
Registry ACLs

7/28/2010 9:29:49 AM
The registry ACLs have undergone changes, just like the file system ACLs. The changes are much smaller in scope than the changes to the file system, however. The most obvious difference from earlier versions of Windows is that, because of the deprecation of Power Users, almost all the Power User ACEs are gone. Power Users are not supposed to be any more powerful than any other users in Windows Vista. It is a testament to just how complicated ACLs really are, however, that not all the ACEs for Power Users are actually gone. A few were, unfortunately, missed.

While you are looking at ACLs in the registry, in a few places you will see an ACE for a SID called RESTRICTED. This is not new to Windows Vista, but it is an interesting and not well understood SID. That SID denotes any process that presents a restricted token. A restricted token is created using a special feature of the CreateRestrictedToken API. Such a token has one or more "restricting SIDs", SIDs that are used in a separate access check. When a process running with a restricted token attempts to access an object with an ACE for the RESTRICTED SID, the OS actually performs two access checks. The first is the normal access check. The second one works exactly like the first but takes place only against the restricting SIDs in the token. Both access checks must pass.

Currently, several ACLs use the RESTRICTED SID, particularly in the Registry. A screenshot of such an ACL is shown in Figure 1.

Figure 1: The Registry ACLs include an ACE for RESTRICTED in several places.

At this time, few processes make use of the restricted token functionality, particularly with respect to restricting SIDs. One example of a process that does is the service process that hosts the Windows Firewall, the Base Filtering Engine, and the Diagnostic Policy Service. It also uses a write restricted token. On the Web site for the book (http://www.wiley.com/go/windowsvistasecurity) you will find a document that lists security parameters for every service that ships with Windows Vista Ultimate Edition. Based on the findings outlined in that document, only nine services currently use RESTRICTED and write restricted tokens in Windows Vista.

As with recent previous versions of Windows, the best practice with respect to registry permissions is to tread very carefully. Except in exceptional and highly targeted circumstances, do not modify permissions in the registry. Given the complicated inheritance model and the sensitive operations performed on the registry, you run an unacceptably high likelihood of fatal failure if you modify ACLs in the registry carelessly.
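A read-only way to see for yourself where the RESTRICTED ACEs and the leftover Power Users ACEs described above actually sit is to walk a hive and report every explicit (non-inherited) ACE granted to either SID. The script below is an added example, not code from the book; it assumes an elevated PowerShell session and a `$Root` path you choose (HKLM\SOFTWARE by default), and it changes nothing.

```powershell
# Added example (not from the book): read-only audit of explicit (non-inherited)
# registry ACEs for RESTRICTED (S-1-5-12) and the deprecated Power Users group
# (S-1-5-32-547). Assumes an elevated session; keys the caller cannot read are
# skipped. Nothing is modified.
param(
    [string]$Root = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE'
)

# Well-known SIDs to report on, with a friendly label for the output.
$watched = @{
    'S-1-5-12'     = 'RESTRICTED'
    'S-1-5-32-547' = 'Power Users'
}

function Get-AceSid([System.Security.Principal.IdentityReference]$Id) {
    # Registry rules normally carry an NTAccount; compare by SID so the
    # match does not depend on the display name or system locale.
    try { return $Id.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { return $null }   # unresolvable or orphaned SID: ignore
}

# Include the root key itself plus every subkey beneath it.
$keys = @(Get-Item -Path $Root -ErrorAction SilentlyContinue) +
        @(Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue)

$results = foreach ($key in $keys) {
    $acl = Get-Acl -Path $key.PSPath -ErrorAction SilentlyContinue
    if (-not $acl) { continue }
    foreach ($ace in $acl.Access) {
        # Inherited entries are copies of a parent's ACE; only report the
        # key where the ACE is actually set, which is where it would be changed.
        if ($ace.IsInherited) { continue }
        $sid = Get-AceSid $ace.IdentityReference
        if ($sid -and $watched.ContainsKey($sid)) {
            [pscustomobject]@{
                Key       = $key.Name
                Principal = $watched[$sid]
                Type      = $ace.AccessControlType
                Rights    = $ace.RegistryRights
                Inherits  = $ace.InheritanceFlags
            }
        }
    }
}

$results | Sort-Object Principal, Key | Format-Table -AutoSize
"{0} explicit ACE(s) found for watched principals under {1}" -f @($results).Count, $Root
```

A Power Users entry in this output is one of the ACEs the text says were missed; a RESTRICTED entry marks an object where the second access check against the token's restricting SIDs applies.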

