Solved

registry permission change for hklm\Software\Microsoft\Windows NT\CurrentVersion\SecEdit

Posted on 2015-02-04
1
228 Views
Last Modified: 2015-02-16
I have been task by the Security department to change the registry permissions for the following paths for all of my Windows 2008 R2 servers (which include DCs, member servers, Exchange 2010, ect. )

HKLM\Software\Microsoft\Windows NT\CurrentVersion\SecEdit\
HKLM\System\CurrentControlSet\Services\CryptSvc\Security\
HKLM\System\CurrentControlSet\Services\rpcss\Security\
HKLM\System\CurrentControlSet\Services\samss\Security\

The requirement is to have an ACL of only:
Administrators - Full Control
SYSTEM - Full Control

Has anyone done this before with no negative effects within their network?  No time to setup a test network right now.
0
Comment
Question by:SOCCSUPPORT
1 Comment
 
LVL 53

Accepted Solution

by:
McKnife earned 500 total points
ID: 40589970
The last 3 ACLs control the ability to read the ACL for those 3 services: CryptSvc, samss and rpcss. It should not be critical to change those, but I don't see the point what you would win changing them...
The first one, one might argue that users have read permissions and taking those would make it harder for a user to enumerate permissions, but that's not really a critical thing, either.

So I would do the following anyway: tell them that you will do it if they will agree to be held responsible if problems occur (I don't think there will).
0

Featured Post

Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
A safe way to clean winsxs folder from your windows server 2008 R2 editions
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…

910 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now