Source: Ray Zadjmool. Securing the Windows 2000 Registry // http://www.windowsecurity.com. - 2004.
http://www.windowsecurity.com/articles/Securing_the_Windows_2000_Registry.html

Securing the Windows 2000 Registry

One key security practice that is often overlooked by admins is securing the Windows registry. In addition to configuration information, the registry contains security contexts that can be used to elevate a user’s privilege. If left unsecured, it is a good platform from which a hacker can gain access to administrative functions of the computer, and possibly the domain as well.

As part of a system hardening routine and standard network policy in Windows 2000, ACL permissions can be configured to limit a user’s access to keys that can be used by hackers or malicious programs.

Much like file permissions, ACLs can be configured on the registry in a couple of different ways. The easiest and most manual way is through the registry editor regedt32.exe. Regedt32.exe comes installed by default on most versions of Microsoft Windows, with the exception of Windows 95/98/ME systems, which only come bundled with the less functional regedit.exe.

Regedt32 differs from its simpler cousin regedit.exe in its ability to configure permissions, or ACLs (Access Control Lists), on specific registry keys.


FIGURE 1

Once regedt32 is launched, permissions can be viewed and configured by highlighting the hive or key you want to configure and navigating to the Security > Permissions menu. Once selected, users are given a familiar menu by which permissions can be configured for groups as well as individual users.


FIGURE 2

Registry auditing can also be turned on for specific keys and subkeys using the Advanced button in the permissions window.


FIGURE 3

With Active Directory, administrators can configure permissions using group policies. Registry permissions are manipulated using the “computer configuration > windows settings > registry” bucket. ACLs can be added manually per key, or a preconfigured template can be imported to configure multiple registry keys at once.


FIGURE 4

Once you have decided which configuration tool is right for your organization, careful consideration should be given to what permissions are appropriate for your environment, as changing them will most definitely affect out-of-the-box functionality. A proper test plan is highly recommended before making registry permission changes in a production environment.

A good starting point in hardening the registry would be to lock down remote registry access. Network access to the registry is controlled by the Remote Registry Service, which is installed by default in Windows 2000. This service provides access to the Registry API and must be running on both the client and the target computer for network access to the registry to function. By default, in Windows 2000 only the Administrators and Backup Operators have permissions for network access to the registry.
 
As a good security practice, the remote registry service should be disabled on all servers and workstations. In addition, auditing should be turned on for the following registry key that controls ACL permissions for network registry access:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg

Once you have locked down remote access to the registry, ACL permissions should be hardened on specific keys that have security implications.

In accordance with the Common Criteria (CC) for Information Technology Security Evaluation http://csrc.nist.gov/cc/, Microsoft recommends locking down the registry by configuring the following keys:  

HKEY_CLASSES_ROOT

Authenticated Users: Read/Execute
Administrators: Full Control
Creator Owner: None
System: Full Control
Power Users: Read/Execute/Write/Delete
Users: Read/Execute

HKEY_LOCAL_MACHINE\Software

Authenticated Users: Read/Execute
Administrators: Full Control
Creator Owner: None
System: Full Control
Power Users: Read/Execute/Write/Delete
Users: Read/Execute

HKEY_LOCAL_MACHINE\Software\Classes

Authenticated Users: Read/Execute
Administrators: Full Control
Creator Owner: None
System: Full Control
Power Users: Read/Execute/Write/Delete
Users: Read/Execute

HKEY_LOCAL_MACHINE\Software\Classes\.hlp

Authenticated Users: Read/Execute
Administrators: Full Control
Creator Owner: None
System: Full Control
Power Users: Read/Execute/Write/Delete
Users: Read/Execute

HKEY_LOCAL_MACHINE\Software\Classes\helpfile

Authenticated Users: Read/Execute
Administrators: Full Control
Creator Owner: None
System: Full Control
Power Users: Read/Execute/Write/Delete
Users: Read/Execute

HKEY_LOCAL_MACHINE\Software\Microsoft\OS/2 Subsystem for NT

Administrators: Full Control
Creator Owner: None
System: Full Control

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion

Administrators: Full Control
Creator Owner: None
System: Full Control

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Computername

Authenticated Users: Read + Execute

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ContentIndex

Authenticated Users: Read + Execute

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layout

Authenticated Users: Read + Execute

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts

Authenticated Users: Read + Execute

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers

Authenticated Users: Read/Execute
Administrators: Full Control
Creator Owner: None
System: Full Control
Power Users: Read/Execute/Write/Delete
Users: Read/Execute

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ProductOptions

Authenticated Users: Read + Execute

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog

Authenticated Users: Read + Execute

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TcpIP

Authenticated Users: Read + Execute
 

  1. Tip: Never change SYSTEM permissions from Full Control in the Registry. Any changes to this permission will cause your system to fail upon reboot.
  2. Tip: For added security, consider removing permissions for the Power Users Group if not in use.
  3. Tip: For added security, consider replacing all permissions for Users and Everyone with Authenticated Users.

Active Directory administrators who are using a group policy security template can add the following lines to their .inf template file:

[Registry Keys]

"CLASSES_ROOT",0,"D:PAR(A;CI;KA;;;BA)(A;CI;KR;;;AU)(A;CIIO;KA;;;CO)(A;CI;CCDCLCSWRPSDRC;;;PU)(A;CI;KA;;;SY)(A;CI;KR;;;BU)"
"MACHINE\SOFTWARE\Microsoft\OS/2 Subsystem for NT",0,"D:PAR(A;CI;KA;;;BA)(A;CIIO;KA;;;CO)(A;CI;KA;;;SY)"
"MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip",0,"D:AR(A;CI;KR;;;AU)"
"MACHINE\SYSTEM\CurrentControlSet\Services\EventLog",0,"D:AR(A;CI;KR;;;AU)"
"MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers",2,"D:PAR(A;CI;KA;;;BA)(A;CI;KR;;;AU)(A;CIIO;KA;;;CO)(A;CI;CCDCLCSWRPSDRC;;;PU)(A;CI;KA;;;SY)(A;CI;KR;;;BU)"
"MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions",0,"D:AR(A;CI;KR;;;AU)"
"MACHINE\SYSTEM\CurrentControlSet\Control\ContentIndex",0,"D:AR(A;CI;KR;;;AU)"
"MACHINE\SYSTEM\CurrentControlSet\Control\Computername",0,"D:AR(A;CI;KR;;;AU)"
"MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts",0,"D:AR(A;CI;KR;;;AU)"
"MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout",0,"D:AR(A;CI;KR;;;AU)"
"MACHINE\Software\Microsoft\Windows NT\CurrentVersion",0,"D:AR(A;CI;KR;;;AU)"
"MACHINE\SOFTWARE\Classes\.hlp",0,"D:PAR(A;CI;KA;;;BA)(A;CI;KR;;;AU)(A;CIIO;KA;;;CO)(A;CI;CCDCLCSWRPSDRC;;;PU)(A;CI;KA;;;SY)(A;CI;KR;;;BU)"
"MACHINE\SOFTWARE\Classes\helpfile",0,"D:PAR(A;CI;KA;;;BA)(A;CI;KR;;;AU)(A;CIIO;KA;;;CO)(A;CI;CCDCLCSWRPSDRC;;;PU)(A;CI;KA;;;SY)(A;CI;KR;;;BU)"
"MACHINE\Software\Classes",0,"D:AR(A;CI;KA;;;BA)(A;CI;KR;;;AU)(A;CIIO;KA;;;CO)(A;CI;CCDCLCSWRPSDRC;;;PU)(A;CI;KA;;;SY)(A;CI;KR;;;BU)"
"MACHINE\Software",0,"D:PAR(A;CI;KA;;;BA)(A;CIIO;KA;;;CO)(A;CI;CCDCLCSWRPSDRC;;;PU)(A;CI;KA;;;SY)(A;CI;KR;;;BU)"
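
The following Python script is an added example, not part of the original article: it parses [Registry Keys] lines like those above and flags two things the tips warn about, namely a protected DACL (D:P..., which blocks ACEs inherited from the parent key) that grants no Full Control to SYSTEM, and non-administrative trustees such as Power Users that hold modify rights. The sample text, the MACHINE\SOFTWARE\Example key and the function names are constructed for illustration.

```python
import re

# Constructed sample: three entries copied from the template above plus one
# made-up key ("MACHINE\SOFTWARE\Example") whose protected DACL omits SYSTEM.
SAMPLE = r'''
[Registry Keys]
"MACHINE\SOFTWARE\Microsoft\OS/2 Subsystem for NT",0,"D:PAR(A;CI;KA;;;BA)(A;CIIO;KA;;;CO)(A;CI;KA;;;SY)"
"MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip",0,"D:AR(A;CI;KR;;;AU)"
"MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers",2,"D:PAR(A;CI;KA;;;BA)(A;CI;KR;;;AU)(A;CIIO;KA;;;CO)(A;CI;CCDCLCSWRPSDRC;;;PU)(A;CI;KA;;;SY)(A;CI;KR;;;BU)"
"MACHINE\SOFTWARE\Example",0,"D:P(A;CI;KA;;;BA)(A;CI;KR;;;BU)"
'''

TRUSTEES = {"BA": "Administrators", "AU": "Authenticated Users", "CO": "Creator Owner",
            "PU": "Power Users", "SY": "SYSTEM", "BU": "Users", "WD": "Everyone"}
# SDDL right codes that allow changing a key: set value, create subkey, create
# link, delete, write DAC, write owner, plus KEY_ALL_ACCESS and KEY_WRITE.
WRITE_RIGHTS = {"DC", "LC", "WP", "SD", "WD", "WO", "KA", "KW"}

LINE = re.compile(r'^"([^"]+)",(\d),"D:([A-Z]*)((?:\([^)]*\))*)"$')
ACE = re.compile(r'\(([^;]*);([^;]*);([^;]*);[^;]*;[^;]*;([^)]*)\)')

def parse_template(text):
    """Map key path -> mode, protected flag ("P" in D:P/D:PAR) and ACE tuples."""
    keys = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            key, mode, dacl_flags, aces = m.groups()
            keys[key] = {"mode": int(mode), "protected": "P" in dacl_flags,
                         "aces": ACE.findall(aces)}  # (type, flags, rights, sid)
    return keys

def findings(keys):
    """Flag protected DACLs lacking SYSTEM full control, and non-admin writers."""
    out = []
    for key, entry in keys.items():
        # An inherit-only (IO) ACE does not apply to the key itself.
        system_full = any(t == "A" and r == "KA" and s == "SY"
                          and "IO" not in re.findall("..", f)
                          for t, f, r, s in entry["aces"])
        if entry["protected"] and not system_full:
            out.append((key, "protected DACL without SYSTEM full control"))
        for t, f, r, s in entry["aces"]:
            writable = WRITE_RIGHTS & set(re.findall("..", r))
            if t == "A" and writable and s not in ("BA", "SY", "CO"):
                out.append((key, TRUSTEES.get(s, s) + " can modify (" + r + ")"))
    return out

if __name__ == "__main__":
    for key, problem in findings(parse_template(SAMPLE)):
        print(key + ": " + problem)
```

Entries written as D:AR rather than D:PAR are not flagged for a missing SYSTEM ACE because they still receive inherited ACEs from the parent key.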

Reference:

The Windows 2000 Common Criteria Security Target
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/issues/W2kCCSCG/

Microsoft Knowledge Base Article - 153183
http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/q153/1/83.asp&NoWebContent=1

Common Criteria for IT Security Evaluation
http://csrc.nist.gov/cc/