Solved

How to lock-down the registry...

Posted on 2004-04-07
9
6,018 Views
Last Modified: 2008-01-16
Mainly so webpages can't hijack your homepage, disable you from changing your homepage, or disable you from accessing your registry. Would prefer a .vbs solution.
0
Comment
Question by:TheKenman
  • 4
  • 3
  • 2
9 Comments
 
LVL 7

Author Comment

by:TheKenman
Comment Utility
P.S. Registry must still be accessible by adminstrator.
0
 
LVL 21

Expert Comment

by:gemarti
Comment Utility
Use a policy:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gp/205.asp

...and write a script that will enable/disable the policy.
0
 
LVL 21

Assisted Solution

by:gemarti
gemarti earned 150 total points
Comment Utility
Okay...the first time I read this I really just looked at the title.

I would suggest that instead of writing a script I would purchase a piece of software that does this for you instead of trying to reinvent the wheel.

BlackICE is a very good application that will monitor your system for any attempted registry changes. You will be notified by a pop-up window when a change to the registry is attempted or if an unknow application trys to start up.
http://blackice.iss.net/
0
 
LVL 21

Expert Comment

by:gemarti
Comment Utility
Also, the professional version of AD-AWARE has a program called AD-WATCH. It doesn't stop a change to the registry, but it does tell you exactly where the change occurred.

Ad-aware : http://www.webattack.com/download/dladaware.shtml
0
What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 
LVL 7

Author Comment

by:TheKenman
Comment Utility
Those are decent suggestions for a home user, but in a corporate setting they are not feasible. Also the reason I would prefer a .vbs- so I can easily mass-deploy the solution.

Thanks though!
0
 
LVL 21

Expert Comment

by:gemarti
Comment Utility
Well BlackICE comes in a Corporate level configuration.

The other option is the Policy that I suggested above.
0
 
LVL 4

Accepted Solution

by:
Veegertx earned 350 total points
Comment Utility
Save all below to Enable Disable Homepage Change.vbs

'Enable Disable Homepage Change.vbs
'© Veegertx - 4/7/2004
'This code may be freely distributed/modified
Option Explicit
Dim WSHShell, RegKey, ValueA, Result
On Error Resume Next
Set WSHShell = CreateObject("WScript.Shell")
RegKey = "HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\"
ValueA = WSHShell.RegRead (regkey & "HomePage")

If ValueA = 0 Then 'Change Homepage is Enabled.
   Result = MsgBox("Ability to Change Homepage is currently [Enabled]." & _
        vbNewLine & "Would you like to Disable?" & _
        vbNewLine & "Will lock and Gray it out." & _
        vbNewLine & "May need to Log-off for effect.", 36)
   If Result = 6 Then 'clicked yes
      WSHShell.RegWrite regkey & "HomePage", 1
   End If
Else 'Change Homepage is Disabled
   Result = MsgBox("Ability to Change Homepage is currently [Disabled]." & _
        vbNewLine & "Would you like to Enable?", 36)
   If Result = 6 Then 'clicked yes
      WshShell.RegDelete "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\HomePage"
      'Delete Key cause it don't exist normally
   End If
End If
0
 
LVL 4

Expert Comment

by:Veegertx
Comment Utility
Locking down the registry completely can be a daunting task
http://www.uksecurityonline.com/husdg/windowsxp/registry.htm
or MS XP version http://support.microsoft.com/default.aspx?kbid=314837
Requires setting permissions on the registry key's themselves and can even lock user's out from installing software, depends on how many User's you have on your PC. I studied the above pages some time back and decided against it myself. I just keep mjy virus and firewall updated and have had no problem. I also use the above reg edit to prevent homepage changing. I keep that key in my fav's list in my JUmp2Reg program though just in case.

Bottom of the 1st page is this though;
Also if you have the Windows 2000/XP Resource Kit then you can consider using the SUBINACL command to just replace the EVERYONE group wherever it is found with Authenticated Users.
0
 
LVL 7

Author Comment

by:TheKenman
Comment Utility
Thanks guys, sorry it took so long to get back to this.
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Suggested Solutions

Most of the time we are in fix when all of sudden our systems behave weirdly.  Such problems cost time and effort... so it's best to take some preventive actions so that we can avoid such issues or overcome such problems more easily. Preventive M…
If your system is showing symptoms of browser hijacks or 'google search redirects' check out my other article (http://rdsrc.us/u3GP7A) first and run the tool TDSSKiller (http://rdsrc.us/GDBBs4) to get rid of the infection. Once done, and if the …
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
This tutorial demonstrates a quick way of adding group price to multiple Magento products.

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

7 Experts available now in Live!

Get 1:1 Help Now