To get to this page: Select Controls from the left menu. Go to New > Control. Click Get Started for the Registry Permission control type. (Or click edit for any control of this type you want to change.)
The Registry Permission control type checks permissions that are set on a Windows registry key for different user groups and individual users. In order to maximize space, the compliance module assigns each permission a letter (A,B,C,D,...) and displays the letter instead of the full permission name. You must use the same mapping when setting the default expected value for the control. See Registry Permissions for a table that maps each permission to the letter it represents.
In the General Information section, provide basic information for the control, including a control statement and category. See General Information for details.
In the Scan Parameters section, specify the scan parameters that the scanning engine will use to gather data for the control. The scan parameters combined make up a single data point. You must also enter a description for the data point, which will appear in compliance policies and reports.
Registry Hive. A registry hive is a top-level registry key predefined by the Windows system to store registry keys, subkeys and values for a specific purpose. All registry hives begin with HKEY and appear as file folders at the top level on the left-hand side of the Registry Editor window.
These common hives are supported in custom controls:
HKEY_CLASSES_ROOT (HKCR). This hive contains information about registered applications, such as file extension associations and OLE object class IDs, tying them to the programs used to handle those items. The information stored here ensures that the correct program opens when you open a file in Windows Explorer. HKEY_CLASSES_ROOT is a merged view of HKEY_LOCAL_MACHINE\Software\Classes and HKEY_CURRENT_USER\Software\Classes.
HKEY_CURRENT_USER (HKCU). This hive contains the root of the configuration information for the user who is currently logged on. The user's folders, screen colors, and Control Panel settings are stored here. This information is referred to as a user's profile. HKEY_CURRENT_USER is a subkey of HKEY_USERS.
HKEY_USERS (HKU). This hive contains the root of all user profiles on the computer.
HKEY_LOCAL_MACHINE (HKLM). This hive contains configuration information particular to the computer. The information stored here is general to all users on the computer.
Registry Key. A registry key appears as a file folder on the left side of the Registry Editor window. Registry keys may contain subkeys, which are keys within a key; subkeys also appear as file folders on the left side of the Registry Editor window. Enter the path, beneath the selected hive, of the key whose permissions the control checks.
Data Type. (View only) The data type of the value returned by the scanning engine. For a registry permission control this is set to "String List" by default.
Description. Enter a description for the custom control which will appear in compliance policies and reports.
Click Add Parameters to add parameters and close the Scan Parameters window. You will notice the Edit Parameters button is available. Click this button to edit parameters before saving the control.
See also:
Add/Edit Scan Parameters in a New Control
Update the Data Point Description in an Existing Control
In the Control Technologies section, identify the technologies applicable to the control. For each technology, provide a rationale statement, select a cardinality, select an operator, and set the default control value.
Enter a rationale statement describing how the control should be implemented for each technology.
Select a cardinality. Several cardinality options appear as shown in the table below. X represents the value returned by the scanning engine and Y represents the expected value defined for the control.
cardinality | you are compliant when
contains | X contains all of Y
does not contain | X does not contain any of Y
matches | all strings in X match all strings in Y (listed in any order)
intersects | any string in X matches any string in Y
is contained in | all strings in X are contained in Y
Select the Lock Cardinality option to lock the cardinality. When locked, users cannot change the cardinality in the Policy Editor.
Select an operator. Select the operator "regular expression list" if you are specifying the default value as a list of regular expressions that you want to compare the results to. Select the operator "string list" if you are specifying the default value as a list of string values that you want to compare the results to.
Select the Lock Operator option to lock the operator. When locked, users cannot change the operator in the Policy Editor.
Enter the default expected value for each technology. The compliance module assigns each permission a letter (A,B,C,D,...) and uses the letter instead of the full permission name. You must use this same mapping when setting the default value. When entering a list of permissions for a user or user group, separate each permission with a colon (:). For example, if the Administrators group has Full Control permission, then you would enter Administrators:D:E:F:G:H:I:J:K:L:M. When entering permissions for multiple users or user groups, enter each user/group on a separate line. See Registry Permissions for a table that maps each permission to the letter it represents.
Select the Lock Value option to lock the default value. When locked, users cannot change the default value in the Policy Editor.
Regular Expression: See Regular Expression Symbols for standard symbols and their meanings. The compliance module implements Perl Compatible Regular Expressions (PCRE). For information on this standard, go to http://www.pcre.org/. For information on building regular expressions for controls using this standard, go to http://perldoc.perl.org/perlre.html. Note that the following characters have special meaning in PCRE and must be escaped with a backslash when you want them matched literally:
( ) [ ] | ^ $ -
For example, to match the string "(cs" you must enter "\(cs" (add backslash before the special character).
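The cardinality table, the two operators, the colon-separated expected-value format and the escaping rule above can be exercised together. The following Python is an added example written for this page, not code from the compliance module or its vendor: the scanner result and the default value are constructed, the letters given to the Users entry are illustrative (the real meaning of each letter comes from the Registry Permissions table), and the assumption that a regular-expression entry matches when its pattern is found anywhere in a result string is ours. Python's re module stands in for PCRE; the constructs used are common to both.

```python
"""Added example (not the compliance module's own code): model how a Registry
Permission control compares the scanner result X against the expected value Y
under each cardinality and operator described above."""
import re

# Constructed sample of what the scanning engine returns for one key: one
# "principal:letters" string per access-control entry, using the module's
# A,B,C,... permission letters. The Users entry's letters are illustrative.
SCAN_RESULT = [
    "Administrators:D:E:F:G:H:I:J:K:L:M",
    "SYSTEM:D:E:F:G:H:I:J:K:L:M",
    "Users:A:B:C",
]

# Default expected value as typed into the control: one principal per line,
# permissions separated by colons (constructed example).
EXPECTED_DEFAULT = """
Administrators:D:E:F:G:H:I:J:K:L:M
SYSTEM:D:E:F:G:H:I:J:K:L:M
"""


def parse_expected(text):
    """Split a multi-line default value into one 'principal:letters' entry per line."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def permissions(entry):
    """'Administrators:D:E:F' -> ('Administrators', {'D', 'E', 'F'})."""
    principal, *letters = entry.split(":")
    return principal, set(letters)


def principals_holding(result, letters):
    """Principals in the scanner result that hold at least the given letters."""
    wanted = set(letters)
    return [p for p, held in map(permissions, result) if wanted <= held]


def escape_pcre_literal(text):
    """Backslash-escape the characters the page lists: ( ) [ ] | ^ $ -"""
    return re.sub(r"([()\[\]|^$-])", r"\\\1", text)


def evaluate(cardinality, x, y, operator="string list"):
    """Return True when X (returned by the scan) is compliant with Y (expected).

    Assumption: with the 'regular expression list' operator an entry of Y
    matches an entry of X when the pattern is found anywhere in it (re.search),
    so anchor patterns with ^ and $ when a whole-entry match is intended.
    """
    def hit(xi, yj):
        if operator == "regular expression list":
            return re.search(yj, xi) is not None
        if operator == "string list":
            return xi == yj
        raise ValueError(f"unknown operator: {operator}")

    x_covers_y = all(any(hit(xi, yj) for xi in x) for yj in y)  # every Y found in X
    y_covers_x = all(any(hit(xi, yj) for yj in y) for xi in x)  # every X found in Y
    overlap = any(hit(xi, yj) for xi in x for yj in y)

    if cardinality == "contains":
        return x_covers_y
    if cardinality == "does not contain":
        return not overlap
    if cardinality == "matches":
        return x_covers_y and y_covers_x
    if cardinality == "intersects":
        return overlap
    if cardinality == "is contained in":
        return y_covers_x
    raise ValueError(f"unknown cardinality: {cardinality}")


if __name__ == "__main__":
    y = parse_expected(EXPECTED_DEFAULT)
    print("contains        :", evaluate("contains", SCAN_RESULT, y))         # True
    print("matches         :", evaluate("matches", SCAN_RESULT, y))          # False: Users is extra
    print("is contained in :", evaluate("is contained in", SCAN_RESULT, y))  # False
    # Regex operator: non-compliant if any principal other than the two
    # expected ones holds the full D..M set.
    full = r"^(?!Administrators:|SYSTEM:).*:D:E:F:G:H:I:J:K:L:M$"
    print("no extra full control:",
          evaluate("does not contain", SCAN_RESULT, [full], "regular expression list"))  # True
    print(escape_pcre_literal("(cs"))  # \(cs
```

The negative-lookahead pattern shows why the regular expression list operator is worth the extra care: with string list and "matches", an unexpected Everyone entry fails the control only because the sets differ, whereas the regex version states the policy directly (nobody but the two named principals may hold the full set) and keeps passing when harmless read-only entries such as Users appear.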
In the References section, add or remove references to internal policies and documents. See References for details.