TOC & Recently Viewed

Recently Viewed Topics

REGISTRY_SETTING

Note: This check requires remote registry access for the remote Windows system to function properly.

This policy item is used to check the value of a registry key. Many policy checks in “Security Settings -> Local Policies -> Security Options” use this policy item. This check is performed by calling the function RegQueryValueEx.

The reg_key field is the name of the registry key (e.g., “HKLM\SOFTWARE\Microsoft\Driver Signing”). The first part of the key (HKLM) is used to connect to the correct registry hive. The subsequent path is a static designation where the desired reg_item is located.

Note: The HKU (HKEY_USERS) hive is a special case. It is not possible to specify a SID for HKU keys. What happens is the nbin internally iterates over each SID, and passes only if the value in each SID is valid.

For example:

<custom_item>

type: REGISTRY_SETTING

description: "HKU\Control Panel\Desktop\ScreenSaveActive"

value_type: POLICY_DWORD

value_data: 1

reg_key: "HKU\Control Panel\Desktop"

reg_item: "ScreenSaveActive"

</item>

would loop over:

HKU\S-1-5-18\Control Panel\Desktop\ScreenSaveActive

HKU\S-1-5-19\Control Panel\Desktop\ScreenSaveActive

HKU\S-1-5-20\Control Panel\Desktop\ScreenSaveActive

...

and pass if item “ScreenSaveActive” is set to 1 for all SIDs.

The optional reg_option field can be set to CAN_BE_NULL to force the check to succeed if the key does not exist or to the opposite CAN_NOT_BE_NULL.

An additional option reg_enum with the argument “ENUM_SUBKEYS” can be used to enumerate a specified value for all subkeys of a registry key. For example, the key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall has many software packages listed. If you wish to match the “CurrentVersion” value for all of the subkeys under “Uninstall”, use reg_enum.

Example:

<custom_item>

type: REGISTRY_SETTING

description: "DBMS network port, protocol, and services (PPS) usage"

info: "Checking whether TCPDynamicPorts key value is configured (should be blank)."

value_type: POLICY_TEXT

value_data: ""

reg_key: "HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL.1\MSSQLServer\SuperSocketNetLib\Tcp"

reg_item: "TCPDynamicPorts"

reg_enum: ENUM_SUBKEYS

reg_option: CAN_BE_NULL

</custom_item>

This audit of the HKU registry hive does not include the SID (security identifier) in the reg_key registry path. This example will search every HKU SID for the specified reg_item.

<custom_item>

type: REGISTRY_SETTING

description: "FakeAlert.BG trojan check"

value_type: POLICY_TEXT

reg_key: "HKU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

reg_item: "brastk"

value_data: "C:\WINDOWS\System32\brastk.exe"

reg_option: CAN_BE_NULL

check_type: CHECK_NOT_EQUAL

info: "A registry entry for FakeAlert.BG trojan/downloader was found."

info: "The contents of this audit can be edited as desired."

</custom_item>

Usage

<custom_item>

type: REGISTRY_SETTING

description: ["description"]

value_type: [VALUE_TYPE]

value_data: [value]

reg_key: ["key name"]

reg_item: ["key item"]

(optional) check_type: [value]

(optional) reg_option: [KEY_OPTIONS]

(optional) reg_enum: ENUM_SUBKEYS

</custom_item>

The following main value_type field types are available:

  • POLICY_SET

    value_data: "Enabled" or "Disabled"

  • POLICY_DWORD

    value_data: DWORD or RANGE [same dword as in registry or range]

  • POLICY_TEXT

    value_data: "TEXT" [same text as in registry]

  • POLICY_MULTI_TEXT

    value_data: "TEXT1" && "TEXT2" && ... && "TEXTN" [same texts as in registry]

  • POLICY_BINARY

    value_data: "0102ac0b...34fb" [same binary as in registry]

  • FILE_ACL, REG_ACL, SERVICE_ACL, LAUNCH_ACL, ACCESS_ACL

    value_data: "acl_name" [name of the acl to use]

The following optional value_type field types are available and used in predefined items:

  • DRIVER_SET

    value_data: "Silent Succeed", "Warn but allow installation", "Do not allow installation"

  • LDAP_SET

    value_data: "None" or "Require Signing"

  • LOCKEDID_SET

    value_data: "user display name, domain and user names", "user display name only", "do not display user information"

  • SMARTCARD_SET

    value_data: "No action", "Lock workstation", "Force logoff", "Disconnect if a remote terminal services session"

  • LOCALACCOUNT_SET

    value_data: "Classic - local users authenticate as themselves", "Guest only - local users authenticate as guest"

  • NTLMSSP_SET

    value_data: "No minimum", "Require message integrity", "Require message confidentiality", "Require ntlmv2 session security", "Require 128-bit encryption"

  • CRYPTO_SET

    value_data: "User input is not required when new keys are stored and used", "User is prompted when the key is first used" or "User must enter a password each time they use a key"

  • OBJECT_SET

    value_data: "Administrators group", "Object creator"

  • DASD_SET

    value_data: "Administrators", "administrators and power users", "Administrators and interactive users"

  • LANMAN_SET

    value_data: "Send LM & NTLM responses", "send lm & ntlm - use ntlmv2 session security if negotiated", "send ntlm response only", "send ntlmv2 response only", "send ntlmv2 response only\refuse lm" or "send ntlmv2 response only\refuse lm & ntlm"

  • LDAPCLIENT_SET

    value_data: "None", "Negotiate Signing" or "Require Signing"

  • EVENT_METHOD

    value_data: "by days", "manually" or "as needed"

  • POLICY_DAY

    value_data: DWORD or RANGE (time in days)

  • POLICY_KBYTE

    value_data: DWORD or RANGE

For the custom_item field, use the main value_type. Optional types have been created for predefined items.

If the value_type is an ACL, the registry item must be a security description in binary format.

Examples

<custom_item>

type: REGISTRY_SETTING

description: "Network security: Do not store LAN Manager hash value on next password change"

value_type: POLICY_SET

value_data: "Enabled"

reg_key: "HKLM\SYSTEM\CurrentControlSet\Control\Lsa"

reg_item: "NoLMHash"

</custom_item>

<custom_item>

type: REGISTRY_SETTING

description: "Network access: Shares that can be accessed anonymously"

value_type: POLICY_MULTI_TEXT

value_data: "SHARE" && "EXAMPLE$"

reg_key: "HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters"

reg_item: "NullSessionShares"

</custom_item>

<custom_item>

type: REGISTRY_SETTING

description: "DCOM: Network Provisioning Service - Launch permissions"

value_type: LAUNCH_ACL

value_data: "2"

reg_key: "HKLM\SOFTWARE\Classes\AppID\{39ce474e-59c1-4b84-9be2-2600c335b5c6}"

reg_item: "LaunchPermission"

</custom_item>

<custom_item>

type: REGISTRY_SETTING

description: "DCOM: Automatic Updates - Access permissions"

value_type: ACCESS_ACL

value_data: "3"

reg_key: "HKLM\SOFTWARE\Classes\AppID\{653C5148-4DCE-4905-9CFD-1B23662D3D9E}"

reg_item: "AccessPermission"

</custom_item>

Copyright © 2017. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.