V-224835
CAT IIDefault permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained.
- Ships Affected
- 1
- Total Findings
- 8
- Open
- 0
- Closed
- 8
Check Text
Review the registry permissions for the keys of the HKEY_LOCAL_MACHINE hive noted below.
If any non-privileged groups such as Everyone, Users, or Authenticated Users have greater than Read permission, this is a finding.
If permissions are not as restrictive as the default permissions listed below, this is a finding.
Run "Regedit".
Right-click on the registry areas noted below.
Select "Permissions..." and the "Advanced" button.
HKEY_LOCAL_MACHINE\SECURITY
Type - "Allow" for all
Inherited from - "None" for all
Principal - Access - Applies to
SYSTEM - Full Control - This key and subkeys
Administrators - Special - This key and subkeys
HKEY_LOCAL_MACHINE\SOFTWARE
Type - "Allow" for all
Inherited from - "None" for all
Principal - Access - Applies to
Users - Read - This key and subkeys
Administrators - Full Control - This key and subkeys
SYSTEM - Full Control - This key and subkeys
CREATOR OWNER - Full Control - This key and subkeys
ALL APPLICATION PACKAGES - Read - This key and subkeys
HKEY_LOCAL_MACHINE\SYSTEM
Type - "Allow" for all
Inherited from - "None" for all
Principal - Access - Applies to
Users - Read - This key and subkeys
Administrators - Full Control - This key and subkeys
SYSTEM - Full Control - This key and subkeys
CREATOR OWNER - Full Control - Subkeys only
ALL APPLICATION PACKAGES - Read - This key and subkeys
Server Operators – Read – This Key and subkeys (Domain controllers only)
Other examples under the noted keys may also be sampled. There may be some instances where non-privileged groups have greater than Read permission.
If the defaults have not been changed, these are not a finding.
Fix Text
Maintain the default permissions for the HKEY_LOCAL_MACHINE registry hive.
The default permissions of the higher-level keys are noted below.
HKEY_LOCAL_MACHINE\SECURITY
Type - "Allow" for all
Inherited from - "None" for all
Principal - Access - Applies to
SYSTEM - Full Control - This key and subkeys
Administrators - Special - This key and subkeys
HKEY_LOCAL_MACHINE\SOFTWARE
Type - "Allow" for all
Inherited from - "None" for all
Principal - Access - Applies to
Users - Read - This key and subkeys
Administrators - Full Control - This key and subkeys
SYSTEM - Full Control - This key and subkeys
CREATOR OWNER - Full Control - This key and subkeys
ALL APPLICATION PACKAGES - Read - This key and subkeys
HKEY_LOCAL_MACHINE\SYSTEM
Type - "Allow" for all
Inherited from - "None" for all
Principal - Access - Applies to
Users - Read - This key and subkeys
Administrators - Full Control - This key and subkeys
SYSTEM - Full Control - This key and subkeys
CREATOR OWNER - Full Control - Subkeys only
ALL APPLICATION PACKAGES - Read - This key and subkeys
Server Operators – Read – This Key and subkeys (Domain controllers only)
STIG Reference
- STIG
- Microsoft Windows Server 2016 Security Technical Implementation Guide
- Version
- 2
- Release
- 10
- Rule ID
- SV-224835r958726_rule
All Occurrences
This vulnerability appears on 1 ship(s)
| Ship | Hull # | Source File | Status | Assigned To | Scan Date | Actions |
|---|---|---|---|---|---|---|
| USNS MONTFORD POINT | T-ESD-1 | _Reviewed/MONT-AP-002/Checklist/MONT-AP-002_WinServer2016_V2R10_20251023-144214.ckl | Unassigned | 2026-01-14T12:57:42.721079 | View in Context | |
| USNS MONTFORD POINT | T-ESD-1 | _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_WinServer2016_V2R10_20251023-143943.ckl | Unassigned | 2026-01-14T12:57:41.363810 | View in Context | |
| USNS MONTFORD POINT | T-ESD-1 | _Reviewed/MONT-DB-002/Checklist/MONT-DB-002_WinServer2016_V2R10_20251023-144132.ckl | Unassigned | 2026-01-14T12:57:39.082634 | View in Context | |
| USNS MONTFORD POINT | T-ESD-1 | _Reviewed/MONT-DC-003/Checklist/MONT-DC-003_WinServer2016_V2R10_20251023-172220.ckl | Unassigned | 2026-01-14T12:57:37.248886 | View in Context | |
| USNS MONTFORD POINT | T-ESD-1 | _Reviewed/MONT-DP-001/Checklist/MONT-DP-001_WinServer2016_V2R10_20251023-144106.ckl | Unassigned | 2026-01-14T12:57:35.637816 | View in Context | |
| USNS MONTFORD POINT | T-ESD-1 | _Reviewed/MONT-MB-002/Checklist/MONT-MB-002_WinServer2016_V2R10_20251023-152736.ckl | Unassigned | 2026-01-14T12:57:33.842838 | View in Context | |
| USNS MONTFORD POINT | T-ESD-1 | _Reviewed/MONT-VSF-003/Checklist/MONT-VSF-003_WinServer2016_V2R10_20251023-143935.ckl | Unassigned | 2026-01-14T12:57:31.534241 | View in Context | |
| USNS MONTFORD POINT | T-ESD-1 | _Reviewed/MONT-VSF-004/Checklist/MONT-VSF-004_WinServer2016_V2R10_20251023-143909.ckl | Unassigned | 2026-01-14T12:57:30.046447 | View in Context |