Recipe 9.8. Restricting Access to the Registry

Problem

You want to restrict access to a certain registry key or value. This may be necessary if you need to store sensitive data in the registry and want to prevent normal users from seeing it.

Solution

Using a graphical user interface

On Windows 2000, you must use regedt32.exe to set registry permissions.


  1. Open the Registry Editor (regedit.exe).

  2. In the left pane, browse to the key on which you want to set permissions.

  3. Right-click the key and select Permissions.

  4. To add a new permission, click the Add button. This launches the Object Picker dialog box. Select the user or group you want to add permissions for and click OK. The default permission granted to this user or group is read access.

  5. To delete a permission, select the user or group you want to remove under Group or user names and click the Remove button. Click OK.

  6. To modify a permission, click the Advanced button. Select the permission you want to modify under Permission entries and click the Edit button. Check the boxes corresponding to the permissions you want to grant. Click OK until all dialog boxes are closed.

You can also configure registry permissions with group policy. In the left pane of the Group Policy Object Editor, navigate to \Windows Settings\Security Settings\Registry in either the Computer Configuration or the User Configuration section. Right-click Registry and select Add Key. This lets you select a target registry key and configure the permissions you want on that key.


Using a command-line interface

Use the subinacl command to grant access to a registry key. The following command grants the specified user full control over a key:

> subinacl /verbose=1 /keyreg \\<ServerName>\<KeyPath> /grant=<UserOrGroup>

For example:

> subinacl /verbose=1 /keyreg \\fs01\HKEY_LOCAL_MACHINE\Software\Rallencorp /grant=AMER\rallen

You can also revoke access to a key with the /revoke option. The example that follows the syntax revokes the Users group's access to the specified registry key:

> subinacl /verbose=1 /keyreg \\<ServerName>\<KeyPath> /revoke=<UserOrGroup>

For example:

> subinacl /verbose=1 /keyreg \\.\HKEY_LOCAL_MACHINE\Software\Rallencorp /revoke=Users

Lastly, you can view which users and groups have access to a registry key by using the /display option with subinacl, as shown here:

> subinacl /verbose=1 /keyreg \\<ServerName>\<KeyPath> /display

For example:

> subinacl /verbose=1 /keyreg \\fs01\HKEY_LOCAL_MACHINE\Software\Rallencorp /display
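
The same revoke, grant and display steps can be scripted with Get-Acl and Set-Acl on a system where Windows PowerShell is installed. This is an added example, not code from the book: the key path and account reuse the recipe's sample values, and the BUILTIN\Users, BUILTIN\Administrators and NT AUTHORITY\SYSTEM names assume an English-language installation.

```powershell
# Added example (not from the book). Run from an elevated PowerShell prompt.
# Key path and account reuse the recipe's sample values; the built-in
# account names assume an English-language Windows installation.
$keyPath = 'HKLM:\Software\Rallencorp'
$grantTo = 'AMER\rallen'

$inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

function New-KeyRule([string]$Account, [System.Security.AccessControl.RegistryRights]$Rights) {
    # Allow ACE that applies to this key and is inherited by its subkeys
    New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList $Account, $Rights, $inherit, $prop, $allow
}

$acl = Get-Acl -Path $keyPath

# Stop inheriting from the parent key ($true) and drop the inherited
# entries instead of copying them ($false). Without this, an ACE inherited
# from the parent key still applies after the explicit one is removed.
$acl.SetAccessRuleProtection($true, $false)

# Revoke: remove every explicit ACE held by the Users group
$acl.PurgeAccessRules([System.Security.Principal.NTAccount]'BUILTIN\Users')

# Grant: keep administrative access, then add the account that needs the data.
# FullControl mirrors the recipe; use ReadKey if the account only reads.
$acl.SetAccessRule((New-KeyRule 'BUILTIN\Administrators' 'FullControl'))
$acl.SetAccessRule((New-KeyRule 'NT AUTHORITY\SYSTEM'    'FullControl'))
$acl.SetAccessRule((New-KeyRule $grantTo                 'FullControl'))

Set-Acl -Path $keyPath -AclObject $acl

# Display: confirm that no entry is inherited and Users is gone
(Get-Acl -Path $keyPath).Access |
    Format-Table IdentityReference, RegistryRights, AccessControlType, IsInherited -AutoSize
```

Every row in the resulting table should show IsInherited as False, with no entry for BUILTIN\Users.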

Discussion

Another useful feature of the permissions function in Registry Editor is Effective Permissions. With it, you can select a user or group and determine what rights it has over a key. And while you can't run this directly on a Windows 2000 system, you can use the remote connection capabilities of Registry Editor to connect to a Windows 2000 system to configure permissions and view effective permissions.



Windows Server Cookbook
Windows Server Cookbook for Windows Server 2003 and Windows 2000
ISBN: 0596006330
EAN: 2147483647
Year: 2006
Pages: 380
Authors: Robbie Allen
