How To Regulate Network Access to the Windows NT Registry

 Last reviewed: January 11, 1997
Article ID: Q155363
The information in this article applies to:
  • Microsoft Windows NT, version 4.0
  • Microsoft Win32 Software Development Kit (SDK) for Windows NT, version 4.0

SUMMARY

This article describes new functionality in Windows NT 4.0 that provides a system administrator with the ability to secure remote registry access.

MORE INFORMATION

Windows NT supports accessing a remote registry via the Registry Editor and also through the RegConnectRegistry() Win32 API call. The default security on the registry allows for easy use and configuration by users in a network. In some cases, it may be useful to regulate who has remote access to the registry, in order to prevent potential security problems.

The security on the following registry key dictates which users/groups can access the registry remotely: 

   HKEY_LOCAL_MACHINE\
    SYSTEM\
    CurrentControlSet\
    Control\
    SecurePipeServers\
    Winreg
If this key does not exist, remote access is not restricted, and only the underlying security on the individual keys control access.

In a default Windows NT workstation installation, this key does not exist. In a default Windows NT server installation, this key exists and grants administrators full control for remote registry operations, in addition to granting Everyone Create Subkey and Set Value access (special access).

The following optional subkey defines specific paths into the registry that are allowed access, regardless of the security on the winreg registry key: 

   HKEY_LOCAL_MACHINE\
    SYSTEM\
    CurrentControlSet\
    Control\
    SecurePipeServers\
    Winreg\
    AllowedPaths\
    Machine (entry of type REG_MULTI_SZ)
The "AllowedPaths" registry key contains multiple strings, which represent registry entries that can be read by Everyone. This allows specific system functions, such as checking printer status, to work correctly regardless of how access is restricted via the winreg registry key. The default security on the "AllowedPaths" registry key only grants Administrators the ability to manage these paths.

Any changes to the above registry entries require a reboot in order to take effect.

Note that modifying the security and key contents can be performed using the registry editor utility (Regedt32.exe).

The following KB article illustrates how to programmatically access the Windows NT registry and apply security to a registry key: 

   ARTICLE-ID: Q146906
   TITLE     : How to Secure Performance Data in Windows NT

KBCategory: kbprg kbhowto
KBSubcategory: BseSecurity BseRegistry BseMisc
Additional reference words: 4.00 kbdss perform performance



THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

Last reviewed: January 11, 1997
© 1998 Microsoft Corporation. All rights reserved. Terms of Use.