RE: Registry Lockdown

From: Ralph M. Los (ralph@boundariez.com)
Date: 01/21/02


Date: Mon, 21 Jan 2002 00:27:53 -0500
From: "Ralph M. Los" <ralph@boundariez.com>
To: "Chris Savage" <chris.savage@weblinkwireless.com>, "Darren W. MacDonald" <darrydoo@aci.on.ca>

Have any of you guys read last fall's Hacker's Quarterly? It describes
how to take down a Fortress 101. Just something you should know; the
script-kiddieZ *do* read that, you know.

Cheers,
  --rL

./
./
*-=-*-=-*-=-*-=-*-=-*-=-*-=-*-=-*-=-*-=-*-=-*-=-*-=-*-=-*-=-*
*-=- --rL \Ralph Los
*-=- \Information Security
*-=- \ralph@boundariez.com
*-=-*-=-*-=-*-=-*-=-*-=-*-=-*-=-*-=-*-=-*-=-*-=-*-=-*-=-*-=-*

::-----Original Message-----
::From: Chris Savage [mailto:chris.savage@weblinkwireless.com]
::Sent: Thursday, January 17, 2002 12:12 PM
::To: Darren W. MacDonald
::Cc: 'Nick Patellis'; focus-ms@securityfocus.com
::Subject: Re: Registry Lockdown
::
::
::Try Fortres Software Fortress 101. We use it at our school
::campuses to lock down computer labs for k-12 classes. Works
::like a charm. I rarely have to reload a computer anymore, and
::when I do it's usually due to a bad HD.
::
::"Darren W. MacDonald" wrote:
::>
::> To prevent users from updating HKCU, use mandatory user profiles -- I
::> know of no easier way.
::>
::> Have you examined your registry security to see where you're at
::> currently? DumpSec/DumpACL will do that for you. Then, close up as you
::> see fit, test, and open up as required. I can't really make specific
::> suggestions, as every environment is different.
::>
::> Are any of your users Power Users or local Admins? If so, you've got a
::> bit of work ahead of you, and local Admins can go in and change the
::> ACLs after taking ownership.
::>
::> This should be coupled with filesystem security (of course, users can
::> still throw apps in %TEMP%, or anywhere else they have write
::> access...). To prevent MSIs from running, use the MSI security
::> features via AD, policies, or registry settings, based on your
::> situation. See the Windows Installer SDK for details.
::>
::> Keep in mind that you'll never stop everything unless you specify
::> "approved applications" to run via policy or AD -- and this is just
::> ugly. There are lots of apps out there that don't use the registry,
::> just .INI files or their own proprietary settings file. Finally, lots
::> don't require setup to be run -- WinZip is an example of an app where
::> you can copy the folder to anywhere, run the executable, and it's
::> installed. <sigh>
::>
::> Good luck!
::>
::> HTH
::> Darren
::>
::> > -----Original Message-----
::> > From: Nick Patellis [mailto:npatellis@thefund.com]
::> > Sent: Wednesday, January 16, 2002 1:30 PM
::> > To: focus-ms@securityfocus.com
::> > Subject: Registry Lockdown
::> >
::> >
::> >
::> > We are researching locking down the registry (primarily
::> > HKEY_LOCAL_MACHINE) on our user Win2K desktops. I would like to get
::> > some feedback concerning others who may be doing this and which keys
::> > are being locked down. Our primary reason for this is to prevent
::> > unauthorized (MSI, web and home-grown) SW from being installed.
::> >
::> > Thanks
::
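The steps Darren describes (dump the current HKLM ACLs, find where low-privilege users can write, close those keys up, and turn off user-initiated MSI installs through policy) can be scripted. The block below is an added example written for this archive page, not code from any of the posters; it uses PowerShell, which did not exist on Windows 2000 (DumpSec and regedt32 were the tools of the day), so it is meant for the same job on a current Windows box. The key list, the principal list and the function names are illustrative assumptions; run it from an elevated shell.

```powershell
# Added example, not from the original thread. Assumes an elevated PowerShell
# session on Windows; the key list below is an illustrative sample, not a
# complete lockdown set.

# Autorun and service keys are a natural place to start an HKLM audit.
$KeysToAudit = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SYSTEM\CurrentControlSet\Services'
)

# Principals that should hold no write rights under HKLM on a locked-down desktop.
$LowPrivPrincipals = @(
    'BUILTIN\Users',
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these rights lets a caller change a key's contents or its ACL.
$WriteRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership, WriteKey'

# Step 1: report every Allow ACE that grants a low-privilege principal write access.
function Find-WeakRegistryAcl {
    param([string[]]$Paths = $KeysToAudit)
    foreach ($path in $Paths) {
        $acl = Get-Acl -Path $path
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if (($ace.RegistryRights -band $WriteRights) -ne 0) {
                [pscustomobject]@{
                    Key       = $path
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.RegistryRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Step 2: close one key up. Stop inheriting looser ACEs from the parent (keeping
# copies so nothing else changes), drop every ACE for the principal, and grant
# it ReadKey only. Local Admins can still take ownership and undo this, as
# Darren notes, so this only helps if users are not local Admins.
function Set-ReadOnlyForPrincipal {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Principal = 'BUILTIN\Users'
    )
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $true)
    $acl.PurgeAccessRules([System.Security.Principal.NTAccount]$Principal)
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $Principal,
        [System.Security.AccessControl.RegistryRights]::ReadKey,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Step 3: the Windows Installer policy Darren points at. DisableMSI under the
# Installer policy key takes 0 (always enabled), 1 (disabled for non-managed,
# i.e. user-initiated, installs) or 2 (Installer disabled entirely). 1 keeps
# admin-assigned packages working while blocking users' own MSIs.
function Set-MsiInstallPolicy {
    param([ValidateSet(0, 1, 2)][int]$DisableMsi = 1)
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    New-ItemProperty -Path $policyKey -Name 'DisableMSI' -PropertyType DWord `
        -Value $DisableMsi -Force | Out-Null
}

# Usage: audit first, review the output, then lock down and set the policy.
Find-WeakRegistryAcl | Format-Table -AutoSize
# Set-ReadOnlyForPrincipal -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
# Set-MsiInstallPolicy -DisableMsi 1
```

Run the audit and read its output before applying either of the write functions: a key where Users legitimately need SetValue (some older applications store per-machine state under HKLM) will break once it is read-only, which is the "close up, test, open up as required" loop Darren describes. The MSI policy is enforced by Windows Installer itself, so it does nothing against the copy-a-folder-and-run installs he mentions at the end.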