Re: Vulnerability in Windows 2000 policy

[Andrew Reisse <areisse () WAM UMD EDU>]

The settings in the policy editor "disable registry editing tools" are
almost useless. Their only function is to provide a flag that microsoft's
supplied regedit checks, and exits if set. A user can install a different
registry-editing tool, and use it instead. The proper way to secure the
registry is to set ACL's (use regedt32 for this) on keys that are
security-critical.

On Tue, Oct 17, 2000 at 05:44:43PM +0200, Andrejus Stavickis wrote:
>       Hi,
>
>   as You know, there are a group policies in Windows 2000. So i done an
> experiment with it.
>
> software: Windows 2000 Server SP1, Windows 2000 Professional SP1.
>
> Workaround:
>
> 1. create a domain, or OU group policy, which disables registry editing
> tools. Now user should not run regedit.exe and regedt32.exe, and it's true,
> but user still able to merge .REG file into the registry. So there are one
> step for user needed to disable policies: create a .reg file and merge it
> into the registry, Also there are a possibility to control file extensions,
> but it's don't help.
>
> Solution:
>
> You must disable regedit.exe and regedt32.exe together with registry editing
> tools.
>
>    Sincerely,
>
> --Andrejus Stavickis (MCSE+I, MCSD, MCDBA, MCT)
> KTU SC UESM
> Studentu 48a-203
> Kaunas, 3028
> LITHUANIA
> phone: +370 7 300633
> Cellular phone: +370 87 15664
> fax: +370 7 352995
> ICQ: 2402709