registry permission change for hklm\Software\Microsoft\Windows NT\CurrentVersion\SecEdit

I have been task by the Security department to change the registry permissions for the following paths for all of my Windows 2008 R2 servers (which include DCs, member servers, Exchange 2010, ect. )

HKLM\Software\Microsoft\Windows NT\CurrentVersion\SecEdit\
HKLM\System\CurrentControlSet\Services\CryptSvc\Security\
HKLM\System\CurrentControlSet\Services\rpcss\Security\
HKLM\System\CurrentControlSet\Services\samss\Security\

The requirement is to have an ACL of only:
Administrators - Full Control
SYSTEM - Full Control

Has anyone done this before with no negative effects within their network?  No time to setup a test network right now.
LVL 1
SOCCSUPPORTAsked:
Who is Participating?
 
McKnifeConnect With a Mentor Commented:
The last 3 ACLs control the ability to read the ACL for those 3 services: CryptSvc, samss and rpcss. It should not be critical to change those, but I don't see the point what you would win changing them...
The first one, one might argue that users have read permissions and taking those would make it harder for a user to enumerate permissions, but that's not really a critical thing, either.

So I would do the following anyway: tell them that you will do it if they will agree to be held responsible if problems occur (I don't think there will).
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.