The exceptions are based on several remote registry hardening documents I've reviewed. My list is actually longer, but I don't think it necessarily applies to your scenario.
If you have a DC, you'll notice that the domain machine accounts are accessing HKLM. This is necessary. An event looks like this:
TESTMODE: The process '<remote application>' (as user DOMAIN\MACHINE$) attempted to access the registry key '\REGISTRY\MACHINE' and value ''. The attempted access was an open (operation = OPEN/KEY). The operation would have been denied.
You can create a new module, and specify a User State Condition with a new set (I call mine Domain Computers). User matching will just be "*\*$" (without quotes). Or, you can find the specific SID that represents your Domain Computers, as it changes per domain (S-1-5-domain-515 where domain is a numeric ID). In this module create 1 rule that allows <Remote Clients> to access $All HKLM Keys.
The last suggestion is a quirky issue I don't think is specific to any one scenario. After I had all my default policies and exceptions in place, I was still hit with a read access to the root of HKLM by domain users. It looks something like this:
TESTMODE: The process '<remote application>' (as user domain\user) attempted to access the registry key '\REGISTRY\MACHINE' and value ''. The attempted access was an open (operation = OPEN/KEY). The operation would have been denied.
I can't pinpoint what causes this, but all my research shows it to be benign. With the way the RAC rules work, you can't create an exception just for the root of HKLM - there has to be at least one wildcard. After some digging I found that the subkeys immediately under the root are a short list. So now create a new registry set (I call mine HKLM Root Only):
Registry keys matching:
Now you can create your exception rule. I suggest putting it in its own module with a user state set of Users.
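Before switching the policy out of test mode, it helps to run the remaining TESTMODE events through a quick triage that tells you which of them the two exceptions above would already cover and which still need a look. The script below is an added example written for this post; it is not code from the post's author or from the Cisco Security Agent product. It assumes only the event text shape quoted above, and it treats the "*\*$" user pattern and the Domain Computers SID (the post's S-1-5-domain-515 shorthand, which in full is the S-1-5-21-X-Y-Z domain prefix followed by RID 515) as the two signatures of a machine account. The process path, domain name, account names and log lines are constructed samples, not captured data.

```python
"""Triage TESTMODE registry events against the two exceptions described above.

Added example for this post; not Cisco Security Agent code. Assumes only the
event text format quoted in the post. All sample lines below are constructed.
"""
import re

# Shape of the event text quoted in the post (process, user, key, value, operation).
EVENT_RE = re.compile(
    r"^TESTMODE: The process '(?P<process>[^']*)' \(as user (?P<user>[^)]*)\) "
    r"attempted to access the registry key '(?P<key>[^']*)' and value '(?P<value>[^']*)'\. "
    r"The attempted access was an? (?P<access>[a-z ]+?) \(operation = (?P<operation>[^)]*)\)\. "
    r"The operation would have been denied\.$"
)

# The "*\*$" user-state pattern from the post: DOMAIN\NAME ending in '$' (a machine account).
MACHINE_ACCOUNT_RE = re.compile(r"^[^\\]+\\[^\\]+\$$")

# Domain Computers group: the domain SID prefix S-1-5-21-X-Y-Z followed by RID 515.
DOMAIN_COMPUTERS_SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}-515$")

HKLM = r"\REGISTRY\MACHINE"

# Constructed sample events (process path, domain and accounts are placeholders).
_PROC = "C:\\example\\remoteapp.exe"
_TAIL = "The operation would have been denied."
SAMPLE_EVENTS = [
    f"TESTMODE: The process '{_PROC}' (as user CORP\\WKS01$) attempted to access the registry key "
    f"'\\REGISTRY\\MACHINE' and value ''. The attempted access was an open (operation = OPEN/KEY). {_TAIL}",
    f"TESTMODE: The process '{_PROC}' (as user corp\\jdoe) attempted to access the registry key "
    f"'\\REGISTRY\\MACHINE' and value ''. The attempted access was an open (operation = OPEN/KEY). {_TAIL}",
    f"TESTMODE: The process '{_PROC}' (as user corp\\jdoe) attempted to access the registry key "
    f"'\\REGISTRY\\MACHINE\\SOFTWARE\\Example' and value 'Setting'. The attempted access was a write "
    f"(operation = SET/VALUE). {_TAIL}",
    f"TESTMODE: The process '{_PROC}' (as user CORP\\WKS02$) attempted to access the registry key "
    f"'\\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet' and value ''. The attempted access was an open "
    f"(operation = OPEN/KEY). {_TAIL}",
    "not an event line at all",
]


def parse_event(line):
    """Return the event fields as a dict, or None if the line is not a TESTMODE event."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def is_domain_computers_sid(sid):
    """True for the well-known Domain Computers group SID of any domain."""
    return DOMAIN_COMPUTERS_SID_RE.match(sid) is not None


def classify(event):
    """Map one parsed event to the exception that would cover it, or 'review'."""
    key = event["key"].upper()
    under_hklm = key == HKLM or key.startswith(HKLM + "\\")
    if MACHINE_ACCOUNT_RE.match(event["user"]) and under_hklm:
        return "domain-computers"   # covered by <Remote Clients> -> $All HKLM Keys
    if key == HKLM and event["value"] == "" and event["operation"] == "OPEN/KEY":
        return "hklm-root-open"     # covered by the HKLM Root Only exception for Users
    return "review"                 # still a real would-be denial; look before leaving test mode


def triage(lines):
    """Count events per bucket so the 'review' pile can be inspected by hand."""
    counts = {"domain-computers": 0, "hklm-root-open": 0, "review": 0, "unparsed": 0}
    for line in lines:
        ev = parse_event(line)
        counts["unparsed" if ev is None else classify(ev)] += 1
    return counts


if __name__ == "__main__":
    for bucket, n in triage(SAMPLE_EVENTS).items():
        print(f"{bucket:16s} {n}")
```

The useful output is the "review" bucket: with the sample lines it holds the SET/VALUE write under HKLM\SOFTWARE, which neither exception would allow and which is exactly the kind of event you want to see before enforcement is turned on. Feed the script your exported test-mode events one per line and compare the counts against the rules you actually created.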