[Last Call] Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

Protecting Registry entries

Posted on 2011-09-19
11
Medium Priority
?
301 Views
Last Modified: 2012-05-12
An application I am writing runs as a service on Windows Server 2008 and 2003 both 32 and 64 bit versions as well as on Windows 7 and Vista. I am trying to protect tampering of my application's registry entries by normal users and administrators alike and I use ACLs to achieve this.

So far I have been able to protect any tampering by normal users SID: S-1-5-32-545

What I would like to achieve is to allow Administrators(SID: S-1-3-0) the right to create the registry entries since the service is initially installed by an Administrator but disallow Administrators from either modifying or deleting any of the entries thereafter.
I understand Windows Vista has the Owner Rights SID which does not give an Administrator explicit rights to modify DACLs or ownership but I don't think I can use this.

Any help on how I can solve my problem?
0
Comment
Question by:trinitrotoluene
  • 6
  • 2
  • 2
  • +1
11 Comments
 
LVL 22

Expert Comment

by:Rick Hobbs
ID: 36568267
0
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 36569034
Fundamentally, an administrator can take ownership of any object and make any changes desired. A normal user would only have read access.
0
 
LVL 12

Author Comment

by:trinitrotoluene
ID: 36569943
thanks guys for the info!

rick : I have already had a look at that link.

kevin : so is there no way I can restrict an administrator to just read access after the installation?
0
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

 
LVL 42

Expert Comment

by:kevinhsieh
ID: 36570001
Well, you can change the permissions to just read, but an administrator can change them. You can have a separate service that just monitors the permissions (like some malware will do), but the administrator can take care of that as well if so inclined.
0
 
LVL 12

Author Comment

by:trinitrotoluene
ID: 36570732
my intent is to prevent an unscruplous administrator from deleting the entries. is there something akin to using the TrustedInstaller account?
0
 
LVL 12

Author Comment

by:trinitrotoluene
ID: 36571717
for eg. what I'm trying to do is reduce the damage an Administrator can do....say like remove just the "Change owner" access right or maybe remove just the "Modify DACL" access right.

Would this work?

0
 
LVL 12

Author Comment

by:trinitrotoluene
ID: 36571867
Here's what I tried.

I set a DENY on the WRITE_DAC for the Creator Owner SID and I did see that this permission did get set on the registry key which I am trying to protect. However I then logged in as the Administrator who and then went ahead and changed the Owner. Windows did not prevent me from changing the owner. All i got was a useless popup which said something to the effect of

"You can't view the permissions but you can change them"

Any ideas??
0
 
LVL 57

Accepted Solution

by:
McKnife earned 2000 total points
ID: 36572189
Trinitro,

admins have the privilege to change the owner - you will not be able to change that.
If an admin cannot be trusted, don't make him an admin.
You can only use auditing to monitor changes/deletions. That way, changes get logged in the security event log and you could use an eventlog triggered task to reverse changes/deletions.

But really ask yourself why that person has admin rights in the first place.
0
 
LVL 12

Author Comment

by:trinitrotoluene
ID: 36591927
>>>You can only use auditing to monitor changes/deletions

this looks like a possible way to deter administrators. How do I enable auditing for administrators?
0
 
LVL 57

Expert Comment

by:McKnife
ID: 36592048
1) open a (test-) GPO and enter the computer config part ->Windows settings - sec. settings -> local policy ->audit policy ->audit object access ->select success or/and failure. Next, select the registry branch you would like to be monitored and rightclick it and select "permissions" ->advanced ->auditing. Now select what should be audited. Next, apply that policy to a test computer and try to change a key. It will of course still succeed if you are an admin but an event will get creatd at the local securioty event log.

Now you can setup event based tasks or event forwarding to alert yourself. I wrote "you could use an eventlog triggered task to reverse changes/deletions" - this is at possible, yes, but requires advanced scripting knowledge.
0
 
LVL 12

Author Closing Comment

by:trinitrotoluene
ID: 36901058
logical
0

Featured Post

[Webinar] Cloud and Mobile-First Strategy

Maybe you’ve fully adopted the cloud since the beginning. Or maybe you started with on-prem resources but are pursuing a “cloud and mobile first” strategy. Getting to that end state has its challenges. Discover how to build out a 100% cloud and mobile IT strategy in this webinar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
On some Windows 7 (SP1) computers, Windows Update becomes super slow even the computer is reasonably fast.  There's one solution that seemed to have worked well for me (after trying a few other suggested solutions).
This Micro Tutorial will give you a introduction in two parts how to utilize Windows Live Movie Maker to its maximum capability. This will be demonstrated using Windows Live Movie Maker on Windows 7 operating system.
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses

831 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question