December 1998

Expanding Your System Policy Capabilities



Overcome SPE's limitations by editing the policy file directly

I have struggled with two challenges since I began working with Windows NT. For years, I couldn't figure out how to push Registry security settings to users across a network or how to create user Registry entries for software on systems that the user already has a profile on. These tasks are challenging not because the Registry function is difficult, but because efficiently pushing Registry entries to all the users in a domain can be difficult. I know I'm not the only systems administrator who has struggled with these problems because audiences at my speaking engagements regularly ask me how to perform these tasks.

You can use tools such as regini or regsec from the Microsoft Windows NT Server 4.0 Resource Kit, Microsoft Windows NT Workstation 4.0 Resource Kit, and Microsoft Windows NT 3.51 Resource Kit to accomplish both tasks. However, the tools are command-line based, so they are complex and difficult to use.

System policies provide the easiest way to manage systems and users across your network. NT's System Policy Editor (SPE) makes enterprisewide Registry changes quick and efficient. Service Pack 2 (SP2) expands SPE's default options to include new entries, but despite its new entries, SPE can't solve the Registry security and software access problems. (For more information about SPE and NT system policies, see "Related Articles in Windows NT Magazine.")

Until recently, the only way I knew to expand SPE's capabilities was to edit the templates that create the interface, but this way can be confusing. You can create templates through a text editor such as Notepad or a sophisticated tool such as Policy Template Editor, but these tools cannot address the two challenges I described. Fortunately, I recently found a method for resolving my challenges: You can edit the policy file, ntconfig.pol, directly.

Ntconfig.pol
Ntconfig.pol is a Registry hive similar to the hives that create the keys Registry editors usually modify. You can load the ntconfig.pol hive into regedt32 and modify the policy file directly. Understand that this is an advanced policy function and that incorrect policy changes might severely damage your systems. Always back up the Registry before modifying hives, and test changes in a small, controlled environment before applying them to your network.

To load ntconfig.pol, open regedt32 and select HKEY_LOCAL_MACHINE. Select Load Hive from the Registry menu. Find ntconfig.pol in the NETLOGON share, and click Open. When you open ntconfig.pol, regedt32 asks you for a name for the hive. The name has no permanent effect on your system; it makes policy changes more convenient for you. You can enter any name you want. I call my ntconfig.pol hive Policy.

After you enter a name, the hive opens, as Screen 1 shows. Select Read Only Mode from regedt32's Options menu to protect the Registry until you're ready to make changes. Double-click the Policy key and examine the structure of the keys within it. Expand each key to see how the activated settings fit together. When you finish exploring, you're ready to solve your users' security and software access problems.

Challenge 1: Registry Security
When users have access to the Internet, one of an administrator's biggest challenges is regulating which programs users download and install on their systems. Some commercial software requires administrative rights for installation, but much of the freeware and shareware available on the Internet doesn't require special permissions to download.

To restrict users from installing software on one computer, you need to change permissions for the HKEY_LOCAL_MACHINE\SOFTWARE Registry key. (For a description of each permission option's function, see the sidebar "Security Permissions in the Registry.") Run regedt32, select the SOFTWARE key, select Permissions from the Security drop-down menu, and select the users you want to set permissions for. The SOFTWARE key's default settings include Full Control for CREATOR OWNER, SYSTEM, and the local Administrators group. These users can make changes freely; they can add and remove software, use applications that have entries in the SOFTWARE key, and modify permissions.

All other users are in the Everyone group. As Screen 2 shows, the default Special Access permissions for the Everyone group let users perform all Registry functions except creating a link to another key, changing the key's permissions (which the Write Discretionary Access Control (Write DAC) check box controls), and changing the key's ownership. To prevent users in the Everyone group from installing new software without preventing them from using the software that the SOFTWARE key lists, you need to remove their Set Value and Create Subkey permissions. Change the Everyone group's permissions from Special Access to Read. Then, users in the group will have only Query Value, Enumerate Subkeys, Notify, and Read Control permissions.

This Registry solution successfully prevents users from installing software on a system, but making this change on hundreds or thousands of computers is an administrative challenge. No System Policy Editor (SPE) function makes security changes, and you can't easily write a custom template to facilitate the change.

Adding security settings to a policy. Like SPE, ntconfig.pol adds entries to the Registry in such a way that every change you make adds to the current Registry entries. Making changes is like laying a transparency (the policy) on top of a sheet of paper (the existing Registry). Unchanged information shows through, and new settings replace only the settings that you modify. Ntconfig.pol's Users\.default key already contains a Software key. All you need to do to change the SOFTWARE key's permissions for users throughout your network is modify the Users\.default\Software key as you would modify an individual user's HKEY_LOCAL_MACHINE\SOFTWARE key.

In regedt32, open HKEY_LOCAL_MACHINE\Policy\Users\.default\Software. Select the Software key and click Security, Permissions. Choose the Everyone group, and set permissions for the group to Read. This prepares the policy file to send all the systems on your network the SOFTWARE key's permissions update (which will replace current security settings in the SOFTWARE key for the Everyone group) the next time users log on. This procedure will prevent all users except administrators from installing software that registers itself with NT.
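The single-machine permission check and change described above (Everyone holding Set Value and Create Subkey on HKEY_LOCAL_MACHINE\SOFTWARE, then reduced to Read), as an added PowerShell example rather than the regedt32 steps; this is not the article's own code and assumes a current Windows host with PowerShell 5.1 or later, where the same check also confirms whether a policy-delivered update actually arrived on a workstation:

```powershell
# Added example, not from the original article. Audits the Everyone ACE on
# HKLM\SOFTWARE for the two rights the article says must be removed, and shows
# the replacement Read ACE. Run in an elevated session to read the full ACL.
$keyPath = 'HKLM:\SOFTWARE'
$acl = Get-Acl -Path $keyPath

# Set Value and Create Subkey are what let an unprivileged user register software
$rr = [System.Security.AccessControl.RegistryRights]
$writeRights = [int]($rr::SetValue -bor $rr::CreateSubKey)

# Well-known SID for Everyone (S-1-1-0); matching on SID survives localized group names
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'

$findings = @()
foreach ($ace in $acl.Access) {
    try {
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
    } catch { continue }   # unresolvable (orphaned) account, not Everyone
    if ($sid -ne $everyone) { continue }

    $grantsWrite = ($ace.AccessControlType -eq 'Allow') -and
                   ((([int]$ace.RegistryRights) -band $writeRights) -ne 0)
    if ($grantsWrite) {
        $findings += "Everyone holds $($ace.RegistryRights) on $keyPath (inherited: $($ace.IsInherited))"
    } else {
        Write-Output "Everyone on $keyPath : $($ace.RegistryRights) ($($ace.AccessControlType))"
    }
}
$findings | ForEach-Object { Write-Warning $_ }

# The article's fix in ACL terms: drop every Everyone ACE and add Read only.
# ReadKey = Query Value + Enumerate Subkeys + Notify + Read Control, the set the
# article lists for the Read permission level.
$readRule = New-Object System.Security.AccessControl.RegistryAccessRule(
    $everyone, 'ReadKey', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.PurgeAccessRules($everyone)
$acl.AddAccessRule($readRule)

# Apply only after testing on a lab machine, as the article advises for policy edits:
# Set-Acl -Path $keyPath -AclObject $acl
```

Running the audit part before and after the next logon shows whether the ntconfig.pol change reached the workstation, since a workstation where Everyone still holds Set Value or Create Subkey is reported as a warning.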

Windows IT Pro is a Division of Penton Media Inc.
Copyright © 2009 Penton Media, Inc., All rights reserved.