Solved

Protecting Registry entries

Posted on 2011-09-19
11
292 Views
Last Modified: 2012-05-12
An application I am writing runs as a service on Windows Server 2008 and 2003 both 32 and 64 bit versions as well as on Windows 7 and Vista. I am trying to protect tampering of my application's registry entries by normal users and administrators alike and I use ACLs to achieve this.

So far I have been able to protect any tampering by normal users SID: S-1-5-32-545

What I would like to achieve is to allow Administrators(SID: S-1-3-0) the right to create the registry entries since the service is initially installed by an Administrator but disallow Administrators from either modifying or deleting any of the entries thereafter.
I understand Windows Vista has the Owner Rights SID which does not give an Administrator explicit rights to modify DACLs or ownership but I don't think I can use this.

Any help on how I can solve my problem?
0
Comment
Question by:trinitrotoluene
  • 6
  • 2
  • 2
  • +1
11 Comments
 
LVL 22

Expert Comment

by:rickhobbs
Comment Utility
0
 
LVL 42

Expert Comment

by:kevinhsieh
Comment Utility
Fundamentally, an administrator can take ownership of any object and make any changes desired. A normal user would only have read access.
0
 
LVL 12

Author Comment

by:trinitrotoluene
Comment Utility
thanks guys for the info!

rick : I have already had a look at that link.

kevin : so is there no way I can restrict an administrator to just read access after the installation?
0
 
LVL 42

Expert Comment

by:kevinhsieh
Comment Utility
Well, you can change the permissions to just read, but an administrator can change them. You can have a separate service that just monitors the permissions (like some malware will do), but the administrator can take care of that as well if so inclined.
0
 
LVL 12

Author Comment

by:trinitrotoluene
Comment Utility
my intent is to prevent an unscruplous administrator from deleting the entries. is there something akin to using the TrustedInstaller account?
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 12

Author Comment

by:trinitrotoluene
Comment Utility
for eg. what I'm trying to do is reduce the damage an Administrator can do....say like remove just the "Change owner" access right or maybe remove just the "Modify DACL" access right.

Would this work?

0
 
LVL 12

Author Comment

by:trinitrotoluene
Comment Utility
Here's what I tried.

I set a DENY on the WRITE_DAC for the Creator Owner SID and I did see that this permission did get set on the registry key which I am trying to protect. However I then logged in as the Administrator who and then went ahead and changed the Owner. Windows did not prevent me from changing the owner. All i got was a useless popup which said something to the effect of

"You can't view the permissions but you can change them"

Any ideas??
0
 
LVL 53

Accepted Solution

by:
McKnife earned 500 total points
Comment Utility
Trinitro,

admins have the privilege to change the owner - you will not be able to change that.
If an admin cannot be trusted, don't make him an admin.
You can only use auditing to monitor changes/deletions. That way, changes get logged in the security event log and you could use an eventlog triggered task to reverse changes/deletions.

But really ask yourself why that person has admin rights in the first place.
0
 
LVL 12

Author Comment

by:trinitrotoluene
Comment Utility
>>>You can only use auditing to monitor changes/deletions

this looks like a possible way to deter administrators. How do I enable auditing for administrators?
0
 
LVL 53

Expert Comment

by:McKnife
Comment Utility
1) open a (test-) GPO and enter the computer config part ->Windows settings - sec. settings -> local policy ->audit policy ->audit object access ->select success or/and failure. Next, select the registry branch you would like to be monitored and rightclick it and select "permissions" ->advanced ->auditing. Now select what should be audited. Next, apply that policy to a test computer and try to change a key. It will of course still succeed if you are an admin but an event will get creatd at the local securioty event log.

Now you can setup event based tasks or event forwarding to alert yourself. I wrote "you could use an eventlog triggered task to reverse changes/deletions" - this is at possible, yes, but requires advanced scripting knowledge.
0
 
LVL 12

Author Closing Comment

by:trinitrotoluene
Comment Utility
logical
0

Featured Post

Get up to 2TB FREE CLOUD per backup license!

An exclusive Black Friday offer just for Expert Exchange audience! Buy any of our top-rated backup solutions & get up to 2TB free cloud per system! Perform local & cloud backup in the same step, and restore instantly—anytime, anywhere. Grab this deal now before it disappears!

Join & Write a Comment

Article by: Lee
Windows 7 Ultimate and Enterprise (and 2008 R2) introduced a new feature you may not be aware of - Boot from VHD.   Boot from VHD (or what Microsoft refers to asNative Boot allows you to install Windows to a VHD (Virtual Hard Disk) file that is t…
You might have come across a situation when you have Exchange 2013 server in two different sites (Production and DR). After adding the Database copy in ECP console it displays Database copy status unknown for the DR exchange server. Issue is strange…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…
This Micro Tutorial will give you basic overview of the control panel section on Windows 7. It will depth in Network and Internet, Hardware and Sound, etc. This will be demonstrated using Windows 7 operating system.

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now