Locking Down the Operating System


The Microsoft Windows 2000 and Microsoft Windows XP operating systems allow administrators to set permissions-restricted access to the registry. Restricting access to the registry allows administrators to maintain the configuration of the computer, so that one user cannot create confusion for other users by installing, modifying, or removing applications without their knowledge or permission.

Administrators can lock the registry by using the regedit.exe or regedt32.exe utilities available with Windows 2000 or Windows XP. Administrators can apply permissions-restricted access to the HKLM or HKCU nodes of the registry to block changes to these sections of the registry, thereby preventing users who do not have the correct permissions to the registry from adding or removing applications that require the writing or editing of registry entries.

Locking the registry affects all applications that store information in the registry, including Microsoft Office 2003 applications. Administrators who attempt to make changes to the configuration of the registry, whether to registry settings or to the permissions on the various nodes or branches, should diligently test and evaluate their changes on a test computer prior to rolling them out to users. Untested registry changes can produce unexpected results when they are implemented.

If needed, it is possible to be more granular in your approach. Instead of locking down the entire node in the registry, it is possible to apply permission-restricted access to specific keys or subnodes of the registry, thereby opening some sections of the registry for writing, editing, or deletion.

If you wish to specifically lock the entire operating system (freeze a configuration), set the highest level nodes to permission-restricted access. If you want users to have the ability to add or remove specific applications, but not be able to make changes to the operating system, set permissions to the system nodes in the appropriate branches of the registry tree. For example, to lock the system-related nodes, set permissions to HKLM\System or HKCU\System, or both. Locking just these nodes does not lock down all of the possible operating system–related registry entries; however, it does cover the majority of entries available to users.

To remove any doubt about whether a section of the registry is locked down, lock the highest-level nodes (HKLM and HKCU).

Because permission-restricted access to the registry depends on Windows NT authorization of an existing user account, locking down the system also requires maintaining user IDs, passwords, and user accounts on a regular basis.
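As an added example that is not part of the Resource Kit, the following PowerShell script audits which principals hold write-class rights on the system nodes named above and then applies permissions-restricted access to a single test subkey, in the granular manner the text describes. PowerShell is used here in place of the regedit.exe/regedt32.exe GUI tools the text names; it assumes an elevated session on a Windows host, and the key HKCU:\Software\ExampleLockedKey is a constructed name, not a real product path.

```powershell
# Rights that let a principal change a key or its values (anything beyond read access).
$WriteRights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
               [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
               [System.Security.AccessControl.RegistryRights]::Delete -bor
               [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
               [System.Security.AccessControl.RegistryRights]::TakeOwnership

# Principals expected to hold write access; any other principal with write rights is reported.
$TrustedPrincipals = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER')

function Get-RegistryWriteAccess {
    param([Parameter(Mandatory)][string]$Path)   # registry provider path, e.g. 'HKLM:\SYSTEM'
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        # Only Allow entries that include at least one write-class right are of interest.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.RegistryRights -band $WriteRights) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.RegistryRights
            Inherited = $ace.IsInherited
            Trusted   = $TrustedPrincipals -contains $ace.IdentityReference.Value
        }
    }
}

# Audit the system-related nodes named in the text and list untrusted writers.
'HKLM:\SYSTEM', 'HKCU:\SYSTEM' |
    ForEach-Object { Get-RegistryWriteAccess -Path $_ } |
    Where-Object { -not $_.Trusted } |
    Format-Table -AutoSize

# Granular lock: restrict one subkey only, leaving the rest of the branch untouched.
# HKCU:\Software\ExampleLockedKey is a constructed test key for this example.
$TestKey = 'HKCU:\Software\ExampleLockedKey'
New-Item -Path $TestKey -Force | Out-Null
$acl = Get-Acl -Path $TestKey
$acl.SetAccessRuleProtection($true, $false)          # stop inheriting; drop inherited ACEs
foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
$acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule(
    'BUILTIN\Administrators', 'FullControl', 'ContainerInherit', 'None', 'Allow')))
$acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule(
    'BUILTIN\Users', 'ReadKey', 'ContainerInherit', 'None', 'Allow')))
Set-Acl -Path $TestKey -AclObject $acl

# Re-audit: only BUILTIN\Administrators should now appear with write-class rights.
Get-RegistryWriteAccess -Path $TestKey | Format-Table -AutoSize
```

Run the audit portion first on a test computer, as the text advises, and review its output before applying any ACL change to a production key.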

Terminal Services

A locked-down configuration is implemented by default when Terminal Services is enabled on either Windows 2000 or Windows XP. Terminal Services is a term applied to operating systems that provide remote multiuser access, so that more than one user can use the system simultaneously. Because these operating systems allow multiple users to log on at the same time through remote communication links, configuration control problems arise if every user is allowed to change the configuration of the computer at any time. Therefore, a locked-down configuration is implemented by default for Terminal Services–enabled systems.

A Terminal Services installation locks down the two branches of the registry named HKEY_CURRENT_USER (HKCU) and HKEY_LOCAL_MACHINE (HKLM). These two branches of the registry must be locked to help prevent all users, except administrators, from making changes to the registry. Implementing this restrictive action helps to give control of the configuration of the operating system to the administrator.

Locking the registry branches forces more frequent monitoring of the system by administrators, since users are not allowed to make configuration changes to the computer on their own. Administrators should review the system and make the necessary changes on a scheduled basis. If the administrator cannot perform the necessary review and maintenance of Terminal Services, they should consider relaxing some of the restrictions or granting one local user administrative access so he or she can manage the addition or removal of software according to the needs of all users.




Microsoft Office 2003 Resource Kit 2003
Microsoft Office 2003 Editions Resource Kit (Pro-Resource Kit)
ISBN: 0735618801
Year: 2004
Pages: 196