You can protect a Windows registry entry, and so provide additional protection to Windows operations.
To protect a Windows registry entry
Note: Use the full registry path name to specify the key or value. You can use a wildcard to specify all sub-keys or sub-key values that are nested under a key.
The registry entry is now protected with the default access that CA ControlMinder provides for the record.
Example: Provide default access of NONE to a Registry Key
The following selang command provides default access of NONE to a registry key:
er REGKEY HKEY_LOCAL_MACHINE\SOFTWARE\Test\Key1 defacc(NONE) owner(nobody)
As a result, the default access to Key1 is as follows:
| Action | Systems earlier than Windows Server 2003 | Windows Server 2003 systems and later | Windows Server 2008 systems and later |
|---|---|---|---|
| Enumerate sub-keys | Deny | Deny | Deny |
| Query, modify, rename, or delete key | Deny | Deny | Deny |
| Load or unload hive to key | Deny | Deny | Deny |
| Enumerate values | Deny | Deny | Permit |
| Read, create, rename, or delete values | Deny | Permit | Permit |
| Enumerate sub-keys of sub-keys | Deny | Permit | Permit |
| Create sub-keys | Permit | Permit | Permit |
| Query, modify, rename, or delete sub-keys | Permit | Permit | Permit |
| Load or unload hive to sub-keys | Permit | Permit | Permit |
Example: Provide default access of READ to a Registry Key
The following selang command provides default READ access to a registry key:
er REGKEY HKEY_LOCAL_MACHINE\SOFTWARE\Test\Key1 defacc(READ) owner(nobody)
As a result, the default access to Key1 is as follows:
| Action | Systems earlier than Windows Server 2003 | Windows Server 2003 and later | Windows Server 2008 and later |
|---|---|---|---|
| Enumerate sub-keys | Permit | Permit | Permit |
| Read key | Permit | Permit | Permit |
| Modify, rename, or delete key | Deny | Deny | Deny |
| Load or unload hive to key | Deny | Deny | Deny |
| Enumerate values | Permit | Permit | Permit |
| Read values | Permit | Permit | Permit |
| Create, rename, or delete values | Deny | Permit | Permit |
| Enumerate sub-keys of sub-keys | Permit | Permit | Permit |
| Create sub-keys | Permit | Permit | Permit |
| Query, modify, rename, or delete sub-keys | Permit | Permit | Permit |
| Load or unload hive to sub-keys | Permit | Permit | Permit |
| Enumerate sub-key values | Permit | Permit | Permit |
| Create sub-key values | Permit | Permit | Permit |
Example: Provide default access of NONE to a Registry Key Wildcard
The following selang command provides default access of NONE to all subkeys in a registry key:
er REGKEY HKEY_LOCAL_MACHINE\SOFTWARE\Test\Key1\* defacc(NONE) owner(nobody)
The wildcard (*) does not apply to Key1, but to all subkeys of Key1; this means that any form of access is denied to all subkeys of Key1. Access is also denied to rename or delete Key1, due to the parent protection rule.
This command permits access to the values of Key1. The access to values of subkeys of Key1 (for example values of Key1\subkey1\) varies between different Windows systems:
Example: Provide default access of NONE to a Registry Value
The following selang command protects a specific registry value with access NONE on Windows Server 2003 and subsequent systems:
er REGVAL HKEY_LOCAL_MACHINE\SOFTWARE\TestKey\value1 defacc(NONE) owner(nobody)
Note: On Windows Server 2008 and subsequent systems, CA ControlMinder returns a value of REG_NONE if an accessor tries to access a protected registry value with access NONE. A value of REG_NONE confirms that a value is present but does not specify what the value is.
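A read-only probe for checking the resulting access from the accessor's side, so the outcome can be compared with the tables and the REG_NONE note above. This is an added example, not part of the original documentation or of CA ControlMinder; it uses the .NET Microsoft.Win32 registry classes from PowerShell. The helper names and the existence of the subkey1 sub-key are assumptions, and because the page does not say how a denial surfaces, any failure is reported with its message rather than interpreted.

```powershell
# Added example, not CA ControlMinder code. Run it as the accessor to be checked.
# Read-only: nothing is created, renamed, or deleted.
$Key       = 'SOFTWARE\Test\Key1'           # key from the REGKEY examples (under HKLM)
$SubKey    = 'SOFTWARE\Test\Key1\subkey1'   # assumed existing sub-key
$ValueKey  = 'SOFTWARE\TestKey'             # key holding the REGVAL example's value
$ValueName = 'value1'

function Open-HklmKey([string]$Path) {
    $k = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($Path)  # read-only handle
    if ($null -eq $k) { throw "Key not found: HKLM\$Path" }
    return $k
}

function Test-Probe([string]$Action, [scriptblock]$Probe) {
    try {
        [pscustomobject]@{ Action = $Action; Result = 'Succeeded'; Detail = [string](& $Probe) }
    } catch {
        # Reported as-is; a missing key lands here as well as a denied operation.
        [pscustomobject]@{ Action = $Action; Result = 'Failed'
                           Detail = $_.Exception.GetBaseException().Message }
    }
}

$results = @(
    Test-Probe 'Enumerate sub-keys' {
        $k = Open-HklmKey $Key
        try { "$($k.GetSubKeyNames().Length) sub-key(s)" } finally { $k.Close() }
    }
    Test-Probe 'Enumerate values' {
        $k = Open-HklmKey $Key
        try { "$($k.GetValueNames().Length) value(s)" } finally { $k.Close() }
    }
    Test-Probe 'Enumerate sub-keys of sub-keys' {
        $k = Open-HklmKey $SubKey
        try { "$($k.GetSubKeyNames().Length) sub-key(s)" } finally { $k.Close() }
    }
    Test-Probe 'Read protected value' {
        $k = Open-HklmKey $ValueKey
        try {
            $kind = $k.GetValueKind($ValueName)   # throws if the value does not exist
            # REG_NONE maps to RegistryValueKind.None; a value genuinely stored as REG_NONE looks the same.
            if ($kind -eq [Microsoft.Win32.RegistryValueKind]::None) { 'REG_NONE returned: value present, data not disclosed' }
            else { "data readable (kind $kind)" }
        } finally { $k.Close() }
    }
)
$results | Format-Table -AutoSize -Wrap
```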
Copyright © 2013 CA Technologies.
All rights reserved.