Setting Permissions on the Base Security Key
To set permissions on the ChangeMan ZDD security keys, we can use the Windows Registry Editor (regedit.exe). You will need to have Windows Administrator privileges for this.
The first and most complicated step is to configure the permissions on the base security key. This is the most important key, because all the sub-keys will inherit their permissions from this key.
To begin the process, first select the ChangeMan ZDD base security key:
- HKEY_LOCAL_MACHINE\Software\Micro Focus\ChangeMan ZDD\Security
Right-click the “Security” key and select “Permissions…” from the popup menu. Alternatively, select “Edit” > “Permissions” from the menu bar.
Select the group “Users”, which is the default group to which all users belong. Notice that it allows “Read” permission to all users. The checkbox for “Read” is disabled (grayed out), because the permission is inherited and cannot be changed directly.
In the ChangeMan ZDD security system, “Read” permission to a key grants a user access to the ZDD privilege that it represents. We will need to override that “Read” permission, because if all the sub-keys inherit that permission, all users will have permissions to all ZDD privileges.
For effective security control, we must change the default permissions on our base security key so that not all users have “Read” permission. All its sub-keys will inherit the updated permissions, so the default will no longer be to allow the privileges.
Press the “Advanced” button to display the access list for this registry key.
Notice that all permission entries are inherited from “Machine\Software”. You will not be allowed to remove or change inherited entries. To be able to edit them, we must disable inheritance.
Check the box labeled “Replace all child object permission entries with inheritable permission entries from this object”. Then press the “Disable inheritance” button.
When prompted, be sure to select the option to convert the inherited permission into explicit permissions. We want to edit the permission entries, but not lose them.
Notice that now all of the permission entries indicate that they are not inherited (inherited from “None”).
To apply the changes to the registry key, you must press the “Apply” button.
When prompted, press the “Yes” button to continue.
Now that the permission entries are explicit entries for this key, we can change them. Next, we need to change permissions for the “Users” group, so that not everyone has “Read” permission. Select the “Users” group and press the “Edit” button.
Remember that the “Read” permission is actually a combination of four permissions:
- Query value
- Enumerate sub-keys
- Notify (request change notifications)
- Read control (ability to check access permissions)
We cannot simply uncheck the box for “Read” permissions. That would remove all four of the above permissions. At a minimum, everybody needs “Read control” permission to all keys, which allows us to query the permissions for that key. Without “Read control” permission, we would be unable to check the permissions for any of the sub-keys.
We need to be more granular than the combined “Read” permission. Click on the “Show advanced permissions” link.
On the advanced permission view, you can see all four of the permissions that compose the “Read” permission. It is sufficient simply to remove any one of the four permissions, other than “Read control”. We recommend that you uncheck the “Notify” permission, and leave the others alone.
Press the “OK” button to return.
Notice that the access for the “Users” entry now indicates “Special” rather than “Read”. Users require the complete set of “Read” permissions to have the ChangeMan ZDD privilege associated with that key.
All the sub-keys will inherit this set of permissions. The sub-keys will not allow any ZDD privilege by default. You will now explicitly have to grant “Read” permissions on the sub-keys below this base security key.
Be sure to press the “Apply” button to set the new permissions on the registry key.
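To confirm the result of the steps above without reopening regedit, the following read-only PowerShell audit can be run against the base security key. It is an added example, not part of the ChangeMan ZDD documentation or product; it assumes the key path shown on this page and the well-known SID of the built-in “Users” group.

```powershell
# Added example: read-only audit of the base security key ACL.
# Assumption: key path as given on this page.
$keyPath = 'HKLM:\Software\Micro Focus\ChangeMan ZDD\Security'

# "Read" = Query value + Enumerate sub-keys + Notify + Read control (0x00020019).
$readKey     = [int][System.Security.AccessControl.RegistryRights]::ReadKey
# GENERIC_READ (0x80000000) maps to the full "Read" set on registry keys and can
# appear on entries that apply to sub-keys, so it is treated as full Read as well.
$genericRead = [int]::MinValue
$usersSid    = 'S-1-5-32-545'   # well-known SID of BUILTIN\Users
$sidType     = [System.Security.Principal.SecurityIdentifier]

$acl = Get-Acl -Path $keyPath

# Check 1: inheritance from Machine\Software must be disabled on this key.
if ($acl.AreAccessRulesProtected) {
    Write-Output 'OK: inheritance is disabled on the base security key.'
} else {
    Write-Warning 'Inheritance is still enabled; parent entries still apply to this key.'
}

# Check 2: no Allow entry for Users may carry the complete "Read" set.
$entries = foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if ($ace.IdentityReference.Value -ne $usersSid) { continue }
    $mask = [int]$ace.RegistryRights
    [pscustomobject]@{
        Rights         = '0x{0:X8}' -f $mask
        Inherited      = $ace.IsInherited
        AppliesTo      = "$($ace.InheritanceFlags) / $($ace.PropagationFlags)"
        GrantsFullRead = (($mask -band $readKey) -eq $readKey) -or
                         (($mask -band $genericRead) -ne 0)
    }
}
$entries | Format-Table -AutoSize

if ($entries | Where-Object { $_.GrantsFullRead }) {
    Write-Warning 'Users still holds the complete Read set; sub-keys would grant ZDD privileges by default.'
} else {
    Write-Output 'OK: Users does not hold the complete Read set on the base security key.'
}
```

With “Notify” unchecked as recommended, the “Users” entry should report rights of 0x00020009 and `GrantsFullRead` of `False`.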