Normal accounts & reg edit

Jason

Hey all,

I was wondering with all this security that is being talked about, can
anyone tell me if a normal account could type in regedit or regedit32 from a
run line without it prompting to enter the admin password?

If this comes up, maybe, that should be a needed security feature..
 
Yes, but of course you will only be able to modify your own HKCU hive (and
virtualized Class IDs)
--
Pierre Szwarc
Paris, France
PGP key ID 0x75B5779B
------------------------------------------------
Multitasking: Reading in the bathroom !
------------------------------------------------

"Jason" <[email protected]> wrote in message (e-mail address removed)...
| Hey all,
|
| I was wondering with all this security that is being talked about, can
| anyone tell me if a normal account could type in regedit or regedit32 from a
| run line without it prompting to enter the admin password?
|
| If this comes up, maybe, that should be a needed security feature..
|
|
 
Thanks for the info. However, my concern is having normal users in the
registry editors. IMO, normal users have no reason to be going into the
registry. If an administrator wishes to have access to it, it should prompt
for the Admin password like it does to run MSConfig.
 
Jason said:
Thanks for the info. However, my concern is having normal users in the
registry editors. IMO, normal users have no reason to be going into the
registry. If an administrator wishes to have access to it, it should prompt
for the Admin password like it does to run MSConfig.

The ability to disable the running of REGEDIT already exists as a
Windows policy. (“Prevent Access to Registry Editing Tools”,
http://support.microsoft.com/kb/831787/) The users do have rights to
modify their own profile's area of the registry, whether we as
administrators feel like we make it easy on them to do so or not.

So I wouldn't get too bent over whether REGEDIT.EXE will prompt normal
users for the Administrator password (even if the user just wants to
edit something the user actually has rights to edit). I think the
existing "DisableRegistryTools" probably goes as far as anything
should in providing a false sense of security that users can't get
into registry trouble without REGEDIT.

Alan Adams
 
"Jason" said:
Thanks for the info. However, my concern is having normal users in the
registry editors. IMO, normal users have no reason to be going into the
registry. If an administrator wishes to have access to it, it should prompt
for the Admin password like it does to run MSConfig.

As has already been pointed out by others, you can certainly deploy a policy
that prevents your users from having access to the registry editing tools, but
the users do actually have a need to access their own registry hives, so you
need to leave the registry ACLs on their own HKCU hive open to them.

And if they're allowed to change registry settings through other programs, are
you really achieving much by preventing them from directly editing the
registry? I can think of a couple of benefits of disabling their access to
regedit:

1. Stops people from downloading and installing .REG files that might
otherwise cause damage. Of course, that means that it also prevents them from
downloading and installing .REG files that come as part of their local
installation of a program...
2. Stops users from tinkering with things they do not understand. But then,
they'll tinker with other things they do not understand, anyway, so perhaps
you just have to come up with creative ways of persuading them to hold out
their hands for you to slap every time they do this.

Alun.
~~~~

[Please don't email posters, if a Usenet response is appropriate.]
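
An added example, not part of the thread or written by any of its posters: a PowerShell audit, run as the standard user being assessed, that reports whether the "DisableRegistryTools" policy mentioned in the replies above is set and whether that user can still write to their own HKCU hive through the registry API. The policy location used is the per-user Policies\System key; the scratch key name `RegToolsPolicyCheck` is hypothetical and is deleted when the check finishes.

```powershell
# Added illustration. Run in the security context of the standard user.
# Per-user location of the "Prevent access to registry editing tools" policy.
$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
# Hypothetical scratch key used only for the write probe; removed afterwards.
$scratch   = 'HKCU:\Software\RegToolsPolicyCheck'

function Get-RegistryToolsPolicy {
    # Returns the DisableRegistryTools value (non-zero when the policy is
    # enabled), or $null when the value or the key does not exist.
    $item = Get-ItemProperty -Path $policyKey -Name DisableRegistryTools `
                             -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.DisableRegistryTools
}

function Test-HkcuWritable {
    # Creates, reads back and deletes a value through the registry provider,
    # the same API path an ordinary program uses to save per-user settings.
    try {
        New-Item -Path $scratch -Force -ErrorAction Stop | Out-Null
        New-ItemProperty -Path $scratch -Name Probe -Value 1 `
                         -PropertyType DWord -Force -ErrorAction Stop | Out-Null
        $read = Get-ItemProperty -Path $scratch -Name Probe -ErrorAction Stop
        return ($read.Probe -eq 1)
    } catch {
        return $false
    } finally {
        Remove-Item -Path $scratch -Recurse -Force -ErrorAction SilentlyContinue
    }
}

$policy     = Get-RegistryToolsPolicy
$policyText = if ($null -eq $policy) { 'not set' } else { [string]$policy }
$writable   = Test-HkcuWritable

# One row per user; collect these to see where the policy is applied and
# confirm that it does not change what the HKCU ACLs allow.
[pscustomobject]@{
    User                 = "$env:USERDOMAIN\$env:USERNAME"
    DisableRegistryTools = $policyText
    HkcuWritableViaApi   = $writable
}
```

A row showing the policy enabled alongside `HkcuWritableViaApi = True` is the situation the replies describe: the tool is blocked, while the ACLs on the user's own hive still permit writes.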
 
All good, and valid, comments so far.
I might add that we should not judge the advisability of limited
accounts having access to reg editing based on how per-user
settings are (partially, limply - at least by the third-party ISV
community) used today. Imagine if the HKCU were very actively
used for app (and OS) per-user preference/history/etc persistence.

Roger
 