Restricting Remote Registry Access

Securing local access to the Windows registry is one thing; securing remote access is another. Windows gives members of the local Administrators and Backup Operators groups remote access to the registry. Because the Domain Admins group is a member of each computer's local Administrators group, all domain administrators can connect the registry of any computer that's joined to the domain. Also, Windows now limits remote access to the registry more than earlier versions of Windows.

There might be limited scenarios in which you want to open remote access to computers' registries. For example, in Active Directory, you might create an administrators group for each organizational unit and want to give it the ability to edit computers' registries if they belong to the organizational unit. To enable that group to remotely edit a computer's registry, add that group to the ACL of the key HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg. The problem you're going to run into is that although adding a group to winreg allows remote access, each key's ACL still determines which keys the group can change. So to allow a remote user or group to change a setting on the computer, add that user or group to the local Users, Power Users, or Administrators group.

CAUTION
Don't open each computer's registry to security threats by haphazardly adding groups to the winreg key's ACL. Doing so creates a hole large enough for many Trojan viruses to infect Windows and invites predators to hack away at your infrastructure. The best practice is to limit remote registry access to domain administrators.