Configuring the Windows registry rule

Windows Registry rules are comparison-based rules that enable you to select a Windows Registry key or folder from the source of the audit or snapshot specification, and then compare them with the target servers. The audit compares the selected registry folders and keys, and then determines whether these keys and folders exist on the target servers. You cannot set a target or remediation value in the rule.

Windows Registry object

The Windows Registry object allows you to capture registry keys, registry values, and subkeys. A registry key is a directory that contains registry values, where registry values are similar to files within a directory. A subkey is similar to a subdirectory. The SA Client supports the following Windows Registry keys: HKEY_CLASSES_ROOT, HKEY_CURRENT_CONFIG, HKEY_LOCAL_MACHINE, and HKEY_USERS.

Valid characters audited and captured for the contents of a key entry (Data) are the character ranges the XML specification permits: #x9, #xA, #xD, [#x20-#xD7FF], [#xE000-#xFFFD], and [#x10000-#x10FFFF]. Invalid control characters cannot be stored by the SA Client and are converted to XML numeric character entities, which display as &#;. For example, if the data value is 00 00 (in bytes), the two null bytes display as XML entities rather than as raw bytes in the audit or snapshot specification results.

Access Control Levels

You can also choose to compare Access Control Levels (ACLs) for a Windows Registry rule. If the rule compares ACLs and a user or group named in the source ACL does not exist on the target, then after the audit runs and remediation is applied, a temporary user and group is created on the target with an unknown name. The next time you run the audit, that entry shows up as unknown, which is not the name of the source user. See Audit results for more information.

To configure Windows Registry audit rules:

  1. Create a new audit. See Creating an audit for ways to create an audit.

    (Optional) If you want to create this rule for a snapshot specification, see Creating a snapshot specification.
  2. Select an Audit Source: Server, Snapshot, Snapshot Specification, or No Source.

    Some audit rules, such as Application Configuration and Windows Users and Groups, must have a source.
  3. In the Audit window, from the Views pane, select Rules > Windows Registry.
  4. In the content pane of the Audit window, expand the top-level node in the Available for Audit section and select the Windows Registry folder or key to create a rule for.
  5. Click the right arrow button to move the Windows Registry folder or key into the Selected for Audit section. All items that you select will be used to audit or snapshot the target server.
  6. For each registry entry key rule you create, you can set the following options to include when the audit checks the target:
    • Also Compare Contents of Sub-Keys—Evaluate all subkeys that belong to the selected registry key.
    • Also Compare ACLs—Compare ACLs of the selected registry key.
    • Use case-insensitive compare for Key Values—Do not show Key Value differences in the audit result if the names use a different case.
  7. To finish configuring the audit, set the target servers, the schedule, and the notification for the audit.
  8. From the File menu, select Save to save your audit.

    (Optional) You can also save the Audit as a policy. See Saving an audit or a snapshot specification as an audit policy.
  9. To run the audit, from the Actions menu, select Run Audit. See Running an audit.

Note In the Audit Policy window, if you select a server to view its registry information, and then want to check the registry information for another server, you must close the Audit Policy window, then reopen it to refresh the registry-contents field.
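As an added example (not part of this documentation or the SA Client), the following PowerShell script re-implements what a Windows Registry rule compares between a source and a target, with the three options from step 6 exposed as switches; the key path HKLM:\SOFTWARE\Contoso and the function names are assumptions.

```powershell
# Added example (not SA Client code): a PowerShell re-implementation of what a Windows
# Registry rule compares, so the three rule options can be seen in action. The path
# 'HKLM:\SOFTWARE\Contoso' is an assumed sample; run the snapshot on a source and a target host.

function Get-RegistrySnapshot {
    param([Parameter(Mandatory)][string]$Path, [switch]$Recurse, [switch]$IncludeAcl)
    $keys = @(Get-Item -Path $Path -ErrorAction Stop)
    # "Also Compare Contents of Sub-Keys": walk every subkey under the selected key
    if ($Recurse) { $keys += @(Get-ChildItem -Path $Path -Recurse) }
    foreach ($key in $keys) {
        [pscustomobject]@{
            Key    = $key.Name
            Values = @($key.GetValueNames() | ForEach-Object {
                [pscustomobject]@{ Name = $_; Data = $key.GetValue($_, $null, 'DoNotExpandEnvironmentNames') } })
            # "Also Compare ACLs": capture the key's security descriptor as SDDL
            Sddl   = if ($IncludeAcl) { (Get-Acl -Path $key.PSPath).Sddl } else { $null }
        }
    }
}

function Compare-RegistrySnapshot {
    param([Parameter(Mandatory)]$Source, [Parameter(Mandatory)]$Target, [switch]$CaseInsensitiveNames)
    foreach ($srcKey in $Source) {
        # key paths are always case-insensitive on Windows, so match them with -ieq
        $tgtKey = $Target | Where-Object { $_.Key -ieq $srcKey.Key } | Select-Object -First 1
        if (-not $tgtKey) { "MISSING KEY    $($srcKey.Key)"; continue }
        if ($null -ne $srcKey.Sddl -and $srcKey.Sddl -cne $tgtKey.Sddl) { "ACL DIFFERS    $($srcKey.Key)" }
        foreach ($v in $srcKey.Values) {
            # "Use case-insensitive compare for Key Values": match value names with -ieq instead of -ceq
            $tv = $tgtKey.Values | Where-Object {
                if ($CaseInsensitiveNames) { $_.Name -ieq $v.Name } else { $_.Name -ceq $v.Name }
            } | Select-Object -First 1
            # value data (REG_SZ, REG_DWORD, REG_BINARY, ...) is compared through its string form
            if (-not $tv) { "MISSING VALUE  $($srcKey.Key)\$($v.Name)" }
            elseif ("$($tv.Data)" -cne "$($v.Data)") { "DATA DIFFERS   $($srcKey.Key)\$($v.Name)" }
        }
    }
}

# Take the same snapshot on the source and on the target (e.g. via Invoke-Command), then diff them.
$source = Get-RegistrySnapshot -Path 'HKLM:\SOFTWARE\Contoso' -Recurse -IncludeAcl
$target = Get-RegistrySnapshot -Path 'HKLM:\SOFTWARE\Contoso' -Recurse -IncludeAcl
Compare-RegistrySnapshot -Source $source -Target $target -CaseInsensitiveNames
```

Each line of output names one difference the audit would report; an empty output means the selected key, its subkeys, values and ACLs all match on the target.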