Restricting registry permissions involves configuring access control settings for sensitive registry keys and hives to ensure that only authorized users or processes can make modifications. By limiting access, organizations can prevent unauthorized changes that adversaries might use for persistence, privilege escalation, or defense evasion.

• Regularly review permissions on keys such as Run, RunOnce, and Services to ensure only authorized users have write access.
• Use tools like icacls or PowerShell to automate permission adjustments. Enable Registry Auditing.
• Enable auditing on sensitive keys to log access attempts.
• Use Event Viewer or SIEM solutions to analyze logs and detect suspicious activity.
• Example Audit Policy: auditpol /set /subcategory:"Registry" /success:enable /failure:enable Protect Credential-Related Hives.
• Limit access to hives like SAM,SECURITY, and SYSTEM to prevent credential dumping or other unauthorized access.
• Use LSA Protection to add an additional security layer for credential storage. Restrict Registry Editor Usage.
• Use Group Policy to restrict access to regedit.exe for non-administrative users.
• Block execution of registry editing tools on endpoints where they are unnecessary. Deploy Baseline Configuration Tools.
• Use tools like Microsoft Security Compliance Toolkit or CIS Benchmarks to apply and maintain secure registry configurations.

• Registry Editor (regedit): Built-in tool to manage registry permissions.
• PowerShell: Automate permissions and manage keys. Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "KeyName" -Value "Value".
• icacls: Command-line tool to modify ACLs.

• Sysmon: Monitor and log registry events.
• Event Viewer: View registry access logs.

• Group Policy Management Console (GPMC): Enforce registry permissions via GPOs.
• Microsoft Endpoint Manager: Deploy configuration baselines for registry permissions.

Operating System Configuration involves adjusting system settings and hardening the default configurations of an operating system (OS) to mitigate adversary exploitation and prevent abuse of system functionality. Proper OS configurations address security vulnerabilities, limit attack surfaces, and ensure robust defense against a wide range of techniques.

• Turn off SMBv1, LLMNR, and NetBIOS where not needed.
• Disable remote registry and unnecessary services.

• Enable Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and Control Flow Guard (CFG) on Windows.
• Use AppArmor or SELinux on Linux for mandatory access controls.

• Enable User Account Control (UAC) for Windows.
• Restrict root/sudo access on Linux/macOS and enforce strong permissions using sudoers files.

• Implement least-privilege access for critical files and system directories.
• Audit permissions regularly using tools like icacls (Windows) or getfacl/chmod (Linux/macOS).

• Restrict RDP, SSH, and VNC to authorized IPs using firewall rules.
• Enable NLA for RDP and enforce strong password/lockout policies.

• Enable Secure Boot and enforce UEFI/BIOS password protection.
• Use BitLocker or LUKS to encrypt boot drives.

• Periodically audit OS configurations using tools like CIS Benchmarks or SCAP tools.

• Microsoft Group Policy Objects (GPO): Centrally enforce OS security settings.
• Windows Defender Exploit Guard: Built-in OS protection against exploits.
• CIS-CAT Pro: Audit Windows security configurations based on CIS Benchmarks.

• AppArmor/SELinux: Enforce mandatory access controls.
• Lynis: Perform comprehensive security audits.
• SCAP Security Guide: Automate configuration hardening using Security Content Automation Protocol.

• Ansible or Chef/Puppet: Automate configuration hardening at scale.
• OpenSCAP: Perform compliance and configuration checks.

Auditing is the process of recording activity and systematically reviewing and analyzing the activity and system configurations. The primary purpose of auditing is to detect anomalies and identify potential threats or weaknesses in the environment. Proper auditing configurations can also help to meet compliance requirements.

The process of auditing encompasses regular analysis of user behaviors and system logs in support of proactive security measures. Auditing is applicable to all systems used within an organization, from the front door of a building to accessing a file on a fileserver. It is considered more critical for regulated industries such as, healthcare, finance and government where compliance requirements demand stringent tracking of user and system activates.

• Use Case: Regularly assess system configurations to ensure compliance with organizational security policies.
• Implementation: Use tools to scan for deviations from established benchmarks.

• Use Case: Review file and folder permissions to minimize the risk of unauthorized access or privilege escalation.
• Implementation: Run access reviews to identify users or groups with excessive permissions.

• Use Case: Identify outdated, unsupported, or insecure software that could serve as an attack vector.
• Implementation: Use inventory and vulnerability scanning tools to detect outdated versions and recommend secure alternatives.

• Use Case: Evaluate system and network configurations to ensure secure settings (e.g., disabled SMBv1, enabled MFA).
• Implementation: Implement automated configuration scanning tools like SCAP (Security Content Automation Protocol) to identify non-compliant systems.

• Use Case: Examine network traffic, firewall rules, and endpoint communications to identify unauthorized or insecure connections.
• Implementation: Utilize tools such as Wireshark, or Zeek to monitor and log suspicious network behavior.