COMMAND

    regedit

SYSTEMS AFFECTED

    WinNT

PROBLEM

    Jacques Forster found the following.  NT4 System Policies can enforce
    some application behaviour.  For example, when the "Restrict access
    to registry tools" policy is enforced, users can run neither
    REGEDIT.EXE nor REGEDT32.EXE.  In fact it is the application code
    itself that checks the policy status (stored in the registry) and
    behaves accordingly.  In that case, REGEDIT/REGEDT32 will pop up a
    message telling the user that the application was "disabled by the
    system administrator".

    All this is fine but  Jacques discovered that a "restricted"  user
    can safely  create a  ".REG" file  with notepad  or any dumb ASCII
    editor, then double click on it and thus launch REGEDIT.EXE.  What
    is  wrong  here  is  that   REGEDIT  will  accept  launching   and
    interpreting the  REG file,  and modify  the registry accordingly.
    This was tested on SP4 machines.

    If you bring in a copy of regedit that you've renamed fred.exe, it
    will work fine.  As discovered, the policy only checks the initial
    program being launched, not what other programs it may call, what
    libraries it may load, what other programs it may let the user
    launch (shell behavior) etc.  So, for your example, you have to
    block .reg files, too.  There's nothing to stop you from writing
    your own registry editor, or using Windows Perl, or most any
    scripting language.

SOLUTION

    This happens because .reg is associated with regedit.  Change that
    association to something benign, like notepad.  There are ways to
    trick someone into double-clicking a .reg file that might do
    something destructive - people have been known to stick them on
    web sites.  If the association has been changed, then this threat
    is removed.  You can still always type regedit whatever.reg from a
    command prompt if you really want to change the registry.  As an
    extra measure, remove non-administrators' rights to edit the key
    (HKLM\Software\Classes\regfile) that controls this association.
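    The two measures above, as an added example that is not part of the
    original advisory: a PowerShell script (run elevated on a current
    Windows host) that reports the current .reg handler, points the
    association at notepad, and lists any ACE on the regfile key that
    lets a non-administrator change it back.  The shell\open\command
    subkey is the standard location of the launch command; the list of
    "administrative" identities is an assumption you should adjust.

```powershell
# Added example, not code from the original advisory.
# Requires an elevated session; modifies HKLM.
$regfileKey = 'HKLM:\Software\Classes\regfile'
$commandKey = Join-Path $regfileKey 'shell\open\command'

# 1. What does double-clicking a .reg file launch right now?
$current = (Get-ItemProperty -Path $commandKey -Name '(default)').'(default)'
Write-Output "Current .reg handler: $current"
if ($current -match 'regedit') {
    Write-Warning 'Double-clicking a .reg file imports it into the registry.'
}

# 2. Re-point the association at a benign viewer, as the advisory suggests.
#    Notepad only displays the file; nothing is imported.  An admin can
#    still import deliberately with: regedit whatever.reg
Set-ItemProperty -Path $commandKey -Name '(default)' -Value 'notepad.exe "%1"'

# 3. Audit the key that holds the association.  Any Allow ACE granting a
#    write-type right to a non-administrative identity means a restricted
#    user could simply restore the regedit association.
$writeRights = [System.Security.AccessControl.RegistryRights]`
    'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
# Assumed set of identities that are expected to hold write access.
$adminLike = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM',
               'CREATOR OWNER', 'NT SERVICE\TrustedInstaller')
$acl = Get-Acl -Path $regfileKey
foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if ($adminLike -contains $ace.IdentityReference.Value) { continue }
    if (($ace.RegistryRights -band $writeRights) -ne 0) {
        Write-Warning ('{0} can modify {1} ({2}{3})' -f $ace.IdentityReference,
            $regfileKey, $ace.RegistryRights,
            $(if ($ace.IsInherited) { ', inherited' } else { '' }))
    }
}
```

    Inherited ACEs flagged by step 3 have to be dealt with on the parent
    key (or by breaking inheritance on regfile) rather than removed
    directly from this key.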

    This is not a big deal as long as your registry keys are properly
    protected through ACLs, but as everyone knows the default security
    on the registry is rather poor...  Conclusion: don't rely on System
    Policies to protect your registry!  Even if users can't import
    (diskette, mail, ...) other registry tools (those that don't "read"
    policy settings), they still can use REGEDIT.  You'd better protect
    REGEDIT.EXE itself through an ACL ...