securing windows registry?
Results 1 to 4 of 4

Thread: securing windows registry?

  1. #1
    Senior Member
    Join Date
    Feb 2005
    Posts
    153

    securing windows registry?

    I've got a new program I'm about to release, but first I need some clarification and insight on a particular subject:

    How can the registry structure be protected against modifications without the use of 3rd party monitoring software? Let's say I alter a specific registry DWORD and need that to NEVER be altered, how would I go about doing that?
    \"It is not the strongest of the species that survive, nor the most intelligent, but the one most responsive to change.\"
    - Charles Darwin

  2. #2
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,324
    Well... I suppose you could modify the permission for that key giving users read only access. Then give "system" full access if it needs it. It does need it in *most* cases, right?

    But... all someone would have to do is gain "system" privledges... and run regedit to modify the settings... System privledges is not very difficult to get either... especially if you are admin on the box already.

    This is software that is going to installed on boxes out of your control?

    If in a domain environment... you could use group policy?

    One of the ways in which you can protect your Windows registry is to configure permissions. You can do so by opening the registry and using the Permissions option. An alternate method is to set the registry permissions using Group Policy. You can easily accomplish this using the steps outlined below.

    1. Open the GPO you want to use for implementing registry permissions.
    2. Expand Computer Configuration | Windows Settings | Security Settings | Registry.
    3. Right click the Registry and select Add Key.
    4. Locate the Registry key you want to configure permissions for. Select the Registry key and Click OK.
    5. Configure the appropriate permissions and Click OK.
    6. Make the appropriate selection from the Add Object dialog box and Click OK.
    http://www.google.com/search?q=group...ry+permissions

    Google's first link

    You would have to give the user *some* way to control it. What if they want to uninstall it?
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  3. #3
    Senior Member
    Join Date
    Feb 2005
    Posts
    153
    Guess I had better explain my project so you have an idea of what I am trying to accomplish:

    Even by using firefox on a Windows system, IE remains a security hole purley by design. Even if the user never opens up IE, 3rd party programs can still call IE instructions to preform their dirty work of drive-by installations. Granted that would require the user to have made a dumb move or installation of a shadey program, but the threat still exists.

    So, let's plug up that hole at the source. I'm creating a basic program which when installed will preform 3 basic functions:

    1. - Completed Place a graphical image and .html file in the C:\Program Files\IELockdown directory. This html file will become IE's locked homepage that shows a message similar to:

    "IELockdown has been installed on this computer. This means that the security levels of Internet Explorer have been placed at the highest possible configuration to offer additional protection to the computer. Windows Update (http://www.windowsupdate.com) and Mozilla Firefox (http://********firefox) are the only two domains that are given complete trust with the Internet Explorer browser. It is highly recommended to use a browser that offers a greater level of security than Internet Explorer.

    -links to other browser download locations-"

    2. - Completed After the .html and image have been installed, this registry configuration will be added:
    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
    "CurrentLevel"=dword:00012000
    "MinLevel"=dword:00012000
    "RecommendedLevel"=dword:00012000
    "1A10"=dword:00000003
    "{AEBA21FA-782A-4A90-978D-B72164C80120}"=hex:1a,37,61,59,23,52,35,0c,7a,5f,20,\
      17,2f,1e,1a,19,0e,2b,01,73,13,37,13,12,14,1a,15,39
    "{A8A88C49-5EB2-4990-A1A2-0876022C854F}"=hex:1a,37,61,59,23,52,35,0c,7a,5f,20,\
      17,2f,1e,1a,19,0e,2b,01,73,13,37,13,12,14,1a,15,39
    
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\windowsupdate.com]
    "http"=dword:00000002
    
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\microsoft.com\*.windowsupdate]
    "http"=dword:00000002
    
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mozilla.org]
    "http"=dword:00000002
    What this will do is first set the IE internet security level to HIGH, and set the recommended level to HIGH. If it is ever attempted to be switched lower than HIGH a warning will pop up and the option will not be allowed to change until IELockdown is uninstalled. This will also set the cookie level to BLOCK all cookies on the Internet Zone, and ALLOW cookies on the Trusted Zone. The next few lines are to add the windowsupdate website and the mozilla/firefox download website to the Trusted IE Zone, allowing for them to download a different browser on the new homepage offered by IELockdown.

    3. - Incomplete Set permissions that somehow deny the system to change the IE internet zone security level and deny the system to change the homepage. These permissions are returned back to normal functionality when IELockdown is uninstalled.


    This is very similar to Windows 2003 IE security program, but meant for 98-XP. Granted all of this can be done manually, but I wanted something simple for people/techs to install on systems that involved minimum hassle. So, step 3 is what I need help with.
    \"It is not the strongest of the species that survive, nor the most intelligent, but the one most responsive to change.\"
    - Charles Darwin

  4. #4
    Senior Member
    Join Date
    Mar 2004
    Posts
    557
    Hi

    I am not completely sure, what you try to achieve. I'd have answered
    similiar to Phish . Since it seems you need some more information, here
    are a few, which might be relevant.

    When you create your registry keys using RegCreateKeyEx[1] (with whatever
    language), you can set the security options as a parameter[2]. If the key exists
    and you want to alter the key security, RegSetKeySecurity[3] will do the job.
    However, as an administrator, you can take ownership of the registry key (by
    first giving yourself the necessary priviledge), modify its security settings and
    change the entry (I should test this, before writing it ... ). Users, with limited
    accounts, are "safe" using your tool though. Not sure about Win98-capabilities...

    You also could alter the permissions using regini.exe[4] from the resource tool kit.
    But then, this should be part of your program.

    If you have troubles with stage 3, I am willing to help you.
    However, this will have to wait till next Monday (travelling - again - pfff).

    Cheers.


    [1] http://msdn.microsoft.com/library/de...reatekeyex.asp
    [2] http://msdn.microsoft.com/library/de...ess_rights.asp
    [3] http://msdn.microsoft.com/library/de...eysecurity.asp
    [4] http://support.microsoft.com/kb/237607/en-us
    If the only tool you have is a hammer, you tend to see every problem as a nail.
    (Abraham Maslow, Psychologist, 1908-70)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •