Restricting Remote Registry Access

Securing local access to the Windows XP registry is one thing; securing remote access is another. Windows XP gives members of the local Administrators and Backup Operators groups remote access to the registry. Because the Domain Admins group is a member of each computer's local Administrators group, all domain administrators can connect the registry of any computer that's joined to the domain. So far so good, and Windows XP limits remote access to the registry more than earlier versions of Windows.

There might be limited scenarios in which you want to open remote access to computers' registries. For example, in Active Directory, you might create an administrators group for each organizational unit and want to give it the ability to edit computers' registries if they belong to the organizational unit. To enable that group to remotely edit a computer's registry, add that group to the ACL of the key HKLM\SYSTEM\CurrentcontrolSet\Control \SecurePipeServers\winreg. The problem you're going to run into is that although adding a group to winreg allows remote access, each key's ACL still determines which keys the group can change. So to allow a remote user or group to change a setting on the computer, add that user or group to the local Users, Power Users, or Administrators group.

Caution 

Don't go nuts and open each computer's registry to security threats by willy-nilly adding groups to the winreg key's ACL. Doing so creates a hole large enough for many Trojan viruses to get their hooks into Windows XP and invites predators to hack away at your infrastructure. The best practice is to leave well enough alone, and limit remote registry access to domain administrators.



Microsoft Windows XP Registry Guide
Microsoft Windows XP Registry Guide (Bpg-Other)
ISBN: 0735617880
EAN: 2147483647
Year: 2005
Pages: 185

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net