Protecting the Registry


The information contained within the Registry is vital to the reliability, stability, and performance of the system. Protecting the Registry is therefore critical to the system's operation.

Microsoft has done a much better job setting secure default permissions in Windows Server 2003 than it did with its previous operating systems. Registry permissions are no exception. There is limited access to the Registry even for system administrators. For example, the HKEY_LOCAL_MACHINE\SAM and HKEY_LOCAL_MACHINE\SECURITY keys give administrators only read and write DAC access by default.

If your system requires tighter access controls than the default permissions, you can set them accordingly from within the Registry Editor. Registry permissions are configured on a per-key basis, but subkeys can inherit permissions from parent keys. Setting Registry key permissions is similar to setting permissions to files and folders within the NTFS file system. To set Registry key permissions, perform the following steps:

1. Within the Registry Editor, right-click the key for which you want to modify permissions and select Permissions.

2. The most common permission attributes used are displayed on the Permissions for <key> window. Specify Allow or Deny for the Full Control, Read, or Special Permissions settings.

3. If you want more granular control, click the Advanced button to display the Advanced Security Settings for <key>. Select the permissions that the key requires.

You can set numerous permissions within the advanced security settings for a particular key, including the following:

  • Full Control

  • Query Value

  • Set Value

  • Create Subkey

  • Enumerate Subkey

  • Notify

  • Create Link

  • Delete

  • Write DAC

  • Write Owner

  • Read Control
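The same permissions can be applied from a script. The following is an added example, not code from the book: it gives a key explicit entries using the RegistryRights names that correspond to the dialog entries listed above. It assumes an elevated PowerShell 5.1 or later session, and the key path is a placeholder created for the demonstration.

```powershell
# Added example (not the book's code): apply explicit permissions to a
# Registry key with the same rights the Advanced Security Settings dialog
# lists. Assumptions: elevated PowerShell 5.1 or later; the key path below is a
# placeholder created for the demonstration.
$keyPath = 'HKLM:\SOFTWARE\ExampleApp'
New-Item -Path $keyPath -Force | Out-Null

$acl = Get-Acl -Path $keyPath

# Stop inheriting the parent key's entries and drop the inherited copies,
# so the key carries only the entries defined here.
$acl.SetAccessRuleProtection($true, $false)

# RegistryRights names map onto the dialog's entries: QueryValues, SetValue,
# CreateSubKey, EnumerateSubKeys, Notify, CreateLink, Delete,
# ChangePermissions (Write DAC), TakeOwnership (Write Owner),
# ReadPermissions (Read Control) and FullControl.
function New-KeyRule([string]$Identity, [string]$Rights, [string]$Type) {
    New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList @(
        $Identity,
        [System.Security.AccessControl.RegistryRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,   # subkeys inherit
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]$Type
    )
}

# SYSTEM and Administrators keep full control; everyone else can only read.
$acl.AddAccessRule((New-KeyRule 'NT AUTHORITY\SYSTEM' 'FullControl' 'Allow'))
$acl.AddAccessRule((New-KeyRule 'BUILTIN\Administrators' 'FullControl' 'Allow'))
$acl.AddAccessRule((New-KeyRule 'NT AUTHORITY\Authenticated Users' 'QueryValues, EnumerateSubKeys, Notify, ReadPermissions' 'Allow'))

Set-Acl -Path $keyPath -AclObject $acl

# Verify the result the way the Permissions dialog would show it.
(Get-Acl -Path $keyPath).Access |
    Select-Object IdentityReference, RegistryRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```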

Preventing Remote Access

In some cases you may want to control remote access into a system's Registry. You can do this by setting permissions in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg key. By default, only administrators, backup operators, and the LOCAL SERVICE have access permissions to connect from another system.

You may want to change the default permissions when you want only specific administrators or backup operators to have access. In this case, you could remove the default Administrators and Backup Operators groups and replace them with specific user accounts.
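Before changing the winreg permissions it is worth knowing who currently holds them. This added example (not from the book) reads the key's ACL and flags any principal outside the default set described above; the expected list is an assumption to adjust for your environment.

```powershell
# Added example (not the book's code): review who may connect to this
# machine's Registry remotely by reading the winreg key's ACL and flagging any
# principal outside an expected set. Assumption: the expected set below
# reflects the defaults described above; adjust it for your environment.
$winreg   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
$expected = @('BUILTIN\Administrators', 'BUILTIN\Backup Operators', 'NT AUTHORITY\LOCAL SERVICE')

function Get-WinregAccessReport {
    $acl = Get-Acl -Path $winreg
    foreach ($ace in $acl.Access) {
        $who = $ace.IdentityReference.Value
        [pscustomobject]@{
            Status    = if ($expected -contains $who) { 'expected' } else { 'REVIEW' }
            Principal = $who
            Type      = $ace.AccessControlType
            Rights    = $ace.RegistryRights
            Inherited = $ace.IsInherited
        }
    }
}

# Entries marked REVIEW are principals that can open the Registry remotely
# but are not on the expected list; confirm each one is intentional.
Get-WinregAccessReport | Sort-Object Status | Format-Table -AutoSize
```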

Auditing the Registry

Auditing the Registry may be beneficial in your network environment for security reasons, troubleshooting, or just general observation. No matter the reason, the auditing capabilities with Windows Server 2003 are very powerful and flexible.

Two essential steps must take place before you can begin auditing the Registry. First, you must enable object access auditing for successes or failures, either through a Group Policy Object (GPO) or a local policy (it's disabled by default). For more information on GPOs, refer to Chapter 21, "Windows Server 2003 Group Policies." The next step after enabling auditing is to specify, from within the Registry Editor, which Registry keys to audit and to what extent.

To enable auditing through a GPO, perform the following steps:

1. Open Active Directory Users and Computers from the Start, Administrative Tools menu.

2. In the right pane, right-click the domain and select Properties.

3. Click the Group Policy tab.

4. Select the Default Domain Policy object or a specific GPO that you want to use for auditing.

5. Click Edit and then expand to Computer Configuration, Windows Settings, Security Settings, Local Policies, Audit Policy.

6. Double-click the Audit object access setting.

7. Check the Define These Policy Settings box and then check either Success or Failure.

8. Click Apply and then OK to close the GPO editor.

To enable auditing through the local policy, follow these steps:

1. Open Local Security Policy (or Default Domain Controllers Security Setting) from the Start, Administrative Tools menu.

2. Expand Local Policies and select Audit Policy.

3. Double-click the Audit object access setting.

4. If the Define These Policy Settings box isn't already checked, check it and then check either Success or Failure.

5. Click Apply and then OK to close the GPO editor.

Now you're ready to specify what to audit within the Registry. To begin auditing the Registry, perform the following steps:

1. Within the Registry Editor, right-click the key that you want to audit and select Permissions.

2. Click the Advanced button to display the Advanced Security Settings for <key>. Select the permissions that the key requires.

3. Select the Auditing tab and click the Add button.

4. In the Select User or Group dialog box, enter the users or groups that you want to monitor. For example, you can type auth and then click Check Names to populate the Authenticated Users group.

5. Click OK. This will bring up the Auditing Entry for <key> dialog box.

6. Select Successful and/or Failed for each access to audit. Note that checking Successful or Failed for Full Control will enable all other accesses.

7. Check the Apply These Auditing Entries to Objects and/or Containers Within This Container box only if you want to minimize what you are auditing.

8. Click OK three times to return to the Registry Editor.

9. Close the Registry Editor.
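The auditing entry created by these steps can also be written from a script. This added example (not from the book) adds a SACL entry for Authenticated Users that audits only the accesses that change a key, rather than Full Control, which would turn on every access. It assumes an elevated session (writing a SACL requires the security privilege), that Audit object access is already enabled, and uses a placeholder key path.

```powershell
# Added example (not the book's code): add a Registry auditing entry
# equivalent to the steps above, auditing Authenticated Users for successful
# and failed changes to the key and its subkeys.
# Assumptions: elevated PowerShell 5.1 or later (writing a SACL needs
# SeSecurityPrivilege); "Audit object access" is already enabled; the key
# path is a placeholder created for the demonstration.
$keyPath = 'HKLM:\SOFTWARE\ExampleApp'
New-Item -Path $keyPath -Force | Out-Null

# -Audit makes Get-Acl read the SACL (auditing entries) as well as the DACL.
$acl = Get-Acl -Path $keyPath -Audit

# Audit the accesses that modify the key, not Full Control: as the text notes,
# Full Control enables every access and would flood the security log.
$rights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'

$rule = New-Object System.Security.AccessControl.RegistryAuditRule -ArgumentList @(
    'NT AUTHORITY\Authenticated Users',
    $rights,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,   # subkeys too
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure'
)
$acl.AddAuditRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# Show the resulting auditing entries as the Auditing tab would list them.
(Get-Acl -Path $keyPath -Audit).Audit |
    Select-Object IdentityReference, RegistryRights, AuditFlags, InheritanceFlags |
    Format-Table -AutoSize
```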

Analyzing Event Logs

After you've established auditing on the Registry, you can examine the results in the Event Viewer, like the events shown in Figure 20.7. Auditing is a security-related event, so any auditing events are written to the security log.

Figure 20.7. Examining the Registry access in the security log.
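Beyond browsing the security log in Event Viewer, the audit records can be pulled out and summarized. This added example (not from the book) collects Registry audit events and groups them by key and account; it assumes the event IDs used from Windows Vista/Server 2008 onward (4657 for a modified value, 4663 for an access attempt) and their XML field names, whereas Server 2003 itself logs the older 560-series object access events.

```powershell
# Added example (not the book's code): summarize Registry audit events from
# the security log by key and account.
# Assumptions: Windows Vista/Server 2008 or later event IDs and field names
# (4657 = Registry value modified, 4663 = object access attempted); on
# Server 2003 the equivalent records are the older 560-series events.
function Get-RegistryAuditSummary([int]$MaxEvents = 500) {
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657, 4663 } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        # Parse the event XML into a name/value table of its EventData fields.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        # 4663 also covers files; keep only Registry keys. 4657 is always a key.
        if ($e.Id -eq 4657 -or $d.ObjectType -eq 'Key') {
            [pscustomobject]@{
                Time    = $e.TimeCreated
                Id      = $e.Id
                Account = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Process = $d.ProcessName
                Key     = $d.ObjectName
                Value   = $d.ObjectValueName
            }
        }
    }

    # Most-touched key/account pairs first: a quick view of who is changing what.
    $rows | Group-Object Key, Account |
        Sort-Object Count -Descending |
        Select-Object Count, Name, @{ n = 'Latest'; e = { ($_.Group | Sort-Object Time)[-1].Time } }
}

Get-RegistryAuditSummary | Select-Object -First 20 | Format-Table -AutoSize
```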


Note

The default size of the security log in Windows Server 2003 is 131072KB (128MB). This is an adequate size for auditing. If you're auditing many different components, increasing the maximum log size is recommended.





Microsoft Windows Server 2003 Unleashed (R2 Edition)
ISBN: 0672328984
Year: 2006
Pages: 499