Results 1 to 4 of 4

Thread: Protect the registry from anonymous access?

  1. #1
    Join Date
    Apr 2002

    Question Protect the registry from anonymous access?

    This one is the one I don't get. I run a w2k prof.

    I got confused at this point
    Select winreg, click the Security menu, and then click Permissions.
    It told me to add a registry value and it was already there. The other thing was that the only way I could access what they (M$) told me is from a file and winreg is in a registry key. Im confused, I don't get on how I can apply that feature. Thx in advance.

    Protect the registry from anonymous access

    The default permissions do not restrict remote access to the registry. Only administrators should have remote access to the registry, because the Windows 2000 registry editing tools support remote access by default. To restrict network access to the registry:

    Add the following key to the registry:


    Value Name

    Select winreg, click the Security menu, and then click Permissions.
    Set the Administrators permission to Full Control, make sure no other users or groups are listed, and then click OK.
    The security permissions (ACLs) set on this key define which users or groups can connect to the system for remote registry access. In addition, the AllowedPaths subkey contains a list of keys to which members of the Everyone group have access, notwithstanding the ACLs on the winreg key. This allows specific system functions, such as checking printer status, to work correctly regardless of how access is restricted via the winreg registry key. The default security on the AllowedPaths registry key grants only Administrators the ability to manage these paths. The AllowedPaths key, and its proper use, is documented in Microsoft Knowledge Base article Q155363.

  2. #2
    Just Another Geek
    Join Date
    Jul 2002
    Rotterdam, Netherlands
    On NT, Win2K and XP you can also put ACL's on registry keys. The winreg value lets you restrict who can remotely access your registry.

    NB use regedt32.exe instead off regedit.exe. The first will allow you to edit the ACL of the keys/values.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  3. #3
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Unless I am mistaken, in Win2k you can do it directly from your control panel (whereas in NT you had to do it in the registry). The way I have seen discussed is a way to tighten access to the registry, but when I have heard discussions of preventing anonymous access to the registry, I have always taken that to mean access through null sessions (ick, yes it can be possible). There are a couple of things you need to be sure of, first:

    1) Control Panel -> Administrative Tools -> Services, Remote Registry --> set to disable

    2) Control Panel -> Administrative Tools -> Local Security Policy (your domain could override this if you log into one, in which case you will have to talk to the domain admin)

    Local Policies -> User Rights Assignment -> Deny Access to the computer from the network (make sure anonymous logon is there)

    Local Policies -> Security Options -> Additional Restrictions for anonymous connections ->
    No access without explicit permissions

    It is my understanding that this should restrict anonymous access (null logon) to your registry.

    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  4. #4
    Join Date
    Apr 2002
    Thank You very much to both of you, I learned something new and can fix one of my mistakes.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts