Protected Registry Keys and Preventing Group Policy edits

How do you set Defense+ Protected Registry Keys to prevent group policies from taking effect? I’ve been testing with the predefined keys:
*\SOFTWARE\Policies* and
*\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies*

I even created my own Registry group called “Policy Keys,” set all Predefined Policies (i.e. Trusted and Windows System Application) and Custom Policies to “Ask” on Protected Registry Keys.

My environments and info:
Windows XP Pro 32-bit
Windows 7 Pro 64-bit
Group Policy is applied from the domain

Part of my difficulty may just be on my understanding of how Group Policy mechanism works on the local machine.

I never tried this nor am I intimately familiar with working with group policies, so my comments come from common sense rather than experience.

Why do you want to use D+ to block policies from getting started in the first place? What are your concerns?

What is your help question? Do you think the changes you made to D+ are not working and if that is the case what makes you think they are not working?

I agree with EricJH

Basically, what is your goal, as everybody is different (there's usually more than one way to do anything; there may even be a better way to do something depending on what you would like to get done), or are you just trying to learn how it works by playing with it :slight_smile:

Part of my difficulty may just be on my understanding of how Group Policy mechanism works on the local machine.
Just an idea, the best way (or at least what I did to better learn it):
  1. Download and install "VirtualBox"
    Download VirtualBox 7.0.2 for Windows - Filehippo.com

  2. Install Windows in VirtualBox.

  3. Now play with the "Group Policy". That way, if something screws up and you can fix it, just restart Windows in VirtualBox and everything will be back to the way it was.

*That's what I like to do before applying anything on an actual machine.

just an idea

Just keep in mind that there are incompatibilities between CIS and VirtualBox due to the way it does its virtualization. If you decide you might want to run Windows inside VirtualBox protected by CIS as a more permanent malware protection setup, a better alternative would be the free VMWare Player.

Thanks for your replies. I should clarify with some background info:
I used Adaware (by Lavasoft) a loooong time ago. One nice (sometimes annoying) feature it had was it could prompt you for approval of changes to the registry by anyone – including yourself.

  1. I am in search of an ability to do the same in CIS D+(?), but only for certain keys and certain registry change requests (like those from Group Policy). Why Group Policy? There are certain Group Policies that make sense, however there are several Policies that are meant for the majority and not a few power users.

I’m not in a position to influence our IT’s Group Policy configuration, but I would like a way to accept or reject changes to certain keys. (I figure this would be useful even if I change companies.)

  2. I believe the changes I made to D+ are not working, so I'm not sure if I am missing something or if it doesn't work as expected. After changing the following Policies:
    o Trusted Application (Predefined)
    o Windows System Application (Predefined), and
    o each Custom Policy

to "Ask" on Protected Registry Keys, I still see Group Policy changes applied to my Protected Registry keys:
*\SOFTWARE\Policies* (actual "HKCU\SOFTWARE\Policies\system")
*\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies* (actual "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system")

Thanks!

Can you show us the changes you made to the Policies at hand with screenshots?

Are any of the D+ rules situated somewhere under a rule named All Applications? If that is the case, then move the applications that were accessing the Group Policy group to a place above the rule for All Applications.

Rules under the All Applications rule are subordinate to the standard policy set by the All Applications rule. That's why you have to move rules if you want to give them a policy to your liking.

The above could explain why some applications would not follow your rule.

The process that applies the policy is running under "Windows System Application"; that's the reason nothing pops up.

On the other hand, even if you set the policy I don’t think it will work as M$ will make sure security software can’t interfere with the execution of a group policy.
That would render the complete security model for Group policies useless.

A possible solution (I think). This program (free) seems like what you're looking for based on your post :slight_smile:

a program called “MJ Regwatcher”
http://www.jacobsm.com/RegWatcher.zip

You'll have to read the help on using the features.

Some important points:

MJRW not only polls the system, but it also hooks it, so that most changes to keys, files and directories are reported instantaneously. Key deletions are still caught by the polling loop though, since they cannot be hooked. Exactly which keys and files are protected can be completely configured by the user, although the sets I supply with MJRW will cover most standard PCs.
To install it, extract the files with pathnames, and you'll have a self-contained .exe file with a small help text file, the keys and files lists, and a couple of exclusion files in the MJRegWatcher directory. Launch RegWatcher.exe and then use the Options, Settings, Automatic Startup Options screen to install it either just for the current user, or for all users. This will cause an alert which you should accept, and which shows that MJRW is already protecting your system. From this screen, you can also choose which key set to start it up with, or even uninstall it.

Please note that under Vista and later, MJRW may need to be configured with Administrator privilege to write to the registry. To do this, go to the RegWatcher.exe file in Explorer, right-click to Properties, and go to the Compatibility tab. Check the admin box. Whenever the PC is restarted, you may have to OK MJRW to start with admin rights. Unless you disable UAC, the only way round this is to use the task scheduler to launch MJRW with administrator rights and set it to run at log on.

When monitoring, keys are opened in Read-Only mode, and the application only needs Write Registry access when it has detected a change. It keeps a log of any suspect activity, and displays any such information for the current session in the bottom panel. A log file has this appended to it and can be viewed by pressing the Log button. The file keeps a complete history of alerts.

This should be good for Windows XP and 7 :slight_smile:
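The same idea that MJRW's polling loop implements (take a picture of the protected keys, take another later, report what differs) can be scripted directly against the policy keys named in this thread. The script below is an added example, not code from the original thread and not part of Comodo or MJ RegWatcher; it assumes PowerShell (present on Windows 7, installable on XP) and, as an assumption, also includes HKLM\SOFTWARE\Policies alongside the two keys quoted above. It only reads the registry, so it answers the question "what did the last policy refresh change?" without interfering with the policy engine.

```powershell
# Added example (not from the thread): snapshot the Group Policy registry
# keys and diff two snapshots, e.g. before and after "gpupdate /force".
# Only read access is needed; nothing is blocked or rewritten.

# Roots taken from the thread; HKLM:\SOFTWARE\Policies is an added assumption.
$PolicyRoots = @(
    'HKCU:\SOFTWARE\Policies',
    'HKLM:\SOFTWARE\Policies',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies'
)

# Walk each root recursively and record every value as "<key path>\<value name>" = data.
function Get-PolicySnapshot {
    param([string[]]$Roots = $PolicyRoots)
    $snap = @{}
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        $keys = @(Get-Item -Path $root -ErrorAction SilentlyContinue) +
                @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            if ($null -eq $key) { continue }
            foreach ($name in $key.GetValueNames()) {
                $label = if ($name -eq '') { '(Default)' } else { $name }
                # Keep REG_EXPAND_SZ unexpanded so the stored policy text is compared, not its expansion.
                $data = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
                if ($data -is [byte[]])       { $data = ($data | ForEach-Object { $_.ToString('x2') }) -join '' }
                elseif ($data -is [string[]]) { $data = $data -join "`n" }
                $snap["$($key.Name)\$label"] = [string]$data
            }
        }
    }
    return $snap
}

# Report values that were added, removed or changed between two snapshots.
function Compare-PolicySnapshot {
    param([hashtable]$Before, [hashtable]$After)
    $changes = New-Object System.Collections.Generic.List[object]
    foreach ($k in $After.Keys) {
        if (-not $Before.ContainsKey($k)) {
            $changes.Add([pscustomobject]@{ Change = 'Added';    Value = $k; Old = $null;       New = $After[$k] })
        } elseif ($Before[$k] -ne $After[$k]) {
            $changes.Add([pscustomobject]@{ Change = 'Modified'; Value = $k; Old = $Before[$k]; New = $After[$k] })
        }
    }
    foreach ($k in $Before.Keys) {
        if (-not $After.ContainsKey($k)) {
            $changes.Add([pscustomobject]@{ Change = 'Removed';  Value = $k; Old = $Before[$k]; New = $null })
        }
    }
    return $changes
}

# Usage: baseline once, then diff after a policy refresh and append to a log.
$baselineFile = Join-Path $env:USERPROFILE 'policy-baseline.xml'   # path is an assumption
if (-not (Test-Path $baselineFile)) {
    Get-PolicySnapshot | Export-Clixml -Path $baselineFile
    Write-Host "Baseline written to $baselineFile"
} else {
    $before  = Import-Clixml -Path $baselineFile
    $after   = Get-PolicySnapshot
    $changes = Compare-PolicySnapshot -Before $before -After $after
    if ($changes.Count -eq 0) { Write-Host 'No policy value changes since baseline.' }
    else {
        $changes | Format-Table -AutoSize
        $changes | ForEach-Object { "$(Get-Date -Format s) $($_.Change) $($_.Value) [$($_.Old)] -> [$($_.New)]" } |
            Add-Content -Path (Join-Path $env:USERPROFILE 'policy-changes.log')
    }
}
```

Run it once to write the baseline, then again after the next policy push (or after `gpupdate /force`) to see exactly which values under the policy keys came back, which matches the test the original poster describes of deleting two values and watching for them to reappear. Run from an elevated prompt if any subkey under HKLM is not readable by the current user.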

Sure thing. Here are the screenshots:

  1. ProtectedRegistryKeys

[attachment deleted by admin]

  2. PredefinedPolicies

[attachment deleted by admin]

  3. Access Rights for both "Trusted Application" and "Windows System Application"

[attachment deleted by admin]

Reg Key I’m testing with:
(I delete the two highlighted values and see if Comodo prompts me about adding them back in when the Group Policy is pushed out.)

[attachment deleted by admin]

Thanks HeffeD and Ronny for the comments. Thanks jay2007tech for the links. I learned quite a bit. If Comodo cannot prevent Group Policy registry edits, I will definitely look into MJ Regwatcher. Thanks EricJH – hopefully the screenshots will help and Comodo will be able to do this.

What you can do, and that should work, is add it to the 'Blocked/Protection Settings → Blocked Registry Keys' group; it won't ask but will just deny.
If you catch the correct process, that should prevent modification of those keys.

The system can’t ‘ask’ during startup/policy apply.

Thanks Ronny, but I really like the option to accept most of the Group Policy settings and deny specific ones. I know I can specifically block some of the keys as a short term solution, but I do want to have the “ask” option for any new group policies that may occur in the future. Sorry this is sounding so difficult.

Sorry this is sounding so difficult.
Not really :)

I'm glad we could help you with a solution of some sort.

Easy - you go and see your domain administrator and discuss it with him.

Unfortunately, it is not, in the collective opinion of the moderators, ethical to advise people how to bypass policies and security measures on a corporate LAN of which they are not the owner/administrator.

Sorry,

Ewen :slight_smile: