Controlling the Back-end with the Windows Registry

Because much of this chapter has been devoted to customizations related to installing the Windows Server 2003 operating system, it seems appropriate to end with a discussion of that component through which Windows operating systems can be customized to the greatest degree. That component is of course the Registry. The Windows Registry has been around since Windows 95. It is the database containing hardware, operating system, policy, file association, application, and user configuration.

Rather than going into a detailed account of the Registry's architecture, this section focuses on best practices for using the Registry to secure and maintain the newly installed Windows Server 2003 server.

The Registry Editor

In earlier versions of Windows, Registry editing was conducted through two different but similar tools: Regedit.exe and Regedt32.exe. Each tool could do some of the tasks involved in making Registry configuration changes, but one could not be used to the exclusion of the other. With Windows XP and Windows Server 2003, Microsoft has consolidated the features of the two tools into a single Registry Editor that has the look and feel of the old Regedit.exe but includes the security and remote access features of Regedt32.exe. Interestingly, both commands still exist in Windows Server 2003, but they each launch the same utility.

Protecting the Registry

It is important when a new Windows Server 2003 server is built to verify that it meets or exceeds the security policies for the company. Because the Registry is a critical component of a server's capacity to perform, securing the server's Registry should be a part of that process.

The default security for the Windows Server 2003 Registry has improved over earlier Windows operating systems. There are sections of the Registry that are even locked down for administrators. For example, the HKEY_LOCAL_MACHINE\SAM and HKEY_LOCAL_MACHINE\SECURITY keys allow only read and write DAC access to administrators.

Some best practices for protecting the Registry include the following:

• Audit the Registry. An audit log of changes made to the Registry can be a crucial tool in troubleshooting, as well as uncovering security breaches. Auditing can be enabled either through group policy or local security settings.

• Prevent Remote Access. In some cases, it might be wise to limit or prevent remote access to a server's Registry. To do this, simply change the permissions on the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\ winreg .

• Include the Registry in backups . As part of a disaster recovery procedure, in addition to backing up files and folders, always back up a server's Registry. Using the built-in backup utility, NTBACKUP.EXE, the Registry can be backed up by simply including the System State Data option.

Maintaining the Registry

Though Windows Server 2003 automatically performs maintenance on the Registry, there are some tools and best practices related to the Registry that help improve performance:

• Manage the Registry size. In earlier Windows operating systems, administrators had the option to limit the size of the Registry. Because Windows Server 2003 manages the Registry in the computer cache rather than in paged, pooled memory, administrators no longer need to specify a Registry size. It is recommended, though, to provide an adequate amount of free space on the system partition. There should always be 25% free space at all times.

• Use the Windows Installer Cleanup Utility (MSICUU.EXE). This utility is installed with the Windows Server 2003 Support Tools. It can be used to remove Registry entries from applications installed with Windows Installer. This tool is useful in repairing a server's Registry after a failed or corrupted Windows Installer installation.

• Use Windows Installer Zapper (MSIZAP.EXE). This is the command-line version of MSICUU.EXE, which includes more features than the GUI version. For instance, MSIZAP can remove folders in addition to Registry entries. It can also be used to change access control list (ACL) permissions and remove rollback information.