Mail Archives: cygwin/2005/10/27/07:44:02

Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Message-ID: <4360BD5F.5010403@equate.dyndns.org>
Date: Thu, 27 Oct 2005 12:43:27 +0100
From: Chris Taylor <chris AT equate DOT dyndns DOT org>
User-Agent: Debian Thunderbird 1.0.7 (X11/20051017)
MIME-Version: 1.0
To: cygwin AT cygwin DOT com
Subject: Re: AllVersions: Running Cygwin X w/ Registy Entries
References: <1130262948 DOT 435e71a4abd76 AT webmail DOT mail DOT gatech DOT edu> <Pine DOT GSO DOT 4 DOT 63 DOT 0510251414040 DOT 29082 AT slinky DOT cs DOT nyu DOT edu> <1130283941 DOT 435ec3a5672f2 AT webmail DOT mail DOT gatech DOT edu> <4kmnzwxkibr0.1rd655owgqdi6$.dlg AT 40tude DOT net> <20051026143731 DOT GA1936 AT trixie DOT casa DOT cgf DOT cx> <1g329hewnak2$.1knc01godo1ld DOT dlg AT 40tude DOT net> <435FB109 DOT 30506 AT equate DOT dyndns DOT org> <b4pbgnamlpal DOT 1c8pbv7kbbf9j DOT dlg AT 40tude DOT net> <4360A2BA DOT 8070704 AT equate DOT dyndns DOT org> <4360A973 DOT 168A2014 AT dessent DOT net>
In-Reply-To: <4360A973.168A2014@dessent.net>
X-IsSubscribed: yes

Brian Dessent wrote:
> Chris Taylor wrote:
> 
> 
>>When I say editing the registry, I'm talking about the ability to
>>directly manipulate it with .reg files, regedit, or other registry
>>editing tools.
> 
> 
> You can block access to certain known tools like regedit.  This does
> *nothing* to block access to the registry itself, except for amateur
> users that think regedit is the only way to access the registry.

You can, as per your next paragraph.

> 
> Registry keys are full NT objects each with their own ACL, and so if you
> *really* want to prevent someone from being able to edit the registry,
> this is the *only* way.  And doing so breaks lots of programs that
> expect to be able to store their settings in HKCU.  I suppose you could
> allow specific write access to those keys that known programs need to
> access, and deny everything else.  But that would be an enormous amount
> of work, and by the time you're done you'd have granted access to a
> large portion of HKCU.

Yes, though most programs will silently fail if they can't save their
settings. Most don't actually require you to have access of certain
levels to function, at least those that are commonly used in a corporate
environment. Ideally you should have - perhaps restricted to the
software key though, and with the Windows section read only.


> 
> The point here is that regedit is only *one* way of arbitrarily
> manipulating the registry, and a user that knows what he's doing will
> *always* be able to get around this.  Disabling regedit is *not* a form
> of security, unless you define security as "keeping out casual users but
> nothing else."

Indeed. Hence the ACLs.

> 
> 
>>Yes, you are able to make changes to HKCU, but not *directly*.
> 
> 
> echo "1" > /proc/registry/HKEY_CURRENT_USER/Software/Foobar
> 
> Oh look, I just edited the registry directly.  Okay, so you don't allow
> Cygwin.  So I compile a C program that takes a key+value on the command
> line and calls RegSetValueEx().  Oh, so you disallow that filename or
> checksum.  So I make a different C program and call it something else. 
> There are an infinite number of programs that I can write and it's
> impossible to block them all.  The point here is that there is no such
> thing as "blocking direct access" while still "letting some programs
> write to the registry."  Either it's writeable or it's not.  If it is,
> then the user can make arbitrary changes.  There's no middle ground.

Yes, but it isn't black and white either. As we all agree, you have the
joy of ACLs, which complicates matters.
Then you also have the option of purging all current user registry files
on logoff.. Letting them make changes to aspects at runtime, but losing
them all at the end of the session.
Myself, I feel this is the best compromise.

> 
> 
>>Your method is flawed and destroys the existing setup, which is bad.
>>I disable ALL aspects of regedit and other tools, and I know I'm not
>>alone in this. It's perfectly normal and *common* to do it.
> 
> 
> You can disable every piece of software that has ever existed in the
> known universe, and I will still be able to make arbitrary registry
> changes if I want -- provided that the desired HKCU key is writeable.
> 
> 
>>The (l)user should *never* be allowed to edit the registry themselves.
>>That's a recipe for disaster.
> 
> 
> If you think it is possible to block "direct" editing of the registry
> while still allowing HKCU to be writeable, then you are clearly mistaken
> at how windows security works.

This is why you have application allow lists. Admittedly this also isn't 
foolproof, but it does make it more difficult.

> 
> 
>>Using a command that alters the registry as part of its function, but
>>does not allow the user to directly alter it is a very different
>>ballgame. mount would be permissible. Some console app to directly edit
>>the registry would not be.
> 
> 
> There is absolutely no way for a sysadmin to block one and not the
> other.
> 
> Brian
> 

Oh, I agree, but Thorsten was under the impression that regedit /s would 
work when regedit itself was disabled - this is blatantly not the case.

Aside from that.. The whole concept of security on windows is a bit of a 
farce.. A compromise is the best you're ever likely to manage.

Anyway.. I think this got rather off-topic :P

-- 

Spinning complacently in the darkness, covered and blinded by a blanket
of little lives, false security has lulled the madness of this world
into a slumber. Wake up! An eye is upon you, staring straight down and
keenly through, seeing all that you are and everything that you will
never be. Yes, an eye is upon you, an eye ready to blink. So face
forward, with arms wide open and mind reeling. Your future has
arrived... Are you ready to go?

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/
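Both sides of the thread end up agreeing that the key ACL, not a regedit policy, is what decides whether a user can change HKCU. The following PowerShell audit is an added example (not from the thread or from Cygwin) that lists which principals hold write-class rights on a key and its subkeys, so an admin can see what the ACLs actually grant; the starting key `HKCU:\Software` is an assumed default and the script is meant to run as the interactive user whose hive is being inspected.

```powershell
# Added example: report Allow ACEs that carry write-class registry rights
# under a key, walking the subtree. Assumes the registry provider (HKCU:)
# is available, i.e. Windows PowerShell or PowerShell on Windows.
param(
    [string]$KeyPath = 'HKCU:\Software'   # assumed starting key; any registry path works
)

# Rights that let a principal change a key's values or children.
$writeRights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
               [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
               [System.Security.AccessControl.RegistryRights]::Delete -bor
               [System.Security.AccessControl.RegistryRights]::WriteKey -bor
               [System.Security.AccessControl.RegistryRights]::FullControl

function Get-RegistryWriters {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        # Only Allow entries that include at least one write-class right matter here;
        # Deny entries and read-only grants are skipped.
        if ($ace.AccessControlType -eq 'Allow' -and
            (($ace.RegistryRights -band $writeRights) -ne 0)) {
            [pscustomobject]@{
                Key       = $Path
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# The starting key plus every subkey beneath it (keys the caller cannot open are skipped).
$keys = @(Get-Item -Path $KeyPath) +
        @(Get-ChildItem -Path $KeyPath -Recurse -ErrorAction SilentlyContinue)

$keys | ForEach-Object { Get-RegistryWriters -Path $_.PSPath } |
    Format-Table -AutoSize
```

Because inherited ACEs are reported as well, the output shows directly how far a grant at the top of the hive propagates, which is the "large portion of HKCU" problem the thread describes.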
