The Windows NT Registry

The Windows Registry is a repository of information about all aspects of the computer: software, hardware, peripherals, applications, operating system, and users. The Registry brings together information that was previously held in files like autoexec.bat, config.sys, and the various .INI files. Information in the Registry is spread over several hives (files) and can be edited using a utility called Regedit. You can start Regedit by selecting Start, Run and typing regedit in the Run window. Regedit has an Explorer-like interface, with the tree to the left and the data to the right, as shown in Figure 10.26. Data in the Registry is organized as key/value pairs. You can think of keys and subkeys like folders and subfolders, much like a file system structure. The final data item along the tree is known as a value. By double-clicking a value in the right pane, you can edit it.

Figure 10.26. Regedit and its Explorer-like interface.


The Registry stores a tremendous amount of information about the user, system, and computer, and it should be protected with the same vigilance as the file system. Windows NT's Registry is more secure by default than that of Windows 95/98, where the whole Registry lives in the system.dat and user.dat files with no access control. On Windows NT every key carries an access control list, so you can assign permissions to keys as you would to an NTFS volume: block general access, and grant full control only to the users or groups that must administer the Registry. The Registry corresponds to the system files listed in Table 10.4.

Table 10.4. Registry Paths

Hive Registry Path                 Hive File Path
HKEY_LOCAL_MACHINE\SYSTEM          winnt\system32\config\system
HKEY_LOCAL_MACHINE\SAM             winnt\system32\config\sam
HKEY_LOCAL_MACHINE\SECURITY        winnt\system32\config\security
HKEY_LOCAL_MACHINE\SOFTWARE        winnt\system32\config\software
HKEY_LOCAL_MACHINE\HARDWARE        Volatile hive (built at boot, no file on disk)
HKEY_LOCAL_MACHINE\SYSTEM\Clone    Volatile hive
HKEY_USERS\<user profile>          Profile, usually winnt\profiles\<username>\ntuser.dat
HKEY_USERS\.DEFAULT                winnt\system32\config\default
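As an added example that is not part of the book's text, the following PowerShell script verifies the hive-to-file mapping of Table 10.4 on a live machine by reading the kernel's hivelist key (HKLM\SYSTEM\CurrentControlSet\Control\hivelist, which records the backing file of every loaded hive and an empty string for volatile hives), and then checks the file ACL on the sam and security hive files, the two that hold password hashes and LSA secrets. It assumes PowerShell, so a Windows release later than NT 4 (the hive files and the hivelist key are unchanged), and an administrative session; the list of allowed accounts is an assumption you may need to extend for your build.

```powershell
# Added example, not code from the book. Assumes an administrative PowerShell
# session on a current Windows release; the registry paths date from NT 4.

function Get-LoadedHives {
    # The kernel keeps one value per loaded hive: name = \REGISTRY\..., data = NT path of the file.
    $hivelist = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\hivelist'
    $hivelist.PSObject.Properties |
        Where-Object { $_.Name -like '\REGISTRY\*' } |
        ForEach-Object {
            [pscustomobject]@{
                Hive = $_.Name
                # An empty string marks a volatile hive (HARDWARE, SYSTEM\Clone) with no backing file.
                File = if ($_.Value) { $_.Value } else { '(volatile, no file)' }
            }
        }
}

function Test-HiveFileAcl {
    param([string]$Path)
    # Accounts that legitimately need the hive file; any other Allow entry is a finding.
    # (Assumption: adjust if your build grants additional service accounts access.)
    $allowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    # Get-Acl needs only READ_CONTROL, which the kernel's exclusive open does not block.
    $acl = Get-Acl -LiteralPath $Path
    $findings = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and $allowed -notcontains $ace.IdentityReference.Value) {
            "{0} has {1} on {2}" -f $ace.IdentityReference, $ace.FileSystemRights, $Path
        }
    }
    return $findings
}

Get-LoadedHives | Format-Table -AutoSize

foreach ($hive in 'sam', 'security') {
    $file = Join-Path $env:SystemRoot "system32\config\$hive"
    $issues = Test-HiveFileAcl -Path $file
    if ($issues) { $issues } else { "OK: only SYSTEM and Administrators are granted access to $file" }
}
```

Run it from an elevated prompt; any account other than SYSTEM and Administrators appearing in the second part of the output means that account can copy the hive once it obtains a handle (for example through a volume shadow copy), which is exactly the exposure the file ACL is meant to prevent.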

Even with appropriate Registry permissions, other problems remain. At one point, hackers discovered a major security hole in the NT Registry: the keys that name programs or services to run automatically at startup or logon (the Run and RunOnce keys under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion). Under a default Windows NT Server installation all users could write to these keys, so an attacker with any account could arrange for a program of their own to run every time the server starts. Such a program might add an account, copy data elsewhere, or even format the drive. Table 10.5 lists Registry settings that add security to a default installation of Windows NT.

Table 10.5. Registry Security Settings

Remote Registry Access
  Key:   HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
  Value: The key must exist; its ACL decides which accounts may open the Registry remotely (grant Administrators only)

Legal Notice 1
  Key:   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption
  Value: "Legal Notice for All Users"

Legal Notice 2
  Key:   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText
  Value: "Warning: This system is to be used by authorized individuals only. By using this system you consent to be monitored for law enforcement and other purposes. Unauthorized use of this computer might be subject to criminal prosecution and penalties."

Last User Name
  Key:   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName
  Value: 1

Protect Event Logs
  Key:   HKLM\SYSTEM\CurrentControlSet\Services\EventLog\<Logname>\RestrictGuestAccess (one entry per log: Application, Security, System)
  Value: 1

Secure Print Drivers
  Key:   HKLM\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers
  Value: 1

Restrict Anonymous Login
  Key:   HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous
  Value: 1

Restrict Scheduled Commands 1
  Key:   HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SubmitControl
  Value: 0 (the default: only Administrators may submit AT jobs; 1 extends this to Server Operators)

Restrict Anonymous Registry Access
  Key:   HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\NullSessionPipes
  Value: Configure with authorized pipe names only

Restrict Scheduled Commands 2
  Key:   HKLM\SYSTEM\CurrentControlSet\Services\Schedule
  Value: Restrict the key's ACL to Administrators

Clear the Page File at Shutdown
  Key:   HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown
  Value: 1

Disable Default Shares
  Key:   HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareWks (AutoShareServer on Windows NT Server)
  Value: 0
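As an added example that is not part of the book's text, the following PowerShell script audits a machine against the numeric settings of Table 10.5 and then looks for the Run-key weakness described above, reporting every non-administrative account that can create subkeys or set values under the Run and RunOnce keys. It assumes PowerShell on a current Windows release (the key paths are unchanged since NT 4) and an administrative session; the list of accounts treated as trusted is an assumption, and the Legal Notice strings, the winreg and Schedule ACLs and NullSessionPipes are not covered because they are not single numeric values.

```powershell
# Added example, not code from the book. Assumes an administrative PowerShell
# session on a current Windows release. Expected values are the book's
# recommendations, not output captured from any real system.

$checks = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';                              Name = 'DontDisplayLastUserName';  Expected = 1 }
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                                               Name = 'RestrictAnonymous';        Expected = 1 }
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                                               Name = 'SubmitControl';            Expected = 0 }
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management';                 Name = 'ClearPageFileAtShutdown';  Expected = 1 }
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers';     Name = 'AddPrinterDrivers';        Expected = 1 }
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';                          Name = 'AutoShareServer';          Expected = 0 }
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';                          Name = 'AutoShareWks';             Expected = 0 }
)
# RestrictGuestAccess is set per log; the book writes the log name as a placeholder.
foreach ($log in 'Application', 'Security', 'System') {
    $checks += @{ Key = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$log"; Name = 'RestrictGuestAccess'; Expected = 1 }
}

function Test-HardeningValue {
    param([string]$Key, [string]$Name, [int]$Expected)
    if (-not (Test-Path -LiteralPath $Key)) {
        return "MISSING KEY   $Key"
    }
    # A missing value is reported separately: many of these settings have no default entry at all.
    $item = Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return "MISSING VALUE $Key\$Name (wanted $Expected)"
    }
    $actual = $item.$Name
    if ($actual -ne $Expected) {
        return "WEAK          $Key\$Name = $actual (wanted $Expected)"
    }
    return "OK            $Key\$Name = $actual"
}

function Get-RunKeyWriters {
    param([string]$Key)
    # Either right is enough to plant a program that runs at startup or logon.
    $writeRights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
                   [System.Security.AccessControl.RegistryRights]::CreateSubKey
    # Accounts expected to hold write access (assumption; extend for your build).
    $trusted = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER', 'NT SERVICE\TrustedInstaller'
    $acl = Get-Acl -LiteralPath $Key
    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and
            ([int]($ace.RegistryRights -band $writeRights)) -ne 0 -and
            $id -notin $trusted) {
            "{0} can write to {1} ({2})" -f $id, $Key, $ace.RegistryRights
        }
    }
}

foreach ($c in $checks) { Test-HardeningValue @c }

foreach ($run in 'Run', 'RunOnce') {
    $key = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\$run"
    $writers = Get-RunKeyWriters -Key $key
    if ($writers) { $writers } else { "OK            no non-administrator can write to $key" }
}
```

Treat every MISSING VALUE line as equivalent to WEAK: for most of these settings the absence of the value means the permissive default applies. The Run-key check reads only the Allow entries and ignores Deny entries, so a key protected by an explicit Deny will still be listed; review such cases by hand.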

Windows 2000 improves on Windows NT in this area as well. Many of the Microsoft security features described in earlier sections of this chapter also apply to Windows 2000. For example, the password, auditing, and NTFS recommendations from the Windows NT section should all be applied to Windows 2000 computers. In Windows 2000, reaching the password and audit settings is a bit different. To set these parameters, select Start, Control Panel, Administrative Tools, Local Security Policy (the console is titled Local Security Settings). From there, you can change the password, account lockout, and audit policies through the Account Policies and Local Policies nodes, using the same parameter values recommended for Windows NT.
