S 4.75 Protection of the registry under Windows NT

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Administrators

All important configuration and initialisation information is stored in the registry of a Windows NT system. The registry also manages the SAM database which contains the user and computer accounts.

The registry of a Windows NT system consists of several files which are located in the directory path%SystemRoot%\SYSTEM32\Config. For this reason, the rights to access this directory and the files contained therein should be set as recommended in S 4.53 Restrictive allocation of access rights to files and directories under Windows NT.

After installation of the operating system, the following security-relevant components of the registry should additionally be protected through the explicit entry of access rights with the help of the registry editor (the program named REGEDT32.EXE in the Windows system directory%SystemRoot%\SYSTEM32), so that the group " All " only has the access rights " View value ", " List partial keys ", " Report " and " Read access " for these components:

• in the area HKEY_LOCAL_MACHINE:

\Software\Windows3.1MigrationStatus (with all sub-keys)

\Software\Microsoft\RPC (with all sub-keys)

\Software\Microsoft\Windows NT\CurrentVersion

under the key \Software\Microsoft\Windows NT\CurrentVersion\:

+ Profile List

+ AeDebug

+ Compatibility

+ Drivers

+ Embedding

+ Fonts

+ FontSubstitutes

+ GRE_Initialize

+ MCI

+ MCI Extensions

+ Port (with all sub-keys)

+ WOW (with all sub-keys)

• in the area HKEY_CLASSES_ROOT:

\HKEY_CLASSES_ROOT (with all sub-keys)

Care must be exercised here, as faulty settings in the registry might impair the operability of the system, thus preventing it from starting up properly the next time. Consequently, the settings mentioned here should first be used in a separate test system and checked critically for proper functionality under real conditions before being put into regular operation.

Network access to the registry

Access to the registry via the network should be disabled, unless this function is absolutely necessary. This is allowed by version 4.0 or higher, by setting the entry " winreg " in the key \System\CurrentControlSet\Control\SecurePipeServers in the area HKEY_LOCAL_MACHINE to the value REG_DWORD = 1.

Version 3.x does not allow an explicit blockage of the registry against network access. In this case, it is helpful to withdraw the right of "All" to access the root of the area HKEY_LOCAL_MACHINE (but not the underlying keys!), so that only administrators have access to this area. This modification must, on all accounts, be checked in a test system as it could paralyse certain applications. It must be noted that such a change only remains effective until the system is restarted.