Defense+: Security Policy based on a Registry Group doesn't work (v3.0.8.214) [CONFIRMED]

Hi,

I’m running CFP 3.0.8.214 in Win XP x64 with SP2. I observed an unusual Defense+ behavior with respect to registry groups, and I’m not sure if this is a bug.

My Scenario

I created a registry group called “Network Related Keys”, containing the following keys and all their subkeys (left out for the sake of brevity):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters*
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\root*
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates*

I created a predefined security policy called “Shell Application With Web Access”. It contains the same access rights as the predefined Shell Application, and additionally the group “Network Related Keys” under Protected Registry Keys > Allowed Registry Keys. The default action is Ask just as in Shell Application.

I created a computer security policy for the application Internet Explorer, using the predefined security policy “Shell Application With Web Access”.

Observed Behavior
When I start Internet Explorer and visit an SSL-enabled page (so that certificates are read from registry), CFP asks for each registry key, although the keys are allowed.

When I add the registry keys directly under Protected Registry Keys > Allowed Registry Keys, i.e. circumventing the registry group “Network Related Keys”, CFP does not ask for the keys.

I consider this a bug, but please tell me if I lost sight of something.

Hi there,

Congratulations. You have identified a very good bug. It should have worked just as you expected.

Thank you for the feedback,
Egemen