
Designing Access Controls
Finalize Security Policies
If so, you can activate the Windows Startup Registry Entries Allowed test. Viruses, worms, and spyware often lurk in the “run” and “runOnce” keys of the Windows registry (which dictate which applications run at startup). You can create a list of valid entries for these keys. In other words, instead of simply checking for known viruses and malware, the NAC 800 assumes that every “run” and “runOnce” key runs malware unless specifically specified as allowed.

Caution: This test is a rather extreme measure. Altering the registry keys can cause serious problems that might only be fixed by reinstalling the OS. These problems can occur if your policy omits a necessary
policy is correct but a
policy deletes the wrong registry entry.

If, after carefully considering these risks, you decide to activate the test, fill in every service and application allowed to run when an endpoint starts up. Then list the services and applications in the correct format for your NAC policy. The easiest valid format is the name of the key (for example, “updater”). You can find keys by opening the Windows registry and looking in these locations, which the NAC 800 scans for this test:
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup
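Before enabling the test, it helps to see exactly which value names a reference endpoint has under those seven keys and which of them your allowlist would reject. The following PowerShell script is an added example, not part of the NAC 800 guide or product; the `$Allowed` list is a constructed sample that you would replace with your own approved entries, and it reads HKEY_CURRENT_USER for whichever user runs it.

```powershell
# Added example: audit the startup keys the NAC 800 scans against an allowlist
# of value names, in the same "name of the key" format the policy uses.
# Run it on a known-good endpoint to build the list, then on others to find
# entries the policy would flag.

# Constructed sample allowlist; replace with the names you have approved.
$Allowed = @('SecurityHealth', 'updater')

# The seven locations the guide lists. RunServices, RunServicesOnce and
# RunOnce\Setup exist only on some Windows versions, so absent keys are skipped.
$StartupKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup'
)

function Get-StartupEntries {
    foreach ($Key in $StartupKeys) {
        if (-not (Test-Path -Path $Key)) { continue }   # key not present on this OS
        $Item = Get-Item -Path $Key
        foreach ($Name in $Item.GetValueNames()) {
            if ($Name -eq '') { continue }               # skip the (Default) value
            [pscustomobject]@{
                Key     = $Key
                Name    = $Name
                Command = $Item.GetValue($Name)
                # -contains on strings is case-insensitive, matching how the
                # registry treats value names.
                Allowed = ($Allowed -contains $Name)
            }
        }
    }
}

$Entries = Get-StartupEntries
$Entries | Format-Table -Property Key, Name, Allowed, Command -AutoSize

$Unexpected = @($Entries | Where-Object { -not $_.Allowed })
if ($Unexpected.Count -gt 0) {
    Write-Warning ("{0} startup entries are not on the allowlist; add them to the policy if they are legitimate." -f $Unexpected.Count)
}
```

The script only reads the registry and reports; it never removes entries, which is the point of the caution above.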