Recipe 9.8. Restricting Access to the Registry

Problem

You want to restrict access to a certain registry key or value. This may be necessary if you need to store sensitive data in the registry and want to prevent normal users from seeing it.

Solution

Using a graphical user interface

Using a command-line interface

Use the subinacl command to grant access to a registry key. This grants full control for the specified user over a key:

> subinacl /verbose=1 /keyreg \\<ServerName>\<KeyPath> /grant=<UserOrGroup>

For example:

> subinacl /verbose=1 /keyreg \\fs01\HKEY_LOCAL_MACHINE\Software\Rallencorp /grant=AMER\rallen

You can also revoke access to a key using the next command. The following command revokes access to the specified registry key for members of the Users group:

> subinacl /verbose=1 /keyreg \\<ServerName>\<KeyPath> /revoke=<UserOrGroup>

For example:

> subinacl /verbose=1 /keyreg \\.\HKEY_LOCAL_MACHINE\Software\Rallencorp /revoke=Users

Lastly, you can view which users and groups have access to a registry key by using the /display option with subinacl, as shown here:

> subinacl /verbose=1 /keyreg \\<ServerName>\<KeyPath> /display

For example:

> subinacl /verbose=1 /keyreg \\fs01\HKEY_LOCAL_MACHINE\Software\Rallencorp /display

Discussion

Another useful feature of the permissions function in Registry Editor is Effective Permissions. With it, you can select a user or group and determine what rights it has over a key. And while you can't run this directly on a Windows 2000 system, you can use the remote connection capabilities of Registry Editor to connect to a Windows 2000 system to configure permissions and view effective permissions.
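
The grant, revoke and display steps above, expressed with PowerShell's Get-Acl and Set-Acl as an added example (not part of the original recipe). It assumes PowerShell in an elevated session, reuses the recipe's sample key and account, and uses a hypothetical function name. It goes one step beyond the recipe by first breaking inheritance, so that entries inherited from the parent key can actually be removed.

```powershell
# Added example. Key path and account are the recipe's sample values;
# the function name Set-RestrictedKeyAcl is hypothetical.
function Set-RestrictedKeyAcl {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $GrantTo,
        [string] $RevokeFrom = 'BUILTIN\Users'
    )

    # Pass 1: stop inheriting from the parent key, keeping the inherited ACEs
    # as explicit copies so Administrators and SYSTEM retain access.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $Path -AclObject $acl

    # Pass 2: re-read the ACL. The copied ACEs only become removable after the
    # protected ACL has been written back, which is why this is a second pass.
    $acl = Get-Acl -Path $Path
    $acl.PurgeAccessRules([System.Security.Principal.NTAccount] $RevokeFrom)

    # Full control on this key and its subkeys for the named account.
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $GrantTo,
        [System.Security.AccessControl.RegistryRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl

    # Return the resulting ACEs so the caller can review them.
    (Get-Acl -Path $Path).Access |
        Select-Object IdentityReference, RegistryRights, AccessControlType, IsInherited
}

Set-RestrictedKeyAcl -Path 'HKLM:\Software\Rallencorp' -GrantTo 'AMER\rallen' |
    Format-Table -AutoSize
```

In the returned table, every row should show IsInherited as False and no row should name the revoked group.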