REGISTRY_PERMISSIONS
This policy item checks if the registry key ACL is correct. The check is performed by calling the function RegGetKeySecurity
on the registry key handle.
Note: This check requires remote registry access for the remote Windows system to function properly.
Usage
<custom_item>
type: REGISTRY_PERMISSIONS
description: ["description"]
value_type: [value_type]
value_data: [value]
(optional) check_type: [value]
reg_key: ["regkeyname"]
(optional) acl_option: [acl_option]
</custom_item>
The allowed type is:
value_type: REG_ACL
value_data: "ACLname"
reg_key: "RegistryKeyName"
The following predefined paths can be used for the reg_key field:
HKLM (HKEY_LOCAL_MACHINE)
HKU (HKEY_USERS)
HKCR (HKEY_CLASSES_ROOT)
When using this audit, please note the following:
- The reg_key field must include the full path to the registry key.
- The value_data field is the name of an ACL defined in the policy file.
- The acl_option field can be set to CAN_BE_NULL or CAN_NOT_BE_NULL to force a pass (CAN_BE_NULL) or a failure (CAN_NOT_BE_NULL) if the key does not exist.
Example
<registry_acl: "ACL2">
<user: "Administrators">
acl_inheritance: "not inherited"
acl_apply: "This key and subkeys"
acl_allow: "Full Control"
</user>
<user: "SYSTEM">
acl_inheritance: "not inherited"
acl_apply: "This key and subkeys"
acl_allow: "Full Control"
</user>
</acl>
<custom_item>
type: REGISTRY_PERMISSIONS
description: "Permissions for HKLM\SOFTWARE\Microsoft"
value_type: REG_ACL
value_data: "ACL2"
reg_key: "HKLM\SOFTWARE\Microsoft"
</custom_item>
When the above check is executed, the compliance module will check if the permissions defined for HKLM\SOFTWARE\Microsoft
match the ones described in registry_acl ACL2.
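The comparison the compliance module performs, as an added PowerShell example that is not Tenable's code: it reads the key's security descriptor with Get-Acl (the same descriptor RegGetKeySecurity returns) and tests it against ACL2 above, including the missing-key case that acl_option governs. The function name, the hashtable layout and the -KeyMayBeNull switch standing in for acl_option: CAN_BE_NULL are assumptions.

```powershell
# Added example (not Tenable's code): re-implement the REGISTRY_PERMISSIONS check for ACL2.
# Function name, parameter layout and $KeyMayBeNull (stands in for acl_option) are assumptions.
function Test-RegistryKeyAcl {
    param(
        [Parameter(Mandatory)] [string]   $RegKey,      # e.g. 'HKLM\SOFTWARE\Microsoft'
        [Parameter(Mandatory)] [object[]] $ExpectedAcl, # hashtables: User, Rights, Inherited, Inheritance
        [switch] $KeyMayBeNull                          # like acl_option: CAN_BE_NULL
    )
    # Expand the predefined hive abbreviations the audit format accepts
    $hives = @{ HKLM = 'HKEY_LOCAL_MACHINE'; HKU = 'HKEY_USERS'; HKCR = 'HKEY_CLASSES_ROOT' }
    $hive, $rest = $RegKey -split '\\', 2
    $path = "Registry::$($hives[$hive])\$rest"
    if (-not (Test-Path -LiteralPath $path)) {
        $verdict = if ($KeyMayBeNull) { 'PASSED' } else { 'FAILED' }
        return [pscustomobject]@{ Key = $RegKey; Result = $verdict; Reason = 'key does not exist' }
    }
    $actual   = (Get-Acl -LiteralPath $path).Access
    $problems = @()
    foreach ($e in $ExpectedAcl) {
        # An ACE matches only if identity, rights, inheritance state and scope all agree
        $hit = $actual | Where-Object {
            $_.IdentityReference.Value -ieq $e.User -and
            $_.AccessControlType -eq 'Allow' -and
            $_.RegistryRights -eq $e.Rights -and
            $_.IsInherited -eq $e.Inherited -and
            $_.InheritanceFlags -eq $e.Inheritance -and
            $_.PropagationFlags -eq 'None'
        }
        if (-not $hit) { $problems += "missing ACE: $($e.User) $($e.Rights) inherited=$($e.Inherited)" }
    }
    # The key's ACL must match the policy ACL, so ACEs for other principals are deviations too
    $wanted = $ExpectedAcl | ForEach-Object { $_.User }
    foreach ($x in $actual | Where-Object { $_.IdentityReference.Value -notin $wanted }) {
        $problems += "unexpected ACE: $($x.IdentityReference) $($x.RegistryRights)"
    }
    [pscustomobject]@{
        Key    = $RegKey
        Result = $(if ($problems.Count -eq 0) { 'PASSED' } else { 'FAILED' })
        Reason = $problems -join '; '
    }
}
# ACL2 from the page: Full Control, not inherited, "This key and subkeys" (= ContainerInherit, PropagationFlags None)
$acl2 = @(
    @{ User = 'BUILTIN\Administrators'; Rights = 'FullControl'; Inherited = $false; Inheritance = 'ContainerInherit' },
    @{ User = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl'; Inherited = $false; Inheritance = 'ContainerInherit' }
)
Test-RegistryKeyAcl -RegKey 'HKLM\SOFTWARE\Microsoft' -ExpectedAcl $acl2 | Format-List
```

On a default Windows installation HKLM\SOFTWARE\Microsoft carries inherited entries for other principals, so this sample reports FAILED and lists each deviation; that is exactly the drift from the policy ACL the check exists to surface.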