11-02-2005 06:05 AM - edited 03-10-2019 01:43 AM
has anyone seen the below before on a Windows Domain Controller.
TESTMODE: The process '<remote application>' (as user NT AUTHORITY\SYSTEM) attempted to access the registry key '\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName' and value ''. The attempted access was an open (operation = OPEN/KEY). The operation would have been denied.
11-02-2005 08:26 AM
I have not seen this on my domain controllers (Win2k3).
Do you have any other applications running (besides those specific to AD like DNS)?
11-21-2005 07:33 AM
I have seen a few variations of this, it seems to occur for us on print servers when printing to specific printers. The errors I've been seeing are:
TESTMODE: The process '
TESTMODE: The process '
TESTMODE: The process '
11-21-2005 10:15 AM
We're seeing the exact same thing. It's rule number 124 of the system hardening module which blocks all registry access from remote clients. We haven't yet been able to create an exception rule to allow this without allowing remote clients all access to the registry. If anyone has been able to create a exception rule please pass on the info.
Thanks,
Bill
11-22-2005 04:40 AM
I had the above event and i copied the policy rename the policy and disabled the event because it is a false positive.
11-22-2005 08:19 AM
Yeah, I guess technically you could call this a "false positive" although the rule is doing what it is set up to do. That is, block all remote clients from attempting to access the registry. I have a TAC case opened on this issue. CISCO pretty much suggests doing what I have already done. Disable this rule altogether. There are other rules in place that will block an attacker from writing to certain registry keys like HKLM/microsoft/software/windows/currentversion/run. Since this rule is part of the system hardening module you have to balance functionalilty with security. Although disabling this rule opens up security holes I don't think it's a major risk.
11-22-2005 01:27 PM
Since the server host is processing the print job or whatever it's doing for the remote client, there could be a local process you could use in a dynamic application class.
Then when the remote client process triggers the local process, an allow registry access rule could be used as an exception for those remote clients while denying all others.
Might be more trouble to investigate than it's worth but it would be interesting to find out.
Tom S
11-22-2005 03:48 PM
I've been e-mailing back and forth with TAC on this. From what I was told there is no way to determine exactly what application is attempting to access the registry. CSA only knows that it is a remote application but can't determine what the exact application is. In order to create an exception rule you would have to allow registry access to all remote clients. I've been told that this has been changed in CSA 5.0 which is scheduled to come out in the first quarter of 2006.
I'm curious though, would setting up an exception rule using a local process in a dynamic application class work if CSA is unable to determine what remote application is trying to access the registry? Would you still have to set up the exception rule to allow all remote clients access?
11-22-2005 05:01 PM
No, I don't think so. I think it would be feasable only if:
- there was a local process associated with the remote client access.
and
- it could distinguish which remote client was triggering the process.
That would be the tough investigative part.
I'm not sure it's savvy enough to do that and it sounds like you and they came to the same conclusion.
Tom S
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide