Registry access allowed for all users

Risk Level: Medium

Check or Attack Name: winreg - everyone

Platforms: Windows NT

Description:

Unrestricted remote access to the registry succeeded for all users. The permissions on the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg key are set to allow access to all users via a null session. If this key is not present, remote access to the registry is not controlled. If this key is detected and Windows NT 4.0 Service Pack 3 or later has not been applied, then non-authenticated users can write registry keys.

If the Everyone group is denied access, null session access to the registry can be prevented.

Remedy:

Apply the latest Windows NT 4.0 Service Pack and modify the registry for RestrictAnonymous.

To apply the latest Windows NT 4.0 Service Pack, follow these steps:

  1. Open a web browser.
  2. Go to http://support.microsoft.com/support/ntserver/Content/ServicePacks/ and follow the directions to download the appropriate service pack for your computer.
  3. Find the installation program you downloaded to your computer.
  4. Double-click the program icon to start the installation.
  5. Follow the installation directions.

—AND—

To restrict registry access, follow these steps:

  1. Open Registry Editor. From the Windows NT Start menu, select Run, type regedt32, and click OK.
  2. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg.
  3. From the Security menu, select Permissions to display the Registry Key Permissions dialog box.
  4. Use these guidelines to review the listed permissions:
    • Remove or change any permissions such as Everyone - Full Control. This default permission allows all users to read, modify, and even change ownership and permissions on the items in the key.
    • Review any names with Full Control permissions and determine if the permission is appropriate. Consider using Special Access, Read, or removing permissions if these names do not need to modify items in the key.
    • Review any names with Special Access permissions and determine if the permission is appropriate. Consider using Read or removing permissions if these names do not need to modify items in the key.
    • Review any names that should not be in the list, and remove the name or change their permission as appropriate.

If an AllowedPaths subkey is present under the winreg key, inspect permissions on these paths closely. This optional subkey defines specific registry paths that can be accessed regardless of the security on the winreg registry key. It contains multiple strings representing registry entries that can be read by Everyone. This subkey allows specific system functions, such as checking printer status, to work correctly regardless of how access is restricted via the winreg registry key. The default security on the AllowedPaths registry key only grants Administrators the ability to manage these paths.
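
The permission review above can also be scripted. The following is an added example, not part of the original advisory or any vendor tool. It assumes a Windows system where PowerShell is available and the same winreg key is used; the function names and the Finding labels are hypothetical.

```powershell
# Added example: audits the winreg key ACL and lists AllowedPaths entries.
# Assumes PowerShell and enough rights to read the key's security descriptor.
$WinregPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
$BroadSids  = @('S-1-1-0', 'S-1-5-7')   # well-known SIDs: Everyone, ANONYMOUS LOGON

function Get-WinregAclFinding {
    param([string]$Path = $WinregPath)
    if (-not (Test-Path -LiteralPath $Path)) {
        # Per the advisory: without this key, remote registry access is not controlled.
        return [pscustomobject]@{ Finding = 'KeyMissing'; Sid = $null; Rights = $null }
    }
    $full  = [System.Security.AccessControl.RegistryRights]::FullControl
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules(
                 $true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid     = $ace.IdentityReference.Value
        $isBroad = $BroadSids -contains $sid
        $isFull  = ($ace.RegistryRights -band $full) -eq $full
        $finding = $null
        if ($isBroad -and $isFull) { $finding = 'BroadGroupFullControl' }  # remove or change
        elseif ($isBroad)          { $finding = 'BroadGroupAllowed' }      # confirm it is needed
        elseif ($isFull)           { $finding = 'FullControlReview' }      # confirm it is appropriate
        if ($finding) {
            [pscustomobject]@{ Finding = $finding; Sid = $sid; Rights = $ace.RegistryRights }
        }
    }
}

function Get-WinregAllowedPath {
    param([string]$Path = $WinregPath)
    $sub = Join-Path $Path 'AllowedPaths'
    if (-not (Test-Path -LiteralPath $sub)) { return }
    $key = Get-Item -LiteralPath $sub
    # Each string under AllowedPaths is readable regardless of the winreg ACL.
    foreach ($name in $key.GetValueNames()) {
        foreach ($entry in @($key.GetValue($name))) {
            [pscustomobject]@{ Value = $name; AllowedPath = $entry }
        }
    }
}

Get-WinregAclFinding  | Format-Table -AutoSize
Get-WinregAllowedPath | Format-Table -AutoSize
```

An empty first table means no allow entry matched the review guidelines; the second table is the list of paths to inspect by hand.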

References:

Microsoft Knowledge Base Article Q155363, HOWTO: Regulate Network Access to the Windows NT Registry, http://support.microsoft.com/support/kb/articles/q155/3/63.asp

