Sign in with
Sign up | Sign in
Your question

denying registry usage.

Last response: in Windows 2000/NT
Share
Anonymous
June 16, 2005 2:34:02 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Hi,

I am a software developer, I have developed a software with a seperate
software registration
process, which accesses the windows registry to input some details about the
software.

but some users complain that there registration process fails.

so I want to make an environment on my machine so that I cannot write to the
registry
how can I achieve this.

i know how to stop accessing the registry editors, but not how to stop
writing to it


thanks

More about : denying registry usage

Anonymous
June 16, 2005 2:34:03 PM

Archived from groups: microsoft.public.win2000.security (More info?)

If you log in as a limited user on XP and later (in its default install
condition)
you will only have write to areas where you should (the user account's
keys).
You should review the guidance for Windows application logo certification
as it details application installation and runtime behaviors that are
correct
for both registry and filesystem usage.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"EDMS" <qasoft4@sltnet.lk> wrote in message
news:o yMI70icFHA.1384@TK2MSFTNGP09.phx.gbl...
> Hi,
>
> I am a software developer, I have developed a software with a seperate
> software registration
> process, which accesses the windows registry to input some details about
the
> software.
>
> but some users complain that there registration process fails.
>
> so I want to make an environment on my machine so that I cannot write to
the
> registry
> how can I achieve this.
>
> i know how to stop accessing the registry editors, but not how to stop
> writing to it
>
>
> thanks
>
>
>
Anonymous
June 17, 2005 11:31:25 AM

Archived from groups: microsoft.public.win2000.security (More info?)

You can deny users access to regedit.exe and regedt32.exe, via NTFS file
permissions, via Group Policy, and/or via Software Restriction Policy [as
long as they are not in the local Administrators group on the computer].
However, they can still attempt to edit the registry by, say, copying
regedit.exe to a floppy disk and running it from there, or via other means.

If it is really important that these users absolutely not have the ability
to edit the registry, I think it would however be more secure to run
whatever program is trying to access the registry as a different user
account. For example, if only the installer needs to edit the registry just
once, then you could require someone log in as administrator to do the
install. Or, if the program needs to be able to edit the registry, you
could figure out a way for the program to run under a different account,
such as via a service account. If absolutely necessary, I suppose a RunAs
icon [set up so that the user does not need to know the admin password]
might be something to consider [doesn't sound very elegant or completely
secure, but I don't know your complete situation].

http://securityadmin.info/faq.asp#runas



"EDMS" <qasoft4@sltnet.lk> wrote in message
news:o yMI70icFHA.1384@TK2MSFTNGP09.phx.gbl...
> Hi,
>
> I am a software developer, I have developed a software with a seperate
> software registration
> process, which accesses the windows registry to input some details about
the
> software.
>
> but some users complain that there registration process fails.
>
> so I want to make an environment on my machine so that I cannot write to
the
> registry
> how can I achieve this.
>
> i know how to stop accessing the registry editors, but not how to stop
> writing to it
>
>
> thanks
>
>
>
Related resources
Anonymous
June 19, 2005 2:04:41 AM

Archived from groups: microsoft.public.win2000.security (More info?)

I think OP just needs to test with an environment that matches the
users reporting the issue with the installation.
My guess is prior tests as admin, users installing as users; or test
on W2k, users on XP, etc..
--
Roger Abell
Microsoft MVP (Windows Server: Security)


"Karl Levinson, mvp" <levinson_k@despammed.com> wrote in message
news:o vqiJ8ycFHA.892@tk2msftngp13.phx.gbl...
> You can deny users access to regedit.exe and regedt32.exe, via NTFS file
> permissions, via Group Policy, and/or via Software Restriction Policy [as
> long as they are not in the local Administrators group on the computer].
> However, they can still attempt to edit the registry by, say, copying
> regedit.exe to a floppy disk and running it from there, or via other
> means.
>
> If it is really important that these users absolutely not have the ability
> to edit the registry, I think it would however be more secure to run
> whatever program is trying to access the registry as a different user
> account. For example, if only the installer needs to edit the registry
> just
> once, then you could require someone log in as administrator to do the
> install. Or, if the program needs to be able to edit the registry, you
> could figure out a way for the program to run under a different account,
> such as via a service account. If absolutely necessary, I suppose a RunAs
> icon [set up so that the user does not need to know the admin password]
> might be something to consider [doesn't sound very elegant or completely
> secure, but I don't know your complete situation].
>
> http://securityadmin.info/faq.asp#runas
>
>
>
> "EDMS" <qasoft4@sltnet.lk> wrote in message
> news:o yMI70icFHA.1384@TK2MSFTNGP09.phx.gbl...
>> Hi,
>>
>> I am a software developer, I have developed a software with a seperate
>> software registration
>> process, which accesses the windows registry to input some details about
> the
>> software.
>>
>> but some users complain that there registration process fails.
>>
>> so I want to make an environment on my machine so that I cannot write to
> the
>> registry
>> how can I achieve this.
>>
>> i know how to stop accessing the registry editors, but not how to stop
>> writing to it
>>
>>
>> thanks
>>
>>
>>
>
>
Anonymous
June 19, 2005 5:24:43 AM

Archived from groups: microsoft.public.win2000.security (More info?)

"Karl Levinson, mvp" <levinson_k@despammed.com> wrote in
news:o vqiJ8ycFHA.892@tk2msftngp13.phx.gbl:

> However, they can still attempt to edit the registry by, say,
> copying regedit.exe to a floppy disk and running it from there, or
> via other means.

Hash rules can take care of the floppy trick. :) 

Adam
Anonymous
June 19, 2005 5:24:44 AM

Archived from groups: microsoft.public.win2000.security (More info?)

"Adam Leinss" <aleinss@techie.com> wrote in message
news:Xns9679CFA25B9B1aleinsstechie@toughguy.net...

> > However, they can still attempt to edit the registry by, say,
> > copying regedit.exe to a floppy disk and running it from there, or
> > via other means.
>
> Hash rules can take care of the floppy trick. :) 

Yes, but then you can probably change the hash or use a different registry
editing tool. I also don't know whether SRP with enough hash rules to make
the system sufficiently secure would make the system run like a slug. I'm
pretty sure that collecting and setting up all those hash rules by yourself
for all the various versions out there, and adding new hashes as executables
are patched and re-released, would be a nightmare. Whitelisting executables
instead of blacklisting them would probably be easier and more secure, but
even that would be pretty intensive to administer month to month. Which is
why very few enterprises are using SRP or similar solutions. SRP is one of
those things that everyone suggests in a theoretical way but rarely ever use
in real life.
!