Microsoft KB Archive/155363

{|
 * width="100%"|

HOWTO: Regulate Network Access to the Windows NT Registry

 * }

Q155363

-

The information in this article applies to:


 * Microsoft Windows NT Server version 4.0
 * Microsoft Windows NT Workstation version 4.0
 * Microsoft Win32 Software Development Kit (SDK) for Windows NT
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Professional

-

SUMMARY
This article describes new functionality in Windows NT 4.0 that provides a system administrator with the ability to secure remote registry access.

MORE INFORMATION
Windows NT supports accessing a remote registry via the Registry Editor and also through the RegConnectRegistry Win32 API call. The default security on the registry allows for easy use and configuration by users in a network. In some cases, it may be useful to regulate who has remote access to the registry, in order to prevent potential security problems.

The security on the following registry key dictates which users/groups can access the registry remotely:

  HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Control\ SecurePipeServers\ Winreg If this key does not exist, remote access is not restricted, and only the underlying security on the individual keys control access.

In a default Windows NT workstation installation, this key does not exist. In a default Windows NT server installation, this key exists and grants administrators full control for remote registry operations.

The following optional subkey defines specific paths into the registry that are allowed access, regardless of the security on the winreg registry key:

  HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Control\ SecurePipeServers\ Winreg\ AllowedPaths\ Machine (entry of type REG_MULTI_SZ) The "AllowedPaths" registry key contains multiple strings, which represent registry entries that can be read by Everyone. This allows specific system functions, such as checking printer status, to work correctly regardless of how access is restricted via the winreg registry key. The default security on the "AllowedPaths" registry key only grants Administrators the ability to manage these paths.

Any changes to the above registry entries require a reboot in order to take effect.

Note that modifying the security and key contents can be performed using the registry editor utility (Regedt32.exe).

The following KB article illustrates how to programmatically access the Windows NT registry and apply security to a registry key:

"Q146906 How to Secure Performance Data in Windows NT" Additional query words:

Keywords : kbKernBase kbOSWin2000 kbRegistry kbSecurity kbDSupport kbGrpKernBase

Issue type : kbhowto

Technology : kbWinNTsearch kbWinNTWsearch kbWinNTW400 kbWinNTW400search kbWinNT400search kbwin2kAdvSer kbwin2kAdvSerSearch kbwin2kS kbWinNTSsearch kbWinNTS400search kbWinNTS400 kbwin2kSSearch kbwin2kSearch kbwin2kProSearch kbwin2kPro