Controlling Remote Performance Monitor Access to Windows NT Servers
ID: Q164018
The information in this article applies to:
- Microsoft Windows NT Server versions 3.51, 4.0
IMPORTANT: This article contains information about editing the registry.
Before you edit the registry, make sure you understand how to restore it if
a problem occurs. For information on how to do this, view the "Restoring
the Registry" online Help topic in Regedit.exe or the "Restoring a Registry
Key" online Help topic in Regedt32.exe.
SUMMARY
Depending on the networking environment, administrators may want to extend
or deny remote access to the performance data of their computers running
Windows NT Server 3.51 or 4.0. The default permissions are different in
Windows NT 3.51 and Windows NT 4.0, and the methods for granting or
restricting access are also different. The information below details these
defaults and methods.
MORE INFORMATION
To remotely view performance data on a computer running Windows NT Server,
follow these steps:
1. On a computer running either Windows NT Workstation or Server, run
   Performance Monitor.
2. On the Edit menu, click Add to Chart.
   -or-
   On the toolbar, click the button with the plus (+) on it.
After entering \\<ComputerName> in the Add to Chart dialog box, you are
either denied access in some way or allowed to add counters from the remote
computer to the local performance chart.
Default Behavior on Windows NT Server 3.51 Computers
Prior to Windows NT 3.51, any user (Guest, User, Administrator) who could
make a connection to IPC$ on a server could also use Performance Monitor to
remotely view the server's performance data.
By default, the Everyone group has READ access in the following registry
keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\009
READ access is all that is required to read the performance data, so
Everyone could access the data remotely.
Restricting Remote Access to Performance Data on Windows NT Server 3.51 Computers
To restrict access on a computer running Windows NT Server 3.51, follow these
steps:
WARNING: Using Registry Editor incorrectly can cause serious problems that
may require you to reinstall your operating system. Microsoft cannot
guarantee that problems resulting from the incorrect use of Registry Editor
can be solved. Use Registry Editor at your own risk.
For information about how to edit the registry, view the "Changing Keys And
Values" online Help topic in Registry Editor (Regedit.exe) or the "Add and
Delete Information in the Registry" and "Edit Registry Data" online Help
topics in Regedt32.exe. Note that you should back up the registry before
you edit it.
1. Run Registry Editor (Regedt32.exe).
2. From the HKEY_LOCAL_MACHINE subtree, go to the following key:
   \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib
3. Select the Perflib key.
4. On the Security menu, click Permissions.
5. Select Everyone and click Remove.
   NOTE: Check to make sure that Administrator and System have Full Control
   access to Perflib and its subkey, 009.
   NOTE: 009 is the language ID for the English version of Windows NT.
6. Add a value called CheckSystemProfileRight to the Perflib key. The
   value type is REG_DWORD and should be set to 1.
   NOTE: In Windows NT 3.51 and 4.0, if the CheckSystemProfileRight value
   under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
   NT\CurrentVersion\Perflib\ key has been defined and given a value of 1,
   Read access to this key is necessary to retrieve the performance data.
   If this value is not defined or is defined and set to zero, the ACL will
   NOT be checked (to provide Windows NT 3.5 compatible behavior).
7. Click OK and quit Registry Editor.
8. If the Windows NT system partition is NTFS, use Explorer or File Manager
   to check the security on the following files:
   %windir%\system32\PERFCxxx.DAT
   %windir%\system32\PERFHxxx.DAT
   NOTE: xxx is the basic language ID for the system. For example, 009 is
   the ID for the English version.
   These files contain performance data. If you want to restrict remote
   access to this data, remove Everyone (or other appropriate groups) from
   the access list for these files.
   NOTE: Read access to both Perfc009.dat and Perfh009.dat is required to
   monitor performance data. BOTH files must have the correct ACL.
9. Shut down and restart Windows NT 3.51.
Users who attempt to remotely access performance data with Performance
Monitor should now receive the following message:
Insufficient privilege to access performance data
Default Behavior on Windows NT Server 4.0 Computers
In Windows NT 4.0, guests (if the Guest account is enabled) and
administrators are supposed to be able to access performance data remotely.
However, security on the following registry key is restricted to
administrators:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg
Without read access to this key, no one will be able to access performance
data on this server. Prior to Service Pack 3.0 for Windows NT Server 4.0,
neither guests nor users are able to access performance data. Adding read
access to the Winreg key for the Guests, Domain Guests, Users, Domain
Users, or Everyone group will grant the desired user(s) access to
performance data. Anyone attempting to view remote performance data without
this permission will receive the following error message:
Computer name not found
This message would normally mean that the client had network connectivity
problems or perhaps a NetBIOS name resolution problem. In this case, it is
the equivalent of "Insufficient privilege to access performance data."
Restricting Remote Access to Performance Data on Windows NT Server 4.0 Computers
Follow steps 1 through 6 above to restrict access to Windows NT 4.0
performance data. After step 6, perform the following step:
- Before closing the registry, locate this key:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
  Check the security permissions for this key. If it is present, remove the
  Everyone group (and other appropriate groups) from the permissions list.
  However, be sure that administrators and system retain Full Control of
  this key.
After securing the permissions on this key, complete steps 7 through 9 from
above. Now, no one except administrators should be able to remotely access
the server's performance data using Performance Monitor.
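
A read-only check of the end state of both procedures above, added here as an example (not part of the original article and not Microsoft's code). PowerShell does not exist on Windows NT 3.51 or 4.0, so it assumes a later Windows host that still uses these key and file paths; the paths come from the article, while the function name Get-BroadAllowEntry and the SID pattern are illustrative.

```powershell
# Read-only audit of the settings this article changes; nothing is modified.
# Assumption: run locally from an elevated prompt on a host that has PowerShell.
$langId  = '009'   # basic language ID; 009 is English, per the article
$perflib = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib'
$winreg  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
$targets = @(
    $perflib
    "$perflib\$langId"
    $winreg
    "$env:windir\system32\perfc${langId}.dat"
    "$env:windir\system32\perfh${langId}.dat"
)

# Groups the article names, matched by SID so localized names do not matter:
# Everyone, BUILTIN\Users, BUILTIN\Guests, Domain Users (-513), Domain Guests (-514).
$broadSid = '^(S-1-1-0|S-1-5-32-54[56]|S-1-5-21-[\d-]+-51[34])$'

function Get-BroadAllowEntry {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -Path $Path)) {
        Write-Warning "Not found: $Path"
        return
    }
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in (Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -notmatch $broadSid) { continue }
        # Registry ACEs carry RegistryRights; file ACEs carry FileSystemRights.
        $rights = if ($ace -is [System.Security.AccessControl.RegistryAccessRule]) {
            $ace.RegistryRights
        } else {
            $ace.FileSystemRights
        }
        [pscustomobject]@{ Path = $Path; Sid = $ace.IdentityReference.Value; Rights = $rights }
    }
}

# Step 6: per the article, the Perflib ACL is only checked when this value is 1.
$prop = Get-ItemProperty -Path $perflib -Name CheckSystemProfileRight -ErrorAction SilentlyContinue
if ($null -eq $prop -or $prop.CheckSystemProfileRight -ne 1) {
    Write-Warning 'CheckSystemProfileRight is missing or 0: the Perflib ACL is not checked.'
}

# Any row printed here is an Allow entry for a broad group that the steps remove.
$targets | ForEach-Object { Get-BroadAllowEntry -Path $_ } | Format-Table -AutoSize
```

An empty table with no warnings means none of the groups the article names holds an Allow entry on these objects; other principals are not evaluated.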
Additional query words: perfmon
Keywords : ntsecurity NTSrv
Version : WinNT:3.51,4.0
Platform : winnt
Issue type : kbinfo
Last Reviewed: February 9, 1999