
Permissions Mode Behavior Under Terminal Services



This article was previously published under Q298372



Summary

When a user logs on to a terminal server, the link propagation protocol, Link State Algorithm (LSA), determines whether the terminal server is in Full Security or Relaxed Security mode. If the server is in Relaxed mode, LSA adds the TsUserSID attribute to the user's security token.

Because the settings of certain registry subfolders and file system folders provide near-power-user-level access to TsUserSID, any user on such a Relaxed mode server can make changes to those objects.

These permissions are necessary when a power user starts legacy programs that the power user should be able to run successfully.



More information

When a user places a terminal server in Relaxed Security mode, the following program compatibility measures are taken:
  1. LSA adds TsUserSID to the user's token when the user logs on. The TsUserSID settings, which were initially set during the operating system installation from the Defltsv.inf file, allow the access that is noted in the following list.

    Note: The following format is known as SDDL, which is documented in MSDN. Only the TsUserSID entry (the S-1-5-13 string) from that file is documented in the following list.
    [Registry Keys] 
    "MACHINE\Software",2,"D:P(A;CI;GR;;;BU)(A;CI;GRGWSD;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GRGWSD;;;S-1-5-13)"
    "MACHINE\SOFTWARE\Microsoft\Tracing",2,"D:P(A;CI;GR;;;BU)(A;CI;GRGWSD;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GR;;;S-1-5-13)"
    ;The following keys need to be writable by TERMINAL_SERVER_USER for App-Compat
    "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths",2,"D:P(A;CI;GR;;;BU)(A;CI;GRGWSD;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GRGWSD;;;S-1-5-13)"
    "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace",2,"D:P(A;CI;GR;;;BU)(A;CI;GRGWSD;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GRGWSD;;;S-1-5-13)"
    "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks",2,"D:P(A;CI;GR;;;BU)(A;CI;GRGWSD;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GRGWSD;;;S-1-5-13)"
    "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs",2,"D:P(A;CI;GR;;;BU)(A;CI;GRGWSD;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GRGWSD;;;S-1-5-13)"
    "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",2,"D:P(A;CI;GR;;;BU)(A;CI;GRGWSD;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GRGWSD;;;S-1-5-13)"
    ;---------------------------------------------------------------------------------------------
    ;ProgramFiles
    ;---------------------------------------------------------------------------------------------
    "%SceInfProgramFiles%",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)(A;CIOI;GRGWGXSD;;;S-1-5-13)"
    ;Directories with a legacy history being changed for security reasons
    "%SystemRoot%\help",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)(A;CIOI;GRGWGX;;;S-1-5-13)"
  2. When a user starts a program that is not Terminal Services-aware in a user context, the user receives an "access denied" error when the program attempts to open a restricted registry key. The registry code then attempts to open the same key again with the maximum permissions that the user can have (typically read-only) and returns that handle to the program. Most legacy programs open a key with write/create privileges but only perform read actions, so they still run correctly.

    There is a global setting to enable or disable this behavior. The default is to provide this behavior in Relaxed Security mode. This behavior is controlled through the following registry value:
    Key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server
    Value: "RegistryExtensionFlags", 0x1 [bit mask, 1st bit]
  3. When a non-Terminal Services-aware program that is running in the user context attempts to change or write a value under HKCR or HKLM\Software\Classes, the change is redirected to the user's own HKCU\Software\Classes; when necessary, a whole sub-branch is created under HKCU\Software\Classes.

    There is a global setting to enable or disable this behavior. The default setting applies primarily to Relaxed Security mode. You can control this behavior through the following registry value:
    Key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server
    Value: "RegistryExtensionFlags", 0x2 [bit mask, 2nd bit]
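As an added example that is not part of the KB article, the following Python parses Defltsv.inf-style lines of the kind listed above, reports which objects the S-1-5-13 (TERMINAL_SERVER_USER) ACE lets a Relaxed-mode user modify, and decodes the two RegistryExtensionFlags bits described in items 2 and 3. The sample lines are copied from the article's excerpt; the function names and the comment line are my own.

```python
import re

# Rights letters that appear in the Defltsv.inf excerpt (SDDL generic/standard rights).
MODIFY_RIGHTS = {"GW", "GA", "SD"}   # write, all access, delete: any of these lets TS users change the object
TS_USER_SID = "S-1-5-13"             # TERMINAL_SERVER_USER, added to the token by LSA in Relaxed mode

# Sample input (constructed for this example): three lines taken from the article's Defltsv.inf excerpt.
SAMPLE_INF = r'''
"MACHINE\Software",2,"D:P(A;CI;GR;;;BU)(A;CI;GRGWSD;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GRGWSD;;;S-1-5-13)"
"MACHINE\SOFTWARE\Microsoft\Tracing",2,"D:P(A;CI;GR;;;BU)(A;CI;GRGWSD;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GR;;;S-1-5-13)"
;Comment lines such as this one are skipped
"%SystemRoot%\help",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)(A;CIOI;GRGWGX;;;S-1-5-13)"
'''

ACE_RE = re.compile(r"\(([^)]*)\)")                 # one (...) group per ACE
LINE_RE = re.compile(r'^"([^"]+)",\d+,"(D:[^"]*)"')  # "object",mode,"SDDL"

def split_rights(field):
    """Split an SDDL rights field such as 'GRGWSD' into two-letter tokens.
    SDDL also allows hex masks (0x...); this excerpt only uses letter pairs."""
    return [field[i:i + 2] for i in range(0, len(field), 2)]

def ace_rights_for_sid(sddl, sid):
    """Collect the rights that access-allowed ACEs in `sddl` grant to `sid`."""
    rights = []
    for ace in ACE_RE.findall(sddl):
        # ACE fields: type;flags;rights;object_guid;inherit_object_guid;account_sid
        parts = ace.split(";")
        if len(parts) == 6 and parts[0] == "A" and parts[5] == sid:
            rights.extend(split_rights(parts[2]))
    return rights

def ts_user_can_modify(inf_text):
    """Map each object in the INF text to whether TERMINAL_SERVER_USER may modify it."""
    result = {}
    for line in inf_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:  # blank lines and ';' comments
            continue
        rights = ace_rights_for_sid(m.group(2), TS_USER_SID)
        result[m.group(1)] = bool(MODIFY_RIGHTS.intersection(rights))
    return result

def registry_extension_behaviors(flags):
    """Decode the RegistryExtensionFlags bit mask the article describes (1st and 2nd bit)."""
    return {"reopen_with_max_allowed": bool(flags & 0x1),
            "redirect_classes_to_hkcu": bool(flags & 0x2)}
```

Running ts_user_can_modify over a full Defltsv.inf gives an inventory of the keys and folders a Relaxed-mode user can write to, which is the set worth monitoring when a server cannot be switched to Full Security.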



Keywords: KB298372, kbinfo


Article Info
Article ID : 298372
Revision : 8
Created on : 3/1/2007
Published on : 3/1/2007