
Tech Tip: Lock down remote access to the registry

Follow these steps to lock down remote access to the registry.

By Mike Mullins

The registry is the heart of the Windows operating system. But by default, the registry on all Windows-based computers is open and available across the network.

A well-informed hacker can use this vulnerability to compromise your organization's systems or modify file relationships and permissions to inject malicious code. To protect your network, you need to deny remote access to the registry.

You can accomplish this via a network access list change and a simple registry fix. Depending on the complexity of your network, you might consider denying remote registry access on the machines themselves.

Fix the registry

For computers running Windows 2000, Windows XP, and Windows Server 2003, follow these steps:

  1. Go to Start | Run.
  2. Enter Regedt32.exe, and click OK.
  3. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers.
  4. If the winreg key is present, skip to Step 8. If this key doesn't exist, go to Edit | Add Key.
  5. Name the key winreg, and give it a class of REG_SZ.
  6. Select the new key, and go to Edit | Add Value.
  7. Enter the following:
    Name: Description
    Type: REG_SZ
    Value: Registry Server
  8. Select the winreg key, and go to Security | Permissions.
  9. Make sure the local System Administrators Group has full access, and give read access to the System account and the Everyone group.
  10. Close the Registry Editor, and restart the computer.

If you have a special group for workstation and server support that isn't a member of your administrators group, you should also grant it the appropriate access permissions.

In addition, if the machine you're making these changes on is a server or if it provides remote services to authorized users, you must allow the service account associated with that service to have read permissions to this key as well.
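The steps above, carried out from an elevated PowerShell session instead of Regedt32, as an added example that is not part of the original article. It assumes the hosts accept PowerShell registry providers and ACL cmdlets; the support-group name is a placeholder to replace with your own group.

```powershell
# Added example (not the article's own text): recreate the winreg key, its
# Description value and the permissions from Steps 3-9, then print the ACL.
$KeyPath      = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
$SupportGroup = $null   # assumed placeholder, e.g. 'DOMAIN\Workstation-Support'

# Steps 3-7: create the key and the Description value only if they are missing.
if (-not (Test-Path $KeyPath)) {
    New-Item -Path $KeyPath -Force | Out-Null
}
New-ItemProperty -Path $KeyPath -Name 'Description' -PropertyType String `
    -Value 'Registry Server' -Force | Out-Null

# Steps 8-9: drop inherited and existing ACEs, then set the explicit list
# from the article (Administrators full; SYSTEM and Everyone read).
$acl = Get-Acl -Path $KeyPath
$acl.SetAccessRuleProtection($true, $false)           # stop inheriting from parent
foreach ($rule in @($acl.Access)) { $acl.RemoveAccessRule($rule) | Out-Null }

function New-RegRule {
    param([string]$Identity, [System.Security.AccessControl.RegistryRights]$Rights)
    New-Object System.Security.AccessControl.RegistryAccessRule(
        $Identity, $Rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

$acl.AddAccessRule((New-RegRule 'BUILTIN\Administrators' 'FullControl'))
$acl.AddAccessRule((New-RegRule 'NT AUTHORITY\SYSTEM'    'ReadKey'))
$acl.AddAccessRule((New-RegRule 'Everyone'               'ReadKey'))
# Optional support group from the note above; add service accounts the same way.
if ($SupportGroup) { $acl.AddAccessRule((New-RegRule $SupportGroup 'ReadKey')) }
Set-Acl -Path $KeyPath -AclObject $acl

# Check the result before the restart in Step 10.
(Get-Acl -Path $KeyPath).Access |
    Select-Object IdentityReference, RegistryRights, AccessControlType |
    Format-Table -AutoSize
```

Compare the printed ACEs with the access list you intend before restarting, since any service that reads the registry remotely must appear in it.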

Fix the network

The registry fix will take care of your internal, authorized needs, but you still need to protect the registry from external and Internet access. Registry exploits are still prevalent among Windows systems, and you should make sure your security strategy addresses these vulnerabilities.

Denying TCP/UDP ports 135, 137, 138, 139, and 445 at the perimeter router or firewall is the solution. Blocking these ports will not only stop remote registry access; it will also stop most remote attacks against Windows systems.

Shutting down access from the Internet to these ports will instantly boost the security of your Windows networks. However, before blocking these ports, make sure you don't have a business reason to allow external access to these ports.

While there's a Remote Registry service on machines that run Windows 2000, Windows XP, and Windows Server 2003 that you can disable, this isn't always a practical approach for an enterprise network.

Mike Mullins has served as a database administrator and assistant network administrator for the U.S. Secret Service. He is a Network Security Administrator for the Defense Information Systems Agency.
