CSA and registry access

Zanne001
Level 1

We are still fine-tuning CSA prior to a rollout, and are having issues with CSA blocking all access to the registry on our servers. This is a learning curve for us, and we are still trying to determine why the machine account is modifying the registry on our servers (probably truly legit traffic, including auth to DCs). Has anyone seen this, and determined the majority of the requests to be legit? (This CSA purchase is the result of a nasty rootkit we had, and we cannot verify that all the reporting machines are 'clean'.) Any and all info regarding CSA would be appreciated.

TIA,

Suzanne

2 Replies

Patrick Laidlaw
Level 4

Suzanne

Unfortunately, without seeing what the event is, it's hard to say if it's valid or not. For the most part, a majority of your events are going to be valid and should be allowed; you just have to research what it's accessing in the Registry.

I've been a part of training several groups on how to tune and create rules. It's mostly a matter of looking into your software running and how it works. One of the groups I work with has a ton of in-house developed applications and has actually found CSA very useful in forcing their programmers to clean up the interactions.

Patrick

r-eastwood
Level 1

Suzanne, not sure if this will help or not. We had similar issues with almost all of our servers. CSA would detect different users accessing different registry keys. My guess is that you also don't have any "Wizard" options for creating allow rules. If you want to create an allow rule, you will need to do it manually. I have found that in many cases having CSA deny certain registry access doesn't always break anything. It's a lot of trial and error. I placed some of my servers in Protect mode and performed tests with my users to determine which registry alarms were real and which were not causing any problems. I know that's probably not the easiest way to address the situation, but maybe it will be helpful.