Microsoft Windows Server 2016

Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained

STIG ID: WN16-00-000190 | SRG: SRG-OS-000324-GPOS-00125 | Severity: Medium | CCI: CCI-002235 | Vulnerability ID: V-224835

Description

The registry is integral to the function, security, and stability of the Windows system. Changing the system's registry permissions allows the possibility of unauthorized and anonymous modification to the operating system.

Check

Review the registry permissions for the keys of the HKEY_LOCAL_MACHINE hive noted below.

If any non-privileged groups such as Everyone, Users, or Authenticated Users have greater than Read permission, this is a finding.

If permissions are not as restrictive as the default permissions listed below, this is a finding.

Run "Regedit".
Right-click on the registry areas noted below.
Select "Permissions..." and the "Advanced" button.

HKEY_LOCAL_MACHINE\SECURITY
Type - "Allow" for all
Inherited from - "None" for all
Principal - Access - Applies to
SYSTEM - Full Control - This key and subkeys
Administrators - Special - This key and subkeys

HKEY_LOCAL_MACHINE\SOFTWARE
Type - "Allow" for all
Inherited from - "None" for all
Principal - Access - Applies to
Users - Read - This key and subkeys
Administrators - Full Control - This key and subkeys
SYSTEM - Full Control - This key and subkeys
CREATOR OWNER - Full Control - This key and subkeys
ALL APPLICATION PACKAGES - Read - This key and subkeys

HKEY_LOCAL_MACHINE\SYSTEM
Type - "Allow" for all
Inherited from - "None" for all
Principal - Access - Applies to
Users - Read - This key and subkeys
Administrators - Full Control - This key and subkeys
SYSTEM - Full Control - This key and subkeys
CREATOR OWNER - Full Control - Subkeys only
ALL APPLICATION PACKAGES - Read - This key and subkeys
Server Operators - Read - This key and subkeys (Domain controllers only)

Other examples under the noted keys may also be sampled. There may be some instances where non-privileged groups have greater than Read permission. If the defaults have not been changed, these are not a finding.
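The check above is a manual review in Regedit. The PowerShell script below is an added example, not part of the STIG, that automates the same comparison for the three keys: it reads each key's DACL through .NET (opening with ReadPermissions only, so HKLM\SECURITY can be inspected from an elevated prompt) and reports any Allow ACE where a non-privileged principal holds rights beyond Read, or any ACE that is inherited when the STIG expects "Inherited from - None". The principal names assume an English-language install; run it elevated.

```powershell
# Added audit script for WN16-00-000190 (not part of the STIG text).
# Assumes en-US principal names and an elevated PowerShell session.
$Keys = 'SECURITY', 'SOFTWARE', 'SYSTEM'   # subkeys of HKEY_LOCAL_MACHINE

# Principals the STIG treats as non-privileged: anything beyond Read is a finding.
$NonPrivileged = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES',
    'BUILTIN\Server Operators'
)

# "Read" in Regedit corresponds to KEY_READ (ReadKey in .NET terms).
$ReadMask = [int][System.Security.AccessControl.RegistryRights]::ReadKey

function Test-HklmDefaultPermissions {
    param([string[]]$SubKeys = $Keys)
    foreach ($name in $SubKeys) {
        $path = "HKEY_LOCAL_MACHINE\$name"
        try {
            # Open with ReadPermissions only: enough to read the DACL, and it works on
            # HKLM\SECURITY where Administrators lack KEY_READ by default.
            $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
                $name,
                [Microsoft.Win32.RegistryKeyPermissionCheck]::Default,
                [System.Security.AccessControl.RegistryRights]::ReadPermissions)
            $acl = $key.GetAccessControl()
        } catch {
            Write-Warning "Cannot read ACL of ${path}: $_"
            continue
        }
        foreach ($ace in $acl.Access) {
            $principal = $ace.IdentityReference.Value
            $rights    = [int]$ace.RegistryRights
            $excess    = $rights -band (-bnot $ReadMask)   # right bits outside Read
            if ($ace.AccessControlType -eq 'Allow' -and $NonPrivileged -contains $principal -and $excess -ne 0) {
                [pscustomobject]@{ Key = $path; Principal = $principal; Rights = $ace.RegistryRights; Reason = 'Non-privileged principal exceeds Read' }
            }
            if ($ace.IsInherited) {
                [pscustomobject]@{ Key = $path; Principal = $principal; Rights = $ace.RegistryRights; Reason = 'Inherited ACE; STIG expects "Inherited from - None"' }
            }
        }
        $key.Close()
    }
}

$findings = @(Test-HklmDefaultPermissions)
if ($findings.Count -gt 0) { $findings | Format-Table -AutoSize; exit 1 }
'No deviation from the STIG default permissions found on the top-level keys.'
```

The script only samples the three top-level keys named in the check; subkeys that legitimately differ from the defaults still require the manual judgement the check describes.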

Fix

Maintain the default permissions for the HKEY_LOCAL_MACHINE registry hive.

The default permissions of the higher-level keys are noted below.

HKEY_LOCAL_MACHINE\SECURITY
Type - "Allow" for all
Inherited from - "None" for all
Principal - Access - Applies to
SYSTEM - Full Control - This key and subkeys
Administrators - Special - This key and subkeys

HKEY_LOCAL_MACHINE\SOFTWARE
Type - "Allow" for all
Inherited from - "None" for all
Principal - Access - Applies to
Users - Read - This key and subkeys
Administrators - Full Control - This key and subkeys
SYSTEM - Full Control - This key and subkeys
CREATOR OWNER - Full Control - This key and subkeys
ALL APPLICATION PACKAGES - Read - This key and subkeys

HKEY_LOCAL_MACHINE\SYSTEM
Type - "Allow" for all
Inherited from - "None" for all
Principal - Access - Applies to
Users - Read - This key and subkeys
Administrators - Full Control - This key and subkeys
SYSTEM - Full Control - This key and subkeys
CREATOR OWNER - Full Control - Subkeys only
ALL APPLICATION PACKAGES - Read - This key and subkeys
Server Operators - Read - This key and subkeys (Domain controllers only)