The Windows Registry is the database that stores the configuration settings of the operating system, drivers, and applications. Controlling access to it is critical because many threats modify registry keys to gain persistence or to disable defenses.
Functionalities
- Critical directory protection (Tamper Protection): Prevents users or malicious software from altering or deleting files in sensitive directories (such as C:\Windows, C:\Program Files, or the agent's own installation directory).
- Execution control: Can be configured to allow files to be executed only from specific, trusted directories, blocking the execution of binaries in temp folders (where malware often operates).
- Ransomware protection: By restricting who can modify or delete files in bulk within data directories, EPM acts as a barrier against data being encrypted and held ransom.
- Sensitive data isolation: Allows only specific (whitelisted) users and groups to have permission to read or write to certain files or directories, preventing a curious user or an infected process from accessing confidential information.
More information about precedence rules is available in Permissioning.
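To make the execution-control rule concrete, here is an added example (not code from the original page or from the EPM product) of the decision an allowlist-by-directory policy has to make for each binary. The trusted and denied directory lists, the function names, and the sample paths are constructed assumptions for this illustration. It shows two details a naive string-prefix check gets wrong: a directory named `C:\Windows_evil` must not match the trusted root `C:\Windows`, and `..` segments in a path must be collapsed before the comparison. It also treats user-writable folders that live inside a trusted root (such as `C:\Windows\Temp`) as explicit exceptions, since allowing a whole root would otherwise re-open exactly the temp-folder case the feature is meant to block.

```python
"""Added example: minimal execution-control policy evaluator.

Not the product's own code. Policy lists and sample paths are constructed
assumptions; a real deployment would load them from the agent's configuration.
"""
import ntpath
from pathlib import PureWindowsPath

# Constructed policy: roots from which execution is allowed ...
TRUSTED_DIRS = [r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)"]
# ... and user-writable directories inside those roots that stay blocked.
DENIED_DIRS = [r"C:\Windows\Temp", r"C:\Windows\Tasks"]


def _normalize(path: str) -> PureWindowsPath:
    """Collapse '.' and '..' segments, unify slashes, and lower-case the path
    so comparisons behave like NTFS (case-insensitive)."""
    return PureWindowsPath(ntpath.normpath(path).lower())


def _is_under(path: PureWindowsPath, directory: str) -> bool:
    """True when `path` equals `directory` or lies anywhere beneath it.

    Comparison is by path component, so 'c:\\windows_evil\\x.exe' is NOT
    considered to be under 'c:\\windows'."""
    root = _normalize(directory)
    return path == root or root in path.parents


def is_execution_allowed(path: str) -> bool:
    """Deny-list first, then allow-list: a binary runs only if it sits under a
    trusted root and not under any denied (writable) subdirectory."""
    p = _normalize(path)
    if any(_is_under(p, d) for d in DENIED_DIRS):
        return False
    return any(_is_under(p, d) for d in TRUSTED_DIRS)


def evaluate(paths):
    """Evaluate several candidate paths; returns {path: allowed}."""
    return {path: is_execution_allowed(path) for path in paths}


if __name__ == "__main__":
    # Constructed sample of execution attempts an agent might observe.
    samples = [
        r"C:\Windows\System32\cmd.exe",                    # trusted root
        r"C:\Program Files\Vendor\app.exe",                # trusted root
        r"C:\Users\bob\AppData\Local\Temp\update.exe",     # user temp folder
        r"C:\Windows\Temp\stage.exe",                      # writable dir inside root
        r"C:\Windows_evil\tool.exe",                       # prefix look-alike
        r"C:\Windows\..\Users\bob\dropper.exe",            # traversal out of root
    ]
    for path, allowed in evaluate(samples).items():
        print(f"{'ALLOW' if allowed else 'BLOCK':5}  {path}")
```

The deny list is checked before the allow list on purpose: an agent that evaluates the allow list first and short-circuits would let `C:\Windows\Temp\stage.exe` through because it is, after all, under `C:\Windows`. The same ordering is what makes the "temp folders" exclusion in the feature description enforceable even when the temp folder happens to sit inside a protected root.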