Microsoft KB Archive/221766

= Registry Permissions Not Inherited Properly After Securing the Registry with C2Config =

Article ID: 221766

Article Last Modified on 11/1/2006

-

APPLIES TO


 * Microsoft Windows NT Server 4.0, Terminal Server Edition
 * Microsoft Windows NT Server 4.0 Standard Edition

-



This article was previously published under Q221766



SYMPTOMS
After securing the registry with C2Config, subkeys created in the HKEY_LOCAL_MACHINE\SOFTWARE, HKEY_LOCAL_MACHINE\SOFTWARE\Classes, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft, and HKEY_LOCAL_MACHINE\SOFTWARE\Secure keys do not inherit the expected permissions.



CAUSE
C2Config sets the inherited permissions separately from the object permissions. The permissions to be set are defined in the C2RegACL.inf file, and it does not include the permissions to be inherited by subkeys.



RESOLUTION
To resolve this problem you should add the permissions to be inherited to the C2RegACL.inf file.

Example:

Section of C2RegACL.inf before modifications:

[HKEY_LOCAL_MACHINE\SOFTWARE] BUILTIN\Administrators = FULL CREATOR OWNER = FULL SYSTEM = FULL Everyone = QV, SV, CS, ES, NT, DE, RC

Section of C2RegACL.inf after adding inherited permissions:

[HKEY_LOCAL_MACHINE\SOFTWARE] BUILTIN\Administrators = FULL BUILTIN\Administrators = INHERIT, FULL CREATOR OWNER = FULL CREATOR OWNER = INHERIT, FULL SYSTEM = FULL SYSTEM = INHERIT, FULL Everyone = QV, SV, CS, ES, NT, DE, RC Everyone = INHERIT, QV, SV, CS, ES, NT, DE, RC

Note the INHERIT entry in the permissions. This is the option that sets the permissions that will be inherited by subkeys.

Additional query words: SECURITY CONFIGURATION EDITOR

Keywords: kbprb KB221766

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.