Critical key permissions incorrect

Risk Level: Medium

Check or Attack Name: Critical Key Permissions

Platforms: Windows NT

Description:

A registry key that can lead to higher access levels is writable by non-administrators. Each of these keys can be used to insert a Trojan horse program that is then invoked when another user logs in. The AeDebug key can be used to directly gain higher access if the attacker can cause a service running at a privileged user level to crash.

The vulnerable keys under HKEY_LOCAL_MACHINE are:

  • Software\Microsoft\Windows\CurrentVersion\Run
  • Software\Microsoft\Windows\CurrentVersion\RunOnce
  • Software\Microsoft\Windows\CurrentVersion\RunOnceEx
  • Software\Microsoft\Windows NT\CurrentVersion\AeDebug
  • Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

Remedy:

Set permissions on each of these keys. Grant Administrators and System users full access, and Everyone read access. To set key permissions, follow these steps:

  1. Open Registry Editor. From the Windows NT Start menu, select Run, type regedt32, and click OK.
  2. Go to the registry key listed in the description.
  3. From the Security menu, select Permissions to display the Registry Key Permissions dialog box.
  4. Examine the permissions for the following characteristics:
    • Verify that Administrator and System have Full Access.
    • Verify that Everyone has Read access.
    • Remove unauthorized names, or change the Type of Access to Read.
  5. Click OK when you have completed setting the permissions.
  6. Repeat steps 2 to 5 for all the keys listed above.
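
A scripted form of the check in step 4, as an added example that is not part of the original advisory. It assumes a Windows host with PowerShell (rather than the regedt32 workflow above), only reads the ACLs, and uses variable names chosen for illustration.

```powershell
# Added example: read-only audit of the keys named in this advisory.
$keys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'Software\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'Software\Microsoft\Windows NT\CurrentVersion\AeDebug',
    'Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

# Principals the remedy allows full access, by well-known SID.
$trusted = @(
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-18'        # NT AUTHORITY\SYSTEM
)

# Rights that change the key, its values, its ACL or its owner, plus the
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits that can
# appear unmapped in inheritable ACEs.
$writeMask = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
$writeMask = $writeMask -bor 0x40000000 -bor 0x10000000

$sidType = [System.Security.Principal.SecurityIdentifier]
$findings = foreach ($key in $keys) {
    $path = "HKLM:\$key"
    if (-not (Test-Path -LiteralPath $path)) { continue }   # key not present on this host
    $acl = Get-Acl -LiteralPath $path
    # Request rules as SIDs so unresolvable account names cannot break the loop.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($trusted -contains $sid) { continue }
        if (([int]$ace.RegistryRights -band $writeMask) -eq 0) { continue }
        # Resolve the SID to a name for the report; keep the SID if that fails.
        try   { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid }
        [pscustomobject]@{
            Key       = $key
            Principal = $name
            Rights    = $ace.RegistryRights
            Inherited = $ace.IsInherited
            Scope     = $ace.PropagationFlags   # InheritOnly = applies to subkeys only
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { 'No write access found for principals other than Administrators and SYSTEM.' }
```

Each row is a principal holding write-type access beyond what the remedy permits; review it and reduce it to Read as described in steps 3 to 5.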