The demo script Demo1 (run below as C:\Reg> Demo1):

@echo ### Check permissions for parent key hklm\Software\Test:
RegDACL hklm\Software\Test /l /e
@echo ### Create a new Registry path:
reg add hklm\Software\Test\Demo\Child1\a=1
@echo ### Check permissions for hklm\Software\Test\Demo\Child1:
RegDACL hklm\Software\Test\Demo\Child1 /l /e
@echo ### Set permissions for hklm\Software\Test\Demo:
RegDACL hklm\Software\Test\Demo /sge:Q(ni) /sga:F(ci) /sgs:RWO(io) /sgi:r(ci-np) /sgn:qw(io-np)
@echo ### Check new permissions for hklm\Software\Test\Demo:
RegDACL hklm\Software\Test\Demo /l /e
@echo ### Check permissions for hklm\Software\Test\Demo\Child1:
RegDACL hklm\Software\Test\Demo\Child1 /l
@echo !!! There was no change on the existing key !!!
@echo ### Create a new Registry path:
reg add hklm\Software\Test\Demo\Child2\Grandchild2\a=1
@echo ### Check permissions for hklm\Software\Test\Demo\Child2:
RegDACL hklm\Software\Test\Demo\Child2 /l
@echo ### Check permissions for hklm\Software\Test\Demo\Child2\Grandchild2:
RegDACL hklm\Software\Test\Demo\Child2\Grandchild2 /l
Output of the script, with line numbers (the remarks after the listing refer to them):

  1  C:\Reg> Demo1
  2  ### Check permissions for parent key hklm\Software\Test:
  3  C:\Reg> RegDACL hklm\Software\Test /l /e
  4
  5
  6  Access Control List for Registry key "hklm\Software\Test":
  7
  8  (CI) ALLOW Full control SYSTEM
  9  (CI) ALLOW Full control Administrators
 10  ### Create a new Registry path:
 11  C:\Reg> reg add hklm\Software\Test\Demo\Child1\a=1
 12  The operation completed successfully.
 13  ### Check permissions for hklm\Software\Test\Demo\Child1:
 14  C:\Reg> RegDACL hklm\Software\Test\Demo\Child1 /l /e
 15
 16
 17  Access Control List for Registry key "hklm\Software\Test\Demo\Child1":
 18
 19  (NI) ALLOW Full control SYSTEM
 20  (IO) ALLOW Full control SYSTEM
 21  (NI) ALLOW Full control Administrators
 22  (IO) ALLOW Full control Administrators
 23  Effective permissions for Registry key "hklm\Software\Test\Demo\Child1":
 24
 25  Full control GROUP SYSTEM
 26  Full control GROUP Administrators
 27  ### Set permissions for hklm\Software\Test\Demo:
 28  C:\Reg> RegDACL hklm\Software\Test\Demo /sge:Q(ni) /sga:F(ci) /sgs:RWO(io) /sgi:r(ci-np) /sgn:qw(io-np)
 29
 30
 31  Setting Q(NI) permissions for predefined group "Everyone"
 32  - adding new entry
 33  Setting F(CI) permissions for predefined group "Administrators"
 34  - removing existing entry
 35  - removing existing entry
 36  - adding new entry
 37  Setting RWO(IO) permissions for predefined group "System"
 38  - removing existing entry
 39  - removing existing entry
 40  - adding new entry
 41  Setting R(CI-NP) permissions for predefined group "Interactive"
 42  - adding new entry
 43  Setting QW(IO-NP) permissions for predefined group "Network"
 44  - adding new entry
 45  ### Check new permissions for hklm\Software\Test\Demo:
 46  C:\Reg> RegDACL hklm\Software\Test\Demo /l /e
 47
 48
 49  Access Control List for Registry key "hklm\Software\Test\Demo":
 50
 51  (NI) ALLOW Q--------- Everyone
 52  (CI) ALLOW Full control Administrators
 53  (IO) ALLOW QW-EN--S-O SYSTEM
 54  (CI-NP) ALLOW Read INTERACTIVE
 55  (IO-NP) ALLOW QW-------- NETWORK
 56  Effective permissions for Registry key "hklm\Software\Test\Demo":
 57
 58  Q--------- GROUP Everyone
 59  Full control GROUP Administrators
 60  Read GROUP INTERACTIVE
 61  ### Check permissions for hklm\Software\Test\Demo\Child1:
 62  C:\Reg> RegDACL hklm\Software\Test\Demo\Child1 /l
 63
 64
 65  Access Control List for Registry key "hklm\Software\Test\Demo\Child1":
 66
 67  (NI) ALLOW Full control SYSTEM
 68  (IO) ALLOW Full control SYSTEM
 69  (NI) ALLOW Full control Administrators
 70  (IO) ALLOW Full control Administrators
 71  !!! There was no change on the existing key !!!
 72  ### Create a new Registry path:
 73  C:\Reg> reg add hklm\Software\Test\Demo\Child2\Grandchild2\a=1
 74  The operation completed successfully.
 75  ### Check permissions for hklm\Software\Test\Demo\Child2:
 76  C:\Reg> RegDACL hklm\Software\Test\Demo\Child2 /l
 77
 78
 79  Access Control List for Registry key "hklm\Software\Test\Demo\Child2":
 80
 81  (NI) ALLOW Full control Administrators
 82  (IO) ALLOW Full control Administrators
 83  (NI) ALLOW QW-EN--S-O SYSTEM
 84  (IO) ALLOW QW-EN--S-O SYSTEM
 85  (NI) ALLOW Read INTERACTIVE
 86  (NI) ALLOW QW-------- NETWORK
 87  ### Check permissions for hklm\Software\Test\Demo\Child2\Grandchild2:
 88  C:\Reg> RegDACL hklm\Software\Test\Demo\Child2\Grandchild2 /l
 89
 90
 91  Access Control List for Registry key "hklm\Software\Test\Demo\Child2\Grandchild2":
 92
 93  (NI) ALLOW Full control Administrators
 94  (IO) ALLOW Full control Administrators
 95  (NI) ALLOW QW-EN--S-O SYSTEM
 96  (IO) ALLOW QW-EN--S-O SYSTEM
 97  C:\Reg>
Lines 19 to 22: When a new key is created with the reg command (from the Resource Kit) no permissions can be assigned; the system copies the DACL of the parent (lines 8 and 9) to the new key. In doing so it splits every inheritable entry into two: a non-inheritable (NI) copy that applies to the new key itself and an inherit-only (IO) copy that carries the entry on to future subkeys. A single CI entry would express the same thing, so every key created this way gets a DACL twice the size it needs, and the Registry is held in memory as long as Windows is running.

Lines 51 to 60: The entries for SYSTEM and NETWORK are inherit-only (IO): they apply to subkeys only, so these two groups have no effective permissions on the key itself and do not appear in the effective-permissions list.

Lines 67 to 70: As expected, the permissions of this key did not change when its parent's permissions were modified in lines 28 to 44. Inheritance happens when a key is created; an existing subkey keeps its own DACL until it is changed explicitly.

Lines 81 to 86: The permissions of this key were inherited from its parent (lines 51 to 55). The entry for Everyone was not inheritable (NI) and is therefore missing. The inheritable entries for Administrators and SYSTEM were split again into NI and IO pairs (see the remark on lines 19 to 22); note that the SYSTEM entry, inherit-only on the parent, now applies to Child2 itself. Because of the NP option set in the parent, the entries for INTERACTIVE and NETWORK arrived as not inheritable (NI): they apply to this key and go no further.

Lines 93 to 96: The permissions of this key were inherited from its parent (lines 81 to 86). The entries for Administrators and SYSTEM are unchanged. The entries for INTERACTIVE and NETWORK were not inheritable (NI) in the parent and are therefore missing here.
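The same sequence can be run without RegDACL, using PowerShell's registry provider and the System.Security.AccessControl classes. The following is an added example written for this page, not code from RegDACL or from the Demo1 script. It maps RegDACL's inheritance options (ni, ci, io, ci-np, io-np) and the right letters used on line 28 to .NET InheritanceFlags, PropagationFlags and RegistryRights; the function names, the $Root scratch key and the requirement for an elevated PowerShell (the demo writes HKLM) are this example's own assumptions.

```powershell
# Added example (not from the RegDACL page or its Demo1 script): the same
# sequence done with the registry provider and System.Security.AccessControl.
# Assumptions: elevated PowerShell (the demo writes HKLM), $Root is a scratch
# key that can be deleted afterwards, Windows 2000 or later (see the note below).
$Root = 'HKLM:\Software\Test'

$IF = [System.Security.AccessControl.InheritanceFlags]
$PF = [System.Security.AccessControl.PropagationFlags]
$RR = [System.Security.AccessControl.RegistryRights]
$WK = [System.Security.Principal.WellKnownSidType]

# RegDACL inheritance options as (InheritanceFlags, PropagationFlags) pairs
$FlagMap = @{
    'ni'    = @($IF::None,             $PF::None)                 # this key only
    'ci'    = @($IF::ContainerInherit, $PF::None)                 # this key and all subkeys
    'io'    = @($IF::ContainerInherit, $PF::InheritOnly)          # subkeys only
    'ci-np' = @($IF::ContainerInherit, $PF::NoPropagateInherit)   # this key and direct subkeys
    'io-np' = @($IF::ContainerInherit, ($PF::InheritOnly -bor $PF::NoPropagateInherit)) # direct subkeys only
}
# Right letters used on line 28 of the transcript. R (QueryValues, EnumerateSubKeys,
# Notify, ReadPermissions) is exactly RegistryRights.ReadKey.
$RightMap = @{
    'Q'   = $RR::QueryValues
    'F'   = $RR::FullControl
    'RWO' = $RR::ReadKey -bor $RR::SetValue -bor $RR::TakeOwnership
    'R'   = $RR::ReadKey
    'QW'  = $RR::QueryValues -bor $RR::SetValue
}

function Get-WellKnownSid([System.Security.Principal.WellKnownSidType]$Type) {
    New-Object System.Security.Principal.SecurityIdentifier($Type, $null)
}

function New-RegRule($Sid, [string]$Right, [string]$Option) {
    $inherit, $propagate = $FlagMap[$Option]
    New-Object System.Security.AccessControl.RegistryAccessRule(
        $Sid, $RightMap[$Right], $inherit, $propagate,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

# Create a key and any missing parents (reg add does this implicitly)
function Initialize-Key([string]$Path) {
    if (-not (Test-Path -Path $Path)) {
        Initialize-Key (Split-Path -Path $Path -Parent)
        New-Item -Path $Path | Out-Null
    }
}

# List a DACL in RegDACL's notation: (NI)/(CI)/(IO), -NP, rights, principal
function Show-RegAcl([string]$Path) {
    "Access Control List for Registry key `"$Path`":"
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        $tag = 'NI'
        if ($ace.InheritanceFlags.HasFlag($IF::ContainerInherit))   { $tag = 'CI' }
        if ($ace.PropagationFlags.HasFlag($PF::InheritOnly))        { $tag = 'IO' }
        if ($ace.PropagationFlags.HasFlag($PF::NoPropagateInherit)) { $tag += '-NP' }
        $origin = if ($ace.IsInherited) { '  [inherited]' } else { '' }
        '({0}) {1,-5} {2,-36} {3}{4}' -f $tag, $ace.AccessControlType, $ace.RegistryRights, $ace.IdentityReference.Value, $origin
    }
    ''
}

# Lines 10-26: a fresh subkey carries only what it inherits from $Root
Initialize-Key "$Root\Demo\Child1"
Show-RegAcl "$Root\Demo\Child1"

# Line 28: /sge:Q(ni) /sga:F(ci) /sgs:RWO(io) /sgi:r(ci-np) /sgn:qw(io-np)
$acl = Get-Acl -Path "$Root\Demo"
$acl.SetAccessRuleProtection($true, $false)   # drop inherited entries so exactly these five remain
$acl.AddAccessRule((New-RegRule (Get-WellKnownSid $WK::WorldSid)                 'Q'   'ni'))
$acl.AddAccessRule((New-RegRule (Get-WellKnownSid $WK::BuiltinAdministratorsSid) 'F'   'ci'))
$acl.AddAccessRule((New-RegRule (Get-WellKnownSid $WK::LocalSystemSid)           'RWO' 'io'))
$acl.AddAccessRule((New-RegRule (Get-WellKnownSid $WK::InteractiveSid)           'R'   'ci-np'))
$acl.AddAccessRule((New-RegRule (Get-WellKnownSid $WK::NetworkSid)               'QW'  'io-np'))
Set-Acl -Path "$Root\Demo" -AclObject $acl

Show-RegAcl "$Root\Demo"                       # lines 49-55: the five explicit entries
Show-RegAcl "$Root\Demo\Child1"                # line 71 on NT 4; see the note below for later Windows
Initialize-Key "$Root\Demo\Child2\Grandchild2"
Show-RegAcl "$Root\Demo\Child2"                # lines 79-86: no Everyone (ni); SYSTEM and NETWORK apply here
Show-RegAcl "$Root\Demo\Child2\Grandchild2"    # lines 91-96: the -NP entries stopped one level up
# Remove-Item -Path $Root -Recurse             # clean up the scratch key
```

Two things differ from the NT 4 transcript on Windows 2000 and later, where the registry uses automatic inheritance: inherited entries are not copied as NI/IO pairs but keep the parent's flags and are marked [inherited] by Show-RegAcl, and Set-Acl propagates the new inheritable entries to the already existing Child1 immediately, so the "no change" of line 71 does not reproduce there. The Administrators F(ci) entry is what keeps the elevated session able to create Child2 after the DACL of Demo has been replaced.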
Suggestion for securing hklm\Software\Microsoft\Windows NT\CurrentVersion

After all this theory, what is RegDACL good for in practice? You probably want to secure your Windows NT installations according to your company's security policy, and you probably already know that the default permissions are set in such a way that any user can install trojans or render the machine unbootable.

Unfortunately, Microsoft provides little information on which restrictions leave a machine secure yet still usable, so the only way to find out what is possible and what is not is trial and error. From time to time the appropriate mailing lists discuss which access permissions are good for a specific Registry key. David LeBlanc did a great job building such a list for hklm\Software\Microsoft\Windows NT\CurrentVersion, and other people supplemented it. The script SMWNCV.cmd implements these suggestions; take it as a basis for your own enhancements. Use it at your own risk! Suggestions, modifications and reports, as well as your own scripts for other subtrees of the Registry, would be very much appreciated by email.
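Before applying a script such as SMWNCV.cmd, it helps to see which entries below the key actually give ordinary users write access. The following read-only audit is an added example for this page, not part of RegDACL or of SMWNCV.cmd; the set of "broad" principals, the rights counted as write-type, and the function name are this example's own choices.

```powershell
# Added example (not from the RegDACL page or from SMWNCV.cmd): read-only audit
# listing every Allow entry below $Base that gives a write-type right to a
# broad principal. Run elevated so that every subkey can be opened.
$Base = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion'

$RR = [System.Security.AccessControl.RegistryRights]
$PF = [System.Security.AccessControl.PropagationFlags]
$WK = [System.Security.Principal.WellKnownSidType]

# Rights that change the data or structure of a key, or let the holder take it over
$WriteMask = $RR::SetValue -bor $RR::CreateSubKey -bor $RR::CreateLink -bor $RR::Delete -bor
             $RR::ChangePermissions -bor $RR::TakeOwnership

# "Broad" principals chosen for this example: anyone who can log on, locally or over the network
$Broad = @{}
foreach ($t in $WK::WorldSid, $WK::AuthenticatedUserSid, $WK::BuiltinUsersSid, $WK::InteractiveSid, $WK::NetworkSid) {
    $sid = New-Object System.Security.Principal.SecurityIdentifier($t, $null)
    $Broad[$sid.Value] = $sid.Translate([System.Security.Principal.NTAccount]).Value
}

function Find-WeakRegAce([string]$Path) {
    $keys = @(Get-Item -Path $Path) + @(Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        $acl = Get-Acl -Path $key.PSPath -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        # Ask for SIDs rather than names so the lookup does not depend on the system language
        foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
            if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
            if (-not $Broad.ContainsKey($ace.IdentityReference.Value)) { continue }
            $granted = $ace.RegistryRights -band $WriteMask
            if ($granted -eq 0) { continue }
            $applies = if ($ace.PropagationFlags.HasFlag($PF::InheritOnly)) { 'subkeys only' } else { 'this key' }
            [pscustomobject]@{
                Key       = $key.Name
                Principal = $Broad[$ace.IdentityReference.Value]
                Writes    = [System.Security.AccessControl.RegistryRights]$granted
                Inherited = $ace.IsInherited
                AppliesTo = $applies
            }
        }
    }
}

Find-WeakRegAce $Base | Format-Table -AutoSize
```

An empty table means no broad group can write anywhere below $Base. Each row is a candidate for the kind of restriction SMWNCV.cmd applies; as the text above warns, test such changes on a non-production machine first, since an over-restricted CurrentVersion subtree can leave the machine unusable. Entries whose RegistryRights show up as a plain number carry generic access bits that the mask above does not match and should be reviewed by hand.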