Managing Registry Security
To manage registry security, the Regedit.exe version supplied with Windows XP and
products of the Windows Server 2003 family includes the Permissions command. Using
this command, you can edit registry-key permissions and set the rules for auditing
registry-key access.
Note: It should be noted that, in Windows NT/2000, these capabilities were only available
in Regedt32.exe. As you remember, Regedt32.exe had a special Security menu,
which allowed you to specify registry-key permissions and establish auditing rules.
Beginning with Windows XP, this functionality was delegated to Regedit.exe. Note
that registry key permissions can be set independently from the file-system type on
the disk partition containing the operating-system files.
This chapter provides only a brief overview of these functions and general instructions
for performing operations needed to protect the registry.
More detailed information on these topics will be provided in Chapter 9, which is
dedicated to registry protection.
As in previous Windows NT/2000 versions, Windows XP and products of the Windows
Server 2003 family possess the following capabilities for protecting the system and
managing security:
All access to system resources can be controlled.
All operations that access system objects can be registered in the security log.
A password is required for accessing the system, and all access operations can be
logged.
Setting Registry-Key Permissions
The Permissions command opens the Permissions for the <Keyname> window
intended for viewing and setting registry-key permissions. The capability to set registry
key permissions doesn't depend on the file system used to format the partition that
contains the operating-system files.
Note: Changing registry-key permissions can lead to serious consequences. For example,
if you set the No Access permission for the key required for configuring network
settings using the Control Panel applet, this applet won't work. Full Control
permissions for the registry should be assigned to the members of the
Administrators group and the operating system itself. This setting provides the
system administrator with the ability to restore the registry key after rebooting the
system.
Since setting registry-key permissions can lead to serious consequences, reserve this
measure for keys that were added to optimize software or otherwise customize the
system.
Note: If you change permissions for the registry key, it is best also to audit the key access
(or, at least, to audit the failed attempts at accessing this key). A brief overview of
registry auditing will be provided later in this chapter.
The Permissions command follows the principles used by the Explorer commands to set
file and folder permissions on NTFS partitions. To set registry-key permissions, proceed
as follows:
1. Before modifying registry-key permissions, back up the registry keys you are
going to modify.
2. Select the key for which you are going to set permissions, and then select the
Permissions command.
3. The Permissions for <Keyname> window, allowing you to specify registry-key
permissions (Fig. 3.20), will open. Windows XP and Windows Server 2003
provide many enhancements, including security enhancements. However, the main
types of access permissions and basic principles for setting these permissions are
similar to the ones found in previous versions of Windows NT/2000. Select the
name of the user or group from the list at the top of this window, and then set the
required access level by selecting the option you need from the Permissions for
<Username> list provided below. Brief descriptions of the available access types
(Read, Full Control, and Special Permissions) are listed in Table 3.3. To set
permissions for a selected registry key, proceed as follows:
o From the list at the top of this window, select the user or group for which
you need to set registry-key permissions. If the user or group should have
read capabilities, but not those to modify the key, set the Allow checkbox
next to the Read option.
o If the user or group should be able to open the selected registry key for
editing ownership, set the Allow checkbox next to the Full Control option.
o To assign the user or group a special combination of permissions (special
permissions), click the Advanced button.
Figure 3.20: The Permissions for <Keyname> window allows you to specify
registry-key permissions
Table 3.3: Registry-Key Permission Types
Permission type      Description
Read                 Users who have permission to access this key can view its contents, but can't save any changes.
Full Control         Users who have permission to access this key can open the key to edit its contents, save the changes, and modify access levels for the key.
Special Permissions  Users who have permission to access this key have individual combinations of access rights for the selected key. A detailed description of all these types and their combinations will be provided later in this chapter.
4. Set the system audit for registry access (more detailed information on this topic
will be provided later in this chapter). Audit the system carefully over a period of
time to make sure that new access rights have no negative influence on the
applications installed in your system.
Specifying Advanced Security Settings
To set special access types for a registry key, click the Advanced button in the registry-
key permissions dialog (see Fig. 3.20). The Advanced Security Settings for
<Keyname> window will open (Fig. 3.21).
Figure 3.21: The Permissions tab in the Advanced Security Settings for <Keyname>
window
If you are setting permissions for the registry subkey and want this subkey to inherit
permissions from its parent key, set the Allow inheritable permissions from parent to
propagate to this object and all child objects… checkbox.
If you are setting permissions for the parent key and want all of its subkeys to inherit the
permission from the selected key, set the Replace permission entries on all child
objects… checkbox.
Double-click the name of the user or group for which you need to set special access (or
select the name and click the Edit button). The dialog shown in Fig. 3.22 will appear. In
the Permissions list, select Allow or Deny checkboxes next to the type of access that you
need to allow or deny for the selected user or group. The list of special-access options is
provided in Table 3.4. Note that the list doesn't differ from the similar list in Windows
NT 4.0 and Windows 2000.
Figure 3.22: The Permission Entry window
Table 3.4: The Special Access Options
Checkbox           Description
Query Value        Allows the user to read values within the selected registry key
Set Value          Allows the user to set values within the selected registry key
Create Subkey      Allows the user to create subkeys within the selected registry key
Enumerate Subkeys  Allows the user to identify the subkeys within the selected registry key
Notify             Allows the user to audit this key
Create Link        Allows the user to create symbolic links in the selected registry key
Delete             Allows the user to delete the selected registry key
Write DAC          Allows the user to access the key and create or modify its Access Control List (ACL)
Write Owner        Allows the user to take ownership of this registry key
Read Control       Allows the user to view the security parameters set for the selected registry key
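The entries that the Permissions dialog and the Permission Entry window produce can also be written from PowerShell through the .NET RegistryAccessRule class. This is an added example, not code from the book: the key path and the principals it assigns rights to are constructed for illustration, and it maps the Table 3.3 types (Read, Full Control) and one Table 3.4 special combination onto the RegistryRights enumeration.

```powershell
# Added example (not from the book): apply Read, Full Control and a
# special-permission entry (Tables 3.3 and 3.4) to a key from PowerShell.
# Run from an elevated prompt (member of Administrators). The key path and
# the principals are constructed for illustration.
$keyPath = 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp'
if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }

# Table 3.4 checkbox names map onto the .NET RegistryRights enumeration:
#   Query Value   -> QueryValues       Set Value         -> SetValue
#   Create Subkey -> CreateSubKey      Enumerate Subkeys -> EnumerateSubKeys
#   Notify        -> Notify            Create Link       -> CreateLink
#   Delete        -> Delete            Write DAC         -> ChangePermissions
#   Write Owner   -> TakeOwnership     Read Control      -> ReadPermissions
# Table 3.3 "Read" is ReadKey (QueryValues, EnumerateSubKeys, Notify,
# ReadPermissions); "Full Control" is FullControl.
function New-RegRule([string]$Identity, [string]$Rights, [string]$Type) {
    # ContainerInherit/None: the entry applies to this key and all its subkeys,
    # the effect of "Replace permission entries on all child objects...".
    New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList `
        $Identity, $Rights, 'ContainerInherit', 'None', $Type
}

$acl = Get-Acl -Path $keyPath
# Keep "Allow inheritable permissions from parent to propagate..." enabled.
# ($true, $true) would instead block inheritance and copy the inherited entries.
$acl.SetAccessRuleProtection($false, $true)

# Table 3.3 "Read" for ordinary users.
$acl.SetAccessRule((New-RegRule 'BUILTIN\Users' 'ReadKey' 'Allow'))
# "Full Control" for Administrators and the operating system, as the note advises.
$acl.SetAccessRule((New-RegRule 'BUILTIN\Administrators' 'FullControl' 'Allow'))
$acl.SetAccessRule((New-RegRule 'NT AUTHORITY\SYSTEM' 'FullControl' 'Allow'))
# A Table 3.4 "special permissions" combination: a service account that may read
# and write values but not delete the key, change its ACL or take ownership.
$acl.SetAccessRule((New-RegRule 'NT AUTHORITY\LOCAL SERVICE' `
    'QueryValues, SetValue, EnumerateSubKeys, Notify' 'Allow'))

Set-Acl -Path $keyPath -AclObject $acl

# Check the result the way the Permissions dialog lists it.
(Get-Acl -Path $keyPath).Access |
    Format-Table IdentityReference, RegistryRights, AccessControlType, IsInherited -AutoSize
```

Back up the key first, as step 1 of the procedure says; Set-Acl replaces the descriptor with no undo.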
Taking Registry Key Ownership
As a system administrator, you may take ownership of any registry key and restrict
access to this key. Anyone who has logged in to the local system as a member of the
Administrators group may take ownership of any registry key. However, if you have
owner rights without full control access type, you won't be able to return this key to its
initial owner at a later time and the appropriate message will appear in the security log.
To take ownership of the registry key in Windows XP or any product of the Windows
Server 2003 family, proceed as follows:
1. Select the registry key for which you wish to take ownership.
2. Select the Permissions command from the Edit menu.
3. Click the Advanced button. The Advanced Security Settings for <Keyname>
window will open. Go to the Owner tab (Fig. 3.23).
Figure 3.23: The Owner tab of the Advanced Security Settings for <Keyname>
window
4. Select the new owner from the Change owner to list and click OK.
Note: If you need to change the owner for all nested objects of this key as well, set the
Replace owner on subcontainers and objects checkbox. You can change the
registry-key owner only if you log in as an Administrator (or a member of the
Administrators group), or if the previous owner has explicitly assigned you owner
rights for this key.
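The same ownership change, including the effect of the Replace owner on subcontainers and objects checkbox, can be scripted. This is an added example rather than the book's own procedure; the key path is constructed, and the new owner is the Administrators group, which a member of that group may always assign.

```powershell
# Added example (not from the book): take ownership of a key and, like the
# "Replace owner on subcontainers and objects" checkbox, of every nested subkey.
# Run from an elevated prompt; the key path is constructed for illustration.
$keyPath  = 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp'
$newOwner = [System.Security.Principal.NTAccount]'BUILTIN\Administrators'

function Set-RegKeyOwner([string]$Path, $Owner) {
    # Get-Acl needs Read Control on the key; a key that denies even that
    # has to be handled through the Owner tab described above.
    $acl = Get-Acl -Path $Path
    $acl.SetOwner($Owner)
    Set-Acl -Path $Path -AclObject $acl
}

Set-RegKeyOwner $keyPath $newOwner
# On the registry provider Get-ChildItem -Recurse returns subkeys only,
# so every item it yields is a key whose owner is replaced as well.
Get-ChildItem -Path $keyPath -Recurse | ForEach-Object {
    Set-RegKeyOwner $_.PSPath $newOwner
}

# Confirm what the Owner tab would now show as "Current owner".
(Get-Acl -Path $keyPath).Owner
```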
Registry Auditing
Auditing is the process used by Windows NT-based operating systems, including
Windows 2000/XP and products of the Windows Server 2003 family, for detecting and
logging security-related events. For example, any attempt to create or delete a system
object, or any attempt to access such an object, is a security-related event. Note that, in
object-oriented operating systems, everything is considered an object, including files,
folders, and registry keys. All security-related events are registered in the security-log
file. Auditing is not activated in the system by default, so if you need to audit
security-related events, you will need to activate the audit. After the system audit has been
activated, the operating system starts logging security-related events. You can view
information registered in the security log using Event Viewer. When initiating auditing,
you can specify the types of events to be registered in the security log, and the operating
system will create a record each time the specified event type occurs in the system. The
record written to the security log contains an event description, the name of the user who
performed the action corresponding to the event, and the event date/time information.
You can audit successful and failed attempts, and the security log will display both the
names of the users who performed successful attempts and the names of the users whose
attempts failed.
Detailed information on this topic and tips on auditing registry access are provided in
Chapter 9, which is dedicated to registry protection.
To establish registry auditing, proceed as follows:
1. Activate the audit and set the audit policy for each event that requires auditing.
2. Specify users and groups whose access to the specified registry keys you wish to
be audited.
3. Use the Event Viewer for viewing the audit results in the Security log.
To perform any of the actions mentioned above, you need to log in to the local system as
a member of the Administrators group. The audit policy is specified individually for each
computer. Before you can set the registry-auditing policy, you need to activate the audit
in the system. Regedit.exe will display an error message if you attempt to set registry
auditing without activating the audit in the system.
To set the auditing options for the registry, proceed as follows:
1. Select the key that you wish to audit.
2. Select the Permissions command from the Edit menu, and then click the
Advanced button. The Advanced Security Settings for <Keyname> window will
open. Go to the Auditing tab (Fig. 3.24).
Figure 3.24: The Auditing tab of the Advanced Security Settings for
<Keyname> window
3. If you are setting the auditing options for this key for the first time, the Auditing
Entries list will be blank. Click the Add button below this list, select the users and
groups whose activity you need to audit, and add them to the list.
4. To audit the activity of a certain user or group, select the name of this user/group
from the Auditing Entries list, and click the Edit button. The dialog shown in
Fig. 3.25 will appear. In the Access list, set the Successful and/or Failed
checkboxes for the access types that require auditing.
Figure 3.25: The Auditing Entry for <Keyname> window
The auditing options available to you are described in Table 3.5. Note that the set of
options hasn't changed from that in Windows NT/2000.
Table 3.5: Auditing Option Types for Registry Keys
Auditing option    Description
Query Value        Accessing the key with the right to query the value.
Set Value          Opening the key with the right to set the value.
Create Subkey      Opening the key with the right to create subkeys.
Enumerate Subkeys  Opening the key with the right to enumerate its subkeys. This option controls events that open the keys and attempts to get a list of the subkeys contained within the key being opened.
Notify             Accessing the key with the right to notify.
Create Link        Opening the key with the right of creating symbolic links within this key.
Delete             Deleting the key.
Write DAC          Attempts to modify the list of users who have access to this key.
Read Control       Reading owner-related information on this key.
Note: To set registry-key auditing, you need to log in to the local system as an
Administrator or a member of the Administrators group. If the local computer is
connected to the network, then network-security policy may prevent you from
auditing the registry keys.
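The Auditing tab writes the key's system ACL; the same entries can be written with the .NET RegistryAuditRule class. This is an added example, not the book's code: the key path is constructed, the principal audited is Everyone, and it assumes the audit has already been activated in the system as the text requires, since otherwise the entries are stored but no events are logged.

```powershell
# Added example (not from the book): write the Auditing-tab entries (the SACL)
# of a key from PowerShell. "Audit object access" must already be enabled in
# the audit policy, and reading or writing a SACL needs an elevated prompt.
# The key path is constructed for illustration.
$keyPath = 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp'

function New-RegAuditRule([string]$Identity, [string]$Rights, [string]$Flags) {
    # ContainerInherit/None: audit this key and every subkey below it.
    New-Object System.Security.AccessControl.RegistryAuditRule -ArgumentList `
        $Identity, $Rights, 'ContainerInherit', 'None', $Flags
}

# -Audit is required; without it Get-Acl returns the descriptor without its SACL.
$acl = Get-Acl -Path $keyPath -Audit

# The minimum the earlier note recommends: every failed access, by anyone.
$acl.AddAuditRule((New-RegAuditRule 'Everyone' 'FullControl' 'Failure'))
# Successful changes to content and security (Table 3.5: Set Value, Create
# Subkey, Delete, Write DAC; Write Owner from Table 3.4), by anyone.
$acl.AddAuditRule((New-RegAuditRule 'Everyone' `
    'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership' 'Success'))

Set-Acl -Path $keyPath -AclObject $acl

# Show the entries the Auditing tab would list.
(Get-Acl -Path $keyPath -Audit).Audit |
    Format-Table IdentityReference, RegistryRights, AuditFlags, IsInherited -AutoSize

# The newest records of the Security log, the log that Event Viewer shows
# under System Tools | Event Viewer | Security.
Get-EventLog -LogName Security -Newest 20 |
    Format-Table TimeGenerated, EventID, EntryType, Message -AutoSize -Wrap
```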
To view the auditing results, select the Programs | Administrative Tools | Computer
Management commands from the Start menu. Expand the console tree in the left pane
of the MMC window by selecting the System Tools | Event Viewer | Security Log
options. The right pane will display a list of security-related events. Viewing this list is
similar to viewing the security log in Windows NT 4.0 and Windows 2000.
Options included in other menus, such as Window and Help, are standard for most
Windows applications.