Everyone security hole

by Wayne Maples [Published on 20 April 2004 / Last Updated on 20 April 2004]

When a properly authenticated user logs on locally to a Windows NT computer, that user becomes a member of the Everyone group. The default permissions on the keys below grant members of the "Everyone" group Special Access, which includes the right to Set Value and Create Subkey. This allows any member of the "Everyone" group to create an entry under the Run and RunOnce keys that names a program to run when the computer starts. The Uninstall key defines the programs that run when you remove an application, so a write there is executed later on in the same way.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Because there is a potential for the abuse of this level of rights, you may want to reset these permissions. With each of the keys above selected in Registry Editor (regedt32.exe, which provides the Security menu):

A. From the Security menu, click Permissions.
B. Click "Replace Permissions on Existing Subkeys" so that it is selected.
C. Click Everyone, change the Type Of Access to Read, and then click OK.

Several sources recommend modifying the following subkeys so that the Everyone group has only Query Value, Read Control, Enumerate Subkeys, and Notify access.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RPC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Current Version
HKEY_LOCAL_MACHINE\SOFTWARE\Windows 3.1 Migration Status
HKEY_CLASSES_ROOT
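The following PowerShell is an added example, not from the original article, that audits the Run, RunOnce and Uninstall keys for Everyone ACEs carrying Set Value or Create Subkey rights and, on request, replaces them with a Read-only ACE that inherits to subkeys (the scripted equivalent of steps A to C). It assumes an elevated prompt on a version of Windows with PowerShell 5 or later; the additional keys listed above can be passed via -Path.

```powershell
using namespace System.Security.AccessControl
using namespace System.Security.Principal

# Keys from the article, written as registry-provider paths.
$AutostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
)
$EveryoneSid = [SecurityIdentifier]'S-1-1-0'    # well-known SID, locale-independent
$PlantRights = [RegistryRights]::SetValue -bor [RegistryRights]::CreateSubKey

# Report each Allow ACE that lets Everyone set a value or create a subkey,
# i.e. plant an autostart entry under the key.
function Find-EveryoneWriteAccess {
    param([string[]]$Path = $AutostartKeys)
    foreach ($key in $Path) {
        $acl = Get-Acl -Path $key
        foreach ($ace in $acl.Access) {
            $sid = $ace.IdentityReference.Translate([SecurityIdentifier]).Value
            if ($sid -eq $EveryoneSid.Value -and
                $ace.AccessControlType -eq [AccessControlType]::Allow -and
                ([int]$ace.RegistryRights -band [int]$PlantRights) -ne 0) {
                [pscustomobject]@{ Key = $key; Rights = $ace.RegistryRights
                                   Inherited = $ace.IsInherited }
            }
        }
    }
}

# Replace Everyone's explicit Allow ACEs with a single ReadKey ACE that flows
# down to subkeys. Inherited ACEs are left alone: those must be fixed at the
# parent key they come from.
function Restrict-EveryoneToRead {
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$Path = $AutostartKeys)
    foreach ($key in $Path) {
        $acl  = Get-Acl -Path $key
        $rule = [RegistryAccessRule]::new($EveryoneSid, [RegistryRights]::ReadKey,
            [InheritanceFlags]::ContainerInherit, [PropagationFlags]::None,
            [AccessControlType]::Allow)
        [void]$acl.RemoveAccessRuleAll($rule)   # matches on SID + Allow, any rights
        $acl.AddAccessRule($rule)
        if ($PSCmdlet.ShouldProcess($key, 'Restrict Everyone to Read')) {
            Set-Acl -Path $key -AclObject $acl
        }
    }
}

Find-EveryoneWriteAccess | Format-Table -AutoSize
# Restrict-EveryoneToRead -WhatIf    # preview; drop -WhatIf to apply
```

Run the audit first; an empty table means no explicit or inherited Everyone ACE on those keys grants write rights, and remediation is unnecessary.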
