By Mike Mullins
The registry is the heart of the Windows operating system, yet on the Windows versions covered here it is, by default, open and reachable across the network through the Remote Registry service.
A well-informed attacker can use that exposure to read configuration from your systems, or to alter file associations and permissions so that the system runs malicious code. To protect your network, deny remote access to the registry.
You can do this with a network access list change at the perimeter and a simple registry fix on the hosts. Depending on the size and complexity of your network, you might also consider denying remote registry access on each machine individually.
Fix the registry
For computers running Windows 2000, Windows XP, and Windows Server 2003, follow these steps:
Value: Registry Server
If you have a separate group for workstation and server support that isn't a member of your Administrators group, grant it the appropriate access permissions on this key as well.
Likewise, if the machine you're changing is a server, or otherwise provides remote services to authorized users, the service account for each such service must also have read permission on this key, or that service will lose its remote registry access.
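The steps above concern the ACL on the winreg key (HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg, whose Description value is the "Registry Server" string shown above; the path is stated here from Windows documentation, not from the original text). The following PowerShell is an added example, not code from the original article: it lists who currently holds remote registry access, grants a support group read access, and, where practical, disables the Remote Registry service. It assumes an elevated PowerShell session on Windows XP/2003 or later (PowerShell is not available on Windows 2000); the group name CONTOSO\Workstation-Support is a placeholder.

```powershell
# Added example, not from the original article. The ACL on this key decides who
# may open the registry over the network; it does not change the ACLs of the
# keys a remote user then reads. Run in an elevated session.
$WinregPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'

function Get-WinregAccess {
    # List every principal allowed or denied remote registry access.
    $acl = Get-Acl -Path $WinregPath
    foreach ($ace in $acl.Access) {
        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.RegistryRights
            Type      = $ace.AccessControlType
            Inherited = $ace.IsInherited
        }
    }
}

function Grant-WinregRead {
    # Give a support group or service account read-only access to the key,
    # which is all a remote reader needs in order to connect.
    param([Parameter(Mandatory)][string]$Account)
    $acl  = Get-Acl -Path $WinregPath
    $rule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule `
        -ArgumentList $Account, 'ReadKey', 'ContainerInherit', 'None', 'Allow'
    $acl.AddAccessRule($rule)
    Set-Acl -Path $WinregPath -AclObject $acl
}

function Disable-RemoteRegistryService {
    # Where no management tool depends on it, stopping the service closes the
    # door entirely, regardless of the key's ACL.
    Stop-Service -Name RemoteRegistry -Force -ErrorAction SilentlyContinue
    Set-Service  -Name RemoteRegistry -StartupType Disabled
}

# Audit first, then grant read access to the support group.
# 'CONTOSO\Workstation-Support' is a placeholder assumption for this example.
Get-WinregAccess | Format-Table -AutoSize
Grant-WinregRead -Account 'CONTOSO\Workstation-Support'
Get-WinregAccess | Format-Table -AutoSize
```

Run the audit before and after the change and keep the output: the "before" listing tells you which accounts were relying on the default ACL, and the "after" listing is your evidence that only Administrators, the support group and any required service accounts remain.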
Fix the network
The registry fix takes care of your internal, authorized needs, but you still need to shield the registry from external and Internet access. Remote attacks that abuse the registry remain common against Windows systems, and your security strategy should address them explicitly.
Deny TCP and UDP ports 135, 137, 138, 139, and 445 at the perimeter router or firewall. Remote registry requests travel over the winreg named pipe on SMB (TCP 139 and 445); port 135 is the RPC endpoint mapper, and UDP 137 and 138 carry NetBIOS name and datagram traffic. Blocking these ports not only stops remote registry access from outside; it also stops most other remote attacks against Windows systems, which rely on the same services.
Shutting off Internet access to these ports will immediately raise the security of your Windows networks. Before you block them, however, confirm that there is no business reason to allow external access to them, and remember that a perimeter block does nothing against an attacker who is already inside the network, which is why the registry permissions fix is still needed.
There is also a Remote Registry service on Windows 2000, Windows XP, and Windows Server 2003 that you can disable outright, but because remote administration and inventory tools depend on it, this isn't always a practical approach for an enterprise network.
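Once the perimeter block is in place, verify it from outside rather than trusting the rule set. The following PowerShell is an added example, not from the original article: run from a host outside the perimeter, it probes the TCP ports from the list above and reports which still answer. It assumes Windows 8 / Server 2012 or later for Test-NetConnection, and the hostname host.example.com is a placeholder; UDP 137 and 138 cannot be probed this way and must be checked in the firewall's own logs.

```powershell
# Added example, not from the original article. Probe a host from OUTSIDE the
# perimeter after blocking 135, 137-139 and 445. Only the TCP ports can be
# tested for a completed handshake; UDP 137/138 give no answer either way.
$RegistryPorts = 135, 139, 445   # TCP: RPC endpoint mapper, NetBIOS session, SMB

function Test-RegistryPorts {
    # Returns one record per port with Open = $true if the TCP handshake
    # completed, i.e. the perimeter is still letting the port through.
    param([Parameter(Mandatory)][string]$ComputerName)
    foreach ($port in $RegistryPorts) {
        $result = Test-NetConnection -ComputerName $ComputerName -Port $port `
            -WarningAction SilentlyContinue
        [pscustomobject]@{
            Target = $ComputerName
            Port   = $port
            Open   = $result.TcpTestSucceeded
        }
    }
}

# 'host.example.com' is a placeholder assumption; use your own public address.
$probe = Test-RegistryPorts -ComputerName 'host.example.com'
$probe | Format-Table -AutoSize

# Any port still open after the block is a finding to chase down.
$stillOpen = $probe | Where-Object { $_.Open }
if ($stillOpen) {
    Write-Warning ("Still reachable from outside: " + ($stillOpen.Port -join ', '))
}
```

Test from the same vantage point each time (a host on the Internet side of the router), since a probe from inside the network will succeed regardless of the perimeter rule and proves nothing about external exposure.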
Mike Mullins has served as a database administrator and assistant network administrator for the U.S. Secret Service. He is a Network Security Administrator for the Defense Information Systems Agency.