Tuesday, October 24, 2006
Windows registry application security best practices
Use the following appsec best practices when dealing with the Windows registry.
- Use of the registry reduces application portability, so use it only when required.
- Don't use the registry as a configuration trash bin.
- Don't store secrets in the registry.
- Encrypt application data stored in the registry.
- Discourage users from directly editing the registry.
- Perform input validation on data read from and written to the registry.
- Don't write data to HKLM. By default all users have only Read access to HKLM, so writing there requires the user to be logged on as an administrator.
- Don't open registry keys for FULL_CONTROL or ALL_ACCESS; request only the access rights the operation needs.
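The practices above applied to one hypothetical application setting, as an added PowerShell example that is not part of the original post (the key path HKCU\Software\ContosoApp and the LogPath value are assumptions): the value lives under HKCU rather than HKLM, the key is opened with only the rights needed instead of ALL_ACCESS, the stored bytes are protected with DPAPI as the encryption step, and the value is validated on read-back.

```powershell
# Added example (not from the original post): a hypothetical application
# 'ContosoApp' keeps one string setting, LogPath, under HKCU.
Add-Type -AssemblyName System.Security   # ProtectedData (DPAPI)

$subKey = 'Software\ContosoApp'          # assumed key path

function Write-ProtectedSetting([string]$Name, [string]$Value) {
    # HKCU is writable by the current user, so no administrator logon is needed.
    $key = [Microsoft.Win32.Registry]::CurrentUser.CreateSubKey($subKey)
    try {
        $plain = [Text.Encoding]::UTF8.GetBytes($Value)
        # DPAPI, CurrentUser scope: only this user on this machine can unprotect it.
        $cipher = [System.Security.Cryptography.ProtectedData]::Protect(
            $plain, $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
        $key.SetValue($Name, $cipher, [Microsoft.Win32.RegistryValueKind]::Binary)
    } finally { $key.Close() }
}

function Read-ProtectedSetting([string]$Name) {
    # Open read-only with just QueryValues: no ALL_ACCESS / FULL_CONTROL.
    $key = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey($subKey,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadSubTree,
        [System.Security.AccessControl.RegistryRights]::QueryValues)
    if (-not $key) { throw "Key HKCU\$subKey not found" }
    try {
        # Validate what comes back: a user or another program may have edited it.
        if ($key.GetValueKind($Name) -ne [Microsoft.Win32.RegistryValueKind]::Binary) {
            throw "$Name has an unexpected value type"
        }
        $plain = [System.Security.Cryptography.ProtectedData]::Unprotect(
            $key.GetValue($Name), $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
        $value = [Text.Encoding]::UTF8.GetString($plain)
        # Allow only the expected shape: an absolute local path, no control
        # characters or reserved characters, bounded length.
        if ($value.Length -gt 260 -or $value -notmatch '^[A-Za-z]:\\[^\x00-\x1F<>"|?*]*$') {
            throw "$Name failed validation"
        }
        return $value
    } finally { $key.Close() }
}

Write-ProtectedSetting -Name 'LogPath' -Value 'C:\ProgramData\ContosoApp\logs'
Read-ProtectedSetting -Name 'LogPath'
```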