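/// <summary>
/// Locks down the pGina root registry key: inheritance from the parent key is
/// switched off, Administrators and SYSTEM get Full Control, and every explicit
/// Allow rule for the users group is removed.
/// </summary>
/// <remarks>
/// Only the DACL is touched; owner and audit (SACL) settings are left as they are.
/// RemoveAccessRuleAll matches on identity and Allow/Deny type only, so all Allow
/// rules for <c>USERS_GROUP</c> are removed, not just read rules. Any other explicit
/// rule already present on a pre-existing key is left in place — NOTE(review): if
/// the key can exist before this runs, consider reviewing the remaining rules too.
/// The two ShowSecurity calls are unconditional debug dumps; the IsDebugEnabled
/// guard that once wrapped them was commented out.
/// </remarks>
private static void SetRegistryAcls()
{
    string pGinaSubKey = pGina.Shared.Settings.pGinaDynamicSettings.pGinaRoot;
    using (RegistryKey key = Registry.LocalMachine.CreateSubKey(pGinaSubKey))
    {
        // CreateSubKey reports failure by returning null rather than throwing.
        if (key == null)
        {
            return;
        }

        // Template used only to select rules for removal: identity and Allow
        // type are matched, the rights and inheritance flags are ignored.
        RegistryAccessRule usersAllowTemplate = new RegistryAccessRule(
            USERS_GROUP,
            RegistryRights.ReadKey,
            InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
            PropagationFlags.None,
            AccessControlType.Allow);
        RegistryAccessRule adminFull = new RegistryAccessRule(
            ADMIN_GROUP,
            RegistryRights.FullControl,
            InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
            PropagationFlags.None,
            AccessControlType.Allow);
        RegistryAccessRule systemFull = new RegistryAccessRule(
            SYSTEM_ACCT,
            RegistryRights.FullControl,
            InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
            PropagationFlags.None,
            AccessControlType.Allow);

        RegistrySecurity keySec = key.GetAccessControl();

        // Debug dump of the DACL before it is changed.
        ShowSecurity(keySec);

        // Stop inheriting from the parent and drop (do not copy) the inherited rules,
        // so that only the explicit rules below remain effective.
        keySec.SetAccessRuleProtection(true, false);

        // Full control for administrators and the local system account.
        keySec.AddAccessRule(adminFull);
        keySec.AddAccessRule(systemFull);

        // Remove every Allow rule for the users group (if any exist).
        keySec.RemoveAccessRuleAll(usersAllowTemplate);

        // Write the modified DACL back to the key.
        key.SetAccessControl(keySec);

        // Debug dump of the DACL as written.
        ShowSecurity(keySec);
    }
}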
/// <summary>
/// Restricts the Toopher root registry key to Administrators and SYSTEM:
/// inherited rules are discarded, both accounts receive Full Control, and every
/// explicit Allow rule for the users group is removed.
/// </summary>
/// <remarks>
/// Nothing happens when CreateSubKey returns null. Only the DACL is changed;
/// owner and audit settings are untouched. Because RemoveAccessRuleAll ignores
/// the rights on its template, all Allow rules for <c>USERS_GROUP</c> go, not
/// only read access; explicit rules for other identities remain as they were.
/// </remarks>
private static void SetRegistryAcls()
{
    string rootKeyPath = Abstractions.Settings.DynamicSettings.ROOT_KEY;
    using (RegistryKey rootKey = Registry.LocalMachine.CreateSubKey(rootKeyPath))
    {
        if (rootKey == null)
        {
            return;
        }

        InheritanceFlags inheritToChildren =
            InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit;

        // Identity-only template for the removal below; the rights are irrelevant.
        RegistryAccessRule usersAllow = new RegistryAccessRule(
            USERS_GROUP, RegistryRights.ReadKey, inheritToChildren,
            PropagationFlags.None, AccessControlType.Allow);
        RegistryAccessRule administratorsFull = new RegistryAccessRule(
            ADMIN_GROUP, RegistryRights.FullControl, inheritToChildren,
            PropagationFlags.None, AccessControlType.Allow);
        RegistryAccessRule localSystemFull = new RegistryAccessRule(
            SYSTEM_ACCT, RegistryRights.FullControl, inheritToChildren,
            PropagationFlags.None, AccessControlType.Allow);

        RegistrySecurity dacl = rootKey.GetAccessControl();

        // Protect the key from its parent and discard what was inherited.
        dacl.SetAccessRuleProtection(true, false);
        dacl.AddAccessRule(administratorsFull);
        dacl.AddAccessRule(localSystemFull);
        // Drops every Allow rule held by the users group.
        dacl.RemoveAccessRuleAll(usersAllow);

        rootKey.SetAccessControl(dacl);
    }
}
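/// <summary>
/// Demonstrates <see cref="RegistrySecurity.RemoveAccessRuleAll"/>: builds a
/// DACL with two Allow rules and one Deny rule for the current user, then removes
/// every Allow rule for that user with a single call. The security object is
/// never applied to a real key.
/// </summary>
public static void Main()
{
    // Identity by account name; it is resolved to a SID when the rule is built.
    string user = Environment.UserDomainName + "\\" + Environment.UserName;

    // Create a security object that grants no access.
    RegistrySecurity mSec = new RegistrySecurity();

    // Add a rule that grants the current user the right to read and
    // enumerate the name/value pairs in a key, to read its access rules,
    // to be notified of changes, to enumerate its subkeys, to set values,
    // to create subkeys, and to delete the key.
    // The rule is inherited by all contained subkeys.
    RegistryAccessRule rule = new RegistryAccessRule(user,
        RegistryRights.ReadKey | RegistryRights.WriteKey | RegistryRights.Delete,
        InheritanceFlags.ContainerInherit,
        PropagationFlags.None,
        AccessControlType.Allow);
    mSec.AddAccessRule(rule);

    // Add a rule that allows the current user to change the permissions
    // (the DACL) of a key. InheritOnly keeps it off the key itself and
    // NoPropagateInherit limits it to immediate child subkeys.
    rule = new RegistryAccessRule(user,
        RegistryRights.ChangePermissions,
        InheritanceFlags.ContainerInherit,
        PropagationFlags.InheritOnly | PropagationFlags.NoPropagateInherit,
        AccessControlType.Allow);
    mSec.AddAccessRule(rule);

    // Add a rule that denies the current user the right to set the
    // name/value pairs in a key. This rule has no inheritance or
    // propagation flags, so it affects only the key itself.
    rule = new RegistryAccessRule(user,
        RegistryRights.SetValue,
        AccessControlType.Deny);
    mSec.AddAccessRule(rule);

    // Display the rules in the security object.
    ShowSecurity(mSec);

    // Create a rule that allows the current user the right to take
    // ownership of the key, with no inheritance or propagation flags.
    // RemoveAccessRuleAll ignores the rights and flags and removes every
    // Allow rule for the current user; the Deny rule above is kept.
    rule = new RegistryAccessRule(user,
        RegistryRights.TakeOwnership,
        AccessControlType.Allow);
    mSec.RemoveAccessRuleAll(rule);

    // Show that all rules that allow access have been removed.
    ShowSecurity(mSec);
}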
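/// <summary>
/// Removes every Allow rule held by <paramref name="securityIdentifier"/> from
/// <paramref name="permissions"/>, in place.
/// </summary>
/// <remarks>
/// RemoveAccessRuleAll matches on identity and Allow/Deny type only, so the
/// FullControl rights on the template do not narrow the match: Allow rules with
/// any rights are removed, while Deny rules for the same SID are left untouched.
/// </remarks>
/// <param name="permissions">The registry DACL to modify.</param>
/// <param name="securityIdentifier">The SID whose Allow rules are removed.</param>
/// <exception cref="ArgumentNullException">Either argument is null.</exception>
private void RemoveRegistryAccessRuleAll(RegistrySecurity permissions, SecurityIdentifier securityIdentifier)
{
    if (permissions == null)
    {
        throw new ArgumentNullException(nameof(permissions));
    }
    if (securityIdentifier == null)
    {
        throw new ArgumentNullException(nameof(securityIdentifier));
    }

    // Identity-and-type template; the rights are ignored by RemoveAccessRuleAll.
    RegistryAccessRule allowTemplate = new RegistryAccessRule(
        securityIdentifier, RegistryRights.FullControl, AccessControlType.Allow);
    permissions.RemoveAccessRuleAll(allowTemplate);
}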