
Hardening Windows Registry

microsoft.public.windows.server.security
Posted by Will on August 2, 2006, 10:31 pm
Does Microsoft publish any documents that give an alternative for hardening
of the Windows 2000 or Windows 2003 registries? There are a lot of
default permissions with "Everyone" and I would like to tighten that up.

--
Will



Posted by Adam Joseph Cook on August 2, 2006, 10:51 pm
wrote:

>Does Microsoft publish any documents that give an alternative for hardening
>of the Windows 2000 or Windows 2003 registries? There are a lot of
>default permissions with "Everyone" and I would like to tighten that up.


Hey Will,

Whenever I fresh install a copy of Windows 2000/XP or Windows 2003
Server I always take a look at the NSA security guides. These are US
government approved policy settings for permissions regarding the
Windows registry and other security (logon, network, etc.) policies.
I have always been very happy with these security templates, but
always ALWAYS go over the documents and templates very carefully
before applying any of the security templates to your system. I usually
have to modify some of the settings to match my network setup. The
documents on the following link are worth a read to any security bound
user anyways.

Windows 2000 Professional:

http://www.nsa.gov/snac/downloads_win2000.cfm?MenuID=scg10.3.1.1

Windows 2003 Professional:

http://www.nsa.gov/snac/downloads_win2003.cfm?MenuID=scg10.3.1.1


I hope this helps.


--Adam Joseph Cook, Mechanical Engineer

Posted by karl levinson, mvp on August 3, 2006, 10:00 am


> Whenever I fresh install a copy of Windows 2000/XP or Windows 2003
> Server I always take a look at the NSA security guides.

> Windows 2000 Professional:
>
> http://www.nsa.gov/snac/downloads_win2000.cfm?MenuID=scg10.3.1.1
>
> Windows 2003 Professional:
>
> http://www.nsa.gov/snac/downloads_win2003.cfm?MenuID=scg10.3.1.1

I think you mean "Windows Server 2003."

Actually, starting with Windows XP and 2003, NSA no longer publishes their
own hardening guidance. What they've posted there is just the Microsoft
Windows 2003 Security Guide, and I'd recommend getting the latest version
directly from Microsoft instead of NSA: www.microsoft.com/technet/security
Also, when you download it from Microsoft, I think you get other stuff like
tools.

For Windows 2000, I absolutely agree that the NSA document is a good one.
I'd also consider downloading the Windows 2000 Security Guide at the above
link as well.




Posted by karl levinson, mvp on August 3, 2006, 10:10 am

> Does Microsoft publish any documents that give an alternative for
> hardening
> of the Windows 2000 or Windows 2003 registries? There are a lot of
> default permissions with "Everyone" and I would like to tighten that up.

I think you're trying to do something that most people do not do. The NSA
hardening guide for Windows 2000 suggests changing permissions on a few
registry values only, and I would agree with their recommendation. The
Windows 2003 defaults are very secure for most purposes. I'm not sure the
Microsoft Windows 2003 Security Guide recommends changing any of the default
registry permissions, and it was vetted by the NSA. Changing lots of
permissions increases your chance of problems, without necessarily
increasing security very much.

You might also want to look at these articles by Jesper Johansson and Steve
Riley, where they argue against the need to make a lot of registry tweaks:

www.microsoft.com/technet/community/columns/secmgmt/sm0305_2.mspx
www.microsoft.com/technet/community/columns/secmgmt/sm0405.mspx

I would assert that removing the "Everyone" group from registry primarily
affects locally logged in users, not remote attackers. On most servers like
Windows 2003 [that are not offering Terminal Services], the only people
logging in locally and/or have any access to the registry are going to be
Administrators already anyways. If you're trying to harden a system against
local privilege escalation by your authenticated users, there are guides out
there to direct you on that. I think it's pretty challenging to
successfully harden Windows 2000 against local privilege escalation,
especially where there are multiple users logging in.

Even though your normal users may be in the "everyone" group, I believe they
will not have remote access to the registry on your servers by default.

--
kind regards,
Karl Levinson, CISSP, CCSA, MCSE [MS MVP]
--------------------------------
Microsoft Security FAQ:
http://securityadmin.info
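
An added example, not part of any post in this thread: a read-only PowerShell check that lists which "Everyone" (SID S-1-1-0) allow entries on a few registry keys include write-type rights, the inventory worth having before tightening any default permission. The key list is an assumption chosen for illustration; the winreg key is included because its ACL is what governs remote registry access.

```powershell
# Added example: read-only audit of registry ACLs. It changes nothing.
# The key list is an assumption chosen for illustration; edit it to suit.
$keys = @(
    'HKLM:\SOFTWARE',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SYSTEM\CurrentControlSet\Services',
    # The ACL on this key governs who may open the registry remotely.
    'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
)

# Well-known SID for Everyone; matching on the SID avoids localized names.
$everyone = 'S-1-1-0'

# Rights that let a caller modify a key rather than only read it.
$named = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
# Inherit-only ACEs often carry raw generic bits instead of named rights:
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000).
$writeBits = [int]$named -bor 0x40000000 -bor 0x10000000

$findings = foreach ($key in $keys) {
    try {
        $acl = Get-Acl -Path $key -ErrorAction Stop
    } catch {
        Write-Warning "Cannot read ACL on ${key}: $($_.Exception.Message)"
        continue
    }
    # Explicit and inherited ACEs, with identities returned as SIDs.
    $rules = $acl.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -ne $everyone) { continue }
        if ($rule.AccessControlType -ne 'Allow') { continue }
        [pscustomobject]@{
            Key       = $key
            Rights    = $rule.RegistryRights
            CanWrite  = (([int]$rule.RegistryRights -band $writeBits) -ne 0)
            Inherited = $rule.IsInherited
        }
    }
}

# Write-capable entries first; read-only Everyone entries are listed for context.
$findings | Sort-Object CanWrite -Descending | Format-Table -AutoSize
```

Rows with CanWrite set to True are the ones to compare against a hardening guide; read-only entries for Everyone are the kind the replies above suggest leaving alone.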



Posted by Will on August 3, 2006, 6:15 pm


--
Will

>
> > Does Microsoft publish any documents that give an alternative for
> > hardening
> > of the Windows 2000 or Windows 2003 registries? There are a lot of
> > default permissions with "Everyone" and I would like to tighten that up.
>
> I think you're trying to do something that most people do not do. The NSA
> hardening guide for Windows 2000 suggests changing permissions on a few
> registry values only, and I would agree with their recommendation. The
> Windows 2003 defaults are very secure for most purposes. I'm not sure the
> Microsoft Windows 2003 Security Guide recommends changing any of the default
> registry permissions, and it was vetted by the NSA. Changing lots of
> permissions increases your chance of problems, without necessarily
> increasing security very much.
>
> You might also want to look at these articles by Jesper Johansson and Steve
> Riley, where they argue against the need to make a lot of registry tweaks:
>
> www.microsoft.com/technet/community/columns/secmgmt/sm0305_2.mspx
> www.microsoft.com/technet/community/columns/secmgmt/sm0405.mspx
>
> I would assert that removing the "Everyone" group from registry primarily
> affects locally logged in users, not remote attackers. On most servers like
> Windows 2003 [that are not offering Terminal Services], the only people
> logging in locally and/or have any access to the registry are going to be
> Administrators already anyways. If you're trying to harden a system against
> local privilege escalation by your authenticated users, there are guides out
> there to direct you on that. I think it's pretty challenging to
> successfully harden Windows 2000 against local privilege escalation,
> especially where there are multiple users logging in.
>
> Even though your normal users may be in the "everyone" group, I believe they
> will not have remote access to the registry on your servers by default.
>
> --
> kind regards,
> Karl Levinson, CISSP, CCSA, MCSE [MS MVP]
> --------------------------------
> Microsoft Security FAQ:
> http://securityadmin.info
>
>


