

Securing the Windows NT Registry

   

The initialization and configuration information used by your enterprise application is typically stored in the registry. For example, the configuration information for your application’s distributed components is kept in the registry. Because the default Windows NT Workstation setup lets administrators access the registry remotely with the Registry Editor, external tampering could put your application’s registry data at risk.

In order to protect your application’s registry information, you need to:

  • Protect the registry files.
  • Restrict network access to the registry on every workstation that uses your application.

Protecting the Registry Files

You must ensure that only the administrator can access the WINNT\SystemRoot\System32 directory. You can do this by applying NTFS file permissions to the System32 folder.

For More Information   Protecting Files, in this chapter, offers an overview of security on the NTFS file system.

Restricting Network Access to the Registry

The default operating system installation on Windows NT workstations lets any administrator have remote access to the registry from another computer. If the "winreg" key does not appear in the registry, any user who can connect to the computer can also connect to the registry and damage your configuration information.

Note   The default Windows NT Workstation installation does not define the winreg key and therefore remote registry access is allowed by default. Windows NT Server does define this key and allows only the administrator to remotely access the registry.

To restrict network access to the registry, you must create the following key on every workstation that uses your application:

  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg

Then you should edit the registry permissions of the winreg key to grant or revoke specific access privileges.

For More Information   To learn how to grant or revoke registry permissions, search for "Changing the winreg ACL" in MSDN Library Visual Studio 6.0.
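One way to check a workstation for the condition described above is a read-only audit of the winreg key and its permissions. This is an added example, not part of the original documentation; it assumes a Windows version that includes PowerShell (which postdates the Windows NT releases covered here) and an elevated local session. The function name and the list of groups it flags are choices made for this example.

```powershell
# Added example: read-only audit of the winreg key (run locally, elevated).
$WinregPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'

# Well-known SIDs of broad groups; flagging them is this example's policy choice.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-7'      = 'Anonymous Logon'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'Users'
}

function Get-WinregAudit {
    param([string]$Path = $WinregPath)

    if (-not (Test-Path -LiteralPath $Path)) {
        # Missing key: the case in which remote registry access is not restricted.
        return [pscustomobject]@{
            KeyPresent = $false
            Entries    = @()
            Findings   = @('winreg key is missing')
        }
    }

    # Read the ACL with identities returned as SIDs, so matching does not
    # depend on localized or renamed account names.
    $acl     = Get-Acl -LiteralPath $Path
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $entries = foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        [pscustomobject]@{
            Sid       = $ace.IdentityReference.Value
            Rights    = $ace.RegistryRights
            Type      = $ace.AccessControlType
            Inherited = $ace.IsInherited
        }
    }

    # Report every Allow entry granted to one of the broad groups above.
    $findings = foreach ($e in $entries) {
        if ($e.Type -eq 'Allow' -and $BroadSids.ContainsKey($e.Sid)) {
            '{0} ({1}) is allowed {2}' -f $BroadSids[$e.Sid], $e.Sid, $e.Rights
        }
    }

    [pscustomobject]@{ KeyPresent = $true; Entries = @($entries); Findings = @($findings) }
}

Get-WinregAudit | Format-List
```

An empty Findings list with KeyPresent set to True means the key exists and none of the flagged groups has an Allow entry; review the Entries list to confirm the remaining grants are the ones you intend.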