Securing the Registry

For the most part, the Windows 2000 registry is secure because only locally logged on users with sufficient permissions can access it, and only Administrators and Backup Operators can access the registry from across the network. At least that's the theory, but without Service Pack 3 you might still be vulnerable.

To be sure that the registry is adequately protected against anonymous network access, follow these steps (closing the Local Security Authority (LSA) component of the registry to anonymous users is a separate check, covered later in this section):

  1. Open Regedt32.
  2. Go to the HKEY_LOCAL_MACHINE\SYSTEM hive.
  3. Open the \CurrentControlSet\Control\SecurePipeServers key.
  4. Select the \Winreg value.
  5. Choose Permissions from the Security menu and verify that Administrators have Full Control and that Backup Operators have Read access (if you want to enable Backup Operators to back up the registry from across the network).

If the key and values mentioned here don't exist, see Microsoft Knowledge Base Article Q153183 for information about creating them.

Windows 2000 systems that were upgraded from Windows NT might not have the appropriate registry ACLs, because existing ACLs aren't changed during the upgrade process. If this is the case, you should refer to the "Default Access Control Settings in Windows 2000" white paper for the appropriate ACLs. This document is available at http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/security/secdefs.asp.

Anonymous access to the Local Security Authority (LSA) should be restricted, making it difficult for anonymous users to obtain security information from a computer. Windows 2000 systems running Service Pack 3 or newer should have anonymous access restricted, but to verify the restriction, use the following steps:

  1. Open Regedt32.
  2. Go to the HKEY_LOCAL_MACHINE\SYSTEM hive.
  3. Open the \CurrentControlSet\Control\LSA key.
  4. Double-click the \RestrictAnonymous value and verify that the data reads 1. If the value doesn't exist, create a new key with the following attributes:
    • Key Name: restrictanonymous
    • Class: REG_DWORD
    • Data: 1
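The two Regedt32 procedures above (the winreg permissions check and the RestrictAnonymous check) can be audited from a script instead of by clicking through the registry editor. The following PowerShell script is an added example, not from the book; it assumes a Windows version with PowerShell (Windows 2000 itself has none, but both the SecurePipeServers\winreg key and the Lsa\RestrictAnonymous value still exist in later Windows versions), an elevated session, and that the only principals expected to hold Allow entries on winreg are the two the book names. The $expectedPrincipals list, the function names, and the dry-run remediation switch are assumptions of this example.

```powershell
# Added audit script (not from the book). Run in an elevated PowerShell
# session; it reads the same two registry locations the Regedt32 steps visit.
$winregPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
$lsaPath    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Principals the book expects on the winreg key. Assumption: if your Windows
# version grants read access to additional built-in service accounts, add
# them here rather than treating every extra entry as a finding.
$expectedPrincipals = @('BUILTIN\Administrators', 'BUILTIN\Backup Operators')
$fullControl = [System.Security.AccessControl.RegistryRights]::FullControl

function Test-WinregAcl {
    # $true when the key exists, Administrators hold Full Control, and no
    # Allow entry names a principal outside $expectedPrincipals.
    if (-not (Test-Path -Path $winregPath)) {
        Write-Warning 'winreg key is missing; see KB Q153183 for creating it'
        return $false
    }
    $ok  = $true
    $acl = Get-Acl -Path $winregPath
    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value
        # Write-Host keeps the listing out of the function's return value.
        Write-Host ('{0,-30} {1,-5} {2}' -f $id, $ace.AccessControlType, $ace.RegistryRights)
        if ($ace.AccessControlType -eq 'Allow' -and $expectedPrincipals -notcontains $id) {
            Write-Warning "unexpected Allow entry on winreg for $id"
            $ok = $false
        }
    }
    $adminFull = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'BUILTIN\Administrators' -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.RegistryRights -band $fullControl) -eq $fullControl
    }
    if (-not $adminFull) {
        Write-Warning 'Administrators do not have Full Control on winreg'
        $ok = $false
    }
    return $ok
}

function Test-RestrictAnonymous {
    # $true only when the RestrictAnonymous value exists under Lsa with data 1.
    $item = Get-ItemProperty -Path $lsaPath -Name 'RestrictAnonymous' -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        Write-Warning 'RestrictAnonymous is not set under Lsa'
        return $false
    }
    Write-Host "RestrictAnonymous = $($item.RestrictAnonymous)"
    return ($item.RestrictAnonymous -eq 1)
}

function Set-RestrictAnonymous {
    # Creates or overwrites the value exactly as step 4 describes: a REG_DWORD
    # named RestrictAnonymous with data 1. Nothing is written unless -Apply is given.
    param([switch]$Apply)
    if (-not $Apply) {
        Write-Host 'dry run: pass -Apply to write RestrictAnonymous = 1'
        return
    }
    New-ItemProperty -Path $lsaPath -Name 'RestrictAnonymous' -PropertyType DWord -Value 1 -Force | Out-Null
}

$winregOk = Test-WinregAcl
$lsaOk    = Test-RestrictAnonymous
if (-not $lsaOk) { Set-RestrictAnonymous }   # dry run; add -Apply to remediate
if ($winregOk -and $lsaOk) { Write-Host 'Both registry checks passed.' }
else { Write-Host 'One or more checks failed; review the warnings above.' }
```

The ACL check deliberately fails closed: any Allow entry for a principal not in the expected list is reported, because an extra entry on winreg widens who may open the registry across the network. The remediation function only writes when called with -Apply, so the script can be run read-only during an audit and re-run with the switch once the finding has been reviewed.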


Microsoft Windows 2000 Server Administrator's Companion
ISBN: 0735617856
Year: 2003
Pages: 320