home *** CD-ROM | disk | FTP | other *** search
/ PC World Komputer 2010 April / PCWorld0410.iso / WindowsServerTrial / server.iso / sources / boot.wim / 2 / Windows / inf / dwup.inf < prev    next >
Windows Setup INFormation  |  2008-01-18  |  39KB  |  331 lines
  1.  ■; Copyright (c) Microsoft Corporation.  All rights reserved.
  2. ;
  3. ; Security Configuration Template for Security Configuration Editor
  4. ;
  5. ; Template Name:        DWUp.INF
  6. ; Template Version:     05.10.DK.0000
  7. ;
  8. ; Default Security Settings applied on Professional Upgrade
  11. [Profile Description]
  12. %SCEDWUpProfileDescription%
  14. [version]
  15. signature="$CHICAGO$"
  16. revision=1
  17. DriverVer=06/21/2006,6.0.6001.18000
  19. [System Access]
  20. LSAAnonymousNameLookup = 0
  21. EnableAdminAccount = 0
  23. ;----------------------------------------------------------------
  24. ;Event Log - Log Settings
  25. ;----------------------------------------------------------------
  27. [System Log]
  28. RestrictGuestAccess = 1
  30. [Security Log]
  31. RestrictGuestAccess = 1
  33. [Application Log]
  34. RestrictGuestAccess = 1
  36. ;----------------------------------------------------------------
  37. ;Registry Values
  38. ;----------------------------------------------------------------
  39. [Registry Values]
  40. ;On upgrade (NT4 or 5), we can only set those registry values that meet the following criteria:
  41. ;a. value known not to exist on previous versions OR
  42. ;b. default setting has changed from less secure (NT4) to more secure (Win2k+) OR
  43. ;c. PERsonal-specific settings that should be set differently on PRO
  44. ;Note PER to PRO upgrade is feasible unlike PRO to SRv.  We assume default reg values for PER remain unchanged.
  47. MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UndockWithoutLogon=4,1
  49. MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds=4,0
  50. MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,0
  51. MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\Enabled=4,0
  52. MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest=4,0
  53. MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,3
  54. MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
  55. MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
  57. MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine=8,Add:,Software\Microsoft\Windows NT\CurrentVersion\Print,Software\Microsoft\Windows NT\CurrentVersion\Windows,Remove:,System\CurrentControlSet\Control\ProductOptions,System\CurrentControlSet\Control\Server Applications,Software\Microsoft\Windows NT\CurrentVersion
  58. MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths\Machine=8,Add:,System\CurrentControlSet\Control\ProductOptions,System\CurrentControlSet\Control\Server Applications,Software\Microsoft\Windows NT\CurrentVersion
  60. MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive=4,1
  61. MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode=4,1
  63. MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RestrictNullSessAccess=4,1
  65. MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity=4,1
  67. MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal=4,1
  69. ; remove lsarpc, samr and netlogon from anonymously accessible pipes
  70. MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\NullSessionPipes=8,Remove:,lsarpc,samr,netlogon
  72. ;We cannot set the following values which were new for Win2k, because
  73. ;Win2k customers may have already configured them differently.
  74. ;Therefore, the following may not be configured on NT4 upgrade.
  75. ;
  76. ;MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel=4,0
  77. ;MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand=4,0
  78. ;MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption=1,0
  80. [Privilege Rights]
  81. ;
  82. ;World                          S-1-1-0
  83. ;
  84. ;NT Authority                   S-1-5
  85. ;LOCAL_SERVICE                  19
  86. ;NETWORK_SERVICE                20
  87. ;
  88. ;Built-In Domain SubAuthority = S-1-5-32
  89. ;ADMINISTRATORS                 544
  90. ;USERS                          545
  91. ;GUESTS                         546
  92. ;POWER_USERS (DEPRECATED)
  93. ;ACCOUNT_OPS                    548
  94. ;SYSTEM_OPS                     549
  95. ;PRINT_OPS                      550
  96. ;BACKUP_OPS                     551
  97. ;REPLICATOR                     552
  98. ;RAS_SERVERS                    553
  99. ;PREW2KCOMPACCESS               554
  100. ;REMOTE_DESKTOP_USERS           555
  101. ;NETWORK_CONFIGURATION_OPS      556
  102. ;LOGGING_USERS                  559
  104. SeAssignPrimaryTokenPrivilege = Add:, *S-1-5-19, *S-1-5-20
  105. SeAuditPrivilege = Add:, *S-1-5-19, *S-1-5-20
  106. SeBatchLogonRight = Add:, *S-1-5-32-544, *S-1-5-32-551, *S-1-5-32-559
  107. SeChangeNotifyPrivilege = Add:, *S-1-5-19, *S-1-5-20
  108. SeCreateGlobalPrivilege = Add:, *S-1-5-6, *S-1-5-32-544, *S-1-5-19, *S-1-5-20, Remove:, *S-1-5-4
  109. SeCreateSymbolicLinkPrivilege = Add:, *S-1-5-32-544
  110. SeImpersonatePrivilege = Add:, *S-1-5-6, *S-1-5-32-544, *S-1-5-19, *S-1-5-20
  111. ;SeIncreaseBasePriorityPrivilege = Remove:, *S-1-5-32-547
  112. SeIncreaseQuotaPrivilege = Add:, *S-1-5-19, *S-1-5-20
  113. SeIncreaseWorkingSetPrivilege = Add:, *S-1-5-32-545
  114. SeManageVolumePrivilege = Add:, *S-1-5-32-544
  115. SeRemoteInteractiveLogonRight = Add:, *S-1-5-32-544, *S-1-5-32-555
  116. ;SeRemoteShutdownPrivilege = Remove:, *S-1-5-32-547
  117. SeSystemTimePrivilege = Add:, *S-1-5-19, Remove:, *S-1-5-20
  118. SeTimeZonePrivilege = Add:, *S-1-5-32-544, *S-1-5-19, *S-1-5-32-545
  119. SeUndockPrivilege = Add:, *S-1-5-32-544
  121. ;[Group Membership]
  122. ;During upgrade, use net api's to
  123. ;1 - add Authenticated Users and Interactive into the Users group
  125. [Service General Setting]
  126. ;Note: startup type should not be configured during setup\dcpromo.
  127. Browser,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  128. ;TrkWks,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  129. ;Dnscache,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;NO)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  130. ;PolicyAgent,,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  131. dmserver,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  132. ;PlugPlay,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  133. ;Spooler,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  134. ;ProtectedStorage,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  135. ;RpcSs,,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLO;;;IU)(A;;CCLCSWRPLO;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  136. NtmsSvc,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  137. ;seclogon,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  138. SamSs,,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLO;;;IU)(A;;CCLCSWLO;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  139. ;lanmanserver,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  140. ;SENS,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  141. ;Schedule,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  142. Sysmonlog,,"D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCRPLOCR;;;LU)S:AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  143. ;LmHosts,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  144. ;LanmanWorkstation,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  145. ;RemoteRegistry,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  147. ClipSrv,,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLO;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  148. NetDDE,,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLO;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  149. NetDDEdsdm,,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLO;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  150. ;EventSystem,,"D:(A;;CCLCSWRPLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  152. ;Not autostarted if machine is standalone
  153. ;Netlogon,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  154. ;W32Time,,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLO;;;IU)(A;;CCLCSWRPLO;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  156. ;Server Only Services
  157. ;Dfs,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  158. ;LicenseService,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  160. ;IIS Specific Services - Leave them alone
  161. ;IISADMIN,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  162. ;W3SVC,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  163. ;MSFTPSVC,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  164. ;SMTPSVC,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  167. [Registry Keys]
  169. "MACHINE\Software",0,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  171. ;Same as parent, but this is the target of a symlink - set explicitly.
  172. "MACHINE\SOFTWARE\Classes",0,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  173. "MACHINE\SOFTWARE\Classes\.hlp",2,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  175. "MACHINE\SOFTWARE\MICROSOFT\DRM",0,"D:P(D;CIOI;GA;;;BG)(D;CIOI;GA;;;LG)(A;;0x1e01ff;;;WD)(A;OICIIO;GA;;;WD)(A;;GA;;;SY)S:(ML;;0x1;;;LW)"
  177. "MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates",2,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  178. "MACHINE\SOFTWARE\Microsoft\OLAP Server\CurrentVersion\SECURITY",1,"D:AR"
  180. "MACHINE\SOFTWARE\Microsoft\Windows",0,"D:AR"
  182. ;The following keys do not exist when we run
  183. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy",1,"D:AR"
  184. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer",1,"D:AR"
  185. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies",1,"D:AR"
  187. "MACHINE\SOFTWARE\Microsoft\Windows NT",0,"D:AR"
  189. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing",2,"D:P(A;CI;GRGWSD;;;LS)(A;CI;GRGWSD;;;NS)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  191. "MACHINE\System",0,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  193. "MACHINE\SYSTEM\Clone",1,"D:AR"
  195. "MACHINE\SYSTEM\ControlSet001",1,"D:AR"
  196. "MACHINE\SYSTEM\ControlSet002",1,"D:AR"
  197. "MACHINE\SYSTEM\ControlSet003",1,"D:AR"
  198. "MACHINE\SYSTEM\ControlSet004",1,"D:AR"
  199. "MACHINE\SYSTEM\ControlSet005",1,"D:AR"
  200. "MACHINE\SYSTEM\ControlSet006",1,"D:AR"
  201. "MACHINE\SYSTEM\ControlSet007",1,"D:AR"
  202. "MACHINE\SYSTEM\ControlSet008",1,"D:AR"
  203. "MACHINE\SYSTEM\ControlSet009",1,"D:AR"
  204. "MACHINE\SYSTEM\ControlSet010",1,"D:AR"
  206. "MACHINE\SYSTEM\CurrentControlSet\Control\Class",1,"D:AR"
  208. "MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts",2,"D:(A;CI;GR;;;WD)"
  209. "MACHINE\SYSTEM\CurrentControlSet\Control\LSA\JD",2,"D:P(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  210. "MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Skew1",2,"D:P(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  211. "MACHINE\SYSTEM\CurrentControlSet\Control\LSA\GBG",2,"D:P(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  212. "MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Data",2,"D:P(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  213. "MACHINE\SYSTEM\CurrentControlSet\Control\Nsi",2,"D:P(A;CI;KR;;;BU)(A;CI;KA;;;BA)(A;CI;KA;;;SY)(A;CI;CCDCLCSWRPWPSDRC;;;NS)(A;CI;CCDCLCSWRPWPSDRC;;;LS)(A;CI;CCDCLCSWRPSDRC;;;NO)(A;CI;CCDCLCSWRPWPSDRC;;;S-1-5-80-2940520708-3855866260-481812779-327648279-1710889582)(A;CIIO;RC;;;S-1-3-4)"
  214. "MACHINE\SYSTEM\CurrentControlSet\Control\Nsi\{eb004a00-9b1a-11d4-9123-0050047759bc}\4",2,"D:P(A;CI;CCDCLCSWRPRC;;;AU)(A;CI;CCDCLCSWRPWPSDRC;;;LS)(A;CI;CCDCLCSWRPWPSDRC;;;NS)((A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CIIO;RC;;;S-1-3-4)"
  215. "MACHINE\SYSTEM\CurrentControlSet\Control\Nsi\{eb004a01-9b1a-11d4-9123-0050047759bc}\4",2,"D:P(A;CI;CCDCLCSWRPRC;;;AU)(A;CI;CCDCLCSWRPWPSDRC;;;LS)(A;CI;CCDCLCSWRPWPSDRC;;;NS)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CIIO;RC;;;S-1-3-4)"
  216. "MACHINE\SYSTEM\CurrentControlSet\Control\Nsi\{eb004a1C-9b1a-11d4-9123-0050047759bc}\0",2,"D:P(A;CI;CCDCLCSWRPRC;;;AU)(A;CI;CCDCLCSWRPWPSDRC;;;LS)(A;CI;CCDCLCSWRPWPSDRC;;;NS)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CIIO;RC;;;S-1-3-4)"
  218. "MACHINE\SYSTEM\CurrentControlSet\Enum",1,"D:AR"
  219. "MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles",1,"D:AR"
  221. ;Don't whack more restrictive security subkeys.
  222. "MACHINE\SYSTEM\CurrentControlSet\Services",0,"D:AR"
  224. ;Set security subkey permissions for those services created via default hives
  225. "MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  226. "MACHINE\SYSTEM\CurrentControlSet\Services\SCardSvr\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  228. ;Set security subkey permissions for those services created in GUI-mode setup before SCE runs
  229. "MACHINE\SYSTEM\CurrentControlSet\Services\STISvc\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  231. "MACHINE\SYSTEM\CurrentControlSet\Services\SysmonLog\Log Queries",2,"D:(A;CI;GA;;;NS)(A;CI;CCDCLCSWSDRC;;;LU)"
  233. "USERS\.DEFAULT",2,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  234. "USERS\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\ProtectedRoots",1,"D:AR"
  236. [File Security]
  239. ;---------------------------------------------------------------------------------------
  240. ;System Drive
  241. ;---------------------------------------------------------------------------------------
  242. ; Directories that might not exist when security is applied; but are listed here
  243. ; so that they get secured correctly on converting the file system to NTFS
  244. "%SystemDrive%\perflogs",2,"D:P(A;CIOI;GRGX;;;MU)(A;CIOI;GRGWGXSDRC;;;NS)(A;CIOI;GRGWGXSDRC;;;LU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  245. "%SystemDrive%\System Volume Information",2,"D:P(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  248. ;---------------------------------------------------------------------------------------------
  249. ;ProgramFiles
  250. ;---------------------------------------------------------------------------------------------
  251. "%SceInfCommonProgramFiles%\SpeechEngines\Microsoft\TTS",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  253. ;---------------------------------------------------------------------------------------------
  254. ;Win64 ProgramFiles Directory
  255. ;---------------------------------------------------------------------------------------------
  256. ;@6:"%SceInfProgramFilesx86%",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  258. ;---------------------------------------------------------------------------------------------
  259. ; ProgramData Folder (Typically \ProgramData)
  260. ;---------------------------------------------------------------------------------------------
  261. "%PROGRAMDATA%\Microsoft\Windows\DRM",0,"D:P(D;CIOI;GA;;;BG)(D;CIOI;GA;;;LG)(A;;0x1e01ff;;;WD)(A;OICIIO;GA;;;WD)(A;;GA;;;SY)S:(ML;;0x1;;;LW)"
  262. "%PROGRAMDATA%\Microsoft\Windows\DRM\Cache",0,"D:P(D;CIOI;GA;;;BG)(D;CIOI;GA;;;LG)(A;;0x1e01ff;;;WD)(A;OICIIO;GA;;;WD)(A;;GA;;;SY)S:(ML;;0x1;;;LW)"
  264. ;---------------------------------------------------------------------------------------------
  265. ;System Root (Typically \WINDOWS)
  266. ;---------------------------------------------------------------------------------------------
  267. ;Profile for LocalService and NetworkService, moved from Users in Longhorn, creator specifies security
  268. "%SystemRoot%\ServiceProfiles\LocalService",1,"D:P(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;LS)"
  269. "%SystemRoot%\ServiceProfiles\NetworkService",1,"D:P(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;NS)"
  271. ;---------------------------------------------------------------------------------------------
  272. ;System Directory (Typically \Windows\System32)
  273. ;---------------------------------------------------------------------------------------------
  274. ;Profile for system account - moved from Docs and Settings in Whistler. Creator specifies security.
  275. ;"%SystemDirectory%\config\systemprofile",1,"D:P(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)"
  277. ;Directories with no legacy to preserve. Different from parent.
  278. "%SystemDirectory%\wbem\mof",2,"D:P(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  281. ;Directories that do not exist when security applied during clean-install - Creator specifies directory security.
  282. ;We explicitly ignore so as not to whack the component-specified DIRECTORY security on upgrade or reapplication of defaults.
  283. "%SystemDirectory%\appmgmt",1,"D:AR"
  286. ; Directories that might not exist when security is applied; but are listed here
  287. ; so that they get secured correctly on converting the file system to NTFS
  288. "%SystemDirectory%\Windows media",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGWGXSD;;;NS)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  291. ;-----------------------------------------------------------------------------------------
  292. ; SysWOW64 directories
  293. ;-----------------------------------------------------------------------------------------
  296. ;-----------------------------------------------------------------------------------------
  297. ;Individual File Settings.
  298. ;-----------------------------------------------------------------------------------------
  299. "%Systemroot%\repair\default",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  300. "%Systemroot%\repair\ntuser.dat",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  301. "%Systemroot%\repair\sam",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  302. "%Systemroot%\repair\security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  303. "%Systemroot%\repair\software",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  304. "%Systemroot%\repair\system",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  307. [Strings]
  309. SceInfAdministrator = "Administrator"
  310. SceInfAcountOp = "Account Operators"
  311. SceInfAuthUsers = "Authenticated Users"
  312. SceInfInteractive = "INTERACTIVE"
  313. SceInfDomainAdmins = "Domain Admins"
  314. SceInfDomainGuests = "Domain Guests"
  315. SceInfDomainUsers = "Domain Users"
  316. SceInfEveryone = "Everyone"
  317. SceInfGuests = "Guests"
  318. SceInfGuest = "Guest"
  319. SceInfUsers = "Users"
  320. SceInfLocalService = "Local Service"
  321. SceInfNetworkService = "Network Service"
  322. SceInfRemoteDesktopUsers = "Remote Desktop Users"
  323. SceInfProgramFiles = "%ProgramFiles%"
  324. SceInfProgramFilesx86 = "%ProgramFiles(x86)%"
  325. SceInfCommonProgramFiles = "%CommonProgramFiles%"
  326. SceDWUpProfileDescription = "Security applied to upgraded workstations"
  327. SCEInfSysdir1 = "edit.com"
  328. SCEInfSysdir2 = "edit.hlp"
  329. SCEInfHelp1 = "signin.hlp"
  330.