Re: Securing the Registry.
From: S. Pidgorny
Date: Tue, 25 Nov 2003 12:17:28 +1100
Yes. Also stop the Remote Registry service and use Syskey in password-protected
mode for further protection of the SAM (might cause problems with the hosting
company and their "passionate support"). Also use a firewall. And do not
--
Svyatoslav Pidgorny, MVP, MCSE
-= F1 is the key =-

"Stephen O'Sullivan" <steve@nospam_noway_dontyoudare.net> wrote in message news:#d5bjErsDHA.firstname.lastname@example.org...
> G'day forum,
>
> I've been ploughing through documents and whitepapers on how to secure your
> web server; the best resource of all was probably Improving Web Application
> Security - Threats and Countermeasures, an absolute bible for all ye web
> admins out there. Before you read the part I'm querying, I just want to
> double-check that I'm not missing anything. Your thoughts please :)
>
> On Chapter 16: Securing Your Web Server, page 449, the following:
>
> Step 9. Registry
> The registry is the repository for many vital server configuration settings.
> As such, you must ensure that only authorized administrators have access to
> it. If an attacker is able to edit the registry, he or she can reconfigure
> and compromise the security of your server.
>
> During this step, you:
>
> - Restrict remote administration of the registry.
> - Secure the SAM (stand-alone servers only).
>
> Restrict Remote Administration of the Registry
>
> The Winreg key determines whether registry keys are available for remote
> access. By default, this key is configured to prevent users from remotely
> viewing most keys in the registry, and only highly privileged users can
> modify it. On Windows 2000, remote registry access is restricted by default
> to members of the Administrators and Backup Operators groups. Administrators
> have full control and backup operators have read-only access.
>
> The associated permissions at the following registry location determine who
> can remotely access the registry.
>
> HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
>
> To view the permissions for this registry key, run Regedt32.exe, navigate to
> the key, and choose Permissions from the Security menu.
>
> Secure the SAM (Stand-alone Servers Only)
>
> Stand-alone servers store account names and one-way (non-reversible)
> password hashes (LMHash) in the local Security Account Manager (SAM)
> database. The SAM is part of the registry. Typically, only members of the
> Administrators group have access to the account information.
>
> Although the passwords are not actually stored in the SAM and password
> hashes are not reversible, if an attacker obtains a copy of the SAM
> database, the attacker can use brute force password techniques to obtain
> valid user names and passwords.
>
> Restrict LMHash storage in the SAM by creating the key (not value) NoLMHash
> in the registry as follows:
>
> HKLM\System\CurrentControlSet\Control\LSA\NoLMHash
>
> For more information, see Microsoft Knowledge Base article 299656, "New
> Registry Key to Remove LM Hashes from Active Directory and Security Account
> Manager."
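The registry checks discussed in this thread (Remote Registry service, winreg permissions, NoLMHash) together with the Syskey mode from the reply, as an added local audit script that is not part of the thread or of the book it quotes. It assumes from general Windows knowledge the service name RemoteRegistry, the Lsa SecureBoot value as the Syskey mode indicator, the LOCAL SERVICE read entry on winreg found on later Windows versions, and the NoLMHash DWORD value used by XP/2003 and later alongside the Windows 2000 key form the post describes.

```powershell
# Added example: audit the registry hardening points from the thread on the local host.
# Run from an elevated prompt; requires PowerShell 3.0+ for Get-CimInstance.
$winreg = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
$lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$findings = @()

# 1. Remote Registry service: the reply recommends stopping it (service name is assumed).
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='RemoteRegistry'"
if ($svc -and ($svc.State -eq 'Running' -or $svc.StartMode -ne 'Disabled')) {
    $findings += "RemoteRegistry is $($svc.State), start mode $($svc.StartMode); stop and disable it unless remote administration is required."
}

# 2. winreg ACL: only Administrators (full) and Backup Operators (read) are expected per the book;
#    LOCAL SERVICE read is the assumed default on later Windows versions. Adjust the allow-list to policy.
if (Test-Path $winreg) {
    $allowed = @('BUILTIN\Administrators', 'BUILTIN\Backup Operators', 'NT AUTHORITY\LOCAL SERVICE')
    foreach ($ace in (Get-Acl -Path $winreg).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and $allowed -notcontains $ace.IdentityReference.Value) {
            $findings += "winreg grants $($ace.RegistryRights) to unexpected principal $($ace.IdentityReference.Value)."
        }
    }
} else {
    $findings += 'winreg key is missing: remote registry access is not restricted by its ACL.'
}

# 3. LM hash storage: the post describes a NoLMHash *key* (Windows 2000); later versions use a
#    NoLMHash DWORD value (assumed) set to 1. Either form should be present.
$lmKeyPresent = Test-Path "$lsa\NoLMHash"
$lmValue = (Get-ItemProperty -Path $lsa -Name 'NoLMHash' -ErrorAction SilentlyContinue).NoLMHash
if (-not $lmKeyPresent -and $lmValue -ne 1) {
    $findings += 'NoLMHash is not configured: LM hashes will be stored at the next password change.'
}

# 4. Syskey mode (assumed SecureBoot semantics): 1 = key on local disk, 2 = startup password, 3 = removable media.
$secureBoot = (Get-ItemProperty -Path $lsa -Name 'SecureBoot' -ErrorAction SilentlyContinue).SecureBoot
if ($secureBoot -eq 1) {
    $findings += 'Syskey keeps its key on the local disk; the reply suggests password-protected mode.'
}

if ($findings.Count -eq 0) { 'No registry hardening gaps found.' } else { $findings }
```

Each finding maps back to one recommendation in the thread, so the output can be used as a checklist against the book's Step 9.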