[Webinar] Streamline your web hosting managementRegister Today

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 319
  • Last Modified:

registry permission change for hklm\Software\Microsoft\Windows NT\CurrentVersion\SecEdit

I have been task by the Security department to change the registry permissions for the following paths for all of my Windows 2008 R2 servers (which include DCs, member servers, Exchange 2010, ect. )

HKLM\Software\Microsoft\Windows NT\CurrentVersion\SecEdit\
HKLM\System\CurrentControlSet\Services\CryptSvc\Security\
HKLM\System\CurrentControlSet\Services\rpcss\Security\
HKLM\System\CurrentControlSet\Services\samss\Security\

The requirement is to have an ACL of only:
Administrators - Full Control
SYSTEM - Full Control

Has anyone done this before with no negative effects within their network?  No time to setup a test network right now.
0
SOCCSUPPORT
Asked:
SOCCSUPPORT
1 Solution
 
McKnifeCommented:
The last 3 ACLs control the ability to read the ACL for those 3 services: CryptSvc, samss and rpcss. It should not be critical to change those, but I don't see the point what you would win changing them...
The first one, one might argue that users have read permissions and taking those would make it harder for a user to enumerate permissions, but that's not really a critical thing, either.

So I would do the following anyway: tell them that you will do it if they will agree to be held responsible if problems occur (I don't think there will).
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now