Windows NT Registry

This indicates that the scanner is able to open the registry remotely. If the user running the scanner is supposed to have network access to the scanned host, this does not indicate a problem. If the scanner is run by a user who should not have access, check the host to determine whether the guest account is enabled, or whether the "Access this computer from the network" user right is assigned appropriately.

Once the registry has been opened, the access control lists for HKEY_LOCAL_MACHINE and HKEY_CLASSES_ROOT are checked for appropriate permissions. Windows NT 3.51 and earlier shipped with HKEY_CLASSES_ROOT set as writeable to everyone. This allows any user with access to the computer to alter the file associations (for example, *.txt = notepad.exe), which could potentially lead to the installation of a trojan application. If the guest account has been allowed write access to the registry, this indicates either a very serious misconfiguration or that the computer has been breached by an intruder.

Risk: Low to high

OS Vulnerable: Windows NT

Fix: Review registry permissions. Under NT 4.0, registry access from the network can be denied completely.
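
One way to carry out the permission review described above, run locally on the host being checked. This is an added example, not the scanner's own code; the function name Get-RiskyRegistryAce is hypothetical, and it assumes a Windows host with PowerShell, which postdates the NT releases named on this page.

```powershell
# Added example: list "Allow" ACEs on the root of HKEY_LOCAL_MACHINE and
# HKEY_CLASSES_ROOT that give Everyone or a guest principal write-type access.
# Well-known SIDs are used instead of names so the check is locale-independent.
$everyone = 'S-1-1-0'              # Everyone
$guests   = 'S-1-5-32-546'         # BUILTIN\Guests
$guestRid = '^S-1-5-21-.+-501$'    # local or domain Guest account (RID 501)

# Rights that allow changing keys, values, or the key's own security.
$specific  = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, CreateLink, Delete, ChangePermissions, TakeOwnership'
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) can appear
# unmapped in inherit-only ACEs, so they are included in the mask as well.
$writeMask = ([int]$specific) -bor 0x50000000

function Get-RiskyRegistryAce {
    param([string[]]$Hive = @('HKEY_LOCAL_MACHINE', 'HKEY_CLASSES_ROOT'))

    foreach ($h in $Hive) {
        $acl   = Get-Acl -Path "Registry::$h"
        # Ask for explicit and inherited rules, with identities returned as SIDs.
        $rules = $acl.GetAccessRules($true, $true,
                     [System.Security.Principal.SecurityIdentifier])

        foreach ($r in $rules) {
            $sid      = $r.IdentityReference.Value
            $isTarget = ($sid -eq $everyone) -or ($sid -eq $guests) -or
                        ($sid -match $guestRid)
            $canWrite = (([int]$r.RegistryRights) -band $writeMask) -ne 0

            if ($r.AccessControlType -eq 'Allow' -and $isTarget -and $canWrite) {
                [pscustomobject]@{
                    Hive      = $h
                    Sid       = $sid
                    Rights    = $r.RegistryRights
                    Inherited = $r.IsInherited
                }
            }
        }
    }
}

# No output means no matching ACE was found on either root key.
Get-RiskyRegistryAce | Format-Table -AutoSize
```

The check covers only the ACL on each root key, as in the description above; subkeys with their own explicit ACLs need to be reviewed separately.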