Windows Registry Security
This section provides some background information on how Windows security permissions work, in particular with respect to Windows registry keys.
Each registry key has an associated access control list (ACL). Each access control entry (ACE) in the list either allows or denies a set of permissions to a user or group. “Deny” entries always take precedence over “Allow” entries.
We recommend not using “Deny” entries. If a user is a member of two groups, one that allows the permission, and one that denies the permission, the user will be denied that permission. It is better to restrict access simply by the absence of “Allow” entries in the list.
For a registry key, each permission entry (access control entry) can be either explicitly specified, or inherited from a parent key. The “HKEY_LOCAL_MACHINE\Software” key allows read access to all users, and by default, all sub-keys below that inherit that “Read” permission. As such, if you do not override the permissions on the ZDD security keys, all users will have permission to everything.
The next section provides illustrated instructions for setting the registry key permissions appropriately for ChangeMan ZDD using the Windows Registry Editor.
For registry keys, “Read” permission is actually a combination of the following four permissions:
-
Query value
-
Enumerate sub-keys
-
Notify (request change notifications)
-
Read control (ability to check access permissions)
To be granted read access, the user must have all four of these permissions. If you are missing any one of those four permissions, then the user will not have the ChangeMan ZDD permission defined by that registry key.
When setting permissions on ZDD security keys, we recommend disallowing access to a ChangeMan ZDD permission by removing only the “Notify” permission, rather than all four of the “Read” permissions. That will still allow the user to browse through the registry keys.
At a minimum, you must allow the “Read control” permission for all users on all keys in order to query the permissions. If a user does not have “Read control” permission for a registry key, we will be unable to check the permissions on any sub-key below that key.