Focus on Microsoft
Thread: Restricting Remote Registry Access
  Restricting Remote Registry Access - May 11 2006 02:27PM - genius cwgz net (4 replies)
  VS: Restricting Remote Registry Access - May 22 2006 08:59AM - securitylists (securitylists prettybit fi) (1 reply)
  Re: Restricting Remote Registry Access - May 12 2006 01:46AM - Jason Muskat (Jason TechDude Ca) (1 reply)
  Re: Restricting Remote Registry Access - May 12 2006 05:25PM - Harlan Carvey (keydet89 yahoo com) (1 reply)
these days. It isn't much. First, remote access to the registry is gated by
the permissions on
HKLM\System\CurrentControlSet\Control\SecurePipeServers\Winreg. Any user
with ANY (doesn't matter what - read, write, anything) level of permissions
to that key is allowed remote access to the registry as gated by the ACL on
the specific keys.
Default for this is admins and backup ops. If malicious admins have network
access to your system, you have MUCH bigger problems than just the registry.
Next gating factor is the values contained in the AllowedPaths key just
below that. While there are some information leaks available on XP (assuming
you can authenticate), I don't think you'll find anything that is remotely
writable. On Win2k3, there is an AllowedExactPaths key - values in this key
only allow access to the exact key cited, not any of the subkeys, as
AllowedPaths would. Due to the increased restrictions on remote access to
the registry on Win2k3, you won't even find much along the lines of
information leaks there.
So when you're looking into restricting access to something, it always pays
off to thoroughly understand the access mechanisms that are already in
place, and what it really allows. Something else to remember is that people
have to authenticate in the first place to do anything. I often find it
handy to set the right to logon from the network (or the deny version of the
same) to restrict this. Another interesting approach is to use IPSec to
accomplish the same thing.
Before you go looking into what an IDS system can do, it might be best to
look into what the OS can do first.
Hope this helps -
-----------------------------------
This information is provided in an attempt to be helpful. Your Mileage May
Vary.
It is most certainly not an official statement on behalf of my employer.
-----------------------------------
> -----Original Message-----
> From: securitylists [mailto:securitylists (at) prettybit (dot) fi [email concealed]]
> Sent: Monday, May 22, 2006 2:00 AM
> To: focus-ms (at) securityfocus (dot) com [email concealed]
> Subject: VS: Restricting Remote Registry Access
>
> You might want to check this address:
> http://www.silentrunners.org/ so that you'll get some kind of
> an idea of a number of "critical" keys in the registry. That
> software only checks keys that can be used to launch programs
> on the target computer... And there are A LOT OF THEM..
>
>
> Pauli Porkka\PrettyBit Software Oy
>
> > -----Original Message-----
> > From: genius (at) cwgz (dot) net [email concealed] [mailto:genius (at) cwgz (dot) net [email concealed]]
> > Sent: 11 May 2006 17:28
> > To: focus-ms (at) securityfocus (dot) com [email concealed]
> > Subject: Restricting Remote Registry Access
> >
> > Hello All,
> >
> >
> > I am currently looking into restricting remote registry access to
> > certain parts of the registry. I understand and know how to completely
> > restrict remote access but my intention is to block access to only
> > certain keys. I am attempting to do this using a Cisco Host IDS agent
> > which has registry control features. My question is, are there any
> > critical registry keys that should definitely be restricted.
> > I am looking for like a top 10 or top 20 most commonly targeted registry
> > keys. That way I can allow remote access to the registry. Just not
> > those 10 or 20 keys. Thanks
> >
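The two gating factors described in the reply above (the ACL on the winreg key, then the AllowedPaths and AllowedExactPaths values beneath it) can be audited on a host with the following PowerShell script. It is an added example, not code from the thread; the list of "broad" principals to flag (Everyone, Authenticated Users, BUILTIN\Users) and the report layout are my own assumptions.

```powershell
# Added audit script (not from the original thread): report who the winreg key
# ACL admits to the remote registry service and which paths it exposes.
$WinregKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'

# Assumption: these well-known SIDs are the broad principals an auditor
# would not expect to see granted any right on the winreg key.
$BroadSids = @('S-1-1-0',        # Everyone
               'S-1-5-11',       # Authenticated Users
               'S-1-5-32-545')   # BUILTIN\Users

function Get-RemoteRegistryGrants {
    # Any Allow ACE on the winreg key, whatever the right, admits the principal
    # to the remote registry service; the per-key ACLs are checked afterwards.
    (Get-Acl -Path $WinregKey).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        ForEach-Object {
            $sid = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            [pscustomobject]@{
                Identity = $_.IdentityReference.Value
                Rights   = $_.RegistryRights
                Broad    = $BroadSids -contains $sid
            }
        }
}

function Get-RemoteRegistryPaths {
    # AllowedPaths exposes the listed keys and their subkeys; AllowedExactPaths
    # (Win2k3 and later) exposes only the exact keys listed. Each holds a
    # REG_MULTI_SZ value named "Machine".
    foreach ($kind in 'AllowedPaths', 'AllowedExactPaths') {
        $key = Join-Path $WinregKey $kind
        if (-not (Test-Path $key)) { continue }          # key absent on older OS
        $paths = (Get-ItemProperty -Path $key -Name Machine -ErrorAction SilentlyContinue).Machine
        if (-not $paths) { continue }                     # value missing or empty
        foreach ($p in @($paths)) {
            [pscustomobject]@{ Scope = $kind; Path = $p }
        }
    }
}

'== Principals admitted to the remote registry service =='
$grants = Get-RemoteRegistryGrants
$grants | Format-Table -AutoSize
$broad = $grants | Where-Object Broad
if ($broad) { Write-Warning "Broad principal(s) on winreg ACL: $($broad.Identity -join ', ')" }

'== Paths exposed via AllowedPaths / AllowedExactPaths =='
Get-RemoteRegistryPaths | Format-Table -AutoSize
```

Run it from an elevated prompt on each server you intend to expose; the defaults the reply mentions (Administrators and Backup Operators) are what the first table should normally show.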