULTI_SZ - Multi string
Default Data:
   System\CurrentControlSet\Control\ProductOptions
   System\CurrentControlSet\Control\Print\Printers
   system\CurrentControlSet\control\Server Applications
   System\CurrentControlSet\Services\Eventlog
   Software\Microsoft\Windows NT\CurrentVersion
Value: Users - Does not exist in either Windows 2000 or Windows NT by default.
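Maintaining the AllowedPaths list, as an added example that is not part of this KB article. Because Machine is a REG_MULTI_SZ, the common mistake is to overwrite it with a single string and silently drop the defaults that the Spooler, Event Log and Directory Replicator depend on; the helper below appends instead. The audit function compares the live list against the Windows 2000 defaults quoted in the article, since every extra entry is a subtree readable remotely without passing the winreg ACL. It assumes PowerShell 5.1 or later and an elevated session; the function names and the 'Software\Contoso\MonitoringAgent' path in the usage line are hypothetical.

```powershell
# Added example, not part of KB Q153183. Assumes PowerShell 5.1+, an elevated
# session, and AllowedPaths at the path given in the article.
$AllowedPathsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths'

# Windows 2000 defaults for the Machine value, copied from the article.
$Win2000MachineDefaults = @(
    'System\CurrentControlSet\Control\ProductOptions',
    'System\CurrentControlSet\Control\Print\Printers',
    'System\CurrentControlSet\Control\Server Applications',
    'System\CurrentControlSet\Services\Eventlog',
    'Software\Microsoft\Windows NT\CurrentVersion'
)

function ConvertTo-NormalizedRegPath([string]$Path) {
    # Registry paths are case-insensitive; compare them trimmed and lower-cased.
    $Path.Trim().TrimEnd('\').ToLowerInvariant()
}

function Get-WinregAllowedPaths {
    param([ValidateSet('Machine', 'Users')][string]$Value = 'Machine')
    $props = Get-ItemProperty -Path $AllowedPathsKey -Name $Value -ErrorAction SilentlyContinue
    if ($null -eq $props) { return @() }   # 'Users' does not exist by default
    return @($props.$Value)
}

function Add-WinregAllowedPath {
    <# Appends one path to the Machine (or Users) multi-string, keeping the
       existing entries. The grant is still subject to the ACL on the target
       key itself, as the article's Description field says. #>
    param(
        [Parameter(Mandatory)][string]$Path,
        [ValidateSet('Machine', 'Users')][string]$Value = 'Machine'
    )
    $current = Get-WinregAllowedPaths -Value $Value
    $wanted  = ConvertTo-NormalizedRegPath $Path
    $already = @($current | Where-Object { (ConvertTo-NormalizedRegPath $_) -eq $wanted })
    if ($already.Count -gt 0) { return $current }   # present; write nothing

    $updated = @($current) + $Path
    New-Item -Path $AllowedPathsKey -Force | Out-Null
    # -PropertyType MultiString keeps the value REG_MULTI_SZ even when the
    # list has a single entry.
    New-ItemProperty -Path $AllowedPathsKey -Name $Value -PropertyType MultiString `
        -Value $updated -Force | Out-Null
    return $updated
}

function Compare-WinregAllowedPaths {
    <# Audit: entries in the live Machine list that are not among the expected
       defaults (each one widens remote read access and needs a justification),
       and expected defaults that are missing (services may break). #>
    param([string[]]$Expected = $Win2000MachineDefaults)
    $live         = Get-WinregAllowedPaths -Value 'Machine'
    $expectedNorm = @($Expected | ForEach-Object { ConvertTo-NormalizedRegPath $_ })
    $liveNorm     = @($live     | ForEach-Object { ConvertTo-NormalizedRegPath $_ })
    [pscustomobject]@{
        Extra   = @($live     | Where-Object { (ConvertTo-NormalizedRegPath $_) -notin $expectedNorm })
        Missing = @($Expected | Where-Object { (ConvertTo-NormalizedRegPath $_) -notin $liveNorm })
    }
}

# Usage (elevated). The path is hypothetical, standing in for a service that
# must read its own subtree remotely; the audit then lists it under Extra.
Add-WinregAllowedPath -Path 'Software\Contoso\MonitoringAgent' | Out-Null
Compare-WinregAllowedPaths | Format-List
```

Run Compare-WinregAllowedPaths on an NT 4.0-style system with an -Expected list that includes System\CurrentControlSet\Services\Replicator, which the article lists for NT 4.0 but not for Windows 2000.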
Additional query words:
prodnt
Keywords : kbnetwork ntregistry NTSrvWkst
Version : WINDOWS:2000; winnt:3.51,4.0
Platform : WINDOWS winnt