Protect the registry from anonymous access?

Printable View

August 29th, 2002, 11:30 AM
Azn_Acid02

Protect the registry from anonymous access?

This one is the one I don't get. I run a w2k prof.

I got confused at this point

Quote:

Select winreg, click the Security menu, and then click Permissions.

It told me to add a registry value and it was already there. The other thing was that the only way I could access what they (M$) told me is from a file and winreg is in a registry key. Im confused, I don't get on how I can apply that feature. Thx in advance.

Quote:

Protect the registry from anonymous access

The default permissions do not restrict remote access to the registry. Only administrators should have remote access to the registry, because the Windows 2000 registry editing tools support remote access by default. To restrict network access to the registry:

Add the following key to the registry:
Hive
HKEY_LOCAL_MACHINE \SYSTEM

Key
\CurrentControlSet\Control\SecurePipeServers

Value Name
\winreg

Select winreg, click the Security menu, and then click Permissions.
Set the Administrators permission to Full Control, make sure no other users or groups are listed, and then click OK.
The security permissions (ACLs) set on this key define which users or groups can connect to the system for remote registry access. In addition, the AllowedPaths subkey contains a list of keys to which members of the Everyone group have access, notwithstanding the ACLs on the winreg key. This allows specific system functions, such as checking printer status, to work correctly regardless of how access is restricted via the winreg registry key. The default security on the AllowedPaths registry key grants only Administrators the ability to manage these paths. The AllowedPaths key, and its proper use, is documented in Microsoft Knowledge Base article Q155363.
August 29th, 2002, 01:13 PM
SirDice

On NT, Win2K and XP you can also put ACL's on registry keys. The winreg value lets you restrict who can remotely access your registry.

NB use regedt32.exe instead off regedit.exe. The first will allow you to edit the ACL of the keys/values.
August 29th, 2002, 01:28 PM
nebulus200

Unless I am mistaken, in Win2k you can do it directly from your control panel (whereas in NT you had to do it in the registry). The way I have seen discussed is a way to tighten access to the registry, but when I have heard discussions of preventing anonymous access to the registry, I have always taken that to mean access through null sessions (ick, yes it can be possible). There are a couple of things you need to be sure of, first:

1) Control Panel -> Administrative Tools -> Services, Remote Registry --> set to disable

2) Control Panel -> Administrative Tools -> Local Security Policy (your domain could override this if you log into one, in which case you will have to talk to the domain admin)

Local Policies -> User Rights Assignment -> Deny Access to the computer from the network (make sure anonymous logon is there)

Local Policies -> Security Options -> Additional Restrictions for anonymous connections ->
No access without explicit permissions

It is my understanding that this should restrict anonymous access (null logon) to your registry.

Neb
August 29th, 2002, 05:54 PM
Azn_Acid02

Thank You very much to both of you, I learned something new and can fix one of my mistakes.