I created a rule that logs whenever changes are made to any registry key.
After a day, I'm looking at what was triggered and for the most part it's doing exactly what I wanted it to do. But I'm thinking I want to get more specific with this rule to cut out legit changes.
What I'm thinking is a rule that triggers when any registry change is made only by regedit, reg, and regedt32. But if I had some kind of trojan or worm accessing the registry, they don't necessarily use these files. So what else can I do?
The user base we're working with is such that we want to block any complicated sounding queries. As such, queries involving writing registry keys will probably be denied. However, if we set the rule to just deny the writing of keys, this will block several legit writes from IE and other applications. I will again attempt to see if this causes problems, but I believe it would.
I guess my question is how did the rest of the CSA admins protect the registry? Obviously allowing write access outright is not an option, but is there any way to selectively allow access to legit apps while blocking shady access?
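One way to think about the selective policy the post is asking for, as an added example that is not part of the original post and not a CSA rule: instead of a flat "only regedit, reg and regedt32 may write" rule, pair each known writer with the key prefixes it legitimately touches, and treat writes to persistence keys from anything else as the case worth alerting on. The log format (a CSV of time, process, key, action), the policy table and the sample events are all constructed for this example; the image paths and key prefixes are illustrative assumptions, not values from the post or from CSA.

```python
"""Triage registry-write events against a per-process allowlist.

Added example, not from the original post. Assumes a simplified, constructed
event format: time,process image path,registry key,action (one event per line).
"""
import csv
import io
from dataclasses import dataclass

# Hypothetical policy table: image path -> key prefixes that process may write.
# "*" means any key, which is what the interactive editors named in the post do.
ALLOWED_WRITERS = {
    r"c:\windows\regedit.exe": ("*",),
    r"c:\windows\system32\reg.exe": ("*",),
    r"c:\windows\system32\regedt32.exe": ("*",),
    # A browser legitimately writes to its own settings, not to autostart keys.
    r"c:\program files\internet explorer\iexplore.exe": (
        r"hkcu\software\microsoft\internet explorer",
        r"hkcu\software\microsoft\windows\currentversion\internet settings",
    ),
}

# Keys that matter most for monitoring (autostart and service definitions); a
# write here from an unlisted process is the event an admin wants to see first.
SENSITIVE_PREFIXES = (
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hkcu\software\microsoft\windows\currentversion\run",
    r"hklm\system\currentcontrolset\services",
)

# Constructed sample log (not real data) in the assumed CSV shape.
SAMPLE_LOG = """\
2009-03-02T09:12:01,C:\\Windows\\regedit.exe,HKCU\\Software\\Contoso\\Settings,write
2009-03-02T09:14:30,C:\\Program Files\\Internet Explorer\\iexplore.exe,HKCU\\Software\\Microsoft\\Internet Explorer\\Main,write
2009-03-02T09:15:02,C:\\Program Files\\Internet Explorer\\iexplore.exe,HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run,write
2009-03-02T09:20:45,C:\\Users\\bob\\AppData\\Local\\Temp\\updater.exe,HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,write
2009-03-02T09:22:10,C:\\Program Files\\Contoso\\app.exe,HKCU\\Software\\Contoso\\Settings,write
2009-03-02T09:25:00,C:\\Windows\\System32\\reg.exe,HKLM\\SYSTEM\\CurrentControlSet\\Services\\Foo,write
2009-03-02T09:30:00,C:\\Windows\\regedit.exe,HKCU\\Software\\Contoso\\Settings,read
"""


@dataclass(frozen=True)
class RegEvent:
    time: str
    process: str
    key: str
    action: str


def parse_log(text):
    """Parse the constructed CSV format into RegEvent records."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        time, process, key, action = row
        events.append(RegEvent(time, process, key, action))
    return events


def _under(key, prefix):
    """Case-insensitive 'key is prefix or lies beneath prefix' check."""
    k, p = key.lower(), prefix.lower()
    return k == p or k.startswith(p + "\\")


def classify(ev):
    """Return 'allow', 'review' or 'alert' for one event."""
    if ev.action.lower() != "write":
        return "allow"  # reads are out of scope for a write-monitoring rule
    sensitive = any(_under(ev.key, p) for p in SENSITIVE_PREFIXES)
    allowed = ALLOWED_WRITERS.get(ev.process.lower())
    if allowed is not None:
        if "*" in allowed:
            # An interactive editor may touch anything, but edits to
            # autostart/service keys are rare enough to be worth auditing.
            return "review" if sensitive else "allow"
        if any(_under(ev.key, p) for p in allowed):
            return "allow"
    # Unlisted process, or a listed one writing outside its scope.
    return "alert" if sensitive else "review"


def summarize(text):
    """Count events per verdict; this is what the rule would surface daily."""
    counts = {"allow": 0, "review": 0, "alert": 0}
    for ev in parse_log(text):
        counts[classify(ev)] += 1
    return counts


if __name__ == "__main__":
    for ev in parse_log(SAMPLE_LOG):
        print(f"{classify(ev):6} {ev.process} -> {ev.key}")
    print(summarize(SAMPLE_LOG))
```

The point of the (process, key-prefix) pairs is that a legitimate application such as IE gets its own writes allowed without being granted the blanket permission the interactive editors have, so the rule no longer fires on routine settings changes but still fires when the same application, or any unlisted one, writes to an autostart key. Matching on the image path alone is only as strong as the agent's ability to identify the writing process, which is the same gap the post raises about malware not using regedit; the verdicts here are meant to rank what an admin reviews, not to replace the enforcement rule.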