S 4.75 Protection of the registry under Windows systems

All important configuration and initialisation information is stored in the registry on a Windows system. Amongst other things, the registry manages the SAM database, which contains the user and computer accounts. This applies especially to computers not connected to any domain and domain computers local accounts are also used on.

The registry of a Windows system consists of several files located in the %SystemRoot%\SYSTEM32\Config directory. For this reason, the access rights to this directory and the files it contains should be set as suggested in S 4.149 File and share authorisation under Windows and S 4.247 Restrictive assignment of authorisations under Windows Vista and Windows 7.

In order to increase the protection provided, the following security-related sections of the registry should be protected specifically by explicitly specifying their access rights with the help of the Registry Editor immediately after the installation of Windows operating systems. They are specified using the regedt32.exe or regedit.exe programmes found in the Windows system directory %SystemRoot%\SYSTEM32. The settings should be specified in such a way that the Everyone group is only granted Query Value, Enumerate Subkeys, Notify, and Read Control access rights to the following sections of the registry:

• This applies to the following keys in the HKEY_LOCAL_MACHINE section:
  
  \Software\Windows3.1MigrationStatus (including all subkeys)
  
  \Software\Microsoft\RPC (including all subkeys)
  
  \Software\Microsoft\Windows NT\CurrentVersion
• This applies to the following entries of the \Software\Microsoft\Windows NT\CurrentVersion\ key:
  
  + Profile List+ AeDebug
  
  + Compatibility
  
  + Drivers
  
  + Embedding
  
  + Fonts
  
  + FontSubstitutes
  
  + GRE_Initialize
  
  + MCI
  
  + MCI Extensions
  
  + Port (including all subkeys)
  
  + WOW (including all subkeys)
• The following section must be protected in HKEY_CLASSES_ROOT:
  
  \HKEY_CLASSES_ROOT (including all subkeys)

The corresponding access right settings for the registry for Windows XP, Vista, and Windows 7 can be found in S 4.247 Restrictive assignment of authorisations under Windows Vista and Windows 7.

In a Windows Server 2003 domain, access to the HKEY_CLASSES_ROOT, HKEY_LOCAL_MACHINE, and HKEY_USERS keys should be configured using group policies in the Active Directory.

Care must be taken when setting these rights, since incorrect settings in the registry can cause the system to become inoperable and possibly unable to boot the next time it is started. For this reason, the settings mentioned here should be tested on a test system first and critically examined regarding their executability in the current environment before they are approved for general use.

Network access to the registry

Access to the registry over the network should also be disabled unless this functionality is necessary. This is possible in Windows NT 4.0 and higher by configuring the winreg entry in the /System/CurrentControlSet/Control/SecurePipeServers in the area HKEY_LOCAL_MACHINE accordingly.