Managing Registry Security
To manage registry security, the Regedit.exe version supplied with Windows XP and products of the Windows Server 2003 family includes the Permissions command. Using this command, you can edit registry-key permissions and set the rules for auditing registry-key access.
Note: In Windows NT/2000, these capabilities were only available in Regedt32.exe. As you remember, Regedt32.exe had a special Security menu, which allowed you to specify registry-key permissions and establish auditing rules. Beginning with Windows XP, this functionality was delegated to Regedit.exe. Note that registry-key permissions can be set independently of the file-system type on the disk partition containing the operating-system files.
This chapter provides only a brief overview of these functions and general instructions for performing the operations needed to protect the registry. More detailed information on these topics will be provided in Chapter 9, which is dedicated to registry protection.
As in previous Windows NT/2000 versions, Windows XP and products of the Windows Server 2003 family possess the following capabilities for protecting the system and managing security:
All access to system resources can be controlled.
All operations that access system objects can be registered in the security log.
A password is required for accessing the system, and all access operations can be logged.
Setting Registry-Key Permissions
The Permissions command opens the Permissions for <Keyname> window, intended for viewing and setting registry-key permissions. The capability to set registry-key permissions doesn't depend on the file system used to format the partition that contains the operating-system files.
Note: Changing registry-key permissions can lead to serious consequences. For example, if you set the No Access permission for the key required for configuring network settings using the Control Panel applet, this applet won't work. Full Control permissions for the registry should be assigned to the members of the Administrators group and to the operating system itself. This setting provides the system administrator with the ability to restore the registry key after rebooting the system.
Since setting registry-key permissions can lead to serious consequences, reserve this measure for keys added in order to optimize software, or for other examples of customizing the system.
Note: If you change permissions for a registry key, it is best also to audit access to the key (or, at least, to audit failed attempts at accessing this key). A brief overview of registry auditing will be provided later in this chapter.
The Permissions command follows the principles used by the Explorer commands to set file and folder permissions on NTFS partitions. To set registry-key permissions, proceed as follows:
1. Before modifying registry-key permissions, back up the registry keys you are going to modify.
2. Select the key for which you are going to set permissions, and then select the Permissions command.
3. The Permissions for <Keyname> window, allowing you to specify registry-key permissions (Fig. 3.20), will open. Windows XP and Windows Server 2003 provide many enhancements, including security enhancements. However, the main types of access permissions and the basic principles for setting these permissions are similar to the ones found in previous versions of Windows NT/2000. Select the name of the user or group from the list at the top of this window, and then set the required access level by selecting the option you need from the Permissions for <Username> list provided below. Brief descriptions of the available access types (Read, Full Control, and Special Permissions) are listed in Table 3.3. To set permissions for a selected registry key, proceed as follows:
o From the list at the top of this window, select the user or group for which you need to set registry-key permissions. If the user or group should have read capabilities, but not those to modify the key, set the Allow checkbox next to the Read option.
o If the user or group should be able to open the selected registry key for editing and to change its ownership, set the Allow checkbox next to the Full Control option.
o To assign the user or group a special combination of permissions (special permissions), click the Advanced button.
Figure 3.20: The Permissions for <Keyname> window allows you to specify registry-key permissions.
Table 3.3: Registry-Key Permission Types
Permission type | Description
Read | Users who have permission to access this key can view its contents, but can't save any changes.
Full Control | Users who have permission to access this key can open the key to edit its contents, save the changes, and modify access levels for the key.
Special Permissions | Users who have permission to access this key have individual combinations of access rights for the selected key. A detailed description of all these types and their combinations will be provided later in this chapter.
4. Set the system audit for registry access (more detailed information on this topic will be provided later in this chapter). Audit the system carefully over a period of time to make sure that the new access rights have no negative influence on the applications installed in your system.
Specifying Advanced Security Settings
To set special access types for a registry key, click the Advanced button in the registry-key permissions dialog (see Fig. 3.20). The Advanced Security Settings for <Keyname> window will open (Fig. 3.21).
Figure 3.21: The Permissions tab in the Advanced Security Settings for <Keyname> window.
If you are setting permissions for a registry subkey and want this subkey to inherit permissions from its parent key, set the Allow inheritable permissions from parent to propagate to this object and all child objects… checkbox.
If you are setting permissions for a parent key and want all of its subkeys to inherit the permissions from the selected key, set the Replace permission entries on all child objects… checkbox.
Double-click the name of the user or group for which you need to set special access (or select the name and click the Edit button). The dialog shown in Fig. 3.22 will appear. In the Permissions list, select the Allow or Deny checkboxes next to the type of access that you need to allow or deny for the selected user or group. The list of special-access options is provided in Table 3.4. Note that the list doesn't differ from the similar list in Windows NT 4.0 and Windows 2000.
Figure 3.22: The Permission Entry window.
Table 3.4: The Special Access Options
Checkbox | Description
Query Value | Allows the user to read values within the selected registry key.
Set Value | Allows the user to set values within the selected registry key.
Create Subkey | Allows the user to create subkeys within the selected registry key.
Enumerate Subkeys | Allows the user to identify the subkeys within the selected registry key.
Notify | Allows the user to audit this key.
Create Link | Allows the user to create symbolic links in the selected registry key.
Delete | Allows the user to delete the selected registry key.
Write DAC | Allows the user to access the key and create or modify its Access Control List (ACL).
Write Owner | Allows the user to take ownership of this registry key.
Read Control | Allows the user to view the security parameters set for the selected registry key.
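The Permission Entry dialog described above can also be reproduced from PowerShell, which is useful when the same special-permissions entry has to be applied to many keys or kept in a script. The following is an added example, not code from the book: it maps each checkbox in Table 3.4 to the System.Security.AccessControl.RegistryRights flag that implements it and grants the built-in Users group a read-only entry on a constructed test key, HKCU:\Software\ExampleApp (the key path and the choice of group are assumptions made for the example).

```powershell
# Added example (not from the book): a "special permissions" entry set from PowerShell.
# HKCU:\Software\ExampleApp is a constructed test key; BUILTIN\Users is the chosen principal.
$keyPath   = 'HKCU:\Software\ExampleApp'
$principal = 'BUILTIN\Users'

if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }

# Table 3.4 checkbox names mapped to the RegistryRights flags behind them.
$checkboxToRight = @{
    'Query Value'       = [System.Security.AccessControl.RegistryRights]::QueryValues
    'Set Value'         = [System.Security.AccessControl.RegistryRights]::SetValue
    'Create Subkey'     = [System.Security.AccessControl.RegistryRights]::CreateSubKey
    'Enumerate Subkeys' = [System.Security.AccessControl.RegistryRights]::EnumerateSubKeys
    'Notify'            = [System.Security.AccessControl.RegistryRights]::Notify
    'Create Link'       = [System.Security.AccessControl.RegistryRights]::CreateLink
    'Delete'            = [System.Security.AccessControl.RegistryRights]::Delete
    'Write DAC'         = [System.Security.AccessControl.RegistryRights]::ChangePermissions
    'Write Owner'       = [System.Security.AccessControl.RegistryRights]::TakeOwnership
    'Read Control'      = [System.Security.AccessControl.RegistryRights]::ReadPermissions
}

# The four checkboxes that make up the "Read" permission type of Table 3.3.
$readOnlyBoxes = 'Query Value', 'Enumerate Subkeys', 'Notify', 'Read Control'
$rights = 0
foreach ($box in $readOnlyBoxes) { $rights = $rights -bor [int]$checkboxToRight[$box] }
$rights = [System.Security.AccessControl.RegistryRights]$rights

# ContainerInherit: the entry applies to this key and its subkeys, like the inheritance
# options in the Advanced Security Settings window.
$rule = New-Object System.Security.AccessControl.RegistryAccessRule(
    $principal, $rights,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

$acl = Get-Acl -Path $keyPath
# Step 1 of the procedure: keep a copy of the current DACL (in SDDL form) before changing it.
$acl.GetSecurityDescriptorSddlForm('Access') | Set-Content -Path "$env:TEMP\ExampleApp.dacl.sddl"
$acl.SetAccessRule($rule)      # replaces any existing Allow entry for this principal
Set-Acl -Path $keyPath -AclObject $acl

# Read the result back; the combined flags display as ReadKey.
(Get-Acl -Path $keyPath).Access |
    Where-Object { $_.IdentityReference -eq $principal } |
    Format-Table IdentityReference, RegistryRights, AccessControlType, IsInherited -AutoSize
```

Swapping the checkbox names in $readOnlyBoxes (or changing Allow to Deny) produces any other combination from Table 3.4; the saved SDDL file is what you restore from if an application stops working afterwards.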
Taking Registry Key Ownership
As a system administrator, you may take ownership of any registry key and restrict access to this key. Anyone who has logged in to the local system as a member of the Administrators group may take ownership of any registry key. However, if you have owner rights without the Full Control access type, you won't be able to return this key to its initial owner at a later time, and the appropriate message will appear in the security log.
To take ownership of a registry key in Windows XP or any product of the Windows Server 2003 family, proceed as follows:
1. Select the registry key for which you wish to take ownership.
2. Select the Permissions command from the Edit menu.
3. Click the Advanced button. The Advanced Security Settings for <Keyname> window will open. Go to the Owner tab (Fig. 3.23).
Figure 3.23: The Owner tab of the Advanced Security Settings for <Keyname> window.
4. Select the new owner from the Change owner to list and click OK.
Note: If you need to change the owner for all nested objects of this key as well, set the Replace owner on subcontainers and objects checkbox. You can change the registry-key owner only if you log in as an Administrator (or a member of the Administrators group), or if the previous owner has explicitly assigned you owner rights for this key.
Registry Auditing
Auditing is the process used by Windows NT-based operating systems, including Windows 2000/XP and products of the Windows Server 2003 family, for detecting and logging security-related events. For example, any attempt to create or delete system objects, or any attempt to access these objects, is a security-related event. Note that, in object-oriented operating systems, everything is considered an object, including files, folders, and registry keys. All security-related events are registered in the security-log file.
Auditing is not activated in the system by default, so if you need to audit security-related events, you will need to activate the audit. After the system audit has been activated, the operating system starts logging security-related events. You can view the information registered in the security log using Event Viewer. When initiating auditing, you can specify the types of events to be registered in the security log, and the operating system will create a record each time the specified event type occurs in the system. The record written to the security log contains an event description, the name of the user who performed the action corresponding to the event, and the event date/time information. You can audit both successful and failed attempts, and the security log will display both the names of the users whose attempts succeeded and the names of the users whose attempts failed.
Detailed information on this topic and tips on auditing registry access are provided in Chapter 9, which is dedicated to registry protection.
To establish registry auditing, proceed as follows:
1. Activate the audit and set the audit policy for each event that requires auditing.
2. Specify the users and groups whose access to the specified registry keys you wish to be audited.
3. Use Event Viewer to view the audit results in the Security log.
To perform any of the actions mentioned above, you need to log in to the local system as a member of the Administrators group. The audit policy is specified individually for each computer. Before you can set the registry-auditing policy, you need to activate the audit in the system. Regedit.exe will display an error message if you attempt to set registry auditing without activating the audit in the system.
To set the auditing options for the registry, proceed as follows:
1. Select the key that you wish to audit.
2. Select the Permissions command from the Edit menu, and then click the Advanced button. The Advanced Security Settings for <Keyname> window will open. Go to the Auditing tab (Fig. 3.24).
Figure 3.24: The Auditing tab of the Advanced Security Settings for <Keyname> window.
3. If you are setting the auditing options for this key for the first time, the Auditing Entries list will be blank. Click the Add button below this list, select the users and groups whose activity you need to audit, and add them to the list.
4. To audit the activity of a certain user or group, select the name of this user/group from the Auditing Entries list, and click the Edit button. The dialog shown in Fig. 3.25 will appear. In the Access list, set the Successful and/or Failed checkboxes for the access types that require auditing.
Figure 3.25: The Auditing Entry for <Keyname> window.
The auditing options available to you are described in Table 3.5. Note that the set of options hasn't changed from that in Windows NT/2000.
Table 3.5: Auditing Option Types for Registry Keys
Auditing option | Description
Query Value | Accessing the key with the right to query the value.
Set Value | Opening the key with the right to set the value.
Create Subkey | Opening the key with the right to create subkeys.
Enumerate Subkeys | Opening the key with the right to enumerate its subkeys. This option controls events that open the key and attempts to get a list of the subkeys contained within the key being opened.
Notify | Accessing the key with the right to notify.
Create Link | Opening the key with the right to create symbolic links within this key.
Delete | Deleting the key.
Write DAC | Attempts to modify the list of users who have access to this key.
Read Control | Reading owner-related information on this key.
Note: To set registry-key auditing, you need to log in to the local system as an Administrator or a member of the Administrators group. If the local computer is connected to the network, then network-security policy may prevent you from auditing the registry keys.
To view the auditing results, select the Programs | Administrative Tools | Computer Management commands from the Start menu. Expand the console tree in the left pane of the MMC window by selecting the System Tools | Event Viewer | Security Log options. The right pane will display a list of security-related events. Viewing this list is similar to viewing the security log in Windows NT 4.0 and Windows 2000.
Options included in other menus, such as Window and Help, are standard for most Windows applications.