Configure a Registry Permission Control (Windows)

Configure a Registry Permission control to check the permissions set on a Windows registry key. You tell us the Windows registry key to be evaluated. We'll report the permissions at scan time.

The statement you provide works like a control name: it describes what the control is and how it should be implemented in the environment. You'll also need to decide which category the control belongs to. This is important because users can search and filter controls by category; they can also search by keywords in the statement.

The scan parameters are used to gather data needed for compliance evaluation at scan time.

Click Add Parameters, and make these settings:

Registry Hive - This is the registry hive containing the key to be evaluated.

Registry Key - This is the registry key to be evaluated.

Tell me about the data type

You'll see that "string list" is selected as the data type for this control type. This means the scan will return a list of string values.

Tell me about the description

The control description will appear in compliance policies and reports. If you change the description at a later time, the description will be updated for all controls that use the same set of parameters.

Your control may apply to many technologies. Select each technology you're interested in and provide a rationale statement and expected value.

Time Saving Tip: If you plan to enter the same settings for each technology you only need to do it once. Make your selections in the "Default Values for Control Technologies" section first and then select the check box for each technology you want. You'll see that the settings get copied automatically to each technology that you select.

Make these settings:

Rationale - Enter a rationale statement describing how the control should be implemented for each technology.

Cardinality - Select a cardinality for the control.

Tell me about cardinality options

Several cardinality options appear as shown in the table below. X represents the value returned by the scanning engine and Y represents the expected value defined for the control.

Cardinality - You are compliant when

contains - X contains all of Y

does not contain - X does not contain any of Y

intersect - any string in X matches any string in Y

matches - all strings in X match all strings in Y (listed in any order)

is contained in - all strings in X are contained in Y

Operator - (View only) The operator "regular expression" is used to compare the results to the default value, which is specified as a regular expression.

Default Value - Enter the expected value for each technology as a regular expression. A list of strings returned in the scan results will be compared to the regular expression using the selected cardinality.

Knowing the format of the permissions information returned, you can write a regular expression that will match your pass/fail conditions.
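The sketch below is an added example, not Qualys code. It models the five cardinality options from the table so you can see which ones notice an extra, over-broad permission entry. The "principal:access" string layout, the treatment of Y as a list of patterns, and whole-string matching are all assumptions made for illustration.

```python
import re

# Constructed sample data. The "principal:access" layout is an assumption
# for illustration; this page does not show the scanner's real output format.
BASELINE = [
    "BUILTIN\\Administrators:Full Control",
    "NT AUTHORITY\\SYSTEM:Full Control",
    "BUILTIN\\Users:Read",
]
DRIFTED = BASELINE + ["Everyone:Full Control"]  # one extra, over-broad grant

# Expected values (Y), modelled here as a list of regular expressions.
ALLOWLIST = [
    r"BUILTIN\\Administrators:Full Control",
    r"NT AUTHORITY\\SYSTEM:Full Control",
    r"BUILTIN\\Users:Read",
]
DENYLIST = [r"(Everyone|BUILTIN\\Users):(Full Control|Write)"]


def _hit(pattern, value):
    # Assumption: a pattern has to match the entire returned string.
    return re.fullmatch(pattern, value) is not None


def evaluate(cardinality, x, y):
    """Return True (compliant) following the cardinality table above.

    x: strings returned by the scan; y: expected regex patterns.
    """
    every_y_seen = all(any(_hit(p, s) for s in x) for p in y)
    every_x_expected = all(any(_hit(p, s) for p in y) for s in x)
    overlap = any(_hit(p, s) for p in y for s in x)
    return {
        "contains": every_y_seen,
        "does not contain": not overlap,
        "intersect": overlap,
        "matches": every_y_seen and every_x_expected,
        "is contained in": every_x_expected,
    }[cardinality]


if __name__ == "__main__":
    for name in ("contains", "matches", "is contained in"):
        print(name, evaluate(name, BASELINE, ALLOWLIST),
              evaluate(name, DRIFTED, ALLOWLIST))
    print("does not contain", evaluate("does not contain", BASELINE, DENYLIST),
          evaluate("does not contain", DRIFTED, DENYLIST))
```

With the allowlist as the expected value, "contains" still reports compliant after the extra entry is added, while "matches" and "is contained in" fail. With the denylist, "does not contain" is the option that catches it.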

Add up to 10 references for the control. These may be references to internal policies, documents and web sites. For each reference, enter a description, a URL or both. When providing a URL, you must start the URL with http://, https:// or ftp://. For example, enter http://www.qualys.com to link to the Qualys web site. Once added, users have the option to include references in policy reports.

Ready to scan?

You must select this setting in the option profile you apply to your scan: Enable Dissolvable Agent. When editing your profile, you'll see this setting under Dissolvable Agent (in the Scans section).
