CSA Registry Access Control, allowed keys, DC and HKLM

Aug 14th, 2008

This is just an FYI for those of you struggling with the RAC rules. If you have the default RAC rule for Remote Clients, Any Key (Deny) enabled, then you know what I'm talking about.

Some solutions:

For the default rule, remove All Registry Keys, and create a new set (I call it Restricted Registry Keys):

Registry keys matching:

HKCC\**

HKCR\**

HKLM\**

HKU\**

but not:

HKLM\System\CurrentControlSet\Control\ProductOptions

HKLM\System\CurrentControlSet\Control\Server Applications

HKLM\Software\Microsoft\Windows NT\CurrentVersion

HKLM\System\CurrentControlSet\Control\Print\Printers

HKLM\System\CurrentControlSet\Services\Eventlog

HKLM\Software\Microsoft\OLAP Server

The exceptions are based on several remote registry hardening documents I've reviewed. My list is actually longer but I don't think it necessarily applies to your scenario.

If you have a DC, you'll notice that the domain machine accounts are accessing HKLM. This is necessary. An event looks like this:

TESTMODE: The process '<remote application>' (as user DOMAIN\MACHINE$) attempted to access the registry key '\REGISTRY\MACHINE' and value ''. The attempted access was an open (operation = OPEN/KEY). The operation would have been denied.

You can create a new module, and specify a User State Condition with a new set (I call mine Domain Computers). User matching will just be "*\*$" (without quotes). Or, you can find the specific SID that represents your Domain Computers, as it changes per domain (S-1-5-domain-515, where domain is a numeric ID). In this module create one rule that allows <Remote Clients> to access $All HKLM Keys.

The last suggestion is a quirky issue I don't think is specific to any one scenario. After I had all my default policies and exceptions in place, I was still hit with a read access to the root of HKLM by domain users. It looks something like this:

TESTMODE: The process '<remote application>' (as user domain\user) attempted to access the registry key '\REGISTRY\MACHINE' and value ''. The attempted access was an open (operation = OPEN/KEY). The operation would have been denied.

I can't pinpoint what causes this, but all my research shows it to be benign. With the way the RAC rules work, you can't create an exception just for the root of HKLM - there has to be at least one wildcard. After some digging I found that the list of subkeys immediately under the root is short. So now create a new registry set (I call mine HKLM Root Only):

Registry keys matching:

HKLM\*

but not:

HKLM\SAM\**

HKLM\Security\**

HKLM\Software\**

HKLM\System\**

Now you can create your exception rule. I suggest putting it in its own module with a user state set of Users.

Hope that helps someone.
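As an added example (not part of the post above, and not Cisco's own rule engine), the following script models the three registry-key sets and the user-state match the post describes, then runs them over the two TESTMODE events quoted above plus two constructed ones. It assumes the wildcard semantics the post relies on: `**` matches any depth, `*` matches a single key component, and a trailing `\*` also matches the parent key itself (which is what lets "HKLM Root Only" catch the open of the bare HKLM root). It also assumes the standard NT-native names `\REGISTRY\MACHINE` and `\REGISTRY\USER` for HKLM and HKU. Allow rules are evaluated before the deny so the exceptions take effect, as the post intends.

```python
import re

# NT-native hive names as they appear in TESTMODE events -> the HKxx form used in rule sets.
# (Assumption: standard NT layout; HKCR/HKCC are links under HKLM and are not mapped here.)
NATIVE_HIVES = {"REGISTRY\\MACHINE": "HKLM", "REGISTRY\\USER": "HKU"}

def normalize(key):
    """Map '\\REGISTRY\\MACHINE\\SAM' to 'HKLM\\SAM'; leave HKxx-style keys unchanged."""
    k = key.strip("\\")
    for native, hive in NATIVE_HIVES.items():
        if k.upper() == native or k.upper().startswith(native + "\\"):
            return hive + k[len(native):]
    return k

def compile_pattern(pattern):
    """Turn a CSA-style key pattern into a regex matched against '\\' + normalized key.
    Assumed semantics: '**' = any number of further components, '*' = one optional
    component, '*' inside a name = any run of non-separator characters."""
    parts = []
    for comp in pattern.strip("\\").split("\\"):
        if comp == "**":
            parts.append(r"(?:\\[^\\]*)*")
        elif comp == "*":
            parts.append(r"(?:\\[^\\]*)?")
        else:
            parts.append(r"\\" + re.escape(comp).replace(r"\*", r"[^\\]*"))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)

def in_key_set(key_set, key):
    """A key is in the set if it matches an include pattern and no 'but not' pattern."""
    target = "\\" + normalize(key)
    hit = any(compile_pattern(p).match(target) for p in key_set["match"])
    excluded = any(compile_pattern(p).match(target) for p in key_set["but_not"])
    return hit and not excluded

# The key sets from the post.
RESTRICTED_KEYS = {
    "match": ["HKCC\\**", "HKCR\\**", "HKLM\\**", "HKU\\**"],
    "but_not": [
        "HKLM\\System\\CurrentControlSet\\Control\\ProductOptions",
        "HKLM\\System\\CurrentControlSet\\Control\\Server Applications",
        "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion",
        "HKLM\\System\\CurrentControlSet\\Control\\Print\\Printers",
        "HKLM\\System\\CurrentControlSet\\Services\\Eventlog",
        "HKLM\\Software\\Microsoft\\OLAP Server",
    ],
}
ALL_HKLM_KEYS = {"match": ["HKLM\\**"], "but_not": []}
HKLM_ROOT_ONLY = {
    "match": ["HKLM\\*"],
    "but_not": ["HKLM\\SAM\\**", "HKLM\\Security\\**", "HKLM\\Software\\**", "HKLM\\System\\**"],
}

def compile_user_pattern(glob):
    """User State match such as the post's '*\\*$': '*' = any run of non-separator characters."""
    return re.compile("^" + re.escape(glob).replace(r"\*", r"[^\\]*") + "$", re.IGNORECASE)

DOMAIN_COMPUTER_USER = compile_user_pattern("*\\*$")
# Domain Computers group: well-known RID 515 under a domain SID (domain portion varies).
DOMAIN_COMPUTERS_SID = re.compile(r"^S-1-5-(?:\d+-)+515$")

def is_domain_computer(user, sid=None):
    """True for machine accounts (DOMAIN\\NAME$) or when the resolved SID is Domain Computers."""
    return bool(DOMAIN_COMPUTER_USER.match(user)) or (sid is not None and bool(DOMAIN_COMPUTERS_SID.match(sid)))

EVENT_RE = re.compile(r"\(as user ([^)]+)\) attempted to access the registry key '([^']*)'")

def classify(event_line):
    """Report which of the post's rules would handle a TESTMODE event (allows before the deny)."""
    m = EVENT_RE.search(event_line)
    if not m:
        return "unparsed"
    user, key = m.group(1), m.group(2)
    if is_domain_computer(user) and in_key_set(ALL_HKLM_KEYS, key):
        return "allow: Domain Computers -> $All HKLM Keys"
    if in_key_set(HKLM_ROOT_ONLY, key):
        return "allow: HKLM Root Only exception"
    if in_key_set(RESTRICTED_KEYS, key):
        return "deny: Restricted Registry Keys"
    return "not matched by these rules"

# Constructed sample events in the quoted format (the first two are the post's own).
SAMPLE_EVENTS = [
    "TESTMODE: The process '<remote application>' (as user DOMAIN\\MACHINE$) attempted to access the registry key '\\REGISTRY\\MACHINE' and value ''. The attempted access was an open (operation = OPEN/KEY). The operation would have been denied.",
    "TESTMODE: The process '<remote application>' (as user domain\\user) attempted to access the registry key '\\REGISTRY\\MACHINE' and value ''. The attempted access was an open (operation = OPEN/KEY). The operation would have been denied.",
    "TESTMODE: The process '<remote application>' (as user domain\\user) attempted to access the registry key '\\REGISTRY\\MACHINE\\SAM\\SAM' and value ''. The attempted access was an open (operation = OPEN/KEY). The operation would have been denied.",
    "TESTMODE: The process '<remote application>' (as user domain\\user) attempted to access the registry key '\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion' and value ''. The attempted access was an open (operation = OPEN/KEY). The operation would have been denied.",
]

if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        print(classify(line), "<-", EVENT_RE.search(line).group(2))
```

The fourth event shows the point of the "but not" list on the default rule: a key listed there falls out of the deny set entirely, so neither of the exception modules is needed for it. A bare `HKLM\System` open from a user, by contrast, matches `HKLM\*` but is then carved out of HKLM Root Only by `HKLM\System\**` and still lands on the deny.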
