Solved

registry permission change for hklm\Software\Microsoft\Windows NT\CurrentVersion\SecEdit

Posted on 2015-02-04
1
255 Views
Last Modified: 2015-02-16
I have been task by the Security department to change the registry permissions for the following paths for all of my Windows 2008 R2 servers (which include DCs, member servers, Exchange 2010, ect. )

HKLM\Software\Microsoft\Windows NT\CurrentVersion\SecEdit\
HKLM\System\CurrentControlSet\Services\CryptSvc\Security\
HKLM\System\CurrentControlSet\Services\rpcss\Security\
HKLM\System\CurrentControlSet\Services\samss\Security\

The requirement is to have an ACL of only:
Administrators - Full Control
SYSTEM - Full Control

Has anyone done this before with no negative effects within their network?  No time to setup a test network right now.
0
Comment
Question by:SOCCSUPPORT
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 54

Accepted Solution

by:
McKnife earned 500 total points
ID: 40589970
The last 3 ACLs control the ability to read the ACL for those 3 services: CryptSvc, samss and rpcss. It should not be critical to change those, but I don't see the point what you would win changing them...
The first one, one might argue that users have read permissions and taking those would make it harder for a user to enumerate permissions, but that's not really a critical thing, either.

So I would do the following anyway: tell them that you will do it if they will agree to be held responsible if problems occur (I don't think there will).
0

Featured Post

Instantly Create Instructional Tutorials

Contextual Guidance at the moment of need helps your employees adopt to new software or processes instantly. Boost knowledge retention and employee engagement step-by-step with one easy solution.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
DNS forwarders "unable to resolve" 1 158
Measure time after installing Antivirus 8 100
BgInfo help 5 106
How do I restrict certain programs? 9 76
Background Information Recently I have fixed file server permission issues for one of my client. The client has 1800 users and one Windows Server 2008 R2 domain joined file server with 12 TB of data, 250+ shared folders and the folder structure i…
SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question