We have configured a domain user for the authenticated scans (according to 10.3.3.2. Configuring a Domain Account for Authenticated Scans) on our Windows machines.
The settings are propagated via GPO.
As described in the manual (section: Configuring the Policy to Give Read Permissions Only to the Registry for the Group Greenbone Local Scan), we have set the permissions on %systemdrive% and the registry hives in order to deny write access to the scan user.
But these settings only work for the main folder (C: drive) and for the main hives (MACHINE, USER, CLASSES), not for the underlying folders/keys, as the permissions are not inherited by the subfolders (and we do not want to change the inheritance settings on system folders).
My question: Is this the intended result? The security gain of these two actions is very low (the scan user has write access to all subfolders but not to the main folder/hive).
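
One way to check on a scanned host where the deny-write entry for the scan group actually applies, as an added example that is not part of the original post or the Greenbone manual. The function name Get-DenyWriteCoverage and the sample paths are assumptions chosen for illustration; the group name is the one given in the post.

```powershell
# Added example: report, per folder/key, whether a Deny ACE with write-type
# rights exists for the scan group and whether it can reach child objects.
$Group = 'Greenbone Local Scan'   # group name from the post
$Paths = @(                       # illustrative sample paths (assumption)
    "$env:SystemDrive\", "$env:SystemDrive\Windows", "$env:SystemDrive\Program Files",
    'HKLM:\', 'HKLM:\SOFTWARE', 'HKLM:\SYSTEM'
)

function Get-DenyWriteCoverage {
    param([string]$Path, [string]$Group)

    $acl   = Get-Acl -Path $Path -ErrorAction Stop
    $isReg = $acl -is [System.Security.AccessControl.RegistrySecurity]

    # Write-type bits: filesystem Write, or registry SetValue + CreateSubKey
    $mask = if ($isReg) {
        [int]([System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey')
    } else {
        [int][System.Security.AccessControl.FileSystemRights]::Write
    }

    $hits = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Deny') { continue }
        # Match the group with or without a DOMAIN\ prefix
        if (($ace.IdentityReference.Value -split '\\')[-1] -ne $Group) { continue }
        $rights = if ($isReg) { [int]$ace.RegistryRights } else { [int]$ace.FileSystemRights }
        if ($rights -band $mask) { $ace }
    }

    [pscustomobject]@{
        Path               = $Path
        DenyWrite          = [bool]$hits                               # any matching Deny ACE here
        AceInherited       = [bool]($hits | Where-Object IsInherited)   # came from a parent
        AceFlowsToChildren = [bool]($hits | Where-Object { $_.InheritanceFlags -ne 'None' })
        InheritanceBlocked = $acl.AreAccessRulesProtected               # object ignores parent ACEs
    }
}

foreach ($p in $Paths) {
    try   { Get-DenyWriteCoverage -Path $p -Group $Group }
    catch { Write-Warning "Cannot read ACL of ${p}: $($_.Exception.Message)" }
}
```

A root row with DenyWrite = True and AceFlowsToChildren = False, followed by child rows with DenyWrite = False, matches the behaviour described in the post. InheritanceBlocked = True on a child means that object would not pick up the entry even if the root ACE were set to propagate.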