You might also want to look into what's really available in the registry these days. It isn't much. First, remote access to the registry is gated by the permissions on HKLM\System\CurrentControlSet\Control\SecurePipeServers\Winreg. Any user with ANY (doesn't matter what - read, write, anything) level of permissions to that key is allowed remote access to the registry as gated by the ACL on the specific keys.
Default for this is admins and backup ops. If malicious admins have network access to your system, you have MUCH bigger problems than just the registry.

Next gating factor is the values contained in the AllowedPaths key just below that. While there are some information leaks available on XP (assuming you can authenticate), I don't think you'll find anything that is remotely writable. On Win2k3, there is an AllowedExactPaths key - values in this key only allow access to the exact key cited, not any of the subkeys, as AllowedPaths would. Due to the increased restrictions on remote access to the registry on Win2k3, you won't even find much along the lines of information leaks there.

So when you're looking into restricting access to something, it always pays off to thoroughly understand the access mechanisms that are already in place, and what they really allow.

Something else to remember is that people have to authenticate in the first place to do anything. I often find it handy to set the right to log on from the network (or the deny version of the same) to restrict this. Another interesting approach is to use IPSec to accomplish the same thing. Before you go looking into what an IDS system can do, it might be best to look into what the OS can do first.

Hope this helps -

-----------------------------------
This information is provided in an attempt to be helpful. Your Mileage May Vary. It is most certainly not an official statement on behalf of my employer.
-----------------------------------

> -----Original Message-----
> From: securitylists [mailto:[EMAIL PROTECTED]
> Sent: Monday, May 22, 2006 2:00 AM
> To: [email protected]
> Subject: VS: Restricting Remote Registry Access
>
> You might want to check this address: http://www.silentrunners.org/ so that you'll get some kind of an idea of a number of "critical" keys in the registry. That software only checks keys that can be used to launch programs on the target computer... And there are LOT OF THEM..
>
> Pauli Porkka\PrettyBit Software Oy
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> > Sent: 11 May 2006 17:28
> > To: [email protected]
> > Subject: Restricting Remote Registry Access
> >
> > Hello All,
> >
> > I am currently looking into restricting remote registry access to certain parts of the registry. I understand and know how to completely restrict remote access, but my intention is to block access to only certain keys. I am attempting to do this using a Cisco Host IDS agent which has registry control features. My question is, are there any critical registry keys that should definitely be restricted? I am looking for something like a top 10 or top 20 most commonly targeted registry keys. That way I can allow remote access to the registry, just not to those 10 or 20 keys. Thanks
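The following PowerShell script is an added example and is not part of the thread above or of any poster's own tooling. It audits, on the local machine, the gates the reply describes: the ACL on the winreg key, the AllowedPaths (prefix match) and AllowedExactPaths (exact match, absent on XP) values, and the "Access this computer from the network" allow/deny user rights. It implements the check the way Microsoft documents it: a caller holding an ACE on winreg reaches the whole registry (still subject to each key's own ACL), while a caller without one reaches only the listed paths. The key paths are the standard ones; the function names, the probe paths and the temporary export file are my own choices. Run it from an elevated prompt.

```powershell
# Added example: audit what remote registry access is actually gated by.
# Assumption: the winreg key and its AllowedPaths/AllowedExactPaths subkeys
# are at their standard locations (true on XP/2003 and later).
$winreg = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'

# Gate 1: any ACE on winreg (read, write, anything) opens the remote pipe.
function Get-WinregAcl {
    (Get-Acl -Path $winreg).Access |
        Select-Object IdentityReference, RegistryRights, AccessControlType, IsInherited
}

# Gate 2: paths reachable by callers that hold NO ACE on winreg.
# The 'Machine' value is REG_MULTI_SZ, one registry path per element.
function Get-RemoteRegistryAllowedPaths {
    $result = @{}
    foreach ($sub in 'AllowedPaths', 'AllowedExactPaths') {
        $key = Join-Path $winreg $sub
        if (Test-Path $key) {
            $result[$sub] = @((Get-ItemProperty -Path $key -Name Machine -ErrorAction SilentlyContinue).Machine)
        } else {
            $result[$sub] = @()   # AllowedExactPaths does not exist on XP
        }
    }
    return $result
}

# AllowedPaths matches the listed key and everything below it;
# AllowedExactPaths matches only the listed key itself.
function Test-RemotePathAllowed {
    param(
        [Parameter(Mandatory)][string]$Path,      # e.g. 'System\CurrentControlSet\Services\Eventlog'
        [Parameter(Mandatory)][hashtable]$Allowed
    )
    $p = $Path.TrimEnd('\')
    foreach ($prefix in $Allowed['AllowedPaths']) {
        if ($p -eq $prefix -or $p -like "$prefix\*") { return "allowed via AllowedPaths '$prefix'" }
    }
    foreach ($exact in $Allowed['AllowedExactPaths']) {
        if ($p -eq $exact) { return "allowed via AllowedExactPaths '$exact'" }
    }
    return 'not listed: reachable only by principals with an ACE on winreg'
}

# Gate 0: the caller must be allowed to authenticate over the network at all.
# Exports the local policy with secedit and reads the two user rights.
function Get-NetworkLogonRights {
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'   # temporary file, my choice of name
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $lines = Get-Content -Path $cfg
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    $out = @{}
    foreach ($right in 'SeNetworkLogonRight', 'SeDenyNetworkLogonRight') {
        $line = $lines | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
        $out[$right] = if ($line) { (($line -split '=', 2)[1]).Trim() -split ',' } else { @() }
    }
    return $out
}

'== ACEs on winreg (any allow ACE = full remote registry access, per-key ACLs still apply) =='
Get-WinregAcl | Format-Table -AutoSize

$allowed = Get-RemoteRegistryAllowedPaths
'AllowedPaths:      ' + ($allowed['AllowedPaths'] -join '; ')
'AllowedExactPaths: ' + ($allowed['AllowedExactPaths'] -join '; ')

'== Would a non-winreg principal reach these keys? (probe paths are my own) =='
foreach ($probe in 'System\CurrentControlSet\Services\Eventlog',
                   'System\CurrentControlSet\Services\Eventlog\Security',
                   'Software\Microsoft\Windows\CurrentVersion\Run') {
    '{0,-55} {1}' -f $probe, (Test-RemotePathAllowed -Path $probe -Allowed $allowed)
}

$rights = Get-NetworkLogonRights
'Access this computer from the network (SIDs prefixed *): ' + ($rights['SeNetworkLogonRight'] -join ', ')
'Deny access from the network:                            ' + ($rights['SeDenyNetworkLogonRight'] -join ', ')
```

To confirm the result from another host, run `reg query \\TARGET\HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` as the principal in question (the Remote Registry service must be running on TARGET): an account that appears in neither the winreg ACL nor an AllowedPaths prefix gets "Access is denied", which is the OS-level restriction the reply recommends checking before reaching for a host IDS rule.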
