.NET Keys

Discussion in 'Ghost Security Suite (GSS)' started by tonyjl, Sep 18, 2005.

Thread Status:
Not open for further replies.
  1. tonyjl

    tonyjl, Registered Member. Joined: May 25, 2004. Posts: 287
    I came across a couple of keys while finishing off an uninstall, they are as follows :-

    HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\Aspnet_state\Parameters | allowremoteconnection | READ VALUE, SET VALUE, DELETE VALUE | Ask User, Log to Disk | Test Rules | 3

    HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\Aspnet_state\Parameters | dontresetonupgradeallowremoteconnection | READ VALUE, SET VALUE, DELETE VALUE | Ask User, Log to Disk | Test Rules | 4

    HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\Aspnet_state\Parameters | port | READ VALUE, SET VALUE, DELETE VALUE | Ask User, Log to Disk | Test Rules | 5

    Been watching them a couple of weeks now, but no activity as of yet.

    Looks like they're related to .NET, but not 100% sure. Anyone know what they are, and any idea how important they are and if I should keep an eye on them?
     
  2. gottadoit

    gottadoit, Security Expert. Joined: Jul 12, 2004. Posts: 601. Location: Australia
    Tonyjl,
    I did a Google search and turned up a document on MSDN that describes what they are for, and it seems like the reason you are seeing no activity is because your rules are slightly out (and it's not likely that those keys will be seeing activity).

    Here is a web applications best practices paper that describes the keys (towards the end). From my understanding of it, protecting the keys with an Ask User won't hurt if you have .NET installed, but it's probably not adding much in the way of additional protection (unless you are running a web server).

    In terms of your keys, what you have specified won't be effective; instead of using "CurrentControlSet" you need to use "*ControlSet*".

    Most of the time you probably don't want to have rules that trigger on READ access unless you have a very good reason. It's fine if you just added that in for testing to see what processes might interact with the keys/values, but if you keep the rule more permanently it would probably be worth dropping the READ because that adds very little in terms of protection.

    Your rules then become
    Code:
    HKEY_LOCAL_MACHINE\System\*controlset*\Services\Aspnet_state\Parameters | allowremoteconnection | SET VALUE, DELETE VALUE | Ask User, Log to Disk | Test Rules | 3
    HKEY_LOCAL_MACHINE\System\*controlset*\Services\Aspnet_state\Parameters | dontresetonupgradeallowremoteconnection | SET VALUE, DELETE VALUE | Ask User, Log to Disk | Test Rules | 4
    HKEY_LOCAL_MACHINE\System\*controlset*\Services\Aspnet_state\Parameters | port | SET VALUE, DELETE VALUE | Ask User, Log to Disk | Test Rules | 5
    NB: The Google search I used was
     
    Last edited: Sep 19, 2005
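
Added example, not part of the thread and not Ghost Security Suite's own matching code: it parses the pipe-delimited rule lines quoted above and checks them against constructed registry events, showing why the literal `Currentcontrolset` rule stays silent when a write is reported under a numbered control set, and what dropping READ changes. Assumptions: the field names, case-insensitive `*` matching, and that the monitor can report a write under `ControlSet001` rather than `CurrentControlSet`.

```python
import re

# Rule lines copied from the thread (rule 3, before and after the suggested change).
ORIGINAL_RULE = r"HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\Aspnet_state\Parameters | allowremoteconnection | READ VALUE, SET VALUE, DELETE VALUE | Ask User, Log to Disk | Test Rules | 3"
WILDCARD_RULE = r"HKEY_LOCAL_MACHINE\System\*controlset*\Services\Aspnet_state\Parameters | allowremoteconnection | SET VALUE, DELETE VALUE | Ask User, Log to Disk | Test Rules | 3"

# Constructed sample events: (operation, key path as the monitor is assumed to report it, value name).
EVENTS = [
    ("SET VALUE", r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\aspnet_state\Parameters", "AllowRemoteConnection"),
    ("SET VALUE", r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspnet_state\Parameters", "AllowRemoteConnection"),
    ("READ VALUE", r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\aspnet_state\Parameters", "AllowRemoteConnection"),
    ("SET VALUE", r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\aspnet_state\Parameters", "Port"),
]

def parse_rule(line):
    """Split a pipe-delimited rule line into named fields (field names are assumed)."""
    fields = [f.strip() for f in line.split("|")]
    if len(fields) != 6:
        raise ValueError("expected 6 pipe-separated fields, got %d" % len(fields))
    key, value, ops, actions, group, rule_id = fields
    return {
        "key": key, "value": value,
        "ops": {o.strip().upper() for o in ops.split(",")},
        "actions": [a.strip() for a in actions.split(",")],
        "group": group, "id": int(rule_id),
    }

def glob_match(pattern, text):
    """Assumed semantics: '*' matches any run of characters, case-insensitively."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, text, re.IGNORECASE) is not None

def triggered(rule_line, events):
    """Return the indexes of the events that the rule would act on."""
    rule = parse_rule(rule_line)
    return [i for i, (op, key, value) in enumerate(events)
            if op in rule["ops"]
            and glob_match(rule["key"], key)
            and glob_match(rule["value"], value)]

if __name__ == "__main__":
    for name, line in (("original", ORIGINAL_RULE), ("wildcard", WILDCARD_RULE)):
        print(name, "rule fires on events", triggered(line, EVENTS))
```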
  3. tonyjl

    tonyjl, Registered Member. Joined: May 25, 2004. Posts: 287
    Thanks Gottadoit!
    I did find those other keys and a bit of info on them. I'll keep it on "ask user" for now (removed "read") just to be nosey.

    Anyway, thanks for your time, gottadoit.
     