home *** CD-ROM | disk | FTP | other *** search
/ PC World Komputer 2010 April / PCWorld0410.iso / WindowsServerTrial / server.iso / sources / boot.wim / 1 / Windows / inf / defltbase.inf < prev    next >
Windows Setup INFormation  |  2008-01-18  |  46KB  |  416 lines

  1.  ■; Copyright (c) Microsoft Corporation.  All rights reserved.
  2. ;
  3. ; Security Configuration Template for Security Configuration Editor
  4. ;
  5. ; Template Name:        DefltWK.INF
  6. ; Template Version:     05.10.DW.0000
  7. ;
  8. ; Default Security for Vista
  9. [Profile Description]
  10. %SCEDefltWKProfileDescription%
  11. [version]
  12. signature="$CHICAGO$"
  13. revision=1
  14. DriverVer=06/21/2006,6.0.6001.18000
  15. [System Access]
  16. ;----------------------------------------------------------------
  17. ;Account Policies - Password Policy
  18. ;----------------------------------------------------------------
  19. MinimumPasswordAge = 0
  20. MaximumPasswordAge = 42
  21. MinimumPasswordLength = 0
  22. PasswordComplexity = 0
  23. PasswordHistorySize = 0
  24. RequireLogonToChangePassword = 0
  25. ClearTextPassword = 0
  26. LSAAnonymousNameLookup = 0
  27. EnableGuestAccount = 0
  28. EnableAdminAccount = 0
  29. ;----------------------------------------------------------------
  30. ;Account Policies - Lockout Policy
  31. ;----------------------------------------------------------------
  32. LockoutBadCount = 0
  33. ;ResetLockoutCount = 30
  34. ;LockoutDuration = 30
  35. ;----------------------------------------------------------------
  36. ;Local Policies - Security Options
  37. ;----------------------------------------------------------------
  38. ;DC Only
  39. ;ForceLogoffWhenHourExpire = 0
  40. ;NewAdministatorName =
  41. ;NewGuestName =
  42. ;----------------------------------------------------------------
  43. ;Event Log - Log Settings
  44. ;----------------------------------------------------------------
  45. ;Audit Log Retention Period:
  46. ;0 = Overwrite Events As Needed
  47. ;1 = Overwrite Events As Specified by Retention Days Entry
  48. ;2 = Never Overwrite Events (Clear Log Manually)
  49. [System Log]
  50. MaximumLogSize = 20480
  51. AuditLogRetentionPeriod = 0
  52. ;RetentionDays = 7
  53. RestrictGuestAccess = 1
  54. [Security Log]
  55. MaximumLogSize = 20480
  56. AuditLogRetentionPeriod = 0
  57. ;RetentionDays = 7
  58. RestrictGuestAccess = 1
  59. [Application Log]
  60. MaximumLogSize = 20480
  61. AuditLogRetentionPeriod = 0
  62. ;RetentionDays = 7
  63. RestrictGuestAccess = 1
  64. ;----------------------------------------------------------------
  65. ;Registry Values
  66. ;----------------------------------------------------------------
  67. [Registry Values]
  68. ; Registry value name in full path = Type, Value
  69. ; REG_SZ                      ( 1 )
  70. ; REG_EXPAND_SZ               ( 2 )  // with environment variables to expand
  71. ; REG_BINARY                  ( 3 )
  72. ; REG_DWORD                   ( 4 )
  73. ; REG_MULTI_SZ                ( 7 )
  74. MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects=4,0
  75. MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail=4,0
  76. MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds=4,0
  77. MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,0
  78. MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest=4,0
  79. MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\Enabled=4,0
  80. MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing=3,0
  81. MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
  82. MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,3
  83. MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec=4,0
  84. MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec=4,0
  85. MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
  86. MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
  87. MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
  88. ;Domain Controllers Only
  89. ;MACHINE\System\CurrentControlSet\Control\Lsa\SubmitControl=4,0
  90. MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers=4,0
  91. MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive=4,1
  92. MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,0
  93. MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode=4,1
  94. MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,0
  95. MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,0
  96. MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogOff=4,1
  97. MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect=4,15
  98. MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RestrictNullSessAccess=4,1
  99. MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature=4,1
  100. MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature=4,0
  101. MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword=4,0
  102. MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity=4,1
  103. MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange=4,0
  104. MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge=4,30
  105. MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel=4,1
  106. MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel=4,1
  107. MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal=4,1
  108. MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey=4,0
  109. ;Potential to take on different values during and after setup
  110. ;MACHINE\Software\Microsoft\Driver Signing\Policy=3,1
  111. ;MACHINE\Software\Microsoft\Non-Driver Signing\Policy=3,0
  112. ;MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,1
  113. MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,0
  114. MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption=1,""
  115. MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=7,""
  116. MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ScForceOption=4,0
  117. MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon=4,1
  118. MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UndockWithoutLogon=4,1
  119. MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel=4,0
  120. MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand=4,0
  121. MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,10
  122. MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon=4,0
  123. MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning=4,14
  124. MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption=1,0
  125. MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\AuthenticodeEnabled=4,0
  126. ; remove lsarpc, samr and netlogon from anonymously accessible pipes
  127. MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\NullSessionPipes=8,Remove:,lsarpc,samr,netlogon
  128. ;----------------------------------------------------------------------
  129. ;   Privileges & Rights
  130. ;----------------------------------------------------------------------
  131. ;
  132. ;World                          S-1-1-0
  133. ;
  134. ;NT Authority                   S-1-5
  135. ;LOCAL_SERVICE                  19
  136. ;NETWORK_SERVICE                20
  137. ;
  138. ;Built-In Domain SubAuthority = S-1-5-32
  139. ;ADMINISTRATORS                 544
  140. ;USERS                          545
  141. ;GUESTS                         546
  142. ;POWER_USERS (DEPRECATED) 
  143. ;ACCOUNT_OPS                    548
  144. ;SYSTEM_OPS                     549
  145. ;PRINT_OPS                      550
  146. ;BACKUP_OPS                     551
  147. ;REPLICATOR                     552
  148. ;RAS_SERVERS                    553
  149. ;PREW2KCOMPACCESS               554
  150. ;REMOTE_DESKTOP_USERS           555
  151. ;NETWORK_CONFIGURATION_OPS      556
  152. ;LOGGING_USERS                  559
  153. [Privilege Rights]
  154. SeAssignPrimaryTokenPrivilege = *S-1-5-19, *S-1-5-20
  155. SeAuditPrivilege = *S-1-5-19, *S-1-5-20
  156. SeBatchLogonRight = *S-1-5-32-544, *S-1-5-32-551, *S-1-5-32-559
  157. SeBackupPrivilege = *S-1-5-32-544, *S-1-5-32-551
  158. SeChangeNotifyPrivilege = *S-1-5-32-544, *S-1-5-32-551, *S-1-5-32-545, *S-1-1-0, *S-1-5-19, *S-1-5-20
  159. SeCreateGlobalPrivilege = *S-1-5-6, *S-1-5-32-544, *S-1-5-19, *S-1-5-20
  160. SeCreatePagefilePrivilege = *S-1-5-32-544
  161. SeCreatePermanentPrivilege =
  162. SeCreateSymbolicLinkPrivilege = *S-1-5-32-544
  163. SeCreateTokenPrivilege =
  164. SeDebugPrivilege = *S-1-5-32-544
  165. SeImpersonatePrivilege = *S-1-5-6, *S-1-5-32-544, *S-1-5-19, *S-1-5-20
  166. SeIncreaseBasePriorityPrivilege = *S-1-5-32-544
  167. SeIncreaseQuotaPrivilege = *S-1-5-32-544, *S-1-5-19, *S-1-5-20
  168. SeIncreaseWorkingSetPrivilege = *S-1-5-32-545
  169. SeInteractiveLogonRight = *S-1-5-32-544, *S-1-5-32-551, *S-1-5-32-545, &-501
  170. SeLoadDriverPrivilege = *S-1-5-32-544
  171. SeLockMemoryPrivilege =
  172. SeMachineAccountPrivilege =
  173. SeManageVolumePrivilege = *S-1-5-32-544
  174. SeNetworkLogonRight = *S-1-5-32-544, *S-1-5-32-551, *S-1-5-32-545, *S-1-1-0
  175. SeProfileSingleProcessPrivilege = *S-1-5-32-544
  176. SeRemoteInteractiveLogonRight = *S-1-5-32-544, *S-1-5-32-555
  177. SeRemoteShutdownPrivilege = *S-1-5-32-544
  178. SeRestorePrivilege = *S-1-5-32-544, *S-1-5-32-551
  179. SeSecurityPrivilege = *S-1-5-32-544
  180. SeServiceLogonRight =
  181. SeShutdownPrivilege = *S-1-5-32-544, *S-1-5-32-551, *S-1-5-32-545
  182. SeSystemEnvironmentPrivilege = *S-1-5-32-544
  183. SeSystemProfilePrivilege = *S-1-5-32-544
  184. SeSystemTimePrivilege = *S-1-5-32-544,  *S-1-5-19
  185. SeTakeOwnershipPrivilege = *S-1-5-32-544
  186. SeTcbPrivilege =
  187. SeTimeZonePrivilege = *S-1-5-32-544, *S-1-5-19, *S-1-5-32-545
  188. ;
  189. SeDenyInteractiveLogonRight = &-501
  190. SeDenyBatchLogonRight =
  191. SeDenyServiceLogonRight =
  192. SeDenyNetworkLogonRight = &-501
  193. SeDenyRemoteInteractiveLogonRight =
  194. ;
  195. SeUndockPrivilege = *S-1-5-32-544,  *S-1-5-32-545
  196. SeSyncAgentPrivilege =
  197. SeEnableDelegationPrivilege =
  198. [Group Membership]
  199. *S-1-5-32-545__Memberof =
  200. *S-1-5-32-545__Members = *S-1-5-11,*S-1-5-4
  201. [Service General Setting]
  202. ;Note: startup type should not be configured during setup\dcpromo.
  203. Browser,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  204. ;TrkWks,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  205. ;Dnscache,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;NO)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  206. ;PolicyAgent,,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  207. dmserver,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  208. ;PlugPlay,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  209. ;Spooler,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  210. ;ProtectedStorage,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  211. ;RpcSs,,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLO;;;IU)(A;;CCLCSWRPLO;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  212. NtmsSvc,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  213. ;seclogon,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  214. SamSs,,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLO;;;IU)(A;;CCLCSWLO;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  215. ;lanmanserver,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  216. ;SENS,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  217. ;Schedule,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  218. Sysmonlog,,"D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCRPLOCR;;;LU)S:AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  219. ;LmHosts,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  220. ;LanmanWorkstation,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  221. ;RemoteRegistry,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  222. ClipSrv,,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLO;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  223. NetDDE,,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLO;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  224. NetDDEdsdm,,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLO;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  225. ;EventSystem,,"D:(A;;CCLCSWRPLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  226. ;Not autostarted if machine is standalone
  227. ;Netlogon,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  228. ;W32Time,,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLO;;;IU)(A;;CCLCSWRPLO;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  229. ;Server Only Services
  230. ;Dfs,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  231. ;LicenseService,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  232. ;IIS Specific Services - Leave them alone
  233. ;IISADMIN,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  234. ;W3SVC,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  235. ;MSFTPSVC,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  236. ;SMTPSVC,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  237. [Registry Keys]
  238. "MACHINE\Software",0,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  239. "MACHINE\SOFTWARE\Classes",0,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  240. "MACHINE\SOFTWARE\Classes\.hlp",2,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  241. "MACHINE\SOFTWARE\MICROSOFT\DRM",0,"D:P(D;CIOI;GA;;;BG)(D;CIOI;GA;;;LG)(A;;0x1e01ff;;;WD)(A;OICIIO;GA;;;WD)(A;;GA;;;SY)S:(ML;;0x1;;;LW)"
  242. "MACHINE\Software\Microsoft\EventSystem",1,"D:AR"
  243. ;The following keys do not exist when we run
  244. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy",1,"D:AR"
  245. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies",1,"D:AR"
  246. "MACHINE\System",0,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  247. "MACHINE\SYSTEM\Clone",1,"D:AR"
  248. "MACHINE\SYSTEM\ControlSet001",1,"D:AR"
  249. "MACHINE\SYSTEM\ControlSet002",1,"D:AR"
  250. "MACHINE\SYSTEM\ControlSet003",1,"D:AR"
  251. "MACHINE\SYSTEM\ControlSet004",1,"D:AR"
  252. "MACHINE\SYSTEM\ControlSet005",1,"D:AR"
  253. "MACHINE\SYSTEM\ControlSet006",1,"D:AR"
  254. "MACHINE\SYSTEM\ControlSet007",1,"D:AR"
  255. "MACHINE\SYSTEM\ControlSet008",1,"D:AR"
  256. "MACHINE\SYSTEM\ControlSet009",1,"D:AR"
  257. "MACHINE\SYSTEM\ControlSet010",1,"D:AR"
  258. "MACHINE\SYSTEM\CurrentControlSet\Control\Class",0,"D:AR"
  259. "MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts",2,"D:(A;CI;GR;;;WD)"
  260. "MACHINE\SYSTEM\CurrentControlSet\Control\LSA\JD",2,"D:P(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  261. "MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Skew1",2,"D:P(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  262. "MACHINE\SYSTEM\CurrentControlSet\Control\LSA\GBG",2,"D:P(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  263. "MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Data",2,"D:P(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  264. "MACHINE\SYSTEM\CurrentControlSet\Control\Nsi",2,"D:P(A;CI;KR;;;BU)(A;CI;KA;;;BA)(A;CI;KA;;;SY)(A;CI;CCDCLCSWRPWPSDRC;;;NS)(A;CI;CCDCLCSWRPWPSDRC;;;LS)(A;CI;CCDCLCSWRPSDRC;;;NO)(A;CI;CCDCLCSWRPWPSDRC;;;S-1-5-80-2940520708-3855866260-481812779-327648279-1710889582)(A;CIIO;RC;;;S-1-3-4)"
  265. "MACHINE\SYSTEM\CurrentControlSet\Control\Nsi\{eb004a00-9b1a-11d4-9123-0050047759bc}\4",2,"D:P(A;CI;CCDCLCSWRPRC;;;AU)(A;CI;CCDCLCSWRPWPSDRC;;;LS)(A;CI;CCDCLCSWRPWPSDRC;;;NS)((A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CIIO;RC;;;S-1-3-4)"
  266. "MACHINE\SYSTEM\CurrentControlSet\Control\Nsi\{eb004a01-9b1a-11d4-9123-0050047759bc}\4",2,"D:P(A;CI;CCDCLCSWRPRC;;;AU)(A;CI;CCDCLCSWRPWPSDRC;;;LS)(A;CI;CCDCLCSWRPWPSDRC;;;NS)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CIIO;RC;;;S-1-3-4)"
  267. "MACHINE\SYSTEM\CurrentControlSet\Control\Nsi\{eb004a1C-9b1a-11d4-9123-0050047759bc}\0",2,"D:P(A;CI;CCDCLCSWRPRC;;;AU)(A;CI;CCDCLCSWRPWPSDRC;;;LS)(A;CI;CCDCLCSWRPWPSDRC;;;NS)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CIIO;RC;;;S-1-3-4)"
  268. "MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Security",2,"D:P(A;CI;GR;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CIOI;GA;;;S-1-5-80-880578595-1860270145-482643319-2788375705-1540778122)"
  269. ;Set security subkey permissions for those services created via default hives
  270. "MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  271. "MACHINE\SYSTEM\CurrentControlSet\Services\SCardSvr\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  272. "MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config",2,"D:(A;CI;GRGWSD;;;LS)"
  273. "MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders",2,"D:(A;CI;GRGWSD;;;LS)"
  274. ;Set security subkey permissions for those services created in GUI-mode setup before SCE runs
  275. "MACHINE\SYSTEM\CurrentControlSet\Services\STISvc\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  276. "MACHINE\SYSTEM\CurrentControlSet\Services\SysmonLog\Log Queries",2,"D:(A;CI;GA;;;NS)(A;CI;CCDCLCSWSDRC;;;LU)"
  277. "MACHINE\SYSTEM\CurrentControlSet\Enum",1,"D:AR"
  278. "MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles",1,"D:AR"
  279. "USERS\.DEFAULT",2,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  280. "USERS\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\ProtectedRoots",1,"D:AR"
  281. [File Security]
  282. ;---------------------------------------------------------------------------------------------
  283. ;ProgramFiles
  284. ;---------------------------------------------------------------------------------------------
  285. ;Need to use the SceInfProgramFiles environment var to handle the Win9x upgrade case which is treated like clean-install
  286. ;"%SystemDrive%\%SCEInfProgramFiles%",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  287. "%SceInfCommonProgramFiles%\SpeechEngines\Microsoft\TTS",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  288. ;---------------------------------------------------------------------------------------------
  289. ;Win64 ProgramFiles Directory
  290. ;---------------------------------------------------------------------------------------------
  291. ;@6:"%SceInfProgramFilesx86%",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  292. ;---------------------------------------------------------------------------------------------
  293. ; ProgramData Folder (Typically \ProgramData)
  294. ;---------------------------------------------------------------------------------------------
  295. "%PROGRAMDATA%\Microsoft\Windows\DRM",0,"D:P(D;CIOI;GA;;;BG)(D;CIOI;GA;;;LG)(A;;0x1e01ff;;;WD)(A;OICIIO;GA;;;WD)(A;;GA;;;SY)S:(ML;;0x1;;;LW)"
  296. "%PROGRAMDATA%\Microsoft\Windows\DRM\Cache",0,"D:P(D;CIOI;GA;;;BG)(D;CIOI;GA;;;LG)(A;;0x1e01ff;;;WD)(A;OICIIO;GA;;;WD)(A;;GA;;;SY)S:(ML;;0x1;;;LW)"
  297. ;---------------------------------------------------------------------------------------------
  298. ;System Root (Typically \WINDOWS)
  299. ;---------------------------------------------------------------------------------------------
  300. ;"%SystemRoot%",0,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  301. ;---------------------------------------------------------------------------------------------
  302. ;System Directory (Typically \Windows\System32)
  303. ;---------------------------------------------------------------------------------------------
  304. ;"%SystemDirectory%",0,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  305. ;"%SystemDirectory%\config\systemprofile",1,"D:P(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)"
  306. ;Directories with no legacy to preserve. Different from parent.
  307. "%SystemDirectory%\wbem\mof",2,"D:P(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  308. ;Directories that do not exist when security applied during clean-install - Creator specifies directory security.
  309. ;We explicitly ignore so as not to whack the component-specified DIRECTORY security on upgrade or reapplication of defaults.
  310. "%SystemDirectory%\appmgmt",1,"D:AR"
  311. ; Directories that might not exist when security is applied; but are listed here
  312. ; so that they get secured correctly on converting the file system to NTFS
  313. "%SystemDirectory%\Windows media",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGWGXSD;;;NS)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  314. ;-----------------------------------------------------------------------------------------
  315. ; SysWOW64 directories
  316. ;-----------------------------------------------------------------------------------------
  317. ;-----------------------------------------------------------------------------------------
  318. ;Individual File Settings.
  319. ;-----------------------------------------------------------------------------------------
  320. "%Systemroot%\repair\default",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  321. "%Systemroot%\repair\ntuser.dat",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  322. "%Systemroot%\repair\sam",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  323. "%Systemroot%\repair\security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  324. "%Systemroot%\repair\software",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  325. "%Systemroot%\repair\system",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  326. [Strings]
  327. SceInfAdministrator = "Administrator"
  328. SceInfAcountOp = "Account Operators"
  329. SceInfAuthUsers = "Authenticated Users"
  330. SceInfInteractive = "INTERACTIVE"
  331. SceInfDomainAdmins = "Domain Admins"
  332. SceInfDomainGuests = "Domain Guests"
  333. SceInfDomainUsers = "Domain Users"
  334. SceInfEveryone = "Everyone"
  335. SceInfGuests = "Guests"
  336. SceInfGuest = "Guest"
  337. SceInfUsers = "Users"
  338. SceInfLocalService = "Local Service"
  339. SceInfNetworkService = "Network Service"
  340. SceInfRemoteDesktopUsers = "Remote Desktop Users"
  341. SceInfProgramFiles = "%ProgramFiles%"
  342. SceInfProgramFilesx86 = "%ProgramFiles(x86)%"
  343. SceInfCommonProgramFiles = "%CommonProgramFiles%"
  344. SCEInfSysdir1 = "edit.com"
  345. SCEInfSysdir2 = "edit.hlp"
  346. SCEInfHelp1 = "signin.hlp"
  347.