Microsoft Windows Registry Guide, Second Edition

Setting Permissions for Keys

Registry security is similar to file system security except that you can set permissions for keys only, not values. Other than that, the dialog boxes look similar, the permissions are similar, and so on. If you don't understand basic security concepts, take a moment and review them in Help and Support Center before tinkering with permissions. I don't include the basic concepts in this chapter because I assume that you're an IT professional and already understand the basics of security.

If you have full control of or own a registry key, you can edit its permissions for users and groups in the key's ACL:

  1. In Regedit, click the key with the ACL that you want to edit.

  2. On the Edit menu, click Permissions. (See Figure 8-1.)

  3. In the Group Or User Names list, click the user or the group for whom you want to edit permissions, and then select the check box in the Allow or Deny column to allow or deny the following permissions:

    • Full Control.

      Grants the user or the group permission to open, edit, and take ownership of the key. This permission literally gives full control of the key.

    • Read.

      Grants the user or the group permission to read the key's contents but not to save changes made to it. Read this as read-only.

    • Special Permissions.

      Grants the user or the group a special combination of permissions. To grant special permissions, click Advanced. You learn more about this permission setting in the section “Assigning Special Permissions,” later in this chapter.

    Figure 8-1 This dialog box is almost identical to the dialog box for file system security.

Sometimes the check boxes in the Permissions For Name area are shaded. You can't change them. The reason is that the key inherits that permission from the parent key. You can prevent a key from inheriting permissions, and you learn how to do that later in this chapter in the section “Assigning Special Permissions.”

TIP

OK, you had your fun. You tinkered with your registry's security and satisfied your curiosity; but now what? You can easily restore the original permissions by applying the Setup Security template. You learn how to apply this template in the section “Modifying a Computer's Configuration,” later in this chapter.

Adding Users to ACLs

You can add users or groups to a key's existing ACL:

  1. In Regedit, click the key with the ACL that you want to edit.

  2. On the Edit menu, click Permissions, and then click Add.

  3. In the Select Users, Computers, Or Groups dialog box, click Locations, and then click the computer, the domain, or the organizational unit in which you want to look for the user or the group that you want to add to the key's ACL.

  4. In the Enter The Object Names To Select box, type the name of the user or the group that you want to add to the key's ACL, and then click OK.

  5. In the Permissions For Name list, configure the permissions that you want to give the user or the group by selecting the Allow or Deny check box.

TIP

In step 4, you type all or part of the user or the group name that you want to add to the key's ACL. If you don't know what the name is, you can search for it. First, if possible, narrow your search by choosing a location as I described in step 3. Then click Advanced, and click Find Now. Click the name of the user or the group that you want to add, and click OK. You can further narrow the results by clicking Object Types and then clearing the Built-In Security Principals check box.

The only real-world scenario I can think of for adding users to a key's ACL is allowing a group to access a computer's registry over the network, which you learn how to do in “Restricting Remote Registry Access,” later in this chapter. Otherwise, adding a user or a group to a key's ACL is sometimes useful as a quick fix when an application can't access the settings it needs when users run it. Generally speaking, adding users or groups to a key's ACL does little harm, but if you're not careful, you can open holes in the security of Windows so wide that users and hackers can walk through them. And if the edit you're making will be required on more than one computer or user, consider deploying it as a security template. (See “Deploying Security Templates,” later in this chapter.)

Removing Users from ACLs

Here's how to remove a user or a group from a key's ACL:

  1. In Regedit, click the key with the ACL that you want to edit.

  2. On the Edit menu, click Permissions.

  3. Click the user or the group that you want to remove, and click Remove.

CAUTION

Be wary of removing groups from keys' ACLs. Generally, the ACLs you see in Windows after installing it (Setup Security) are the bare minimum required for users to start and use the operating system. If you remove the Users or the Power Users group from a key, users in those groups can't read the key's values, and this is likely going to mangle the operating system or an application. If you dare remove the Administrators group from a key, you might not be able to manage the computer at all. Removing individual users from a key's ACL isn't necessarily a bad thing, however. Windows doesn't assign permissions to individual users, so those permissions might have gotten there by devious means. You should never remove users from their profile hives' ACLs, though. Doing so prevents them from accessing their own settings, of which they should have full control.
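One way to find the explicit per-account entries this caution describes before deciding what to remove, as an added example that is not from the book. It assumes Windows PowerShell with Get-Acl; the Run key is only a sample starting point, and Get-ExplicitAccountAce is a hypothetical helper name.

```powershell
# Added example (not from the book). $root is a sample branch; change it as needed.
$root = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

# Rights that let a trustee change the key, plus the generic write/all bits
# (0x50000000) that inherit-only entries may carry instead of specific rights.
$writeRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, CreateLink, Delete, ChangePermissions, TakeOwnership'
$writeMask   = [int]$writeRights -bor 0x50000000

function Get-ExplicitAccountAce {    # hypothetical helper name
    param([string]$Path)
    $keys = @(Get-Item -LiteralPath $Path) +
            @(Get-ChildItem -LiteralPath $Path -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        # Skip keys whose ACL the current account is not allowed to read.
        try   { $acl = Get-Acl -LiteralPath $key.PSPath -ErrorAction Stop }
        catch { continue }

        # Explicit entries only ($true, $false), returned as raw SIDs.
        $rules = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
        foreach ($ace in $rules) {
            $sid = $ace.IdentityReference
            # Account SIDs (S-1-5-21-...) belong to users and custom groups of a
            # computer or domain; built-in groups such as Users are skipped.
            if (-not $sid.IsAccountSid()) { continue }

            # An orphaned SID (deleted account) cannot be translated to a name.
            try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = '<unresolved>' }

            [pscustomobject]@{
                Key      = $key.Name
                Account  = $name
                Sid      = $sid.Value
                Type     = $ace.AccessControlType
                Rights   = $ace.RegistryRights
                CanWrite = ([int]$ace.RegistryRights -band $writeMask) -ne 0
            }
        }
    }
}

Get-ExplicitAccountAce -Path $root | Sort-Object Key, Account | Format-Table -AutoSize
```

An empty result means every explicit entry in the branch belongs to a built-in or well-known principal. Rows with CanWrite set to True are the ones to review first.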

Assigning Special Permissions

Special permissions give you more granular control of a key's ACL than the basic Full Control and Read permissions. You can allow or deny users the ability to create subkeys, set values, read values, and so on. You can get very detailed. Here's how:

  1. In Regedit, click the key with the ACL that you want to edit.

  2. On the Edit menu, click Permissions.

  3. In the Group Or User Names list, click the user or the group for whom you want to edit permissions. Add the user or the group if necessary. Then click Advanced.

  4. Double-click the user or the group to whom you want to give special permissions. You see the Permission Entry For Name dialog box shown in Figure 8-2.

    Figure 8-2 Special permissions give you finer control of a user or group's permissions to use a key, but assigning special permissions is generally unnecessary.

  5. In the Apply Onto drop-down list, click one of the following:

    • This Key Only.

      Applies the permissions to the selected key only.

    • This Key And Subkeys.

      Applies the permissions to the selected key and all its subkeys. In other words, it applies them to the entire branch.

    • Subkeys Only.

      Applies the permissions to all the key's subkeys but not to the key itself.

  6. In the Permissions list, select the Allow or Deny check box for each permission that you want to allow or deny:

    • Full Control.

      All the following permissions.

    • Query Value.

      Read a value from the key.

    • Set Value.

      Set a value in the key.

    • Create Subkey.

      Create subkeys in the key.

    • Enumerate Subkeys.

      Identify the key's subkeys.

    • Notify.

      Receive notification events from the key.

    • Create Link.

      Create symbolic links in the key.

    • Delete.

      Delete the key or its values.

    • Write DAC.

      Write the key's discretionary access control list.

    • Write Owner.

      Change the key's owner.

    • Read Control.

      Read the key's discretionary access control list.

A word about inheritance is necessary here. With inheritance enabled, subkeys inherit the permissions of their parent keys. In other words, if a key gives a group full control, all the key's subkeys also give that group full control. In fact, when you view the subkeys' ACLs, the Allow check box next to Full Control is shaded for that group because you can't change inherited permissions. There are a couple of actions that you can take to configure inheritance. First, you can prevent a subkey from inheriting its parent key's permissions: in the Advanced Security Settings For Key dialog box, clear the Inheritable Permission check box. Second, you can replace the ACLs of a key's subkeys, effectively resetting an entire branch to match a key's ACL: select the Replace Permission Entries On All Child Objects With Entries Shown Here That Apply To Child Objects check box.
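The Apply Onto choices, the special permissions, and the inheritance check box expressed in script, as an added example that is not from the book. It assumes Windows PowerShell and the .NET RegistryAccessRule class; the scratch key HKCU:\Software\AclDemo and the choice of the Users group as trustee are assumptions made for the demonstration.

```powershell
# Added example (not from the book). Scratch key and trustee are assumptions.
$keyPath = 'HKCU:\Software\AclDemo'   # hypothetical scratch key, safe to delete
$trustee = 'BUILTIN\Users'            # English name; the SID is S-1-5-32-545

# Apply Onto choices as (InheritanceFlags, PropagationFlags) pairs.
$applyOnto = @{
    'This Key Only'        = @('None',             'None')
    'This Key And Subkeys' = @('ContainerInherit', 'None')
    'Subkeys Only'         = @('ContainerInherit', 'InheritOnly')
}

# Special permissions by their RegistryRights names: Query Value, Enumerate
# Subkeys, Notify, and Read Control. Together they equal the basic Read (ReadKey).
$rights = [System.Security.AccessControl.RegistryRights]'QueryValues, EnumerateSubKeys, Notify, ReadPermissions'

New-Item -Path $keyPath -Force | Out-Null

$scope = $applyOnto['This Key And Subkeys']
$rule  = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList `
            $trustee, $rights, $scope[0], $scope[1], 'Allow'

$acl = Get-Acl -Path $keyPath
# Same effect as clearing the inheritance check box and keeping a copy of the
# parent's entries: protect the ACL ($true) and preserve inherited entries ($true).
$acl.SetAccessRuleProtection($true, $true)
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# A subkey created afterward picks up the entry through inheritance.
New-Item -Path "$keyPath\Child" -Force | Out-Null
(Get-Acl -Path "$keyPath\Child").Access |
    Where-Object { $_.IdentityReference.Value -eq $trustee } |
    Select-Object IdentityReference, RegistryRights, IsInherited, InheritanceFlags

# Clean up when finished:
# Remove-Item -Path $keyPath -Recurse
```

On the subkey, the entry for the trustee reports IsInherited as True, which is the state Regedit shows as a shaded check box.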
