Security implications of changing HKEY_CLASSES_ROOT ACL


Inverted Prophecy

Gentlemen,

Could anyone give an example why Microsoft's recommended practice on
the HKEY_CLASSES_ROOT key is not to change its ACL? We're faced with
an application (Voloview) that writes a key to this registry hive the
moment a user actives it, and removes it again when a user logs off.
Since we want security to be as strict as possible, we don't want to
open up anything we shouldn't have to. It seems inevitable now though.

What are the consequences of this action? It's fairly hard to oversee
for me. Microsoft won't provide these rules for fun, that's one thing
I know for sure.

Kind regards,

Casper.
 
Why not set the permissions on the specific key or ask the application
developer what their solution is?
 
In said:
Gentlemen,

Could anyone give an example why Microsoft's recommended practice
on the HKEY_CLASSES_ROOT key is not to change its ACL? We're faced
with an application (Voloview) that writes a key to this registry
hive the moment a user activates it, and removes it again when a
user logs off. Since we want security to be as strict as possible,
we don't want to open up anything we shouldn't have to. It seems
inevitable now though.

What are the consequences of this action? It's fairly hard to
oversee for me. Microsoft won't provide these rules for fun,
that's one thing I know for sure.

Because setting at the "root" means inheritance to other sub-keys.
That _could_ break some things. <G> I wouldn't do it.

This is, it appears, an application/developer problem
(Create/use/remove). I can't offhand think of why they would do that
except at Install/Un-Install. You need to ask them I suspect. Maybe
they should be using HKCU\Software\Classes\ instead which should have
USERNAME:FULL for new keys.
 
Are you using local and global groups?

We (in this situation) would give the local group (say ws-appl-voloview)
change control on the particular subkey that Voloview wants to create its
key in and link the global group (appl-voloview) to the local group.

Since the user (presumably) has no sight of the registry they will not know
what is being done in the background.

We have experienced no problems in this area.

Gary
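
Added example (not part of the thread, and not code from any poster): one way to apply the approach from the replies above in PowerShell, granting the local group rights on a single subkey under HKLM\SOFTWARE\Classes (the machine-wide half of HKEY_CLASSES_ROOT) and leaving the root ACL untouched. `Example.Placeholder` is a placeholder, since the thread does not name the key Voloview writes into; the group name is the one from the post above, and the script assumes an elevated session.

```powershell
# Scope write access to ONE subkey instead of the HKEY_CLASSES_ROOT root.
# Assumptions: 'Example.Placeholder' is a placeholder for the parent key the
# application creates its key in; 'ws-appl-voloview' is an existing local group.
$root   = 'HKLM:\SOFTWARE\Classes'
$subKey = Join-Path $root 'Example.Placeholder'
$group  = "$env:COMPUTERNAME\ws-appl-voloview"

if (-not (Test-Path $subKey)) { throw "Parent key not found: $subKey" }

# Read/write/delete only. ChangePermissions and TakeOwnership are left out,
# so group members cannot re-ACL the key or take it over.
$rights = [System.Security.AccessControl.RegistryRights]'ReadKey, WriteKey, Delete'

# ContainerInherit: the entry also applies to keys the application creates
# below this subkey, and to nothing above or beside it.
$rule = [System.Security.AccessControl.RegistryAccessRule]::new(
    $group,
    $rights,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

$acl = Get-Acl -Path $subKey
$acl.AddAccessRule($rule)      # throws if the group name cannot be resolved
Set-Acl -Path $subKey -AclObject $acl

# Verify: list the explicit (non-inherited) entries now on the subkey.
(Get-Acl -Path $subKey).Access |
    Where-Object { -not $_.IsInherited } |
    Format-Table IdentityReference, RegistryRights, InheritanceFlags -AutoSize

# Guard: the group must not appear on the root itself, where an entry
# would inherit down to every class registration on the machine.
$onRoot = (Get-Acl -Path $root).Access |
    Where-Object { $_.IdentityReference.Value -like '*\ws-appl-voloview' }
if ($onRoot) {
    Write-Warning "ws-appl-voloview has an entry on $root; review and remove it."
}
```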
 