Read access only to Registry and servers

Our Infosec team is looking to have read only access to the C drive and registry of all our servers including the Domain Controllers. What is the best way to do this?

Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

By default, they have read access to the registry already (HKLM).  If they want read access to the user hives, that is much trickier.  An Administrative user will have read/write access to all the hive.  You would need to delegate access in AD to a specific group to grant them read access to the user hives (I haven't tested this).  This does require administrative access to get this remotely.  Theoretically, you may be able to set up powershell remoting for them that doesn't require administrative access, but that is not a simple task.  If this is purely an auditing type thing, you could theoretically set up a scheduled task to use reg.exe to dump the registry to a text file (it will be large) that they can examine at will.  

As for the C: drives, that is easy enough.  You can set up the servers to create a new share to the C: drive with read only access at the Share permission level for that group.  I would name it something like C_Audit$ (obvious what the purpose is, short to type, and "generally" hidden.

Windows 2012 offers the new-smbshare command to set this up.  (You can set this as a start up script in a GPO for the machines).
New-SMBShare -CachingMode None -Name C_Audit$ -Path C:\ -ReadAccess 'domain\infosecgroup'

Open in new window

If you don't want to have it as a startup script, you can run it one time by using the -CIMSession parameter followed by the name of the computer.  

If you don't have Win2012, then it is tougher, but absolutely doable.  For those older machines, you can use a startup script (a batch file/cmd file) (this also would work with 2012 and newer also).  As an administrator, you can also use psexec.exe or powershell remoting to do this also.

net share C_Audit$=c:\ /grant:<domain\infosecgroup>,read /cache:none

Open in new window


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
@Coralon, jJust granting read access to the share is will not be sufficient, there are NTFS permissions to be considered as well...

Rather than having direct read access, I would suggest using a product such as tripwire for monitoring changes,
Seth SimmonsSr. Systems AdministratorCommented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

-- Coralon (https:#a42454250)
-- ArneLovius (https:#a42454717)

If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

Experts-Exchange Cleanup Volunteer
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2012

From novice to tech pro — start learning today.