Lesson 4: Including Registry Security

In this lesson, you will learn about registry security and the RegEdt32 security registry editor.


After completing this lesson, you will be able to

  • Understand the role of registry security in securing computers

  • Modify permissions on registry keys

Estimated lesson time: 15 minutes


Why Use Registry Security?

The registry is the central configuration database for Windows and most software installed on a Windows-based computer. Internally, the registry is viewed as a hierarchical structure of keys, which can contain either keys or values. Values are named identifiers containing simple data types such as integers (whole numbers) or strings (text) that store configuration information required for the operating system and installed applications that make use of the registry.

Because the information stored in the registry controls the configuration of the operating system, indiscriminate changes to it can dramatically affect the security of the system as a whole. For example, hackers could insert keys that would cause kernel-level drivers to be loaded, which would have open access to the system inside the kernel's security boundary. It would be possible to replace nearly any component of the operating system with a non-secure mimic, which would subsequently fail to prevent inappropriate access. Therefore, controlling access to the registry is critical to keeping a computer secure.

The registry itself is read from files on disk. This fact might lead you to believe that file system security could be used to secure the registry. However, file system security can be used only to secure files as a whole; it cannot be used to secure internal portions of a file independently. Because each registry file contains numerous keys, and because the keys require different security settings depending upon their function, file system security is not granular enough to provide security for the registry.

To learn more about the registry, its purpose, and structure, refer to the Microsoft Windows 2000 Server Resource Kit (Microsoft Press, 2002).

To properly implement security, registry keys have ACLs that determine exactly how security principals are able to access and modify the keys. ACLs in the registry work in exactly the same way as ACLs do for the rest of the system: they contain ACEs, each of which binds a specific security principal to a certain type of access that can be allowed or denied.

Editing the Registry

There are two primary registry editing tools:

  • Regedit, which was first included with Microsoft Windows 95, presents the registry as a single hierarchical tree. Because Windows 95 did not implement ACL security on registry keys, Regedit cannot manage registry permissions.

  • RegEdt32, which was first included with Windows NT 3.5, presents the registry in five different windows corresponding to the different files (also called hives) from which the keys are loaded. RegEdt32 is the only registry editing tool that allows administrators to directly modify registry key ACLs.

    Indiscriminately editing the registry is extremely likely to cause unintended malfunction. You should never edit the values or the ACL of a registry key unless you fully understand the impact on the operation of the system.

The operating system establishes registry security settings for crucial keys during its installation. Likewise, applications set permissions for their own registry keys when they are installed. Editing the registry is usually not required for routine administration, and modifying registry security is very rare.

However, various security tools such as the Internet Information Services (IIS) Lockdown tool and the Microsoft Baseline Security Analyzer will increase, or recommend manually increasing, the security of many registry keys. The settings in these tools have been established and tested by Microsoft and are appropriate for the level of security implemented by the specific tool.

Stay up to date on Microsoft security tools, practices, and checklists at http://www.microsoft.com/technet/security/tools/tools.asp

For the most part, registry key permissions are established so that users cannot modify registry keys outside the HKEY_CURRENT_USER hive. Administrators are permitted wide access to registry keys and are prevented only from seeing and modifying the portions of the registry where the Security Accounts Manager security database is stored. These settings are appropriate for the vast majority of users.

For facilities with a hierarchy of network administrators, it may be appropriate to create customized security settings. However, custom registry security settings must be rigorously tested in the context of every affected security group to ensure that computers operate properly. Strange and obscure errors are likely to result from the inability of applications and the operating system to read and change registry keys.

The registry in Windows 2000 is secure against all known registry attacks, and it is not normally necessary for administrators to modify registry security to keep users from causing problems. When registry permissions problems are discovered that allow hackers to exploit systems, Microsoft releases hotfixes to change security, so registry permissions are kept up to date through the normal patching mechanism.

Practice: Exploring the Registry

In this practice, you lower registry security to allow the administrator to explore the registry structure of the Security Accounts Manager for training purposes on a test machine. You will modify the permissions on a registry key to enable administrators to view the contents of the Security Accounts Manager.

This practice will reduce the security of the system that you perform it on, and it should only be performed on a test machine.

To view the contents of the Security Accounts Manager

  1. Click Start, and click Run.

  2. Type regedt32 in the Run dialog box, and press Enter.

  3. Click the HKEY_LOCAL_MACHINE window.

  4. Double-click SAM. Click the dimmed SAM key that appears below the top-level SAM key, as shown in Figure 4-17.

    Figure 4-17. The Registry Editor

  5. From the Security menu, choose Permissions.

  6. Select Administrators, and then select Allow Read. Click OK. Notice that the SAM key is now available.

  7. Double-click the SAM key to show its subkeys.

  8. Explore the SAM key to view details about how local accounts are stored on the server, as shown in Figure 4-18.

    Figure 4-18. Viewing key details in the Registry Editor

  9. Click the SAM subkey under the SAM key in HKEY_LOCAL_MACHINE.

  10. From the Security menu, choose Permissions.

  11. Click Administrators, and clear the Allow Read check box. Click OK.

  12. Close the registry editor.
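The practice above changes one ACE by hand in RegEdt32; the same ACL model (ACEs binding a principal to allowed or denied registry rights, as described under "Why Use Registry Security?") can be audited in bulk. The following is an added example, not code from the training kit: it uses PowerShell and the .NET Microsoft.Win32.Registry class (so it assumes a current Windows host rather than Windows 2000) to list Allow ACEs that grant write-type rights to broad principals on a constructed sample of sensitive keys, including the SAM\SAM key used in the practice.

```powershell
# Added example (not from the training kit): audit registry key ACLs from PowerShell.
# Assumes a current Windows host; the key list at the bottom is a constructed sample.
$WriteRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

function Get-RegistryKeyAcl {
    param([string]$SubKey)  # path under HKEY_LOCAL_MACHINE, e.g. 'SAM\SAM'
    # Open with ReadPermissions only: reading the DACL needs READ_CONTROL, not KEY_READ,
    # which is why this works on SAM\SAM even though Administrators cannot read its values
    # until the Allow Read ACE from the practice is added.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
        $SubKey,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadSubTree,
        [System.Security.AccessControl.RegistryRights]::ReadPermissions)
    if (-not $key) { throw "HKLM\$SubKey not found" }
    try { $key.GetAccessControl() } finally { $key.Close() }
}

function Find-WeakRegistryAces {
    param([string[]]$SubKeys)
    foreach ($sub in $SubKeys) {
        try { $acl = Get-RegistryKeyAcl -SubKey $sub }
        catch { Write-Warning "HKLM\${sub}: $($_.Exception.Message)"; continue }
        foreach ($ace in $acl.Access) {
            # A finding is an Allow ACE giving some write-type right to a broad principal.
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (($ace.RegistryRights -band $WriteRights) -eq 0) { continue }
            if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            [pscustomobject]@{
                Key       = "HKLM\$sub"
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Constructed sample: the SAM hive (the practice's key), the service definitions that
# decide which drivers load (the risk named in "Why Use Registry Security?"), and Run keys.
$sample = @('SAM\SAM', 'SYSTEM\CurrentControlSet\Services', 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
Find-WeakRegistryAces -SubKeys $sample | Format-Table -AutoSize
```

Run it from an elevated PowerShell session before and after the practice to confirm that step 11 restored the SAM\SAM ACL; an empty result means no broad principal holds write-type rights on the sampled keys.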

Lesson Review

  1. What security mechanism is used to provide security for registry keys?

  2. How are registry permissions problems in Windows 2000 normally dealt with?

  3. What tool is used to modify registry permissions in Windows?

Lesson Summary

  • The Windows 2000 registry stores configuration settings for the operating system and installed applications. Because these configuration settings affect security, controlling access to the registry is critical. Windows 2000 uses permissions to control access to registry keys.

  • Registry security is strong by default in Windows 2000, and it is not normally managed by administrators. Administrators can use RegEdt32 to immediately strengthen registry security when vulnerabilities are discovered.



MCSA/MCSE Self-Paced Training Kit (Exam 70-214): Implementing and Administering Security in a Microsoft Windows 2000 Network (Pro-Certification)
ISBN: 073561878X
Year: 2003
Pages: 82