20.16 Ensure 'Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained'

Information

This policy setting ensures that default permissions for the HKEY_LOCAL_MACHINE registry hive are maintained.

The recommended STIG state for this setting is:

HKEY_LOCAL_MACHINE\SECURITY

- SYSTEM - Full Control - This key and subkeys
- Administrators - Special - This key and subkeys

HKEY_LOCAL_MACHINE\SOFTWARE

- Users - Read - This key and subkeys
- Administrators - Full Control - This key and subkeys
- SYSTEM - Full Control - This key and subkeys
- CREATOR OWNER - Full Control - This key and subkeys
- ALL APPLICATION PACKAGES - Read - This key and subkeys

HKEY_LOCAL_MACHINE\SYSTEM

- Administrators - Full Control - This key and subkeys
- SYSTEM - Full Control - This key and subkeys
- CREATOR OWNER - Full Control - Subkeys only
- ALL APPLICATION PACKAGES - Read - This key and subkeys

The registry is integral to the function, security, and stability of the Windows system. Changing the system's registry permissions allows the possibility of unauthorized and anonymous modification to the operating system.

Solution

Maintain the default permissions for the registry keys of the HKEY_LOCAL_MACHINE hive as noted below.

- Open Regedit.

- Right-click on the registry areas noted below and select Permissions, then the Advanced button.

- If the default settings are not present, change the permissions to the following:

HKEY_LOCAL_MACHINE\SECURITY

Type - 'Allow' for all

Inherited from - 'None' for all

Principal - Access - Applies to:

- SYSTEM - Full Control - This key and subkeys
- Administrators - Special - This key and subkeys

HKEY_LOCAL_MACHINE\SOFTWARE

Type - 'Allow' for all

Inherited from - 'None' for all

Principal - Access - Applies to:

- Users - Read - This key and subkeys
- Administrators - Full Control - This key and subkeys
- SYSTEM - Full Control - This key and subkeys
- CREATOR OWNER - Full Control - This key and subkeys
- ALL APPLICATION PACKAGES - Read - This key and subkeys

HKEY_LOCAL_MACHINE\SYSTEM

Type - 'Allow' for all

Inherited from - 'None' for all

Principal - Access - Applies to:

- Users - Read - This key and subkeys
- Administrators - Full Control - This key and subkeys
- SYSTEM - Full Control - This key and subkeys
- CREATOR OWNER - Full Control - Subkeys only
- ALL APPLICATION PACKAGES - Read - This key and subkeys

Note: In Windows Server 2019, Microsoft has granted Read permission on the SOFTWARE and SYSTEM registry keys to the following SID: S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681. This entry is in compliance with the recommendation.

Impact:

Non-privileged groups such as Users or Authenticated Users must not have greater than 'Read' permissions except where noted as defaults. Individual accounts must not be used to assign permissions.
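The manual Regedit check above can be scripted. The following PowerShell helper is an added example and is not part of the benchmark or of any Tenable plugin: it reads the DACL of HKLM\SOFTWARE and HKLM\SYSTEM with Get-Acl, allows only the principals the recommendation lists (the capability SID from the note above is treated as a permitted Read entry, and Users is included for SYSTEM as the Solution lists it), and reports Deny entries, inherited entries, unexpected principals, principals holding more than Read, and expected principals that are missing. HKLM\SECURITY is deliberately left out because Administrators hold only Special rights on it and Get-Acl fails with an access-denied error unless the session runs as SYSTEM. The well-known SIDs are standard Windows values; the function name is the author's own.

```powershell
# Added audit helper (example code, not the CIS/Tenable page's own). Run from an
# elevated PowerShell 5.1 or later session on the host being audited.

# Well-known SIDs for the principals named in the recommendation.
$Users        = 'S-1-5-32-545'   # BUILTIN\Users
$Admins       = 'S-1-5-32-544'   # BUILTIN\Administrators
$System       = 'S-1-5-18'       # NT AUTHORITY\SYSTEM
$CreatorOwner = 'S-1-3-0'        # CREATOR OWNER
$AllAppPkgs   = 'S-1-15-2-1'     # ALL APPLICATION PACKAGES
# Capability SID the note above says Microsoft granted Read on SOFTWARE and SYSTEM.
$Ws2019ReadSid = 'S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681'

# Highest access each principal may hold on each hive; anything broader is a finding.
$Expected = @{
    'HKLM:\SOFTWARE' = @{
        $Users = 'ReadKey'; $Admins = 'FullControl'; $System = 'FullControl'
        $CreatorOwner = 'FullControl'; $AllAppPkgs = 'ReadKey'; $Ws2019ReadSid = 'ReadKey'
    }
    'HKLM:\SYSTEM' = @{
        $Users = 'ReadKey'; $Admins = 'FullControl'; $System = 'FullControl'
        $CreatorOwner = 'FullControl'; $AllAppPkgs = 'ReadKey'; $Ws2019ReadSid = 'ReadKey'
    }
}

function Test-RegistryKeyAcl {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][hashtable]$Allowed
    )
    # KEY_READ plus GENERIC_READ; inherit-only ACEs often carry the generic bit instead.
    $readMask = 0x20019 -bor 0x80000000
    $acl      = Get-Acl -Path $Path
    $findings = New-Object System.Collections.Generic.List[string]
    $seen     = @{}

    foreach ($ace in $acl.Access) {
        # Compare on SIDs so untranslatable capability SIDs are handled like named accounts.
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        $seen[$sid] = $true
        $who = "$($ace.IdentityReference) ($sid)"
        # Normalise the access mask to an unsigned 32-bit value so generic bits compare cleanly.
        $mask = ([int64][int]$ace.RegistryRights) -band 0xFFFFFFFF

        if ($ace.AccessControlType -ne 'Allow') {
            $findings.Add("$Path : Deny entry present for $who; expected Type 'Allow' for all")
            continue
        }
        if ($ace.IsInherited) {
            $findings.Add("$Path : entry for $who is inherited; expected 'Inherited from: None'")
        }
        if (-not $Allowed.ContainsKey($sid)) {
            $findings.Add("$Path : unexpected principal $who holds $($ace.RegistryRights)")
            continue
        }
        if ($Allowed[$sid] -eq 'ReadKey' -and (($mask -band (-bnot $readMask)) -ne 0)) {
            $findings.Add("$Path : $who holds more than Read ($($ace.RegistryRights))")
        }
    }
    foreach ($sid in $Allowed.Keys) {
        if (-not $seen.ContainsKey($sid)) {
            $findings.Add("$Path : expected principal $sid has no entry")
        }
    }
    return $findings
}

# Usage: collect findings for both hives and print them, or a single compliant line.
$report = foreach ($key in $Expected.Keys) {
    Test-RegistryKeyAcl -Path $key -Allowed $Expected[$key]
}
if ($report) { $report } else { 'HKLM\SOFTWARE and HKLM\SYSTEM match the recommended principals.' }
```

The "Applies to" scope (this key and subkeys versus subkeys only) is not compared, because a single Regedit row can be stored as more than one ACE with different inheritance flags and generic access bits; the script flags every principal and right that is broader than the recommendation, and the reviewer confirms the inheritance scope in the Advanced dialog for any key that produces findings.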

See Also

https://workbench.cisecurity.org/benchmarks/18857

Item Details

Category: ACCESS CONTROL, CONFIGURATION MANAGEMENT

References: 800-53|AC-6(7)(b), 800-53|CM-6b.

Plugin: Windows

Control ID: 6f6a7503ff3bbb2097eda5907ba8186cf2177fc0ea83d46cec32a8e6e8365a32