Securing Windows 2000 Server


Appendix B: Registry Access Control Changes

Published: November 17, 2004 | Updated: May 31, 2006


The default permissions, also called access control lists (ACLs), applied to the registry in Microsoft® Windows® 2000 Server are much more secure than those in Microsoft Windows NT® version 4.0, but they can be tightened further without significantly increasing the risk of application compatibility issues. The Member Server Baseline Policy (MSBP) does not change the registry ACLs defined in hisecws.inf. These ACLs reduce the level of access that unauthenticated users, Standard Users, and Power Users have to the registry. These changes make it much more difficult for an attacker who has anything less than administrative privileges to make undesirable changes to the registry.

Important: You should perform careful testing in your environment before you make any changes to the existing ACLs.

The ACLs defined in hisecws.inf mainly change the permissions of the Power Users group, which is created by default for backward compatibility with Windows NT 4.0-based environments. The template ensures that the Power Users group has the same permissions as the Users group in Windows 2000.
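One way to check that a security template meets this goal, as an added example that is not part of the original guide: the Python below parses a template's [Registry Keys] section and reports every key where an access-allowed ACE for Power Users (SDDL alias PU) grants rights that Users (BU) do not have. The function names, the registry paths and the ACL strings in the sample are constructed for illustration and are not the contents of hisecws.inf.

```python
import re
# SDDL rights tokens mapped to registry access masks (generic rights as KEY_* equivalents).
RIGHTS = {
    "KA": 0xF003F, "KR": 0x20019, "KW": 0x20006, "KX": 0x20019,
    "GA": 0xF003F, "GR": 0x20019, "GW": 0x20006, "GX": 0x20019,
    "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
    "CC": 0x01, "DC": 0x02, "LC": 0x04, "SW": 0x08, "RP": 0x10, "WP": 0x20,
}
# ACE layout: (type;flags;rights;object_guid;inherit_object_guid;trustee)
ACE = re.compile(r"\(([^;()]*);[^;()]*;([^;()]*);[^;()]*;[^;()]*;([^;()]*)\)")
# Template entry layout: "key path",mode,"SDDL string"
ENTRY = re.compile(r'"([^"]+)"\s*,\s*(\d)\s*,\s*"([^"]*)"')
# Constructed sample: placeholder keys and ACLs, not the contents of hisecws.inf.
SAMPLE = r'''
[Registry Keys]
"MACHINE\SOFTWARE\ExampleVendor\AppA",0,"D:PAR(A;CI;KA;;;BA)(A;CI;KR;;;BU)(A;CI;KR;;;PU)"
"MACHINE\SOFTWARE\ExampleVendor\AppB",0,"D:PAR(A;CI;KA;;;BA)(A;CI;KR;;;BU)(A;CI;CCDCLCSWRPSDRC;;;PU)"
[File Security]
"%SystemRoot%\example",0,"D:PAR(A;CI;GA;;;PU)"
'''

def mask(rights):
    # The rights field is either a hex mask or a run of two-letter tokens.
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    m = 0
    for tok in re.findall("..", rights):
        m |= RIGHTS[tok]  # an unknown token raises KeyError rather than passing silently
    return m

def allowed(sddl, trustee):
    """OR the masks of all access-allowed ACEs for a trustee (inheritance flags ignored)."""
    total = 0
    for ace_type, rights, sid in ACE.findall(sddl):
        if ace_type == "A" and sid == trustee:
            total |= mask(rights)
    return total

def audit(text):
    """Return (key, mode, extra_mask) where Power Users hold rights that Users lack."""
    findings, in_section = [], False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            in_section = line.lower() == "[registry keys]"
        entry = ENTRY.match(line) if in_section else None
        if entry:
            key, mode, sddl = entry.groups()
            extra = allowed(sddl, "PU") & ~allowed(sddl, "BU")
            if extra:
                findings.append((key, int(mode), extra))
    return findings
```

An empty result means no key in the section gives Power Users more than Users; in the reported mask for the second sample key, 0x10006 is DELETE plus the set-value and create-subkey rights.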

Note: The Power Users group is not defined on domain controllers.

Table B.1  Registry Access Control Changes
