
Regarding HKLM & Classes_Root


  • To: NTBUGTRAQLISTSERV.NTBUGTRAQ.COM
  • Subject: Regarding HKLM & Classes_Root
  • From: Eric Johnfelt <ejohnfelIC.SUNYSB.EDU>
  • Date: Sat, 21 Nov 1998 11:23:02 -0500
  • Approved-By: Russ.CooperRC.ON.CA
  • Reply-To: Eric Johnfelt <ejohnfelIC.SUNYSB.EDU>
  • Sender: Windows NT BugTraq Mailing List <NTBUGTRAQLISTSERV.NTBUGTRAQ.COM>

Hi All,

        I've had more than my share of problems with HKLM and the Classes_root
trees of the registry.

        A long time ago when the University I work for was paid a little
visit by some Microsoft Reps, among other things discussed was if there was
any fix for a small problem we had.

        In this case the students were renaming the desktop icons to all
kinds of things (mostly foul language). In particular, Network Neighborhood,
My Computer and Internet Explorer.

        For any of you who have experienced this, the official response from
the MS reps was, "We know this is an issue, there is no solution for this as
yet, we are working on it."

        To this day, there has been no forthcoming solution. That was a year
ago.

        The issue here is, these icons are not normal shortcuts. You can't
simply make them Everyone:Read. As Microsoft puts it... "They are in a
name space all their own..." which is supposed to give them some sort of
benefit, which to this day I do not comprehend.

        And where are the icons' names stored.... you guessed it...
HKLM\Software\Classes (or more specifically, HKCR).

        It occurs to me that the security in HKLM and HKCR is severely
lacking. I also can see that MS can't really dig itself out of this mess.
If users are allowed to install software or make changes to a workstation,
you will not be able to secure the entire HKLM or HKCR trees.

        Unless MS adopts a philosophy that only administrators and users
assigned to a special group can do that. Otherwise, it'll always be the
wild-wild-west in HKLM and HKCR.

        For those interested...

        At any rate, if you have the NT Workstation or Server resource kit,
the REGINI utility and the following file will fix the problem. These lines
will reset the entries to their defaults and then lock the strings so that
only the administrator can rename them.

        These have been tested on NT 4.0, NT 4.0 SP3, NT 4.0 SP3 & Hotfixes,
both IE 3.01 and IE 4.0x up to IE4.0x SP1. There have been no side effects
recorded in over a year of their use here.

<---- Cut Here ---->
\Registry\Machine\Software\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}[1 8 17]
    = REG_SZ "My Computer"
\Registry\Machine\Software\Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}[1 8 17]
    = REG_SZ "Network Neighborhood"
\Registry\Machine\Software\Classes\CLSID\{FBF23B42-E3F0-101B-8488-00AA003E56F8}[1 8 17]
    = REG_SZ "Internet Explorer"
<---- Cut here ---->

+->> Instructional Computing <<----------------------------------------------+
| Eric Johnfelt                      | Email : ejohnfelic.sunysb.edu        |
| PC-Specialist/NT Administrator     | Phone : (516) 632-9939                |
| Frank Melville Library Rm S-1460   | Fax   : (516) 632-9803                |
| Stony Brook, NY 11794              | Dept  : (516) 632-8050                |
+->> The State University of New York at Stony Brook <<----------------------+
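
The following is an added example, not part of the original post: a small Python reviewer that parses the REGINI file above and decodes its `[1 8 17]` ACL lists, so a script can be checked for non-administrator write access before it is applied. The code-to-principal table follows Microsoft's REGINI documentation (1 = Administrators Full, 8 = World Read, 17 = System Full); the names `parse_regini` and `non_admin_writers` are this example's own.

```python
import re

# REGINI ACL codes as listed in Microsoft's REGINI documentation (subset).
REGINI_ACL = {
    1: ("Administrators", "Full"), 2: ("Administrators", "Read"),
    3: ("Administrators", "Read+Write"), 4: ("Administrators", "Read+Write+Delete"),
    5: ("Creator", "Full"), 6: ("Creator", "Read+Write"),
    7: ("World", "Full"), 8: ("World", "Read"),
    9: ("World", "Read+Write"), 10: ("World", "Read+Write+Delete"),
    17: ("System", "Full"), 18: ("System", "Read+Write"), 19: ("System", "Read"),
}
KEY_LINE = re.compile(r"^(\\Registry\\\S.*?)\s*\[([\d\s]+)\]\s*$")
VALUE_LINE = re.compile(r'^\s+([^=]*?)\s*=\s*(REG_\w+)\s+"?(.*?)"?\s*$')

def parse_regini(text):
    """Return one dict per key line: path, decoded ACL, values set under it."""
    entries = []
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if m:
            codes = [int(c) for c in m.group(2).split()]
            # Codes outside the table are kept and marked unknown, not dropped.
            acl = [REGINI_ACL.get(c, ("code %d" % c, "unknown")) for c in codes]
            entries.append({"key": m.group(1), "acl": acl, "values": []})
            continue
        m = VALUE_LINE.match(line)
        if m and entries:
            # An empty name before "=" is the key's default value, as in the post.
            entries[-1]["values"].append((m.group(1) or "(Default)", m.group(2), m.group(3)))
    return entries

def non_admin_writers(entry):
    """Principals other than Administrators/System granted more than Read."""
    return [who for who, access in entry["acl"]
            if who not in ("Administrators", "System") and access != "Read"]

# The REGINI file from the post, embedded for offline use.
SCRIPT = r'''
\Registry\Machine\Software\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}[1 8 17]
    = REG_SZ "My Computer"
\Registry\Machine\Software\Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}[1 8 17]
    = REG_SZ "Network Neighborhood"
\Registry\Machine\Software\Classes\CLSID\{FBF23B42-E3F0-101B-8488-00AA003E56F8}[1 8 17]
    = REG_SZ "Internet Explorer"
'''

if __name__ == "__main__":
    for e in parse_regini(SCRIPT):
        status = "LOCKED" if not non_admin_writers(e) else "WRITABLE"
        print(status, e["values"], e["acl"])
```

Unknown ACL codes are reported as writers on purpose, so an unrecognised number fails the review instead of passing silently.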