
New Member

CSA and remote registry access (RAC) rules by group?

CSA V4.5.1 B616..

We're seeing a fair number of the following alerts:

Alert The process '<remote application>' (as user DomainName\SomeUser) attempted to access the registry key '\REGISTRY\MACHINE', value ''. The attempted access was an open (operation = OPEN/KEY).

The operation was denied.

I completely understand the RAC rule that's controlling this - It's basically denying all <remote applications> write access to any of the registry - Generally, a good idea..

My problem lies with Remote Windows administration - Aka, remote stop/start of services, viewing event logs, etc - Pretty much anything useful in the "Manage Computer" MMC snapin..

Given the alert above specifies the remote domain/user, I ideally want to just allow "some given AD administrators" group remote registry access, and deny everyone else.. I just can't figure any way to specify that...

Any user state-set stuff is triggered off the "logged-in" user, not a "remote registry accessing user". The applications class is a Cisco built in <Remote Application> - Not something I have a lot of control over?

Any thoughts on ways to "override" and just allow a specific folks remote registry access for administration purposes - but deny "all the bad stuff" and folks that "shouldn't be doing remote administration"??

Seems/feels like I should be able to do SOMETHING with the Domain/User in the alert...
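The alert quoted above carries the remote domain\user, the process class and the registry key, which is enough to triage a batch of these events before the CSA policy is reworked. The following script is an added example, not something from this thread or from Cisco: it parses alert lines of that shape with a regular expression modelled only on the quoted text (the pattern, the sample alerts and the hypothetical admin list are all constructed assumptions), and sorts each event into "known admin, denied" (the case the poster wants to allow), "known admin, allowed" or "non-admin remote registry attempt" (the case worth a second look).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Pattern modelled on the alert text quoted in the thread (an assumption, not a CSA spec).
# The trailing "The operation was ..." sentence is optional because it is often on its own line.
ALERT_RE = re.compile(
    r"The process '(?P<process>[^']+)' \(as user (?P<domain>[^\\)]+)\\(?P<user>[^)]+)\) "
    r"attempted to access the registry key '(?P<key>[^']*)', value '(?P<value>[^']*)'\. "
    r"The attempted access was an? (?P<access>\w+) \(operation = (?P<operation>[^)]+)\)\."
    r"(?:\s*The operation was (?P<result>\w+)\.)?"
)


@dataclass
class RegistryAlert:
    process: str
    domain: str
    user: str
    key: str
    value: str
    access: str
    operation: str
    result: str  # "denied", "allowed" or "unknown" when the sentence was split off


def parse_alert(line: str) -> Optional[RegistryAlert]:
    """Return the structured alert, or None if the line is not a registry-access alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["result"] = fields["result"] or "unknown"
    return RegistryAlert(**fields)


# Hypothetical membership of the AD administrators group (constructed; in practice
# this would be pulled from AD rather than hard-coded). Compared case-insensitively.
ADMIN_USERS = {("domainname", "adminjane"), ("domainname", "adminbob")}


def triage(alert: RegistryAlert) -> str:
    """Classify one alert by whether the remote principal is a known administrator."""
    principal = (alert.domain.lower(), alert.user.lower())
    if principal in ADMIN_USERS:
        return "admin-denied" if alert.result.lower() == "denied" else "admin-allowed"
    return "nonadmin-attempt"


def summarize(lines: List[str]) -> Tuple[Dict[str, int], List[str]]:
    """Count alerts per category and list the non-admin attempts to investigate."""
    counts = {"admin-allowed": 0, "admin-denied": 0, "nonadmin-attempt": 0, "unparsed": 0}
    investigate: List[str] = []
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            counts["unparsed"] += 1
            continue
        category = triage(alert)
        counts[category] += 1
        if category == "nonadmin-attempt":
            investigate.append(
                f"{alert.domain}\\{alert.user} via {alert.process} -> {alert.key} ({alert.operation})"
            )
    return counts, investigate


# Constructed sample alerts in the shape quoted in the thread.
SAMPLE_ALERTS = [
    r"Alert The process '<remote application>' (as user DomainName\SomeUser) attempted to access "
    r"the registry key '\REGISTRY\MACHINE', value ''. The attempted access was an open "
    r"(operation = OPEN/KEY). The operation was denied.",
    r"Alert The process '<remote application>' (as user DomainName\AdminJane) attempted to access "
    r"the registry key '\REGISTRY\MACHINE', value ''. The attempted access was an open "
    r"(operation = OPEN/KEY). The operation was denied.",
    r"Alert The process '<remote application>' (as user DomainName\AdminBob) attempted to access "
    r"the registry key '\REGISTRY\MACHINE\SYSTEM', value ''. The attempted access was an open "
    r"(operation = OPEN/KEY). The operation was allowed.",
    "Alert The process 'notepad.exe' attempted to write to a file.",  # not a registry alert
]

if __name__ == "__main__":
    counts, todo = summarize(SAMPLE_ALERTS)
    print(counts)
    for item in todo:
        print("investigate:", item)
```

The "admin-denied" bucket is the noise the original poster wants the user-state based allow rule to remove; anything left in "nonadmin-attempt" after that change is a remote principal touching the registry who is not in the administrators group, which is exactly the set the deny rule should keep blocking and the set worth following up.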

New Member

Re: CSA and remote registry access (RAC) rules by group?

I've done this in my deployment. What you will need to do is clone the System Hardening Module twice. One will be a "base" set of rules that apply to everyone (Network shield rules must be applied without user states).

The other two will be applied depending on user state. I actually made a specific user state that included all the Administrators and had one Hardening module which Priority Allows registry changes by remote clients. Then, the other one is any user state EXCEPT my Administrators and will priority deny all registry changes by remote clients.

If this isn't clear enough, I can post some documentation on what I did, but it does work now so that admin users are able to make registry changes remotely.

This was on 5.0 Build 187, so maybe User States aren't the same in 4.5.1, but I'd imagine there's something similar if not the same.

New Member

Re: CSA and remote registry access (RAC) rules by group?

OK - I think I've got the idea here.. My only question is will this work with "strictly remote" clients??

Aka - Unprivileged/non-admin Bob is logged in doing his job on a machine with CSA

And I (Mr Admin) want to remotely "touch" his machine's registry, review an event log, etc, while Bob is logged in..

The UserState will really "Trigger" that I'm an admin (even though I'm remote, and NOT "logged in") and apply the correct module rules? - That really works, huh?

Also - assuming this user-state stuff works on remote "touching", isn't just one "ALLOW" needed for the "users in the ADMIN" group - and just leave the base "Deny" not conditionalized by the user states.. - Then just let the precedence of the ALLOW RAC "to win" for admins and "override" the DENY RAC "for everyone"

I'm somewhat surprised the "remote bit works", but I honestly haven't tried it - So if you've done it and say it works - that's enough for me to "give it a shot"...

New Member

Re: CSA and remote registry access (RAC) rules by group?

The reason I say you need three is because, from what I've found, Priority Denies enforced by Rule Modules without State considerations will override State consideration Modules. However, I recently discovered a flaw in some Administrator testing I had been doing, so it may be possible to do this with just one clone...

As far as Remote states, how do you do your remote administration? That is, how do you remotely access registry information? I tested this mostly through Remote Control in SMS and through Remote Desktop. Both of those did trigger the Admin rule.

New Member

Re: CSA and remote registry access (RAC) rules by group?

Actually, to be fair, I can't say that it's been effectively tested that a non-user can be Remote Controlled and have an admin client make changes through their logon. Our Windows policy blocks registry editing by anyone not a Domain Administrator or PC Admin, and my CSA Admin group is anyone in PC Admin or Domain Admins. So, to test remote regedit, I've had to have a CSA Admin logged in anyway...

Let me see if I can try removing PC Admins from CSA Admins and have a Domain Admin try regedits through my PC Admin account.

New Member

Re: CSA and remote registry access (RAC) rules by group?

I tested SMS functions like Event Viewer and Diagnostics...Admin account was using SMS to get into a machine logged in with regular account and the rule to allow was triggered. So, unless you use something other than SMS or Remote Desktop, it seems like this should work.

New Member

Re: CSA and remote registry access (RAC) rules by group?

Ok - Thanks - We'll give it a try.. You pointed us in the right direction. I'll reply if we get stuck..

Let the testing begin!! - Thanks Again..
