Greetings,
This has been on my mind for a while, but I have finally decided to make a post about it. Currently I am running CIS7 on Win7Pro, but the same thing applies to older versions of CIS I used to run. My HIPS is currently configured to safe mode, cloud lookup is disabled, and I have cleaned the trusted vendors list down to Microsoft and Comodo. Paranoid HIPS mode gives me way too many alerts, so I'm staying in safe mode for the time being.
The thing is that every once in a while I come across an application that will trigger up to a hundred HIPS alerts regarding access to certain registry keys that belong to system certificates. Normally I wouldn't mind allowing them once or twice, but these alerts have become so common that I'm beginning to lose my patience. It's a daunting task to have to allow those 100 alerts each time, even when choosing to remember them. This mostly happens with applications that in some way or another attempt to communicate over the internet using SSL.
Now I've managed to build up a list of these registry entries that I am posting here. This list is in no way guaranteed to be a full/proper list, so technically it should be possible to reduce the number of entries by using wildcards. Some of the entries may be duplicates, and it is possible that certain keys are missing. This list was generated from a number of applications that requested access to the keys, but I noticed that some of them were missing, i.e., by using REGEDIT I scanned the registry folders and found some keys not present in the list. I added these to the list, and they appear like "TrustedPublishers" without any preceding "HKLM\Software…" text.
Here is the list:
AuthRoot
HKUS\*\Software\Microsoft\SystemCertificates\CA
HKUS\*\Software\Microsoft\SystemCertificates\CA\Certificates
HKUS\*\Software\Microsoft\SystemCertificates\CA\CRLs
HKUS\*\Software\Microsoft\SystemCertificates\CA\CTLs
HKUS\*\Software\Microsoft\SystemCertificates\Disallowed
HKUS\*\Software\Microsoft\SystemCertificates\Disallowed\Certificates
HKUS\*\Software\Microsoft\SystemCertificates\Disallowed\CRLs
HKUS\*\Software\Microsoft\SystemCertificates\Disallowed\CTLs
HKUS\*\Software\Microsoft\SystemCertificates\My
HKUS\*\Software\Microsoft\SystemCertificates\Root
HKUS\*\Software\Microsoft\SystemCertificates\Root\Certificates
HKUS\*\Software\Microsoft\SystemCertificates\Root\CRLs
HKUS\*\Software\Microsoft\SystemCertificates\Root\CTLs
HKUS\*\Software\Microsoft\SystemCertificates\SmartCardRoot
HKUS\*\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates
HKUS\*\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs
HKUS\*\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs
HKUS\*\Software\Microsoft\SystemCertificates\trust
HKUS\*\Software\Microsoft\SystemCertificates\trust\Certificates
HKUS\*\Software\Microsoft\SystemCertificates\trust\CRLs
HKUS\*\Software\Microsoft\SystemCertificates\trust\CTLs
HKUS\*\Software\Microsoft\SystemCertificates\TrustedPeople
HKUS\*\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates
HKUS\*\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs
HKUS\*\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs
TrustedPublisher
HKUS\*\Software\Policies\Microsoft
HKUS\*\Software\Policies\Microsoft\SystemCertificates
HKUS\*\Software\Policies\Microsoft\SystemCertificates\CA
HKUS\*\Software\Policies\Microsoft\SystemCertificates\CA\Certificates
HKUS\*\Software\Policies\Microsoft\SystemCertificates\CA\CRLs
HKUS\*\Software\Policies\Microsoft\SystemCertificates\CA\CTLs
HKUS\*\Software\Policies\Microsoft\SystemCertificates\Disallowed
HKUS\*\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
HKUS\*\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
HKUS\*\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
HKUS\*\Software\Policies\Microsoft\SystemCertificates\trust
HKUS\*\Software\Policies\Microsoft\SystemCertificates\trust\Certificates
HKUS\*\Software\Policies\Microsoft\SystemCertificates\trust\CRLs
HKUS\*\Software\Policies\Microsoft\SystemCertificates\trust\CTLs
HKUS\*\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
HKUS\*\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
HKUS\*\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
HKUS\*\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
TrustedPublisher
HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates
HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\CRLs
HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\CTLs
HKLM\SOFTWARE\Microsoft\SystemCertificates\CA
HKLM\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates
HKLM\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs
HKLM\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs
HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
Homegroup Machine Certificates
My
HKLM\SOFTWARE\Microsoft\SystemCertificates\Root
HKLM\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates
HKLM\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs
HKLM\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs
HKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot
HKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates
HKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs
HKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs
HKLM\SOFTWARE\Microsoft\SystemCertificates\trust
HKLM\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates
HKLM\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs
HKLM\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs
TrustedDevices
HKLM\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople
HKLM\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates
HKLM\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs
HKLM\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs
TrustedPublisher
HKLM\SOFTWARE\Policies\Microsoft <= ???
HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates
HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA
HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates
HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs
HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs
HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root
HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates
HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\CRLs
HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\CTLs
HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\trust
HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates
HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs
HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs
HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople
HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
TrustedPublisher
\REGISTRY\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
\REGISTRY\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA
\REGISTRY\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed
Homegroup Machine Certificates
My
\REGISTRY\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Root
\REGISTRY\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot
\REGISTRY\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\trust
TrustedDevices
\REGISTRY\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople
TrustedPublisher
\REGISTRY\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\CA
\REGISTRY\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
\REGISTRY\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root
\REGISTRY\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust
\REGISTRY\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople
TrustedPublisher
\REGISTRY\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\SystemCertificates\AuthRoot
\REGISTRY\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\SystemCertificates\CA
\REGISTRY\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\SystemCertificates\Disallowed
Homegroup Machine Certificate
My
\REGISTRY\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\SystemCertificates\Root
\REGISTRY\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\SystemCertificates\SmartCardRoot
\REGISTRY\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\SystemCertificates\trust
TrustedDevices
\REGISTRY\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\SystemCertificates\TrustedPeople
TrustedPublisher
\REGISTRY\REGISTRY\MACHINE\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\CA
\REGISTRY\REGISTRY\MACHINE\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\Disallowed
\REGISTRY\REGISTRY\MACHINE\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\Root
\REGISTRY\REGISTRY\MACHINE\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\trust
\REGISTRY\REGISTRY\MACHINE\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\TrustedPeople
TrustedPublisher
My questions are the following:
I would like to properly handle the access to these keys, so I was thinking about adding a new group under the HIPS protected registry keys window in CIS advanced settings. And each time an app requests access I can simply add the group.
Is this the correct way of handling access to these keys? Considering that applications will often want access to only a portion of these keys, but rarely all of them, is it safe to allow apps to have access to all of them? There are some keys present in the registry that never triggered any alerts; is it safe to allow access to these? Do you have any suggestions for how this list could be reduced, i.e., by using wildcards/asterisks?
EDIT: I came up with this:
*\Software\Microsoft\SystemCertificates\*
*\Software\Policies\Microsoft\SystemCertificates\*
*\Software\Wow6432Node\Microsoft\SystemCertificates\*
*\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\*
Wishlist:
Finally, I am building a CIS wishlist v3, and this topic covers a few entries I’d like to share. I’ll be posting these in the wishlist forum someday, but I’ve decided to share them in advance for possible input and ideas.
A) First of all, I miss an option to manually edit the path in the alert window. The alert popup will only allow you to allow/deny access to a certain object, but there is no way to edit that object in the alert window; you have to go to the advanced settings and edit it there. Personally I find this rather annoying, so for convenience I'd like the alert window to offer a feature where the entry can be edited manually. Maybe a button that brings up an edit textbox.
Example:
A HIPS alert pops up for reg key: "HKUS\S-X-X-XX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-1000\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates"
I can use the alert popup to edit the string to: "HKUS\*\Software\Microsoft\SystemCertificates\*"
This does not necessarily apply only to registry keys, i.e., protected file access alerts could use the same feature.
B) The other thing I miss is an option to distinguish between access types. There are applications that only want read access to registry keys, and there are applications that want to modify the reg keys; there should be separate alerts for the two access types. E.g., I'd like to allow any app to read the certs, but only a few trusted ones to modify them.
C) Comodo, please consider creating a new Defense+ => HIPS => “Protected Objects” group for “Registry Keys” and call it “Certificates”. Put the above reg keys inside that group, and bundle it so that any CIS installation in the future will have this group present.
Best regards!
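An added example, not part of the post above and not Comodo's code: a PowerShell script that enumerates the certificate-store registry locations listed in the post (machine hive, every loaded user hive, the Policies keys and the Wow6432Node views) and checks each key against the four wildcard rules from the EDIT. It also flags the stores where a write changes what Windows trusts (Root, AuthRoot, TrustedPublisher, TrustedPeople, Disallowed, SmartCardRoot), which is the read-versus-write distinction wishlist item B asks for. The script assumes CIS interprets `*` the way PowerShell's `-like` operator does, i.e. matching any run of characters including backslashes; that is an assumption about CIS, not something the post confirms, so check it against the rule editor in your version.

```powershell
# Added example (not from the original post, not CIS code): which certificate-store
# keys on this machine do the four proposed wildcard rules cover, and which of them
# are trust-anchor stores where write access should stay restricted?
# ASSUMPTION: CIS treats '*' like PowerShell's -like operator (also matching '\').

$patterns = @(
    '*\Software\Microsoft\SystemCertificates\*',
    '*\Software\Policies\Microsoft\SystemCertificates\*',
    '*\Software\Wow6432Node\Microsoft\SystemCertificates\*',
    '*\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\*'
)

# Stores where a write adds or removes a trust anchor (root CA, code-signing
# publisher, explicit distrust). A TLS client only needs to read these; an
# installer that injects its own CA certificate needs to write them.
$trustAnchorStores = 'Root', 'AuthRoot', 'TrustedPublisher', 'TrustedPeople',
                     'Disallowed', 'SmartCardRoot'

# Registry locations the post's list is built from, relative to each hive.
$suffixes = 'Software\Microsoft\SystemCertificates',
            'Software\Policies\Microsoft\SystemCertificates',
            'Software\Wow6432Node\Microsoft\SystemCertificates',
            'Software\Wow6432Node\Policies\Microsoft\SystemCertificates'

# Machine hive plus every loaded user hive (what CIS writes as HKUS\*).
$userHives = Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
             ForEach-Object Name
$hives = @('HKEY_LOCAL_MACHINE') + @($userHives)

# Collect the store root keys and every key beneath them, by full registry name.
$keys = foreach ($h in $hives) {
    foreach ($s in $suffixes) {
        $root = "Registry::$h\$s"
        if (Test-Path -LiteralPath $root) {
            (Get-Item -LiteralPath $root).Name
            Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue |
                ForEach-Object Name
        }
    }
}

$report = foreach ($k in ($keys | Sort-Object -Unique)) {
    # Covered if at least one of the four rules matches the full key name.
    $covered = [bool]($patterns | Where-Object { $k -like $_ })
    # The first path segment after "SystemCertificates\" is the store name
    # ("Root", "CA", ...); the parent key itself has none.
    $rest  = ($k -split '\\SystemCertificates\\?', 2)[1]
    $store = ($rest -split '\\')[0]
    [pscustomobject]@{
        Key           = $k
        CoveredByRule = $covered
        TrustAnchor   = [bool]($store -and ($trustAnchorStores -contains $store))
    }
}

$report | Format-Table -AutoSize

$uncovered = @($report | Where-Object { -not $_.CoveredByRule })
$anchors   = @($report | Where-Object TrustAnchor)
"{0} keys enumerated, {1} not matched by any rule, {2} are trust-anchor stores" -f `
    $report.Count, $uncovered.Count, $anchors.Count
```

Two things the output shows that the bare list does not. First, each rule ends in `\*`, so it matches the children of a SystemCertificates key but not the key itself; the parent keys (the "HKUS\*\Software\Policies\Microsoft\SystemCertificates" and "HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates" lines in the post) come out as not covered, so a rule that should silence those alerts too needs a second pattern without the trailing `\*`. Second, the TrustAnchor column marks the keys where a blanket allow rule would let any application write a new root CA or trusted publisher; since CIS cannot split read from write in a rule (wishlist item B), a rule that allows the whole pattern is a decision to trust every matched application with that write, not only with the read that an SSL client actually needs.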