Everhart, Glenn (FUSA)

From: Davis, Thomas R. [tdavis@indiana.edu]
Sent: Tuesday, April 13, 1999 3:38 PM
To: 'ntsecurity@iss.net'
Subject: [NTSEC] Restricting Registry Access

---------------------------------------------------------------------------

Greetings,

I have a question about the AllowedPaths key under
HKLM\System\CurrentControlSet\Control\SecurePipeServers\winreg (see
http://support.microsoft.com//support/kb/articles/q153/1/83.asp for the
gory details). It mentions in this article that the default data for the
Machine value is:

    System\CurrentControlSet\Control\ProductOptions
    System\CurrentControlSet\Control\Print\Printers
    System\CurrentControlSet\Services\Eventlog
    Software\Microsoft\Windows NT\CurrentVersion
    System\CurrentControlSet\Services\Replicator

In short, these provide a way to bypass the remote registry access
restriction placed on winreg as long as the permissions on these keys allow
the access.

I've been doing some investigation into what these are used for and why
they are included as defaults, and here's what I've come up with so far:

HKLM\System\CurrentControlSet\Control\Print\Printers
====================================================

It mentions in Microsoft KB article Q153183
http://support.microsoft.com/support/kb/articles/q153/1/83.asp that the
Spooler service needs access to this when connecting to a printer over the
network. I'm assuming that if the server doesn't have a network printer,
this entry in AllowedPaths should not be required.

HKLM\Software\Microsoft\Windows NT\CurrentVersion
=================================================

If the machine is set up to auto-logon (bad idea), then the username and
password are stored in this subkey. Since AllowedPaths gives Everyone
access by default, it would be exposing the username and password.
Haven't heard of a good reason why this should be listed in AllowedPaths
(yet).

HKLM\System\CurrentControlSet\Services\Replicator
=================================================

This would only need to be included in AllowedPaths if the server is using
Directory Replication to export files. There is a Microsoft KB article
Q168464 at http://support.microsoft.com/support/kb/articles/q168/4/64.asp
that makes explicit reference to this key.

- Anyone know why the other keys (ProductOptions and Eventlog) are listed
  by default?
- Anyone know why CurrentVersion is listed as a default, especially since
  there is a *remote* possibility of exposing a username and password?
- Anyone want to add anything to my observations above?

Thank you,

Tom Davis
IT Security Office
Indiana University
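The audit Tom describes by hand, as an added PowerShell example that is not part of the original post: it reads the winreg AllowedPaths\Machine value, compares it with the five defaults quoted above, reports which listed subtrees grant Allow rights to Everyone, Authenticated Users or Users (the ACL on the subtree is what decides whether the winreg bypass is usable), and checks the Winlogon auto-logon values (DefaultPassword under the CurrentVersion subtree, an assumption about the exact location the post does not name). It assumes local administrator rights to read HKLM and is meant to be run on the server being reviewed.

```powershell
# Added example, not from the original post. Audits the winreg AllowedPaths
# exception list described in the message above.
function Test-WinregAllowedPaths {
    $winreg = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
    # Default Machine value quoted in the post (from KB Q153183)
    $defaults = @(
        'System\CurrentControlSet\Control\ProductOptions',
        'System\CurrentControlSet\Control\Print\Printers',
        'System\CurrentControlSet\Services\Eventlog',
        'Software\Microsoft\Windows NT\CurrentVersion',
        'System\CurrentControlSet\Services\Replicator'
    )
    # Principals whose presence on a subtree ACL makes the bypass broadly usable
    $broad = 'Everyone|Authenticated Users|\\Users$'

    if (-not (Test-Path -LiteralPath $winreg)) {
        Write-Warning "winreg key missing: remote registry access is NOT restricted"
        return
    }
    # Machine is REG_MULTI_SZ, so PowerShell returns a string array
    $machine = (Get-ItemProperty -LiteralPath "$winreg\AllowedPaths" `
                -Name Machine -ErrorAction SilentlyContinue).Machine

    foreach ($p in @($machine)) {
        $full = "HKLM:\$p"
        $row = [ordered]@{
            Path      = $p
            IsDefault = $defaults -contains $p
            Exists    = Test-Path -LiteralPath $full
            BroadRead = @()
        }
        if ($row.Exists) {
            # Any Allow ACE for a broad principal on the subtree root
            $row.BroadRead = (Get-Acl -LiteralPath $full).Access |
                Where-Object { $_.AccessControlType -eq 'Allow' -and
                               $_.IdentityReference.Value -match $broad } |
                ForEach-Object { "$($_.IdentityReference): $($_.RegistryRights)" }
        }
        [pscustomobject]$row
    }

    # The concern raised in the post: auto-logon credentials under CurrentVersion
    # (assumed location: the standard Winlogon values)
    $wl = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' `
          -ErrorAction SilentlyContinue
    if ($wl.AutoAdminLogon -eq '1' -or $wl.PSObject.Properties['DefaultPassword']) {
        Write-Warning "Auto-logon configured; DefaultPassword would be readable via AllowedPaths"
    }
}

Test-WinregAllowedPaths | Format-Table -AutoSize
```

Any row whose Path is not in the defaults, or whose BroadRead column is non-empty, is the combination the post warns about: a subtree reachable remotely despite the winreg ACL, and readable by ordinary principals.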