Cisco Support Community

New Member

CSA Registry Access Control, allowed keys, DC and HKLM

This is just an FYI for those of you struggling with the RAC rules. If you have the default RAC rule for Remote Clients, Any Key (Deny) enabled, then you know what I'm talking about.

Some solutions:

For the default rule, remove All Registry Keys, and create a new set (I call it Restricted Registry Keys):

Registry keys matching:





but not:


HKLM\System\CurrentControlSet\Control\Server Applications

HKLM\Software\Microsoft\Windows NT\CurrentVersion



HKLM\Software\Microsoft\OLAP Server

The exceptions are based on several remote registry hardening documents I've reviewed. My list is actually longer but I don't think it necessarily applies to your scenario.

If you have a DC, you'll notice that the Domain Machines accounts are accessing HKLM. This is necessary. An event looks like this:

TESTMODE: The process '<remote application>' (as user DOMAIN\MACHINE$) attempted to access the registry key '\REGISTRY\MACHINE' and value ''. The attempted access was an open (operation = OPEN/KEY). The operation would have been denied.

You can create a new module, and specify a User State Condition with a new set (I call mine Domain Computers). User matching will just be "*\*$" (without quotes). Or, you can find the specific SID that represents your Domain Computers, as it changes per domain (S-1-5-domain-515 where domain is a numeric ID). In this module create 1 rule that allows <Remote Clients> to access $All HKLM Keys.

The last suggestion is a quirky issue I don't think is specific to any one scenario. After I had all my default policies and exceptions in place, I was still hit with a read-access to the root of HKLM by domain users. It looks something like this:

TESTMODE: The process '<remote application>' (as user domain\user) attempted to access the registry key '\REGISTRY\MACHINE' and value ''. The attempted access was an open (operation = OPEN/KEY). The operation would have been denied.

I can't pinpoint what causes this but all my research shows it to be benign. With the way the RAC rules work, you can't create an exception just for the root of HKLM - there has to be at least one wildcard. After some digging I found that the subkeys immediately after the root are a short list. So now create a new registry set (I call mine HKLM Root Only):

Registry keys matching:


but not:





Now you can create your exception rule. I suggest putting it in its own module with a user state set of Users.

Hope that helps someone.
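Added example, not part of the original post and not Cisco's code: a small triage script that parses TESTMODE events in the shape quoted above and sorts them into the buckets the post describes (machine accounts matched by the "*\*$" user pattern, the benign open of the HKLM root by a domain user, keys left out of the Restricted Registry Keys set, and everything else that the default deny would still catch). It also collects the immediate subkeys seen under the root, which is the list you need for the "but not" side of the HKLM Root Only set. The sample log lines, process paths, domain name and account names are constructed; the three exception keys are the ones listed in the post; the classifier is a reading of the post's rules for log review, not a model of the CSA rule engine itself.

```python
import re

# Constructed TESTMODE lines in the format quoted in the post (not real log data).
SAMPLE_EVENTS = [
    "TESTMODE: The process 'C:\\Windows\\System32\\services.exe' (as user CORP\\WKS01$) "
    "attempted to access the registry key '\\REGISTRY\\MACHINE' and value ''. "
    "The attempted access was an open (operation = OPEN/KEY). The operation would have been denied.",
    "TESTMODE: The process 'C:\\Windows\\regedit.exe' (as user CORP\\jdoe) "
    "attempted to access the registry key '\\REGISTRY\\MACHINE' and value ''. "
    "The attempted access was an open (operation = OPEN/KEY). The operation would have been denied.",
    "TESTMODE: The process 'C:\\Windows\\regedit.exe' (as user CORP\\jdoe) "
    "attempted to access the registry key '\\REGISTRY\\MACHINE\\SAM' and value ''. "
    "The attempted access was an open (operation = OPEN/KEY). The operation would have been denied.",
    "TESTMODE: The process 'C:\\Windows\\regedit.exe' (as user CORP\\jdoe) "
    "attempted to access the registry key '\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion' "
    "and value 'ProductName'. The attempted access was an open (operation = OPEN/KEY). "
    "The operation would have been denied.",
]

# Fields of one TESTMODE line: process, user, key, value, access type, operation.
EVENT_RE = re.compile(
    r"TESTMODE: The process '(?P<process>[^']*)' \(as user (?P<user>[^)]*)\) "
    r"attempted to access the registry key '(?P<key>[^']*)' and value '(?P<value>[^']*)'\. "
    r"The attempted access was an? (?P<access>\w+) \(operation = (?P<operation>[^)]*)\)\."
)

# Native form of HKLM as it appears in the events.
HKLM_ROOT = "\\REGISTRY\\MACHINE"

# The post's user-state pattern "*\*$": any domain, account name ending in "$".
MACHINE_ACCOUNT_RE = re.compile(r"^[^\\]+\\[^\\]+\$$")

# Keys the post excludes from the Restricted Registry Keys set (HKLM\ form).
HARDENING_EXCEPTIONS = [
    "HKLM\\System\\CurrentControlSet\\Control\\Server Applications",
    "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion",
    "HKLM\\Software\\Microsoft\\OLAP Server",
]


def hklm_to_native(key):
    """Rewrite an HKLM\\... path into the \\REGISTRY\\MACHINE\\... form used in the events."""
    return HKLM_ROOT + key[len("HKLM"):]


def domain_computers_sid(domain_sid):
    """Append the Domain Computers relative ID (515) to a domain SID, as the post describes."""
    return domain_sid + "-515"


def parse_event(line):
    """Return a dict of the event fields, or None if the line is not a TESTMODE event."""
    match = EVENT_RE.search(line)
    return match.groupdict() if match else None


def classify(event):
    """Sort an event into the bucket the post's rule layout would put it in."""
    key = event["key"].upper()
    if key != HKLM_ROOT and not key.startswith(HKLM_ROOT + "\\"):
        return "outside HKLM"
    if MACHINE_ACCOUNT_RE.match(event["user"]):
        return "allow: Domain Computers module"
    if key == HKLM_ROOT:
        return "allow: HKLM Root Only exception"
    for exc in HARDENING_EXCEPTIONS:
        native = hklm_to_native(exc).upper()
        if key == native or key.startswith(native + "\\"):
            return "allow: excluded from Restricted Registry Keys"
    return "deny: Restricted Registry Keys"


def root_subkeys(events):
    """Immediate subkeys of HKLM seen in the events: input for the 'but not' list of HKLM Root Only."""
    names = set()
    for event in events:
        key = event["key"]
        if key.upper().startswith(HKLM_ROOT + "\\"):
            names.add(key[len(HKLM_ROOT) + 1:].split("\\")[0])
    return names


if __name__ == "__main__":
    parsed = [e for e in (parse_event(l) for l in SAMPLE_EVENTS) if e]
    for e in parsed:
        print(f"{e['user']:<14} {e['key']:<60} {classify(e)}")
    print("immediate subkeys seen under HKLM:", sorted(root_subkeys(parsed)))
```

Run it against an export of the agent's TESTMODE events before switching the module out of test mode; anything landing in the "deny" bucket is what the Restricted Registry Keys rule will actually block, and the subkey set is what to paste into the exclusion side of HKLM Root Only.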