REGISTRY_SETTING

Note: This check requires remote registry access to the target Windows system (the Remote Registry service must be running and reachable with the scan credentials) in order to function.

This policy item is used to check the value of a registry key. Many of the policy checks under “Security Settings -> Local Policies -> Security Options” use this policy item. The check is performed by calling the Win32 function RegQueryValueEx against the remote registry.

The reg_key field is the name of the registry key (e.g., “HKLM\SOFTWARE\Microsoft\Driver Signing”). The first part of the key (HKLM) is used to connect to the correct registry hive. The remainder of the path is the static key path under which the desired reg_item is located.

Note: The HKU (HKEY_USERS) hive is a special case. It is not possible to specify a SID for HKU keys. Instead, the compliance plugin (.nbin) internally iterates over every SID loaded under HKU, and the check passes only if the value is valid under each SID.

For example:

<custom_item>

type: REGISTRY_SETTING

description: "HKU\Control Panel\Desktop\ScreenSaveActive"

value_type: POLICY_DWORD

value_data: 1

reg_key: "HKU\Control Panel\Desktop"

reg_item: "ScreenSaveActive"

</custom_item>

would loop over:

HKU\S-1-5-18\Control Panel\Desktop\ScreenSaveActive

HKU\S-1-5-19\Control Panel\Desktop\ScreenSaveActive

HKU\S-1-5-20\Control Panel\Desktop\ScreenSaveActive

...

and pass only if item “ScreenSaveActive” is set to 1 for every SID (a single profile with a different value fails the check).

The optional reg_option field can be set to CAN_BE_NULL, which makes the check pass when the key or value does not exist, or to CAN_NOT_BE_NULL, which makes a missing key or value a failure.

An additional option, reg_enum with the argument “ENUM_SUBKEYS”, can be used to check a specified value in every subkey of a registry key: reg_item is queried under each immediate subkey of reg_key rather than under reg_key itself. For example, the key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall contains one subkey per installed software package. If you wish to match the “CurrentVersion” value in all of the subkeys under “Uninstall”, set reg_key to the Uninstall key and use reg_enum.

Example:

<custom_item>

type: REGISTRY_SETTING

description: "DBMS network port, protocol, and services (PPS) usage"

info: "Checking whether TCPDynamicPorts key value is configured (should be blank)."

value_type: POLICY_TEXT

value_data: ""

reg_key: "HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\MSSQLServer\SuperSocketNetLib\Tcp"

reg_item: "TCPDynamicPorts"

reg_enum: ENUM_SUBKEYS

reg_option: CAN_BE_NULL

</custom_item>

This audit of the HKU registry hive does not include the SID (security identifier) in the reg_key registry path. This example will search every HKU SID for the specified reg_item. Because it combines CHECK_NOT_EQUAL with CAN_BE_NULL, the item passes for a profile where the value is absent or differs from the trojan's path, and fails only where a profile has “brastk” set to that path.

<custom_item>

type: REGISTRY_SETTING

description: "FakeAlert.BG trojan check"

value_type: POLICY_TEXT

reg_key: "HKU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

reg_item: "brastk"

value_data: "C:\WINDOWS\System32\brastk.exe"

reg_option: CAN_BE_NULL

check_type: CHECK_NOT_EQUAL

info: "A registry entry for FakeAlert.BG trojan/downloader was found."

info: "The contents of this audit can be edited as desired."

</custom_item>

Usage

<custom_item>

type: REGISTRY_SETTING

description: ["description"]

value_type: [VALUE_TYPE]

value_data: [value]

reg_key: ["key name"]

reg_item: ["key item"]

(optional) check_type: [value]

(optional) reg_option: [KEY_OPTIONS]

(optional) reg_enum: ENUM_SUBKEYS

</custom_item>

The following main value_type field types are available:

  • POLICY_SET

    value_data: "Enabled" or "Disabled"

  • POLICY_DWORD

    value_data: DWORD or RANGE [same dword as in registry or range]

  • POLICY_TEXT

    value_data: "TEXT" [same text as in registry]

  • POLICY_MULTI_TEXT

    value_data: "TEXT1" && "TEXT2" && ... && "TEXTN" [same texts as in registry]

  • POLICY_BINARY

    value_data: "0102ac0b...34fb" [same binary as in registry]

  • FILE_ACL, REG_ACL, SERVICE_ACL, LAUNCH_ACL, ACCESS_ACL

    value_data: "acl_name" [name of the acl to use]

The following optional value_type field types are available and used in predefined items:

  • DRIVER_SET

    value_data: "Silent Succeed", "Warn but allow installation", "Do not allow installation"

  • LDAP_SET

    value_data: "None" or "Require Signing"

  • LOCKEDID_SET

    value_data: "user display name, domain and user names", "user display name only", "do not display user information"

  • SMARTCARD_SET

    value_data: "No action", "Lock workstation", "Force logoff", "Disconnect if a remote terminal services session"

  • LOCALACCOUNT_SET

    value_data: "Classic - local users authenticate as themselves", "Guest only - local users authenticate as guest"

  • NTLMSSP_SET

    value_data: "No minimum", "Require message integrity", "Require message confidentiality", "Require ntlmv2 session security", "Require 128-bit encryption"

  • CRYPTO_SET

    value_data: "User input is not required when new keys are stored and used", "User is prompted when the key is first used" or "User must enter a password each time they use a key"

  • OBJECT_SET

    value_data: "Administrators group", "Object creator"

  • DASD_SET

    value_data: "Administrators", "administrators and power users", "Administrators and interactive users"

  • LANMAN_SET

    value_data: "Send LM & NTLM responses", "send lm & ntlm - use ntlmv2 session security if negotiated", "send ntlm response only", "send ntlmv2 response only", "send ntlmv2 response only\refuse lm" or "send ntlmv2 response only\refuse lm & ntlm"

  • LDAPCLIENT_SET

    value_data: "None", "Negotiate Signing" or "Require Signing"

  • EVENT_METHOD

    value_data: "by days", "manually" or "as needed"

  • POLICY_DAY

    value_data: DWORD or RANGE (time in days)

  • POLICY_KBYTE

    value_data: DWORD or RANGE

For the custom_item field, use the main value_type. Optional types have been created for predefined items.

If the value_type is an ACL, the registry item must hold a security descriptor in binary format.
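The following is an added example, not Tenable's code: the compliance plugin is closed, so this is a small Python model of how the REGISTRY_SETTING semantics described above (the SID fan-out for HKU keys, CAN_BE_NULL / CAN_NOT_BE_NULL, reg_enum ENUM_SUBKEYS, check_type CHECK_NOT_EQUAL, and the main value_type comparisons) combine when an item is evaluated. It runs the page's ScreenSaveActive, brastk, TCPDynamicPorts and NoLMHash items against a constructed in-memory registry instead of a live host; the SIDs, the SQL Server IPn subkeys, all registry data and the “[MIN..MAX]” RANGE syntax are assumptions made for the example.

```python
import re
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample registry (key path -> {value name: data}); it stands in
# for what RegQueryValueEx would return on a real host. SIDs, the SQL Server
# IPn subkeys and all data are made up for the example.
SQL_TCP = (r"HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1"
           r"\MSSQLServer\SuperSocketNetLib\Tcp")
REGISTRY: Dict[str, Dict[str, Any]] = {
    r"HKU\S-1-5-18\Control Panel\Desktop": {"ScreenSaveActive": 1},
    r"HKU\S-1-5-19\Control Panel\Desktop": {"ScreenSaveActive": 1},
    r"HKU\S-1-5-21-1000\Control Panel\Desktop": {"ScreenSaveActive": 0},
    r"HKU\S-1-5-21-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run":
        {"brastk": r"C:\WINDOWS\System32\brastk.exe"},
    SQL_TCP + r"\IP1": {"TCPDynamicPorts": ""},
    SQL_TCP + r"\IP2": {"Enabled": 0},          # no TCPDynamicPorts value at all
    SQL_TCP + r"\IPAll": {"TCPDynamicPorts": "49152"},
    r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa": {"NoLMHash": 1},
}

def query_value(key: str, item: str, reg=REGISTRY) -> Optional[Any]:
    """RegQueryValueEx stand-in: None when the key or the value is absent."""
    return reg.get(key, {}).get(item)

def subkeys(key: str, reg=REGISTRY) -> List[str]:
    """Immediate child keys, e.g. the SIDs under HKU or the IPn keys under ...\\Tcp."""
    prefix = key + "\\"
    names = {k[len(prefix):].split("\\", 1)[0] for k in reg if k.startswith(prefix)}
    return sorted(prefix + n for n in names)

def expand_keys(reg_key: str, reg_enum: Optional[str], reg=REGISTRY) -> List[str]:
    """Turn one reg_key into the list of keys actually queried: a SID-less HKU
    path fans out over every loaded SID, and ENUM_SUBKEYS fans out over subkeys."""
    hive, _, rest = reg_key.partition("\\")
    keys = [sid + "\\" + rest for sid in subkeys("HKU", reg)] if hive == "HKU" else [reg_key]
    if reg_enum == "ENUM_SUBKEYS":
        keys = [sub for k in keys for sub in subkeys(k, reg)]
    return keys

RANGE = re.compile(r"^\[(\d+)\.\.(\d+)\]$")   # assumed RANGE syntax, e.g. "[1..5]"

def value_matches(value_type: str, expected: Any, actual: Any) -> bool:
    """Compare registry data against value_data for the main value_type kinds."""
    if value_type == "POLICY_SET":
        return int(actual) == {"Enabled": 1, "Disabled": 0}[expected]
    if value_type in ("POLICY_DWORD", "POLICY_DAY", "POLICY_KBYTE"):
        m = RANGE.match(str(expected))
        if m:
            return int(m.group(1)) <= int(actual) <= int(m.group(2))
        return int(actual) == int(expected)
    if value_type == "POLICY_MULTI_TEXT":
        if isinstance(expected, str):                # '"A" && "B"' form from the audit file
            expected = [s.strip().strip('"') for s in expected.split("&&")]
        return sorted(actual) == sorted(expected)
    if value_type == "POLICY_TEXT":
        return str(actual) == str(expected)
    raise ValueError("unsupported value_type: " + value_type)

def evaluate(item: Dict[str, Any], reg=REGISTRY) -> Tuple[bool, Dict[str, str]]:
    """Evaluate one custom_item: (overall pass, {queried key: PASSED|FAILED}).
    Every expanded key must pass, mirroring the page's "for all SIDs" rule."""
    can_be_null = item.get("reg_option") == "CAN_BE_NULL"
    want_not_equal = item.get("check_type") == "CHECK_NOT_EQUAL"
    keys = expand_keys(item["reg_key"], item.get("reg_enum"), reg)
    if not keys:                                     # nothing to enumerate: key missing
        return can_be_null, {item["reg_key"]: "PASSED" if can_be_null else "FAILED"}
    results = {}
    for key in keys:
        actual = query_value(key, item["reg_item"], reg)
        if actual is None:
            ok = can_be_null
        else:
            ok = value_matches(item["value_type"], item["value_data"], actual) != want_not_equal
        results[key] = "PASSED" if ok else "FAILED"
    return all(r == "PASSED" for r in results.values()), results

# The page's own custom_items, as dicts.
SCREENSAVER = {"value_type": "POLICY_DWORD", "value_data": 1,
               "reg_key": r"HKU\Control Panel\Desktop", "reg_item": "ScreenSaveActive"}
BRASTK = {"value_type": "POLICY_TEXT", "value_data": r"C:\WINDOWS\System32\brastk.exe",
          "reg_key": r"HKU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "reg_item": "brastk",
          "reg_option": "CAN_BE_NULL", "check_type": "CHECK_NOT_EQUAL"}
TCP_PORTS = {"value_type": "POLICY_TEXT", "value_data": "", "reg_key": SQL_TCP,
             "reg_item": "TCPDynamicPorts", "reg_enum": "ENUM_SUBKEYS", "reg_option": "CAN_BE_NULL"}
NOLMHASH = {"value_type": "POLICY_SET", "value_data": "Enabled",
            "reg_key": r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa", "reg_item": "NoLMHash"}

if __name__ == "__main__":
    for name, item in [("ScreenSaveActive", SCREENSAVER), ("brastk", BRASTK),
                       ("TCPDynamicPorts", TCP_PORTS), ("NoLMHash", NOLMHASH)]:
        passed, detail = evaluate(item)
        print(f"{name}: {'PASSED' if passed else 'FAILED'}")
        for key, status in detail.items():
            print(f"    {status:6}  {key}")
```

With the constructed data, ScreenSaveActive fails because one profile (S-1-5-21-1000) has it set to 0, brastk fails only for the profile whose Run key contains the trojan path while the profiles without a Run key pass through CAN_BE_NULL, and TCPDynamicPorts fails on the IPAll subkey while the IP2 subkey, which has no such value, passes for the same reason. Dropping CAN_BE_NULL from an item turns every missing key or value into a failure, which is the behaviour to expect from CAN_NOT_BE_NULL.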

Examples

<custom_item>

type: REGISTRY_SETTING

description: "Network security: Do not store LAN Manager hash value on next password change"

value_type: POLICY_SET

value_data: "Enabled"

reg_key: "HKLM\SYSTEM\CurrentControlSet\Control\Lsa"

reg_item: "NoLMHash"

</custom_item>

<custom_item>

type: REGISTRY_SETTING

description: "Network access: Shares that can be accessed anonymously"

value_type: POLICY_MULTI_TEXT

value_data: "SHARE" && "EXAMPLE$"

reg_key: "HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters"

reg_item: "NullSessionShares"

</custom_item>

<custom_item>

type: REGISTRY_SETTING

description: "DCOM: Network Provisioning Service - Launch permissions"

value_type: LAUNCH_ACL

value_data: "2"

reg_key: "HKLM\SOFTWARE\Classes\AppID\{39ce474e-59c1-4b84-9be2-2600c335b5c6}"

reg_item: "LaunchPermission"

</custom_item>

<custom_item>

type: REGISTRY_SETTING

description: "DCOM: Automatic Updates - Access permissions"

value_type: ACCESS_ACL

value_data: "3"

reg_key: "HKLM\SOFTWARE\Classes\AppID\{653C5148-4DCE-4905-9CFD-1B23662D3D9E}"

reg_item: "AccessPermission"

</custom_item>