
Default Registry Permissions

Default Registry Permissions G. Stoynev 10-17-2006
Posted by G. Stoynev on October 17, 2006, 10:58 am
Windows 2003 Server R2 SP1 with IIS, ASP .NET 1.1 and .NET 2.0,
standalone server, developer machine with Visual Studio 6.0, VS.NET
2003 and 2005 installed.

I'm registering a custom DLL and the resulting keys in
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ are assigned permissions different
than the container's permissions.

As a container,
HKEY_LOCAL_MACHINE\SOFTWARE\Classes allows "Everyone - Full Control" -
that's the only setting, in addition to "Allow inheritable permissions
to propagate to this object"


My class however, after registering my DLL using regsvr32,
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\myDLL.myClass allows only SYSTEM
and the Administrators group "Special Permissions - Full Control"

This prevents an ASP web application from accessing my DLL - the
IUSR_MachineName account is denied access.

Something must have changed recently since this was working fine. I am
the only person who has access to that machine. The only changes I've
made recently are possibly Windows Update and the addition of Windows
Media Services (WMS). I suspect installing WMS tightened the security,
but I can't find a security policy regarding the registry. Checked
local policies - nothing defined. No domain policy as this is a
standalone server.

My question is: What is the mechanism that determines permission levels
on registry keys added by running regsvr32 on a DLL?


Posted by Roger Abell [MVP] on October 18, 2006, 12:17 pm
Your registry seems to have been changed as what you state
to be the ACL on HKLM\Software\Classes is not what is set
by default, at least with a clean install (I am not sure what you
would see on a machine upgraded to W2k3 or R2 from earlier
versions with a history of upgrade clear back to NT 4)

It is my understanding that just using regsvr32 would add the
reg entries allowing them to have an initial ACL as determined
from the ACL on their parents. This is apparently not happening
for you, but you do not indicate use of an installer that might be
adjusting the ACL after regsvr32 runs.

PS
SP1 for W2k3 R2 has not come out
--
Roger Abell
Microsoft MVP (Windows Server : Security)




Posted by G. Stoynev on October 18, 2006, 5:26 pm
Thank you for your reply. My comments are below.

Roger Abell [MVP] wrote:
> Your registry seems to have been changed as what you state
> to be the ACL on HKLM\Software\Classes is not what is set
> by default, at least with a clean install (I am not sure what you
> would see on a machine upgraded to W2k3 or R2 from earlier
> versions with a history of upgrade clear back to NT 4)

Can't comment on that as I didn't take a note what the ACL looked like
freshly installed. But it's a clean 2003 install and R2 immediately
after that.

>
> It is my understanding that just using regsvr32 would add the
> reg entries allowing them to have an initial ACL as determined
> from the ACL on their parents. This is apparently not happening
> for you, but you do not indicate use of an installer that might be
> adjusting the ACL after regsvr32 runs.

No installer involved. I run regsvr32 and immediately after that I
check the permissions.

> PS
> SP1 for W2k3 R2 has not come out
Control Panel->System displays exactly the following string:
Microsoft Windows Server 2003 R2
Standard Edition
Service Pack 1

> --
> Roger Abell
> Microsoft MVP (Windows Server : Security)
>


Posted by Roger Abell [MVP] on October 19, 2006, 2:09 am
> Thank you for your reply. My comments are below.
>
> Roger Abell [MVP] wrote:
>> Your registry seems to have been changed as what you state
>> to be the ACL on HKLM\Software\Classes is not what is set
>> by default, at least with a clean install (I am not sure what you
>> would see on a machine upgraded to W2k3 or R2 from earlier
>> versions with a history of upgrade clear back to NT 4)
>
> Can't comment on that as I didn't take a note what the ACL looked like
> freshly installed. But it's a clean 2003 install and R2 immediately
> after that.
>

default ACL'ing runs:

System          Full     Key+Subkeys
Administrators  Full     Key+Subkeys
Users           Read     Key+Subkeys
Creator Owner   Full     Subkeys
Power Users     Special  Key+Subkeys
(where PU exists; Special = Full less Create link, Write DAC, Write Owner)

How are you determining it is Everyone Full on your clean install?


>>
>> It is my understanding that just using regsvr32 would add the
>> reg entries allowing them to have an initial ACL as determined
>> from the ACL on their parents. This is apparently not happening
>> for you, but you do not indicate use of an installer that might be
>> adjusting the ACL after regsvr32 runs.
>
> No installer involved. I run regsvr32 and immediately after that I
> check the permissions.
>

What are the permissions you are seeing?

>> PS
>> SP1 for W2k3 R2 has not come out
> Control Panel->System displays exactly the following string:
> Microsoft Windows Server 2003 R2
> Standard Edition
> Service Pack 1
>

Well, I guess you cannot believe that interface then.
(Note that W2k3 R2 initial release was in lock-step with W2k3 SP1)



Posted by G. Stoynev on October 19, 2006, 10:47 am
Straight to your questions:

> How are you determining it is Everyone Full on your clean install?
It's Everyone: Full now, not on the clean install. And the clean
install is probably irrelevant.

> What are the permissions you are seeing?
As a container,
HKEY_LOCAL_MACHINE\SOFTWARE\Classes allows "Everyone - Full Control" -
that's the only setting, in addition to "Allow inheritable permissions
to propagate to this object"

My class however, after registering my DLL using regsvr32,
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\myDLL.myClass allows only SYSTEM
and the Administrators group "Special Permissions - Full Control"

Do you have any idea what Windows security mechanism is responsible
for determining what permissions are assigned to the myDLL.myClass key?


It's not the container's ACL.

As far as I can tell, it's not a local security policy. The only
remotely related settings that I've found so far are under the Local
Security Settings snap-in:
Security Settings\Software restriction policies\Enforcement ("All software except libraries" and "All users")
and
Security Settings\Software restriction policies\Additional Rules\%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% ("Unrestricted")
Security Settings\Software restriction policies\Additional Rules\%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%*.exe ("Unrestricted")
Security Settings\Software restriction policies\Additional Rules\%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%System32\*.exe ("Unrestricted")
Security Settings\Software restriction policies\Additional Rules\%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% ("Unrestricted")

Under Security Settings\Software restriction policies\Security Levels,
"Unrestricted" is the default one; "Disallowed" is also defined as
"Software will not run, regardless of the access rights of the user."

I've confirmed these settings by running "Resultant Set of Policy" on
the login I use as well as on the "computer policy settings only".

Note that in no snap-in did any policy show as defined under
"...\Security Settings\Registry".

I haven't been able to run "Security Configuration and Analysis" on my
"C:\windows\security\Database\secedit.sdb". I use NTBackup to copy the
file to a temp folder and get "Error while opening the file". (I use
NTBackup because regular "Copy" comes back with "File in use by another
program" error.)

Thanks.
(you can use my profile email to speed up communication - I can also
send snapshots that way.)

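
Added example (not part of the original thread and not code from either poster): a PowerShell check that compares the ACL on the new ProgID key with the inheritable ACEs on its parent, using the key paths quoted in the thread. It relies on the documented Windows rule that a key created without an explicit security descriptor under a parent with no inheritable ACEs receives the default DACL from the creating process's token. The function and variable names are illustrative.

```powershell
# Added example: key paths are the ones quoted in the thread; run from an elevated prompt.
$parentPath = 'HKLM:\SOFTWARE\Classes'
$childPath  = 'HKLM:\SOFTWARE\Classes\myDLL.myClass'

function Get-KeyAclReport {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path
    [pscustomobject]@{
        Path               = $Path
        Owner              = $acl.Owner
        InheritanceBlocked = $acl.AreAccessRulesProtected
        Sddl               = $acl.Sddl
        Rules              = @($acl.Access)
    }
}

$parent = Get-KeyAclReport -Path $parentPath
$child  = Get-KeyAclReport -Path $childPath

# Parent ACEs that propagate to subkeys carry the ContainerInherit flag.
# An ACE scoped to "This key only" has InheritanceFlags = None and never reaches a child.
$ci = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$inheritable = @($parent.Rules | Where-Object { ($_.InheritanceFlags -band $ci) -eq $ci })
$inherited   = @($child.Rules  | Where-Object { $_.IsInherited })
$explicit    = @($child.Rules  | Where-Object { -not $_.IsInherited })

$finding = if ($child.InheritanceBlocked) {
    'Child DACL is protected (inheritance blocked): its ACEs were set explicitly on the key.'
} elseif ($inheritable.Count -eq 0) {
    'Parent has no inheritable ACEs: a new subkey gets the default DACL of the creating token.'
} elseif ($inherited.Count -eq 0) {
    'Parent has inheritable ACEs but none are on the child: inheritance was not applied to this key.'
} else {
    'Child carries inherited ACEs from the parent as expected.'
}

$parent, $child | Format-List Path, Owner, InheritanceBlocked, Sddl | Out-Host
$child.Rules |
    Format-Table IdentityReference, RegistryRights, IsInherited, InheritanceFlags -AutoSize |
    Out-Host
"Inheritable parent ACEs: $($inheritable.Count); inherited on child: $($inherited.Count); explicit on child: $($explicit.Count)"
$finding
```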

