Disable Registry Editors
Prevents standard Registry tools from running. This will only protect against
the casual, unsophisticated user. You can start the Registry editors, but they
exit with a brief security message.
Hive: HKEY_CURRENT_USER
Key: Software\Microsoft\Windows\CurrentVersion\Policies\System
Name: DisableRegistryTools
Type: REG_DWORD
Value: 1
To prevent remote editing of the registry
The registry ACLs have special access permissions:
Query Value: Read any values within the key
Set Value: Create or update a value within the key
Create Subkey: Create a subkey to the current key
Enumerate Subkeys: List the subkeys of the current key
Notify: Audit notification events raised by the key
Create Link: Create a link in the current key
Delete: Delete the current key
Write DAC: Write a discretionary ACL to the key
Write Owner: Take ownership of the key
Read Control: Read the key's ACL
Windows NT and Windows 2000 ship with two registry editors, regedit.exe and
regedt32.exe. Regedt32.exe provides access to a key's ACL. To list the
access permissions in regedt32.exe, select a registry key, choose
Security|Permissions from the main menu, click the Advanced button to open the
Access Control Settings for Names dialog box, select the Permissions tab, and
click the View/Edit button.
As with other objects secured by ACLs, you can audit activity for a
particular key. From the same Access Control Settings for Names dialog box,
select the Auditing tab and the Add button. You can audit all of the same
actions in the above list, selecting success, failure, or both for each
activity. Any such events are then recorded in the Windows NT / Windows 2000
security event log.
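
The permission names listed above correspond to flags in the .NET RegistryRights enumeration, so the same review can be scripted. The PowerShell below is an added example, not part of the original page: it reports the DisableRegistryTools value and, for the policy key given above, shows which of the listed permissions each ACL entry grants and which audit entries are set. The variable and function names are illustrative, and reading audit entries assumes an elevated session.

```powershell
# Added example: review the policy value, DACL and audit entries of one key.
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$rr  = [System.Security.AccessControl.RegistryRights]

# The page's permission names mapped to their RegistryRights flags.
$names = [ordered]@{
    'Query Value'       = $rr::QueryValues
    'Set Value'         = $rr::SetValue
    'Create Subkey'     = $rr::CreateSubKey
    'Enumerate Subkeys' = $rr::EnumerateSubKeys
    'Notify'            = $rr::Notify
    'Create Link'       = $rr::CreateLink
    'Delete'            = $rr::Delete
    'Write DAC'         = $rr::ChangePermissions
    'Write Owner'       = $rr::TakeOwnership
    'Read Control'      = $rr::ReadPermissions
}

# Return the listed permissions that are fully contained in an access mask.
function Get-RightNames([int]$mask) {
    foreach ($n in $names.Keys) {
        $flag = [int]$names[$n]
        if (($mask -band $flag) -eq $flag) { $n }
    }
}

if (-not (Test-Path -Path $key)) {
    "Key not present, so DisableRegistryTools is not set: $key"
    return
}

$p = Get-ItemProperty -Path $key -Name DisableRegistryTools -ErrorAction SilentlyContinue
if ($p) { "DisableRegistryTools = $($p.DisableRegistryTools)" } else { 'DisableRegistryTools is not set' }

# DACL: who is allowed or denied which of the listed permissions.
foreach ($ace in (Get-Acl -Path $key).Access) {
    $granted = (Get-RightNames ([int]$ace.RegistryRights)) -join ', '
    '{0,-5} {1,-35} {2}' -f $ace.AccessControlType, $ace.IdentityReference, $granted
}

# SACL: audit entries, as set on the Auditing tab (needs an elevated session).
try {
    foreach ($rule in (Get-Acl -Path $key -Audit -ErrorAction Stop).Audit) {
        $audited = (Get-RightNames ([int]$rule.RegistryRights)) -join ', '
        '{0,-16} {1,-35} {2}' -f $rule.AuditFlags, $rule.IdentityReference, $audited
    }
} catch {
    "Audit entries not readable: $($_.Exception.Message)"
}
```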