I'm using a copy of the sample System Hardening module, and one of the rules is "Remote Clients, All Registry Keys". This is a Registry access control rule that Denies when <Remote Clients> attempt to write to All Registry Keys.
The problem I'm having is that many machines will talk to themselves over their own loopback or IP address. So I have events tripped by this rule - an example is:
TESTMODE: The process '<remote application>' (as user MYDOMAIN\THEMACHINE1$) attempted to access the registry key '\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName' and value ''. The attempted access was an open (operation = OPEN/KEY). The operation would have been denied.
<Remote Clients> is supposed to be: This application class refers to any process that is running on a different host than the one on which the agent is resident, and is remotely accessing resources protected by the agent. The actual remote application that is used to open the resource in question cannot be determined on the local system.
The agent doesn't seem to be tracking the local host's network name so of course it sees this as an external host. Has anyone else come across this, and is there a workaround? Is there another Application Class I can use to accomplish nearly the same thing? I'm wondering if I can change this to <Network Applications>, because it notes: a network connection to or from another process on the same system will not cause a process to be included in this application class.
Thanks for any help.