Jump to content

HIPS to Block Registry Key


Recommended Posts

Hello,

We are using ERA 6.7 and Endpoint security Client for our windows pc users.

We have created a rule in HIPS to block users from deleting , modifying or  changing the value of a particular key, which works fine.

The Key is : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\HideFastuserSwitching

 

However, when we are trying to achieve similar result for another key, its not working, .i.e. user is able to delete or modify the key !

The Key is : HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun

The Key is : HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer

 

The reason for blocking the keys are, we want to restrict users from performing :

1. Disable Fast User Switching ( working fine with disabling in registry and HIPS rule monitoring to deny any change)

2. Disable Win + R  i.e. show RUN for the user/system (working fine with disabling in registry BUT HIPS rule doesn't work)

3. Disable Right Click Properties option (working fine with disabling in registry BUT HIPS rule doesn't work)

 

Do let us know if we are doing something wrong and help us in resolving the issue. 

 

Thanks,

Tariq

Link to comment
Share on other sites

  • Administrators

Instead of HKEY_CURRENT_USER, use HKEY_USERS\%SID%. I reckon that * should work as a wildcard for any SID.

Link to comment
Share on other sites

Hi Marcos,

Thanks, appreciate your prompt reply !

I tired HKCU\*\ rest of the key but it didn't help, after troubleshooting I realized that i could use the HKLM instead of HKCU for the key which i wanted to block ( blocking for entire system), hence problem solved as its already working with HIPS.

However , if i need to use the HKCU, is it possible for you to send me the correct syntax, as HKCU\*\ didnt work for me.

 

Thanks

Tariq

Link to comment
Share on other sites

15 hours ago, Tariq Shaikh said:

However , if i need to use the HKCU, is it possible for you to send me the correct syntax, as HKCU\*\ didnt work for me.

Using this reg. key for reference: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun when you code HKCU\*\ , what it means all keys under the registry branch  HKEY_CURRENT_USER\ \ only.

Try this instead: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\* . This will protect all sub-keys referenced under Explorer .

Link to comment
Share on other sites

  • Administrators

I advised you to use HKEY_USERS\*\ where "*" represents any SID, ie. any user. Note that I'm talking about HKU, not about HKCU.

Link to comment
Share on other sites

Thanks Marcos and itman, 

our mgmt. decided to go with system wide blocking and not user wide, hence I used the HKLM key. I would soon test for myself on the HKCU as suggested by both of you.

Many Thanks

Cheers !

 

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...