Tuesday, October 24, 2006

Changing Registry ACL's EnMasse

Securing the Windows 2000 Registry

Here is an interesting way to modify security permissions (ACL) on computer/servers through GPO policies.

Active Directory administrators that are using a group policy security template can add the following lines to their .inf template file:


[Registry Keys]

"CLASSES_ROOT",0,"D:PAR(A;CI;KA;;;BA)(A;CI;KR;;;AU)(A;CIIO;KA;;;CO)(A;CI;CCDCLCSWRPSDRC;;;PU)(A;CI;KA;;;SY)(A;CI;KR;;;BU)"
"MACHINE\SOFTWARE\Microsoft\OS/2 Subsystem for NT",0,"D:PAR(A;CI;KA;;;BA)(A;CIIO;KA;;;CO)(A;CI;KA;;;SY)"
"MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip",0,"D:AR(A;CI;KR;;;AU)"
"MACHINE\SYSTEM\CurrentControlSet\Services\EventLog",0,"D:AR(A;CI;KR;;;AU)"
"MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers",2,"D:PAR(A;CI;KA;;;BA)(A;CI;KR;;;AU)(A;CIIO;KA;;;CO)(A;CI;CCDCLCSWRPSDRC;;;PU)(A;CI;KA;;;SY)(A;CI;KR;;;BU)"
"MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions",0,"D:AR(A;CI;KR;;;AU)"
"MACHINE\SYSTEM\CurrentControlSet\Control\ContentIndex",0,"D:AR(A;CI;KR;;;AU)"
"MACHINE\SYSTEM\CurrentControlSet\Control\Computername",0,"D:AR(A;CI;KR;;;AU)"
"MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts",0,"D:AR(A;CI;KR;;;AU)"
"MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout",0,"D:AR(A;CI;KR;;;AU)"
"MACHINE\Software\Microsoft\Windows NT\CurrentVersion",0,"D:AR(A;CI;KR;;;AU)"
"MACHINE\SOFTWARE\Classes\.hlp",0,"D:PAR(A;CI;KA;;;BA)(A;CI;KR;;;AU)(A;CIIO;KA;;;CO)(A;CI;CCDCLCSWRPSDRC;;;PU)(A;CI;KA;;;SY)(A;CI;KR;;;BU)"
"MACHINE\SOFTWARE\Classes\helpfile",0,"D:PAR(A;CI;KA;;;BA)(A;CI;KR;;;AU)(A;CIIO;KA;;;CO)(A;CI;CCDCLCSWRPSDRC;;;PU)(A;CI;KA;;;SY)(A;CI;KR;;;BU)"
"MACHINE\Software\Classes",0,"D:AR(A;CI;KA;;;BA)(A;CI;KR;;;AU)(A;CIIO;KA;;;CO)(A;CI;CCDCLCSWRPSDRC;;;PU)(A;CI;KA;;;SY)(A;CI;KR;;;BU)"
"MACHINE\Software",0,"D:PAR(A;CI;KA;;;BA)(A;CIIO;KA;;;CO)(A;CI;CCDCLCSWRPSDRC;;;PU)(A;CI;KA;;;SY)(A;CI;KR;;;BU)"

We have some bad permission policies that were created when we still had Windows 98 and Windows NT. Back then, modifying the default permissions was a strong security stance but today it is giving us more grief than benefit. Especially since Microsoft has improved it's default configuration in regards to security.

We had an issue a few months ago when a Windows Update assumed that we had "Bypass Traverse checking" enabled for Everyone in secpol.msc. If you didn't have bypass traverse checking enabled for a user account, then you wouldn't see your desktop.

Automatically log off users


How to create an ADM file for winexit.scr


;; Remember in GPMC to go View->Filtering
;; and uncheck "Only show policy settings that can be fully managed"
;;
;; David Carlin (djc6@case.edu) 2/25/2005
;;
;; WINEXIT.SCR is located in the Windows Server 2003 Resource Kit

CLASS USER

CATEGORY !!Screen_Saver_Policy

POLICY !!TERMINATE_APPS
KEYNAME "Control Panel\Screen Saver.Logoff"
VALUENAME ForceLogoff
VALUEON "1" VALUEOFF "0"
END POLICY

POLICY !!COUNTDOWN_TIMEOUT
KEYNAME "Control Panel\Screen Saver.Logoff"
VALUENAME CountDownTimer
VALUEON "300"
END POLICY

POLICY !!ENTER_DIALOG_MESSAGE
KEYNAME "Control Panel\Screen Saver.Logoff"
PART !!ENTER_DIALOG_MESSAGE
EDITTEXT
DEFAULT !!DEFAULT_MESSAGE
VALUENAME DialogMessage
END PART
END POLICY

END CATEGORY

[strings]
Screen_Saver_Policy="Winexit.scr Policy settings"
TERMINATE_APPS="Terminate running applications"
COUNTDOWN_TIMEOUT="Enable 5 minute warning logoff notice"
ENTER_DIALOG_MESSAGE="Warning message about being logged off"
DEFAULT_MESSAGE="You are about to be logged out. Press the cancel button to stop this process."