Cisco Support Community

CSA - Huge number of Registry OPEN/WRITEs

I am seeing a huge number (almost 1000/day) of attempts to read/write registry keys. This is from random nodes everywhere. When running through the event wizard, I can configure a rule to allow access to those registry keys - the event wizard suggests allowing dozens of sources to access 200+ registry keys. These events are all grouped under "similar events".

What is the best practice for determining the proper rules to put in place for registry accesses? It would be impossible to understand each registry access to make a decision based on proper protocol operation, so there must be a better way. Of course, we don't want to simply allow all registry accesses, since this would put a dent in the armor of CSA.

Any suggestions?

Thanks in advance!

1 REPLY

Re: CSA - Huge number of Registry OPEN/WRITEs

From what I've seen, this mostly involves shares on Windows hosts, whether it be printers or files. The host keeps a record of access in MRU keys for caching, access tracking, etc. If you allowed (or denied) access to the root keys from trusted nodes and didn't log, you might cut down on the number of messages.

Has it caused anything to stop working? If not, I'd simply stop logging it. If it's denying things and nothing is affected, why see it?

You might also look at the host access security logging and see if that can be tuned to cut down on the messages.
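An added example, not part of the original thread and not Cisco tooling: one way to collapse hundreds of per-key events into a few root keys before writing a rule, so that only roots touched solely by trusted nodes become candidates for a rule without logging. The event tuple layout, key names and addresses are constructed assumptions, not the CSA export format.

```python
from collections import defaultdict

# Constructed sample events as (source, operation, registry key) tuples.
# This layout is an assumption; it is not the CSA event export format.
SAMPLE_EVENTS = [
    ("10.1.1.21", "OPEN",  r"HKLM\SOFTWARE\ExampleVendor\Shares\MRU\a"),
    ("10.1.1.21", "WRITE", r"HKLM\SOFTWARE\ExampleVendor\Shares\MRU\b"),
    ("10.1.1.34", "WRITE", r"HKLM\SOFTWARE\ExampleVendor\Shares\MRU\MRUList"),
    ("10.1.1.34", "OPEN",  r"hklm\software\examplevendor\shares\Printers\p1"),
    ("10.9.9.77", "WRITE", r"HKLM\SYSTEM\ExampleSet\Services\svc1\Parameters"),
    ("10.1.1.21", "OPEN",  r"HKLM\SYSTEM\ExampleSet\Services\svc2\Parameters"),
]
TRUSTED = {"10.1.1.21", "10.1.1.34"}  # hypothetical trusted nodes


def summarize(events, trusted, depth=4):
    """Collapse per-key events into root keys `depth` components deep."""
    groups = defaultdict(lambda: {"events": 0, "writes": 0,
                                  "keys": set(), "sources": set()})
    for source, op, key in events:
        parts = [p for p in key.strip().split("\\") if p]
        # Registry paths are case-insensitive, so normalise before grouping.
        root = "\\".join(parts[:depth]).upper()
        g = groups[root]
        g["events"] += 1
        g["writes"] += op.upper() == "WRITE"
        g["keys"].add(key.upper())
        g["sources"].add(source)
    rows = []
    for root, g in groups.items():
        untrusted = sorted(g["sources"] - set(trusted))
        rows.append({
            "root": root, "events": g["events"], "writes": g["writes"],
            "distinct_keys": len(g["keys"]), "untrusted": untrusted,
            # Only roots touched solely by trusted nodes are candidates for
            # a rule that stops logging; anything else stays under review.
            "action": "review" if untrusted else "rule-without-logging",
        })
    return sorted(rows, key=lambda r: (-r["events"], r["root"]))


if __name__ == "__main__":
    for row in summarize(SAMPLE_EVENTS, TRUSTED):
        print(row)
```

Lowering `depth` produces broader roots and fewer rules; any root that lists an untrusted source keeps its logging until that source is explained.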
