IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Hardware & Software Remarks
____________________________________________________________________ .........................................
Care must be exercised here, as faulty settings in the registry might impair the
operability of the system, thus preventing it from starting up properly the next
time. Consequently, the settings mentioned here should first be used in a
separate test system and checked critically for proper functionality under real
conditions before being put into regular operation.
Network access to the registry
Access to the registry via the network should be disabled, unless this function
is absolutely necessary. This is allowed by version 4.0 or higher, by setting the
entry "winreg" in the key
\System\CurrentControlSet\Control\SecurePipeServers in the area
HKEY_LOCAL_MACHINE to the value REG_DWORD = 1.
Version 3.x does not allow an explicit blockage of the registry against network
access. In this case, it is helpful to withdraw the right of "All" to access the
root of the area HKEY_LOCAL_MACHINE (but not the underlying keys!), so
that only administrators have access to this area. This modification must, on
all accounts, be checked in a test system as it could paralyse certain
applications. It must be noted that such a change only remains effective until
the system is restarted.
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000