The Friendly Alternative
to Registry Editing:
Introducing Local Security Policy Editor
by David M. Piscitello, President, Core Competence, Inc.
Windows Operating Systems are often installed with default settings
that maximize ease of use and "plug and play" operation. Unfortunately,
these settings often conflict with business security needs -- and common
Other than power users and system administrators, few folks bother to
learn and perform customizing and hardening Windows 2000/XP desk and
laptop ("client") computers. This is unfortunate, because some basic
customizations to client computers are not only helpful, but also highly
recommended. Changing certain Windows OS default settings, for example,
eliminates some commonly exploited vulnerabilities. Other changes help you
publish acceptable use policies and legal notices governing employee
computer use. Still other changes can help you optimize network
performance for broadband or dial-up access, or adjust the look-and-feel
of your desktop.
Oh, The Good (Security) Deeds You Can Do
Let's consider all the things you can do with Windows settings that
improve client computer security.
You can improve Windows Logon and Authentication in several ways. For
instance, you can add a legal notice dialog box before logon to let users
know what you consider acceptable use and abuse. (Attorneys say that such
measures are necessary if you want to prosecute anyone for misuse.) You
can force users to log on to Windows, control logon passwords by setting a
minimum length, disable password caching, limit the lifetime of passwords,
and prevent the username of the last successful logon from being displayed
You can take several measures to protect client computers from network
attacks, including certain Denial of Service attacks, attacks against
Windows file sharing, and network access to certain critical Windows
information. While these countermeasures are typically enforced at your
office by your firewall, teleworkers and mobile employees who don't have
(or forget to run) personal firewall software will benefit from modifying
Additional measures can be taken to remove traces of user activity. You
can have all Temporary Internet Files and the IE browser History removed
when a user logs off, and you can even have a special file that supports
virtual memory (the swap or Page File)
removed at System Shutdown. Why remove it? Some sensitive information may
be installed in clear text in this file, so it could represent a risk on
mobile worker computers that are lost or stolen. If it's removed, though,
you eliminate potentially useful computer forensic information, so think
this setting through carefully and discuss it with your legal
If you provide public access computers, you can prevent access to
removable media (removable, floppy, and CDROM drives), and restrict access
to critical operating system libraries.
Modifying these and literally hundreds more default Registry settings
are seemingly Good Deeds. Customization and hardening of Windows OSs,
however, can be tricky business.
No Good Deed Goes Unpunished?
To understand why so few folks modify default Windows settings, let's
consider some Windows administration basics. When you add or remove
hardware and software on your computer, installer programs modify a
database of information that Windows OSs require to operate your computer:
the Registry. When you change settings using Control Panels, change
the properties of your display, or add printers and network cards, you are
actually changing the Registry. In fact, most everything about your
computer, peripherals, programs, network access, desktop appearance, and
security preferences is stored in the Registry.
Most users first encounter the Registry when they see an error message
or "Blue Screen" that indicates something in the Registry is broken, or
corrupted. The first lesson most users learn about the Registry is that
presumably competent application and hardware developers can break the
Registry by editing it improperly. The common warning about Registry
editing is that you can corrupt this critical database so badly
that you'll have to reinstall your operating system, hardware drivers, and
applications, and you may lose valuable data files as well. So it's no
surprise that users are intimidated by the notion of editing the
But if you choose to edit the Registry, there are some simple measures
you can take that can protect you from self-inflicted wounds, mistakes,
and random acts of stupidity.
If you know nothing about the Registry, read a tutorial
or eBook before you whack at
it. A good rule of thumb when editing the Registry is, "back it up, you
may need it." Should you damage it badly, you can restore
the Registry (see also, using the Last Known Good Configuration
option in Windows 2000
A second rule of thumb: use one of the many advanced registry editors you
can find for free or cheap on the Web (just Google "Registry Editors").
Choose one that automates the backup process and provides safe editing
measures (multi-level Undo, search&replace, etc.).
If you reach the point where you're comfortable editing the Registry,
visit The WinGuides
Network Registry Guide Pages; here you can learn what Registry keys
you must change to adjust the security settings I described earlier, and
Avoiding Punishment Entirely
For many security settings, you can avoid direct
Registry editing. Locate the folder Administrative Tools on your
computer, then choose Local Security Policy (or simply RUN secpol.msc from your START Menu). This
utility provides a much friendlier user interface for modifying security
policy. Most of the policy settings I mentioned above can be found in the
Account Policies directory and Security Options
sub-directory of Local Policies. While I would not call secpol.msc
intuitive, it's far simpler to use than a Registry editor.
Let's try an example. Windows Anonymous Login (also known as "null
session") is Number 5 on the SANS Top 20 Vulnerability
List. The recommended procedure for protecting against Anonymous Login is
to change the value of the Registry Key
to one (1) for NT, and two (2) for Windows 2000 and XP.
A much simpler and safer way to change this is to set the Local
Security Policy Setting Additional Restrictions for Anonymous
Connections to "No Access Without Explicit Anonymous Permissions."
Want to add a Legal Notice for users attempting to log on? Rather than
composing your "Get Lost if You Don't Belong Here" message in Notepad and
pasting it into
you can modify Message Text for users attempting to log on.
You're on a roll! While you have the policy editor open, change Do not
display last user name in logon screen from Disabled (default) to
Enabled, adjust the amount of idle time required before disconnecting user
sessions, rename your Administrator and Guest accounts to something other
than the defaults.
If you spend a small amount of time browsing Local Security Settings,
you'll find all sorts of useful ways to tweak client computer security
policy. If you aren't entirely certain what a particular setting does,
Googling the exact setting name almost always returns a page from
Microsoft's Developer Network (MSDN) or TechNet Libraries that describes
the Security Setting, and additional hyperlinks often provide helpful
information about exploits related to the setting.
Raise the Bar
Many small businesses don't have the staff or budget to
create standard desktop installations, then push these to every PC in the
organization. Too often, client computers in small-to-medium businesses
are left less secure than they should be. A small amount of knowledge
about Local Security Policy and how to configure it can help raise the
security baseline in your company, and at home. It doesn't cost one cent
in hard cash, and it's not all that painful a process to use the tools
Microsoft built into your software. Read, think, then apply -- you'll be
glad you did. ##
Copyright© 2003, WatchGuard Technologies, Inc. All rights
reserved. WatchGuard, LiveSecurity, Firebox and ServerLock are trademarks
or registered trademarks of WatchGuard Technologies, Inc. in the United
States and other countries.