Are there any especially interesting keys to watch?
The following keys are well suited for planting a back door in one way or another. Always ensure the ACLs on these are ok. To keep track of changes, or attempts to change them, one can also set up auditing on the keys. See 2.10.5 Auditing.

• HKLM\SYSTEM\CCS\Services\LanmanServer\Parameters\NullSession{Shares|Pipes}

  These keys list the shares and named pipes that are accessible without logging in to the system, a so-called NULL session connection (see 2.7.4). One scary aspect of this is that if you happen, by coincidence, to create a share or named pipe whose name matches any of the names in these lists, it is accessible from a NULL session connection. Note that the RestrictAnonymous key under Control\Lsa mentioned in Microsoft Knowledge Base article Q143474 does not prevent access to resources listed here. On a fresh NT 4.0, the defaults are:

  • Pipes: COMNAP, COMNODE, SQL\QUERY, SPOOLSS, LLSRPC, EPMAPPER, LOCATOR
  • Shares: COMCFG, DFS$

• HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages

  Lists the DLLs
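As an added example that is not part of the FAQ, the script below does the three things the answer asks for on the keys it names: it reads the current NullSessionPipes, NullSessionShares and Notification Packages lists, diffs them against a baseline (the NT 4.0 defaults quoted above for the first two; a placeholder you replace with your own approved DLL list for the third), and shows which identities hold write rights on each key and whether any audit rules are set on it. It assumes an elevated PowerShell session on the host being checked (reading a key's SACL needs administrative rights) and a Windows version that carries these keys, since NT 4.0 itself never shipped PowerShell; all function and variable names are the example's own.

```powershell
# Added example, not from the FAQ. Assumes: elevated PowerShell on the host being
# checked; NT 4.0 defaults as quoted in the FAQ; the Notification Packages
# baseline is a placeholder you replace with the DLL list you have approved.

$Checks = @(
    @{ Key      = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Value    = 'NullSessionPipes'
       Baseline = @('COMNAP', 'COMNODE', 'SQL\QUERY', 'SPOOLSS', 'LLSRPC', 'EPMAPPER', 'LOCATOR') },
    @{ Key      = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Value    = 'NullSessionShares'
       Baseline = @('COMCFG', 'DFS$') },
    @{ Key      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value    = 'Notification Packages'
       Baseline = @('PLACEHOLDER_APPROVED_DLL') }   # placeholder: your approved DLL list
)

# Registry rights that let a caller change the value or add subkeys under the key.
$WriteRights = 'SetValue|CreateSubKey|WriteKey|FullControl|ChangePermissions|TakeOwnership'

function Get-MultiSzValue {
    param([string]$Key, [string]$Value)
    # REG_MULTI_SZ is returned as string[]; a missing value comes back as $null.
    $item = Get-ItemProperty -Path $Key -Name $Value -ErrorAction SilentlyContinue
    if ($null -eq $item) { return @() }
    return @($item.$Value | Where-Object { $_ -ne '' })
}

function Test-RegistryWatchKey {
    param([hashtable]$Check)
    $current = Get-MultiSzValue -Key $Check.Key -Value $Check.Value

    # -notcontains compares case-insensitively, which matches registry name semantics.
    $extra   = @($current        | Where-Object { $Check.Baseline -notcontains $_ })
    $missing = @($Check.Baseline | Where-Object { $current -notcontains $_ })

    # DACL: every Allow entry that grants some form of write access to the key.
    $acl = Get-Acl -Path $Check.Key
    $writable = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.RegistryRights.ToString() -match $WriteRights
    } | ForEach-Object { $_.IdentityReference.Value })

    # SACL: count of audit rules, so an unaudited key stands out (needs admin rights).
    $auditRules = @()
    try { $auditRules = @((Get-Acl -Path $Check.Key -Audit).Audit) } catch { }

    [pscustomobject]@{
        Key                 = $Check.Key
        Value               = $Check.Value
        Current             = $current
        NotInBaseline       = $extra      # entries nobody put in the baseline: explain each one
        MissingFromBaseline = $missing
        WritableBy          = $writable   # broad groups here are the ACL problem the FAQ warns about
        AuditRules          = $auditRules.Count
    }
}

$Checks | ForEach-Object { Test-RegistryWatchKey -Check $_ } | Format-List
```

Read the output in the order the answer suggests: anything under NotInBaseline is a share, pipe or DLL that was not there on a clean install and should be accounted for; WritableBy listing a broad group such as Everyone or Users is the ACL weakness to fix first, because whoever can write the value can add their own entry; AuditRules at 0 means changes to the key will leave no trace, which is what 2.10.5 Auditing is about. The RestrictAnonymous value under Control\Lsa is deliberately not consulted, for the reason given above: it does not block access to the resources these lists name.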