What does the SCSP IDS Registry Watch monitor look at, and does it monitor for a specific known good value?
Updated On:17-03-2015 15:15
Critical System Protection
SCSP Registry Watch monitors attempts to access or change registry values. It can report successful and/or failed attempts. It does not compare the current registry state to a desired state and report differences. Some customer will send a list of conditions such as, "Can SCSP make sure the correct registry key is present, correct, and does not change?". the following is some of what SCSP with IDS and IPS can and cannot do for the customer conditions stated above:
· SCSP can watch a value and only report if it changes to an “incorrect” value, i.e. not report if it changed from one “correct” value to another “correct” value. If the value is incorrect when the policy is applied, SCSP can’t detect that.
· SCSP can monitor for changes, assuming the change happens while the Registry Watch policy is applied. It could even report on failed attempts to modify or delete a value, perhaps blocked by the OS permissions on the registry.
· SCSP can report on failed attempts to open a key, which might indicate the key is missing. If you created a batch job that periodically attempts to open the keys you care about, and you know the job has permission to do the open, e.g. open with MAX_ALLOWED, then a Registry Watch policy could look for failures and that might get you what you want. It’s not 100% native SCSP, but SCSP helps.
SCSP IPS would not help here. IPS controls access and can enforce that a current registry value does not change. But it does not have any knowledge of whether the current value is correct or incorrect. Similarly, IPS can enforce that a particular registry key can’t be deleted (or created), but it does not have any knowledge of whether the key does or does not exist, or whether it should or should not exist.
CCS is the Symantec product that does configuration validation – comparing current system state against a desired state.