June 01, 1999 12:00 AM

Enhance Security Through Registry Permissions

Windows IT Pro
InstantDoc ID #5375

Applications' Registry Entries
You'll probably also want to restrict users' permissions on Registry keys that relate to the primary applications you run. Microsoft products' installations and upgrades usually add keys to the Registry. Many third-party products' installations also change the Registry. To protect your crucial applications, you need to limit permissions on these keys. For example, if you install IE 4.x, you'll find a new subkey named RunOnceEx in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion Registry key. You need to adjust permissions on the RunOnceEx subkey because NT automatically executes any programs in the RunOnceEx key's value and removes the programs from the key, which lets users execute rogue programs on the system. Limit the Everyone group's permissions on the RunOnceEx key to Query Value, Enumerate Subkeys, Notify, and Read Control.
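The four rights recommended above map to fixed bits in a Registry key's access mask. The following added example (not part of the original article) decodes a mask and lists anything Everyone holds beyond those four rights; the ACL entries are constructed sample data, and the bit values are the standard Win32 key access rights.

```python
# Registry key access-right bits (Win32 winnt.h), with the names the
# NT Registry Editor shows in its Special Access dialog.
RIGHTS = {
    0x00000001: "Query Value",
    0x00000002: "Set Value",
    0x00000004: "Create Subkey",
    0x00000008: "Enumerate Subkeys",
    0x00000010: "Notify",
    0x00000020: "Create Link",
    0x00010000: "Delete",
    0x00020000: "Read Control",
    0x00040000: "Write DAC",
    0x00080000: "Write Owner",
}

# Query Value | Enumerate Subkeys | Notify | Read Control = 0x20019 (KEY_READ)
RECOMMENDED = 0x00000001 | 0x00000008 | 0x00000010 | 0x00020000

def names(mask):
    """Translate an access mask into right names, flagging unmapped bits."""
    out = [name for bit, name in sorted(RIGHTS.items()) if mask & bit]
    unknown = mask & ~sum(RIGHTS)
    if unknown:
        out.append("unmapped bits 0x%08X" % unknown)
    return out

def audit(acl, trustee="Everyone", allowed=RECOMMENDED):
    """acl is a list of (trustee, ace_type, mask) tuples.
    Returns the rights that allow ACEs grant to trustee beyond `allowed`.
    Deny ACEs are ignored, so the result is an upper bound on access."""
    granted = 0
    for who, ace_type, mask in acl:
        if who.lower() == trustee.lower() and ace_type == "allow":
            granted |= mask
    return names(granted & ~allowed)

# Constructed sample ACLs for a RunOnceEx key (not read from a real system).
LOOSE_ACL = [("Administrators", "allow", 0x000F003F),
             ("SYSTEM", "allow", 0x000F003F),
             ("Everyone", "allow", 0x0003001F)]
TIGHT_ACL = [("Administrators", "allow", 0x000F003F),
             ("SYSTEM", "allow", 0x000F003F),
             ("Everyone", "allow", 0x00020019)]

if __name__ == "__main__":
    print("loose:", audit(LOOSE_ACL))
    print("tight:", audit(TIGHT_ACL))
```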

After you install software on your system (whether the software is from Microsoft or a third-party vendor), you need to inspect your Registry to see which keys the installation modified or created. You can use several tools to find these Registry changes. I like Regmon, which Mark Russinovich and Bryce Cogswell created. (You can download the tool from http://www.sysinternals.com/regmon.htm.) Regmon runs under NT or Windows 9x on Intel and Alpha platforms. The utility monitors all access to the Registry during a specified period and clearly reports which keys the system accessed. However, Regmon isn't always the best tool for tracking Registry changes during software installations, because it sometimes creates loads of log entries that you need to examine to figure out which Registry values changed.

Instead, you might prefer to use a tool such as Sysdiff, which comes in the Microsoft Windows NT Server 4.0 Resource Kit. You can use Sysdiff to make a preinstallation image of your Registry by dumping the Registry to a file before you install new software. After the new software's installation completes, you can use Sysdiff to make a postinstallation Registry image and compare the two images. Sysdiff will quickly reveal any differences between the pre- and postinstallation Registry images. You can then examine the installation's changes and consider the changes' implications for your network's security.
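The same before-and-after comparison can be illustrated without Sysdiff. This added example (not from the original article, and not Sysdiff's own format or code) assumes the two snapshots are REGEDIT4-style text exports; the sample exports and the ExampleVendor names are constructed.

```python
import re

# Value line of a REGEDIT4 export: "name"=data, or @=data for the default value.
VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def parse_reg(text):
    """Parse REGEDIT4-style export text into {key_path: {value_name: raw_data}}."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        if line.endswith(",\\"):          # long hex data continues on the next line
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := VALUE.match(line)):
            name = m.group(1)
            current[name if name == "@" else name[1:-1]] = m.group(2)
    return keys

def diff_snapshots(before, after):
    """Report keys added or removed and values whose data differs."""
    report = {"added_keys": [], "removed_keys": [], "changed_values": []}
    for key in sorted(set(before) | set(after)):
        if key not in before:
            report["added_keys"].append(key)
        elif key not in after:
            report["removed_keys"].append(key)
        old, new = before.get(key, {}), after.get(key, {})
        for name in sorted(set(old) | set(new)):
            if old.get(name) != new.get(name):
                report["changed_values"].append((key, name, old.get(name), new.get(name)))
    return report

# Constructed sample exports (not from a real system); ExampleVendor is hypothetical.
BEFORE = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"""
AFTER = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"ExampleAgent"="C:\\Program Files\\ExampleApp\\agent.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\ExampleApp]
"Settings"=hex:01,00,\
  02,00
"""
```

Calling `diff_snapshots(parse_reg(BEFORE), parse_reg(AFTER))` returns the added keys and changed values; each added key is a candidate for the permission review described in this section.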

If you don't have Sysdiff in your security toolkit, I urge you to add it as soon as possible. Sysdiff is well worth the cost and effort of purchasing and installing the resource kit. (For information about how to use Sysdiff, see the resource kit documentation and Help files.)

When you find that a software installation has changed some of your system's Registry keys, consider which users need which permissions on those keys. Many third-party applications require read and write access to keys that they install, so you can't simply limit everyone except administrators to Read access on all SOFTWARE subkeys. Configure permissions on keys that software installations create or modify to limit users and groups to the minimum level of access that they need.

Don't Save RAS Passwords!
Finally, I would like to share one Registry value that you might not know about but that can be very important to your network's security. NT's Dial-Up Networking (DUN) service presents dialog boxes in which users enter usernames and passwords to connect to a network via RAS. These dialog boxes often include a check box labeled Save This Password or Remember This Password. Telling NT to remember your DUN passwords is quite handy, because the practice saves you from remembering the passwords. But having NT save DUN passwords poses a risk to your network. The problem with this functionality is that NT must store the passwords in a location that allows easy retrieval, and if NT can easily retrieve passwords, so can an intruder. Consider the implications for your network if someone steals a notebook computer that stores a user's NT DUN passwords. The thief can easily access your network. Ouch!

Disabling NT's ability to store DUN passwords is usually the best way to protect yourself from this danger. On your NT DUN client, drill down to the Parameters key, and add a REG_DWORD entry entitled DisableSavePassword. The existence of this value prevents the Save This Password check box from appearing in DUN dialog boxes.

Ongoing Security
I hope this article has made you aware that you can strengthen NT by adjusting aspects of the system's Registry. Microsoft adds and removes Registry adjustments with each new OS and application revision. If you don't remember anything else from this article, at least remember to examine your Registry before and after adding, upgrading, or removing software on a particular system and adjust security accordingly.


Windows is a trademark of the Microsoft group of companies. Windows IT Pro is used by Penton Media Inc. under license from owner.