Re: Default Regitry Permissions

Your registry seems to have been changed as what you state
to be the ACL on HKLM\Software\Classes is not what is set
by default, at least with a clean install (I am not sure what you
would see on a machine upgraded to W2k3 or R2 from earlier
versions with a history of upgrade clear back to NT 4)

It is my understanding that just using regsvr32 would add the
reg entries allowing them to have an initial ACL as determined
from the ACL on their parents. This is apparently not happening
for you, but you do not indicate use of an installer that might be
adjusting the ACL after regsvr32 runs.

PS
SP1 for W2k3 R2 has not come out
--
Roger Abell
Microsoft MVP (Windows Server : Security)

"G. Stoynev" <gstoynev@xxxxxxxxx> wrote in message
news:1161097132.523009.314180@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Windows 2003 Server R2 SP1 with IIS, ASP .NET 1.1 and .NET 2.0,
standalone server, developer machine with Visual Studio 6.0, VS.NET
2003 and 2005 installed.

I'm registering a custom DLL and the resulting keys in
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ are assigned permissions different
than the container's permissions.

As a container,
HKEY_LOCAL_MACHINE\SOFTWARE\Classes allows "Everyone - Full Control" -
that's the only setting, in addition to "Allow inheritable permissions
to propagate to this object"


My class however, after registering my DLL using regsvr32,
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\myDLL.myClass allows only SYSTEM
and the Administrators group "Special Permissions - Full Controll"

This prevents an ASP web application to access my DLL - the
IUSR_MachineName account is denied access.

Something must have changed recently since this was working fine. I am
the only person who has access to that machine. The only changes I've
made recently are possibly Windows Update and the addition of Windows
Media Services (WMS). I suspect installing WMS tightened the security,
but I can't fins a security policy regarding the registry. Checked
local policies - nothing defined. No domain policy as this is a
standalone server.

My question is: What is the mechanism that determines permission levels
on registry keys added by running regsvr32 on a DLL?



.

Relevant Pages

  • Re: Unnown process... 5eplorer.exe
    ... do not remove the cause (a "super"-hidden .dll program) but only remove ... symptom files and registry settings. ... It has all permissions but 'copy' denied to everyone, ... then by using the Windows XP Recovery Console. ...
    (microsoft.public.win2000.general)
  • Problem with performance of IDE devices
    ... index 0, dll tcpstk.dll, context 0x3f8a5c9 ... 0x801abbe8: FSREG: Mounted ROM portion of boot registry ... 0x8014abcc: FSREG: Invalid HKEY 0x00000000 ...
    (microsoft.public.windowsce.platbuilder)
  • Re: Active Directory domain policy not available - Windows cannot access the registry information (5
    ... shuffling the registry around as a result. ... >What share permissions did you change? ... >SYSVOL and NETLOGON shares aren't accessible. ... >the domain controller is changed but the DNS still points to the old IP ...
    (microsoft.public.backoffice.smallbiz2000)
  • Re: OT: Win 7 comments
    ... I had to edit the Registry. ... This is right up there with repairing permissions, ... That's odd, consider how some of you guys bring the same habits to Windows, ... I will wait for some apps to crash. ...
    (comp.sys.mac.advocacy)
  • Re: Minimum NTFS Permissions on the SystemDrive
    ... File system and registry access control list modifications ... Microsoft Windows XP and Microsoft Windows Server 2003 have considerably ... You can no longer use the Anonymous security ... Additional ACL changes may invalidate all or most of the application ...
    (microsoft.public.windows.server.security)