[266] in winnt
Re: Securing the WinNT root.
daemon@ATHENA.MIT.EDU (Paul B. Hill)
Mon Nov 16 16:51:47 1998
Date: Mon, 16 Nov 1998 16:51:05 -0500
To: "Stephen D. Dowdy" <sdowdy@MIT.EDU>, ntpartners@MIT.EDU
From: "Paul B. Hill" <pbh@MIT.EDU>
In-Reply-To: <3.0.5.32.19981116162854.009f07b0@po10.mit.edu>
Hi,
>I've heard that a rumor that NT 5 compliance may mean not to have .ini
>files but rather include these things in the registry.
This has been the trend for several years already. The Logo requirements
make Microsoft's thinking on the subject a bit clearer.
>It seems to me that
>will only complicate things more cause now we'll need to allow user access
>to the registry.
Users already have access to the directory. I think the issue that you are
concerned about is _write_ access.
User's already have write access to part of the registry, even when you
have performed some lock down. The registry is a heirarchy. One branch is
for the currently logged in user.
The Logo requirements are really an effort to get application developers,
including Microsoft's own developers, to use the registry properly. E.g.
There is configuration information that is global but there is also
configuration information that is specific to individual users. Today, most
applications don't make a proper distinction and become a nightmare to manage.
> Is/are these rumors or is there a real direction towards
>the use of registry over .ini ??? If so... will registry now have its own
>set of permissions so that administrators can do their thing and users can
>store preferences without worrying about other users preferences?
If the applications actually meet the Logo requirements then the system
should be manageable.
> Also, as
>this thing continues to grow, how the heck will we ever know how to clean
>it up?
Personally, I think Microsoft still has a long way to go in this area. But
since their revenue is driven by upgrades ...
>I already am seeing many user profiles proliferating across many
>machines. At least I know which ones I might delete from the local
>machine. I certainly wouldn't want to start scanning the registry for
>potential clean-up activities.
>
I've heard people from Microsoft say that they are working on making
roaming profiles much better but I haven't looked into that area enough
yet. On the other hand, a lot of the registry issues that you are worrying
about are addressed by the MSI work that is part of NT 5.0.
An early article on the subject can be found at
http://www.winntmag.com/Magazine/Article.cfm?IssueID=30&ArticleID=3152
A more detailed article can be found at
http://www.microsoft.com/msj/0998/windowsinstallertop.htm
Paul
