Chapter 8: Configuring Windows Security

Chapter 8

Configuring Windows Security

Security is not the most interesting registry-related topic, nor is it the most popular. It is one of the most important topics facing IT today, however.

There are hundreds of facets of security, but this chapter focuses on just one: the registry. You can change a key's access control list (ACL). You can audit keys. You can also take ownership of keys. You can't do any of these things with individual values, though, like you can with individual files. Power users generally won't care much about registry security, but IT professionals often have no choice.

Just because you can edit keys' ACLs doesn't mean you should, however. Changing your registry's security is not a good idea unless you have a specific reason to do so. At best, you will make a change that's irrelevant, but at worst, you could prevent Microsoft Windows XP and Windows Server 2003 (Windows) from working properly. So why am I including registry security in this book at all? There are cases in which IT professionals must change the registry's default permissions to deploy software. That is a totally different story than tinkering with your registry's security out of curiosity. For example, you might have an application that users can run only when they log on to the operating system as a member of the Administrators group. Ouch. In a corporate environment, you don't want to dump all your users in this group. The solution is to deploy Windows with custom permissions so that users can run those programs as a member of the Power Users or Users group. This is the most common scenario, and it's the primary focus of this chapter.

You have two methods of deploying custom permissions. First, you can do it manually. For the sake of completeness, I show you how to change a key's permissions in Registry Editor (Regedit). Second, you can build a security template, complete with custom registry permissions, and then apply that template to a computer manually. You wouldn't run around from desktop to desktop applying the template, though; you'd apply that template to your disk images before deployment. The second method is by using Group Policy. You create a Group Policy Object (GPO) and then import a security template into it to create a security policy for your network. Windows automatically applies the custom permissions in your template to the computer and user if that GPO is in scope. I don't talk about Group Policy a lot in this book, but the last section in Chapter 7, “Using Registry-Based Policy,” points out a lot of good, free resources for learning more about it.

Windows XP Service Pack 2 (SP2) and Windows Server 2003 Service Pack 1 (SP1) provide a number of new security features. For example, the Windows Security Center helps users configure security for maximum protection. Windows Firewall prevents unwanted access to computers so that using the Internet and opening e-mail attachments are safer. This chapter doesn't discuss those features in detail; instead, it describes how to use the registry to customize these features. For more information about the security features in Windows XP SP2, see http://www.microsoft.com/windowsxp/sp2/default.mspx. For more information about the security features in Windows Server 2003, see http://www.microsoft.com/technet/prodtechnol/windowsserver2003/servicepack/default.mspx.