.NET Framework 2.0 Security Guidelines - Registry

From Guidance Share

Jump to: navigation, search

- J.D. Meier, Alex Mackman, Blaine Wastell, Prashant Bansode, Chaitanya Bijwe


Consider using ACLs to restrict access to data stored in HKLM

If you store sensitive data in the HKEY_LOCAL_MACHINE section of the registry, consider applying an ACL to the registry key that restricts access to a specific account, such as the account under which your application runs. This is important because any process running on your computer has access to the HKEY_LOCAL_MACHINE section of the registry. By isolating your application and running it under a dedicated custom account, only your application can access the data from the ACL-protected key.

Note Use of HKEY_LOCAL_MACHINE makes it easier to store configuration data at installation time and maintain it later on.

If your security requirements dictate an even less accessible storage solution, use a key under HKEY_CURRENT_USER. This approach means that you do not have to explicitly configure ACLs because access to the current user key is automatically restricted based on process identity.

Note HKEY_CURRENT_USER allows more restrictive access because a process can access the current user key only if the user profile associated with the current thread or process token is loaded.


Consider encrypting sensitive data in the registry

If you need to store sensitive data in the registry, then consider encrypting it with DPAPI. You can use DPAPI with the machine key to encrypt the data, store the encrypted data beneath a registry key, and then use an ACL that restricts access to your specific application identity to restrict access to the registry key. Alternatively, you can use DPAPI with the user store. In this latter case, you need to load the user account's profile to access the key.

Consider using the machine store if your application is a server that runs on its own dedicated computer with no other applications, or if you have multiple applications on the same server and you need those applications to be able to share the sensitive registry data. If you only want specific service accounts to be able to access the DPAPI keys and their profiles are loaded, then use DPAPI with the user store.

The following code shows how to create a registry key protected with an ACL and how to use DPAPI with the machine store to store encrypted data in the restricted key.

using System.Security.Cryptography;
using System.Security.AccessControl;
using System.Text;
using Microsoft.Win32;
...

// Get the original data in a byte array
byte[] toEncrypt = UnicodeEncoding.ASCII.GetBytes(
                  "The secret data to be encrypted");

// Encrypt the data by using the ProtectedData class.
byte[] encryptedData = ProtectedData.Protect(toEncrypt, null,
                      DataProtectionScope.LocalMachine);

// Create a new key in the registry with a restricted ACL 
// and write stream of bytes to the registry key
string user = Environment.UserDomainName + "\\" + Environment.UserName;
RegistrySecurity security = new RegistrySecurity();
RegistryAccessRule rule = new RegistryAccessRule(user,
               RegistryRights.FullControl,
               InheritanceFlags.ContainerInherit,
               PropagationFlags.None,
               AccessControlType.Allow);
security.AddAccessRule(rule);

Registry.CurrentUser.CreateSubKey("TestEncryptedData",
               RegistryKeyPermissionCheck.ReadWriteSubTree,
               security);
Registry.SetValue(@"HKEY_CURRENT_USER\TestEncryptedData", "Encrypted",
                encryptedData);


Use the following code to decrypt the data stored in the registry.

// Read the encrypted data from registry and decrypt the contents 
byte[] dataFromRegistry = Registry.GetValue(
@"HKEY_CURRENT_USER\TestEncryptedData",
                "Encrypted", null) as byte[];
byte[] decryptedData = ProtectedData.Unprotect(dataFromRegistry, null,
                DataProtectionScope.LocalMachine);
Personal tools