Managing Registry Security

Managing Registry Security To manage registry security, the Regedit.exe version supplied with Windows XP and products of the Windows Server 2003 family includes the Permissions command. Using this command
Nội dung trích xuất từ tài liệu:
Managing Registry SecurityManaging Registry SecurityTo manage registry security, the Regedit.exe version supplied with Windows XP andproducts of the Windows Server 2003 family includes the Permissions command. Usingthis command, you can edit registry-key permissions and set the rules for auditingregistry-key access.Note It should be noted that, in Windows NT/2000, these capabilities were only available in Regedt32.exe. As you remember, Regedt32.exe had a special Security menu, which allowed you to specify registry-key permissions and establish auditing rules. Beginning with Windows XP, this functionality was delegated to Regedit.exe. Note that registry key permissions can be set independently from the file-system type on the disk partition containing the operating-system files.This chapter provides only a brief overview of these functions and general instructionsfor performing operations needed to protect the registry.More detailed information on these topics will be provided in Chapter 9, which isdedicated to registry protection.As in previous Windows NT/2000 versions, Windows XP and products of the WindowsServer 2003 family possess the following capabilities for protecting the system andmanaging security: All access to system resources can be controlled. All operations that access system objects can be registered in the security log. A password is required for accessing the system, and all access operations can be logged.Setting Registry-Key PermissionsThe Permissions command opens the Permissions for the windowintended for viewing and setting registry-key permissions. The capability to set registrykey permissions doesnt depend on the file system used to format the partition thatcontains the operating-system files.Note Changing registry-key permissions can lead to serious consequences. For example, if you set the No Access permission for the key required for configuring network settings using the Control Panel applet, this applet wont work. Full Control permissions for the registry should be assigned to the members of the Administrators group and the operating system itself. This setting provides the system administrator with the ability to restore the registry key after rebooting the system.Since setting registry-key permissions can lead to serious consequences, reserve thismeasure for the keys added in order to optimize software, or other examples ofcustomizing the system.Note If you change permissions for the registry key, it is best also to audit the key access (or, at least, to audit the failed attempts at accessing this key). A brief overview of registry auditing will be provided later in this chapter.The Permissions command follows the principles used by the Explorer commands to setfile and folder permissions on NTFS partitions. To set registry-key permissions, proceedas follows: 1. Before modifying registry-key permissions, back up the registry keys you are going to modify. 2. Select the key for which you are going to set permissions, and then select the Permissions command. 3. The Permissions for window, allowing you to specify registry-key permissions (Fig. 3.20) will open. Windows XP and Windows Server 2003 provide many enhancements, including security enhancements. However, the main types of access permissions and basic principles for setting these permissions are similar to the ones found in previous versions of Windows NT/2000. Select the name of the user or group from the list at the top of this window, and then set the required access level by selecting the option you need from the Permissions for list provided below. Brief descriptions of the available access types (Read, Full Control, and Special Permissions) are listed in Table 3.3. To set permissions for a selected registry key, proceed as follows: o From the list at the top of this window, select the user or group for which you need to set registry-key permissions. If the user or group should have read capabilities, but not those to modify the key, set the Allow checkbox next to the Read option. o If the user or group should be able to open the selected registry key for editing ownership, set the Allow checkbox next to the Full Control option. o To assign the user or group a special combination of permissions (special permissions), click the Advanced button. Figure 3.20: The Permissions for window allows you to specify registry-key permissions Table 3.3: Registry-Key Permission Types Permission Description type Read Users who have permission to access this key can view its contents, but cant save any changes. Full Control Users who have permission to access this key can open the key to edit its contents, save the changes, and modify access levels for the key. Special Users who have permission to access this key have individual Permissions combinations of access rights for the selected key. A detailed description of all these types and their combinations will be provided later in this chapter.4. Set the system audit for registry access (more detailed information on this topic will be provided later in this chapter). Audit the system carefully over a period of time to make sure that new access rights have no negative influence on the applications installed in your system.Specifying Advanced Security SettingsTo set special access types for a registry key, click the Advanced button in the registry-key permissions dialog (see Fig. 3.20). The Advanced Security Settings for window will open (Fig. 3.21).Figure ...