Re: Default Regitry Permissions

Straight to your questions:

How are you determining it is Everyone Full on your clean install ?
It's Everyone: Full now, not on the clean install. And the clean
install is probably irrelevant.

What are the permissions you are seeing?
As a container,
HKEY_LOCAL_MACHINE\SOFTWARE\Classes allows "Everyone - Full Control" -
that's the only setting, in addition to "Allow inheritable permissions
to propagate to this object"

My class however, after registering my DLL using regsvr32,
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\myDLL.myClass allows only SYSTEM
and the Administrators group "Special Permissions - Full Controll"

Do you have any idea, what Windows security mechanism is responsible
for determining what permissions are assigned to the myDLL.myClass key.


It's not the container's ACL.

As far as I can tell, it's not a local security policy. The only
remotely related setting that I've found so far are under the Local
Security Settings snap-in:
Security Settings\Software restriction policies\Enforcement ("All
software except libraries" and "All users")
and
Security Settings\Software restriction policies\Additional
Rules\%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\SystemRoot% ("Unrestricted")
Security Settings\Software restriction policies\Additional
Rules\%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\SystemRoot%*.exe ("Unrestricted")
Security Settings\Software restriction policies\Additional
Rules\%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\SystemRoot%System32\*.exe ("Unrestricted")
Security Settings\Software restriction policies\Additional
Rules\%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%
("Unrestricted")

Under Security Settings\Software restriction policies\Security Levels,
"Unrescrticted" is the default one; "Dissallowed" is also defined as
"Software will not run, regardless of the access rights of the user."

I've confirmed these settings by running "Resultant Set of Policy on
the login I use as well as on the "computer policy settings only".

Note that in no snap-in any policy showed as defined under
"...\Security Settings\Registry

I haven't been able to run "Security Configuration and Analysis" on my
"C:\windows\security\Database\secewdit.sdb". I use NTBackup to copy the
file to a temp folder and get "Error while opening the file". (I use
NTBAckup because regular "Copy" comes back with "File in use by another
program" error.

Thanks.
(you can use my profile email to speed up communication - I can alsop
send snapshots that way.)

Roger Abell [MVP] wrote:
"G. Stoynev" <gstoynev@xxxxxxxxx> wrote in message
news:1161206786.232071.150850@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Thank you for your reply. My comments are below.

Roger Abell [MVP] wrote:
Your registry seems to have been changed as what you state
to be the ACL on HKLM\Software\Classes is not what is set
by default, at least with a clean install (I am not sure what you
would see on a machine upgraded to W2k3 or R2 from earlier
versions with a history of upgrade clear back to NT 4)

Can't comment on that as I didn't take a note what the ACL looked like
freshly installed. But it's a clean 2003 install and R2 immediately
after that.


default ACL'ing runs:

System Full Key+Subkeys
Administrators Full Key+Subkeys
Users Read Key+Subkeys
Creator Owner Full Subkeys
Power Users Special Key+Subkeys
(where PU exists; Special = Full less Create link, Write DAC, Write Owner)

How are you determining it is Everyone Full on your clean install ?



It is my understanding that just using regsvr32 would add the
reg entries allowing them to have an initial ACL as determined
from the ACL on their parents. This is apparently not happening
for you, but you do not indicate use of an installer that might be
adjusting the ACL after regsvr32 runs.

No installer involved. I run regsvr32 and immediately after that I
check the permssions.


What are the permissions you are seeing?

PS
SP1 for W2k3 R2 has not come out
Control Panel->System displays exactly the following string:
Microsoft Windows Server 2003 R2
Standard Edition
Serviec Pack 1


Well, I guess you cannot believe that interface then.
(Note that W2k3 R2 initial relase was in lock-step with W2k3 Sp1)

.

Relevant Pages

  • Re: Windows Firewall Wont Stay On
    ... I have come up with a solution that does not disable Security Center, ... By changing the Permissions of that key, ... settings from being changed again. ... the firewall alert settings in Security Center get ...
    (microsoft.public.windowsxp.help_and_support)
  • Re: get rid of security center?
    ... I have come up with a solution that does not disable Security Center, ... By changing the Permissions of that key, ... settings from being changed again. ... the firewall alert settings in Security Center get ...
    (microsoft.public.windowsxp.help_and_support)
  • Re: Removing the Internet Security in SP2
    ... I have come up with a solution that does not disable Security Center, ... By changing the Permissions of that key, ... settings from being changed again. ... the firewall alert settings in Security Center get ...
    (microsoft.public.windowsxp.security_admin)
  • Re: [2nd attempt] keep getting Windows firewall message
    ... alerts, or rather a way to keep the user settings for alerts from ... I have come up with a solution that does not disable Security Center, ... By changing the Permissions of that key, ...
    (microsoft.public.windowsxp.general)
  • Re: [2nd attempt] keep getting Windows firewall message
    ... or rather a way to keep the user settings for alerts from ... > I have come up with a solution that does not disable Security Center, ... > By changing the Permissions of that key, ... the firewall alert settings in Security Center get ...
    (microsoft.public.windowsxp.general)