Securing Windows 2000 Server
Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.
Appendix B: Registry Access Control Changes
The default permissions, also called access control lists (ACLs), applied to the registry in Microsoft® Windows® 2000 Server are much more secure than those in Microsoft Windows NT® version 4.0, but they can be tightened further without significantly increasing the risk of application compatibility issues. The Member Server Baseline Policy (MSBP) does not change the registry ACLs defined in hisecws.inf. These ACLs reduce the level of access that unauthenticated users, Standard Users, and Power Users have to the registry. These changes make it much more difficult for an attacker who has anything less than administrative privileges to make undesirable changes to the registry.
Important: You should perform careful testing in your environment before you make any changes to the existing ACLs.
The ACLs defined in hisecws.inf mainly change the Power Users group, which is created by default for backward compatibility with Windows NT 4.0-based environments. The template ensures that the Power Users group has the same permissions as the Users group in Windows 2000.
Note: The Power Users group is not defined on domain controllers.
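The following is an added example, not part of the original guide: a Python check that reads the [Registry Keys] section of a security template and reports keys where Power Users (SDDL alias PU) hold ACEs that Users (BU) do not, which is the gap the paragraph above says hisecws.inf closes. The template text and key names are constructed placeholders, and rights are compared as literal SDDL strings.

```python
import re

# SDDL aliases: BU = BUILTIN\Users, PU = BUILTIN\Power Users
USERS, POWER_USERS = "BU", "PU"
ACE_RE = re.compile(r"\(([^()]*)\)")

# Constructed sample in the security template [Registry Keys] layout
# ("key",mode,"SDDL"); the key names are placeholders, not hisecws.inf entries.
SAMPLE_INF = r'''
[Registry Keys]
"MACHINE\SOFTWARE\ExampleVendorA",2,"D:P(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GR;;;BU)(A;CI;GR;;;PU)"
"MACHINE\SOFTWARE\ExampleVendorB",2,"D:P(A;CI;GA;;;BA)(A;CI;GR;;;BU)(A;CI;GRGWSD;;;PU)"
"MACHINE\SOFTWARE\ExampleVendorC",2,"D:P(A;CI;GA;;;BA)(A;CI;GR;;;BU)"
[Version]
signature="$CHICAGO$"
'''

def registry_entries(inf_text):
    """Yield (key, sddl) for each line of the [Registry Keys] section."""
    in_section = False
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[registry keys]"
        elif in_section and line and not line.startswith(";"):
            key, _mode, sddl = (f.strip().strip('"') for f in line.split(",", 2))
            yield key, sddl

def aces_for(sddl, trustee):
    """Return the set of (type, flags, rights) DACL ACEs naming one trustee."""
    dacl = sddl.split("D:", 1)[-1].split("S:", 1)[0]
    found = set()
    for ace in ACE_RE.findall(dacl):
        fields = ace.split(";")  # type;flags;rights;object;inherit_object;sid
        if len(fields) >= 6 and fields[5] == trustee:
            found.add((fields[0], fields[1], fields[2]))
    return found

def power_users_mismatches(inf_text):
    """List keys where Power Users hold ACEs that Users do not."""
    out = []
    for key, sddl in registry_entries(inf_text):
        extra = aces_for(sddl, POWER_USERS) - aces_for(sddl, USERS)
        if extra:
            out.append((key, sorted(extra)))
    return out

if __name__ == "__main__":
    for key, extra in power_users_mismatches(SAMPLE_INF):
        print(key, "Power Users ACEs not held by Users:", extra)
```

Run it against an exported template in a test environment before applying the template, and review each reported key for application compatibility impact.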
Table B.1 Registry Access Control Changes