Control Values: Registry Permissions (Windows)

Some controls identify the permissions that are set on a Windows registry key for different user groups and individual users. To save space, the compliance module assigns each permission a letter (A,B,C,D,...) and uses the letter instead of the full permission name.

When specifying the default expected value for a control in the Policy Editor or when creating a custom Registry Permission control, you must use the mapping described below. In your reports the service provides a legend that translates these values to the permissions they represent.

This table maps each letter to the permission it represents.

Security Templates

Registry permissions are often granted using security templates, which are logical groupings of permissions. The following table describes the security templates applicable to registry keys, and how the list of permissions for these templates will appear in your policy compliance reports.

Example

The registry key "HKLM\SYSTEM" has the following permissions set:

The Administrators group has Full Control permission.
The Users group has Read permission.
User named Robert has Read Control permission.

These permissions translate to:

Administrators:D:E:F:G:H:I:J:K:L:M
Users:E:F:I:M
Robert:M

Permission Translation Table in Compliance Reports

A permission translation table is provided for each registry permission control included in your compliance reports. The translation table appears below the Expected Value and Actual Value fields in the Detailed Results section of the report, and maps each letter that appears in the Actual Value field with the permission it represents. See sample report output below.