Solved

Protecting Registry entries

Posted on 2011-09-19
11
294 Views
Last Modified: 2012-05-12
An application I am writing runs as a service on Windows Server 2008 and 2003 both 32 and 64 bit versions as well as on Windows 7 and Vista. I am trying to protect tampering of my application's registry entries by normal users and administrators alike and I use ACLs to achieve this.

So far I have been able to protect any tampering by normal users SID: S-1-5-32-545

What I would like to achieve is to allow Administrators(SID: S-1-3-0) the right to create the registry entries since the service is initially installed by an Administrator but disallow Administrators from either modifying or deleting any of the entries thereafter.
I understand Windows Vista has the Owner Rights SID which does not give an Administrator explicit rights to modify DACLs or ownership but I don't think I can use this.

Any help on how I can solve my problem?
0
Comment
Question by:trinitrotoluene
  • 6
  • 2
  • 2
  • +1
11 Comments
 
LVL 22

Expert Comment

by:Rick Hobbs
ID: 36568267
0
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 36569034
Fundamentally, an administrator can take ownership of any object and make any changes desired. A normal user would only have read access.
0
 
LVL 12

Author Comment

by:trinitrotoluene
ID: 36569943
thanks guys for the info!

rick : I have already had a look at that link.

kevin : so is there no way I can restrict an administrator to just read access after the installation?
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 42

Expert Comment

by:kevinhsieh
ID: 36570001
Well, you can change the permissions to just read, but an administrator can change them. You can have a separate service that just monitors the permissions (like some malware will do), but the administrator can take care of that as well if so inclined.
0
 
LVL 12

Author Comment

by:trinitrotoluene
ID: 36570732
my intent is to prevent an unscruplous administrator from deleting the entries. is there something akin to using the TrustedInstaller account?
0
 
LVL 12

Author Comment

by:trinitrotoluene
ID: 36571717
for eg. what I'm trying to do is reduce the damage an Administrator can do....say like remove just the "Change owner" access right or maybe remove just the "Modify DACL" access right.

Would this work?

0
 
LVL 12

Author Comment

by:trinitrotoluene
ID: 36571867
Here's what I tried.

I set a DENY on the WRITE_DAC for the Creator Owner SID and I did see that this permission did get set on the registry key which I am trying to protect. However I then logged in as the Administrator who and then went ahead and changed the Owner. Windows did not prevent me from changing the owner. All i got was a useless popup which said something to the effect of

"You can't view the permissions but you can change them"

Any ideas??
0
 
LVL 54

Accepted Solution

by:
McKnife earned 500 total points
ID: 36572189
Trinitro,

admins have the privilege to change the owner - you will not be able to change that.
If an admin cannot be trusted, don't make him an admin.
You can only use auditing to monitor changes/deletions. That way, changes get logged in the security event log and you could use an eventlog triggered task to reverse changes/deletions.

But really ask yourself why that person has admin rights in the first place.
0
 
LVL 12

Author Comment

by:trinitrotoluene
ID: 36591927
>>>You can only use auditing to monitor changes/deletions

this looks like a possible way to deter administrators. How do I enable auditing for administrators?
0
 
LVL 54

Expert Comment

by:McKnife
ID: 36592048
1) open a (test-) GPO and enter the computer config part ->Windows settings - sec. settings -> local policy ->audit policy ->audit object access ->select success or/and failure. Next, select the registry branch you would like to be monitored and rightclick it and select "permissions" ->advanced ->auditing. Now select what should be audited. Next, apply that policy to a test computer and try to change a key. It will of course still succeed if you are an admin but an event will get creatd at the local securioty event log.

Now you can setup event based tasks or event forwarding to alert yourself. I wrote "you could use an eventlog triggered task to reverse changes/deletions" - this is at possible, yes, but requires advanced scripting knowledge.
0
 
LVL 12

Author Closing Comment

by:trinitrotoluene
ID: 36901058
logical
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

New Windows 7 Installations take days for Windows-Updates to show up and install. This can easily be fixed. I have finally decided to write an article because this seems to get asked several times a day lately. This Article and the Links apply to…
This article explains how to install and use the NTBackup utility that comes with Windows Server.
This Micro Tutorial will give you a introduction in two parts how to utilize Windows Live Movie Maker to its maximum editing capability. This will be demonstrated using Windows Live Movie Maker on Windows 7 operating system.
The viewer will learn how to successfully create a multiboot device using the SARDU utility on Windows 7. Start the SARDU utility: Change the image directory to wherever you store your ISOs, this will prevent you from having 2 copies of an ISO wit…

816 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now