Setting Keys' Permissions

Registry security is similar to file system security except that you can set only keys' permissions, not values' permissions. Other than that, the dialog boxes look similar; the permissions are similar, and so on. If you don't understand basic security concepts, take a moment and review them in Help and Support Center before tinkering with permissions. I don't include the basic concepts in this chapter because I assume that you're an IT professional and already have this information under your belt.

If you have full control of or own a registry key, you can edit its permissions for users and groups in its ACL:

  1. In Regedit, click the key with the ACL you want to edit.

  2. On the Edit menu, click Permissions (see Figure 7-1).

    Figure 7-1: This dialog box is almost identical to the dialog box for file system security.

  3. In the Group Or User Names list, click the user or group for whom you want to edit permissions, and then select the check box in the Allow or Deny column to allow or deny the following permissions:

    • Full Control. Grants the user or group permission to open, edit, and take ownership of the key. It literally gives full control of it.

    • Read. Grants the user or group permission to read the key's contents but not save changes made to it. Read this as read-only.

    • Special Permissions. Grants the user or group a special combination of permissions. To grant special permissions, click Advanced. You learn more about this permission setting in the section titled "Assigning Special Permissions," later in this chapter.

Sometimes the check boxes in the Permissions For Name area are shaded. You can't change them. The reason is that the key inherits that permission from the parent key. You can prevent a key from inheriting permissions, and you learn how to do that later in this chapter in "Assigning Special Permissions."

Tip 

OK, you had your fun. You tinkered with your registry's security and satisfied your curiosity; but now what? You can easily restore the original permissions by applying the Setup Security template. You learn how to apply this template in the section "Modifying a Computer's Configuration," later in this chapter.

Adding Users to ACLs

You can add users or groups to a key's existing ACL:

  1. In Regedit, click the key with the ACL you want to edit.

  2. On the Edit menu, click Permissions, and then click Add.

  3. In the Select Users, Computers, Or Groups dialog box, click Locations, and then click the computer, domain, or organizational unit in which you want to look for the user or group you want to add to the key's ACL.

  4. In the Enter The Object Names To Select box, type the name of the user or group you want to add to the key's ACL, and then click OK.

  5. In the Permissions For Name list, configure the permissions you want to give the user or group by selecting the Allow or Deny check box.

The only real-world scenario I can think of for adding users to a key's ACL is allowing a group to access a computer's registry over the network, which you learn how to do in "Restricting Remote Registry Access," later in this chapter. Otherwise, adding a user or group to a key's ACL is sometimes useful as a quick fix when an application can't access the settings it needs when users run it. Generally speaking, adding users or groups to a key's ACL does little harm, but if you're not careful, you can open holes in the security of Windows XP so wide that users and hackers can walk through them. And if the edit you're making affects more than one computer or user, consider deploying it as a security template. (See "Deploying Security Templates," later in this chapter.)

Tip 

In step 4, you type all or part of the user or group name you want to add to the key's ACL. If you don't have a clue what the name is, you can search for it. First, if possible, narrow your search by choosing a location as I described in step 3. Then click Advanced, and click Find Now. Click the name of the user or group you want to add, and click OK. You can further narrow the results by clicking Object Types, and then clearing the Built-In Security Principals check box.

Removing Users from ACLs

Here's how to remove a user or group from a key's ACL:

  1. In Regedit, click the key with the ACL you want to edit.

  2. On the Edit menu, click Permissions.

  3. Click the user or group you want to remove, and click Remove.

Caution 

Be wary of removing groups from keys' ACLs. Generally, the ACLs you see in Windows XP after installing it (Setup Security) are the bare minimum required for users to start and use the operating system. If you remove the Users or Power Users group from a key, users in those groups can't read the key's values, and this is likely going to mangle the operating system or an application. If you dare remove the Administrators group from a key, you might not be able to manage the computer at all. Removing individual users from a key's ACL isn't necessarily a bad thing, however. Windows XP doesn't assign permissions to individual users, so those permissions got there by devious means. You should never remove users from their profile hives' ACLs, though. Doing so prevents them from accessing their own settings, of which they should have full control.
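A read-only way to find the entries this caution describes, as an added example that is not from the book: it lists explicit (non-inherited) Allow entries that grant write-class permissions anywhere below a key. It assumes Windows PowerShell 3.0 or later and English account names; the trusted list and the `HKLM:\SOFTWARE\ExampleVendor` path are hypothetical.

```powershell
# Added example, not from the book: report explicit Allow ACEs that grant
# write-class rights below a key. The $Trusted default is an assumption.
function Get-ExplicitWriteAce {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [string[]]$Trusted = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER')
    )

    # Set Value, Create Subkey, Create Link, Delete, Write DAC, Write Owner.
    $writeNames = 'SetValue, CreateSubKey, CreateLink, Delete, ChangePermissions, TakeOwnership'
    $writeMask  = [int][System.Security.AccessControl.RegistryRights]$writeNames

    # The key itself plus every subkey the caller is able to open.
    $keys  = @(Get-Item -LiteralPath $Path)
    $keys += @(Get-ChildItem -LiteralPath $Path -Recurse -ErrorAction SilentlyContinue)

    foreach ($key in $keys) {
        $acl = Get-Acl -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
        if (-not $acl) { continue }     # caller lacks Read Control on this key

        foreach ($ace in $acl.Access) {
            if ($ace.IsInherited) { continue }                     # shaded in Regedit
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($Trusted -contains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.RegistryRights -band $writeMask) -eq 0) { continue }

            [pscustomobject]@{
                Key         = $key.Name
                Identity    = $ace.IdentityReference.Value
                Rights      = $ace.RegistryRights
                Inheritance = $ace.InheritanceFlags
                Propagation = $ace.PropagationFlags
            }
        }
    }
}

# Hypothetical branch to review; substitute the key you are auditing.
Get-ExplicitWriteAce -Path 'HKLM:\SOFTWARE\ExampleVendor' | Format-List
```

Full Control entries are reported too, because Full Control contains every write-class permission in the mask.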

Assigning Special Permissions

Special permissions give you more granular control of a key's ACL than the basic Full Control and Read permissions. You can allow or deny users the ability to create subkeys, set values, read values, and so on. You can get very detailed. Here's how:

  1. In Regedit, click the key with the ACL you want to edit.

  2. On the Edit menu, click Permissions.

  3. In the Group Or User Names list, click the user or group for whom you want to edit permissions. Add the user or group if necessary. Then click Advanced.

  4. Double-click the user or group to whom you want to give special permissions. You see the Permission Entry For Name dialog box shown in Figure 7-2.

    Figure 7-2: Special permissions give you finer control of a user or group's permissions to use a key, but assigning special permissions is generally unnecessary.

  5. In the Apply Onto drop-down list, click one of the following:

    • This Key Only. Applies the permissions to the selected key only.

    • This Key And Subkeys. Applies the permissions to the selected key and all its subkeys. In other words, it applies them to the entire branch.

    • Subkeys Only. Applies the permissions to all the key's subkeys but not to the key itself.

  6. In the Permissions list, select the Allow or Deny check box for each permission you want to allow or deny:

    • Full Control. All the following permissions.

    • Query Value. Read a value from the key.

    • Set Value. Set a value in the key.

    • Create Subkey. Create subkeys in the key.

    • Enumerate Subkeys. Identify the key's subkeys.

    • Notify. Receive notification events from the key.

    • Create Link. Create symbolic links in the key.

    • Delete. Delete the key or its values.

    • Write DAC. Write the key's discretionary access control list.

    • Write Owner. Change the key's owner.

    • Read Control. Read the key's discretionary access control list.

A word about inheritance is necessary here. With inheritance enabled, subkeys inherit the permissions of their parent keys. In other words, if a key gives a group full control, all the key's subkeys also give that group full control. In fact, when you view the subkeys' ACLs, the Allow check box next to Full Control is shaded for that group because you can't change inherited permissions. There are a few things you can do to configure inheritance. First, you can prevent a subkey from inheriting its parent key's permissions: In the Advanced Security Settings For Key dialog box, clear the Inherit From Parent The Permission Entries That Apply To Child Objects check box. Second, you can replace the ACLs of a key's subkeys, effectively resetting an entire branch to match a key's ACL. Select the Replace Permission Entries On All Child Objects With Entries Shown Here That Apply To Child Objects check box.
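The same Apply Onto choices, special permissions, and inheritance switch expressed in PowerShell, as an added example that is not from the book. It works on a constructed scratch key, `HKCU:\Software\AclDemo`, and assumes the well-known SID S-1-5-32-545 for the built-in Users group; the `New-KeyAce` helper is hypothetical.

```powershell
# Added example, not from the book. Uses a constructed scratch key in HKCU.
$path  = 'HKCU:\Software\AclDemo'
$users = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'  # BUILTIN\Users
New-Item -Path $path -Force | Out-Null

# Each Apply Onto choice is a pair: InheritanceFlags, PropagationFlags.
$scopes = @{
    'This Key Only'        = @('None',             'None')
    'This Key And Subkeys' = @('ContainerInherit', 'None')
    'Subkeys Only'         = @('ContainerInherit', 'InheritOnly')
}

function New-KeyAce {
    param(
        [System.Security.Principal.IdentityReference]$Identity,
        [System.Security.AccessControl.RegistryRights]$Rights,
        [ValidateSet('This Key Only', 'This Key And Subkeys', 'Subkeys Only')]
        [string]$ApplyOnto,
        [System.Security.AccessControl.AccessControlType]$Type = 'Allow'
    )
    $inherit, $propagate = $scopes[$ApplyOnto]
    New-Object System.Security.AccessControl.RegistryAccessRule `
        -ArgumentList $Identity, $Rights, $inherit, $propagate, $Type
}

# Query Value, Enumerate Subkeys, Notify and Read Control on the key itself;
# Set Value on subkeys only.
$acl = Get-Acl -Path $path
$acl.AddAccessRule((New-KeyAce -Identity $users -ApplyOnto 'This Key Only' `
    -Rights 'QueryValues, EnumerateSubKeys, Notify, ReadPermissions'))
$acl.AddAccessRule((New-KeyAce -Identity $users -ApplyOnto 'Subkeys Only' -Rights 'SetValue'))
Set-Acl -Path $path -AclObject $acl

# A subkey created now inherits the Subkeys Only entry (IsInherited = True),
# which is the state Regedit shows as a shaded check box.
New-Item -Path "$path\Child" -Force | Out-Null
(Get-Acl -Path "$path\Child").Access |
    Select-Object IdentityReference, RegistryRights, IsInherited

# Equivalent of clearing "Inherit From Parent...": protect the subkey's ACL
# and keep a copy of the inherited entries as explicit ones.
$child = Get-Acl -Path "$path\Child"
$child.SetAccessRuleProtection($true, $true)
Set-Acl -Path "$path\Child" -AclObject $child
(Get-Acl -Path "$path\Child").Access |
    Select-Object IdentityReference, RegistryRights, IsInherited

# Remove the scratch key when finished.
Remove-Item -Path $path -Recurse
```

Passing `$false` as the second argument to `SetAccessRuleProtection` drops the inherited entries instead of copying them, so check that the subkey still has the entries it needs before saving that change.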



Microsoft Windows XP Registry Guide
ISBN: 0735617880
Year: 2005
Pages: 185