Link to home
Start Free TrialLog in
Avatar of TheKenman
TheKenmanFlag for United States of America

asked on

How to lock-down the registry...

Mainly so webpages can't hijack your homepage, disable you from changing your homepage, or disable you from accessing your registry. Would prefer a .vbs solution.
Avatar of TheKenman
TheKenman
Flag of United States of America image

ASKER

P.S. Registry must still be accessible by adminstrator.
Use a policy:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gp/205.asp

...and write a script that will enable/disable the policy.
SOLUTION
Avatar of gemarti
gemarti
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Also, the professional version of AD-AWARE has a program called AD-WATCH. It doesn't stop a change to the registry, but it does tell you exactly where the change occurred.

Ad-aware : http://www.webattack.com/download/dladaware.shtml 
Those are decent suggestions for a home user, but in a corporate setting they are not feasible. Also the reason I would prefer a .vbs- so I can easily mass-deploy the solution.

Thanks though!
Well BlackICE comes in a Corporate level configuration.

The other option is the Policy that I suggested above.
ASKER CERTIFIED SOLUTION
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Locking down the registry completely can be a daunting task
http://www.uksecurityonline.com/husdg/windowsxp/registry.htm
or MS XP version http://support.microsoft.com/default.aspx?kbid=314837
Requires setting permissions on the registry key's themselves and can even lock user's out from installing software, depends on how many User's you have on your PC. I studied the above pages some time back and decided against it myself. I just keep mjy virus and firewall updated and have had no problem. I also use the above reg edit to prevent homepage changing. I keep that key in my fav's list in my JUmp2Reg program though just in case.

Bottom of the 1st page is this though;
Also if you have the Windows 2000/XP Resource Kit then you can consider using the SUBINACL command to just replace the EVERYONE group wherever it is found with Authenticated Users.
Thanks guys, sorry it took so long to get back to this.