Subject: Re: RestrictGuestAccess on WinReg??
From: subscribe (subscribeCRAZYTRAIN.COM)
Date: Wed Oct 04 2000 - 00:29:13 CDT


Hi Dave

I've been reading the posts on this topic; is it time for my 2 cents? Here
goes:

Pipes are used to allow communication between processes. For example, PA
and PB want to play nice. A pipe is formed and used so that they can play
nice. This shared pipe is actually a chunk of memory which PA and PB use
to communicate within.

There are TWO types of named pipes: 1) anonymous and 2) named
..anonymous pipes are used for 1-way communication, and on that local
machine only. Essentially, PA tells PB to do something.
..named pipes are used for 2-way communication, and these can reside on 2
or more machines (i.e., not local).

Moving forward...

HKLM\System\CurrentControlSet\Control\SecurePipeServers\winreg = this key
dictates which users and/or groups can access the registry remotely. Or,
more appropriately, the security setting on this key dictates which users
and/or groups may access the registry remotely.

If 'winreg' is not there, then there is no restriction on remote access to
registry (hello PWDUMP!!). The default install for NT Workstation does not
include this key. The default install for NT Server includes this key and
the permission is set to Administrators, Full Control.

Now, where the gray areas arise....

There may be another subkey here, \AllowedPaths, and this might be why the
document says to set the RestrictGuestAccess.

The \AllowedPaths key can contain any number of strings, each of which
represents an entry (entries) in the registry. These can be read by
EVERYONE! The usefulness of this is to allow for the monitoring of
printers, performance, etc. \AllowedPaths does NOT care what the
permissions are on \winreg. So, you may have Admin only on winreg, but
down here it doesn't matter. However, by adding RestrictGuestAccess
subkey, it would appear that you are forcing the issue and not allowing
guest access, regardless of this subkey. (or am I so out of the water
here?!!?)

Another thought is that since some services NEED to access the registry
remotely (replicator and spooler services), perhaps when the document you
are reading was written, the RestrictGuestAccess subkey was added because
it was 'easier' to deny one (guest) than to add all (replicator, group for
monitoring printer > they need read access as well) who need access and
their permissions??

Alright, it's 2a.m., I need some sleep.

thomas
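
The settings discussed in the message above can be inspected with a read-only audit like the following. This is an added example, not part of the original post; the list of expected principals is an assumption, and `Machine` is the multi-string value that holds the AllowedPaths entries.

```powershell
# Added example: read-only audit of the winreg settings described in the post.
# Run from an elevated prompt so the key's ACL can be read.
$winreg = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'

if (-not (Test-Path -Path $winreg)) {
    # Per the post: without this key, remote registry access is not restricted.
    Write-Warning 'winreg key is missing: its ACL is not restricting remote registry access.'
}
else {
    # 1. The ACL on winreg decides which users/groups may open the registry remotely.
    $acl = Get-Acl -Path $winreg
    $acl.Access |
        Select-Object IdentityReference, RegistryRights, AccessControlType |
        Format-Table -AutoSize | Out-String | Write-Output

    # Assumption: only these principals are expected; names differ on localized systems.
    $expected = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $expected -notcontains $_.IdentityReference.Value } |
        ForEach-Object {
            Write-Warning "Unexpected Allow entry: $($_.IdentityReference) ($($_.RegistryRights))"
        }

    # 2. AllowedPaths: per the post, paths listed here are readable remotely
    #    whatever the ACL on winreg says.
    $allowedKey = Join-Path -Path $winreg -ChildPath 'AllowedPaths'
    if (Test-Path -Path $allowedKey) {
        # 'Machine' is the multi-string value holding paths relative to HKLM.
        $item = Get-ItemProperty -Path $allowedKey -Name 'Machine' -ErrorAction SilentlyContinue
        foreach ($path in @($item.Machine)) {
            if (-not $path) { continue }
            $exists = Test-Path -Path "HKLM:\$path"
            Write-Output ("AllowedPaths entry: {0} (exists locally: {1})" -f $path, $exists)
        }
    }
    else {
        Write-Output 'No AllowedPaths subkey: no ACL-exempt paths are configured.'
    }

    # 3. Report whether anything named RestrictGuestAccess sits under winreg,
    #    as a subkey (the post's wording) or as a value.
    $asSubkey = Test-Path -Path (Join-Path -Path $winreg -ChildPath 'RestrictGuestAccess')
    $asValue  = (Get-Item -Path $winreg).GetValueNames() -contains 'RestrictGuestAccess'
    Write-Output "RestrictGuestAccess present: subkey=$asSubkey value=$asValue"
}
```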