Network access: Remotely accessible registry paths

OK, get ready to be confused with regard to this setting and “Network access: Remotely accessible registry paths and sub-paths”. Well, it’s not so bad if you get a clear explanation – as opposed to the incredibly obtuse KB articles on these 2 settings.

First some background. Remote access to the registry (i.e. accessible to users on other computers on the network) is provided by the Remote Registry service and is limited to the users listed in the ACL of the winreg key (for more information on winreg see below). For instance you can open Registry Editor and connect to a different computer on the network. Only users with an entry in the ACL of winreg can access the registry remotely. But there are exceptions as defined by this setting and “Network access: Remotely accessible registry paths and sub-paths”.

The following applies to Windows Server 2003 and later. XP and earlier systems handle these 2 settings differently, as explained under “What about XP?”

This setting specifies which registry keys should be available to remote users regardless of whether those users are listed in winreg’s ACL or not. Keys listed in this setting are available remotely but not their subkeys, which is the fundamental difference between this setting and “Network access: Remotely accessible registry paths and sub-paths”. Based on the keys included by default, it would appear this setting was primarily intended for keys important to scanning, identification and inventorying of systems on the network (and possibly license metering) but that have sensitive data in subkeys that should not be made available to any remote user. The default values are:

  • System\CurrentControlSet\Control\ProductOptions
  • System\CurrentControlSet\Control\Server Applications
  • Software\Microsoft\Windows NT\CurrentVersion

Note: this setting and the winreg key only control the remote aspect of accessing the registry. Regardless of whether you are remote or local, you are still governed by the permissions on the actual registry keys you try to access. So this setting simply says these keys are available to any authenticated user on the network, but users can only query or modify the key as allowed by the permissions on the key itself. And again, the user can’t drill down to subkeys.

This is similar to how shared folders work on NTFS volumes. Sharing the folder makes it “visible” to users on the network but what they can do inside the folder is still limited by the folder’s actual ACL (as well as the share’s ACL). 

What about XP?

OK, so that’s how this setting works on Windows Server 2003 and later but what about XP? Well, it depends on whether you are viewing the setting in Local Security Policy on an XP computer or configuring this setting in a group policy object that gets applied to an XP computer.

If you are viewing this setting in Local Security Policy of an XP system, you are actually looking at “Network access: Remotely accessible registry paths and sub-paths”. In Windows Server 2003, MS did something very confusing: they created a new security setting and named it “Network access: Remotely accessible registry paths” and took the old setting with this name and renamed it to “Network access: Remotely accessible registry paths and sub-paths”. Therefore, when you are looking at XP’s Local Security Policy you should interpret “Network access: Remotely accessible registry paths” as “Network access: Remotely accessible registry paths and sub-paths”. 

If you edit a GPO residing on a Win2003 domain controller from an XP computer, I’m not sure whether both of these settings show up or how you should interpret them. Frankly, I’d stay away from it and stick with editing the GPO from Windows Server 2003 or later. When you edit a GPO on Windows Server 2003 or later, make sure you remember that this setting has no meaning to XP or earlier computers. On the other hand, “Network access: Remotely accessible registry paths and sub-paths” will be applied to XP and earlier computers as described.

Winreg

Remote access to the registry (i.e. access by users on other computers on the network) is provided by the Remote Registry service and is limited to the users listed in the ACL of the winreg key. For instance, you can open Registry Editor and connect to a different computer on the network. With the exception of keys specified in “Network access: Remotely accessible registry paths” and “Network access: Remotely accessible registry paths and sub-paths”, only users with an entry in the ACL of winreg can access the registry remotely. Having an entry in the winreg ACL, though, doesn’t give you remote access to the entire registry; Windows still enforces each key’s ACL. Winreg simply allows you to connect to the registry from another computer on the network. It doesn’t matter what permissions you grant the user in winreg’s ACL; they just need an entry in order to connect to the registry remotely.

Bottom line

For normal servers and workstations leave this setting configured with its default value. I am not aware of any vulnerabilities associated with it. For hardened systems clear this value and disable the Remote Registry service to prevent any remote access to the registry and protect against buffer overflows or related attacks specific to the Remote Registry service.
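The following PowerShell audit script is an added example, not part of the WinSecWiki page. It reads the values behind both settings (stored as the REG_MULTI_SZ value “Machine” under winreg’s AllowedExactPaths and AllowedPaths subkeys), compares the exact-path list against the defaults listed above, dumps the winreg ACL, and checks the Remote Registry service state. It assumes it is run locally with administrator rights on PowerShell 5 or later.

```powershell
# Added audit example (not from the WinSecWiki page). Assumes local admin rights and PowerShell 5+.
$winreg = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'

# Defaults for "Remotely accessible registry paths" as listed on the page (keys only, no subkeys)
$expectedExact = @(
    'System\CurrentControlSet\Control\ProductOptions',
    'System\CurrentControlSet\Control\Server Applications',
    'Software\Microsoft\Windows NT\CurrentVersion'
)

# Both settings live under winreg as the REG_MULTI_SZ value "Machine":
#   AllowedExactPaths -> "Network access: Remotely accessible registry paths"
#   AllowedPaths      -> "Network access: Remotely accessible registry paths and sub-paths"
function Get-RemotePathList([string]$SubKey) {
    $item = Get-ItemProperty -Path "$winreg\$SubKey" -Name Machine -ErrorAction SilentlyContinue
    if ($null -eq $item) { return @() }          # subkey or value missing: nothing exposed
    return @($item.Machine | Where-Object { $_ -ne '' })
}

$exact = Get-RemotePathList 'AllowedExactPaths'
$sub   = Get-RemotePathList 'AllowedPaths'

Write-Host 'Remotely accessible registry paths (exact keys, subkeys not reachable):'
$exact | ForEach-Object { Write-Host "  $_" }
$extra   = $exact | Where-Object { $expectedExact -notcontains $_ }
$missing = $expectedExact | Where-Object { $exact -notcontains $_ }
if ($extra)   { Write-Warning "Non-default exact paths exposed remotely: $($extra -join '; ')" }
if ($missing) { Write-Host "Default exact paths removed (expected on hardened systems): $($missing -join '; ')" }

Write-Host 'Remotely accessible registry paths and sub-paths:'
$sub | ForEach-Object { Write-Host "  $_" }

# Any principal with an entry here may connect remotely; per-key ACLs still govern what it can do.
Write-Host 'winreg ACL entries:'
(Get-Acl -Path $winreg).Access | ForEach-Object {
    Write-Host ('  {0,-40} {1,-6} {2}' -f $_.IdentityReference, $_.AccessControlType, $_.RegistryRights)
}

# On hardened systems the page recommends disabling the service so none of the above is reachable.
$svc = Get-Service -Name RemoteRegistry
Write-Host "Remote Registry service: Status=$($svc.Status) StartType=$($svc.StartType)"
if ($svc.StartType -ne 'Disabled') { Write-Warning 'Remote Registry service is not disabled' }
```

Run it before and after applying a hardening GPO to confirm the exact-path list was cleared and the service start type is Disabled.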
