Title

Standard user accounts must only have Read permissions to the Active Setup\Installed Components registry key. (Cat I impact)

Discussion

Permissions on the Active Setup\Installed Components registry key must only allow privileged accounts to add or change registry values. If standard user accounts have these permissions, there is a potential for programs to run with elevated privileges when a privileged user logs on to the system.

Check Content

Run "Regedit". Navigate to the following registry keys and review the permissions: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\ HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\ (64-bit systems) If the default permissions listed below have been changed, this is a finding. Users - Read Administrators - Full Control SYSTEM - Full Control CREATOR OWNER - Full Control (Subkeys only) ALL APPLICATION PACKAGES - Read

Fix Text

Maintain the default permissions of the following registry keys: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\ HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\ (64-bit systems only) Users - Read Administrators - Full Control SYSTEM - Full Control CREATOR OWNER - Full Control (Subkeys only) ALL APPLICATION PACKAGES - Read

Additional Identifiers

Rule ID: SV-226269r877392_rule

Vulnerability ID: V-226269

Group Title: SRG-OS-000324-GPOS-00125

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.