Because much of this chapter has been devoted to customizations related to installing the Windows Server 2003 operating system, it seems appropriate to end with a discussion of that component through which Windows operating systems can be customized to the greatest degree. That component is of course the Registry. The Windows Registry has been around since Windows 95. It is the database containing hardware, operating system, policy, file association, application, and user configuration. Rather than going into a detailed account of the Registry's architecture, this section focuses on best practices for using the Registry to secure and maintain the newly installed Windows Server 2003 server. The Registry EditorIn earlier versions of Windows, Registry editing was conducted through two different but similar tools: Regedit.exe and Regedt32.exe. Each tool could do some of the tasks involved in making Registry configuration changes, but one could not be used to the exclusion of the other. With Windows XP and Windows Server 2003, Microsoft has consolidated the features of the two tools into a single Registry Editor that has the look and feel of the old Regedit.exe but includes the security and remote access features of Regedt32.exe. Interestingly, both commands still exist in Windows Server 2003, but they each launch the same utility. Protecting the RegistryIt is important when a new Windows Server 2003 server is built to verify that it meets or exceeds the security policies for the company. Because the Registry is a critical component of a server's capacity to perform, securing the server's Registry should be a part of that process. The default security for the Windows Server 2003 Registry has improved over earlier Windows operating systems. There are sections of the Registry that are even locked down for administrators. For example, the HKEY_LOCAL_MACHINE\SAM and HKEY_LOCAL_MACHINE\SECURITY keys allow only read and write DAC access to administrators. Some best practices for protecting the Registry include the following:
Maintaining the RegistryThough Windows Server 2003 automatically performs maintenance on the Registry, there are some tools and best practices related to the Registry that help improve performance:
|