Methods of Restricting Registry Access, part 4

Shared by: Nghia Tuan | Date: | File type: PDF | Pages: 6

/log log_filename - specifies a file in which to log the status of the import process. If not specified, the import-processing information is logged in the scesrv.log file, which is located in the %windir%\security\logs directory.

/quiet - specifies that the import process should take place without prompting the user for any confirmation.

Secedit /export - allows you to export security settings stored in the database. The syntax of this command is:

    secedit /export /db db_filename [tablename] /cfg cfg_filename [/areas area1 area2...] [/log log_filename]

/db db_filename - specifies the database used to perform the security configuration.

/cfg cfg_filename - specifies a security template to export the database contents to.

tablename - specifies the table to export data from. If no argument is specified, the configuration table data is exported.

/areas - specifies the security areas to export. If this parameter is not specified, all security settings defined in the database are exported. To export specific areas, separate each area by a space. The following security areas can be exported:

    SECURITYPOLICY - Account Policies, Audit Policies, Event Log Settings and Security Options
    GROUP_MGMT     - Restricted Group settings
    USER_RIGHTS    - User Rights Assignment
    REGKEYS        - Registry Permissions
    FILESTORE      - File System permissions
    SERVICES       - System Service settings

/log log_filename - specifies a file in which to log the status of the export process. If not specified, the export-processing information is logged in the scesrv.log file, which is located in the %windir%\security\logs directory.

Secedit /generaterollback - allows you to generate a rollback template with respect to a configuration template. The syntax of this command is:

    secedit /generaterollback /cfg cfg_filename /rbk filename [/log log_filename] [/quiet]

/db db_filename - specifies the database used to perform the rollback.

/cfg cfg_filename - specifies the security template with respect to which a rollback template is generated. Security templates are created using the Security Templates snap-in.

/rbk filename - specifies the security template into which the rollback information is written. Security templates are created using the Security Templates snap-in.
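Before the remaining /generaterollback switches, an added PowerShell example (not code from the book) that strings the secedit.exe commands described here together: export the REGKEYS area, generate a rollback template, reapply the template's registry permissions with secedit /configure /areas REGKEYS, and schedule that reapply step with schtasks.exe as the following paragraphs describe. The database path, the working folder C:\SecTemplates and the template names are assumptions.

```powershell
# Added example, not code from the book. Assumptions: the default local security
# database, a working folder C:\SecTemplates and a template regperms.inf that
# holds the preferred registry permissions (built with the Security Templates snap-in).
$Db       = "$env:windir\security\database\secedit.sdb"
$Work     = 'C:\SecTemplates'
$Log      = "$Work\regperms.log"
$Template = "$Work\regperms.inf"
$Rollback = "$Work\regperms-rollback.inf"

New-Item -ItemType Directory -Path $Work -Force | Out-Null

function Invoke-Secedit {
    # Run secedit.exe with the given arguments; stop on a non-zero exit code
    # so a failed export or rollback generation is never followed by /configure.
    param([string[]]$Arguments)
    & secedit.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "secedit $($Arguments[0]) failed with exit code $LASTEXITCODE; see $Log"
    }
}

# 1. Export only the REGKEYS area of the database to a template, as a record of
#    the permissions in force before any change.
Invoke-Secedit @('/export', '/db', $Db, '/cfg', "$Work\regkeys-before.inf",
                 '/areas', 'REGKEYS', '/log', $Log)

# 2. Generate a rollback template for regperms.inf; applying the rollback
#    template later with /configure undoes step 3.
Invoke-Secedit @('/generaterollback', '/cfg', $Template, '/rbk', $Rollback,
                 '/log', $Log, '/quiet')

# 3. Apply a single node of the template: the registry permissions (REGKEYS).
Invoke-Secedit @('/configure', '/db', $Db, '/cfg', $Template,
                 '/areas', 'REGKEYS', '/log', $Log, '/quiet')

# 4. Schedule step 3 to run every day at 03:00 under the SYSTEM account (no
#    password needed), so drift in the registry ACLs is corrected automatically.
$Refresh = "secedit.exe /configure /db $Db /cfg $Template /areas REGKEYS /log $Log /quiet"
& schtasks.exe /create /tn 'Refresh Registry Permissions' /tr $Refresh /sc daily /st '03:00' /ru SYSTEM
```

The assumed paths contain no spaces on purpose: a path with spaces inside the /tr command string would need nested quoting that schtasks.exe handles differently across Windows versions.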
/log log_filename - specifies a file in which to log the status of the rollback process. If not specified, the rollback-processing information is logged in the Scesrv.log file, which is located in the %windir%\security\logs directory.

/quiet - specifies that the rollback process should take place without prompting the user for any confirmation.

In addition, secedit.exe can be used to apply a single node from a security template. Thus, to reapply your preferred file permissions, you can use a single command-line command; to reapply your preferred registry permissions, you can use another. Put both commands in a batch file or write a simple script, and you can reapply both file permissions and registry permissions across multiple servers. You can also use the scheduling service (schtasks.exe) to periodically refresh these settings without any replication burden. After testing the statements, schedule a periodic refresh by putting both commands (or the combined line) in a batch file. Test the batch file. If it succeeds, use the Task Scheduler or schtasks.exe to schedule the refresh. Table 9.1 explains the most useful schtasks.exe command-line switches; additional switches are available.

Table 9.1: The Switches for schtasks.exe

    Switch   Description
    /create  Create a task
    /tn      The name of the new task
    /tr      The name of the batch file or command to run
    /sc      When to schedule the repetitive event (once, every n times a month, every month, every n times a day, at this time every day, and so on)
    /d       Which day of the week; Monday is the default, so I could have left out this switch in the example; /d * runs the process every day
    /ru      Under whose authority; if a user account name is entered here (use the domainname\username format), the password is entered using the /rp switch; to use a local computer account use the \machine switch and \u and \p parameters (when the SYSTEM account is used, no password is entered)

The Most Important Registry Keys that Need Protection

Microsoft officially recommends that system administrators restrict user access to certain subkeys under HKEY_LOCAL_MACHINE\SOFTWARE. The purpose of this restriction is to prevent unauthorized access to the software settings.

Note: Microsoft officially recommends that system administrators restrict user access to the following registry keys: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion. For all earlier versions of Windows NT-based systems, including Windows 2000, it is recommended that you restrict the Everyone group (note that in Windows XP and Windows Server 2003 the Everyone group is restricted by default).

For the Everyone group, it is sufficient to have the Query Value, Enumerate Subkeys, Notify, and Read Control rights to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion registry key and to the following subkeys under this key: AeDebug, Compatibility, Drivers, Embedding, Font Drivers, FontCache, FontMapper, Fonts, FontSubstitutes, GRE_Initialize, MCI, MCI Extensions, Ports (and all its subkeys), Type 1 Installer, Windows 3.1 MigrationStatus (and all its subkeys), WOW (and all its subkeys). The same set of access rights (Query Value, Enumerate Subkeys, Notify, and Read Control) needs to be assigned to the Everyone group for the Uninstall, Run, and RunOnce subkeys under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion.

Microsoft also recommends that you restrict user access to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib key, which stores the data governing system performance. In Windows NT 4.0, the Everyone group has Read access to this key by default (it is recommended that you remove this group from the Perflib ACL). As shown in Fig. 9.15, in Windows Server 2003 the Everyone group has no access to this key by default.

Figure 9.15: Restricting access to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib registry key

The Everyone group has restricted access rights (only Query Value, Enumerate Subkeys, Notify, and Read Control) to other registry keys, including the HKEY_CLASSES_ROOT root key and all its subkeys, and the HKEY_USERS\.DEFAULT key. By protecting these keys, you protect important system settings from changes (for example, this prevents users from changing the filename extension associations or specifying new security settings for Internet Explorer).

Furthermore, it is necessary to restrict the Everyone group's access to keys such as HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UPS. The Everyone group needs only the following rights to these keys: Query Value, Enumerate Subkeys, Notify and Read Control. By setting these restrictions, you prevent unauthorized access to shared system resources and prevent the ImagePath setting under the UPS key from being used to start undesirable software. Only the operating system (System) and members of the Administrators group need Full Control access to these keys.

Finally, here is a tip that applies to all Windows NT-based systems. Pay close attention to the Run, RunOnce, and RunOnceEx registry keys under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion. For example, the system runs all the programs listed under the RunOnceEx key once, and then deletes the settings specifying the starting parameters for these programs. It is easy to see that these registry settings may allow users to run undesirable software on the local computer. Thus, Full Control access to these keys should be provided only to the operating system (System) and members of the Administrators group.

The registry keys most often used for installing worms, viruses, and Trojans are listed below:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

Therefore, if you suspect that your computer is infected, these registry keys must be checked first. Furthermore, the list of such keys is constantly growing. Recently, the following keys have been added to it:

    HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths
    HKLM\Software\Microsoft\Windows\CurrentVersion\Controls Folder
    HKLM\Software\Microsoft\Windows\CurrentVersion\DeleteFiles
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer
    HKLM\Software\Microsoft\Windows\CurrentVersion\Extensions
    HKLM\Software\Microsoft\Windows\CurrentVersion\ExtShellViews
    HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage
    HKLM\Software\Microsoft\Windows\CurrentVersion\RenameFiles
    HKLM\Software\Microsoft\Windows\CurrentVersion\Setup
    HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDLLs
    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions
    HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Compatibility
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\drivers.desc
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32\0
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Embedding
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\MCI
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\MCI Extensions
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Ports
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\WOW

Note: It is necessary to mention one more registry key, which is also very important in terms of security. When you work with the Remote Access Service (RAS), the system sometimes displays dialogs prompting you to enter a login name and password. These dialogs often contain checkboxes that allow you to save the password (for example, Save This Password or Remember This Password). Although this feature is very convenient for end users, it can be very dangerous, because the passwords are stored in such a way that they can be easily retrieved by the system (and, for that matter, by anyone else). This is especially important for those of you working with laptops and other portable computers, because if your machine is lost or stolen, the person who finds (or steals) it will have access to all your networks. The easiest way to protect yourself against this risk is to disable the feature for saving RAS passwords on RAS clients. Open the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters key and add a REG_DWORD value named DisableSavePassword. Now the system won't prompt you to save your RAS password.
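The access-rights recommendation above (Everyone limited to Query Value, Enumerate Subkeys, Notify and Read Control on the protected keys) can be audited rather than trusted. The following added PowerShell example, not code from the book, walks the keys the chapter names and reports every Allow entry for Everyone that carries any right beyond those four; the function name is an assumption, and it must run in an elevated session.

```powershell
# Added example, not code from the book: find Everyone ACEs on the chapter's
# protected keys that grant more than Query Value, Enumerate Subkeys, Notify
# and Read Control. Key list taken from the chapter; function name assumed.
$R = [System.Security.AccessControl.RegistryRights]
# The four permitted rights; together they are exactly RegistryRights::ReadKey.
$AllowedMask = [int]($R::QueryValues -bor $R::EnumerateSubKeys -bor $R::Notify -bor $R::ReadPermissions)
$EveryoneSid = 'S-1-1-0'   # well-known SID, so the check does not depend on the localized name

$ProtectedKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares',
    'HKLM:\SYSTEM\CurrentControlSet\Services\UPS',
    'Registry::HKEY_CLASSES_ROOT',
    'Registry::HKEY_USERS\.DEFAULT'
)

function Find-ExcessiveEveryoneRights {
    param([string[]]$Keys, [int]$Allowed = $AllowedMask)
    foreach ($key in $Keys) {
        if (-not (Test-Path -Path $key)) { continue }   # e.g. no UPS service key on this host
        $acl = Get-Acl -Path $key
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            if ($sid -ne $EveryoneSid) { continue }
            # Any bit outside the allowed mask (SetValue, CreateSubKey, Delete, WriteKey,
            # FullControl, ...) is a right the chapter says Everyone should not hold.
            $excess = [int]$ace.RegistryRights -band (-bnot $Allowed)
            if ($excess -ne 0) {
                [pscustomobject]@{
                    Key         = $key
                    Inherited   = $ace.IsInherited
                    ExcessRight = [System.Security.AccessControl.RegistryRights]$excess
                }
            }
        }
    }
}

Find-ExcessiveEveryoneRights -Keys $ProtectedKeys | Format-Table -AutoSize
```

An empty result means every Everyone entry on those keys is within the chapter's recommended set; an inherited finding points at the parent key whose ACL needs correcting.

For the infection check the chapter recommends ("these registry keys must be checked first"), a second added PowerShell example, again not code from the book, enumerates every value under the autostart keys listed above, walks the numbered subkeys RunOnceEx uses, and reports whether the referenced executable can be found on disk or on the PATH. The function name is an assumption.

```powershell
# Added example, not code from the book: inventory the autostart keys the chapter
# lists as the ones most often abused by worms, viruses and Trojans.
# Key list taken from the chapter; function name assumed.
$AutostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'Registry::HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce'
)
# Properties Get-ItemProperty adds for its own bookkeeping; they are not registry values.
$ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-AutostartEntries {
    param([string[]]$Keys)
    foreach ($key in $Keys) {
        if (-not (Test-Path -Path $key)) { continue }   # RunServices* exist only on some systems
        # RunOnceEx stores its commands in numbered subkeys, so walk the key and everything below it.
        $nodes = @(Get-Item -Path $key) + @(Get-ChildItem -Path $key -Recurse -ErrorAction SilentlyContinue)
        foreach ($node in $nodes) {
            $props = Get-ItemProperty -Path $node.PSPath
            foreach ($prop in $props.PSObject.Properties) {
                if ($prop.Name -in $ProviderProps) { continue }
                $cmd = [string]$prop.Value
                # Expand %SystemRoot%-style variables and isolate the executable so it can be located.
                $expanded = [Environment]::ExpandEnvironmentVariables($cmd)
                $exe = if ($expanded -match '^\s*"([^"]+)"') { $Matches[1] } else { ($expanded -split '\s+')[0] }
                $found = [bool]$exe -and ((Test-Path -LiteralPath $exe) -or
                                          [bool](Get-Command -Name $exe -ErrorAction SilentlyContinue))
                [pscustomobject]@{
                    Key        = $node.PSPath -replace '^.*::', ''
                    Name       = $prop.Name
                    Command    = $cmd
                    ImageFound = $found
                }
            }
        }
    }
}

Get-AutostartEntries -Keys $AutostartKeys | Format-Table -AutoSize -Wrap
```

Entries whose image cannot be found, or whose command points outside the usual program directories, are the ones to review first; compare the list against a known-good export of the same keys where one exists.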