9.4 Fixing Registry Security ACLs in Windows NT
Every key in the Registry has an ACL.
Unfortunately, many of those ACLs are unnecessarily permissive. For
example, by default the Everyone account has write access to several
keys that allow untrusted users to execute arbitrary
programs--never a good idea. You can significantly improve your
NT security posture by paying careful attention to a few simple
steps.
These steps aren't necessary in Windows 2000 because Microsoft
has changed its default Registry ACLs to be more restrictive.
Furthermore, you can use the Security Configuration Manager to apply
even more restrictive settings by applying a particular security
template.
First, a brief digression: every authenticated user is automatically
a member of the Everyone group. On machines running NT 4.0 SP3 or
later, these users are also members of the Authenticated Users group.
Everyone also includes anonymous and guest accounts, though, so in
general it's a wise idea to never grant Everyone:Full Control
access to anything if you can prevent it.
On to the actual steps. First of all, apply the changes suggested
earlier in Section 9.3.
Once you've done so, make sure that Everyone has only Read
access on
HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths.
This prevents an interloper from inserting her own allowed paths for
anonymous access.
Next, follow Microsoft's suggestions from knowledge base
article Q126713 and tighten the permissions on these three keys by
limiting Everyone to Read access on them:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
These keys specify programs to run when NT starts (Run and RunOnce)
or when a program is uninstalled (Uninstall), so you don't
want an attacker to be able to change them.
Likewise, you should remove the Server Operators group's Write
permission on HKLM\System\CurrentControlSet\Services\Schedule.
Normally, members of the Server Operators group have permission to
schedule jobs, but these jobs are run under the SYSTEM
account--making it possible for a Server Operators member to
gain Administrator privileges. In the same vein, remove Server
Operators' Write privilege on
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon to prevent
a similar attack on the UserInit and BootVerificationProgram values.
The next step is pretty open-ended: you should bolt down your
Registry by restricting access wherever possible. The kicker is in
knowing what's possible, and that varies from application to
application. For example, Office 97 requires Everyone:Read on its own
keys under HKLM\Software and HKCU\Software (plus write access to a
number of other keys in HKLM and HKCU). Remove those permissions, and
some Office features stop working. The same is true for Internet
Explorer and a wide range of other products. As you make changes to
Registry key ACLs, be sure to test the applications you need to run
to ensure their correct function before rolling out your changes to
the entire network.
Instead of just randomly adjusting ACLs, I recommend you start with
the ones in Table 9.2. These are excerpted from
the canonical reference for Windows NT Registry ACLs, the
"Windows NT Security Guidelines-A Study for NSA Research"
white paper, written by Trusted System Services (http://www.trustedsystems.com) for the U.S.
National Security Agency. The white paper is detailed and covers
workstation, server, and network security settings, not just Registry
ACLs. In the table, "Installers" refers to any groups you
want to have permission to install application software, and
"Apply to entire tree" means you should make the ACL
change to all keys and subkeys in the specified path, not just the
indicated key.
Table 9.2. Recommended Registry ACLs for Windows NT

Each entry lists the key (under HKLM), the recommended ACL, and notes.

Key: \Software
ACL: Installers: Change; Everyone: Read
Notes: Only accounts that can install software should have change rights to
this tree. In particular, only installers should be able to create
new subkeys.

Key: \Software\Classes
ACL: Installers: Add; Everyone: Read
Notes: Upon installing Windows NT, set the ACLs on the entire Classes tree
to Public: Read (plus the Common ACEs), then set the ACL on the Classes
key as noted. (This removes the INTERACTIVE entry from these ACLs.)
This Registry tree holds various properties associated with
applications, such as the correlation between a filename extension
and the application defined to handle it. To contain potential
spoofing threats, it seems prudent to limit these keys, although doing
so may impact some applications.

Key: \Software\Microsoft\Windows\CurrentVersion\App Paths
ACL: Installers: Change; Everyone: Read
Notes: Apply to entire tree. At install time this key is empty; remove
Public: Write permission to prevent its misuse.

Key: \Software\Microsoft\Windows\CurrentVersion\Explorer
ACL: Everyone: Read
Notes: Apply to entire tree. (Appears to be unused.)

Key: \Software\Microsoft\Windows\CurrentVersion\Embedding
ACL: Installers: Change; Everyone: Read
Notes: Apply to entire tree.

Key: \Software\Microsoft\Windows\CurrentVersion\Run, RunOnce, Uninstall,
and AEDebug
ACL: Everyone: Read
Notes: The command named in the Run key runs at logon for all users
(including administrators) and must therefore be protected against
spoofing. It should be writable only by full administrators.
Similarly, protect RunOnce and Uninstall. The AEDebug key specifies
parameters for the system debugger users can run when a program
crashes (such as "Dr. Watson"). Restrict access to
prevent spoofing.

Key: \Software\Microsoft\Windows NT\CurrentVersion\Font*, GRE_Initialize
ACL: Installers: Change; Everyone: Add
Notes: Change only keys that begin with "Font" (except
FontDrivers) and GRE_Initialize. Some sites may wish to restrict
Everyone access to Read to prevent users from adding fonts.

Key: \Software\Microsoft\Windows NT\CurrentVersion\Type 1 Installer\Type 1
Fonts
ACL: Installers: Change; Everyone: Add

Key: \Software\Microsoft\Windows NT\CurrentVersion\Drivers, Drivers.desc
ACL: Everyone: Read
Notes: Apply to entire tree. Drivers32 is the principal storage control
location for Windows NT drivers and is strongly protected. The
function of the Drivers key is unclear, but protect it anyway.

Key: \Software\Microsoft\Windows NT\CurrentVersion\MCI, MCI Extensions
ACL: Installers: Change
Notes: Apply to entire tree.

Key: \Software\Microsoft\Windows NT\CurrentVersion\Ports
ACL: INTERACTIVE: Change; Everyone: Read
Notes: Apply to entire tree. Parameters for COM, LPT, and other ports.
INTERACTIVE users are allowed to modify these because there seems
little security risk, although some sites may wish to tighten these
ACLs. Note that Microsoft recommends tightening these keys to
Everyone: Read only.

Key: \Software\Microsoft\Windows NT\CurrentVersion\ProfileList
ACL: Public: Add
Notes: Install as a nonpropagating ACL if possible. Each subkey in Profiles
holds parameters for a profile created in WINNT\Profiles. To prevent
spoofing, a new subkey should not be publicly writable.
Unfortunately, there's no standard Registry ACL tool that
allows the public to create keys that then have no public access,
although "Add" permission is secure as long as the
subkeys don't themselves have meaningful subkeys, which is the
case in Profiles. Third-party tools (such as SuperCACLS, available
from http://www.trustedsystems.com) that can
install ACL entries that don't propagate to subkeys are useful
here because they produce the desired protection.

Key: \Software\Microsoft\Windows NT\CurrentVersion\WOW
ACL: Everyone: Read
Notes: Apply to entire tree. Holds parameters for the DOS environment.
Although it is not clear how serious a spoofing threat exists, it
seems wise to prevent public modification.

Key: \Software\Windows 3.1 Migration Status
ACL: Everyone: Read
Notes: Apply to entire tree.

Key: \System\CurrentControlSet\Services\LanmanServer\Shares
ACL: Everyone: Read
Notes: The values in this key and its Security subkey hold critical
information about directory and printer shares. These values are
adequately protected by default. However, any user can add new
subkeys to these keys, and Microsoft recommends tightening the
permissions.

Key: \System\CurrentControlSet\Services
ACL: Everyone: Read
Notes: Apply to entire tree. This setting prevents nonadministrators from
changing service settings.
You can also use the Security Explorer tool, discussed later in this
chapter, to automatically and recursively apply whatever permissions
you want (including removing Everyone in all Registry ACEs).