Locking Down the Operating System

The Microsoft® Windows® 2000 and Microsoft Windows XP operating systems allow administrators to set permission-restricted access to the registry and to the file system, which keeps users from installing, modifying, or removing applications without the knowledge or permission of other users.

Administrators can change the security permissions on nodes in the registry or file system by using the Group Policy Microsoft Management Console snap-in, or the registry editor available with Windows 2000 (regedt32.exe) or Windows XP (regedit.exe). Administrators do not need to change the default security settings of Windows XP, because Office automatically installs and functions in a locked-down configuration. For more information, see Registry Overview in the "Microsoft Windows 2000 Scripting Guide," or Hardening Systems and Servers: Checklists and Guides.

Changing the default permissions in the registry or file system can adversely affect applications that store information in the registry, including Microsoft Office 2003 applications. For this reason, administrators should test any changes to the registry or file system before deploying those changes to users.

If needed, you can relax security settings in the registry. Instead of locking down the entire system, you can apply permission-restricted access to specific keys or sub-nodes of the registry or file system for writing, editing, or deletion.
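The following PowerShell script is an added example, not part of the original article, showing the per-key approach described above: it audits the ACL of a single registry key for write access granted to accounts other than Administrators and SYSTEM, and optionally replaces the key's ACL with one that leaves ordinary users read-only. It assumes a host with PowerShell available (not Windows 2000), and the key path is a constructed placeholder.

```powershell
# Added example (not from the original article). Audit one registry key's ACL
# for write-type rights held by non-administrative principals, and with -Harden
# replace the ACL so that only Administrators and SYSTEM can change the key
# while Users keep read access. Assumes a PowerShell-capable host.
param(
    [string]$KeyPath = 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp',  # placeholder path
    [switch]$Harden
)

$rights = [System.Security.AccessControl.RegistryRights]
$writeMask = $rights::SetValue -bor $rights::CreateSubKey -bor $rights::Delete
$trusted = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

# 1. Audit: flag every Allow ACE that grants a write-type right to a
#    principal outside the trusted set.
$acl = Get-Acl -Path $KeyPath
foreach ($ace in $acl.Access) {
    $isAllow  = $ace.AccessControlType -eq 'Allow'
    $canWrite = ($ace.RegistryRights -band $writeMask) -ne 0
    $isTrusted = $trusted -contains $ace.IdentityReference.Value
    if ($isAllow -and $canWrite -and -not $isTrusted) {
        Write-Warning ("{0} can modify {1} ({2})" -f $ace.IdentityReference, $KeyPath, $ace.RegistryRights)
    }
}

# 2. Optional hardening: stop inheriting, drop the existing ACEs, and grant an
#    explicit minimal set that propagates to subkeys.
if ($Harden) {
    $acl.SetAccessRuleProtection($true, $false)      # protect DACL, discard inherited ACEs
    foreach ($existing in @($acl.Access)) { [void]$acl.RemoveAccessRule($existing) }
    $inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $rules = @(
        New-Object System.Security.AccessControl.RegistryAccessRule('BUILTIN\Administrators', $rights::FullControl, $inherit, $prop, 'Allow'),
        New-Object System.Security.AccessControl.RegistryAccessRule('NT AUTHORITY\SYSTEM',    $rights::FullControl, $inherit, $prop, 'Allow'),
        New-Object System.Security.AccessControl.RegistryAccessRule('BUILTIN\Users',          $rights::ReadKey,     $inherit, $prop, 'Allow')
    )
    foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path $KeyPath -AclObject $acl
}
```

Get-Acl and Set-Acl accept file-system paths as well, so the same audit-then-restrict pattern applies to a directory that an application writes to.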

Because permission-restricted access to the registry and file system depends on NT authorization of an existing user account, locking down the system also implies regular maintenance of user IDs, passwords, and user accounts.

Terminal Services

A locked-down configuration is implemented by default when Terminal Services is enabled for either Windows 2000 or Windows XP. When Terminal Services is enabled, multiple users can simultaneously connect from remote network locations. If the operating system is not locked down, all users can change the configuration of the computer at any time, which could cause configuration problems.

When a Terminal Services-enabled system is locked down, the two branches of the registry, HKEY_CURRENT_USER (HKCU) and HKEY_LOCAL_MACHINE (HKLM), are affected; only an administrator of the locked-down computer has permissions to make changes to these areas. Locking the registry forces the administrator to administer the system on behalf of the users. If administrators cannot review and maintain Terminal Services, they should consider revising some of the restrictions or allowing one local user administrative access to perform needed maintenance (such as adding or removing software).

© 2009 Microsoft Corporation. All rights reserved.