denying registry usage.

  • Thread starter Thread starter EDMS
  • Start date Start date
E

EDMS

Hi,

I am a software developer, I have developed a software with a seperate
software registration
process, which accesses the windows registry to input some details about the
software.

but some users complain that there registration process fails.

so I want to make an environment on my machine so that I cannot write to the
registry
how can I achieve this.

i know how to stop accessing the registry editors, but not how to stop
writing to it


thanks
 
If you log in as a limited user on XP and later (in its default install
condition)
you will only have write to areas where you should (the user account's
keys).
You should review the guidance for Windows application logo certification
as it details application installation and runtime behaviors that are
correct
for both registry and filesystem usage.
 
You can deny users access to regedit.exe and regedt32.exe, via NTFS file
permissions, via Group Policy, and/or via Software Restriction Policy [as
long as they are not in the local Administrators group on the computer].
However, they can still attempt to edit the registry by, say, copying
regedit.exe to a floppy disk and running it from there, or via other means.

If it is really important that these users absolutely not have the ability
to edit the registry, I think it would however be more secure to run
whatever program is trying to access the registry as a different user
account. For example, if only the installer needs to edit the registry just
once, then you could require someone log in as administrator to do the
install. Or, if the program needs to be able to edit the registry, you
could figure out a way for the program to run under a different account,
such as via a service account. If absolutely necessary, I suppose a RunAs
icon [set up so that the user does not need to know the admin password]
might be something to consider [doesn't sound very elegant or completely
secure, but I don't know your complete situation].

http://securityadmin.info/faq.asp#runas
 
However, they can still attempt to edit the registry by, say,
copying regedit.exe to a floppy disk and running it from there, or
via other means.
Click to expand...

Hash rules can take care of the floppy trick. :)

Adam
 
Hash rules can take care of the floppy trick. :)
Click to expand...

Yes, but then you can probably change the hash or use a different registry
editing tool. I also don't know whether SRP with enough hash rules to make
the system sufficiently secure would make the system run like a slug. I'm
pretty sure that collecting and setting up all those hash rules by yourself
for all the various versions out there, and adding new hashes as executables
are patched and re-released, would be a nightmare. Whitelisting executables
instead of blacklisting them would probably be easier and more secure, but
even that would be pretty intensive to administer month to month. Which is
why very few enterprises are using SRP or similar solutions. SRP is one of
those things that everyone suggests in a theoretical way but rarely ever use
in real life.
 
I think OP just needs to test with an environment that matches the
users reporting the issue with the installation.
My guess is prior tests as admin, users installing as users; or test
on W2k, users on XP, etc..
--
Roger Abell
Microsoft MVP (Windows Server: Security)


Karl Levinson said:
You can deny users access to regedit.exe and regedt32.exe, via NTFS file
permissions, via Group Policy, and/or via Software Restriction Policy [as
long as they are not in the local Administrators group on the computer].
However, they can still attempt to edit the registry by, say, copying
regedit.exe to a floppy disk and running it from there, or via other
means.

If it is really important that these users absolutely not have the ability
to edit the registry, I think it would however be more secure to run
whatever program is trying to access the registry as a different user
account. For example, if only the installer needs to edit the registry
just
once, then you could require someone log in as administrator to do the
install. Or, if the program needs to be able to edit the registry, you
could figure out a way for the program to run under a different account,
such as via a service account. If absolutely necessary, I suppose a RunAs
icon [set up so that the user does not need to know the admin password]
might be something to consider [doesn't sound very elegant or completely
secure, but I don't know your complete situation].

http://securityadmin.info/faq.asp#runas



EDMS said:
Hi,

I am a software developer, I have developed a software with a seperate
software registration
process, which accesses the windows registry to input some details about the
software.

but some users complain that there registration process fails.

so I want to make an environment on my machine so that I cannot write to the
registry
how can I achieve this.

i know how to stop accessing the registry editors, but not how to stop
writing to it


thanks
Click to expand...
Click to expand...
 
Back
Top