dcgames

What does this change to SOFTWARE registry key do?

I have a Windows 2000 Advanced Server in my kitchen connected to the internet.

It hosts a web site, an e-mail server, etc.

It also does DNS, DHCP, and NAT for the internal network (3 additional PCs, running Windows 98).

HOWEVER, this is the computer we all use regularly to check e-mail and browse the internet, since it is conveniently located and always on.

To do this, I have enabled some users to "log-in-locally" to the server. They use Outlook Express and Internet Explorer primarily.

I am trying to add a "Content filter" application called Cyber Snoop that I hope will prove less restrictive than traditional filters. I don't want to restrict access to an un-rated page just because it's unrated, and this tool allows you to filter based on both page rating and content analysis.

The instructions for installation on Windows 2000 say that after installing (as Administrator), you should:

a) Run REGEDT32
b) Select HKEY_LOCAL_MACHINE
c) Select SOFTWARE registry key
d) Select Permissions under the SECURITY menu item.
e) In Registry Key Permissions, select "USERS" (i.e. the users group)
f) Select "Full Control"
g) Under "Advanced.." button select "Reset permissions on all child objects and enable propagation of inheritable permissions"

Now, if they told me to do this on an entry for the specific product, I might understand, but why the whole SOFTWARE key?

What does this change allow a user account to do that was not allowed before?

Is this safe? Unwise? Stupid?

I get the feeling these instructions may have been meant for a Windows 2000 Pro client, not for a server.

Dave
ASKER CERTIFIED SOLUTION
SysExpert
This solution is only available to members.
No matter whether it is NT or 2K, you have to have certain rights to read/manipulate the registry. I think what they are trying to do is set the permissions used to access these keys in the registry by the program and you limit the program's abilities. Was this program specifically designed for Workstation or Server?
jhance

Any users who have full (or write) access to the HKEY_LOCAL_MACHINE\Software registry hive CAN take control of the machine.

Doing what this software is suggesting will make any hope of having a secure Win2000 system disappear into the ether....
- the whole Software hive because it's much easier for them to support problems with rights that don't appear in Win9x.

- It might allow a user to delete the whole hive and make the server unusable

- it is unsafe, unwise and is contrary to the NT philosophy

- even on a Win2k Pro it's very unprofessional.

dcgames

ASKER

Hello, your comments all match pretty much what I thought.

Sysexpert: I did try to apply this only to the keys of the specific software, but it didn't work.

Perhaps they only need that kind of access initially (to configure the software). If so, I might try:

a) Do what they ask for the Software key.
b) Run the software, make sure everything is working.
c) "undo" the permission setting.

But I'm thinking it may not be un-doable in the sense that "adding Full Control to all SOFTWARE key entries" is not undone by "remove Full Control from all SOFTWARE key entries". Some keys may HAVE full control already, and the undo would break them.

Any suggestions?

I could add the user to the "Administration" group temporarily, go through the configuration / setup, make sure it's working, then remove the user from the Admin group and see if that works.

Does that sound reasonable?

One last question. I've seen some installations with "POWER USER" setup. I think that it gets created when you have UPGRADED from a Win 9x environment. I don't have a POWER USER group defined (I did a clean install).

I'm not concerned about the users "abusing" or "hacking" the system, but I don't want to open the doorway for a virus or external hack to do more damage.

I could add the permission explicitly to the users that need it instead of the generic USERS group. Would that make it safer?

Dave
POWER USER is normal only on win2k Pro installs, not server, to the best of my knowledge.

Your idea about admin sounds good.

If you are a bit experienced, you can try the great tool Regmon from Sysinternals (http://www.sysinternals.com/ntw2k/source/regmon.shtml)
and filter for "denied" entries.
So you will find where the program has problems with rights on registry hives.

Frankly,  I'd STAY AWAY from such a program on W2K.  Any such application should be designed to install as administrator and run using the SERVICE account, LOCAL SYSTEM.  This will give it the required privileges over the settings and applications on the machine but will not force you to open up the registry protections for people to mess with.

I'll just reiterate.  Any users who can modify registry entries under HKEY_LOCAL_MACHINE can gain full access to the machine.  In other words, it makes security a farce!
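
A read-only audit for the condition the answers above warn about, added here as an example and not part of the original thread: it lists keys under HKLM\SOFTWARE where broad groups such as Users hold write-type rights. It assumes a current Windows system with PowerShell (which the thread's Windows 2000 server predates); the function name `Get-BroadWritableKey` and the choice of groups are this example's own.

```powershell
# Added example: read-only audit of write access under HKLM:\SOFTWARE.
# It only calls Get-Acl; no permissions are changed.

# Well-known SIDs of broad groups (SIDs avoid localized group names).
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Rights that let the holder change a key, its values, or its ACL,
# plus GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000) as they
# appear in inherit-only entries.
$Write = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
$WriteMask = [int]$Write -bor 0x10000000 -bor 0x40000000

function Get-BroadWritableKey {
    param(
        [string]$Root = 'HKLM:\SOFTWARE',
        [switch]$Recurse   # default: the root key and its immediate subkeys
    )
    $keys = @(Get-Item -LiteralPath $Root)
    $keys += Get-ChildItem -LiteralPath $Root -Recurse:$Recurse -ErrorAction SilentlyContinue
    foreach ($key in $keys) {
        try { $acl = Get-Acl -LiteralPath $key.PSPath -ErrorAction Stop }
        catch { continue }   # key not readable by the current account
        $sidType = [System.Security.Principal.SecurityIdentifier]
        foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
            $sid = $rule.IdentityReference.Value
            if ($rule.AccessControlType -ne 'Allow') { continue }
            if (-not $BroadSids.ContainsKey($sid)) { continue }
            if (([int]$rule.RegistryRights -band $WriteMask) -eq 0) { continue }
            [pscustomobject]@{
                Key       = $key.Name
                Group     = $BroadSids[$sid]
                Rights    = $rule.RegistryRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

Get-BroadWritableKey | Format-Table -AutoSize -Wrap
```

A row for the SOFTWARE root itself showing FullControl for BUILTIN\Users with Inherited = False is the state the vendor's steps would create; rows for subkeys with Inherited = True show how far it has propagated.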
dcgames

ASKER

Thank you guys. Sound Advice.