Mapping Default Permissions



Understanding the registry's default permissions is useful if you're an IT professional deploying software. Knowing whether members of the Users group can change a particular setting helps you test applications prior to deployment and determine if the application works with default permissions. If you determine that an application does work properly with the default permissions, then it's ready to deploy. If you determine that an application doesn't work properly with the default permissions, you must either fix the program or change the offending key's permissions. The easiest way to do that, of course, is by using security templates.

First you must understand the three fundamental groups in Windows: Users, Power Users, and Administrators. Through these groups, Windows provides different levels of access depending on each group's needs:

  • Users.

    This group has the highest security because the default permissions given to it don't allow its members to change operating system data or other users' settings. Generally, users in this group can't change per-computer operating system and application settings. They can usually run programs certified for Windows that administrators deploy to their computers. Also, this group gives its members full control over everything in their user profiles, including their profile hives (HKCU). What frequently keeps IT professionals from assigning users to this group is that members can't usually run legacy applications. Rather than assign users to another group, deal with this problem by applying a compatible security template, which you learn how to do in the section titled “Deploying Security Templates,” later in this chapter.

  • Power Users.

    This group provides backward compatibility for running programs that aren't certified for Windows. The default permissions give this group the ability to change many per-computer operating system and program settings. Generally, if you have legacy applications that users can't run as members of the Users group and you're not going to use security templates, adding those users to the Power Users group allows the applications to run. However, this group's permissions aren't unlimited: although its members have enough permissions to install most applications, they can't change operating system files or install services. The permissions given to the Power Users group are somewhere in the middle of the Users and Administrators groups. It's similar to the Users group in Microsoft Windows NT 4.0. And no, members of this group can't add themselves to the Administrators group.

  • Administrators.

    This group provides full control of the entire computer. Its members can change all operating system and application files. They can change all settings in the registry. Also, they can take ownership of keys and change a key's ACL. IT professionals are often tempted to add users to this group to avoid having trouble deploying applications that are otherwise difficult to install or run. Don't. Because users in this group can install anything they like or change any setting they like, viruses are free to do their damage and users are free to subject their configurations to the inevitable bout of human error. To secure your enterprise's desktops and reduce downtime, reserve this group for actual administrators. Even if you're an administrator, use your computer as a power user for the same reasons. Instead, when you need to perform an administrative task, use a secondary logon to start a program as Administrator: hold down the SHIFT key while you right-click the program's shortcut, click Run As, and then type the account name and password that you want to use to run the program.

Table 8-1 describes the registry's default permissions after a fresh installation of Windows. (These permissions don't apply to Windows Server 2003 domain controllers.) Keep in mind that the resulting permissions are different if you upgrade from an earlier version of Windows to Windows XP or Windows Server 2003. I got these permissions from the security template that you use to restore Windows to out-of-box security. I've focused on the Users and Power Users groups because these are the primary issue. In most of these cases, the Administrators group has full control, as do the Creator Owner and System built-in accounts. In most cases, but not all, each key's permissions propagate down to all of its subkeys. This is through the magic of inheritance, which you learned about in the preceding section.

When you see the word Special in the Power Users column, it means the group has special permissions on that key (and on its subkeys in most cases), and that permission is usually the ability to modify values. The Power Users group never gets the Full Control, Create Link, Change Permissions, or Take Ownership permission for any key in the registry, though. The interesting thing about this table is that Windows gives the Users group Read permission and the Power Users group special permissions for all of HKLM\SOFTWARE. The remaining entries in the table are exceptions to this rule that limit access to specific keys in HKLM\SOFTWARE.

Table 8-1 Default Windows Installation Registry Permissions

Branch | Users | Power Users
---------------------------------------------------------------------------
hklm\software | Read | Special
hklm\software\classes | Read | Special
hklm\software\classes\.hlp | Read | Read
hklm\software\classes\helpfile | Read | Read
hklm\software\microsoft\ads\providers\ldap\extensions | Read | Read
hklm\software\microsoft\ads\providers\nds | Read | Read
hklm\software\microsoft\ads\providers\nwcompat | Read | Read
hklm\software\microsoft\ads\providers\winnt | Read | Read
hklm\software\microsoft\command processor | Read | Read
hklm\software\microsoft\cryptography | Read | Read
hklm\software\microsoft\cryptography\calais | None | None
hklm\software\microsoft\driver signing | Read | Read
hklm\software\microsoft\enterprisecertificates | Read | Read
hklm\software\microsoft\msdtc | None | None
hklm\software\microsoft\netdde | None | None
hklm\software\microsoft\non-driver signing | Read | Read
hklm\software\microsoft\ole | Read | Read
hklm\software\microsoft\protected storage system provider | None | None
hklm\software\microsoft\rpc | Read | Read
hklm\software\microsoft\secure | Read | Read
hklm\software\microsoft\systemcertificates | Read | Read
hklm\software\microsoft\upnp device host | Read | None
hklm\software\microsoft\windows nt\currentversion\accessibility | Read | Read
hklm\software\microsoft\windows nt\currentversion\aedebug | Read | Read
hklm\software\microsoft\windows nt\currentversion\asr\commands | Read | Read
hklm\software\microsoft\windows nt\currentversion\classes | Read | Read
hklm\software\microsoft\windows nt\currentversion\drivers32 | Read | Read
hklm\software\microsoft\windows nt\currentversion\efs | Read | Read
hklm\software\microsoft\windows nt\currentversion\font drivers | Read | Read
hklm\software\microsoft\windows nt\currentversion\fontmapper | Read | Read
hklm\software\microsoft\windows nt\currentversion\image file execution options | Read | Read
hklm\software\microsoft\windows nt\currentversion\inifilemapping | Read | Read
hklm\software\microsoft\windows nt\currentversion\perflib | None | None
hklm\software\microsoft\windows nt\currentversion\perflib\009 | None | None
hklm\software\microsoft\windows nt\currentversion\profilelist | Read | Read
hklm\software\microsoft\windows nt\currentversion\secedit | Read | Read
hklm\software\microsoft\windows nt\currentversion\setup\recoveryconsole | Read | Read
hklm\software\microsoft\windows nt\currentversion\svchost | Read | Read
hklm\software\microsoft\windows nt\currentversion\terminal server\install\software\microsoft\windows\currentversion\runonce | Read | Read
hklm\software\microsoft\windows nt\currentversion\time zones | Read | Read
hklm\software\microsoft\windows nt\currentversion\windows | Read | Read
hklm\software\microsoft\windows nt\currentversion\winlogon | Read | Read
hklm\software\microsoft\windows\currentversion\explorer\user shell folders | Read | Read
hklm\software\microsoft\windows\currentversion\group policy | None | None
hklm\software\microsoft\windows\currentversion\installer | None | None
hklm\software\microsoft\windows\currentversion\policies | None | None
hklm\software\microsoft\windows\currentversion\reliability | Read | Read
hklm\software\microsoft\windows\currentversion\runonce | Read | Read
hklm\software\microsoft\windows\currentversion\runonceex | Read | Read
hklm\software\microsoft\windows\currentversion\telephony | Read | Special
hklm\software\policies | Read | Read
hklm\system | Read | Read
hklm\system\clone | None | None
hklm\system\controlset001 | None | None
hklm\system\controlset001\services\dhcp\configurations | Read | Read
hklm\system\controlset001\services\dhcp\parameters | Read | Read
hklm\system\controlset001\services\dhcp\parameters\options | Read | Read
hklm\system\controlset001\services\dnscache\parameters | Read | Read
hklm\system\controlset001\services\mrxdav\encrypteddirectories | None | None
hklm\system\controlset001\services\netbt\parameters | Read | Read
hklm\system\controlset001\services\netbt\parameters\interfaces | Read | Read
hklm\system\controlset001\services\tcpip\linkage | Read | Read
hklm\system\controlset001\services\tcpip\parameters | Read | Read
hklm\system\controlset001\services\tcpip\parameters\adapters | Read | Read
hklm\system\controlset001\services\tcpip\parameters\interfaces | Read | Read
hklm\system\controlset002 | None | None
hklm\system\controlset003 | None | None
hklm\system\controlset004 | None | None
hklm\system\controlset005 | None | None
hklm\system\controlset006 | None | None
hklm\system\controlset007 | None | None
hklm\system\controlset008 | None | None
hklm\system\controlset009 | None | None
hklm\system\controlset010 | None | None
hklm\system\currentcontrolset\control\class | None | None
hklm\system\currentcontrolset\control\keyboard layout | Read | Read
hklm\system\currentcontrolset\control\keyboard layouts | Read | Read
hklm\system\currentcontrolset\control\network | Read | Read
hklm\system\currentcontrolset\control\securepipeservers\winreg | None | None
hklm\system\currentcontrolset\control\session manager\executive | None | Special
hklm\system\currentcontrolset\control\timezoneinformation | None | Special
hklm\system\currentcontrolset\control\wmi\security | None | None
hklm\system\currentcontrolset\enum | None | None
hklm\system\currentcontrolset\hardware profiles | None | None
hklm\system\currentcontrolset\services\appmgmt\security | None | None
hklm\system\currentcontrolset\services\clipsrv\security | None | None
hklm\system\currentcontrolset\services\cryptsvc\security | None | None
hklm\system\currentcontrolset\services\dnscache | Read | Read
hklm\system\currentcontrolset\services\ersvc\security | None | None
hklm\system\currentcontrolset\services\eventlog\security | None | None
hklm\system\currentcontrolset\services\irenum\security | None | None
hklm\system\currentcontrolset\services\netbt | Read | Read
hklm\system\currentcontrolset\services\netdde\security | None | None
hklm\system\currentcontrolset\services\netddedsdm\security | None | None
hklm\system\currentcontrolset\services\remoteaccess | Read | Read
hklm\system\currentcontrolset\services\rpcss\security | None | None
hklm\system\currentcontrolset\services\samss\security | None | None
hklm\system\currentcontrolset\services\scarddrv\security | None | None
hklm\system\currentcontrolset\services\scardsvr\security | None | None
hklm\system\currentcontrolset\services\stisvc\security | None | None
hklm\system\currentcontrolset\services\sysmonlog\log queries | None | None
hklm\system\currentcontrolset\services\tapisrv\security | None | None
hklm\system\currentcontrolset\services\tcpip | Read | Read
hklm\system\currentcontrolset\services\w32time\security | None | None
hklm\system\currentcontrolset\services\wmi\security | None | None
hku\.default | Read | Read
hku\.default\software\microsoft\netdde | None | None
hku\.default\software\microsoft\protected storage system provider | None | None
hku\.default\software\microsoft\systemcertificates\root\protectedroots | None | None

Figuring out which keys an application uses is part science but mostly art. Sometimes I simply open the program's binary file in a text editor and look for strings that look like keys. Most often, I use a tool such as Winternals Registry Monitor (Regmon), which you learn how to use in Chapter 10, “Finding Registry Settings,” to monitor registry activity while I run the program I'm putting through its paces. Then I record the different keys that the program references and check to see whether the Users or Power Users groups have the required permissions for those keys. Last, well-behaved applications report errors when they can't read or write a value in the registry. I wouldn't count on this behavior, however, because ill-behaved programs just bounce along happily even after encountering a registry error.
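The following PowerShell script is an added example, not code from the book or from Microsoft, that turns the two tasks above into a repeatable check: it reads the ACL of a set of registry keys and reports what the Users and Power Users groups hold there, using the same Read / Special / None vocabulary as Table 8-1. The keys can come from the table itself (so you can compare a live machine against the documented default) or be harvested from a saved Regmon log (the "which keys does this program touch" exercise). The log lines inside the script are constructed for the example, and the tab-separated column order they assume (Sequence, Time, Process, Request, Path, Result) is an assumption about the log layout, not a fact from the book. The function names and the group-to-SID table are likewise the example's own.

```powershell
# Added example (not from the book): classify Users / Power Users access to
# registry keys in Table 8-1's vocabulary. Requires PowerShell 3 or later and
# a prompt with permission to read each key's security descriptor.
Set-StrictMode -Version 2

# Well-known SIDs, so the check does not depend on localized group names.
$Groups = [ordered]@{ 'Users' = 'S-1-5-32-545'; 'Power Users' = 'S-1-5-32-547' }

# Turn the book's "hklm\software\..." notation (or Regmon's "HKLM\...") into a provider path.
function ConvertTo-RegistryPath {
    param([string]$Branch)
    $hives = @{ hklm = 'HKEY_LOCAL_MACHINE'; hku = 'HKEY_USERS'; hkcu = 'HKEY_CURRENT_USER'; hkcr = 'HKEY_CLASSES_ROOT' }
    $hive, $rest = $Branch -split '\\', 2
    $root = $hives[$hive.ToLower()]
    if (-not $root) { $root = $hive }          # already a full hive name
    if ($rest) { "Registry::$root\$rest" } else { "Registry::$root" }
}

# Collapse the ACEs held by one SID into Read / Special / Full Control / None.
# Only explicit entries for that SID are counted, which is how the table's
# security template assigns rights; nested membership is not folded in.
function Get-GroupAccess {
    param([System.Security.AccessControl.RegistrySecurity]$Acl, [string]$Sid)
    $full = [System.Security.AccessControl.RegistryRights]::FullControl
    $read = [System.Security.AccessControl.RegistryRights]::ReadKey
    $allowed = [System.Security.AccessControl.RegistryRights]0
    $denied  = $false
    foreach ($rule in $Acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        if ($rule.IdentityReference.Value -ne $Sid) { continue }
        if ($rule.AccessControlType -eq 'Deny') { $denied = $true; continue }
        $allowed = $allowed -bor $rule.RegistryRights
    }
    if ($denied) { return 'Deny' }
    if ($allowed -eq 0) { return 'None' }
    if (($allowed -band $full) -eq $full) { return 'Full Control' }
    if ($allowed -eq $read) { return 'Read' }
    return 'Special'   # more (or less) than plain Read; typically Read plus Set Value / Create Subkey
}

# Report one branch. A key that is absent, or whose ACL cannot be read, shows as Missing.
function Test-BranchAccess {
    param([string]$Branch)
    $path = ConvertTo-RegistryPath $Branch
    $row = [ordered]@{ Branch = $Branch }
    if (-not (Test-Path -LiteralPath $path)) {
        foreach ($g in $Groups.Keys) { $row[$g] = 'Missing' }
        return [pscustomobject]$row
    }
    $acl = Get-Acl -LiteralPath $path
    foreach ($g in $Groups.Keys) { $row[$g] = Get-GroupAccess $acl $Groups[$g] }
    [pscustomobject]$row
}

# Harvest the distinct keys a program touched from a tab-separated Regmon-style log.
# Value operations (QueryValue, SetValue) name the value, so keep the parent key.
function Get-KeysFromRegmonLog {
    param([string[]]$Lines)
    $keys = @{}
    foreach ($line in $Lines) {
        $cols = $line -split "`t"
        if ($cols.Count -lt 6) { continue }
        $request, $path = $cols[3], $cols[4]
        if ($request -match 'Value$') { $path = $path -replace '\\[^\\]*$', '' }
        if ($path) { $keys[$path] = $true }
    }
    $keys.Keys | Sort-Object
}

# Constructed sample log in the assumed column order; not real Regmon output.
$SampleLog = @(
    "1`t10:01:02`tlegacyapp.exe:1488`tOpenKey`tHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon`tSUCCESS",
    "2`t10:01:02`tlegacyapp.exe:1488`tQueryValue`tHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell`tSUCCESS",
    "3`t10:01:03`tlegacyapp.exe:1488`tCreateKey`tHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce`tSUCCESS",
    "4`t10:01:03`tlegacyapp.exe:1488`tSetValue`tHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Setup`tACCESS DENIED"
)

# A few rows copied from Table 8-1, to compare the live machine against the documented default.
$Baseline = @(
    @{ Branch = 'hklm\software';                                                   Users = 'Read'; 'Power Users' = 'Special' },
    @{ Branch = 'hklm\software\microsoft\windows\currentversion\runonce';          Users = 'Read'; 'Power Users' = 'Read' },
    @{ Branch = 'hklm\system\currentcontrolset\control\securepipeservers\winreg';  Users = 'None'; 'Power Users' = 'None' }
)

# 1. Baseline drift: print every group/key pair whose live rights differ from the table.
foreach ($expected in $Baseline) {
    $actual = Test-BranchAccess $expected.Branch
    foreach ($g in $Groups.Keys) {
        if ($actual.$g -ne $expected[$g]) {
            "{0}: {1} is {2}, table says {3}" -f $expected.Branch, $g, $actual.$g, $expected[$g]
        }
    }
}

# 2. Regmon triage: the keys the program touched and what the two groups may do there.
Get-KeysFromRegmonLog $SampleLog | ForEach-Object { Test-BranchAccess $_ } | Format-Table -AutoSize
```

Two things to keep in mind when reading the output. First, the table describes a fresh Windows XP or Windows Server 2003 installation; on later versions of Windows the Power Users group carries no special rights, so "drift" there is expected rather than a sign of tampering. Second, the classification is deliberately literal: it reports the explicit ACEs for the two SIDs, which is the same thing the security template writes, so a key that a user can reach only through another group (Everyone, Authenticated Users) still shows as None. For the Regmon half, the Result column already tells you which operation failed with ACCESS DENIED; the script's contribution is the permission view of the key that caused it, so you can decide whether to adjust the template for that key or fix the program.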



Microsoft Windows Registry Guide, Second Edition
ISBN: 0735622183
Year: 2003
Pages: 186