All Applications Package Permission Question

  • Question

  • Hello,

    I'm hoping someone can help me with some information here. We are setting up a group of Windows 10 PCs for testing to get ready for an upgrade to the new OS. Our current Default Domain Policy, however, breaks the 'Start Menu' (it does nothing when you click it) when any of the PCs are joined to the domain. In my research I found that the 'All Application Packages' account needs to have read-only access to the Registry in the GPO (Computer Configuration > Windows Settings > Security Settings > Registry).

    In a test GPO I created and linked to the Windows 10 PCs, I gave permission to the keys under the Registry GPO setting and the Start Menu worked again. I take it away, and it breaks. My question is, since our Default Domain Policy GPO currently covers a few 2003 servers, mostly 2008/2008 R2, Windows 7, and some Server 2012, are there any major security risks that we should be aware of by giving All Application Packages read-only access to the keys under the Registry GPO?

    Hopefully I'm clear enough here :).

    Thanks!
    Kyle


    • Edited by Kibbis Friday, January 20, 2017 2:39 PM
    Friday, January 20, 2017 2:37 PM

Answers

  • > Default Domain Policy GPO currently covers a few 2003 servers, mostly 2008/2008 R2 and some Server 2012, are there any major security risks that we should be aware of by giving All Application Packages Read Only access to the keys under the Registry GPO?
     
    I suggest cleaning up the registry permissions in the DDP and moving them over to more specific GPOs targeting the appropriate Windows version (via WMI filtering). Create 2 of them, one for "up to 2008 R2", one "starting with 2012".
     
    If you simply modify the DDP and include the All Application Packages account, this will result in errors on all 2003/2008 servers in the Application Event Log, since the GP security extension will be unable to add the App Packages SID to the Registry ACL.
     
    Anyway - there's no security risk at all.
     
    • Marked as answer by Kibbis Tuesday, January 24, 2017 4:54 PM
    Friday, January 20, 2017 2:57 PM

All replies

  • Agreed. We were thinking that would be the best way forward here.

    Another question regarding the Registry GPO. Is there any real reason to have permissions set for that in the GPO? Any serious security reasons/hardening? I guess what I'm trying to ask here is: is there any real harm in taking the registry settings out completely?
    Friday, January 20, 2017 4:27 PM
  • Hi,
    Windows apps run with very limited user rights compared to their non-Windows 8 counterparts that run with standard user rights by default. Windows apps can access only those resources (files, folders, registry keys, and DCOM interfaces) to which they have been explicitly granted access (“ALL APPLICATION PACKAGES”). Please see details from: https://technet.microsoft.com/en-us/library/hh832040.aspx#BKMK_AccessPermsGP
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, January 23, 2017 6:09 AM
    Moderator
  • > Is there any real reason to have permissions set for that in the GPO? Any serious security reasons/hardening?
     
    I don't know... Starting with Vista/2008, we never modified reg permissions. In XP/2003 this was necessary, but MS adjusted privs so the default privs are quite OK now :-)
     
    > I guess what I'm trying to ask here is there any real harm in taking the registry settings out completely?
     
    No. Throw them away :-)
     
    Monday, January 23, 2017 8:59 AM
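
As an added example (not code from this thread or from Microsoft), the PowerShell below turns the three points made above into a check you can run on a test box before touching the DDP: the accepted answer's note that the All Application Packages SID (S-1-15-2-1) can only be added to an ACL on Windows 8 / Server 2012 (NT 6.2) and later, so a remediation must be gated by OS version the way the suggested WMI filter is; Wendy's point that Windows apps only reach keys where that identity has been explicitly granted access; and the last reply's claim that the out-of-box permissions are already adequate, which the audit lets you confirm on a clean machine. The key list (HKLM\SOFTWARE and HKLM\SYSTEM) and the `$Remediate` switch are assumptions for illustration; substitute whatever keys your Registry GPO setting actually lists, and run it in an elevated session.

```powershell
# Added example, not from the original thread. Audits whether the
# 'ALL APPLICATION PACKAGES' identity (well-known SID S-1-15-2-1) holds at
# least ReadKey on a set of registry keys, gates remediation on an OS that
# actually knows that SID (NT 6.2 = Windows 8 / Server 2012 and later, the
# same split the accepted answer proposes for WMI-filtered GPOs), and can add
# the default-style read ACE where it is missing. Run elevated.
#Requires -Version 3.0

$script:AllAppPackagesSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-15-2-1'

function Test-AppPackageSidSupported {
    # Equivalent to a WMI filter on Win32_OperatingSystem.Version: the SID is
    # only a valid principal on NT 6.2 and later. On 2003/2008 the GP security
    # extension cannot add it, which produces the Application log errors the
    # answer mentions.
    $ver = [version](Get-CimInstance -ClassName Win32_OperatingSystem).Version
    return ($ver -ge [version]'6.2')
}

function Get-AppPackageRegistryAccess {
    param(
        # Assumed list for illustration. On Windows 8/2012+ these two hives
        # carry an 'ALL APPLICATION PACKAGES: Read' ACE out of the box.
        [string[]]$KeyPath = @('HKLM:\SOFTWARE', 'HKLM:\SYSTEM')
    )
    $readKey = [System.Security.AccessControl.RegistryRights]::ReadKey
    foreach ($path in $KeyPath) {
        $acl = Get-Acl -Path $path
        $granted = [System.Security.AccessControl.RegistryRights]0
        # Ask for rules keyed by SID rather than account name, so the check
        # also works on an OS where S-1-15-2-1 has no friendly name.
        foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
            if ($ace.IdentityReference.Value -eq $script:AllAppPackagesSid.Value -and
                $ace.AccessControlType -eq 'Allow') {
                $granted = [System.Security.AccessControl.RegistryRights]($granted -bor $ace.RegistryRights)
            }
        }
        [pscustomobject]@{
            Key     = $path
            HasRead = (($granted -band $readKey) -eq $readKey)
            Rights  = $granted
        }
    }
}

function Grant-AppPackageReadAccess {
    param([Parameter(Mandatory = $true)][string]$KeyPath)
    if (-not (Test-AppPackageSidSupported)) {
        throw "S-1-15-2-1 is not a valid principal on this OS version; deliver this ACE from a separate, WMI-filtered GPO instead."
    }
    # Mirror the default ACE: Read on this key and all subkeys
    # (ContainerInherit, no propagation restriction), Allow.
    $rule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule -ArgumentList @(
        $script:AllAppPackagesSid,
        [System.Security.AccessControl.RegistryRights]::ReadKey,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow
    )
    $acl = Get-Acl -Path $KeyPath
    $acl.AddAccessRule($rule)
    Set-Acl -Path $KeyPath -AclObject $acl
}

# Usage: report first; only change ACLs when explicitly asked to.
$Remediate = $false   # assumption: flip to $true to apply the ACE on a test machine
$report = Get-AppPackageRegistryAccess
$report | Format-Table -AutoSize
if ($Remediate) {
    foreach ($entry in ($report | Where-Object { -not $_.HasRead })) {
        Grant-AppPackageReadAccess -KeyPath $entry.Key
    }
}
```

On a freshly installed Windows 10 machine the report should show `HasRead = True` for both keys; on a domain-joined test PC that exhibits the broken Start Menu it should show `False` for whichever key the DDP re-ACLs, which is the quickest way to identify exactly which Registry entries in the policy need to move into the version-specific GPO. Leave `$Remediate` off for anything beyond a lab box: the durable fix is the GPO split, not a per-machine script.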