HOWTO: Regulate Network Access to the Windows NT Registry

ID: Q155363

The information in this article applies to:

Microsoft Windows NT, version 4.0
Microsoft Win32 Software Development Kit (SDK) for Windows NT, version 4.0

SUMMARY

This article describes new functionality in Windows NT 4.0 that provides a system administrator with the ability to secure remote registry access.

MORE INFORMATION

Windows NT supports accessing a remote registry via the Registry Editor and also through the RegConnectRegistry() Win32 API call. The default security on the registry allows for easy use and configuration by users in a network. In some cases, it may be useful to regulate who has remote access to the registry, in order to prevent potential security problems.

The security on the following registry key dictates which users/groups can access the registry remotely:

   HKEY_LOCAL_MACHINE\ 
    SYSTEM\ 
    CurrentControlSet\ 
    Control\ 
    SecurePipeServers\ 
    Winreg

If this key does not exist, remote access is not restricted, and only the underlying security on the individual keys control access.

In a default Windows NT workstation installation, this key does not exist. In a default Windows NT server installation, this key exists and grants administrators full control for remote registry operations.

The following optional subkey defines specific paths into the registry that are allowed access, regardless of the security on the winreg registry key:

   HKEY_LOCAL_MACHINE\ 
    SYSTEM\ 
    CurrentControlSet\ 
    Control\ 
    SecurePipeServers\ 
    Winreg\ 
    AllowedPaths\ 
    Machine (entry of type REG_MULTI_SZ)

The "AllowedPaths" registry key contains multiple strings, which represent registry entries that can be read by Everyone. This allows specific system functions, such as checking printer status, to work correctly regardless of how access is restricted via the winreg registry key. The default security on the "AllowedPaths" registry key only grants Administrators the ability to manage these paths.

Any changes to the above registry entries require a reboot in order to take effect.

Note that modifying the security and key contents can be performed using the registry editor utility (Regedt32.exe).

The following KB article illustrates how to programmatically access the Windows NT registry and apply security to a registry key:

   ARTICLE-ID: Q146906
   TITLE     : How to Secure Performance Data in Windows NT

Additional query words:

Keywords          : kbKernBase kbRegistry kbSecurity 
Issue type        : kbhowto

Last Reviewed: September 12, 1998