Microsoft KB Archive/298372

= Permissions Mode Behavior Under Terminal Services =

Article ID: 298372

Article Last Modified on 3/1/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)

-



This article was previously published under Q298372



SUMMARY
When a user logs on to a terminal server, the link propagation protocol, Link State Algorithm (LSA), determines whether the terminal server is in Full Security or Relaxed Security mode. If the server is in Relaxed mode, LSA adds the TSUserSID attribute to the user's security token.

Because the settings of certain registry subfolders and file system folders provide near-power-user-level access to TsUserSID, any user on such a Relaxed mode server can make changes to those objects.

These permissions are necessary when a power user starts legacy programs that the power user should be able run successfully.



MORE INFORMATION
When a user places a terminal server in Relaxed Security mode, the following program compatibility measures are taken:   LSA adds TsUserSID to user's token when the user logs on. The TsUserSID settings, because they were initially set during the operating system installation from the Defltsv.inf file, allow the access that is noted in the following list.

Note: The following format is known as SDDL, which is documented in MSDN. Only the TsUserSID entry (the S-1-5-13 string) from that file is documented in the following list. [Registry Keys] &quot;MACHINE\Software&quot;,2,&quot;D:P(A;CI;GR;;;BU)(A;CI;GRGWSD;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GRGWSD;;;S-1-5-13)&quot; &quot;MACHINE\SOFTWARE\Microsoft\Tracing&quot;,2,&quot;D:P(A;CI;GR;;;BU)(A;CI;GRGWSD;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GR;;;S-1-5-13)&quot; &quot;MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths&quot;,2,&quot;D:P(A;CI;GR;;;BU)(A;CI;GRGWSD;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GRGWSD;;;S-1-5-13)&quot; &quot;MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace&quot;,2,&quot;D:P(A;CI;GR;;;BU)(A;CI;GRGWSD;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GRGWSD;;;S-1-5-13)&quot; &quot;MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks&quot;,2,&quot;D:P(A;CI;GR;;;BU)(A;CI;GRGWSD;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GRGWSD;;;S-1-5-13)&quot; &quot;MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs&quot;,2,&quot;D:P(A;CI;GR;;;BU)(A;CI;GRGWSD;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GRGWSD;;;S-1-5-13)&quot; &quot;MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall&quot;,2,&quot;D:P(A;CI;GR;;;BU)(A;CI;GRGWSD;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GRGWSD;;;S-1-5-13)&quot; &quot;%SceInfProgramFiles%&quot;,2,&quot;D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)(A;CIOI;GRGWGXSD;;;S-1-5-13)&quot; &quot;%SystemRoot%\help&quot;,2,&quot;D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)(A;CIOI;GRGWGX;;;S-1-5-13)&quot;  When a user starts program that is non-Terminal Services-aware in a user context, the user receives an &quot;access denied&quot; error when the user attempts to open a restricted registry key. The reg-code attempts to open the same key again, with the maximum permissions that the user can have (which is typically read-only), and returns that handle to the program. Most legacy programs open a key with write/create privileges, but they only perform read actions, so legacy programs still run correctly.
 * The following keys need to be writable by TERMINAL_SERVER_USER for App-Compat
 * ProgramFiles
 * ProgramFiles
 * Directories with a legacy history being changed for security reasons

There is a global setting to enable or disable this behavior. The default is to provide this behavior when in the Relaxed Security mode. This behavior is controlled through the following key:

'''HKLM ,&quot;SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server&quot;

&quot;RegistryExtensionFlags&quot;, 0x1 [bit mask, 1st bit]'''

 When a non-Terminal Services-aware program, which is running in the user context, attempts to change or write a value under HKCR and HKLM\Software\Classes, the change is redirected to its own HKCU\Software\Classes; therefore, when necessary, a whole sub-branch is created under HKCU\Software\Classes.

There is a global setting to enable or disable this behavior. The default setting is available primarily for Relaxed Security mode. You can control this behavior through the following key:

'''HKLM ,&quot;SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server&quot;

&quot;RegistryExtensionFlags&quot;, 0x2 [bit mask, 2nd bit]'''



Keywords: kbinfo KB298372

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.