The information contained within the Registry is vital to the reliability, stability, and performance of the system, so protecting the Registry is critical to the system's operation. Microsoft has done a much better job setting secure default permissions in Windows Server 2003 than it did with its previous operating systems, and Registry permissions are no exception: access to parts of the Registry is limited even for system administrators. For example, on the HKEY_LOCAL_MACHINE\SAM and HKEY_LOCAL_MACHINE\SECURITY keys, Administrators by default hold only Read Control and Write DAC, which lets them view and change the permissions but not read the keys' contents; only the SYSTEM account has full control there. If your system requires tighter access controls than the default permissions, you can set them from within the Registry Editor. Registry permissions are configured on a per-key basis (values have no permissions of their own; they are covered by their key's ACL), and subkeys inherit permissions from parent keys unless inheritance is broken on the subkey. Setting Registry key permissions is similar to setting permissions on files and folders within the NTFS file system. To set Registry key permissions, perform the following steps:
You can set numerous permissions within the advanced security settings for a particular key, including the following:
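The following script is an added example and is not code from the book. It shows the permission work described in this section and in the "Preventing Remote Access" section that follows: reading a key's ACL (including the SAM hive, where Administrators hold only Read Control and Write DAC), adding an entry with inheritance control, breaking inheritance, and replacing the default groups on the winreg key with specific accounts. It assumes PowerShell 2.0 or later running elevated on the server; CONTOSO\RemoteRegAdmins and CONTOSO\BackupSvc are hypothetical accounts standing in for the "specific user accounts" the text suggests.

```powershell
# Added example, not from the book. Assumes PowerShell 2.0 or later running elevated
# on the server being hardened. CONTOSO\RemoteRegAdmins and CONTOSO\BackupSvc are
# hypothetical accounts; substitute your own.
Set-StrictMode -Version 2
$winreg = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'

# Read a key's DACL by opening it with READ_CONTROL only. This is what makes
# HKLM\SAM and HKLM\SECURITY inspectable: Administrators hold Read Control there
# but not KEY_READ, so cmdlets that open the key for reading first (Get-Acl
# among them) fail on those hives, while the ACL itself is readable.
function Get-RegistryKeyAces {
    param([Parameter(Mandatory=$true)][string]$Path)    # e.g. 'HKLM\SAM'
    $hiveName, $subKey = $Path -split '\\', 2
    $hive = switch ($hiveName.ToUpper()) {
        'HKLM'  { [Microsoft.Win32.Registry]::LocalMachine }
        'HKCU'  { [Microsoft.Win32.Registry]::CurrentUser }
        default { throw "Unsupported hive: $hiveName" }
    }
    $key = $hive.OpenSubKey($subKey, [Microsoft.Win32.RegistryKeyPermissionCheck]::Default,
                            [System.Security.AccessControl.RegistryRights]::ReadPermissions)
    if ($key -eq $null) { throw "Cannot open $Path" }
    try {
        $rules = $key.GetAccessControl().GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
        foreach ($ace in $rules) {
            New-Object PSObject -Property @{
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights.ToString()
                Type      = $ace.AccessControlType.ToString()
                Inherited = $ace.IsInherited
            }
        }
    } finally { $key.Close() }
}

# Add or replace one ACE through the registry provider. $Inherit=$true is the
# Registry Editor's "This key and subkeys"; $false is "This key only".
function Set-RegistryKeyAce {
    param(
        [Parameter(Mandatory=$true)][string]$Path,          # provider path, e.g. 'HKLM:\SOFTWARE\App'
        [Parameter(Mandatory=$true)][string]$Identity,
        [Parameter(Mandatory=$true)][System.Security.AccessControl.RegistryRights]$Rights,
        [System.Security.AccessControl.AccessControlType]$Type = 'Allow',
        [bool]$Inherit = $true
    )
    $inh = if ($Inherit) { [System.Security.AccessControl.InheritanceFlags]::ContainerInherit } else { [System.Security.AccessControl.InheritanceFlags]::None }
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList $Identity, $Rights, $inh, ([System.Security.AccessControl.PropagationFlags]::None), $Type
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRule($rule)      # replaces an existing ACE for the same identity and type
    Set-Acl -Path $Path -AclObject $acl
}

# Remove every ACE for an identity (used to drop the default groups from winreg).
function Remove-RegistryKeyAces {
    param([Parameter(Mandatory=$true)][string]$Path, [Parameter(Mandatory=$true)][string]$Identity)
    $acl = Get-Acl -Path $Path
    $acl.PurgeAccessRules([System.Security.Principal.NTAccount]$Identity)
    Set-Acl -Path $Path -AclObject $acl
}

# Stop a key inheriting from its parent. $KeepExisting=$true copies the inherited
# ACEs as explicit ones first (the dialog's "Copy"), so nobody is locked out.
function Disable-RegistryKeyInheritance {
    param([Parameter(Mandatory=$true)][string]$Path, [bool]$KeepExisting = $true)
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $KeepExisting)
    Set-Acl -Path $Path -AclObject $acl
}

# 1. Check the default the text describes: Administrators should show only
#    ReadPermissions, ChangePermissions on SAM; SYSTEM should show FullControl.
Get-RegistryKeyAces -Path 'HKLM\SAM' | Format-Table Identity, Rights, Type -AutoSize

# 2. Restrict remote Registry access to specific accounts. Keep the LOCAL SERVICE
#    entry: the Remote Registry service runs under it and needs Read.
Disable-RegistryKeyInheritance -Path $winreg
Set-RegistryKeyAce -Path $winreg -Identity 'CONTOSO\RemoteRegAdmins' -Rights FullControl
Set-RegistryKeyAce -Path $winreg -Identity 'CONTOSO\BackupSvc'       -Rights ReadKey
Remove-RegistryKeyAces -Path $winreg -Identity 'BUILTIN\Administrators'
Remove-RegistryKeyAces -Path $winreg -Identity 'BUILTIN\Backup Operators'
Get-RegistryKeyAces -Path 'HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg' |
    Format-Table Identity, Rights, Inherited -AutoSize

# 3. Paths listed under AllowedPaths bypass the winreg ACL (subject only to the
#    keys' own permissions), so review the list whenever winreg is tightened.
(Get-ItemProperty -Path "$winreg\AllowedPaths").Machine
```

Get-RegistryKeyAces takes a plain `HKLM\...` path because it opens the key through .NET with an explicit access mask, whereas the three modifying functions take the provider's `HKLM:\...` form so that Get-Acl and Set-Acl can do the work. Run step 1 before and after any change to confirm that the ACL really contains what you intended, and test a remote `reg query` from a non-privileged account after step 2 to confirm that the connection is refused.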
Preventing Remote Access

In some cases you may want to control remote access to a system's Registry. You can do this by setting permissions on the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg key; the ACL on this key decides who may connect to the Registry from another system at all, before the permissions on the requested key are checked. By default, only Administrators, Backup Operators, and LOCAL SERVICE have access permissions to connect from another system. You may want to change the default permissions when only specific administrators or backup operators should have remote access. In this case, you could remove the default Administrators and Backup Operators groups and replace them with specific user accounts; keep the LOCAL SERVICE entry, because the Remote Registry service runs under that account. One caveat: the paths listed in the AllowedPaths subkey under winreg (the "Network access: Remotely accessible registry paths" security option) remain reachable remotely regardless of the winreg permissions, subject only to the permissions on the keys themselves, so review that list whenever you tighten winreg. If the system needs no remote Registry access at all, stopping and disabling the Remote Registry service is simpler than maintaining the key's ACL.

Auditing the Registry

Auditing the Registry may be beneficial in your network environment for security reasons, troubleshooting, or just general observation. No matter the reason, the auditing capabilities in Windows Server 2003 are very powerful and flexible. Two essential steps must take place before you can begin auditing the Registry. First, you must enable the Audit object access policy for successes, failures, or both (found under Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy), either through a Group Policy Object (GPO) or the local security policy; it's disabled by default, and until it is enabled any auditing entries you set on individual keys have no effect. For more information on GPOs, refer to Chapter 21, "Windows Server 2003 Group Policies." The next step after enabling auditing is to specify which Registry keys to audit, and to what extent, from within the Registry Editor. To enable auditing through a GPO, perform the following steps:
To enable auditing through the local policy, follow these steps:
Now you're ready to specify what to audit within the Registry. To begin auditing the Registry, perform the following steps:
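The following script is an added example and is not code from the book. It carries out both steps of the procedure above on a single Windows Server 2003 member server: enabling the Audit object access policy in the local policy, and then placing a system access control list (SACL) on a key so that changes are recorded. It assumes PowerShell 2.0 or later running elevated; HKLM:\SOFTWARE\Contoso\AppConfig is a hypothetical key chosen for auditing. In a domain, set the same policy in a GPO instead, since a GPO would otherwise overwrite the local setting.

```powershell
# Added example, not from the book. Assumes PowerShell 2.0 or later running elevated
# on a Windows Server 2003 member server. HKLM:\SOFTWARE\Contoso\AppConfig is a
# hypothetical key.
Set-StrictMode -Version 2

# Step 1: turn on "Audit object access". Server 2003 has no built-in auditpol.exe
# (Resource Kit only; standard from Vista/2008), so apply a minimal security
# template with secedit. AuditObjectAccess: 0 none, 1 success, 2 failure, 3 both.
function Enable-ObjectAccessAuditing {
    param([int]$Setting = 3)
    $inf = Join-Path $env:TEMP 'audit-object-access.inf'
    $db  = Join-Path $env:TEMP 'audit-object-access.sdb'
    @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Event Audit]
AuditObjectAccess = $Setting
"@ | Set-Content -Path $inf -Encoding Unicode
    secedit /configure /db $db /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
}

# Read the setting back by exporting the effective local policy rather than
# trusting the template just applied; a domain GPO may have replaced it.
function Get-ObjectAccessAuditSetting {
    $out = Join-Path $env:TEMP 'audit-export.inf'
    secedit /export /cfg $out /areas SECURITYPOLICY | Out-Null
    foreach ($line in Get-Content $out) {
        if ($line -match '^AuditObjectAccess\s*=\s*(\d)') { return [int]$matches[1] }
    }
    return 0
}

# Step 2: add one SACL entry to a key. The entry applies to subkeys too
# (ContainerInherit), mirroring "This key and subkeys" in the Registry Editor.
function Add-RegistryKeyAuditRule {
    param(
        [Parameter(Mandatory=$true)][string]$Path,      # provider path, e.g. 'HKLM:\SOFTWARE\Contoso\AppConfig'
        [string]$Identity = 'Everyone',
        [Parameter(Mandatory=$true)][System.Security.AccessControl.RegistryRights]$Rights,
        [Parameter(Mandatory=$true)][System.Security.AccessControl.AuditFlags]$Flags
    )
    $inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $rule = New-Object System.Security.AccessControl.RegistryAuditRule -ArgumentList $Identity, $Rights, $inherit, $prop, $Flags
    # -Audit is required to read the SACL (and write it back); it needs SeSecurityPrivilege.
    $acl = Get-Acl -Path $Path -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# List the SACL so the result can be verified without opening the Registry Editor.
function Get-RegistryKeyAuditRules {
    param([Parameter(Mandatory=$true)][string]$Path)
    foreach ($r in (Get-Acl -Path $Path -Audit).Audit) {
        New-Object PSObject -Property @{
            Identity  = $r.IdentityReference.Value
            Rights    = $r.RegistryRights.ToString()
            Flags     = $r.AuditFlags.ToString()
            Inherited = $r.IsInherited
        }
    }
}

$key = 'HKLM:\SOFTWARE\Contoso\AppConfig'
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
Enable-ObjectAccessAuditing -Setting 3
"AuditObjectAccess = {0}" -f (Get-ObjectAccessAuditSetting)
# Changes by anyone: both outcomes. Reads: failures only (attempts the DACL blocked).
# Auditing successful reads on a busy key floods the security log quickly.
Add-RegistryKeyAuditRule -Path $key -Rights 'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership' -Flags 'Success, Failure'
Add-RegistryKeyAuditRule -Path $key -Rights ReadKey -Flags Failure
Get-RegistryKeyAuditRules -Path $key | Format-Table Identity, Rights, Flags -AutoSize
```

The split between the two audit rules is deliberate: successful writes, deletions, and permission changes are what you want a record of, while successful reads on a frequently used key produce a flood of entries that fill the log and bury the events you care about, so reads are audited only when they fail.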
Analyzing Event Logs

After you've established auditing on the Registry, you can examine the results in the Event Viewer, like the events shown in Figure 20.7. Auditing generates security events, so all auditing events are written to the security log. On Windows Server 2003, Registry access appears as event ID 560 (Object Open) and event ID 567 (Object Access Attempt) with an Object Type of Key; the key is named in the event's internal form, such as \REGISTRY\MACHINE\SOFTWARE\..., rather than as HKEY_LOCAL_MACHINE.

Figure 20.7. Examining the Registry access in the security log.
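The following script is an added example and is not code from the book. It reads the security log and reduces the Registry access events described above (IDs 560 and 567) to a per-account, per-key summary, which is more useful than scrolling through the Event Viewer when many keys are audited. The parser is written against the field layout of a 560 "Object Open" message; the sample message in the script is constructed to match that layout and is not taken from a real server. It assumes PowerShell 2.0 or later and read access to the security log.

```powershell
# Added example, not from the book. Parses Windows Server 2003 security-log
# entries for Registry key access (event ID 560 "Object Open" and 567 "Object
# Access Attempt"); on Vista/2008 and later the equivalents are 4656 and 4663.
# Assumes PowerShell 2.0 or later. The sample message below is constructed.
Set-StrictMode -Version 2

# Pull the fields an analyst wants out of the free-text Message of a 560/567 event.
function ConvertFrom-ObjectAccessMessage {
    param([Parameter(Mandatory=$true)][string]$Message)
    if ($Message -notmatch 'Object Type:\s*Key') { return $null }   # not a Registry event
    $field = {
        param($name)
        if ($Message -match ("(?m)^\s*" + [regex]::Escape($name) + ":\s*(.+?)\s*$")) { $matches[1] } else { '-' }
    }
    # "Accesses" is a multi-line list that runs until the next field.
    $accesses = @()
    if ($Message -match '(?s)Accesses:\s*(.*?)\s*(Privileges|Access Mask):') {
        $accesses = @($matches[1] -split '\r?\n' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
    New-Object PSObject -Property @{
        ObjectName = & $field 'Object Name'
        User       = (& $field 'Primary Domain') + '\' + (& $field 'Primary User Name')
        Image      = & $field 'Image File Name'
        ProcessId  = & $field 'Process ID'
        Accesses   = $accesses
    }
}

# Read the live security log and summarise who touched which keys, and whether
# the access succeeded (SuccessAudit) or was denied (FailureAudit).
function Get-RegistryAccessSummary {
    param([int]$Newest = 5000)
    Get-EventLog -LogName Security -Newest $Newest |
        Where-Object { ($_.EventID -eq 560 -or $_.EventID -eq 567) -and $_.Message -match 'Object Type:\s*Key' } |
        ForEach-Object {
            $p = ConvertFrom-ObjectAccessMessage -Message $_.Message
            $p | Add-Member NoteProperty Time $_.TimeGenerated -PassThru |
                 Add-Member NoteProperty Outcome $_.EntryType -PassThru
        } |
        Group-Object User, ObjectName, Outcome |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Constructed sample of a 560 message (layout only; not from a real server).
$sample = @"
Object Open:
    Object Server:  Security
    Object Type:    Key
    Object Name:    \REGISTRY\MACHINE\SOFTWARE\Contoso\AppConfig
    Handle ID:  1428
    Operation ID:   {0,987654}
    Process ID: 2568
    Image File Name:    C:\WINDOWS\regedit.exe
    Primary User Name:  jdoe
    Primary Domain: CONTOSO
    Primary Logon ID:   (0x0,0x2A1B3)
    Client User Name:   -
    Client Domain:  -
    Client Logon ID:    -
    Accesses:   READ_CONTROL
            Set key value
            Create sub-key
    Privileges: -
    Restricted Sid Count:   0
    Access Mask:    0x20006
"@
ConvertFrom-ObjectAccessMessage -Message $sample | Format-List ObjectName, User, Image, Accesses

# On the server itself, with auditing in place:
# Get-RegistryAccessSummary -Newest 2000 | Format-Table -AutoSize
```

The summary groups on Outcome as well as user and key, so a burst of FailureAudit rows for one account against one key (repeated denied attempts) stands out from the routine SuccessAudit rows generated by the application that owns the key.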
Note: The default size of the security log in Windows Server 2003 is 131072KB (128MB). This is adequate for auditing a small number of keys; if you're auditing many different components, increase the maximum log size. Check the retention setting as well: with "Overwrite events as needed," the oldest audit records are silently discarded once the log fills, and with "Do not overwrite events," auditing stops when the log is full (and the server halts if the "Audit: Shut down system immediately if unable to log security audits" security option is also enabled), so size the log so that it never fills between archive runs.