3.1.1.10 Security Descriptor

Each registry key MUST have the following element.

Security Descriptor: A Security Descriptor as specified in [MS-DTYP] section 2.4.6. The server is responsible for initializing, maintaining, and storing the Security Descriptor for each key, as well as validating client access to the associated registry key when a given key is opened using the methods described in section 3.1.5: BaseRegCreateKey, OpenClassesRoot, OpenCurrentUser, OpenLocalMachine, OpenPerformanceData, OpenUsers, BaseRegOpenKey, OpenCurrentConfig, OpenPerformanceText, and OpenPerformanceNlsText. The client reads the Security Descriptor by using the BaseRegGetKeySecurity method and updates it by using the BaseRegSetKeySecurity method. The server MUST create new Security Descriptors in self-relative format, as specified in [MS-DTYP] section 2.4.6.

The server is responsible for validating client access to registry keys as part of the operation of many of the methods described in section 3.1.5. The server MUST implement service routines that compare the Security Descriptor for a given registry key against the security context of the client request and validate the requested access. The details of that implementation are outside the scope of this protocol specification.
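The following is an added example, not code from this specification or from any Windows implementation, that makes the two preceding paragraphs concrete: it builds and parses a self-relative SECURITY_DESCRIPTOR ([MS-DTYP] section 2.4.6, with SIDs per section 2.4.2.2, ACLs per 2.4.5 and ACEs per 2.4.4) and then runs a simplified DACL walk of the kind the server's service routines perform when a key is opened. The access check follows the shape of the [MS-DTYP] section 2.5.3.2 algorithm (owner gets READ_CONTROL and WRITE_DAC, a deny ACE that covers a still-wanted right fails the check, allow ACEs accumulate until nothing remains) but omits MAXIMUM_ALLOWED, generic-right mapping, SACL/audit processing, object ACEs and privilege checks. The registry access-right values are the standard winnt.h/[MS-RRP] section 2.2.3 constants; the SIDs in the sample tokens are constructed, and the function names are the example's own.

```python
"""Self-relative SECURITY_DESCRIPTOR build/parse plus a simplified DACL access
check for registry key rights. Added example; not specification or Windows code."""
import struct

# Registry key access rights (winnt.h / [MS-RRP] 2.2.3) and the standard rights
# that KEY_READ / KEY_WRITE / KEY_ALL_ACCESS fold in.
KEY_QUERY_VALUE, KEY_SET_VALUE, KEY_CREATE_SUB_KEY = 0x0001, 0x0002, 0x0004
KEY_ENUMERATE_SUB_KEYS, KEY_NOTIFY = 0x0008, 0x0010
READ_CONTROL, WRITE_DAC = 0x00020000, 0x00040000
KEY_READ, KEY_WRITE, KEY_ALL_ACCESS = 0x00020019, 0x00020006, 0x000F003F

SE_DACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x8000   # Control bits, [MS-DTYP] 2.4.6
ACCESS_ALLOWED_ACE_TYPE, ACCESS_DENIED_ACE_TYPE = 0x00, 0x01
INHERIT_ONLY_ACE = 0x08                               # ACE flag, not evaluated on this object

SD_HEADER = "<BBHIIII"   # Revision, Sbz1, Control, OffsetOwner, OffsetGroup, OffsetSacl, OffsetDacl
ACL_HEADER = "<BBHHH"    # AclRevision, Sbz1, AclSize, AceCount, Sbz2
ACE_HEADER = "<BBH"      # AceType, AceFlags, AceSize


def sid_to_bytes(sid):
    """'S-1-5-32-544' -> [MS-DTYP] 2.4.2.2 wire form (6-byte authority is big-endian)."""
    s, rev, auth, *subs = sid.split("-")
    assert s == "S"
    return (bytes([int(rev), len(subs)]) + int(auth).to_bytes(6, "big")
            + b"".join(struct.pack("<I", int(x)) for x in subs))


def sid_from_bytes(buf, off):
    rev, count = buf[off], buf[off + 1]
    auth = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, auth) + "".join("-%d" % x for x in subs)


def build_sd(owner, group, dacl):
    """dacl: list of (ace_type, mask, sid) in evaluation order, or None for a
    NULL DACL (SE_DACL_PRESENT set but OffsetDacl zero)."""
    owner_b, group_b = sid_to_bytes(owner), sid_to_bytes(group)
    off_owner = struct.calcsize(SD_HEADER)          # owner SID directly follows the 20-byte header
    off_group = off_owner + len(owner_b)
    if dacl is None:
        acl, off_dacl = b"", 0
    else:
        aces = b""
        for ace_type, mask, sid in dacl:
            body = struct.pack("<I", mask) + sid_to_bytes(sid)
            aces += struct.pack(ACE_HEADER, ace_type, 0, 4 + len(body)) + body
        acl = struct.pack(ACL_HEADER, 2, 0, 8 + len(aces), len(dacl), 0) + aces
        off_dacl = off_group + len(group_b)
    hdr = struct.pack(SD_HEADER, 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT,
                      off_owner, off_group, 0, off_dacl)
    return hdr + owner_b + group_b + acl


def parse_sd(buf):
    """Returns (owner, group, dacl); dacl is a list of (type, flags, mask, sid)
    or None when the DACL is NULL or absent. Only the two simple ACE types
    are decoded; any others are skipped by AceSize."""
    rev, _, control, off_owner, off_group, _, off_dacl = struct.unpack_from(SD_HEADER, buf)
    if rev != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a revision-1 self-relative security descriptor")
    owner = sid_from_bytes(buf, off_owner) if off_owner else None
    group = sid_from_bytes(buf, off_group) if off_group else None
    if not (control & SE_DACL_PRESENT) or off_dacl == 0:
        return owner, group, None
    _, _, acl_size, ace_count, _ = struct.unpack_from(ACL_HEADER, buf, off_dacl)
    pos, end, aces = off_dacl + 8, off_dacl + acl_size, []
    for _ in range(ace_count):
        ace_type, flags, size = struct.unpack_from(ACE_HEADER, buf, pos)
        if size < 4 or pos + size > end:               # bounds check before trusting AceSize
            raise ValueError("ACE overruns its ACL")
        if ace_type in (ACCESS_ALLOWED_ACE_TYPE, ACCESS_DENIED_ACE_TYPE):
            mask, = struct.unpack_from("<I", buf, pos + 4)
            aces.append((ace_type, flags, mask, sid_from_bytes(buf, pos + 8)))
        pos += size
    return owner, group, aces


def access_check(sd_bytes, token_sids, desired):
    """Simplified [MS-DTYP] 2.5.3.2 walk: True when every bit of `desired` is granted."""
    owner, _, dacl = parse_sd(sd_bytes)
    if dacl is None:                       # NULL DACL: the key is unprotected, everything is granted
        return True
    remaining = desired
    if owner in token_sids:                # the owner implicitly holds READ_CONTROL and WRITE_DAC
        remaining &= ~(READ_CONTROL | WRITE_DAC)
    for ace_type, flags, mask, sid in dacl:
        if remaining == 0:
            break
        if flags & INHERIT_ONLY_ACE or sid not in token_sids:
            continue
        if ace_type == ACCESS_DENIED_ACE_TYPE and mask & remaining:
            return False                   # a deny that covers any still-wanted right is fatal
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            remaining &= ~mask
    return remaining == 0


# Constructed sample: key owned by Administrators, canonical DACL (deny before allow).
ADMINS, SYSTEM, USERS, EVERYONE = "S-1-5-32-544", "S-1-5-18", "S-1-5-32-545", "S-1-1-0"
SAMPLE_SD = build_sd(ADMINS, SYSTEM, [
    (ACCESS_DENIED_ACE_TYPE, KEY_SET_VALUE, USERS),
    (ACCESS_ALLOWED_ACE_TYPE, KEY_READ, USERS),
    (ACCESS_ALLOWED_ACE_TYPE, KEY_ALL_ACCESS, ADMINS),
    (ACCESS_ALLOWED_ACE_TYPE, KEY_ALL_ACCESS, SYSTEM),
])
USER_TOKEN = {"S-1-5-21-1-2-3-1001", USERS, EVERYONE}      # constructed group SIDs
ADMIN_TOKEN = {"S-1-5-21-1-2-3-500", ADMINS, EVERYONE}

if __name__ == "__main__":
    print(parse_sd(SAMPLE_SD))
    print("user KEY_READ :", access_check(SAMPLE_SD, USER_TOKEN, KEY_READ))
    print("user KEY_WRITE:", access_check(SAMPLE_SD, USER_TOKEN, KEY_WRITE))
    print("admin+Users KEY_WRITE:", access_check(SAMPLE_SD, ADMIN_TOKEN | {USERS}, KEY_WRITE))
```

Two behaviours worth checking when auditing what a server hands back from BaseRegGetKeySecurity: a descriptor with SE_DACL_PRESENT set and OffsetDacl of zero is a NULL DACL and grants every right to every caller, and a deny ACE applies to any token that carries the SID, so an administrator who is also a member of Users is refused KEY_WRITE by the sample DACL above despite the later KEY_ALL_ACCESS allow.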