How to Restrict Access to the Registry from a Remote Computer
The information in this article applies to:
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Datacenter Server
Microsoft Windows NT Workstation 3.51
Microsoft Windows NT Workstation 4.0
Microsoft Windows NT Server 3.51
Microsoft Windows NT Server 4.0
This article was previously published under Q153183
IMPORTANT:
This article contains information about modifying the registry. Before you
modify the registry, make sure to back it up and make sure that you
understand how to restore the registry if a problem occurs.
SUMMARY
Registry Editor supports remote access to
the Windows Registry; however, you can also restrict this access.
MORE INFORMATION
By default, on a Windows NT 3.51 system any user can access the registry
when connecting over the network. On a Windows NT 4.0 system and later, by
default only members of the Administrators group can access the registry
over the network.
NOTE: Some services need access to the registry to function
correctly. For example, if you add this key to a 3.51 system that is
running Directory Replication, it is necessary to grant the Replicator
account access to the registry as described later in this article.
Restricting Network Access to the Registry
WARNING:
If you use Registry Editor incorrectly, you may cause serious problems
that may require you to reinstall your operating system. Microsoft cannot
guarantee that you can solve problems that result from using Registry
Editor incorrectly. Use Registry Editor at your own risk.
NOTE: In Windows 2000 and later, only Administrators and Backup
Operators have default network access to the registry. This section may
not apply in certain instances. To restrict network access to the
registry, follow the steps listed below to create the following Registry
key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
Description: REG_SZ
Value: Registry Server
The Security permissions set on this key
define what Users or Groups can connect to the system for remote Registry
access. The default Windows installation defines this key and sets the
Access Control List to restrict remote registry access as follows:
Administrators have Full Control
The default configuration for Windows
permits only Administrators remote access to the Registry. Changes to this
key to allow users remote registry access require a system reboot to take
effect.
To create the registry key to restrict access to the registry:
1. Start Registry Editor (Regedt32.exe) and go to the following subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
2. On the Edit menu, click Add Key.
3. Enter the following values:
Key Name: SecurePipeServers
Class: REG_SZ
4. Go to the following subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers
5. On the Edit menu, click Add Key.
6. Enter the following values:
Key Name: winreg
Class: REG_SZ
7. Go to the following subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
8. On the Edit menu, click Add Value.
9. Enter the following values:
Value Name: Description
Data Type: REG_SZ
String: Registry Server
10. Go to the following subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
11. Select "winreg". Click Security and then click Permissions. Add the
users or groups to which you want to grant access.
12. Exit Registry Editor and restart Windows.
13. If you later want to change the list of users that can access the
registry, repeat steps 10-12.
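The same procedure (steps 1-12) scripted in PowerShell, as an added example that is not part of the original article. It creates the SecurePipeServers\winreg key and its Description value, replaces the key's ACL with an explicit one that grants Administrators Full Control (plus the Windows 2000 Backup Operators read entry the article mentions), and reports who holds remote registry access afterwards. It assumes an elevated session on the machine being hardened; the function names and the $WinRegKey variable are this example's own.

```powershell
# Added example, not from the KB article. Assumes an elevated PowerShell
# session on the target machine; function and variable names are ours.

$WinRegKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'

function New-WinRegKey {
    # Steps 1-9: create SecurePipeServers\winreg (New-Item -Force is
    # idempotent, so an existing default key is left in place) and the
    # Description value.
    $null = New-Item -Path $WinRegKey -Force
    $null = New-ItemProperty -Path $WinRegKey -Name 'Description' `
        -PropertyType String -Value 'Registry Server' -Force
}

function Set-WinRegPermissions {
    param(
        # Accounts allowed to connect; the defaults follow the article
        # (Administrators, and Backup Operators read on Windows 2000 and later).
        [hashtable]$Grants = @{
            'BUILTIN\Administrators'   = 'FullControl'
            'BUILTIN\Backup Operators' = 'ReadKey'
        }
    )
    # Steps 10-11: replace the ACL on "winreg" with an explicit, non-inherited
    # one so that nothing inherited from Control\ widens remote access.
    $acl = Get-Acl -Path $WinRegKey
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting, drop inherited ACEs
    foreach ($ace in @($acl.Access)) { $null = $acl.RemoveAccessRule($ace) }
    foreach ($account in $Grants.Keys) {
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $account, $Grants[$account], 'ContainerInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $WinRegKey -AclObject $acl
}

function Get-WinRegAccess {
    # Audit helper: lists every principal with an Allow ACE on winreg, which
    # is exactly the set of accounts that can open the registry remotely.
    $acl = Get-Acl -Path $WinRegKey
    $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        Select-Object IdentityReference, RegistryRights
}

New-WinRegKey
Set-WinRegPermissions
Get-WinRegAccess
# Step 12: as the article states, the new ACL takes effect after a reboot.
```

Get-WinRegAccess is worth running on its own as a periodic check: any entry besides the groups you granted means the restriction has drifted.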
Bypassing the Access Restriction
Some services need remote access to the
registry to function correctly. For example, the Directory Replicator
service and the Spooler service when connecting to a printer over the
network require access to the remote registry.
You can either add the account name that the service is running under to
the access list of the "winreg" key, or you can configure Windows to
bypass the access restriction to certain keys by listing them in the
Machine or Users value under the AllowedPaths key.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths
Value: Machine
Value Type: REG_MULTI_SZ - Multi string
Default Data:
System\CurrentControlSet\Control\ProductOptions
System\CurrentControlSet\Control\Print\Printers
System\CurrentControlSet\Services\Eventlog
Software\Microsoft\Windows NT\CurrentVersion
System\CurrentControlSet\Services\Replicator
Valid Range: A valid path to a location in the registry.
Description: Allow machines access to the listed locations in the registry
provided that no explicit access restrictions exist for that location.
Value: Users
Value Type: REG_MULTI_SZ - Multi string
Default Data: (None)
Valid Range: A valid path to a location in the registry.
Description: Allow users access to the listed locations in the registry
provided that no explicit access restrictions exist for that location.
Changed slightly in Windows 2000 and later:
Value: Machine
Value Type: REG_MULTI_SZ - Multi string
Default Data:
System\CurrentControlSet\Control\ProductOptions
System\CurrentControlSet\Control\Print\Printers
System\CurrentControlSet\Control\Server Applications
System\CurrentControlSet\Services\Eventlog
Software\Microsoft\Windows NT\CurrentVersion
Value: Users - Does not exist by default.
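Because every path in AllowedPaths\Machine is reachable through the remote registry without passing the "winreg" ACL, the list is worth auditing as well as editing. The following PowerShell is an added example, not code from the article: it reads the Machine value, compares it against a baseline (the NT 4.0 default data listed above, which includes the Replicator path), and appends the Directory Replicator path only if it is missing. It assumes an elevated session and that the Machine value exists; $Expected is the baseline you consider correct for the system (use the Windows 2000 list instead where that applies). Function and variable names are this example's own.

```powershell
# Added example, not from the KB article. Assumes an elevated session;
# names below are ours, the paths are the article's.

$AllowedPathsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths'

function Get-AllowedMachinePaths {
    # REG_MULTI_SZ comes back as string[]; treat an absent value as empty.
    $item = Get-ItemProperty -Path $AllowedPathsKey -Name 'Machine' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return @() }
    return @($item.Machine)
}

function Compare-AllowedMachinePaths {
    param([Parameter(Mandatory)][string[]]$Expected)
    # Anything not in the baseline bypasses the winreg ACL for remote callers,
    # so report it for review instead of silently accepting it.
    # -contains / -notcontains are case-insensitive, matching registry paths.
    $current = Get-AllowedMachinePaths
    [pscustomobject]@{
        Missing    = @($Expected | Where-Object { $current -notcontains $_ })
        Unexpected = @($current  | Where-Object { $Expected -notcontains $_ })
    }
}

function Add-AllowedMachinePath {
    param([Parameter(Mandatory)][string]$Path)
    # Append one path to the Machine list, keeping the value a REG_MULTI_SZ.
    $current = Get-AllowedMachinePaths
    if ($current -contains $Path) { return $current }
    $updated = $current + $Path
    Set-ItemProperty -Path $AllowedPathsKey -Name 'Machine' -Value $updated -Type MultiString
    return $updated
}

# Baseline: the NT 4.0 default data from the article.
$Expected = @(
    'System\CurrentControlSet\Control\ProductOptions',
    'System\CurrentControlSet\Control\Print\Printers',
    'System\CurrentControlSet\Services\Eventlog',
    'Software\Microsoft\Windows NT\CurrentVersion',
    'System\CurrentControlSet\Services\Replicator'
)

Compare-AllowedMachinePaths -Expected $Expected
# Grant the Directory Replicator service its path without touching the winreg ACL.
Add-AllowedMachinePath -Path 'System\CurrentControlSet\Services\Replicator'
```

Adding a path here is the narrower of the two options the article offers: it exposes one registry location rather than granting the service account the full remote registry access that an entry on the "winreg" ACL would.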