
Methods of Restricting Registry Access, Part 4

/log log_filename - specifies a file in which to log the status of the import process. If not specified, the import-processing information is logged in the scesrv.log file, which is located in the %windir%\security\logs directory.

/quiet - specifies that the import process should take place without prompting the user for any confirmation.

Secedit /export allows you to export security settings stored in the database. The syntax of this command is:

    secedit /export /db db_filename [tablename] /cfg cfg_filename [/areas area1 area2...] [/log log_filename]

/db db_filename - specifies the database used to perform the security configuration.

/cfg cfg_filename - specifies a security template to export the database contents to.

tablename - specifies the table to export data from. If no argument is specified, the configuration table data is exported.

/areas - specifies the security areas to export. If this parameter is not specified, all security settings defined in the database are exported. To export specific areas, separate each area by a space. The following security areas are exported:

SECURITYPOLICY - Account Policies, Audit Policies, Event Log Settings and Security Options

GROUP_MGMT - Restricted Group settings

USER_RIGHTS - User Rights Assignment

REGKEYS - Registry Permissions

FILESTORE - File System permissions

SERVICES - System Service settings

/log log_filename - specifies a file in which to log the status of the export process. If not specified, the export-processing information is logged in the scesrv.log file, which is located in the %windir%\security\logs directory.

Secedit /generaterollback allows you to generate a rollback template with respect to a configuration template. The syntax of this command is:

    secedit /generaterollback /cfg cfg_filename /rbk filename [/log log_filename] [/quiet]

/db db_filename - specifies the database used to perform the rollback.
/cfg cfg_filename - specifies a security template with respect to which a rollback template is generated. Security templates are created using the Security Templates snap-in.

/rbk filename - specifies a security template into which the rollback information is written. Security templates are created using the Security Templates snap-in.

/log log_filename - specifies a file in which to log the status of the rollback process. If not specified, the rollback-processing information is logged in the Scesrv.log file, which is located in the %windir%\security\logs directory.

/quiet - specifies that the rollback process should take place without prompting the user for any confirmation.

In addition, secedit.exe can be used to apply a single node from a security template. Thus, to reapply your preferred file permissions, you can use a single command-line command. To reapply your preferred registry permissions, you can use another line. Put both commands in a batch file or write a simple script, and you can reapply both file permissions and registry permissions across multiple servers. And you can use the scheduling service (schtasks.exe) to periodically refresh these settings without any replication burden.

After testing the statements, you can schedule a periodic refresh by putting both commands (or the combination line) in a batch file. Test the batch file. If successful, use the task scheduler or schtasks.exe to schedule the refresh. Table 9.1 provides an explanation of the most useful schtasks.exe command-line switches; additional switches are available.
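The refresh procedure described above, written as a simple script; this is an added example, not code from the original text. It uses the secedit /configure and /overwrite switches, which this excerpt does not list, and every path and the task name are assumptions.

```powershell
# Added example. All paths and the task name are assumptions; adjust to your environment.
param([switch]$Register)   # -Register creates the scheduled task instead of refreshing

$Template   = 'C:\SecTemplates\baseline.inf'             # hypothetical, already tested template
$Database   = 'C:\SecTemplates\baseline.sdb'             # hypothetical working database
$LogFile    = 'C:\SecTemplates\logs\refresh.log'         # hypothetical log file
$ScriptPath = 'C:\SecTemplates\Refresh-Permissions.ps1'  # this script; no spaces, so /tr needs no nested quotes
$TaskName   = 'RefreshRegAndFilePermissions'             # hypothetical task name

if ($Register) {
    # The task runs as SYSTEM, so anyone who can modify the script or the
    # template controls what SYSTEM applies: keep C:\SecTemplates writable
    # by administrators only.
    $command = "powershell.exe -NoProfile -File $ScriptPath"
    # /sc weekly /d MON: every Monday (Monday is the default day, shown for clarity).
    & schtasks.exe /create /tn $TaskName /tr $command /sc weekly /d MON /ru SYSTEM
    exit $LASTEXITCODE
}

if (-not (Test-Path -LiteralPath $Template)) {
    throw "Security template not found: $Template"
}
New-Item -ItemType Directory -Force -Path (Split-Path $LogFile) | Out-Null

# Reapply only the registry-permission and file-permission nodes of the
# template (the "combination line"); the other security areas are not applied.
# /overwrite replaces whatever the database held with the template contents,
# so entries from an older template version are not carried along.
& secedit.exe /configure /db $Database /cfg $Template /overwrite `
    /areas REGKEYS FILESTORE /log $LogFile /quiet

if ($LASTEXITCODE -ne 0) {
    Write-Error "secedit returned exit code $LASTEXITCODE; review $LogFile"
    exit $LASTEXITCODE
}
```

Run the script once by hand and read the log before running it with -Register, as the text advises for the batch file.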
Table 9.1: The Switches for schtasks.exe

| Switch | Description |
|---|---|
| /create | Create a task |
| /tn | The name of the new task |
| /tr | The name of the batch file or command to run |
| /sc | When to schedule the repetitive event (once, every n times a month, every month, every n times a day, at this time every day, and so on) |
| /d | Which day of the week; Monday is the default, so I could have left out this switch in the example; /d * runs the process every day |
| /ru | Under whose authority; if a user account name is entered here (use the domainname\username format), the password is entered using the /rp switch; to use a local computer account use the \machine switch and \u and \p parameters (when the SYSTEM account is used, no password is entered) |

The Most Important Registry Keys that Need Protection

Microsoft officially recommends that system administrators restrict user access to certain subkeys under HKEY_LOCAL_MACHINE\SOFTWARE. The purpose of this restriction is to prevent unauthorized access to the software settings.

Note: Microsoft officially recommends that system administrators restrict user access to the following registry keys: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion.

For all earlier versions of Windows NT-based systems, including Windows 2000, it is recommended that the user restrict the Everyone group (note that in Windows XP and Windows Server 2003 the Everyone group has been restricted by default). For the Everyone group, it's sufficient to have the Query Value, Enumerate Subkeys, Notify, and Read Control rights to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion registry key and the following subkeys under this key: AeDebug, Compatibility, Drivers, Embedding, Font Drivers, FontCache, FontMapper, Fonts, FontSubstitutes, GRE_Initialize, MCI, MCI Extensions, Ports (and all its subkeys), Type 1 Installer, Windows 3.1 MigrationStatus (and all its subkeys), WOW (and all its subkeys). ...
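One way to check the recommendation above on a live system, as an added example that is not part of the original text: it reports every Allow entry that gives the Everyone group more than Query Value, Enumerate Subkeys, Notify and Read Control on the keys named. The function name and output columns are assumptions, and subkeys below Ports, Windows 3.1 MigrationStatus and WOW are not walked.

```powershell
# Added example: audits the keys named in the text; names and output shape are assumptions.
$Base    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$SubKeys = 'AeDebug', 'Compatibility', 'Drivers', 'Embedding', 'Font Drivers',
           'FontCache', 'FontMapper', 'Fonts', 'FontSubstitutes', 'GRE_Initialize',
           'MCI', 'MCI Extensions', 'Ports', 'Type 1 Installer',
           'Windows 3.1 MigrationStatus', 'WOW'
$Keys    = @($Base) + ($SubKeys | ForEach-Object { "$Base\$_" })

$EveryoneSid = 'S-1-1-0'   # well-known SID of the Everyone group (locale independent)
$Rights      = [System.Security.AccessControl.RegistryRights]
# Query Value + Enumerate Subkeys + Notify + Read Control is exactly ReadKey.
# GENERIC_READ (0x80000000) and GENERIC_EXECUTE (0x20000000) map to those same
# rights on registry keys and show up on inherit-only entries, so allow them too.
$AllowedMask = [int]$Rights::ReadKey -bor 0x80000000 -bor 0x20000000

function Get-EveryoneExcessRights {
    param([string[]]$Path)
    foreach ($key in $Path) {
        if (-not (Test-Path -LiteralPath $key)) { continue }   # key absent on this Windows version
        $acl   = Get-Acl -LiteralPath $key
        # Explicit and inherited rules, with identities returned as SIDs.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            if ($rule.IdentityReference.Value -ne $EveryoneSid) { continue }
            if ($rule.AccessControlType -ne 'Allow') { continue }
            # Bits granted to Everyone that are outside the allowed read-only set.
            $excess = [int]$rule.RegistryRights -band (-bnot $AllowedMask)
            if ($excess -ne 0) {
                [pscustomobject]@{
                    Key        = $key
                    Granted    = $rule.RegistryRights
                    ExcessMask = '0x{0:X8}' -f $excess
                    Inherited  = $rule.IsInherited
                }
            }
        }
    }
}

Get-EveryoneExcessRights -Path $Keys | Format-Table -AutoSize
```

No output means no audited key grants Everyone more than read access; a row with Inherited set to True points to a parent key as the place to fix the entry.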
