Tuesday, October 24, 2006

Windows registry application security best practices

Use the following appsec best practices when dealing with the Windows registry.
  1. Use of the registry reduces application portability, so use it only when required.
  2. Don't use the registry as a configuration trash bin.
  3. Don't store secrets in the registry.
  4. Encrypt application data stored in the registry.
  5. Discourage users from directly editing the registry.
  6. Perform input validation on data read from and written to the registry.
  7. Don't write data to HKLM. By default all users get only Read access to HKLM, so an application that keeps its data there will need the user to be logged on as an administrator to write it and read it back.
  8. Don't open registry keys for FULL_CONTROL or ALL_ACCESS; request only the access rights the operation actually needs.
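The following PowerShell snippet is an added example, not code from the original post: it keeps application data under HKCU rather than HKLM (item 7), opens the key read-only when only reading (item 8), protects the value with DPAPI before it is written (item 4) and validates what is read back (item 6). The key name `Software\ExampleApp`, the value name `UpdateUrl` and the sample URL are assumptions made up for the example.

```powershell
# Added example (not from the original post). Assumes a hypothetical
# application key HKCU\Software\ExampleApp holding one setting, UpdateUrl.
Add-Type -AssemblyName System.Security   # System.Security.Cryptography.ProtectedData (DPAPI)

$SubKey = 'Software\ExampleApp'          # per-user hive (HKCU); never HKLM (item 7)

function Save-AppSetting {
    param([string]$Name, [string]$Value)
    # CreateSubKey returns a writable handle on our own key only, not ALL_ACCESS on a parent.
    $key = [Microsoft.Win32.Registry]::CurrentUser.CreateSubKey($SubKey)
    try {
        # Item 4: protect the data with DPAPI bound to the current user before it is stored.
        $plain = [Text.Encoding]::UTF8.GetBytes($Value)
        $blob  = [Security.Cryptography.ProtectedData]::Protect($plain, $null,
                     [Security.Cryptography.DataProtectionScope]::CurrentUser)
        $key.SetValue($Name, $blob, [Microsoft.Win32.RegistryValueKind]::Binary)
    } finally { $key.Close() }
}

function Read-AppSetting {
    param([string]$Name, [int]$MaxLength = 2048)
    # Item 8: writable = $false opens the key with read rights only (KEY_READ, not KEY_ALL_ACCESS).
    $key = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey($SubKey, $false)
    if ($null -eq $key) { throw "Key HKCU\$SubKey not present" }
    try {
        # Item 6: treat the registry as untrusted input; anyone with regedit may have edited it (item 5).
        if ($key.GetValueKind($Name) -ne [Microsoft.Win32.RegistryValueKind]::Binary) {
            throw "Unexpected value type for $Name"
        }
        $blob = [byte[]]$key.GetValue($Name)
        # Unprotect throws CryptographicException if the blob was tampered with or
        # was written by a different user, so a modified value is rejected here.
        $plain = [Security.Cryptography.ProtectedData]::Unprotect($blob, $null,
                     [Security.Cryptography.DataProtectionScope]::CurrentUser)
        $text = [Text.Encoding]::UTF8.GetString($plain)
        # Length, embedded NUL and format checks before the value is used.
        if ($text.Length -gt $MaxLength -or $text.Contains([char]0)) {
            throw "Setting $Name failed validation"
        }
        $uri = $null
        if (-not [Uri]::TryCreate($text, [UriKind]::Absolute, [ref]$uri) -or $uri.Scheme -ne 'https') {
            throw "Setting $Name is not an https URL"
        }
        return $uri.AbsoluteUri
    } finally { $key.Close() }
}

Save-AppSetting -Name 'UpdateUrl' -Value 'https://updates.example.invalid/feed'
Read-AppSetting -Name 'UpdateUrl'
```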
