Overcome SPE's limitations by editing the policy file directly
I have struggled with two challenges since I began working with Windows NT. For years, I couldn't figure out how to push Registry security settings to users across a network or how to create user Registry entries for software on systems on which the user already has a profile. These tasks are challenging not because the individual Registry change is difficult, but because pushing that change to every user in a domain efficiently is. I know I'm not the only systems administrator who has struggled with these problems, because audiences at my speaking engagements regularly ask me how to perform these tasks.
You can use tools such as regini or regsec from the Microsoft Windows NT Server 4.0 Resource Kit, Microsoft Windows NT Workstation 4.0 Resource Kit, and Microsoft Windows NT 3.51 Resource Kit to accomplish both tasks. However, they are command-line tools driven by script files, which makes them awkward to use for these tasks.
System policies provide the easiest way to manage systems and users across your network. NT's System Policy Editor (SPE) makes enterprisewide Registry changes quick and efficient. Service Pack 2 (SP2) expands SPE's default options to include new entries, but despite its new entries, SPE can't solve the Registry security and software access problems. (For more information about SPE and NT system policies, see "Related Articles in Windows NT Magazine.")
Until recently, the only way I knew to expand SPE's capabilities was to edit the templates that create the interface, but this way can be confusing. You can create templates through a text editor such as Notepad or a sophisticated tool such as Policy Template Editor, but these tools cannot address the two challenges I described. Fortunately, I recently found a method for resolving my challenges: You can edit the policy file, ntconfig.pol, directly.
Ntconfig.pol
Ntconfig.pol is a Registry hive file in the same format as the hives behind the keys that Registry editors usually modify. You can load the ntconfig.pol hive into regedt32 and modify the policy file directly. Understand that this is an advanced policy function and that incorrect policy changes might severely damage your systems. Always back up the Registry (and a copy of ntconfig.pol itself) before modifying hives, and test changes in a small, controlled environment before applying them to your network.
To load ntconfig.pol, open regedt32 and select HKEY_LOCAL_MACHINE. Select Load Hive from the Registry menu. Find ntconfig.pol in the NETLOGON share, and click Open. When you open ntconfig.pol, regedt32 asks you for a name for the hive. The name has no permanent effect on your system; it is only a label that makes the policy keys easier to find while you work. You can enter any name you want. I call my ntconfig.pol hive Policy.
After you enter a name, the hive opens, as Screen 1 shows. Select Read Only Mode from regedt32's Options menu to protect the Registry until you're ready to make changes. Double-click the Policy key and examine the structure of the keys within it. Expand each key to see how the activated settings fit together. When you finish exploring, you're ready to solve your users' security and software access problems.
Challenge 1: Registry Security
When users have access to the Internet, one of an administrator's biggest challenges is regulating which programs users download and install on their systems. Some commercial software requires administrative rights for installation, but much of the freeware and shareware available on the Internet installs without any special permissions.
To restrict users from installing software on one computer, you need to change permissions for the HKEY_LOCAL_MACHINE\SOFTWARE Registry key. (For a description of each permission option's function, see the sidebar "Security Permissions in the Registry.") Run regedt32, select the SOFTWARE key, select Permissions from the Security drop-down menu, and select the users you want to set permissions for. The SOFTWARE key's default settings include Full Control for CREATOR OWNER, SYSTEM, and the local Administrators group. These users can make changes freely; they can add and remove software, use applications that have entries in the SOFTWARE key, and modify permissions.
All other users are in the Everyone group. As Screen 2 shows, the default Special Access permissions for the Everyone group let users perform all Registry functions except creating a link to another key, changing the key's permissions (which the Write DAC check box controls), and changing the key's ownership. To prevent users in the Everyone group from installing new software without preventing them from using the software that the SOFTWARE key lists, you need to remove their Set Value and Create Subkey permissions. Change the Everyone group's permissions from Special Access to Read. Then, users in the group will have only Query Value, Enumerate Subkeys, Notify, and Read Control permissions.
This Registry solution successfully prevents users from installing software on a system, but making this change on hundreds or thousands of computers is an administrative challenge. No SPE function makes security changes, and you can't easily write a custom template to facilitate the change.
Adding security settings to a policy. Like SPE, ntconfig.pol adds entries to the Registry in such a way that every change you make adds to the current Registry entries. Making changes is like laying a transparency (the policy) on top of a sheet of paper (the existing Registry). Unchanged information shows through, and new settings replace only the settings that you modify. Ntconfig.pol's Users\.default key already contains a Software key. All you need to do to change the SOFTWARE key's permissions for users throughout your network is modify the Users\.default\Software key as you would modify an individual computer's HKEY_LOCAL_MACHINE\SOFTWARE key.
In regedt32, open HKEY_LOCAL_MACHINE\Policy\Users\.default\Software. Select the Software key and click Security, Permissions. Choose the Everyone group, and set permissions for the group to Read. This prepares the policy file to send all the systems on your network the SOFTWARE key's permissions update (which will replace the current security settings in the SOFTWARE key for the Everyone group) the next time users log on. This procedure will prevent all users except administrators from installing software that registers itself with NT. Keep in mind that the policy engine merges the Users branch of ntconfig.pol into each user's HKEY_CURRENT_USER and the Machines branch into HKEY_LOCAL_MACHINE, so verify on a test workstation that the new ACL lands on the key you intend before you roll the file out.
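As an added example (PowerShell, which postdates NT 4 and is not from the article or its author), here is the Everyone-to-Read change from Challenge 1 scripted so that it can be previewed, applied to a single machine, verified, and then applied to the Users\.default\Software key of a loaded ntconfig.pol, the same two procedures described above. The PDC name PDC1 and the temporary local copy of the file are assumptions; HKLM\Policy is the hive name the article uses, and reg.exe stands in for regedt32's Load Hive and Unload Hive. ReadKey in the RegistryRights enumeration is exactly Query Value, Enumerate Subkeys, Notify, and Read Control.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the article: the "Everyone -> Read" change from
# Challenge 1, scripted so it can be previewed and repeated. PowerShell and
# reg.exe postdate NT 4; they do the same thing as the regedt32 steps.
# Assumed names (hypothetical): PDC named PDC1, hive mounted as HKLM\Policy.

function Set-EveryoneReadOnly {
    <#
      Replace every explicit ACE for Everyone on $KeyPath with a single Allow
      ACE granting ReadKey (Query Value, Enumerate Subkeys, Notify, Read
      Control). Other principals (SYSTEM, Administrators, CREATOR OWNER) are
      left untouched. Use -WhatIf to preview and -Verbose to see the old ACEs.
    #>
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$KeyPath)

    $everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'  # well-known SID for Everyone
    $acl = Get-Acl -Path $KeyPath

    $before = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference -eq $everyone } |
        ForEach-Object { "$($_.AccessControlType) $($_.RegistryRights)" }
    Write-Verbose ("Everyone before: " + ($before -join '; '))

    # Drop all explicit Everyone ACEs (Allow and Deny), then add one Read ACE
    # that subkeys inherit, which is what regedt32's Read option sets.
    $acl.PurgeAccessRules($everyone)
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $everyone,
        [System.Security.AccessControl.RegistryRights]::ReadKey,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)

    if ($PSCmdlet.ShouldProcess($KeyPath, 'Set Everyone to Read')) {
        Set-Acl -Path $KeyPath -AclObject $acl
    }
}

function Test-EveryoneReadOnly {
    # True when no Allow ACE for Everyone (explicit or inherited) grants
    # anything beyond ReadKey, i.e. Set Value and Create Subkey are gone.
    param([Parameter(Mandatory)][string]$KeyPath)
    $everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
    $readKey  = [int][System.Security.AccessControl.RegistryRights]::ReadKey
    $acl = Get-Acl -Path $KeyPath
    $extra = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.IdentityReference -eq $everyone -and
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.RegistryRights -band (-bnot $readKey)) -ne 0)
        }
    return -not $extra
}

# Challenge 1 on one machine: preview, apply, verify.
Set-EveryoneReadOnly -KeyPath 'HKLM:\SOFTWARE' -WhatIf -Verbose
Set-EveryoneReadOnly -KeyPath 'HKLM:\SOFTWARE'
Test-EveryoneReadOnly -KeyPath 'HKLM:\SOFTWARE'    # expect True

# The policy file: hives load from a local disk, so copy ntconfig.pol from the
# PDC's NETLOGON share, keep a backup, load it as HKLM\Policy, make the same
# change on Users\.default\Software, unload it so the file is written, and
# copy it back. (PDC1 and the temp path are assumptions.)
$local = Join-Path $env:TEMP 'ntconfig.pol'
Copy-Item '\\PDC1\NETLOGON\ntconfig.pol' $local
Copy-Item $local "$local.bak"
reg.exe load HKLM\Policy $local | Out-Null
Set-EveryoneReadOnly -KeyPath 'HKLM:\Policy\Users\.default\Software'
Test-EveryoneReadOnly -KeyPath 'HKLM:\Policy\Users\.default\Software'   # expect True
reg.exe unload HKLM\Policy | Out-Null
Copy-Item $local '\\PDC1\NETLOGON\ntconfig.pol'
```

Run the preview (-WhatIf -Verbose) first so you can see the Everyone ACEs that will be replaced; Test-EveryoneReadOnly gives you a yes/no check to run on a workstation after the next logon, which is how you confirm the policy actually delivered the ACL to the key you intended.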