CSA: remote workstations try to access registry remotely

rnaydenov
Level 1

Hello,

This is what I see in a Windows 2000 domain on the domain controller itself:

The process '<remote application>' (as user MACHINE_ACCOUNT$) attempted to access the registry key '\REGISTRY\MACHINE' and value ''. The attempted access was an open (operation = OPEN/KEY). The operation would have been denied. Rule 124

Is there any way that I can get around this without disabling the rule (CSA 4.5.1-616)?

6 Replies

RichardSW
Level 1

In your rule, under "Attempt to write any of these registry entries", you will need to create a registry set variable if there isn't one already. Open the registry set variable (i.e. $All Registry Keys), and you'll see "Registry keys matching" set to some wildcarded string. Next to that in "but not:" add the string:

**\MACHINE\**

Is there a way that I can enable only read access?

What do you mean by only read access? Are you referring to whether it denies or not? I suppose you could, just change the action to Monitor.

If that's not what you mean, I will have to see more details about your rule, and you'll have to be more specific about what you want to accomplish.

Well I have asked this question before. When adding registry access control rule it is *always* for allowing *WRITE* access. Is there a way that one can allow only *READ* access?

Okay I understand what you're asking now. You want to place a restriction on the registry. So machines can access the registry but not make changes to any of it.

The answer is... there aren't specific options in the Registry access control rule to distinguish between changes, creates, deletes, and reads. The rule is simply there to protect a registry set from overall change. However, you can still accomplish what you're asking, by simply creating a rule with a Deny action for whatever your target set is. But keep in mind - the registry is used for some pretty weird stuff. For example I've seen backup software use the registry to store temp values during a backup. If you deny that write action, the backup software wouldn't work.

In your first post you asked about the Machine keys on a domain controller. If you stopped writes to this (made it Read Only) the DC would not function.

My personal preference is not to go overboard with registry access control rules. I started off monitoring the 4 main hives. It wasn't useful information, just a lot of white noise. So now I'm targeting very specific keys I know I don't want written to. Some of my rules include watching the Run keys and BHO keys. I could also get really locked down by restricting All Applications from writing to particular Software keys, except for the Software that owns the keys.

FYI - Check out Cisco BUG ID CSCsb02296. I've pasted the output of that bug below as I've had the same issue.

Symptom:

If a Registry Access Control rule is used to control the registry access from a Remote Client then Cisco Security Agent (CSA) cannot distinguish between a read operation and a write operation. Cisco Security Agent treats a remote client registry read operation as a remote client registry write operation.

Conditions:

This bug affects users running Cisco Security Agent Version 4.5.0.565 and deploying the Registry Access Control rule with Remote Clients.

Workaround:

None at this time; this is considered additional functionality to be added in a future release.
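The two replies above amount to a triage rule: a machine account (`...$`) opening a bare hive root from a remote client is the read/write-conflated noise described in CSCsb02296 and a candidate for the rule's "but not:" exclusion list, while opens of the Run and BHO keys are the signal worth keeping. The script below is an added example, not code from the thread or from Cisco, that applies that triage to CSA registry events. The first sample line is the event quoted in the original post; the other two are constructed to exercise the remaining buckets. The regex is an assumption that CSA formats every such event the way the quoted one is formatted, and the Run/RunOnce/Browser Helper Objects paths are the standard Windows locations of those keys written in CSA's `\REGISTRY\MACHINE` naming.

```python
"""Triage CSA registry-access events: separate remote machine-account hive
opens (the CSCsb02296 read/write ambiguity) from opens of keys worth watching."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Field layout taken from the event text quoted in the thread. That CSA
# formats every event this consistently is an assumption of this example.
EVENT_RE = re.compile(
    r"The process '(?P<process>[^']*)' \(as user (?P<user>[^)]*)\) "
    r"attempted to access the registry key '(?P<key>[^']*)' and value "
    r"'(?P<value>[^']*)'\. The attempted access was an? (?P<access>\w+) "
    r"\(operation = (?P<operation>[^)]*)\)\. The operation (?P<outcome>[^.]*)\. "
    r"Rule (?P<rule>\d+)"
)

# Hive roots in the kernel object-namespace form CSA uses (HKLM and HKU).
HIVE_ROOTS = {r"\registry\machine", r"\registry\user"}

# Keys the second reply recommends targeting instead of whole hives
# (standard Windows locations, lower-cased because registry paths are
# case-insensitive).
WATCHED_KEYS = (
    r"\registry\machine\software\microsoft\windows\currentversion\run",
    r"\registry\machine\software\microsoft\windows\currentversion\runonce",
    r"\registry\machine\software\microsoft\windows\currentversion\explorer"
    r"\browser helper objects",
)


@dataclass
class RegistryEvent:
    process: str
    user: str
    key: str
    value: str
    operation: str
    outcome: str
    rule: int
    category: str


def classify(user: str, key: str, operation: str) -> str:
    """Bucket an event.

    remote_hive_open: a machine account ($) opening a bare hive root. Per
        CSCsb02296 CSA cannot tell a remote read from a remote write here,
        so this is the noise the original post is about.
    watched_key: touches one of the keys worth restricting.
    other: everything else, left for manual review.
    """
    k = key.lower().rstrip("\\")
    if user.endswith("$") and k in HIVE_ROOTS and operation.upper() == "OPEN/KEY":
        return "remote_hive_open"
    if any(k == w or k.startswith(w + "\\") for w in WATCHED_KEYS):
        return "watched_key"
    return "other"


def parse_event(line: str) -> Optional[RegistryEvent]:
    m = EVENT_RE.search(line)
    if not m:
        return None
    f = m.groupdict()
    return RegistryEvent(
        process=f["process"], user=f["user"], key=f["key"], value=f["value"],
        operation=f["operation"], outcome=f["outcome"], rule=int(f["rule"]),
        category=classify(f["user"], f["key"], f["operation"]),
    )


def triage(lines: List[str]) -> Tuple[List[RegistryEvent], Counter, List[str]]:
    """Return (parsed events, per-category counts, hive roots to exclude)."""
    events = [e for e in (parse_event(ln) for ln in lines) if e is not None]
    counts = Counter(e.category for e in events)
    # Hive roots that appear only as remote machine-account opens are the
    # candidates for the rule's "but not:" exclusion list.
    noisy = sorted({e.key for e in events if e.category == "remote_hive_open"})
    return events, counts, noisy


# Constructed sample: line 1 is the event quoted in the original post;
# lines 2 and 3 are made up to exercise the other buckets.
SAMPLE_LINES = [
    "The process '<remote application>' (as user MACHINE_ACCOUNT$) attempted to "
    "access the registry key '\\REGISTRY\\MACHINE' and value ''. The attempted "
    "access was an open (operation = OPEN/KEY). The operation would have been "
    "denied. Rule 124",
    "The process 'C:\\Temp\\setup.exe' (as user CORP\\jsmith) attempted to access "
    "the registry key '\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\"
    "CurrentVersion\\Run' and value 'Updater'. The attempted access was an open "
    "(operation = OPEN/KEY). The operation would have been denied. Rule 124",
    "The process 'C:\\Backup\\bkp.exe' (as user NT AUTHORITY\\SYSTEM) attempted to "
    "access the registry key '\\REGISTRY\\MACHINE\\SOFTWARE\\BackupVendor\\Temp' "
    "and value 'JobState'. The attempted access was an open (operation = OPEN/KEY). "
    "The operation would have been denied. Rule 124",
]

if __name__ == "__main__":
    events, counts, noisy = triage(SAMPLE_LINES)
    for e in events:
        print(f"{e.category:17} {e.user:24} {e.key}")
    print(dict(counts), "exclude:", noisy)
```

Run it against an export of the agent's event log; anything in the `remote_hive_open` bucket is what the exclusion from the first reply suppresses, and the `watched_key` bucket is what is left once the rule is narrowed to specific keys. The third sample line is the backup-software case the second reply warns about: it lands in `other` precisely because a blanket deny on the hive would have broken it.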
