Microsoft KB Archive/247528

HOWTO: Configure Windows Installer for Maximum Security

Q247528


The information in this article applies to:


 * Microsoft Windows Installer, versions 1.0, 1.1, 1.2


IMPORTANT: This article contains information about editing the registry. Before you edit the registry, make sure you understand how to restore it if a problem occurs. For information about how to do this, view the "Restoring the Registry" Help topic in Regedit.exe or the "Restoring a Registry Key" Help topic in Regedt32.exe.

SUMMARY
This article describes the available system policies that can be configured to get the maximum security level for Windows Installer.

MORE INFORMATION
WARNING: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.

For information about how to edit the registry, view the "Changing Keys and Values" Help topic in Registry Editor (Regedit.exe) or the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe. Note that you should back up the registry before you edit it. If you are running Windows NT or Windows 2000, you should also update your Emergency Repair Disk (ERD).

The following tables list user and machine policies that can be configured to get the maximum security level for the Windows Installer.

The following machine policies are configured under HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer.

The following user policies are configured under HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer.

An administrator can also use the Group Policy Editor (GPE) on Windows 2000 or the System Policy Editor on Windows 95, Windows 98, and Windows NT to configure the installation behavior of the Windows Installer. An administrator can configure the policies for all users of a computer, or for all members of a group on the computer.

The LockPermissions table can also be used to secure individual portions of your application in a locked-down environment. It can be used with the installation of files, registry keys, and created folders. If the folder, file, or registry key already exists, any access control lists (ACLs) are replaced by the entries in this table.

NOTE: Machine information should be stored in HKLM, which is secure if good practices are followed. User information should be located in HKCU. The Windows Installer normally runs in the user context. The special case is managed/elevated installations that can run as "local system". The user context generally cannot modify keys in HKLM.
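
The following is an added example, not part of the original KB article: a read-only PowerShell audit for a current Windows system that lists whatever values are set under the two policy keys named above and flags write access held by anyone other than SYSTEM or Administrators, which is the practice the note relies on. The trusted-SID list and the variable names are assumptions of this example.

```powershell
# Added example (not from the KB article): read-only audit of the Installer policy keys.
$keys = @(
    'HKLM:\Software\Policies\Microsoft\Windows\Installer'   # machine policies
    'HKCU:\Software\Policies\Microsoft\Windows\Installer'   # user policies
)

# Assumption: only these well-known SIDs are expected to hold write access.
$trustedSids = @(
    'S-1-5-18'       # Local System
    'S-1-5-32-544'   # BUILTIN\Administrators
    'S-1-3-0'        # CREATOR OWNER (inherit-only placeholder)
)

# Rights that allow changing policy values or the key's own protection,
# plus GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000), which can
# appear unmapped in inherit-only entries.
$rights    = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
$writeMask = [int]$rights -bor 0x40000000 -bor 0x10000000
$sidType   = [System.Security.Principal.SecurityIdentifier]

foreach ($path in $keys) {
    if (-not (Test-Path -Path $path)) {
        Write-Host "$path : key not present, no Installer policies configured"
        continue
    }

    # 1. List every policy value currently set under the key.
    $key = Get-Item -Path $path
    foreach ($name in $key.GetValueNames()) {
        [pscustomobject]@{
            Key   = $path
            Name  = $name
            Kind  = $key.GetValueKind($name)
            Value = $key.GetValue($name)
        }
    }

    # 2. Flag Allow entries that give write access to an unexpected principal.
    #    Requesting SIDs avoids depending on localized account names.
    $acl = Get-Acl -Path $path
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        $canWrite = ([int]$ace.RegistryRights -band $writeMask) -ne 0
        if ($ace.AccessControlType -eq 'Allow' -and $canWrite -and
            $trustedSids -notcontains $ace.IdentityReference.Value) {
            Write-Warning "$path : $($ace.IdentityReference.Value) holds $($ace.RegistryRights)"
        }
    }
}
```

Run it once in the context of the user whose HKCU policies are of interest; it changes nothing in the registry.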