Security risks associated with granting permissions
I am in the process of a desktop lockdown review for a Windows XP deployment. We need to define the security risks associated with granting permissions to select directories and registry settings for the average user (member of local users). These permissions are required to allow applications to function. I have found white papers from Microsoft and CIS that recommend certain permissions, but none explain the impact of not granting those permissions.
The reason for granting permissions on registry keys and so forth is to allow custom groups the ability to run applications. The reason permissions are necessary is that some applications insist on making changes or opening files and keys as if to make changes -- permission usually granted only to administrators. Therefore, many companies have found that they need to make users members of administrative groups just so they can run certain applications. There is far less risk granting selected users permission on selected keys, files, etc., than there is in giving them administrative privileges, and therefore access to many more keys and files, as well as elevated privileges. On the other hand, if you are not using applications that require this level of access, then you should not be granting permissions. You may want to review the situation by using test groups, then try granting and not granting permissions while running applications to determine if there are some you can eliminate. The free utilities regmon and filemon available from Sysinternals
can help you determine exactly which items are being accessed.
This was first published in August 2003