CSA - <Remote Clients> and Loopback

RichardSW
Level 1

I'm using a copy of the sample System Hardening module, and one of the rules is "Remote Clients, All Registry Keys". This is a Registry access control rule that Denies when <Remote Clients> attempt to write to All Registry Keys.

The problem I'm having is that many machines will talk to themselves over their own loopback or IP address. So I have events tripped by this rule - an example is:

TESTMODE: The process '<remote application>' (as user MYDOMAIN\THEMACHINE1$) attempted to access the registry key '\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName' and value ''. The attempted access was an open (operation = OPEN/KEY). The operation would have been denied.

<Remote Clients> is supposed to be: This application class refers to any process that is running on a different host than the one on which the agent is resident, and is remotely accessing resources protected by the agent. The actual remote application that is used to open the resource in question cannot be determined on the local system.

The agent doesn't seem to be tracking the local host's network name so of course it sees this as an external host. Has anyone else come across this, and is there a workaround? Is there another Application Class I can use to accomplish nearly the same thing? I'm wondering if I can change this to <Network Applications>, because it notes: a network connection to or from another process on the same system will not cause a process to be included in this application class.

Thanks for any help.

1 Reply

RichardSW
Level 1

Ah, never mind the idea. I think that would fix the example event but then it will kill all other registry access for anything else that talks to the network - including web services.
