Every key in the Registry has an ACL. Unfortunately, many of those ACLs are unnecessarily permissive. For example, by default the Everyone account has write access to several keys that allow untrusted users to execute arbitrary programs--never a good idea. You can significantly improve your NT security posture by paying careful attention to a few simple steps.
Tip
These steps aren’t necessary in Windows 2000 because Microsoft has changed its default Registry ACLs to be more restrictive. Furthermore, you can use the Security Configuration Manager to apply even more restrictive settings by applying a particular security template.
First, a brief digression: every authenticated user is automatically a member of the Everyone group. On machines running NT 4.0 SP3 or later, these users are also members of the Authenticated Users group. Everyone also includes anonymous and guest accounts, though, so in general it’s a wise idea to never grant Everyone:Full Control access to anything if you can prevent it.
On to the actual steps. First of all, apply the changes suggested earlier in the section Limiting Remote Registry Access. Once you’ve done so, make sure that Everyone has only Read access on HKLMSYSTEMCurrentControlSetControlSecurePipeServerswinregAllowedPaths. This prevents an interloper from inserting her own allowed paths for anonymous access.
Next, follow Microsoft’s suggestions from knowledge base article Q126713 and tighten the permissions on these three keys by limiting Everyone to Read access on them:
HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun HKLMSOFTWAREMicrosoftWindowsCurrentVersionRunOnce HKLMSOFTWAREMicrosoftWindowsCurrentVersionUninstall
These keys specify programs to run when NT starts (Run and RunOnce) or when a program’s uninstalled (Uninstall), so you don’t want an attacker to be able to change them.
Likewise, you should remove the Server Operators group’s Write permission on HKLMSystemCurrentControlSetServicesSchedule. Normally, members of the Server Operators group have permission to schedule jobs, but these jobs are run under the SYSTEM account--making it possible for a Server Operators member to gain Administrator privileges. In the same vein, remove Server Operators’ Write privilege on HKLMSoftwareMicrosoftWindowsNTCurrentVersionWinlogon to prevent a similar attack on the UserInit and BootVerificationProgram values.
The next step is pretty open-ended: you should bolt down your Registry by restricting access wherever possible. The kicker is in knowing what’s possible, and that varies from application to application. For example, Office 97 requires Everyone:Read on its own keys under HKLMSoftware and HKCUSoftware (plus write access to a number of other keys in HKLM and HKCU). Remove those permission, and some Office features stop working. The same is true for Internet Explorer and a wide range of other products. As you make changes to Registry key ACLs, be sure to test the applications you need to run to ensure their correct function before rolling out your changes to the entire network.
Instead of just randomly adjusting ACLs, I recommend you start with the ones in Table 9-2. These are excerpted from the canonical reference for Windows NT Registry ACLs, the “Windows NT Security Guidelines-A Study for NSA Research” white paper, written by Trusted System Services (http://www.trustedsystems.com) for the U.S. National Security Agency. The white paper is detailed and covers workstation, server, and network security settings, not just Registry ACLs. In the table, “Installers” refers to any groups you want to have permission to install application software, and “Apply to entire tree” means you should make the ACL change to all keys and subkeys in the specified path, not just the indicated key.
Table 9-2. Recommended Registry ACLs for Windows NT
|
Key Path |
Permissions |
Notes |
|---|---|---|
|
Software |
Installers: Change Everyone: Read |
Only accounts that can install software should have change rights to this tree. In particular, only installers should be able to create new subkeys. |
|
SoftwareClasses |
Installers: Add Everyone: Read |
Upon installing Windows NT, set the ACLs on the entire Classes tree to Public: Read (plus the Common ACEs), then set the ACL on Classes key as noted. (This removes the INTERACTIVE entry from these ACLs.) This Registry tree holds various properties associated with applications, such as the correlation between the filename extension and the application defined to handle it. To contain potential spoofing threats, it seems prudent to limit these keys, although it may impact some applications. |
|
SoftwareMicrosoftWindowsCurrentVersionApp Paths |
Installers: Change Everyone: Read |
Apply to entire tree. At install time this key is empty; remove Public: Write permission to prevent its misuse. |
|
SoftwareMicrosoftWindowsCurrent VersionExplorer |
Everyone:Read |
Apply to entire tree. (Appears to be unused.) |
|
SoftwareMicrosoftWindowsCurrent VersionEmbedding |
Installers: Change Everyone: Read |
Apply to entire tree. |
|
SoftwareMicrosoftWindowsCurrent VersionRun, RunOnce, Uninstall, and AEDebug |
Everyone: Read |
The command named in the Run key runs at logon for all users (including administrators) and must therefore be protected against spoofing. It should only be writable by full administrators. Similarly, protect RunOnce and Uninstall. The AEDebug key specifies [arameters for the system debugger users can run when a program crashes (such as “Dr. Watson”). Restrict access to prevent spoofing. |
|
SoftwareMicrosoftWindows NTCurrentVersionFont*, GRE_Initialize |
Installers: Change Everyone: Add |
Change only keys that begin with “Font,” except FontDrivers, and Gre-Initialize. Some sites may wish to restrict Everyone access to Read to prevent users from adding fonts. |
|
SoftwareMicrosoftWindows NTCurrentVersionType 1 InstallerType 1 Fonts |
Installers: Change Everyone: Add | |
|
SoftwareMicrosoftWindows NTCurrentVersionDrivers, Drivers.desc |
Everyone: Read |
Apply to entire tree. Drivers32 is the principal storage control location for Windows NT drivers and is strongly protected. The function of the Driver key is unclear, but protect it anyway. |
|
SoftwareMicrosoftWindows NTCurrentVersionMCI, MCI Extensions |
Installers:Change |
Apply to entire tree. |
|
SoftwareMicrosoftWindows NTCurrentVersionPorts |
INTERACTIVE: Change Everyone: Read |
Apply to entire tree. Parameters for COM, LPT, and other ports. You allow INTERACTIVE users to modify these because there seems little security risk, although some sites may wish to tighten these ACLs. Note that Microsoft recommends tightening these keys to Everyone: Read only. |
|
SoftwareMicrosoftWindows NTCurrentVersionProfileList |
Public: Add |
Install as nonpropagating ACL if possible. Each subkey in Profiles holds parameters for a profile created in WINNTProfiles. To prevent spoofing, a new subkey should not be publicly writable. Unfortunately, there’s no standard Registry ACL tool that allows the public to create keys that then have no public access, although “Add” permission is secure as long as the subkeys don’t themselves have meaningful subkeys, which is the case in Profiles. Third party tools (such as SuperCACLS, available from http://www.trustedsystems.com) that can install ACL entries that don’t propagate to subkeys are useful here because they produce the desired protection. |
|
SoftwareMicrosoftWindows NTCurrentVersionWOW |
Everyone: Read |
Apply to entire tree. Holds parameters for the DOS environment. Although it is not clear how serious a spoofing threat exists, it seems wise to prevent public modification. |
|
SoftwareWindows 3.1 Migration Status |
Everyone: Read |
Apply to entire tree. |
|
SystemCurrentControlSetServicesLanmanServerShares |
Everyone: Read |
The values in this key and its Security subkey holds critical information about directory and printer shares. These values are adequately protected by default. However, any user can add new subkeys to these keys, and Microsoft recommends tightening the permissions. |
|
SystemCurrentControlSetServices |
Everyone: Read |
Apply to entire tree. This setting prevents nonadministrators from changing service settings. |
You can also use the Security Explorer tool, discussed later in this chapter, to automatically and recursively apply whatever permissions you want (including removing Everyone in all Registry ACEs).