Article ID: 298372 - Last Review: March 1, 2007 - Revision: 4.4

Permissions Mode Behavior Under Terminal Services

This article was previously published under Q298372

When a user logs on to a terminal server, the link propagation protocol, Link State Algorithm (LSA), determines whether the terminal server is in Full Security or Relaxed Security mode. If the server is in Relaxed mode, LSA adds the TsUserSID attribute to the user's security token.

Because the settings of certain registry subfolders and file system folders provide near-power-user-level access to TsUserSID, any user on such a Relaxed mode server can make changes to those objects.

These permissions are necessary when a power user starts legacy programs that the power user should be able to run successfully. When a user places a terminal server in Relaxed Security mode, the following program compatibility measures are taken:
- LSA adds TsUserSID to the user's token when the user logs on.
The TsUserSID settings, because they were initially set during the operating system installation from the Defltsv.inf file, allow the access that is noted in the following list.

Note: The following format is known as SDDL, which is documented in MSDN. Only the TsUserSID entry (the S-1-5-13 string) from that file is documented in the following list.

[Registry Keys]
"MACHINE\Software",2,"D:P(A;CI;GR;;;BU)(A;CI;GRGWSD;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GRGWSD;;;S-1-5-13)"
"MACHINE\SOFTWARE\Microsoft\Tracing",2,"D:P(A;CI;GR;;;BU)(A;CI;GRGWSD;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GR;;;S-1-5-13)"
;The following keys need to be writable by TERMINAL_SERVER_USER for App-Compat
"MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths",2,"D:P(A;CI;GR;;;BU)(A;CI;GRGWSD;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GRGWSD;;;S-1-5-13)"
"MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace",2,"D:P(A;CI;GR;;;BU)(A;CI;GRGWSD;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GRGWSD;;;S-1-5-13)"
"MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks",2,"D:P(A;CI;GR;;;BU)(A;CI;GRGWSD;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GRGWSD;;;S-1-5-13)"
"MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs",2,"D:P(A;CI;GR;;;BU)(A;CI;GRGWSD;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GRGWSD;;;S-1-5-13)"
"MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",2,"D:P(A;CI;GR;;;BU)(A;CI;GRGWSD;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GRGWSD;;;S-1-5-13)"
;---------------------------------------------------------------------------------------------
;ProgramFiles
;---------------------------------------------------------------------------------------------
"%SceInfProgramFiles%",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)(A;CIOI;GRGWGXSD;;;S-1-5-13)"
;Directories with a legacy history being changed for security reasons
"%SystemRoot%\help",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)(A;CIOI;GRGWGX;;;S-1-5-13)"
- When a user starts a program that is not Terminal Services-aware in a user context, the user receives an "access denied" error when the program attempts to open a restricted registry key. The reg-code then attempts to open the same key again with the maximum permissions that the user can have (typically read-only) and returns that handle to the program. Most legacy programs open a key with write/create privileges but only perform read actions, so legacy programs still run correctly.
There is a global setting to enable or disable this behavior. The default is to provide this behavior when in Relaxed Security mode. This behavior is controlled through the following key:
HKLM, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server"
"RegistryExtensionFlags", 0x1 [bit mask, 1st bit]
- When a non-Terminal Services-aware program that is running in the user context attempts to change or write a value under HKCR and HKLM\Software\Classes, the change is redirected to that user's own HKCU\Software\Classes; therefore, when necessary, a whole sub-branch is created under HKCU\Software\Classes.
There is a global setting to enable or disable this behavior. The default setting is available primarily for Relaxed Security mode. You can control this behavior through the following key:
HKLM, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server"
"RegistryExtensionFlags", 0x2 [bit mask, 2nd bit]
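As an added example (not part of this article and not Microsoft's code), the following Python script parses Defltsv.inf entries like those listed above, reports which rights each entry grants to S-1-5-13, flags the objects that Terminal Server Users can modify, and decodes the two RegistryExtensionFlags bits described above. The three sample entries are copied from the excerpt on this page; the script assumes the SDDL rights are written as two-letter generic codes only, as they are in that file.

```python
import csv
import re

# Constructed sample: three entries copied from the Defltsv.inf excerpt above
# (a key writable by S-1-5-13, a read-only key, and a file-system folder).
DEFLTSV_LINES = [
    '"MACHINE\\Software",2,"D:P(A;CI;GR;;;BU)(A;CI;GRGWSD;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GRGWSD;;;S-1-5-13)"',
    '"MACHINE\\SOFTWARE\\Microsoft\\Tracing",2,"D:P(A;CI;GR;;;BU)(A;CI;GRGWSD;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GR;;;S-1-5-13)"',
    '"%SystemRoot%\\help",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)(A;CIOI;GRGWGX;;;S-1-5-13)"',
]
TS_USER_SID = "S-1-5-13"            # TERMINAL_SERVER_USER, the TsUserSID the article discusses
MODIFY_RIGHTS = {"GA", "GW", "SD"}  # generic all / generic write / delete: more than read and execute
ACE_RE = re.compile(r"\(([^)]*)\)")

def parse_sddl_dacl(sddl):
    """Split a DACL-only SDDL string 'D:P(...)(...)' into (type, flags, [rights], trustee) tuples.
    Assumes rights are concatenated two-letter generic codes (GR, GW, GX, GA, SD), as in this
    file; hex access masks such as 0x1200a9 are not handled."""
    if not sddl.startswith("D:"):
        raise ValueError("expected a DACL string starting with 'D:'")
    aces = []
    for body in ACE_RE.findall(sddl):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, flags, rights, _object_guid, _inherit_guid, trustee = fields
        aces.append((ace_type, flags, [rights[i:i + 2] for i in range(0, len(rights), 2)], trustee))
    return aces

def ts_user_rights(inf_line):
    """Return (object, sorted rights granted to S-1-5-13, True if they allow modification)."""
    obj, _mode, sddl = next(csv.reader([inf_line]))  # inf entries are CSV with quoted fields
    granted = set()
    for ace_type, _flags, rights, trustee in parse_sddl_dacl(sddl):
        if ace_type == "A" and trustee == TS_USER_SID:  # access-allowed ACEs for TsUserSID only
            granted.update(rights)
    return obj, sorted(granted), bool(granted & MODIFY_RIGHTS)

def decode_registry_extension_flags(value):
    """Name the app-compat behaviors a RegistryExtensionFlags value enables (bits from the article)."""
    bits = {0x1: "reopen a restricted key with the maximum access the user is allowed",
            0x2: "redirect HKCR / HKLM\\Software\\Classes writes into HKCU\\Software\\Classes"}
    return [name for bit, name in bits.items() if value & bit]

if __name__ == "__main__":
    for obj, rights, modifiable in map(ts_user_rights, DEFLTSV_LINES):
        print(f"{'MODIFIABLE' if modifiable else 'read-only '} {obj}: {' '.join(rights)}")
    print(decode_registry_extension_flags(0x3))
```

Running it against a full Defltsv.inf shows at a glance which keys and folders a Relaxed mode server lets every Terminal Server User write to, which is the set worth reviewing before leaving that mode enabled.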
APPLIES TO
- Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
- Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)