Critical System Protection


how to block changes to a registry key?

  • 1.  how to block changes to a registry key?

    Posted May 19, 2009 10:41 AM
    Hi, I am having some difficulty blocking changes to a registry key.

    I have tried many ways to specify it in the read-only resource access list, but I can still go to regedit and change the key value.

    Is there a special way to define a registry key, or am I missing something?



  • 2.  RE: how to block changes to a registry key?

    Posted May 22, 2009 09:58 PM
    You might want to trigger an event based on running the template_registry and seeing what the actual registry key is in the event.


  • 3.  RE: how to block changes to a registry key?

    Posted May 25, 2009 02:46 AM
    Hi Shaun,

    Thanks for your reply... I have tried using the template registry but still cannot get SCSP to detect changes.
    The registry key I am trying to detect (among others) is:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ldap\ldapclientintegrity

    How shall I input this in the option?

    I have tried inputting this reg key in the following ways... but it still doesn't work:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ldap\ldapclientintegrity
    HKLM\SYSTEM\CurrentControlSet\Services\ldap\ldapclientintegrity
    *\SYSTEM\CurrentControlSet\Services\ldap\ldapclientintegrity

    Any ideas?



  • 4.  RE: how to block changes to a registry key?

    Posted May 25, 2009 03:01 AM
    What if you block regedit?


  • 5.  RE: how to block changes to a registry key?

    Posted May 26, 2009 04:31 PM
    http://service1.symantec.com/support/intrusiondetectkb.nsf/854fa02b4f5013678825731a007d06af/e358830adfc5f2a3882574c9007d7569?OpenDocument


  • 6.  RE: how to block changes to a registry key?

    Posted Jun 02, 2009 11:04 PM
    Hi,

    I have tried as per the instructions in the KB but it still doesn't work... I am still able to go to regedit and change the registry key value.

    Have any of you guys tried to block a specific registry key before?

    I could block regedit, but I don't think that's what my company is going for... Basically we want to block changes to all registry keys pertaining to Windows security settings... Is this possible?


  • 7.  RE: how to block changes to a registry key?

    Posted Jun 03, 2009 12:13 PM
    Hi teong, how about changing permissions on the key you want to change?


  • 8.  RE: how to block changes to a registry key?

    Posted Jun 04, 2009 09:57 PM
    Hi Paul,
    Thanks for your reply... I guess I could try that, but I'm not too sure what permissions to set so that I don't break anything... But I was thinking SCSP would be able to do this? Isn't this one of the core functions of SCSP: setting read-only access on a registry key?




  • 9.  RE: how to block changes to a registry key?

    Posted Jun 05, 2009 05:51 PM
    I guess as long as you give the Administrators and SYSTEM accounts full access you will not have any problems, so that you will still have access just in case a problem arises and you need to revert to the previous settings.


  • 10.  RE: how to block changes to a registry key?

    Posted Jul 14, 2009 09:39 AM
    The problem with adding policies on the local administrator and system accounts is that it will be prone to malware and other intrusions that use these built-in accounts, which nullifies the application.


  • 11.  RE: how to block changes to a registry key?

    Posted Jul 22, 2009 11:04 AM
    But nearly all registry keys (the ones mentioned above included) give full control access to the Administrators group and SYSTEM account by default.  Taking these permissions off of reg keys can have very detrimental effects.

    This is probably a dumb question, teong27, but are you attempting to edit these entries while logged in as an Admin?  Is that what you're going by?


  • 12.  RE: how to block changes to a registry key?

    Posted Jul 31, 2009 11:04 PM
    Hi jmor... Yes, I am editing these keys using regedit while logged in as admin... I had the impression SCSP would still block this...
    If you set a file in the non-writable resource list (e.g. c:\test.txt) then you are unable to edit this file even if you are admin.
    I actually logged this case with support and the guy told me he was able to do it in their environment... Still waiting for a response now.
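
The permissions question raised in posts 7 to 11, as an added example that is not part of the thread: a read-only PowerShell check that lists which accounts hold write-capable rights on the key from post 3. Registry ACLs are set on keys rather than values, so if the last path segment turns out to be a value name the script reports on the parent key instead; the `HKLM:` drive form of the path and the choice of which rights count as write-capable are assumptions of this example.

```powershell
# Added example (not from the thread): show who can modify a registry key.
# The path is the one quoted in post 3, written in PowerShell's HKLM: drive form.
$target = 'HKLM:\SYSTEM\CurrentControlSet\Services\ldap\ldapclientintegrity'

# Rights treated here as "write-capable" (an assumption of this example):
# changing values or subkeys, deleting the key, or rewriting its ACL/owner.
# 0x10000000 (GENERIC_ALL) and 0x40000000 (GENERIC_WRITE) cover ACEs that
# are stored with generic bits, as inherit-only entries often are.
$writeMask = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership' -bor 0x10000000 -bor 0x40000000

# Permissions exist on keys only. If the full path is not a key, treat the
# last segment as a value name and inspect the key that contains it.
$keyPath   = $target
$valueName = $null
if (-not (Test-Path -LiteralPath $keyPath)) {
    $valueName = Split-Path -Path $target -Leaf
    $keyPath   = Split-Path -Path $target -Parent
    if (-not (Test-Path -LiteralPath $keyPath)) {
        throw "Neither '$target' nor its parent exists as a registry key."
    }
}

if ($valueName) {
    $prop = Get-ItemProperty -LiteralPath $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($prop) { "Value '$valueName' under $keyPath = $($prop.$valueName)" }
    else       { "No value named '$valueName' under $keyPath" }
}

$acl = Get-Acl -LiteralPath $keyPath
"Key inspected: $keyPath"
"Owner:         $($acl.Owner)"

# Allow entries whose rights overlap the write mask. IsInherited shows
# whether the entry is set on this key or flows down from a parent key.
$acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.RegistryRights) -band $writeMask)
    } |
    Select-Object IdentityReference, RegistryRights, IsInherited, InheritanceFlags |
    Format-Table -AutoSize
```

Running it before and after any permission change gives a record of which entries were touched, which is what is needed to revert if something breaks.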