Re: securing HKLM


  • To: NTBUGTRAQLISTSERV.NTBUGTRAQ.COM
  • Subject: Re: securing HKLM
  • From: David Mahon <ddmn_ssTROI.CC.ROCHESTER.EDU>
  • Date: Tue, 17 Nov 1998 11:57:41 -0500
  • Approved-By: Russ.CooperRC.ON.CA
  • Comments: To: Benjamin Webb <benrwebbNETSCAPE.NET>
  • Importance: Normal
  • In-Reply-To: <19981117142119.18419.qmailwww0c.netaddress.usa.net>
  • Reply-To: David Mahon <ddmn_ssTROI.CC.ROCHESTER.EDU>
  • Sender: Windows NT BugTraq Mailing List <NTBUGTRAQLISTSERV.NTBUGTRAQ.COM>

>     When securing HKEY_LOCAL_MACHINE, one area that definitely needs attention
> is \software\classes (note: this is the same as editing HKEY_CLASSES_ROOT).

The only difficulty with securing this area as it should be (Read-only for
authenticated, local users) is that many programs are not Windows NT aware.

Many programs (including Netscape Navigator/Communicator 4.x, Office 97,
etc.) write to this area at startup.  Worse, they tend to either crash or
pop up weird messages.  When I secured HKLM, Netscape Navigator advised the
normal user account that it couldn't edit the registry - "try using
REGEDIT."

Considering I have people at the University of Rochester who are willing to
spend hours finding less-than-obvious loopholes in applications to run their
own programs, trojan horses, whatever, I don't want to give them ideas.

Thus, the registry must stay insecure for now.  Programmers need to get into
the habit of checking before writing (heck, I know I'm guilty of not doing
this).

Dave Mahon
CLARC PC Technical Assistant
University of Rochester
ddmn_sstroi.cc.rochester.edu
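
Added example, not part of the original message or thread: a PowerShell audit of the ACL on HKLM\Software\Classes that lists allow ACEs granting write access to principals outside a trusted list, which is the condition the "read-only for authenticated users" setting is meant to eliminate. The trusted principal names (English-locale spellings) and the function name Get-WritableAce are assumptions made for this illustration.

```powershell
# Added example: report ACEs on HKLM\Software\Classes that let
# non-administrative principals modify the key.
$keyPath = 'HKLM:\Software\Classes'

# Assumption: principals expected to hold write access. Adjust for your environment.
$trusted = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'CREATOR OWNER',
    'NT SERVICE\TrustedInstaller'
)

# Specific rights that change values, add or delete subkeys, or rewrite the ACL,
# plus the raw GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits that
# can appear on inherit-only ACEs instead of the specific rights.
$rr = [System.Security.AccessControl.RegistryRights]
$writeMask = [int]($rr::SetValue -bor $rr::CreateSubKey -bor $rr::Delete -bor
                   $rr::ChangePermissions -bor $rr::TakeOwnership) -bor
             0x40000000 -bor 0x10000000

function Get-WritableAce {
    param([string]$Path, [string[]]$TrustedPrincipals, [int]$Mask)

    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        # Deny ACEs restrict access; only allow ACEs can grant write.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($TrustedPrincipals -contains $ace.IdentityReference.Value) { continue }
        # Skip ACEs whose rights do not overlap the write mask (read-only grants).
        if (([int]$ace.RegistryRights -band $Mask) -eq 0) { continue }
        [pscustomobject]@{
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.RegistryRights
            Inherited = $ace.IsInherited
        }
    }
}

$findings = @(Get-WritableAce -Path $keyPath -TrustedPrincipals $trusted -Mask $writeMask)
if ($findings.Count -eq 0) {
    "No write access for non-trusted principals on $keyPath"
} else {
    $findings | Format-Table -AutoSize
}
```

Reading an ACL does not require write access to the key, so the audit can run before any permissions are changed.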

