Abstract
This chapter contains registry tips that let you secure your
Windows NT system. You can monitor all the activities that
users can perform as well as limit who can view sensitive
information on your systems. The chapter also gives you
default values for permissions on your registry, so that as
you explore and modify, you will always have a reference point
to which you can return.
NT PERMISSIONS
Windows NT security is a popular topic of discussion these days. Setting
permissions on the registry keys below lets you set security as tightly or
as loosely as you need to.

For each of the keys listed below, set the following permission on the key
(in Regedt32.exe: select the key, then Security > Permissions):

| Group | Permission |
| Everyone | QueryValue, Enumerate Subkeys, Notify, Read Control |

This combination is the standard Read access to a key: Everyone can still
read values and enumerate subkeys, but can no longer create or change
values or subkeys and cannot change the key's permissions. Leave the other
entries on the key (typically Administrators, SYSTEM and CREATOR OWNER with
Full Control) unchanged; only the Everyone entry is being reduced. To see
the permissions that are already set, select the key in Regedt32.exe and
open the Security menu.
V-1
| Hive: | HKEY_LOCAL_MACHINE |
| Key: | Software\ |

I strongly recommend setting this permission: it determines who can install
software, because most installers write under this key. Apply it to the
Software key itself only; in Regedt32.exe leave "Replace Permission on
Existing Subkeys" unchecked. Locking the entire subtree can render some
software unusable, because many programs expect to write their own settings
under HKEY_LOCAL_MACHINE\Software while they run. The keys that should be
locked individually are listed next (V-2 through V-23); setting each one
separately lets you exert control over each software component without
locking the whole subtree.
| Entry | Hive | Key |
| V-2 | HKEY_LOCAL_MACHINE | Software\Microsoft\RPC |
| V-3 | HKEY_LOCAL_MACHINE | Software\Microsoft\Windows NT\CurrentVersion |
| V-4 | HKEY_LOCAL_MACHINE | Software\Microsoft\Windows NT\CurrentVersion\ProfileList |
| V-5 | HKEY_LOCAL_MACHINE | Software\Microsoft\Windows NT\CurrentVersion\AeDebug |
| V-6 | HKEY_LOCAL_MACHINE | Software\Microsoft\Windows NT\CurrentVersion\Compatibility |
| V-7 | HKEY_LOCAL_MACHINE | Software\Microsoft\Windows NT\CurrentVersion\Drivers |
| V-8 | HKEY_LOCAL_MACHINE | Software\Microsoft\Windows NT\CurrentVersion\Embedding |
| V-9 | HKEY_LOCAL_MACHINE | Software\Microsoft\Windows NT\CurrentVersion\Fonts |
| V-10 | HKEY_LOCAL_MACHINE | Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes |
| V-11 | HKEY_LOCAL_MACHINE | Software\Microsoft\Windows NT\CurrentVersion\Font Drivers |
| V-12 | HKEY_LOCAL_MACHINE | Software\Microsoft\Windows NT\CurrentVersion\Font Mapper |
| V-13 | HKEY_LOCAL_MACHINE | Software\Microsoft\Windows NT\CurrentVersion\Font Cache |
| V-14 | HKEY_LOCAL_MACHINE | Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize |
| V-15 | HKEY_LOCAL_MACHINE | Software\Microsoft\Windows NT\CurrentVersion\MCI |
| V-16 | HKEY_LOCAL_MACHINE | Software\Microsoft\Windows NT\CurrentVersion\MCI Extensions |
| V-17 | HKEY_LOCAL_MACHINE | Software\Microsoft\Windows NT\CurrentVersion\PerfLib |
| V-18 | HKEY_LOCAL_MACHINE | Software\Microsoft\Windows NT\CurrentVersion\Ports (and all subkeys) |
| V-19 | HKEY_LOCAL_MACHINE | Software\Microsoft\Windows NT\CurrentVersion\Type 1 Installer |
| V-20 | HKEY_LOCAL_MACHINE | Software\Microsoft\Windows NT\CurrentVersion\WOW (and all subkeys) |
| V-21 | HKEY_LOCAL_MACHINE | Software\Microsoft\Windows NT\CurrentVersion\Windows3.1MigrationStatus (and all subkeys) |
| V-22 | HKEY_LOCAL_MACHINE | System\CurrentControlSet\Services\LanmanServer\Shares |

Note that the key name is "Windows NT" with a space; a key typed as
"WindowsNT" does not exist and Regedt32.exe will not find it.

V-17 (PerfLib): if you remove the Read permissions for the Everyone group,
remote users cannot see performance data on the machine. Local Performance
Monitor sessions still need Read access to this key, so grant it to the
INTERACTIVE group (or to Administrators) rather than to Everyone.
V-23
| Hive: | HKEY_LOCAL_MACHINE |
| Key: | System\CurrentControlSet\Services\UPS |

Note that besides setting security on this key, you must also secure any
batch or command file the UPS service is configured to run: the UPS service
runs as SYSTEM, so whoever can edit that file runs code as SYSTEM when power
fails. Generally, if you allow Administrators Full Control and SYSTEM Full
Control on the key and on the file, everything should function normally.
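The check and fix described above, as an added example that is not code from the original chapter. It is written for Windows PowerShell 5.1 on a supported Windows version, where these keys still exist (on Windows NT 4 itself the same work is done by hand in Regedt32.exe); the script file name is an assumption. It reads the ACL of each key listed as V-1 through V-23, reports any Allow entry for Everyone that grants more than QueryValue, Enumerate Subkeys, Notify and Read Control, and with -Fix replaces Everyone's entries with exactly that set. The "(and all subkeys)" entries are walked key by key, and V-1 is kept this-key-only as the chapter advises.

```powershell
# Added example, not code from the original chapter: audit and, with -Fix, tighten
# the Everyone entry on the keys listed as V-1 through V-23. The chapter's
# "QueryValue, Enumerate Subkeys, Notify, Read Control" is exactly the KEY_READ mask
# (.NET RegistryRights.ReadKey), so any Allow entry for Everyone carrying bits outside
# ReadKey is a finding. Run from an elevated Windows PowerShell prompt:
#   .\Set-EveryoneRegistryRead.ps1         # report only   (file name is an assumption)
#   .\Set-EveryoneRegistryRead.ps1 -Fix    # report and repair
#Requires -RunAsAdministrator
param([switch]$Fix)

$Everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'   # by SID, so the account name's language does not matter
$ReadKey  = [System.Security.AccessControl.RegistryRights]::ReadKey
$NtCv     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

# Recurse marks the entries the chapter flags "(and all subkeys)". V-1 (HKLM:\SOFTWARE)
# is deliberately this-key-only, as the chapter advises.
$Keys = @(
    @{ Path = 'HKLM:\SOFTWARE';               Recurse = $false }   # V-1
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\RPC'; Recurse = $false }   # V-2
    @{ Path = $NtCv;                          Recurse = $false }   # V-3
)
foreach ($sub in 'ProfileList', 'AeDebug', 'Compatibility', 'Drivers', 'Embedding', 'Fonts',
                 'FontSubstitutes', 'Font Drivers', 'Font Mapper', 'Font Cache', 'GRE_Initialize',
                 'MCI', 'MCI Extensions', 'PerfLib', 'Type 1 Installer') {          # V-4..V-17, V-19
    $Keys += @{ Path = "$NtCv\$sub"; Recurse = $false }
}
foreach ($sub in 'Ports', 'WOW', 'Windows3.1MigrationStatus') {                     # V-18, V-20, V-21
    $Keys += @{ Path = "$NtCv\$sub"; Recurse = $true }
}
$Keys += @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares'; Recurse = $false }  # V-22
$Keys += @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\UPS';                 Recurse = $false }  # V-23

function Get-EveryoneAllowAces {
    param([System.Security.AccessControl.RegistrySecurity]$Acl)
    # Explicit and inherited Allow entries for Everyone, with identities resolved as SIDs.
    $Acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.IdentityReference -eq $Everyone }
}

function Get-ExcessRights {
    param([string]$Path)
    # Everyone entries that grant anything beyond ReadKey. Rights are masked as [int]
    # so generic-right bits (which show up as large or negative numbers) are caught too.
    Get-EveryoneAllowAces (Get-Acl -LiteralPath $Path) |
        Where-Object { ([int]$_.RegistryRights -band -bnot [int]$ReadKey) -ne 0 }
}

function Set-EveryoneReadOnly {
    param([string]$Path)
    $acl  = Get-Acl -LiteralPath $Path
    $aces = @(Get-EveryoneAllowAces $acl)
    if ($aces | Where-Object IsInherited) {
        # Inherited entries cannot be removed in place: stop inheriting, keep copies
        # of the inherited entries as explicit ones, then remove those copies.
        $acl.SetAccessRuleProtection($true, $true)
        $aces = @(Get-EveryoneAllowAces $acl)
    }
    foreach ($ace in $aces) { [void]$acl.RemoveAccessRuleSpecific($ace) }
    $acl.AddAccessRule([System.Security.AccessControl.RegistryAccessRule]::new(
        $Everyone, $ReadKey,
        [System.Security.AccessControl.InheritanceFlags]::None,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow))
    Set-Acl -LiteralPath $Path -AclObject $acl
}

$findings = 0
foreach ($entry in $Keys) {
    if (-not (Test-Path -LiteralPath $entry.Path)) { Write-Warning "not present: $($entry.Path)"; continue }
    $targets = @($entry.Path)
    if ($entry.Recurse) {
        $targets += Get-ChildItem -LiteralPath $entry.Path -Recurse -ErrorAction SilentlyContinue |
                    ForEach-Object { $_.PSPath }
    }
    foreach ($t in $targets) {
        $excess = @(Get-ExcessRights -Path $t)
        if ($excess.Count -eq 0) { continue }
        $findings++
        $excess | ForEach-Object { Write-Host ('FINDING {0}: Everyone has {1}' -f $t, $_.RegistryRights) }
        if ($Fix) { Set-EveryoneReadOnly -Path $t; Write-Host "FIXED   $t" }
    }
}
Write-Host "$findings key(s) grant Everyone more than read access"
```

Run it without -Fix first and read the findings: an Everyone entry that arrives by inheritance means the fix will break inheritance on that key (the script says so in a comment), which is the registry equivalent of the chapter's advice to set each key individually rather than propagating from the parent.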
EVENT LOG

By default, the Application and System logs can be read by anyone who can
reach the machine, including the Guest account and anonymous (null-session)
logons; you might not want everyone reading the information in your logs.
These registry entries restrict access to the logs for the Guest account and
null logons. A value of 1 restricts guest access and a value of 0 permits it.
Set the value for each log type: Application, Security and System. The
Security log already requires the Manage auditing and security log user
right to read, so the setting matters most for the Application and System
logs; setting all three keeps the configuration uniform.

| Entry | Hive | Key | Value Name | Data Type | Value |
| V-24 | HKEY_LOCAL_MACHINE | System\CurrentControlSet\Services\EventLog\Application | RestrictGuestAccess | REG_DWORD | 1 |
| V-25 | HKEY_LOCAL_MACHINE | System\CurrentControlSet\Services\EventLog\Security | RestrictGuestAccess | REG_DWORD | 1 |
| V-26 | HKEY_LOCAL_MACHINE | System\CurrentControlSet\Services\EventLog\System | RestrictGuestAccess | REG_DWORD | 1 |

V-24 controls guest access to the Application log, V-25 to the Security log
and V-26 to the System log. The value name is RestrictGuestAccess, spelled
exactly that way; a misspelled value name is simply ignored and the log
stays readable. Make sure you also change the permissions on these three
keys so that only Administrators and SYSTEM can change the values.
PRINT DRIVER INSTALLATION

| Entry | Hive | Key | Value Name | Data Type | Value |
| V-27 | HKEY_LOCAL_MACHINE | System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers | AddPrinterDrivers | REG_DWORD | 1 |

This value prevents ordinary users from installing printer drivers, and
therefore from adding a printer that needs a new driver, on the local
machine; only administrative users can do so. It does not prevent users from
connecting to printers shared on the network.
REMOVABLE MEDIA

V-28 This registry entry restricts access to the floppy disk drives on a
system to the user who is logged on interactively: while that user is logged
on, the drives are allocated to that session, and other processes (services
running as other accounts, and remote users) cannot read the media.

| Hive: | HKEY_LOCAL_MACHINE |
| Key: | SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon |

Add the following value under the Winlogon key:

| Value Name: | AllocateFloppies |
| Data Type: | REG_SZ |
| Value: | 1 |

V-29 You can restrict the CD-ROM drives the same way.

| Hive: | HKEY_LOCAL_MACHINE |
| Key: | SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon |

Add the following value under the Winlogon key:

| Value Name: | AllocateCDRoms |
| Data Type: | REG_SZ |
| Value: | 1 |

If either of these entries does not exist or is set to anything other than 1,
all floppy and CD-ROM devices are available for shared use to all processes
on the system. Note the data type: create the value as a REG_SZ string
containing the character 1, as documented, not as a REG_DWORD. Note also
what the setting does not do: once the interactive user logs off the drives
are available again, and nothing stops the logged-on user from copying data
to or from the media.
AUDITING BASE SYSTEM OBJECTS

V-30 If you need to audit the base system objects (kernel objects such as
mutexes, events and semaphores) on your Windows NT Server or Workstation,
add the following registry value.

| Hive: | HKEY_LOCAL_MACHINE |
| Key: | System\CurrentControlSet\Control\Lsa |

Add the following value under the Lsa key:

| Value Name: | AuditBaseObjects |
| Data Type: | REG_DWORD |
| Value: | 1 |

The value is read at the next reboot, and auditing only begins once you turn
on the File and Object Access category in User Manager (Policies > Audit).
Expect a large volume of events: base objects are created and opened
constantly, so enable this only with a large Security log and a plan for
reviewing it.
FULL PRIVILEGE AUDITING

V-31 Not all privileges are audited by Windows NT by default, even with the
Use of User Rights category turned on. Adding this registry entry audits the
remaining privileges as well.

| Hive: | HKEY_LOCAL_MACHINE |
| Key: | System\CurrentControlSet\Control\Lsa |

Add the following value under the Lsa key:

| Value Name: | FullPrivilegeAuditing |
| Data Type: | REG_BINARY |
| Value: | 01 (a single byte) |

The additional privileges audited are Bypass traverse checking, Debug
programs, Create a token object, Replace a process level token, Generate
security audits, Back up files and directories, and Restore files and
directories. The backup and restore privileges are exercised for every file
a backup touches, so the Security log fills quickly once this is on; size
the log accordingly before enabling it.
SHUTDOWN ON FULL AUDIT LOG

V-32 If you monitor your logs closely, you may want to enable this feature.
When the Security log is full and an audit record cannot be written, Windows
NT halts with a STOP error (C0000244, Audit Failed). The registry value is
then set to 2, and when the system reboots only administrators can log on.
The administrator must archive and clear the Security log, reset the value
to 1 and reboot before other users can log on again. Two caveats: the log
only fills when its retention setting in Event Viewer is "Do Not Overwrite
Events" (with "Overwrite Events as Needed" the oldest entries are discarded
instead), and because any account that generates audited events can fill the
log, this setting turns a full log into a denial of service, so size the log
generously and watch it.

| Hive: | HKEY_LOCAL_MACHINE |
| Key: | System\CurrentControlSet\Control\Lsa |

Add the following value under the Lsa key:

| Value Name: | CrashOnAuditFail |
| Data Type: | REG_DWORD |
| Value: | 1 |
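The value-based settings from the EVENT LOG section through SHUTDOWN ON FULL AUDIT LOG (V-24 through V-32), checked and applied by one script, as an added example that is not code from the original chapter. It is written for Windows PowerShell 5.1 on a supported Windows version, where all of these values are still honored; the script file name and the archive path are assumptions, and wevtutil.exe (used to archive and clear the Security log) exists on Windows Vista and later only, so on Windows NT 4 that step is done in Event Viewer with Save As followed by Clear All Events. The check fails on a wrong data type as well as wrong data, which catches the two mistakes the chapter warns about: AllocateFloppies/AllocateCDRoms created as REG_DWORD instead of the REG_SZ string 1, and FullPrivilegeAuditing entered as a DWORD instead of the single REG_BINARY byte 01. It also recognises the CrashOnAuditFail = 2 state and, with -Fix, performs the recovery in the order the chapter gives: archive and clear the log first, then reset the value.

```powershell
# Added example, not code from the original chapter: check and, with -Fix, apply the
# value settings V-24 through V-32. Run from an elevated Windows PowerShell prompt:
#   .\Test-NtAuditValues.ps1        # report only   (file name is an assumption)
#   .\Test-NtAuditValues.ps1 -Fix   # repair; archives and clears the Security log
#                                   # first if CrashOnAuditFail has tripped to 2
#Requires -RunAsAdministrator
param(
    [switch]$Fix,
    [string]$SecurityLogArchive = "$env:SystemDrive\Security-$(Get-Date -Format yyyyMMdd-HHmmss).evtx"  # assumed path
)

$Lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
# Type is the registry value kind the chapter specifies; the check compares it too.
$Settings = @(
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Application'; Name = 'RestrictGuestAccess'; Type = 'DWord';  Data = 1 }   # V-24
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security';    Name = 'RestrictGuestAccess'; Type = 'DWord';  Data = 1 }   # V-25
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\System';      Name = 'RestrictGuestAccess'; Type = 'DWord';  Data = 1 }   # V-26
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers'; Name = 'AddPrinterDrivers'; Type = 'DWord'; Data = 1 }  # V-27
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';  Name = 'AllocateFloppies';    Type = 'String'; Data = '1' } # V-28
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';  Name = 'AllocateCDRoms';      Type = 'String'; Data = '1' } # V-29
    @{ Key = $Lsa; Name = 'AuditBaseObjects';      Type = 'DWord';  Data = 1 }            # V-30
    @{ Key = $Lsa; Name = 'FullPrivilegeAuditing'; Type = 'Binary'; Data = [byte[]]@(1) } # V-31: one byte, 01
    @{ Key = $Lsa; Name = 'CrashOnAuditFail';      Type = 'DWord';  Data = 1 }            # V-32
)

function Test-Setting {
    param([hashtable]$S)
    # Returns 'OK' or a short reason the value does not match the chapter.
    if (-not (Test-Path -LiteralPath $S.Key)) { return 'key missing' }
    $key = Get-Item -LiteralPath $S.Key
    if ($key.GetValueNames() -notcontains $S.Name) { return 'value missing' }
    $kind = $key.GetValueKind($S.Name).ToString()
    if ($kind -ne $S.Type) { return "wrong type: $kind, expected $($S.Type)" }
    $have = @($key.GetValue($S.Name)) -join ','   # DWord 1, String "1" and byte 01 all render as "1"
    $want = @($S.Data) -join ','
    if ($have -ne $want) { return "wrong data: $have, expected $want" }
    return 'OK'
}

function Set-Setting {
    param([hashtable]$S)
    if (-not (Test-Path -LiteralPath $S.Key)) { New-Item -Path $S.Key -Force | Out-Null }
    # Remove first so a value of the wrong type is replaced rather than merely updated.
    Remove-ItemProperty -LiteralPath $S.Key -Name $S.Name -ErrorAction SilentlyContinue
    New-ItemProperty -LiteralPath $S.Key -Name $S.Name -PropertyType $S.Type -Value $S.Data | Out-Null
}

function Test-CrashOnAuditFailTripped {
    # Windows sets CrashOnAuditFail to 2 after halting on a full Security log;
    # until it is reset only administrators can log on.
    $v = (Get-ItemProperty -LiteralPath $Lsa -Name CrashOnAuditFail -ErrorAction SilentlyContinue).CrashOnAuditFail
    return ($null -ne $v -and [int]$v -eq 2)
}

function Repair-CrashOnAuditFail {
    param([string]$Archive)
    # Archive, then clear, the Security log before resetting the value: resetting it
    # while the log is still full would halt the system again on the next audit.
    & wevtutil.exe cl Security "/bu:$Archive"
    if ($LASTEXITCODE -ne 0) { throw "wevtutil failed to archive the Security log to $Archive" }
    Set-ItemProperty -LiteralPath $Lsa -Name CrashOnAuditFail -Value 1 -Type DWord
}

if (Test-CrashOnAuditFailTripped) {
    Write-Warning 'CrashOnAuditFail is 2: the system halted on a full Security log; only administrators can log on.'
    if ($Fix) {
        Repair-CrashOnAuditFail -Archive $SecurityLogArchive
        Write-Host "Security log archived to $SecurityLogArchive and cleared; reboot required"
    }
}
foreach ($s in $Settings) {
    $result = Test-Setting $s
    $tag = if ($result -eq 'OK') { 'OK' } else { 'FINDING' }
    Write-Host ("{0,-8} {1}\{2}  {3}" -f $tag, $s.Key, $s.Name, $result)
    if ($Fix -and $result -ne 'OK') { Set-Setting $s; Write-Host "FIXED    $($s.Key)\$($s.Name)" }
}
if ($Fix) { Write-Host 'Reboot for the Lsa and Winlogon values to take effect.' }
```

The script does not touch the Security log's retention setting or size; before enabling CrashOnAuditFail, set those in Event Viewer (or, on later Windows, with wevtutil sl) so that the log is large and set not to overwrite, otherwise the halt the chapter describes either never happens or happens far too often.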