Verify Permissions on Group Policy Registry Keys

Objective

  • Changes to the permissions on group policy registry keys could block security settings from being applied.
  • Audit these registry keys (and subkeys).

Group Policy Registry Paths

  • HKLM\SOFTWARE\Policies
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies
  • HKCU\SOFTWARE\Policies
  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies

Manual audit with PowerShell

Get-Acl -Path HKLM:\SOFTWARE\Policies | Format-List

Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies
Owner : NT AUTHORITY\SYSTEM
Group : NT AUTHORITY\SYSTEM
Access : NT AUTHORITY\Authenticated Users Allow -2147483648
 NT AUTHORITY\Authenticated Users Allow ReadKey
 NT AUTHORITY\SYSTEM Allow FullControl
 NT AUTHORITY\SYSTEM Allow 268435456
 BUILTIN\Administrators Allow FullControl
 BUILTIN\Administrators Allow 268435456
 APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadKey
 APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow -2147483648
Audit :
Sddl : O:SYG:SYD:P(A;OICIIO;GR;;;AU)(A;;KR;;;AU)(A;;KA;;;SY)(A;OICIIO;GA;;;SY)(A;;KA;;;BA)(A;OICIIO;GA;;;BA)(A;;KR;;;AC)(A;OICIIO;GR;;;AC)
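The manual Get-Acl check above covers one key; the following script is an added example (not code from the original page) that walks all four Group Policy keys and reports any Allow ACE granting write, delete or permission-change rights to a principal outside the SYSTEM / Administrators / CREATOR OWNER baseline used by the Nessus ACLs on this page. It assumes an elevated PowerShell session, and the function name Test-PolicyKeyAcl is an invented one.

```powershell
# Added example (not from the original page): enumerate the four Group Policy
# registry keys and flag any ACE that grants write rights to a principal outside
# the SYSTEM / Administrators / CREATOR OWNER baseline used by the Nessus ACLs.
# Assumes an elevated session so the HKLM ACLs can be read.

$policyKeys = @(
    'HKLM:\SOFTWARE\Policies',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies',
    'HKCU:\SOFTWARE\Policies',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies'
)

# Principals allowed to hold write or full-control rights on these keys.
$trustedWriters = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER')

# Rights that let a principal change policy values, subkeys, or the ACL itself.
$writeRights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
               [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
               [System.Security.AccessControl.RegistryRights]::Delete -bor
               [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
               [System.Security.AccessControl.RegistryRights]::TakeOwnership
# Inherit-only ACEs show generic rights as raw numbers: GENERIC_ALL (0x10000000)
# and GENERIC_WRITE (0x40000000) both imply write access.
$genericWrite = 0x10000000 -bor 0x40000000

function Test-PolicyKeyAcl {
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) {
        # A missing key is acceptable only where the auditfile sets CAN_BE_NULL.
        Write-Warning "$Path does not exist"
        return
    }
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        $raw = [int]$ace.RegistryRights   # negative when GENERIC_* bits are set
        $grantsWrite = (($raw -band [int]$writeRights) -ne 0) -or
                       (($raw -band $genericWrite) -ne 0)
        if ($ace.AccessControlType -eq 'Allow' -and $grantsWrite -and
            $trustedWriters -notcontains $ace.IdentityReference.Value) {
            [pscustomobject]@{
                Key       = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$policyKeys | ForEach-Object { Test-PolicyKeyAcl -Path $_ } | Format-Table -AutoSize
```

In the Get-Acl output above, -2147483648 and 268435456 are the generic rights GENERIC_READ (0x80000000) and GENERIC_ALL (0x10000000) on the inherit-only ACEs, matching the GR and GA entries in the SDDL; an empty table from the script means every write-capable ACE on the four keys belongs to the baseline principals.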

Audit with Nessus auditfile

<check_type: "Windows" version:"2">
<group_policy: "MS Windows Server">
 
 
<registry_acl: "ACL_CU">
<user: "Administrators">
acl_inheritance: "inherited"
acl_apply: "This key and subkeys"
acl_allow: "Full Control"
</user>
 
<user: "SYSTEM">
acl_inheritance: "inherited"
acl_apply: "This key and subkeys"
acl_allow: "Full Control"
</user>
 
<user: "Creator Owner">
acl_inheritance: "inherited"
acl_apply: "subkeys only"
acl_allow: "Full Control"
</user>
 
<user: "all application packages">
acl_inheritance: "inherited"
acl_apply: "This key and subkeys"
acl_allow: "Read"
</user>
 
<user: "users">
acl_inheritance: "inherited"
acl_apply: "This key and subkeys"
acl_allow: "Read"
</user>
</acl>
 
<registry_acl: "ACL_LM">
<user: "Administrators">
acl_inheritance: "not inherited"
acl_apply: "This key and subkeys"
acl_allow: "Full Control"
</user>
 
<user: "SYSTEM">
acl_inheritance: "not inherited"
acl_apply: "This key and subkeys"
acl_allow: "Full Control"
</user>
 
<user: "all application packages">
acl_inheritance: "not inherited"
acl_apply: "This key and subkeys"
acl_allow: "Read"
</user>
 
<user: "authenticated users">
acl_inheritance: "not inherited"
acl_apply: "This key and subkeys"
acl_allow: "Read"
</user>
</acl>
 
<custom_item>
type: REGISTRY_PERMISSIONS
description: "Permissions for HKLM\SOFTWARE\Policies"
value_type: REG_ACL
value_data: "ACL_LM"
reg_key: "HKLM\SOFTWARE\Policies"
</custom_item>
 
<custom_item>
type: REGISTRY_PERMISSIONS
description: "Permissions for HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies"
value_type: REG_ACL
value_data: "ACL_LM"
reg_key: "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies"
acl_option: CAN_BE_NULL
</custom_item>
 
<custom_item>
type: REGISTRY_PERMISSIONS
description: "Permissions for HKCU\SOFTWARE\Policies"
value_type: REG_ACL
value_data: "ACL_CU"
reg_key: "HKCU\SOFTWARE\Policies"
</custom_item>
 
<custom_item>
type: REGISTRY_PERMISSIONS
description: "Permissions for HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies"
value_type: REG_ACL
value_data: "ACL_CU"
reg_key: "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies"
acl_option: CAN_BE_NULL
</custom_item>
 
</group_policy>
</check_type>