In Windows NT 3.51 with Service Pack 4 or Windows NT version 4.0, remote access to the registry is turned off by default for servers. To turn it off for a workstation, create the registry key to restrict access to the registry:
Value: Registry Server
In English, you need to add (if it does not exist) the key winreg to SecurePipeServers; then add the value, Description, of type REG_SZ, with the data (string), Registry Server.
When you attempt to connect to the registry of a remote computer running Windows NT, the Server service on the target computer checks for the presence of the Winreg key. If it does not exist, you are permitted to connect to the remote computer's registry. If Winreg exists, the ACL on Winreg is checked, and if the ACL gives you read or write access, you are connected to the registry. The gotcha, since it is often misunderstood, is the meaning of "the ACL gives you read or write access". Select winreg (highlight it), click Security, and then click Permissions. Add the users and groups you want to grant remote access. Thus you would NOT add Everyone or Authenticated Users, and those groups would be blocked. You might want to add or leave Domain Admins.
The Registry path names listed in the following key define Registry keys that are exempt from Winreg's otherwise global ACL.
The value would be a valid path to one or more locations in the registry. The default value is: SYSTEM\CurrentControlSet\Control\ProductOptions
The value would be a valid path to one or more locations in the registry. There is no default value. This allows Users access to specific locations in the registry, provided it is not blocked by the key's ACL. Each key in the registry has its own ACL. The registry ACLs are conceptually similar to file permission ACLs. The registry ACL access permission types follow.
| Permission | Description |
|---|---|
| Query Value | Read access to values in key |
| Set Value | Create / update values in key |
| Create Subkey | Create subkey in key |
| Enumerate Subkeys | List subkeys in key |
| Notify | Audit notification events in key |
| Create Link | Create link to key |
| Delete | Delete key |
| Write DAC | Write Discretionary ACL (DAC) on key |
| Write Owner | Take ownership of key |
| Read Control | Read ACL of key |
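One way to audit the winreg ACL described above, as an added example that is not part of the original tip. It assumes the full HKLM path of the winreg key (the page names only winreg under SecurePipeServers), uses the well-known SIDs for Everyone and Authenticated Users, and the function name Test-WinregAcl is hypothetical.

```powershell
# Added example: audit the ACL that gates remote registry access.
# Assumption: full path of the winreg key (the page names only winreg under
# SecurePipeServers); run in an elevated session on the machine being checked.
$WinregPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'

# Well-known SIDs for the groups the tip says to keep off this ACL.
$TooBroad = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-11' = 'Authenticated Users' }

function Test-WinregAcl {
    param([string]$Path = $WinregPath)

    if (-not (Test-Path -LiteralPath $Path)) {
        # No winreg key: per the tip, remote connections are simply permitted.
        return [pscustomobject]@{ Finding = 'KEY_MISSING'; Sid = $null; Group = $null; CanWrite = $null }
    }

    # Ask for SIDs rather than names so the check works on localized systems.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType)

    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Value
        # Set Value (0x2) or Create Subkey (0x4) counts as write access here.
        $canWrite = (([int]$ace.RegistryRights) -band 0x6) -ne 0
        [pscustomobject]@{
            # TOO_BROAD: a group the tip says not to add. REVIEW: confirm it is intended.
            Finding  = if ($TooBroad.ContainsKey($sid)) { 'TOO_BROAD' } else { 'REVIEW' }
            Sid      = $sid
            Group    = $TooBroad[$sid]
            CanWrite = $canWrite
        }
    }
}

Test-WinregAcl | Format-Table -AutoSize
```

A KEY_MISSING row means no restriction is in place; any TOO_BROAD row means the ACL grants remote access to the groups the tip says to leave off.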
This tip gives you a method to restrict or block remote access to the registry. I rewrote it when I couldn't successfully follow my own tip. To be honest, I strongly recommend blocking all remote access: registry, shares, or whatever - by disabling the Server service. It is the single most effective method to frustrate hackers. In any case, if your environment does not support disabling the Server service, you can use this tip to secure the registry from inappropriate remote access.