Securing access to network registry

[keven]

Hello, I was reading article 153183. It says as long as
Hkeylocalmachine\system\currentcontrolset\control\securepip
oeservers\winreg is limited to just backup operators and
administrators remote users can't open the remote
registry. I find as just a domain user I can get read
access to HKEY_CLASSROOT and HKEY_USERS. Is there a way
to stop this for non administrators.

Thanks Keven

 

[Cherry Qian]

Hi Keven,

Thank you for the posting.

I understand you performed the steps in knowledge base article 153183 and
then when you log on as just a domain user you can get read access to
HKEY_CLASSROOT and HKEY_USERS.

This is normal because your domain user account is in the administrators
group. To test whether the restriction is effective, you can have other
domain user log on your computer and they should not be able to access the
registry keys because they are not in the administrators group.

If you want, you can also remove your domain user account from the
administrators group to pervent it from accessing the registry keys.
Anyone in the administrators group can have access to the registry keys.
Only those who are not in the administrators group will be prevented from
accessing the registry keys.

Hope the above information and suggestion helps and answers your question.
If anything is unclear, please let me know.


Sincerely,

Cherry Qian
MCSE2000, MCSA2000, MCDBA2000
Microsoft Partner Online Support


Get Secure! - www.microsoft.com/security

====================================================
When responding to posts, please Reply to Group via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided AS IS with no warranties, and confers no rights.

 

[Keven]

-----Original Message-----
Hi Keven,

Thank you for the posting.

I understand you performed the steps in knowledge base article 153183 and
then when you log on as just a domain user you can get read access to
HKEY_CLASSROOT and HKEY_USERS.

This is normal because your domain user account is in the administrators
group. To test whether the restriction is effective, you can have other
domain user log on your computer and they should not be able to access the
registry keys because they are not in the administrators group.

If you want, you can also remove your domain user account from the
administrators group to pervent it from accessing the registry keys.
Anyone in the administrators group can have access to the registry keys.
Only those who are not in the administrators group will be prevented from
accessing the registry keys.

Hope the above information and suggestion helps and answers your question.
If anything is unclear, please let me know.


Sincerely,

Cherry Qian
MCSE2000, MCSA2000, MCDBA2000
Microsoft Partner Online Support


Get Secure! - www.microsoft.com/security

====================================================
When responding to posts, please Reply to Group via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided AS IS with no warranties, and confers no rights.

.

I think I might have been unclear. I created a domain
user. This guy is not part of the administrators group on
my machine, the domain or the remote machine I am trying
to access. Yet I can still get to
then when you log on as just a domain user you can get
read access to
HKEY_CLASSROOT and HKEY_USERS. If I use my account which
is a domain admin then I can edit the full registry that
is fine. I just want to know why a person with no
explicit rights still gets the read right to the above
keys. Thanks for your help. Keven

 

[Keven]

-----Original Message-----
Hi Keven,

Thank you for the posting.

I understand you performed the steps in knowledge base article 153183 and
then when you log on as just a domain user you can get read access to
HKEY_CLASSROOT and HKEY_USERS.

This is normal because your domain user account is in the administrators
group. To test whether the restriction is effective, you can have other
domain user log on your computer and they should not be able to access the
registry keys because they are not in the administrators group.

If you want, you can also remove your domain user account from the
administrators group to pervent it from accessing the registry keys.
Anyone in the administrators group can have access to the registry keys.
Only those who are not in the administrators group will be prevented from
accessing the registry keys.

Hope the above information and suggestion helps and answers your question.
If anything is unclear, please let me know.


Sincerely,

Cherry Qian
MCSE2000, MCSA2000, MCDBA2000
Microsoft Partner Online Support


Get Secure! - www.microsoft.com/security

====================================================
When responding to posts, please Reply to Group via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided AS IS with no warranties, and confers no rights.

.
I Should also note in case I made an error we are talking

about opening a remote registry on a remote computer even
a DC and I see read rights to this file as just a plain
user with no admin rights anywhere. Thanks Keven