- Managing Registry Security
To manage registry security, the Regedit.exe version supplied with Windows XP and
products of the Windows Server 2003 family includes the Permissions command. Using
this command, you can edit registry-key permissions and set the rules for auditing
Note It should be noted that, in Windows NT/2000, these capabilities were only available
in Regedt32.exe. As you remember, Regedt32.exe had a special Security menu,
which allowed you to specify registry-key permissions and establish auditing rules.
Beginning with Windows XP, this functionality was delegated to Regedit.exe. Note
that registry key permissions can be set independently from the file-system type on
the disk partition containing the operating-system files.
This chapter provides only a brief overview of these functions and general instructions
for performing operations needed to protect the registry.
More detailed information on these topics will be provided in Chapter 9, which is
dedicated to registry protection.
As in previous Windows NT/2000 versions, Windows XP and products of the Windows
Server 2003 family possess the following capabilities for protecting the system and
All access to system resources can be controlled.
All operations that access system objects can be registered in the security log.
A password is required for accessing the system, and all access operations can be
Setting Registry-Key Permissions
The Permissions command opens the Permissions for the window
intended for viewing and setting registry-key permissions. The capability to set registry
key permissions doesn't depend on the file system used to format the partition that
contains the operating-system files.
Note Changing registry-key permissions can lead to serious consequences. For example,
if you set the No Access permission for the key required for configuring network
settings using the Control Panel applet, this applet won't work. Full Control
permissions for the registry should be assigned to the members of the
Administrators group and the operating system itself. This setting provides the
system administrator with the ability to restore the registry key after rebooting the
Since setting registry-key permissions can lead to serious consequences, reserve this
measure for the keys added in order to optimize software, or other examples of
customizing the system.
Note If you change permissions for the registry key, it is best also to audit the key access
(or, at least, to audit the failed attempts at accessing this key). A brief overview of
registry auditing will be provided later in this chapter.
The Permissions command follows the principles used by the Explorer commands to set
file and folder permissions on NTFS partitions. To set registry-key permissions, proceed
1. Before modifying registry-key permissions, back up the registry keys you are
going to modify.
2. Select the key for which you are going to set permissions, and then select the
3. The Permissions for window, allowing you to specify registry-key
permissions (Fig. 3.20) will open. Windows XP and Windows Server 2003
provide many enhancements, including security enhancements. However, the main
types of access permissions and basic principles for setting these permissions are
similar to the ones found in previous versions of Windows NT/2000. Select the
name of the user or group from the list at the top of this window, and then set the
required access level by selecting the option you need from the Permissions for
list provided below. Brief descriptions of the available access types
(Read, Full Control, and Special Permissions) are listed in Table 3.3. To set
permissions for a selected registry key, proceed as follows:
o From the list at the top of this window, select the user or group for which
you need to set registry-key permissions. If the user or group should have
read capabilities, but not those to modify the key, set the Allow checkbox
next to the Read option.
o If the user or group should be able to open the selected registry key for
editing ownership, set the Allow checkbox next to the Full Control option.
o To assign the user or group a special combination of permissions (special
permissions), click the Advanced button.
- Figure 3.20: The Permissions for window allows you to specify
Table 3.3: Registry-Key Permission Types
Read Users who have permission to access this key can view its
contents, but can't save any changes.
Full Control Users who have permission to access this key can open the key to
edit its contents, save the changes, and modify access levels for the
Special Users who have permission to access this key have individual
Permissions combinations of access rights for the selected key. A detailed
description of all these types and their combinations will be
provided later in this chapter.
4. Set the system audit for registry access (more detailed information on this topic
will be provided later in this chapter). Audit the system carefully over a period of
- time to make sure that new access rights have no negative influence on the
applications installed in your system.
Specifying Advanced Security Settings
To set special access types for a registry key, click the Advanced button in the registry-
key permissions dialog (see Fig. 3.20). The Advanced Security Settings for
window will open (Fig. 3.21).
Figure 3.21: The Permissions tab in the Advanced Security Settings for
If you are setting permissions for the registry subkey and want this subkey to inherit
permissions from its parent key, set the Allow inheritable permissions from parent to
propagate to this object and all child objects… checkbox.
If you are setting permissions for the parent key and want all of its subkeys to inherit the
permission from the selected key, set the Replace permission entries on all child
Double-click the name of the user or group for which you need to set special access (or
select the name and click the Edit button). The dialog shown in Fig. 3.22 will appear. In
the Permissions list, select Allow or Deny checkboxes next to the type of access that you
need to allow or deny for the selected user or group. The list of special-access options is
provided in Table 3.4. Note that the list doesn't differ from the similar list in Windows
NT 4.0 and Windows 2000.
- Figure 3.22: The Permission Entry window
Table 3.4: The Special Access Options
Query Value Allows the user to read values within the selected registry key
Set Value Allows the user to set values within the selected registry key
Create Subkey Allows the user to create subkeys within the selected registry key
Enumerate Allows the user to identify the subkeys within the selected registry
Notify Allows the user to audit this key
Create Link Allows the user to create symbolic links in the selected registry key
Delete Allows the user to delete the selected registry key
Write DAC Allows the user to access the key and create or modify its Access
Control List (ACL)
Write Owner Allows the user to take ownership of this registry key
Read Control Allows the user to view the security parameters set for the selected
Taking Registry Key Ownership
- As a system administrator, you may take ownership of any registry key and restrict
access to this key. Anyone who has logged in to the local system as a member of the
Administrators group may take ownership of any registry key. However, if you have
owner rights without full control access type, you won't be able to return this key to its
initial owner at a later time and the appropriate message will appear in the security log.
To take ownership of the registry key in Windows XP or any product of the Windows
Server 2003 family, proceed as follows:
1. Select the registry key for which you wish to take ownership.
2. Select the Permissions command from the Edit menu.
3. Click the Advanced button. The Advanced Security Settings for
window will open. Go to the Owner tab (Fig. 3.23).
Figure 3.23: The Owner tab of the Advanced Security Settings for
4. Select the new owner from the Change owner to list and click OK.
Note If you need to change the owner for all nested objects of this key as well, set the
Replace owner on subcontainers and objects checkbox. You can change the
registry-key owner only if you log in as an Administrator (or a member of the
Administrators group), or if the previous owner has explicitly assigned you owner
rights for this key.
- Auditing is the process used by Windows NT-based operating systems, including
Windows 2000/XP and products of the Windows Server 2003 family, for detecting and
logging security-related events. For example, any attempt to create or delete system
objects or any attempt to access these objects are security-related events. Note that, in
object-oriented operating systems, anything is considered an object, including files,
folders, and registry keys. All security-related events are registered in the security-log
file. Auditing is not activated in the system by default. So, if you need to audit security-
related events, you will need to activate the audit. After the system audit has been
activated, the operating system starts logging security-related events. You can view
information registered in the security log using Event Viewer. When initiating auditing,
you can specify the types of events to be registered in the security log, and the operating
system will create a record each time the specified event type occurs in the system. The
record written to the security log contains an event description, the name of the user who
performed the action corresponding to the event, and the event date/time information.
You can audit successful and failed attempts, and the security log will display both the
names of the users who performed successful attempts and the names of the users whose
Detailed information on this topic and tips on auditing registry access are provided in
Chapter 9, which is dedicated to registry protection.
To establish registry auditing, proceed as follows:
1. Activate the audit and set the audit policy for each event that requires auditing.
2. Specify users and groups whose access to the specified registry keys you wish to
3. Use the Event Viewer for viewing the audit results in the Security log.
To perform any of the actions mentioned above, you need to log in to the local system as
a member of the Administrators group. The audit policy is specified individually for each
computer. Before you can set the registry-auditing policy, you need to activate the audit
in the system. Regedit.exe will display an error message if you attempt to set registry
auditing without activating the audit in the system.
To set the auditing options for the registry, proceed as follows:
1. Select the key that you wish to audit.
2. Select the Permissions command from the Edit menu, and then click the
Advanced button. The Advanced Security Settings for window will
open. Go to the Auditing tab (Fig. 3.24).
- Figure 3.24: The Auditing tab of the Advanced Security Settings for
3. If you are setting the auditing options for this key for the first time, the Auditing
Entries list will be blank. Click the Add button below this list, select the users and
groups whose activity you need to audit, and add them to the list.
4. To audit the activity of a certain user or group, select the name of this user/group
from the Auditing Entries list, and click the Edit button. The dialog shown in
Fig. 3.25 will appear. In the Access list, set the Successful and/or Failed
checkboxes for the access types that require auditing.
- Figure 3.25: The Auditing Entry for window
The auditing options available to you are described in Table 3.5. Note that the set of
options hasn't changed from that in Windows NT/2000.
Table 3.5: Auditing Option Types for Registry Keys
Query Value Accessing the key with the right to query the value.
Set Value Opening the key with the right to set the value.
Create Opening the key with the right to create subkeys.
Enumerate Opening the key with the right to enumerate its subkeys. This option
Subkeys controls events that open the keys and attempts to get a list of the subkeys
contained within the key being opened.
Notify Accessing the key with the right to notify.
Create Link Opening the key with the right of creating symbolic links within this key.
Delete Deleting the key.
Write DAC Attempts to modify the list of users who have access to this key.
- Table 3.5: Auditing Option Types for Registry Keys
Read Control Reading owner-related information on this key.
Note To set registry-key auditing, you need to log in to the local system as an
Administrator or a member of the Administrators group. If the local computer is
connected to the network, then network-security policy may prevent you from
auditing the registry keys.
To view the auditing results, select the Programs | Administrative Tools | Computer
Management commands from the Start menu. Expand the console tree in the left pane
of the MMC window by selecting the System Tools | Event Viewer | Security Log
options. The right pane will display a list of security-related events. Viewing this list is
similar to viewing the security log in Windows NT 4.0 and Windows 2000.
Options included in other menus, such as Window and Help, are standard for most