home *** CD-ROM | disk | FTP | other *** search
/ PC World Komputer 2010 April / PCWorld0410.iso / WindowsServerTrial / server.iso / sources / install.wim / 2 / Windows / inf / dsupt.inf < prev    next >
Windows Setup INFormation  |  2008-01-19  |  43KB  |  371 lines
  1.  ■; Copyright (c) Microsoft Corporation.  All rights reserved.
  2. ;
  3. ; Security Configuration Template for Security Configuration Editor
  4. ;
  5. ; Template Name:        DSUpT.INF
  6. ; Template Version:     05.10.DT.0000
  7. ;
  8. ; Default Security for Windows NT 5.1 Terminal Servers that have been:
  9. ; 1. Upgraded from NT4 Terminal Server OR
  10. ; 2. Upgraded from Win2k Terminal Server that was running in App Mode.
  11. ; NOT used to upgrade Win2k\Whistler Terminal Servers running in remote admin mode (DSUp.inf should be used for that)
  13. [Profile Description]
  14. %SCEDSUpProfileDescription%
  16. [version]
  17. signature="$CHICAGO$"
  18. revision=1
  19. DriverVer=06/21/2006,6.0.6001.18000
  21. [System Access]
  22. ;----------------------------------------------------------------
  23. ;Local Policies - Security Options
  24. ;----------------------------------------------------------------
  25. LSAAnonymousNameLookup = 0
  28. ;----------------------------------------------------------------
  29. ;Event Log - Log Settings
  30. ;----------------------------------------------------------------
  32. [System Log]
  33. RestrictGuestAccess = 1
  35. [Security Log]
  36. RestrictGuestAccess = 1
  38. [Application Log]
  39. RestrictGuestAccess = 1
  41. ;----------------------------------------------------------------
  42. ;Registry Values
  43. ;----------------------------------------------------------------
  44. [Registry Values]
  45. ;On upgrade, we can only set reg values that meet the following criteria:
  46. ;a.) value did not exist on previous releases
  47. ;b.) default setting was changed from a less secure to a more secure state
  49. MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UndockWithoutLogon=4,1
  51. MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds=4,0
  52. MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,0
  53. MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest=4,0
  54. MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\Enabled=4,0
  55. MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
  56. MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,3
  57. MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
  59. MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine=8,Add:,Software\Microsoft\Windows NT\CurrentVersion\Print,Software\Microsoft\Windows NT\CurrentVersion\Windows,Remove:,System\CurrentControlSet\Control\ProductOptions,System\CurrentControlSet\Control\Server Applications,Software\Microsoft\Windows NT\CurrentVersion
  60. MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths\Machine=8,Add:,System\CurrentControlSet\Control\ProductOptions,System\CurrentControlSet\Control\Server Applications,Software\Microsoft\Windows NT\CurrentVersion
  62. MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive=4,1
  63. MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode=4,1
  65. MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RestrictNullSessAccess=4,1
  67. MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity=4,1
  69. MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal=4,1
  71. ; remove lsarpc, samr and netlogon from anonymously accessible pipes
  72. MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\NullSessionPipes=8,Remove:,lsarpc,samr,netlogon
  74. ;We cannot set the following values which were new for Win2k, because
  75. ;Win2k customers may have already configured them differently.
  76. ;Therefore, the following may not be configured on upgrade from NT4.
  77. ;
  78. ;MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel=4,0
  79. ;MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand=4,0
  80. ;MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption=1,0
  83. [Privilege Rights]
  84. ;
  85. ;World                          S-1-1-0
  86. ;
  87. ;NT Authority                   S-1-5
  88. ;TERMINAL_SERVER                13
  89. ;LOCAL_SERVICE                  19
  90. ;NETWORK_SERVICE                20
  91. ;
  92. ;Built-In Domain SubAuthority = S-1-5-32
  93. ;ADMINISTRATORS                 544
  94. ;USERS                          545
  95. ;GUESTS                         546
  96. ;POWER_USERS  (DEPRECATED)
  97. ;ACCOUNT_OPS                    548
  98. ;SYSTEM_OPS                     549
  99. ;PRINT_OPS                      550
  100. ;BACKUP_OPS                     551
  101. ;REPLICATOR                     552
  102. ;RAS_SERVERS                    553
  103. ;PREW2KCOMPACCESS               554
  104. ;REMOTE_DESKTOP_USERS           555
  105. ;NETWORK_CONFIGURATION_OPS      556
  106. ;
  107. SeAssignPrimaryTokenPrivilege = Add:, *S-1-5-19, *S-1-5-20
  108. SeAuditPrivilege = Add:, *S-1-5-19, *S-1-5-20
  109. SeBatchLogonRight = Add:, *S-1-5-32-544, *S-1-5-32-551
  110. SeChangeNotifyPrivilege = Add:, *S-1-5-19, *S-1-5-20
  111. SeCreateGlobalPrivilege = Add:, *S-1-5-6, *S-1-5-32-544, *S-1-5-19, *S-1-5-20
  112. SeCreateSymbolicLinkPrivilege = Add:, *S-1-5-32-544
  113. SeImpersonatePrivilege = Add:, *S-1-5-6, *S-1-5-32-544, *S-1-5-19, *S-1-5-20
  114. ;SeIncreaseBasePriorityPrivilege = Remove:, *S-1-5-32-547
  115. SeIncreaseQuotaPrivilege = Add:, *S-1-5-19, *S-1-5-20
  116. SeIncreaseWorkingSetPrivilege = Add:, *S-1-5-32-545
  117. SeInteractiveLogonRight = Remove:, &-501
  118. SeManageVolumePrivilege = Add:, *S-1-5-32-544
  119. SeRemoteInteractiveLogonRight = Add:, *S-1-5-32-544, *S-1-5-32-555
  120. SeRemoteShutdownPrivilege = Remove:, *S-1-5-32-545, *S-1-1-0
  121. SeShutdownPrivilege = Remove:, *S-1-5-32-545, *S-1-1-0
  122. SeSystemTimePrivilege = Add:, *S-1-5-19, Remove:, *S-1-5-20
  123. SeTimeZonePrivilege = Add:, *S-1-5-32-544, *S-1-5-19
  125. ;Undock was added in Win2k.  Not adding Users because:
  126. ;a.) Win2k customers may have justifiably removed them.
  127. SeUndockPrivilege = Add:, *S-1-5-32-544
  129. ;[Group Membership]
  130. ;During upgrade, use net api's to
  131. ;1 - add Authenticated Users and Interactive into the Users group
  135. [Service General Setting]
  136. ;Note: startup type should not be configured during setup\dcpromo.
  137. ;autostarted on workstations and servers, standalone or joined
  138. Browser,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  139. TrkWks,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  140. Dnscache,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;NO)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  141. PolicyAgent,,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  142. dmserver,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  143. PlugPlay,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  144. Spooler,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  145. ProtectedStorage,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  146. RpcSs,,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLO;;;IU)(A;;CCLCSWRPLO;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  147. NtmsSvc,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  148. seclogon,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  149. SamSs,,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLO;;;IU)(A;;CCLCSWLO;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  150. lanmanserver,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  151. SENS,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  152. Schedule,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  153. Sysmonlog,,"D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCRPLOCR;;;LU)S:AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  154. LmHosts,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  155. LanmanWorkstation,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  156. RemoteRegistry,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  158. ClipSrv,,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLO;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  159. NetDDE,,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLO;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  160. NetDDEdsdm,,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLO;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  161. EventSystem,,"D:(A;;CCLCSWRPLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  163. ;Not autostarted if machine is standalone
  164. ;Netlogon,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  165. ;W32Time,,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLO;;;IU)(A;;CCLCSWRPLO;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  167. ;Server Only Services
  168. Dfs,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  169. LicenseService,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  171. ;IIS Specific Services - Leave them alone
  172. ;IISADMIN,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  173. ;W3SVC,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  174. ;MSFTPSVC,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  175. ;SMTPSVC,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  178. ;
  179. ; set default startup for the following services - do not touch permissions
  180. ;
  181. TrkSvr,4,""
  185. [Registry Keys]
  188. ;Not same as parent, and this is the target of a symlink - set explicitly.
  191. "MACHINE\SOFTWARE\Microsoft\ADs\Providers\LDAP\Extensions",2,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  192. "MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates",2,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  193. "MACHINE\SOFTWARE\Microsoft\OLAP Server\CurrentVersion\SECURITY",1,"D:AR"
  194. "MACHINE\Software\Microsoft\Speech",2,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  195. "MACHINE\SOFTWARE\Microsoft\SystemCertificates",2,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  196. "MACHINE\SOFTWARE\Microsoft\SystemCertificates\Authroot",2,"D:AI(A;CIOI;GA;;;S-1-5-80-242729624-280608522-2219052887-3187409060-2225943459)"
  197. "MACHINE\SOFTWARE\Microsoft\Tracing",2,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GR;;;S-1-5-13)"
  199. "MACHINE\SOFTWARE\Microsoft\Windows",0,"D:AR"
  201. "MACHINE\Software\Microsoft\Windows\CurrentVersion",0,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  202. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders",2,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  203. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx",2,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  205. ;The following keys need to be writable by TERMINAL_SERVER_USER for App-Compat
  206. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths",2,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GRGWSD;;;S-1-5-13)"
  207. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace",2,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GRGWSD;;;S-1-5-13)"
  208. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks",2,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GRGWSD;;;S-1-5-13)"
  209. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs",2,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GRGWSD;;;S-1-5-13)"
  210. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",2,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GRGWSD;;;S-1-5-13)"
  212. ;The following keys do not exist when we run.
  213. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy",1,"D:AR"
  214. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies",1,"D:AR"
  215. "MACHINE\SOFTWARE\Microsoft\SMS",1,"D:AR"
  217. "MACHINE\SOFTWARE\Microsoft\Windows NT",0,"D:AR"
  219. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility",2,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  220. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS",2,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  221. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PerHwIdStorage",2,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  222. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports",2,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  223. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole",2,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  224. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing",2,"D:P(A;CI;GRGWSD;;;LS)(A;CI;GRGWSD;;;NS)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  226. "MACHINE\System",0,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  228. "MACHINE\SYSTEM\Clone",1,"D:AR"
  230. "MACHINE\SYSTEM\ControlSet001",1,"D:AR"
  231. "MACHINE\SYSTEM\ControlSet002",1,"D:AR"
  232. "MACHINE\SYSTEM\ControlSet003",1,"D:AR"
  233. "MACHINE\SYSTEM\ControlSet004",1,"D:AR"
  234. "MACHINE\SYSTEM\ControlSet005",1,"D:AR"
  235. "MACHINE\SYSTEM\ControlSet006",1,"D:AR"
  236. "MACHINE\SYSTEM\ControlSet007",1,"D:AR"
  237. "MACHINE\SYSTEM\ControlSet008",1,"D:AR"
  238. "MACHINE\SYSTEM\ControlSet009",1,"D:AR"
  239. "MACHINE\SYSTEM\ControlSet010",1,"D:AR"
  241. "MACHINE\SYSTEM\CurrentControlSet\Control\Class",1,"D:AR"
  243. "MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts",2,"D:(A;CI;GR;;;WD)"
  244. "MACHINE\SYSTEM\CurrentControlSet\Control\LSA\JD",2,"D:P(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  245. "MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Skew1",2,"D:P(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  246. "MACHINE\SYSTEM\CurrentControlSet\Control\LSA\GBG",2,"D:P(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  247. "MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Data",2,"D:P(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  248. "MACHINE\SYSTEM\CurrentControlSet\Control\Nsi",2,"D:P(A;CI;KR;;;BU)(A;CI;KA;;;BA)(A;CI;KA;;;SY)(A;CI;CCDCLCSWRPWPSDRC;;;NS)(A;CI;CCDCLCSWRPWPSDRC;;;LS)(A;CI;CCDCLCSWRPSDRC;;;NO)(A;CI;CCDCLCSWRPWPSDRC;;;S-1-5-80-2940520708-3855866260-481812779-327648279-1710889582)(A;CIIO;RC;;;S-1-3-4)"
  249. "MACHINE\SYSTEM\CurrentControlSet\Control\Nsi\{eb004a00-9b1a-11d4-9123-0050047759bc}\4",2,"D:P(A;CI;CCDCLCSWRPRC;;;AU)(A;CI;CCDCLCSWRPWPSDRC;;;LS)(A;CI;CCDCLCSWRPWPSDRC;;;NS)((A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CIIO;RC;;;S-1-3-4)"
  250. "MACHINE\SYSTEM\CurrentControlSet\Control\Nsi\{eb004a01-9b1a-11d4-9123-0050047759bc}\4",2,"D:P(A;CI;CCDCLCSWRPRC;;;AU)(A;CI;CCDCLCSWRPWPSDRC;;;LS)(A;CI;CCDCLCSWRPWPSDRC;;;NS)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CIIO;RC;;;S-1-3-4)"
  251. "MACHINE\SYSTEM\CurrentControlSet\Control\Nsi\{eb004a1C-9b1a-11d4-9123-0050047759bc}\0",2,"D:P(A;CI;CCDCLCSWRPRC;;;AU)(A;CI;CCDCLCSWRPWPSDRC;;;LS)(A;CI;CCDCLCSWRPWPSDRC;;;NS)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CIIO;RC;;;S-1-3-4)"
  253. "MACHINE\SYSTEM\CurrentControlSet\Enum",1,"D:AR"
  254. "MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles",1,"D:AR"
  256. ;Don't whack more restrictive security subkeys.
  257. "MACHINE\SYSTEM\CurrentControlSet\Services",0,"D:AR"
  259. ;Set security subkey permissions for those services created via default hives
  260. "MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  261. "MACHINE\SYSTEM\CurrentControlSet\Services\kdc\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  262. "MACHINE\SYSTEM\CurrentControlSet\Services\LicenseInfo",2,"D:AR(A;CI;CCLCSWRPRC;;;NS)(A;CIIO;CCDCLCSWRPRC;;;NS)"
  263. "MACHINE\SYSTEM\CurrentControlSet\Services\SCardSvr\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  265. ;Set security subkey permissions for those services created in GUI-mode setup before SCE runs
  266. "MACHINE\SYSTEM\CurrentControlSet\Services\STISvc\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  268. "MACHINE\SYSTEM\CurrentControlSet\Services\SysmonLog\Log Queries",2,"D:(A;CI;GA;;;NS)(A;CI;CCDCLCSWSDRC;;;LU)"
  270. "USERS\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\ProtectedRoots",1,"D:AR"
  272. [File Security]
  275. ;---------------------------------------------------------------------------------------
  276. ;System Drive
  277. ;---------------------------------------------------------------------------------------
  278. ;SetupSecurity will contain the new root acl.  Ignore docs and settings if it's reapplied (e.g. on conversion from FAT)
  279. ; Directories that might not exist when security is applied; but are listed here
  280. ; so that they get secured correctly on converting the file system to NTFS
  283. ;---------------------------------------------------------------------------------------------
  284. ;Program Files
  285. ;---------------------------------------------------------------------------------------------
  286. "%SceInfCommonProgramFiles%\SpeechEngines\Microsoft\TTS",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  288. ;---------------------------------------------------------------------------------------------
  289. ;Win64 ProgramFiles Directory
  290. ;---------------------------------------------------------------------------------------------
  292. ;---------------------------------------------------------------------------------------------
  293. ; ProgramData Folder (Typically \ProgramData)
  294. ;---------------------------------------------------------------------------------------------
  296. ;---------------------------------------------------------------------------------------------
  297. ;System Root (Typically \WINDOWS)
  298. ;---------------------------------------------------------------------------------------------
  301. ;Profile for LocalService and NetworkService, moved from Users in Longhorn, creator specifies security
  302. "%SystemRoot%\ServiceProfiles\LocalService",1,"D:P(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;LS)"
  303. "%SystemRoot%\ServiceProfiles\NetworkService",1,"D:P(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;NS)"
  306. ;---------------------------------------------------------------------------------------------
  307. ;System Directory (Typically \Windows\System32)
  308. ;---------------------------------------------------------------------------------------------
  311. ;Profile for system account - moved from Docs and Settings in Whistler. Creator specifies security.
  313. ;Directories with no legacy to preserve. Different from parent.
  314. "%SystemDirectory%\wbem\mof",2,"D:P(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  317. ;Directories that do not exist when security applied during clean-install - Creator specifies directory security.
  318. ;We explicitly ignore so as not to whack the component-specified DIRECTORY security on upgrade or reapplication of defaults.
  319. "%SystemDirectory%\appmgmt",1,"D:AR"
  321. ; Directories that might not exist when security is applied; but are listed here
  322. ; so that they get secured correctly on converting the file system to NTFS
  325. ;-----------------------------------------------------------------------------------------
  326. ; SysWOW64 directories
  327. ;-----------------------------------------------------------------------------------------
  330. ;-----------------------------------------------------------------------------------------
  331. ;Individual File Settings.
  332. ;-----------------------------------------------------------------------------------------
  333. "%Systemroot%\repair\default",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  334. "%Systemroot%\repair\ntuser.dat",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  335. "%Systemroot%\repair\sam",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  336. "%Systemroot%\repair\security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  337. "%Systemroot%\repair\software",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  338. "%Systemroot%\repair\system",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  341. [Strings]
  343. SceInfAdministrator = "Administrator"
  344. SceInfAdmins = "Administrators"
  345. SceInfAcountOp = "Account Operators"
  346. SceInfAuthUsers = "Authenticated Users"
  347. SceInfInteractive = "INTERACTIVE"
  348. SceInfBackupOp = "Backup Operators"
  349. SceInfDomainAdmins = "Domain Admins"
  350. SceInfDomainGuests = "Domain Guests"
  351. SceInfDomainUsers = "Domain Users"
  352. SceInfEveryone = "Everyone"
  353. SceInfGuests = "Guests"
  354. SceInfGuest = "Guest"
  355. SceInfLocalService = "Local Service"
  356. SceInfNetworkService = "Network Service"
  357. SceInfPowerUsers = "Power Users"
  358. SceInfPrintOp = "Print Operators"
  359. SceInfReplicator = "Replicator"
  360. SceInfRemoteDesktopUsers = "Remote Desktop Users"
  361. SceInfServerOp = "Server Operators"
  362. SceInfUsers = "Users"
  363. SceInfProgramFiles = "%ProgramFiles%"
  364. SceInfProgramFilesx86 = "%ProgramFiles(x86)%"
  365. SceInfCommonProgramFiles = "%CommonProgramFiles%"
  366. SceDSUpProfileDescription = "Security applied to upgraded terminal servers"
  367. SCEInfSysdir1 = "edit.com"
  368. SCEInfSysdir2 = "edit.hlp"
  369. SCEInfHelp1 = "signin.hlp"
  370.