Solved

Protecting Registry entries

Posted on 2011-09-19
11
295 Views
Last Modified: 2012-05-12
An application I am writing runs as a service on Windows Server 2008 and 2003 both 32 and 64 bit versions as well as on Windows 7 and Vista. I am trying to protect tampering of my application's registry entries by normal users and administrators alike and I use ACLs to achieve this.

So far I have been able to protect any tampering by normal users SID: S-1-5-32-545

What I would like to achieve is to allow Administrators(SID: S-1-3-0) the right to create the registry entries since the service is initially installed by an Administrator but disallow Administrators from either modifying or deleting any of the entries thereafter.
I understand Windows Vista has the Owner Rights SID which does not give an Administrator explicit rights to modify DACLs or ownership but I don't think I can use this.

Any help on how I can solve my problem?
0
Comment
Question by:trinitrotoluene
  • 6
  • 2
  • 2
  • +1
11 Comments
 
LVL 22

Expert Comment

by:Rick Hobbs
ID: 36568267
0
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 36569034
Fundamentally, an administrator can take ownership of any object and make any changes desired. A normal user would only have read access.
0
 
LVL 12

Author Comment

by:trinitrotoluene
ID: 36569943
thanks guys for the info!

rick : I have already had a look at that link.

kevin : so is there no way I can restrict an administrator to just read access after the installation?
0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 
LVL 42

Expert Comment

by:kevinhsieh
ID: 36570001
Well, you can change the permissions to just read, but an administrator can change them. You can have a separate service that just monitors the permissions (like some malware will do), but the administrator can take care of that as well if so inclined.
0
 
LVL 12

Author Comment

by:trinitrotoluene
ID: 36570732
my intent is to prevent an unscruplous administrator from deleting the entries. is there something akin to using the TrustedInstaller account?
0
 
LVL 12

Author Comment

by:trinitrotoluene
ID: 36571717
for eg. what I'm trying to do is reduce the damage an Administrator can do....say like remove just the "Change owner" access right or maybe remove just the "Modify DACL" access right.

Would this work?

0
 
LVL 12

Author Comment

by:trinitrotoluene
ID: 36571867
Here's what I tried.

I set a DENY on the WRITE_DAC for the Creator Owner SID and I did see that this permission did get set on the registry key which I am trying to protect. However I then logged in as the Administrator who and then went ahead and changed the Owner. Windows did not prevent me from changing the owner. All i got was a useless popup which said something to the effect of

"You can't view the permissions but you can change them"

Any ideas??
0
 
LVL 54

Accepted Solution

by:
McKnife earned 500 total points
ID: 36572189
Trinitro,

admins have the privilege to change the owner - you will not be able to change that.
If an admin cannot be trusted, don't make him an admin.
You can only use auditing to monitor changes/deletions. That way, changes get logged in the security event log and you could use an eventlog triggered task to reverse changes/deletions.

But really ask yourself why that person has admin rights in the first place.
0
 
LVL 12

Author Comment

by:trinitrotoluene
ID: 36591927
>>>You can only use auditing to monitor changes/deletions

this looks like a possible way to deter administrators. How do I enable auditing for administrators?
0
 
LVL 54

Expert Comment

by:McKnife
ID: 36592048
1) open a (test-) GPO and enter the computer config part ->Windows settings - sec. settings -> local policy ->audit policy ->audit object access ->select success or/and failure. Next, select the registry branch you would like to be monitored and rightclick it and select "permissions" ->advanced ->auditing. Now select what should be audited. Next, apply that policy to a test computer and try to change a key. It will of course still succeed if you are an admin but an event will get creatd at the local securioty event log.

Now you can setup event based tasks or event forwarding to alert yourself. I wrote "you could use an eventlog triggered task to reverse changes/deletions" - this is at possible, yes, but requires advanced scripting knowledge.
0
 
LVL 12

Author Closing Comment

by:trinitrotoluene
ID: 36901058
logical
0

Featured Post

NAS Cloud Backup Strategies

This article explains backup scenarios when using network storage. We review the so-called “3-2-1 strategy” and summarize the methods you can use to send NAS data to the cloud

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A safe way to clean winsxs folder from your windows server 2008 R2 editions
When you try to share a printer , you may receive one of the following error messages. Error message when you use the Add Printer Wizard to share a printer: Windows could not share your printer. Operation could not be completed (Error 0x000006…
This Micro Tutorial will give you a basic overview of Windows DVD Burner through its features and interface. This will be demonstrated using Windows 7 operating system.
The Task Scheduler is a powerful tool that is built into Windows. It allows you to schedule tasks (actions) on a recurring basis, such as hourly, daily, weekly, monthly, at log on, at startup, on idle, etc. This video Micro Tutorial is a brief intro…

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question