A multi-pronged approach to hardening Windows Registry security

Source: Internet
Author: User

On Windows systems the Registry underpins the secure and stable operation of the system, and for the same reason it is one of the system's weak points: any careless change or deliberate tampering can have disastrous consequences. To reduce these risks the Registry ships with some built-in safeguards (for example, certain hives are restricted to specific principals by default: HKLM\SAM and HKLM\SECURITY are readable only by the LocalSystem account unless an administrator first takes ownership of them). These measures are far from enough on their own, so stricter access control should be applied on top of them. Below I share some of my experience in this area.

Note: all of the operations below were performed on Windows Server 2008. Most of them apply to other Windows versions as well; only a few require Server 2008.

1. Restrict who can run the registry tools (regedit.exe and reg.exe)

One of the best ways to protect the registry from unauthorised access is to keep unauthorised users away from it in the first place. That means strictly controlling physical access to the server and allowing only administrators to log on locally. Beyond that, you can set file access permissions on regedit.exe and reg.exe so that other accounts cannot launch them. You could go further and delete the Registry Editor and the reg command from the system, but that creates problems of its own and makes the system harder for the Administrator to manage, especially when the registry has to be administered remotely. Bear in mind that restricting the tools is a tripwire rather than a barrier: any program (PowerShell, WMI, regini.exe, or custom code calling the registry API) can still read and write keys, so the permissions on the keys themselves (section 2) are what actually enforce access control.

You can modify the access permissions of the Registry Editor to keep unauthorised users from running it. Open the %SystemRoot% folder, locate the Registry Editor program regedit.exe, right-click it and choose "Properties". In the Properties dialog open the "Security" tab. Here you can add or remove users and groups and set the required access permissions; the settings work the same way as for any file or folder: select a principal and allow or deny specific permissions. Apart from regedit.exe, the command-line registry tool reg.exe also needs permissions set. Open the %SystemRoot%\System32 folder, right-click reg.exe, choose "Properties" and open the "Security" tab in the same way. By default this command can be run by ordinary users as well as administrators; authorise users and adjust permissions on this tab as needed. In my experience it is better not to grant the permission to a group, because every member of the group then has it; remove the group and authorise only the specific users. Otherwise an attacker who can add an account to that group gains the ability to run the registry tools. Note that on Vista and Server 2008 both files are owned by TrustedInstaller, so you must take ownership before the ACL can be changed, and on 64-bit systems there are additional 32-bit copies of both tools under %SystemRoot%\SysWOW64 that need the same treatment. (Figure 1)

 

Figure 1

Windows also ships a Registry Editor named regedt32.exe. On current systems this is only a stub that launches regedit.exe. If you have set permissions on regedit.exe but not on regedt32.exe, apply the same permission settings to it as well.
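The following script is an added example and is not part of the original article; it applies the file-permission changes described in this section from an elevated PowerShell prompt instead of through the Properties dialog. The account name CONTOSO\regadmin is a placeholder for the one user you want to keep; everything else uses the standard takeown, icacls and Get-Acl tools.

```powershell
# Added example (not part of the original article): lock down the registry editing tools
# so that only SYSTEM, Administrators and one named account can run them.
# Assumptions: run from an elevated PowerShell prompt; CONTOSO\regadmin is a placeholder.
$allowed = 'CONTOSO\regadmin'

$tools = @(
    "$env:SystemRoot\regedit.exe",
    "$env:SystemRoot\System32\reg.exe",
    "$env:SystemRoot\System32\regedt32.exe"      # stub that only starts regedit.exe
)
# 64-bit systems carry 32-bit copies as well; skipping them leaves a second door open.
if (Test-Path "$env:SystemRoot\SysWOW64") {
    $tools += "$env:SystemRoot\SysWOW64\regedit.exe", "$env:SystemRoot\SysWOW64\reg.exe"
}

foreach ($path in $tools) {
    if (-not (Test-Path -LiteralPath $path)) { continue }

    # These binaries are owned by TrustedInstaller, which blocks ACL edits even for
    # administrators; hand ownership to the Administrators group first (/A).
    takeown.exe /F $path /A | Out-Null

    # Rebuild the DACL: drop inherited entries (/inheritance:r) and replace any
    # explicit grants (/grant:r) with exactly these three principals.
    icacls.exe $path /inheritance:r /grant:r `
        "NT AUTHORITY\SYSTEM:(F)" `
        "BUILTIN\Administrators:(F)" `
        "${allowed}:(RX)" | Out-Null
}

# Check: the Users group must no longer appear in any of the ACLs.
function Get-ToolAccess {
    foreach ($path in $tools) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        (Get-Acl -LiteralPath $path).Access |
            Select-Object @{ n = 'File'; e = { $path } }, IdentityReference, FileSystemRights, AccessControlType
    }
}
Get-ToolAccess | Format-Table -AutoSize
$leak = Get-ToolAccess | Where-Object { $_.IdentityReference -like '*\Users' }
if ($leak) { Write-Warning "Users group still has access: $($leak.File -join ', ')" }
```

Administrators keep Full Control on purpose: a member of Administrators can take ownership of the file again anyway, so denying the group buys nothing. What the change buys is that a standard user or a compromised service account can no longer start the stock tools; as noted above, it does not stop code that talks to the registry API directly.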

2. Set access permissions on registry keys

Registry permissions can also be controlled per key. Besides editing key permissions by hand, you can use security templates to configure them. An appropriate security template not only locks down access to the registry but also removes the worry that a mistaken setting will stop the system or an application from running.

Usually, however, we only need to control permissions on a few specific keys, and then editing them directly is the only option. Run the Registry Editor, locate the key, right-click it and choose "Permissions", or select the key and choose "Permissions" from the Editor's "Edit" menu. A dialog such as "Permissions for SAM" opens. As with file permissions, you can add or remove groups and users, select a principal, and allow or deny individual permissions.

Note that many permissions are inherited from higher-level keys and cannot be edited directly. To edit them, click "Advanced" to open the "Advanced Security Settings" dialog (for SAM in this example). It has four tabs. On the "Permissions" tab the "Inherited From" column shows where each entry comes from; usually it is the root key above the target key. Before clicking "OK", decide whether to keep the "Include inheritable permissions from this object's parent" check box: clearing it detaches the key from its parent's permissions, which changes the permissions of the selected key and its subkeys. The "Auditing" tab shows the audit configuration of the selected key. The "Owner" tab shows the current owner of the selected key and lets you assign ownership; by default only the selected key is affected, and to apply the change to all subkeys as well you must check "Replace owner on subcontainers and objects". The "Effective Permissions" tab shows the permissions the current settings would give a specific user or group, which is very useful for checking your work. Changes made on the "Permissions" tab are not applied until you click "OK" or "Apply". (Figure 2)
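The same change from PowerShell, as an added example that is not part of the original article: it breaks inheritance on one key, replaces the inherited entries with an explicit list, and then verifies that no broad principal remains. The scratch key HKLM:\SOFTWARE\HardeningDemo and the account CONTOSO\appsvc are placeholders; run it from an elevated prompt.

```powershell
# Added example (not part of the original article): replace the inherited ACL on one key
# with an explicit one, then confirm the result. Assumptions: run elevated; the scratch
# key HKLM:\SOFTWARE\HardeningDemo and the account CONTOSO\appsvc are placeholders.
$keyPath = 'HKLM:\SOFTWARE\HardeningDemo'
$reader  = 'CONTOSO\appsvc'

New-Item -Path $keyPath -Force | Out-Null

$acl = Get-Acl -Path $keyPath
# Equivalent of clearing "Include inheritable permissions from this object's parent"
# and choosing Remove: stop inheriting and discard the entries inherited from HKLM\SOFTWARE.
$acl.SetAccessRuleProtection($true, $false)

# ContainerInherit makes each entry apply to sub-keys created later as well.
$inherit   = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$entries = @(
    @{ Identity = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' }
    @{ Identity = 'BUILTIN\Administrators'; Rights = 'FullControl' }
    @{ Identity = $reader;                  Rights = 'ReadKey' }   # query, enumerate, notify, read control
)
foreach ($e in $entries) {
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $e.Identity, [System.Security.AccessControl.RegistryRights]$e.Rights,
        $inherit, $propagate, [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $keyPath -AclObject $acl

# Verify: every remaining entry should be explicit (IsInherited = False) and the
# broad principals (Users, Authenticated Users, Everyone) must be gone.
function Get-KeyAccess([string]$Path) {
    (Get-Acl -Path $Path).Access |
        Select-Object IdentityReference, RegistryRights, AccessControlType, IsInherited
}
Get-KeyAccess $keyPath | Format-Table -AutoSize
$broad = Get-KeyAccess $keyPath | Where-Object {
    $_.IdentityReference -match '\\(Users|Authenticated Users)$|^Everyone$'
}
if ($broad) { Write-Warning 'Broad principals still present on the key' }
```

Keep SYSTEM and Administrators on every key you lock down: services run as SYSTEM, and an administrator who is locked out can only recover by taking ownership, which is exactly the kind of emergency change the "Owner" tab exists for.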

 

Figure 2

3. Control remote access to the registry with security settings

The Windows registry supports not only local but also remote access, so an attacker or unauthorised user may try to reach the system's registry remotely the way an administrator would, which carries considerable risk. On a personal system that never needs remote registry access, the usual answer is simply to prohibit it.

Click "Run" on the "Start" menu, enter services.msc to open the Services console, find the "Remote Registry" service, double-click it, click "Stop", and set the startup type to "Disabled". That blocks remote access to the registry completely. Sometimes, though, remote access to a few keys has to be allowed. What then? Remote access can also be controlled through the registry itself, via the key HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg, which exists on systems where the Remote Registry service is present. The permissions on this key decide which users may access the registry remotely, so check its ACL on your system: on older versions all authenticated users were allowed, with the Query Value, Enumerate Subkeys, Notify and Read Control permissions. Sensitive parts of the registry therefore need to be excluded to prevent malicious remote access. Under the winreg key there is an AllowedPaths subkey carrying a multi-string (REG_MULTI_SZ) value named "Machine". Double-click this value to see the registry paths that are reachable remotely, and add or delete paths as needed to control which parts of the registry can be accessed remotely. (Figure 3)

 

Figure 3

One supplement. I have seen administrators disable remote registry access on security grounds and then run into unexplained system faults. The reason is that some Windows services need remote access to the registry for particular functions; examples are the Directory Replicator service and the Spooler service. With remote access disabled, these services may fail. The restriction therefore has to make an exception for them: add the account of the service that needs remote access to the ACL of the winreg key, or add the path of the key it needs to the AllowedPaths value. The paths listed under the Machine value are locations that computers are allowed to reach; those under the Users value are locations that users are allowed to reach. As long as these keys carry no explicit access restrictions of their own, they can be accessed remotely. After the modification the computer must be restarted for the registry change to take effect. (Figure 4)

 

Figure 4

On Windows Vista and Windows Server 2008, remote registry access can also be managed from the "Local Security Policy" console, which sets which registry paths are exposed; whether a user or group may connect at all is still decided by the access control list (ACL) of the winreg key. Many default paths are listed here, and I suggest not modifying them unless you know exactly what you are doing. Click Start > Administrative Tools > Local Security Policy to open the console. In the left pane expand "Local Policies" and select "Security Options"; the main pane lists many policy settings. Scroll down and double-click "Network access: Remotely accessible registry paths" or "Network access: Remotely accessible registry paths and sub-paths" as needed. The "Local Security Setting" tab of the properties dialog shows the list of paths, or paths and sub-paths, that may be accessed remotely; add or remove entries as required. These two policies write the AllowedExactPaths\Machine and AllowedPaths\Machine values under the winreg key respectively, so editing the registry by hand and editing the policy are two views of the same setting.
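The two routes from this section (disable the service outright, or keep it and trim both the path allow-list and the winreg ACL) as an added PowerShell example that is not part of the original article. The path being removed, Software\Microsoft\OLAP Server, and the principal being removed are chosen only for illustration; inspect the current values on your own system first, since removing a path a service depends on produces exactly the faults described above.

```powershell
# Added example (not part of the original article): either disable the Remote Registry
# service entirely, or keep it and trim both the path allow-list and the winreg ACL.
# Assumptions: run elevated on Server 2008 or later; the path and identity passed to the
# functions at the bottom are illustrative placeholders, not recommended defaults.
$winreg = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'

function Disable-RemoteRegistry {
    # Systems that never need remote access: stop the service and keep it from starting.
    Stop-Service -Name RemoteRegistry -Force -ErrorAction SilentlyContinue
    Set-Service  -Name RemoteRegistry -StartupType Disabled
}

function Remove-AllowedRemotePath {
    param([string]$Path, [switch]$ExactOnly)
    # AllowedPaths\Machine      = paths and their sub-keys ("...registry paths and sub-paths")
    # AllowedExactPaths\Machine = exactly those keys       ("...registry paths")
    $sub = if ($ExactOnly) { 'AllowedExactPaths' } else { 'AllowedPaths' }
    $key = Join-Path $winreg $sub
    $current = [string[]](Get-ItemProperty -Path $key -Name Machine).Machine
    $trimmed = @($current | Where-Object { $_ -ne $Path })
    if ($trimmed.Count -eq @($current).Count) { Write-Warning "$Path was not listed under $sub"; return }
    Set-ItemProperty -Path $key -Name Machine -Value ([string[]]$trimmed) -Type MultiString
}

function Remove-WinregAccess {
    param([string]$Identity)
    # Who may open the remote registry pipe at all is the DACL on the winreg key itself.
    # Only explicit entries can be removed this way; an inherited one would first need
    # SetAccessRuleProtection($true, $true) on the ACL.
    $acl = Get-Acl -Path $winreg
    $matches = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq $Identity })
    if ($matches.Count -eq 0) { Write-Warning "$Identity has no entry on winreg"; return }
    foreach ($ace in $matches) { $null = $acl.RemoveAccessRule($ace) }
    Set-Acl -Path $winreg -AclObject $acl
}

function Show-RemoteRegistryExposure {
    # What is reachable remotely right now, and by whom. Run this before changing anything.
    Write-Output '== paths and sub-paths =='
    (Get-ItemProperty -Path "$winreg\AllowedPaths" -Name Machine).Machine
    Write-Output '== exact paths =='
    (Get-ItemProperty -Path "$winreg\AllowedExactPaths" -Name Machine).Machine
    Write-Output '== winreg ACL =='
    (Get-Acl -Path $winreg).Access |
        Format-Table IdentityReference, RegistryRights, AccessControlType -AutoSize
}

Show-RemoteRegistryExposure
Remove-AllowedRemotePath -Path 'Software\Microsoft\OLAP Server'      # illustrative only
Remove-WinregAccess      -Identity 'NT AUTHORITY\Authenticated Users' # illustrative only
# The article notes that a restart is needed for the change to take effect.
```

A service that needs a key you removed will fail in the way the supplement above describes; the fix is the reverse operation, putting its path back under AllowedPaths (or its account back on the winreg ACL) rather than re-enabling everything.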

 

Figure 5

4. Deploy auditing to monitor user operations on the registry

Auditing is an important feature of Windows. Just as files and other system objects can be audited, so can registry access, which tells us which users accessed the registry and what operations they performed on it. Be aware, however, that enabling registry auditing costs some system performance.
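How registry auditing is actually switched on, as an added example that is not part of the original article. Both halves are needed: the audit policy subcategory must be enabled, and the key must carry a SACL entry, or nothing is written to the Security log. The key used, HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, is chosen only because it is a common persistence location; the performance cost mentioned above is why the entry audits write-type operations on one key rather than reads across the hive.

```powershell
# Added example (not part of the original article): audit write-type operations on one
# sensitive key and read back the resulting events. Assumptions: run elevated; the Run key
# is an illustrative target, not a recommendation to audit only that key.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

# 1. Enable the Object Access > Registry audit subcategory; without it SACLs are ignored.
auditpol.exe /set /subcategory:"Registry" /success:enable /failure:enable | Out-Null
auditpol.exe /get /subcategory:"Registry"

# 2. Add a SACL entry: audit everyone, success and failure, for changes to this key
#    and (ContainerInherit) any sub-key created under it. Reads are deliberately not
#    audited here to keep the volume and the performance cost down.
$writeRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
$rule = New-Object System.Security.AccessControl.RegistryAuditRule(
    'Everyone', $writeRights,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')

$sd = Get-Acl -Path $key -Audit      # -Audit is required to read and write the SACL
$sd.AddAuditRule($rule)
Set-Acl -Path $key -AclObject $sd

# 3. Verify the SACL, then pull the most recent registry audit events:
#    4657 = a registry value was modified, 4663 = an object was accessed,
#    4656 = a handle to an object was requested (includes failed attempts).
(Get-Acl -Path $key -Audit).Audit |
    Format-Table IdentityReference, RegistryRights, AuditFlags, InheritanceFlags -AutoSize

function Get-RegistryAuditEvents([int]$Max = 20) {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657, 4663, 4656 } -MaxEvents $Max -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { $_.Message.Split("`n")[0] } }
}
Get-RegistryAuditEvents | Format-Table -AutoSize
```

Writing the SACL needs the "Manage auditing and security log" privilege, which members of Administrators hold; a non-administrator running this will get an access-denied error from Set-Acl even though Get-Acl without -Audit works for them.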
