Maintaining Registry Security

Do not allow a user to log on as a member of the Administrators group unless that individual has specific administrative duties.

You can also opt not to put Regedt32.exe on workstations, because you can easily administer any workstation from a remote computer. You can also place access controls on Regedt32.exe in Windows NT Explorer, which limit which users are able to start this program.

This section describes the additional steps you can take to protect the Registry:

Protecting Registry Files for User Profiles

You can protect the user profiles in the Registry in the same way that you protect other files in Windows NT—by restricting access through Windows NT Explorer. If the files are stored on an NTFS volume, you can use the security features of Windows NT Explorer to assign permissions for the Registry files or Registry editors. From the File menu, click Properties, then click the Security tab. For details about using these commands, see the Windows NT Explorer Help.

Caution: You should change permissions for user profiles only. The permissions for other Registry keys are maintained automatically by the system and should not be changed.

For information about safeguarding files with backups, see "Backing Up and Restoring Registry Hives," later in this chapter.

Assigning Access Rights to Registry Keys

To determine who has access to specific Registry data, set permissions on the Registry keys to specify the users and groups that can have access to that key. (This is sometimes called changing ACLs, in reference to the access control lists that govern who has access to data.) You can also add names to or remove names from the list of users or groups authorized to access the Registry keys.

You can assign access rights to Registry keys regardless of the type of file system on the partition where the Windows NT files are stored.

Caution: Changing the permissions to limit access to a Registry key can have severe consequences. If, for example, you set No Access permissions on a key needed for configuration by the Network option in Control Panel, the application will fail.

At a minimum, give Administrators and the System full access to the key, thus ensuring that the system starts and that the Registry key can be repaired by an administrator.

If you change permissions on a Registry key, you should audit that key for failed access attempts. For details, see "Auditing Registry Activities," later in this chapter.

Because assigning permissions on specific keys can have serious consequences, you should reserve this action for keys that you add to accommodate custom applications or other custom settings. After you change permissions on a Registry key, be sure to turn on auditing in User Manager, and then test the system extensively through a variety of activities while logged on under different user and administrative accounts.

In Regedt32, the commands on the Security menu for assigning permission and ownership of keys work in the same way as similar commands for NTFS partitions in Windows NT Explorer for assigning access rights for files and directories. For details about these commands, see help for the Registry editor.

To assign permissions on a key

1. Make a backup copy of the Registry key before making changes.

2. Select the key for which you want to assign access permission. Then, from the Security menu, click Permissions.

3. In the Registry Key Permissions dialog box, assign an access level to the selected key by selecting an option in the Type of Access box as described in the following table, and then click OK.

Type of access    Meaning
Read              Allows users on the Permissions list to read the key's contents, but prevents changes from being saved.
Full Control      Allows users on the Permissions list to access, edit, or take ownership of the selected key.
Special Access    Allows users on the Permissions list some custom combination of access and edit permission for the selected key. For a description of the Special Access types, see "Auditing Registry Activities," later in this chapter.


4. Turn on auditing in User Manager (in Windows NT Workstation) or User Manager for Domains (in Windows NT Server), and then test the system extensively to ensure that the new access control does not interfere with system or application operations.
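The permission procedure above, carried out from PowerShell on a current Windows version, as an added example that is not part of the Resource Kit text: it backs up the key first, then grants Administrators and SYSTEM Full Control (the minimum the text requires) and gives ordinary users Read. The key path and backup directory are placeholders for your own custom application key.

```powershell
# Added example (not from the Resource Kit). Run from an elevated prompt.
# Assumption: the key path and backup directory below are placeholders.
$keyPath   = 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp'   # placeholder custom key
$backupDir = 'C:\RegBackup'                                # placeholder

# Step 1: back up the key before making changes (reg.exe writes a .reg file).
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
$backupFile = Join-Path $backupDir 'ExampleApp.reg'
reg.exe export 'HKLM\SOFTWARE\ExampleVendor\ExampleApp' $backupFile /y | Out-Null

# Step 2: build the new access control list for the key.
$acl = Get-Acl -Path $keyPath
# Stop inheriting from the parent and drop inherited entries, so the list
# contains only what we add here.
$acl.SetAccessRuleProtection($true, $false)

$inherit   = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$allow     = [System.Security.AccessControl.AccessControlType]::Allow

# Minimum required by the text: Administrators and SYSTEM keep Full Control,
# so the system still starts and an administrator can repair the key.
foreach ($principal in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $principal, 'FullControl', $inherit, $propagate, $allow)
    $acl.AddAccessRule($rule)
}

# Ordinary users get the equivalent of the "Read" type of access.
$readRule = New-Object System.Security.AccessControl.RegistryAccessRule(
    'BUILTIN\Users', 'ReadKey', $inherit, $propagate, $allow)
$acl.AddAccessRule($readRule)

# Step 3: apply the list and display the resulting entries for review.
Set-Acl -Path $keyPath -AclObject $acl
(Get-Acl -Path $keyPath).Access |
    Select-Object IdentityReference, RegistryRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

After applying it, follow step 4 of the procedure: enable auditing and exercise the application under the affected user accounts before relying on the change.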

As a system administrator, you might need to take ownership of a key to protect access to that key. To take ownership of a Registry key, click Owner on the Security menu, then complete the Ownership dialog box. You add users or groups to the Permissions list by following the same procedure for managing lists of users and groups as you use throughout Windows NT.

You (or any user) can take ownership of any Registry key if you log on to the computer as a member of the Administrators group. However, if an Administrator takes ownership of a key without being assigned full control by its owner, the key cannot be given back to its original owner, and the event is audited.

Auditing Registry Activities

To audit Registry activities, you must complete these separate activities:

For each of these activities, you must be logged on as a member of the Administrators group for the specific computer you are auditing. Auditing policies are set on a per-computer basis. Before you can audit activities in Registry keys, you must turn on security auditing for the computer.

To turn on auditing

1. In User Manager or User Manager for Domains, from the Policies menu, click Audit. Select the Audit These Events option to turn on auditing.

2. Select Success and Failure options for each type of event to be audited, then click OK.

Note

At a minimum, you should select the Failure option for File And Object Access. Selecting Success for many items can produce a large number of meaningless entries in the event log.

You can audit actions for a specific Registry key. For example, you can audit:

To audit user actions for a selected Registry key

1. From the Security menu in Registry Editor, click Auditing, then complete the dialog box.

This command in Registry Editor is similar to the Auditing command in Windows NT Explorer.

2. Select the Success or Failure option for the following activities:

Audit option        Audits events that attempt to
Query Value         Open a key with Query Value access.
Set Value           Open a key with Set Value access.
Create Subkey       Open a key with Create Subkey access.
Enumerate Subkeys   Open a key with Enumerate Subkeys access (that is, events that try to find the subkeys of a key).
Notify              Open a key with Notify access.
Create Link         Open a key with Create Link access.
Delete              Delete the key.
Write DAC           Determine who has access to the key.
Read Control        Find the owner of a key.


To view the results of auditing

· Run Event Viewer, select the computer that you are interested in, then click Security on the Log menu.

Note

If you change permissions for any Registry key, you should turn on Auditing in User Manager and specify the Failure auditing option for File And Object Access. Then, if any application is not working because of changes in permissions, you can check the Security event log for details.
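The auditing procedure and the Note above, done from PowerShell on a current Windows version, as an added example that is not part of the Resource Kit text: it enables failure auditing for registry objects (the auditpol command is the current equivalent of the User Manager audit policy dialog), adds a failure audit entry to a custom key for the Set Value, Create Subkey, Delete and Write DAC rights, and then reads the matching Security log entries so a failed application write shows up with the account and process that caused it. The key path is a placeholder and the helper function is assumed.

```powershell
# Added example (not from the Resource Kit). Run from an elevated prompt.
# Assumption: the key path is a placeholder for your own custom key.
$keyPath = 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp'   # placeholder custom key

# Step 1: turn on failure auditing for registry objects (as the Note advises,
# failures only; success auditing floods the log with meaningless entries).
auditpol.exe /set /subcategory:"Registry" /failure:enable | Out-Null

# Step 2: add a system ACL entry to the key. ChangePermissions is Write DAC;
# the others map directly to rows of the audit option table.
$rights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions'
$auditRule = New-Object System.Security.AccessControl.RegistryAuditRule(
    'Everyone',
    $rights,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Failure)

$acl = Get-Acl -Path $keyPath -Audit      # -Audit is needed to read and write the SACL
$acl.AddAuditRule($auditRule)
Set-Acl -Path $keyPath -AclObject $acl

# Helper (assumed, not a built-in cmdlet): read one named field from an event's
# EventData by name, so the code does not depend on property positions.
function Get-EventField($Event, $Name) {
    ([xml]$Event.ToXml()).Event.EventData.Data |
        Where-Object { $_.Name -eq $Name } |
        ForEach-Object { $_.'#text' }
}

# Step 3: view results. Event 4656 ("a handle to an object was requested") is
# recorded in the Security log when an audited access to the key fails.
$kernelPath = '\REGISTRY\MACHINE\SOFTWARE\ExampleVendor\ExampleApp'
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656 } -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventField $_ 'ObjectName') -like "$kernelPath*" } |
    Select-Object TimeCreated,
        @{ n = 'Outcome'; e = { $_.KeywordsDisplayNames -join ',' } },
        @{ n = 'Account'; e = { Get-EventField $_ 'SubjectUserName' } },
        @{ n = 'Process'; e = { Get-EventField $_ 'ProcessName' } },
        @{ n = 'Access';  e = { Get-EventField $_ 'AccessList' } } |
    Format-Table -AutoSize
```

The Access column holds the access rights that were requested, which is what you need to decide whether an application broken by a permission change needs a Read or a Special Access entry rather than Full Control.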