Editing Access Rights to the Registry Keys

If you have some previous experience working with Windows NT/2000, you'll certainly notice that many of the security features in Windows XP Professional will be quite familiar to you.

For example, similar to Windows NT/2000, Windows XP identifies users and groups using security identifiers (Security IDs, SIDs). Security identifiers are quite long, and are unique for each user (even for the user accounts in different systems). If you first delete the user account on the local computer or in the domain, and then create a new user account with the same login name, the system will generate a new security ID for that account. There's no possibility of having two identical security IDs. SIDs have the following format: S-1-XXXXX-YYYYY1-YYYYY2-...-RID, where: S-1—security ID, version 1; XXXXX—authority number; YYYYYn—subauthority numbers; RID—relative identifier (Relative ID). Notice that the Relative ID (RID) won't be unique for each computer.

Note 

Also notice that many Windows NT/2000/XP users, even experienced ones, often think that the system identifies each user by his or her credentials—username (or login name) and the password. This isn't so; it's the SID that uniquely identifies the user to the system. User profiles, which will be discussed in detail in Chapter 10, are also identified by their associated SIDs.

As mentioned above, most user SIDs are unique. However, there are so-called well-known SIDs, whose values are constant for all systems. Examples of such SIDs include the following users and groups:

  • Everyone (S-1-1-0). The Everyone group will be discussed later in this chapter. For now, let us take notice of the fact that it automatically includes everyone who uses the computer, even users with anonymous guest accounts. The identifier authority value for this SID is 1 (World Authority), while its subauthority value is 0 (Null RID).

  • Creator Owner (S-1-3-0). This is the Creator Owner user, serving as a placeholder in an inheritable Access Control Entry (ACE). When the ACE is inherited, the system replaces the SID for Creator Owner with the SID for the object's current owner. The identifier authority value for this SID is 3 (Creator Authority). It has only one subauthority value, 0 (Null RID).

Note 

A complete list of well-known SIDs in Windows 2000 and Windows XP is provided in the Microsoft Knowledge Base article Q243330—"Well Known Security Identifiers in Windows 2000 and Windows XP".
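The SID format described above can be checked mechanically. The following is an added example, not code from the book: it parses the string form and also the packed binary form of a SID (which goes beyond what the text covers), then separates the issuing part from the RID. The names Sid, parse_sid_string and parse_sid_bytes are illustrative, and the account SIDs in the demo are constructed.

```python
import struct
from dataclasses import dataclass

# Well-known SIDs and authority names taken from the text above.
WELL_KNOWN = {"S-1-1-0": "Everyone", "S-1-3-0": "Creator Owner"}
AUTHORITY_NAMES = {1: "World Authority", 3: "Creator Authority"}


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    subauthorities: tuple

    def __post_init__(self):
        if self.revision != 1:
            raise ValueError("only SID revision 1 is defined")
        if not 0 <= self.authority < 2 ** 48:
            raise ValueError("identifier authority is a 48-bit value")
        if len(self.subauthorities) > 15:
            raise ValueError("a SID holds at most 15 subauthorities")
        if any(not 0 <= s < 2 ** 32 for s in self.subauthorities):
            raise ValueError("each subauthority is a 32-bit value")

    @property
    def rid(self):
        """Last subauthority: the relative identifier (RID)."""
        return self.subauthorities[-1] if self.subauthorities else None

    @property
    def issuer(self):
        """The SID without its RID: identifies the issuing machine or domain."""
        return Sid(self.revision, self.authority, self.subauthorities[:-1])

    def __str__(self):
        parts = ["S", str(self.revision), str(self.authority)]
        return "-".join(parts + [str(s) for s in self.subauthorities])

    def to_bytes(self):
        """Binary layout: revision, count, 6-byte big-endian authority,
        then each subauthority as a 4-byte little-endian integer."""
        head = bytes([self.revision, len(self.subauthorities)])
        head += self.authority.to_bytes(6, "big")
        fmt = "<%dI" % len(self.subauthorities)
        return head + struct.pack(fmt, *self.subauthorities)


def parse_sid_string(text):
    fields = text.strip().split("-")
    if len(fields) < 3 or fields[0].upper() != "S":
        raise ValueError("not a SID string: %r" % text)
    try:
        numbers = [int(f, 16) if f.lower().startswith("0x") else int(f)
                   for f in fields[1:]]
    except ValueError:
        raise ValueError("non-numeric SID component in %r" % text) from None
    return Sid(numbers[0], numbers[1], tuple(numbers[2:]))


def parse_sid_bytes(blob):
    if len(blob) < 8:
        raise ValueError("binary SID is at least 8 bytes long")
    revision, count = blob[0], blob[1]
    if len(blob) != 8 + 4 * count:
        raise ValueError("length does not match the subauthority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:])
    return Sid(revision, authority, subs)


if __name__ == "__main__":
    everyone = parse_sid_string("S-1-1-0")
    print(everyone, WELL_KNOWN[str(everyone)], AUTHORITY_NAMES[everyone.authority])

    # Constructed SIDs: an account deleted and re-created under the same
    # login name gets a new RID, so the two SIDs differ.
    old = parse_sid_string("S-1-5-21-1111111111-2222222222-3333333333-1003")
    new = parse_sid_string("S-1-5-21-1111111111-2222222222-3333333333-1007")
    print("same issuer:", old.issuer == new.issuer, "same SID:", old == new)

    # Constructed SID from another machine: same RID, different issuer.
    other = parse_sid_string("S-1-5-21-4000000000-100000000-200000000-1003")
    print("same RID:", other.rid == old.rid, "same SID:", other == old)
```
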

On all computers running Windows NT/2000/XP, access to resources is controlled by Access Control Lists (ACLs) and SIDs. Like Windows NT/2000, Windows XP supports Access Control Lists (ACLs) for the registry. You can use ACLs to protect registry keys. An ACL is, in effect, a database that holds information on access rights to individual operating system objects (in our case, the objects are registry keys).

 

Notice that in Windows NT/2000 only Regedt32.exe provided access to the ACL for the registry keys. The Regedit.exe version supplied with Windows NT/2000 didn't provide this capability. As compared to Windows NT/2000, Windows XP also provides an improvement in this area. The Regedit.exe version included with this new release now integrates its traditional strong points with the functionality that was earlier available only in Regedt32.exe, including, of course, access to the ACLs and auditing registry key access. Detailed, step-by-step instructions on setting access rights to the registry keys were provided in Chapter 3. In this chapter, we'll concentrate on practical tips rather than administrative operations.

First of all, we'll specify the registry keys that have to be secured in order to secure and protect the whole registry.

 

When you're working with Windows XP Professional as part of a workgroup or in a standalone environment, and you have administrator rights to your computer, you'll have access to all of the operating system's security features. If your Windows XP Professional-equipped computer is a part of a domain, your options will be determined by the policies set by the IT administrator.

Standard Access Rights in Windows XP

Standard security settings in Windows XP are defined by default access rights that are set for the following built-in local security groups:

  • Administrators. Similarly to Windows 2000, members of the Administrators group have full control of the local computer. They can create or delete user accounts and modify permissions for users and resources. Notice that, by default, this group will include the first user account created when you perform a clean installation of the operating system. If you are performing an upgrade from an earlier Windows NT/2000 version, this group will include existing members of the Administrators group. If your Windows XP computer joins a domain, this group will also include the members of the domain Administrators group.

    Note 

    It is strongly recommended that you limit the number of users who belong to the Administrators group, no matter what system you are running—Windows NT/2000 or Windows XP. The reason for this tip is straightforward—the greater the number of members in the Administrators group, the more vulnerable your system will be, because all these accounts (especially if they aren't properly protected with strong passwords) can potentially be used to gain unauthorized access to a computer.

  • Power Users. Similarly to Windows 2000, this group has fewer rights than Administrators; but at the same time, they have wider access rights and permissions than the Users group. By default, members of this group have Read/Write permissions to other parts of the operating system in addition to their own user profiles. Security settings for this group are similar to the settings that existed in Windows NT 4.0 for the Users group. In Windows 2000 and Windows XP, Power Users can install applications that can later be run by all users, including the Users group. They perform limited sets of administrative tasks, including setting the system date and time, specifying the screen setting, installing printers and configuring power management. Members of this group can also run non-certified applications that will not run successfully under the Users group. When computers running Windows NT 4.0 are upgraded to Windows XP, all users are added to the Power Users group.

  • Users. As with Windows 2000, when you install a new copy of the Windows XP operating system (instead of upgrading from a previous version) on the NTFS partition, the standard settings of the security subsystem are configured so that the users from this group can't break the integrity of the operating system and installed applications. For example, users have Read/Write access only to their own user profiles, they can't modify registry settings that influence the whole configuration or change the operating system files. Users belonging to this group have no rights to install applications that can be used by others in this group (this is one of the measures used to protect against worms and Trojans). Microsoft also recommends that you include all end users into the Users group to protect your system integrity. Each application needed for everyday work must be installed by Administrators or Power Users. Members of the Users group can't install most legacy applications. Typically, only applications that are certified for Windows XP run successfully under the secure Users context. With regard to the applications certified for use with Windows 2000, users might need to have Power Users privileges; therefore, it is necessary to test all your applications at the privilege levels of the users who need to run them.

  • Guests. Default Windows XP security settings deny access to the application and system event logs for the members of the Guests group. In all other aspects, members of the Guests group have the same access rights as members of the Users group. This allows occasional or one-time users to log on to a workstation's built-in Guest account and be granted limited abilities. Members of the Guests group can also shut down the system.

  • Backup Operators. Members of this group can back up and restore files on the computer, regardless of the permissions that protect those files. They can also log on to the computer and shut it down, but they cannot change security settings.

  • Replicators. Members of this group are allowed to replicate files across a domain.

  • Network Configuration Operators. Members of this group have limited administrative privileges that allow them to configure networking features, such as IP address assignment.

  • HelpServicesGroup. Members of this group can utilize helper applications to diagnose system problems. This account can be used by members of Microsoft Help and Support Services to access the computer from the network and to log on locally.

  • Remote Desktop Users. Members of this group have the right to log on locally.

     

    As mentioned earlier, if your Windows XP Professional-based computer participates in a domain, your options will be determined by the security policies set by the domain administrator. Domain controllers contain local versions of all groups listed above and a number of additional server-specific built-in groups.

Default Access Rights to the Windows 2000 and Windows XP File System Objects and Registry Keys

Standard security settings are specified by Security Configuration Manager during the operating system installation when the GUI setup starts. If you perform a clean installation of Windows XP, the %SystemRoot%\inf\defltwk.inf security template will be used (notice that upgrades from Windows 9x platforms are treated as clean installs). If you are upgrading from Windows NT/2000, Security Configuration Manager will use the %SystemRoot%\inf\DWUp.inf security template.

Notice that security settings for the file system objects can be set only if you choose to install Windows 2000 or Windows XP on the NTFS partition, and are unavailable with the FAT or FAT32 file systems.

As was already discussed, for standalone computers or computers participating in a workgroup, users belonging to the Administrators group have unlimited access to all file system and registry objects. Users and Power Users have a more restricted set of access rights. Access rights to the file system objects assigned by default to the Users and Power Users groups are listed in Table 9.1. These standard access rights to the file system objects are assigned to Power Users and Users groups only if you install Windows 2000/XP fresh on the NTFS partition. If not mentioned specifically, access rights specified in the table are applicable to the directory, all subdirectories, and files.

Table 9.1: Default Windows 2000/XP Access Rights to File System Objects

| File system object | Default access rights for Power Users | Default access rights for Users |
|---|---|---|
| c:\boot.ini | RX | None |
| c:\ntdetect.com | RX | None |
| c:\ntldr | RX | None |
| c:\ntbootdd.sys | RX | None |
| c:\autoexec.bat | Modify | RX |
| c:\config.sys | Modify | RX |
| \ProgramFiles | Modify | RX |
| %SystemRoot% | Modify | RX |
| %SystemRoot%\*.* | RX | RX |
| %SystemRoot%\config\*.* | RX | RX |
| %SystemRoot%\cursors\*.* | RX | RX |
| %SystemRoot%\Temp | Modify | Synchronize, Traverse, Add File, Add Subdir |
| %SystemRoot%\repair | Modify | List |
| %SystemRoot%\addins | Modify (directories and subdirectories); RX (files) | RX |
| %SystemRoot%\Connection Wizard | Modify (directories and subdirectories); RX (files) | RX |
| %SystemRoot%\fonts\*.* | RX | RX |
| %SystemRoot%\help\*.* | RX | RX |
| %SystemRoot%\inf\*.* | RX | RX |
| %SystemRoot%\java | Modify (directories and subdirectories); RX (files) | RX |
| %SystemRoot%\media\*.* | RX | RX |
| %SystemRoot%\msagent | Modify (directories and subdirectories); RX (files) | RX |
| %SystemRoot%\security | RX | RX |
| %SystemRoot%\speech | Modify (directories and subdirectories); RX (files) | RX |
| %SystemRoot%\system\*.* | Read, Execute | RX |
| %SystemRoot%\twain_32 | Modify (directories and subdirectories); RX (files) | RX |
| %SystemRoot%\Web | Modify (directories and subdirectories); RX (files) | RX |
| %SystemDir% | Modify | RX |
| %SystemDir%\*.* | RX | RX |
| %SystemDir%\config | List | List |
| %SystemDir%\dhcp | RX | RX |
| %SystemDir%\dllcache | None | None |
| %SystemDir%\drivers | RX | RX |
| %SystemDir%\CatRoot | Modify (directories and subdirectories); RX (files) | RX |
| %SystemDir%\ias | Modify (directories and subdirectories); RX (files) | RX |
| %SystemDir%\mui | Modify (directories and subdirectories); RX (files) | RX |
| %SystemDir%\OS2\*.* | RX | RX |
| %SystemDir%\OS2\DLL\*.* | RX | RX |
| %SystemDir%\RAS\*.* | RX | RX |
| %SystemDir%\ShellExt | Modify (directories and subdirectories); RX (files) | RX |
| %SystemDir%\Viewers\*.* | RX | RX |
| %SystemDir%\wbem | Modify (directories and subdirectories); RX (files) | RX |
| %SystemDir%\wbem\mof | Modify | RX |
| %UserProfile% | Full Control | Full Control |
| All Users | Modify | Read |
| All Users\Documents | Modify | Read, Create File |
| All Users\Application Data | Modify | Read |

Here: %SystemDir% is the %SystemRoot%\System32 folder, RX means "Read and Execute", and the *.* mark specifies all the files contained within the current directory (but not other nested directories).

 

Windows XP includes a new root ACL, which is also implemented by the Format and Convert commands. In addition, unlike previous releases, the Security Configuration Manager now secures the root directory during setup if the current root security descriptor grants the Everyone group the Full Control permission. This provides increased security for non-Windows directories. The new Windows XP root ACL is as follows:

  • Administrators, System: Full Control (Container Inherit, Object Inherit)

  • Creator Owner: Full Control (Container Inherit, Object Inherit, Inherit Only)

  • Everyone: Read/Execute (No Inheritance)

  • Users: Read/Execute (Container Inherit, Object Inherit)

  • Users: Create Directory (Container Inherit)

  • Users: Add File (Container Inherit, Inherit Only)

Power Users can write new files into directories (the list is provided below), but can't modify files that were written to these directories during Windows 2000 installation. All members of the Power Users group inherit Modify access to all the files created in these directories by a member of their group.

  • %SystemRoot%

  • %SystemRoot%\Config

  • %SystemRoot%\cursors

  • %SystemRoot%\fonts

  • %SystemRoot%\help

  • %SystemRoot%\inf

  • %SystemRoot%\media

  • %SystemRoot%\system

  • %SystemDir%

  • %SystemDir%\OS2

  • %SystemDir%\OS2\DLL

  • %SystemDir%\RAS

  • %SystemDir%\Viewers

Power Users can write new files to all the directories, subdirectories, and RX files that they have Modify access to (see Table 9.1). All other members of the Power Users group will have Read access to these files.

Table 9.2 lists Windows 2000/XP registry key permissions, assigned by default to members of the Users and Power Users groups. Access rights to an individual registry object are inherited by its child objects, except when the child object itself is listed in this table.

Table 9.2: Windows 2000 Default Registry Key Permissions Assigned to Users and Power Users

| Registry object | Permissions for Power Users | Permissions for Users |
|---|---|---|
| HKEY_LOCAL_MACHINE | | |
| HKLM\Software | Modify | Read |
| HKLM\SW\Classes\helpfile | Read | Read |
| HKLM\SW\Classes\.hlp | Read | Read |
| HKLM\SW\MS\Command Processor | Read | Read |
| HKLM\SW\MS\Cryptography | Read | Read |
| HKLM\SW\MS\Driver Signing | Read | Read |
| HKLM\SW\MS\EnterpriseCertificates | Read | Read |
| HKLM\SW\MS\Non-Driver Signing | Read | Read |
| HKLM\SW\MS\NetDDE | None | None |
| HKLM\SW\MS\Ole | Read | Read |
| HKLM\SW\MS\Rpc | Read | Read |
| HKLM\SW\MS\Secure | Read | Read |
| HKLM\SW\MS\SystemCertificates | Read | Read |
| HKLM\SW\MS\Windows\CV\RunOnce | Read | Read |
| HKLM\SW\MS\W NT\CV\DiskQuota | Read | Read |
| HKLM\SW\MS\W NT\CV\Drivers32 | Read | Read |
| HKLM\SW\MS\W NT\CV\Font Drivers | Read | Read |
| HKLM\SW\MS\W NT\CV\FontMapper | Read | Read |
| HKLM\SW\MS\W NT\CV\Image File Execution Options | Read | Read |
| HKLM\SW\MS\W NT\CV\IniFileMapping | Read | Read |
| HKLM\SW\MS\W NT\CV\Perflib | Read (through Interactive) | Read (through Interactive) |
| HKLM\SW\MS\W NT\CV\SecEdit | Read | Read |
| HKLM\SW\MS\W NT\CV\Time Zones | Read | Read |
| HKLM\SW\MS\W NT\CV\Windows | Read | Read |
| HKLM\SW\MS\W NT\CV\Winlogon | Read | Read |
| HKLM\SW\MS\W NT\CV\AsrCommands | Read | Read |
| HKLM\SW\MS\W NT\CV\Classes | Read | Read |
| HKLM\SW\MS\W NT\CV\Console | Read | Read |
| HKLM\SW\MS\W NT\CV\ProfileList | Read | Read |
| HKLM\SW\MS\W NT\CV\Svchost | Read | Read |
| HKLM\SW\Policies | Read | Read |
| HKLM\System | Read | Read |
| HKLM\SYSTEM\CCS\Control\SecurePipeServers\winreg | None | None |
| HKLM\SYSTEM\CCS\Control\Session Manager\Executive | Modify | Read |
| HKLM\SYSTEM\CCS\Control\TimeZoneInformation | Modify | Read |
| HKLM\SYSTEM\CCS\Control\WMI\Security | None | None |
| HKLM\Hardware | Read (through Everyone) | Read (through Everyone) |
| HKLM\SAM | Read (through Everyone) | Read (through Everyone) |
| HKLM\Security | None | None |
| HKEY_USERS | | |
| USERS\.DEFAULT | Read | Read |
| USERS\.DEFAULT\SW\MS\NetDDE | None | None |
| HKEY_CURRENT_CONFIG | = HKLM\System\CCS\HardwareProfiles\Current | = HKLM\System\CCS\HardwareProfiles\Current |
| HKEY_CURRENT_USER | Full Control | Full Control |
| HKEY_CLASSES_ROOT | = HKLM\SW\Classes | = HKLM\SW\Classes |

Here:

  • HKLM = HKEY_LOCAL_MACHINE

  • SW = Software

  • MS = Microsoft

  • CV = CurrentVersion

  • CCS = CurrentControlSet

  • W NT = Windows NT

File Sharing and Permissions in Windows XP

Like previous releases of Windows NT/2000, Windows XP enables you to share files with other users on your local system and across the network. However, Windows XP Home Edition and Windows XP Professional introduce a new user interface known as Simple File Sharing (Fig. 9.3), and also include a new Shared Documents feature, which we will consider here in detail.

Fig. 9.3: The Simple File Sharing user interface

Simple File Sharing is enabled by default for computers running Windows XP Home Edition and for Windows XP Professional-based computers that participate in a workgroup. The interesting point, however, is that if you start in Safe mode, the classic ACL editor is displayed instead of Simple File Sharing. Also, if you join your Windows XP Professional-based computer to a domain, only the classic Windows 2000-style file sharing and security interface will be available.

However, you can disable the Simple File Sharing UI by simply starting the Folder Options applet in Control Panel, navigating to the View tab and clearing the Use Simple File Sharing (Recommended) checkbox.

Note 

If you disable Simple File Sharing, you'll get more control over the permissions to individual users. Notice, however, that in this case you must have advanced knowledge of NTFS and share permissions to keep your folders and files secure. Also note that the Shared Documents feature is not turned off by disabling the Simple File Sharing.

The tip explaining how to disable Simple File Sharing was already provided in Chapter 4. Here, we are going to concentrate on the new security features introduced with Windows XP, including levels of access permissions, which, by the way, are poorly documented in the on-line Help system.

Windows XP allows for five different levels of permissions, and this configuration is not affected when you enable or disable the Simple File Sharing feature. Permission levels provided by Windows XP are listed below:

  • Level 1: My Documents (Private). This is the most private and secure setting. This level is available only to a user who is logging on locally. The owner of the file or folder has read and write permission to the file or folder. Nobody else may read or write to the folder or the files in it. All subfolders that are contained within a folder that is marked as private remain private unless you change the parent folder permissions. If you are a Computer Administrator and you create a user password for your account by using the User Accounts Control Panel tool, you are prompted to make your files and folder private.

    Note 

    The option to make a folder private (Level 1) is only available to a user account in its own My Documents folder. To configure a folder and all of the files in it to Level 1, right-click the folder, then click Sharing and Security, then set the Make this Folder Private checkbox and click OK. When you make a folder private, it will have the following local NTFS permissions: Owner—Full Control, System—Full Control. The folder is not shared across the network.

  • Level 2: Default sharing. Files stored in My Documents folders are at this level by default. Level 2 folders are available only to a user who logs on locally. The owner of the file or folder and local Computer Administrators have read and write permission, and no other user can read or write to the folder or the files in it. This is the default setting for all of the folders and files in each user's My Documents folder. To configure a folder and all of the files in it to Level 2, right-click the folder, go to the Sharing and Security tab, and ensure that both the Make this Folder Private and the Share this folder on the network check-boxes are cleared, and then click OK. When you configure the folder at Level 2, the following local NTFS permissions are set: Owner—Full Control, Administrators—Full Control, System—Full Control, the folder is not shared across the network.

  • Level 3: Files in shared documents available to local users. To configure Level 3, simply copy a file or folder into the Shared Documents folder under My Computer. Level 3 folders are available only to a user who is logging on locally. When you configure a folder at Level 3, the files are shared with users who log on locally. Local Administrators will be able to read, write, and delete the files in such folders, while restricted users will be able only to read the files. The Power Users group is only available in Windows XP Professional. Remote users cannot access folders or files at Level 3. When you configure the folder to Level 3, the following local NTFS permissions will be set: Owner—Full Control, Administrators—Full Control, Power Users—Change, Restricted Users—Read, System—Full Control. The folder will not be shared across the network.

  • Level 4: Shared Files on the Network (Readable by Everyone). Level 4 folders are available both to the users who log on locally and to the users who log on via the network. Files are shared for everyone to read on the network. All local users, including the Guest account, can read the files, but they cannot modify the contents. Any user that can connect to your computer on the network is able to read and change your files. To configure a folder and all of the files in it to Level 4, right-click the folder, select Sharing and Security, click to select the Share this folder on the network checkbox, but don't set the Allow network users to change my files check box. When you configure the folder at Level 4, the following local NTFS permissions will be set: Owner—Full Control, Administrators—Full Control, System—Full Control, Everyone—Read. The folder will be shared across the network with the following network share permissions: Everyone—Read.

  • Level 5: Shared Files on the Network (Readable and Writable by Everyone)—the most public and changeable (non-secure) setting. Level 5 folders are available both to the users who log on locally and to the users who log on via the network. This level is recommended only for a closed protected network that has a firewall configured. All local users, including the Guest account, can read and modify the files as well. To configure a folder and all of the files in it to Level 5, right-click the folder, select Sharing and Security, then set the Share this folder on the network and Allow network users to change my files checkboxes. When you configure the folder at Level 5, the following local NTFS permissions will be set: Owner—Full Control, Administrators—Full Control, System—Full Control, Everyone—Change. The folder will be shared across the network, and the Everyone group will have Full Control access to it.

Note 

Users who log on locally include a user who logs on to a Windows XP Professional-based computer from a Remote Desktop (RDP) session.

Levels of permissions provided by Windows XP are described in Table 9.3.

Table 9.3: Levels of Permissions Provided by Windows XP

| Access Level | Everyone (NTFS/File) | Owner | System | Administrators | Everyone (Share) |
|---|---|---|---|---|---|
| Level 1 | Not available | Full Control | Full Control | Not available | Not available |
| Level 2 | Not available | Full Control | Full Control | Full Control | Not available |
| Level 3 | Read | Full Control | Full Control | Full Control | Not available |
| Level 4 | Read | Full Control | Full Control | Full Control | Read |
| Level 5 | Change | Full Control | Full Control | Full Control | Full Control |

Note 

All NTFS permissions that refer to the Everyone group include the Guest account. All of the levels that are described above are mutually exclusive. Private folders (Level 1) cannot be shared unless they are no longer private. Shared folders (Level 4 and 5) cannot be made private until they are unshared. If you create a folder in the Shared Documents folder (Level 3), share it on the network, and then allow network users to change your files (Level 5), the permissions for Level 5 are effective for the folder, the files in that folder, child folders, and so on.

Advanced users should note that NTFS permissions are not maintained on file move operations when you use Windows Explorer with Simple File Sharing enabled.

If you enable and disable Simple File Sharing, the permissions on files are not changed. The NTFS and share permissions do not change until you change the permissions in the interface. If you set the permissions with Simple File Sharing enabled, only Access Control Entries (ACEs) on files that are used for Simple File Sharing are affected. The following ACEs in the Access Control List (ACL) of the files or folders are affected by the Simple File Sharing interface:

  • Owner

  • Administrators

  • Everyone

  • System

Registry Setting to Show the Classic Security UI

When security settings are set in Windows XP, the following registry key is used (Fig. 9.4):

 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa 

Fig. 9.4: The contents of the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa registry key

Find the forceguest value with the REG_DWORD data type. This value entry can take the values of 1 (force guests on) or 0 (force the guests off), which influences the behavior of the Sharing UI and the ACL editor.

The default value for the ForceGuest registry entry and its influence on the Sharing UI and ACL editor behavior are shown in Table 9.4.

Table 9.4: Influence of the ForceGuest Registry Value on the Sharing UI and ACL Editor Behavior

| Operating system and mode | ForceGuest | Sharing UI | ACL editor |
|---|---|---|---|
| Windows XP Home Edition | 1 (no choice) | Simple | Not available |
| Windows XP Home Edition in Safe mode | 1 (no choice) | Classic | Available |
| Windows XP Professional | 0[*] | Classic | Available |
| Windows XP Professional | 1 | Simple | Not available |
| Windows XP Professional in Safe mode | 0 | Classic | Available |
| Windows XP Professional in Safe mode | 1 | Classic | Available |

[*]Windows XP Professional defaults to normal authentication but supports the Log on as Guest option. For example, if the computer is upgraded from Windows XP Home Edition, Microsoft Windows 95, Microsoft Windows 98, and Microsoft Windows 98 Second Edition, Windows XP Professional uses the Guest if in a workgroup option by default.

Note 

You cannot share a folder that is located in My Documents after you configure the simple Sharing and Security setting to Only I have access to this folder. When security is set for the parent folder, security is set on all child folders; security settings cannot be changed from the child folders.

The Most Important Windows NT/2000/XP Registry Keys that Need Protection

Microsoft officially recommends that system administrators restrict user access to certain subkeys under HKEY_LOCAL_MACHINE\SOFTWARE. The purpose of this restriction is to prevent unauthorized access to the software settings.

Note 

Microsoft officially recommends that system administrators restrict user access to the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion.

For the Everyone group, it's sufficient to have the Query Value, Enumerate Subkeys, Notify and Read Control rights to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion registry key and the following subkeys under this key: AeDebug, Compatibility, Drivers, Embedding, Font Drivers, FontCache, FontMapper, Fonts, FontSubstitutes, GRE_Initialize, MCI, MCI Extensions, Ports (and all its subkeys), Type 1 Installer, Windows 3.1 MigrationStatus (and all its subkeys), wow (and all its subkeys).

The same set of access rights (Query Value, Enumerate Subkeys, Notify and Read Control) needs to be assigned to the Everyone group for the Uninstall, Run, and RunOnce subkeys under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion.

Microsoft also recommends that you restrict user access to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib key, which stores the data that governs system performance. In Windows NT 4.0, the Everyone group by default has Read access to this key (it's recommended that you delete this group from the Perflib ACL). As shown in Fig. 9.5, this key can be accessed only by the operating system (System), the user who created the key (Creator Owner), and system administrators and users who've logged on to the system interactively (Interactive).

Fig. 9.5: Restricting access to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib registry key

The Everyone group has restricted access rights (only Query Value, Enumerate Subkeys, Notify and Read Control) to other registry keys, including HKEY_CLASSES_ROOT root key and all its subkeys, and for the HKEY_USERS\.DEFAULT key. By protecting these keys, you protect important system settings from changes (for example, this will prevent users from changing the filename extension associations or specifying new security settings for Internet Explorer).

Furthermore, it's necessary to restrict the Everyone group access to keys such as HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UPS. The Everyone group only needs the following rights to these keys: Query Value, Enumerate Subkeys, Notify and Read Control. By setting these restrictions, you'll prevent unauthorized access to shared system resources and the use of the ImagePath setting under the UPS key for starting undesirable software. Only the operating system (System) and members of the Administrators group need Full Control access to these keys.

Finally, pay close attention to the Run, RunOnce, and RunOnceEx registry keys under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion. For example, the system runs all the programs listed under the RunOnceEx key only once, and then deletes the settings specifying the starting parameters for these programs. It's easy to see that these registry settings may allow users to run undesirable software on the local computer. Thus, Full Control access to this key should only be provided to the operating system (System) and members of the Administrators group.
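One way to check the recommendation made in this section, as an added example that is not from the book: the code parses the DACL of a key from its SDDL string and reports any rights granted to Everyone beyond Query Value, Enumerate Subkeys, Notify and Read Control. The SDDL strings are constructed samples, the function names are illustrative, and deny ACEs are ignored for simplicity.

```python
import re

# Registry access-mask bits (winnt.h) with the names shown in the ACL editor.
RIGHT_NAMES = {
    0x00001: "Query Value",
    0x00002: "Set Value",
    0x00004: "Create Subkey",
    0x00008: "Enumerate Subkeys",
    0x00010: "Notify",
    0x00020: "Create Link",
    0x10000: "Delete",
    0x20000: "Read Control",
    0x40000: "Write DAC",
    0x80000: "Write Owner",
}
KEY_READ = 0x20019        # Query Value | Enumerate Subkeys | Notify | Read Control
KEY_WRITE = 0x20006       # Set Value | Create Subkey | Read Control
KEY_ALL_ACCESS = 0xF003F

# Two-letter SDDL rights tokens. The generic tokens are mapped the way the
# registry maps them; CC..WP are the low six bits of the access mask.
SDDL_RIGHTS = {
    "KA": KEY_ALL_ACCESS, "KR": KEY_READ, "KW": KEY_WRITE, "KX": KEY_READ,
    "GA": KEY_ALL_ACCESS, "GR": KEY_READ, "GW": KEY_WRITE, "GX": KEY_READ,
    "RC": 0x20000, "SD": 0x10000, "WD": 0x40000, "WO": 0x80000,
    "CC": 0x01, "DC": 0x02, "LC": 0x04, "SW": 0x08, "RP": 0x10, "WP": 0x20,
}
GENERIC_BITS = {0x10000000: KEY_ALL_ACCESS, 0x80000000: KEY_READ,
                0x40000000: KEY_WRITE, 0x20000000: KEY_READ}

# In the account field of an ACE, "WD" is the alias for Everyone (S-1-1-0).
EVERYONE = {"WD", "S-1-1-0"}


def parse_rights(field):
    """Turn the rights field of an SDDL ACE into a registry access mask."""
    if field[:2].lower() == "0x":
        mask = int(field, 16)
        for generic, specific in GENERIC_BITS.items():
            if mask & generic:
                mask = (mask & ~generic) | specific
        return mask
    if len(field) % 2:
        raise ValueError("malformed rights field: %r" % field)
    mask = 0
    for i in range(0, len(field), 2):
        token = field[i:i + 2]
        if token not in SDDL_RIGHTS:
            raise ValueError("unknown rights token: %r" % token)
        mask |= SDDL_RIGHTS[token]
    return mask


def dacl_aces(sddl):
    """Return the ACEs of the D: (DACL) component as dictionaries."""
    match = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    if not match:
        return []
    aces = []
    for body in re.findall(r"\(([^()]*)\)", match.group(1)):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError("malformed ACE: %r" % body)
        aces.append({"type": fields[0], "flags": fields[1],
                     "mask": parse_rights(fields[2]), "sid": fields[5]})
    return aces


def excess_rights_for_everyone(sddl):
    """Names of rights allowed to Everyone beyond the recommended set."""
    granted = 0
    for ace in dacl_aces(sddl):
        if ace["type"] == "A" and ace["sid"] in EVERYONE:
            granted |= ace["mask"]
    excess = granted & ~KEY_READ
    return [name for bit, name in sorted(RIGHT_NAMES.items()) if excess & bit]


def audit(acls):
    """Map each key whose DACL is too permissive to its excess rights."""
    findings = {}
    for key, sddl in acls.items():
        excess = excess_rights_for_everyone(sddl)
        if excess:
            findings[key] = excess
    return findings


# Constructed sample DACLs for keys named in this section.
SAMPLE_ACLS = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run":
        "O:BAG:SYD:PAI(A;CI;KA;;;SY)(A;CI;KA;;;BA)(A;CI;KR;;;WD)",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce":
        "O:BAG:SYD:AI(A;CI;KA;;;SY)(A;CI;KA;;;BA)(A;CI;CCDCLCSWRPSDRC;;;WD)",
    r"HKLM\SYSTEM\CurrentControlSet\Services\UPS":
        "O:BAG:SYD:(A;;0xf003f;;;S-1-1-0)(A;;KA;;;SY)",
}

if __name__ == "__main__":
    for key, excess in audit(SAMPLE_ACLS).items():
        print(key, "-> Everyone also has:", ", ".join(excess))
```

On a system with PowerShell, the SDDL string for a key can be read with `(Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run').Sddl` and passed to `excess_rights_for_everyone`.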

Note 

It's necessary to mention one more registry key, which is also very important in terms of security. When you work with the Remote Access Service (RAS), the system sometimes displays dialogs prompting you to enter a login name and password. These dialogs often contain checkboxes, which allow you to save the password (for example, Save This Password or Remember This Password). Although this feature is very convenient for end users, it can possibly be very dangerous, because the passwords are stored in such a way that they can be easily retrieved by the system (and, for that matter, by anyone else). This is especially important for those of you working with laptops and other portable computers, because if your machine is lost or stolen, the person who finds (or steals) it will have access to all your networks.

The easiest method of protecting yourself against this risk is to disable the feature for saving RAS passwords on RAS clients. Open the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters key and add the REG_DWORD setting named DisableSavePassword. Now the system won't prompt you to save your RAS password.



Windows XP Registry