
Registry Access Control Checks

A registry ACL is identified by the keyword registry_acl. The ACL name must be unique to be used with a registry permissions item. A registry ACL can contain one or more user entries.

Usage

    <registry_acl: ["name"]>

        <user: ["user_name"]>
            acl_inheritance: ["value"]
            acl_apply: ["value"]
            (optional) acl_allow: ["rights value"]
            (optional) acl_deny: ["rights value"]
        </user>

    </acl>

Syntax

Associated Types, each followed by its Allowed Types:

acl_inheritance

  • not inherited
  • inherited
  • not used

acl_apply

  • this key only
  • this key and subkeys
  • subkeys only

acl_allow, acl_deny

These settings are optional and are used to define the rights a user has on the object.

Generic rights:

  • full control
  • read

Advanced rights:

  • full control
  • query value
  • set value
  • create subkey
  • enumerate subkeys
  • notify
  • create link
  • delete
  • write dac
  • write owner
  • read control

Here is an example registry access control list .audit text:

    <registry_acl: "SOFTWARE ACL">

        <user: "Administrators">
            acl_inheritance: "not inherited"
            acl_apply: "This key and subkeys"
            acl_allow: "Full Control"
        </user>

        <user: "CREATOR OWNER">
            acl_inheritance: "not inherited"
            acl_apply: "Subkeys only"
            acl_allow: "Full Control"
        </user>

        <user: "SYSTEM">
            acl_inheritance: "not inherited"
            acl_apply: "This key and subkeys"
            acl_allow: "Full Control"
        </user>

        <user: "Users">
            acl_inheritance: "not inherited"
            acl_apply: "This key and subkeys"
            acl_allow: "Read"
        </user>

    </acl>
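A pre-flight check for registry_acl blocks before they go into a scan policy, as an added example that is not Tenable's code: it verifies unique ACL names, the two settings not marked optional, and the allowed values listed above. The function name lint_registry_acls and the SAMPLE input are hypothetical. It assumes one tag or setting per line, a single right per acl_allow/acl_deny value, and case-insensitive values (the page's example capitalises values that the Syntax list gives in lower case).

```python
import re
# Allowed values, copied from the Syntax section of this page.
RIGHTS = {"full control", "read", "query value", "set value", "create subkey",
          "enumerate subkeys", "notify", "create link", "delete", "write dac",
          "write owner", "read control"}
ALLOWED = {
    "acl_inheritance": {"not inherited", "inherited", "not used"},
    "acl_apply": {"this key only", "this key and subkeys", "subkeys only"},
    "acl_allow": RIGHTS, "acl_deny": RIGHTS,
}
REQUIRED = ("acl_inheritance", "acl_apply")  # not marked (optional) in Usage
OPEN_ACL = re.compile(r'<registry_acl\s*:\s*"([^"]*)">')
OPEN_USER = re.compile(r'<user\s*:\s*"([^"]*)">')
SETTING = re.compile(r'(\w+)\s*:\s*"([^"]*)"')
# Constructed input: "Write" is not a listed right, acl_inheritance is missing.
SAMPLE = ('<registry_acl: "DEMO ACL">\n<user: "Users">\nacl_apply: "Subkeys only"\n'
          'acl_allow: "Write"\n</user>\n</acl>')

def lint_registry_acls(text):
    """Return a list of problems found in registry_acl blocks ([] means clean)."""
    problems, names, acl, user, keys = [], set(), None, None, {}
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if m := OPEN_ACL.fullmatch(line):
            acl = m.group(1)
            if acl in names:
                problems.append(f"line {n}: duplicate ACL name {acl!r}")
            names.add(acl)
        elif line == "</acl>":
            acl = user = None
        elif (m := OPEN_USER.fullmatch(line)) and acl is not None:
            user, keys = m.group(1), {}
        elif line == "</user>" and user is not None:
            problems += [f"line {n}: user {user!r} is missing {k}"
                         for k in REQUIRED if k not in keys]
            user = None
        elif (m := SETTING.fullmatch(line)) and user is not None:
            key, value = m.groups()
            keys[key] = value
            # Assumption: values compare case-insensitively.
            if value.lower() not in ALLOWED.get(key, ()):
                problems.append(f"line {n}: {key}: {value!r} is not an allowed setting or value")
        elif line:  # anything else that is not blank is out of place
            problems.append(f"line {n}: unexpected text {line!r}")
    if acl is not None:
        problems.append(f"ACL {acl!r} has no closing </acl>")
    return problems

if __name__ == "__main__":
    print(*lint_registry_acls(SAMPLE), sep="\n")
```
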

Copyright © 2017. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.