Information
This policy setting ensures that default permissions for the HKEY_LOCAL_MACHINE registry hive are maintained.
The recommended STIG state for this setting is:
HKEY_LOCAL_MACHINE\SECURITY
SYSTEM - Full Control - This key and subkeys and Administrators - Special - This key and subkeys ;
HKEY_LOCAL_MACHINE\SOFTWARE
Users - Read - This key and subkeys Administrators - Full Control - This key and subkeys SYSTEM - Full Control - This key and subkeys CREATOR OWNER - Full Control - This key and subkeys and ALL APPLICATION PACKAGES - Read - This key and subkeys ;
HKEY_LOCAL_MACHINE\SYSTEM
Administrators - Full Control - This key and subkeys SYSTEM - Full Control - This key and subkeys CREATOR OWNER - Full Control - Subkeys only and ALL APPLICATION PACKAGES - Read - This key and subkeys
The registry is integral to the function, security, and stability of the Windows system. Changing the system's registry permissions allows the possibility of unauthorized and anonymous modification to the operating system.
Solution
Maintain the default permissions for the registry keys of the HKEY_LOCAL_MACHINE hive as noted below.
- Open
Regedit
- Right-click on the registry areas noted below
Select
Permissions
and the
Advanced
button.
HKEY_LOCAL_MACHINE\SECURITY
Type - 'Allow' for all
Inherited from - 'None' for all
Principal - Access - Applies to
SYSTEM - Full Control - This key and subkeys and Administrators - Special - This key and subkeys
HKEY_LOCAL_MACHINE\SOFTWARE
Type - 'Allow' for all
Inherited from - 'None' for all
Principal - Access - Applies to
Users - Read - This key and subkeys Administrators - Full Control - This key and subkeys SYSTEM - Full Control - This key and subkeys CREATOR OWNER - Full Control - This key and subkeys and ALL APPLICATION PACKAGES - Read - This key and subkeys
HKEY_LOCAL_MACHINE\SYSTEM
Type - 'Allow' for all
Inherited from - 'None' for all
Principal - Access - Applies to:
Users - Read - This key and subkeys
Administrators - Full Control - This key and subkeys SYSTEM - Full Control - This key and subkeys CREATOR OWNER - Full Control - Subkeys only and ALL APPLICATION PACKAGES - Read - This key and subkeys
Note: Microsoft has given Read permission to the
SOFTWARE
and
SYSTEM
registry keys in Windows Server 2019 to the following SID: S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681 this is in compliance with the recommendation.
Impact:
Non-privileged groups such as Users or Authenticated Users must not have greater than 'Read' permissions except where noted as defaults. Individual accounts must not be used to assign permissions.