Protecting Registry entries

An application I am writing runs as a service on Windows Server 2008 and 2003 both 32 and 64 bit versions as well as on Windows 7 and Vista. I am trying to protect tampering of my application's registry entries by normal users and administrators alike and I use ACLs to achieve this.

So far I have been able to protect any tampering by normal users SID: S-1-5-32-545

What I would like to achieve is to allow Administrators(SID: S-1-3-0) the right to create the registry entries since the service is initially installed by an Administrator but disallow Administrators from either modifying or deleting any of the entries thereafter.
I understand Windows Vista has the Owner Rights SID which does not give an Administrator explicit rights to modify DACLs or ownership but I don't think I can use this.

Any help on how I can solve my problem?
LVL 12
trinitrotolueneDirector - Software EngineeringAsked:
Who is Participating?
 
McKnifeConnect With a Mentor Commented:
Trinitro,

admins have the privilege to change the owner - you will not be able to change that.
If an admin cannot be trusted, don't make him an admin.
You can only use auditing to monitor changes/deletions. That way, changes get logged in the security event log and you could use an eventlog triggered task to reverse changes/deletions.

But really ask yourself why that person has admin rights in the first place.
0
 
Rick HobbsRETIREDCommented:
0
 
kevinhsiehCommented:
Fundamentally, an administrator can take ownership of any object and make any changes desired. A normal user would only have read access.
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

 
trinitrotolueneDirector - Software EngineeringAuthor Commented:
thanks guys for the info!

rick : I have already had a look at that link.

kevin : so is there no way I can restrict an administrator to just read access after the installation?
0
 
kevinhsiehCommented:
Well, you can change the permissions to just read, but an administrator can change them. You can have a separate service that just monitors the permissions (like some malware will do), but the administrator can take care of that as well if so inclined.
0
 
trinitrotolueneDirector - Software EngineeringAuthor Commented:
my intent is to prevent an unscruplous administrator from deleting the entries. is there something akin to using the TrustedInstaller account?
0
 
trinitrotolueneDirector - Software EngineeringAuthor Commented:
for eg. what I'm trying to do is reduce the damage an Administrator can do....say like remove just the "Change owner" access right or maybe remove just the "Modify DACL" access right.

Would this work?

0
 
trinitrotolueneDirector - Software EngineeringAuthor Commented:
Here's what I tried.

I set a DENY on the WRITE_DAC for the Creator Owner SID and I did see that this permission did get set on the registry key which I am trying to protect. However I then logged in as the Administrator who and then went ahead and changed the Owner. Windows did not prevent me from changing the owner. All i got was a useless popup which said something to the effect of

"You can't view the permissions but you can change them"

Any ideas??
0
 
trinitrotolueneDirector - Software EngineeringAuthor Commented:
>>>You can only use auditing to monitor changes/deletions

this looks like a possible way to deter administrators. How do I enable auditing for administrators?
0
 
McKnifeCommented:
1) open a (test-) GPO and enter the computer config part ->Windows settings - sec. settings -> local policy ->audit policy ->audit object access ->select success or/and failure. Next, select the registry branch you would like to be monitored and rightclick it and select "permissions" ->advanced ->auditing. Now select what should be audited. Next, apply that policy to a test computer and try to change a key. It will of course still succeed if you are an admin but an event will get creatd at the local securioty event log.

Now you can setup event based tasks or event forwarding to alert yourself. I wrote "you could use an eventlog triggered task to reverse changes/deletions" - this is at possible, yes, but requires advanced scripting knowledge.
0
 
trinitrotolueneDirector - Software EngineeringAuthor Commented:
logical
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.