/ PC World Komputer 2010 April / PCWorld0410.iso / WindowsServerTrial / server.iso / sources / install.wim / 5 / Windows / inf / defltbase.inf < prev    next >
Windows Setup INFormation  |  2008-01-18  |  51KB  |  476 lines

  1. ; Copyright (c) Microsoft Corporation.  All rights reserved.
  2. ;
  3. ; Security Configuration Template for Security Configuration Editor
  4. ;
  5. ; Template Name:        DefltSV.INF
  6. ; Template Version:     05.10.DS.0000
  7. ;
  8. ; Default Security For Windows VISTA Server.
  9. [Profile Description]
  10. %SCEDefltSVProfileDescription%
  11. [version]
  12. signature="$CHICAGO$"
  13. revision=1
  14. DriverVer=06/21/2006,6.0.6001.18000
  15. [System Access]
  ; Account-policy defaults applied by this template. These are the shipped
  ; out-of-box values, not a hardened baseline; compare them with your own policy.
  16. ;----------------------------------------------------------------
  17. ;Account Policies - Password Policy
  18. ;----------------------------------------------------------------
  ; Minimum age 0 allows a password to be changed again immediately.
  19. MinimumPasswordAge = 0
  20. MaximumPasswordAge = 42
  ; NOTE(review): a minimum length of 0 sets no length floor in this section; only
  ; the complexity rule enabled on the next line constrains new passwords.
  21. MinimumPasswordLength = 0   
  22. PasswordComplexity = 1
  ; History size 0 keeps no previous passwords, so reuse of an old password is
  ; not blocked by this template.
  23. PasswordHistorySize = 0
  24. RequireLogonToChangePassword = 0
  ; 0 = passwords are not stored with reversible encryption.
  25. ClearTextPassword = 0
  26. ;----------------------------------------------------------------
  27. ;Account Policies - Lockout Policy
  28. ;----------------------------------------------------------------
  29. ;No Account Lockout
  ; NOTE(review): a bad-logon threshold of 0 means accounts are never locked, so
  ; repeated failed logons are not throttled here; rely on logon-failure
  ; monitoring or set a threshold in a later policy.
  30. LockoutBadCount = 0
  31. ;The following are not configured when No Account Lockout
  32. ;ResetLockoutCount = 30
  33. ;LockoutDuration = 30
  34. ;----------------------------------------------------------------
  35. ;Local Policies - Security Options
  36. ;----------------------------------------------------------------
  37. ;DC Only
  38. ;ForceLogoffWhenHourExpire = 0
  ; 0 = anonymous callers may not translate between SIDs and account names.
  39. LSAAnonymousNameLookup = 0
  ; The built-in account renames below are left commented out, so this template
  ; does not rename Administrator or Guest.
  40. ;NewAdministratorName =
  41. ;NewGuestName =
  42. ;SecureSystemPartition
  43. ;----------------------------------------------------------------
  44. ;Event Log - Log Settings
  45. ;----------------------------------------------------------------
  46. ;Audit Log Retention Period:
  47. ;0 = Overwrite Events As Needed
  48. ;1 = Overwrite Events As Specified by Retention Days Entry
  49. ;2 = Never Overwrite Events (Clear Log Manually)
  50. [System Log]
  ; The three event-log sections below carry identical settings.
  ; MaximumLogSize is presumably in kilobytes (20480 = 20 MB) - confirm.
  ; AuditLogRetentionPeriod = 0 is "Overwrite Events As Needed" per the legend
  ; above, so the oldest events are discarded once a log fills. If the Security
  ; log is needed for investigations, collect it centrally or raise the size.
  51. MaximumLogSize = 20480
  52. AuditLogRetentionPeriod = 0
  53. ;RetentionDays = 7
  ; 1 = guest access to this log is restricted.
  54. RestrictGuestAccess = 1
  55. [Security Log]
  56. MaximumLogSize = 20480
  57. AuditLogRetentionPeriod = 0
  58. ;RetentionDays = 7
  59. RestrictGuestAccess = 1
  60. [Application Log]
  61. MaximumLogSize = 20480
  62. AuditLogRetentionPeriod = 0
  63. ;RetentionDays = 7
  64. RestrictGuestAccess = 1
  65. ;----------------------------------------------------------------
  66. ;Local Policies - Audit Policy
  67. ;----------------------------------------------------------------
  68. [Event Audit]
  ; NOTE(review): this section sets only CrashOnAuditFull. No per-category audit
  ; lines appear in it, so this template by itself does not turn on success or
  ; failure auditing for any category; that has to come from another policy.
  ; 0 = the system keeps running when audit events can no longer be written.
  69. CrashOnAuditFull = 0
  70. ;----------------------------------------------------------------
  71. ;Registry Values
  72. ;----------------------------------------------------------------
  73. [Registry Values]
  ; Each entry is <registry value path>=<type code>,<data>. The type codes are
  ; listed in the legend that follows.
  74. ; Registry value name in full path = Type, Value
  75. ; REG_SZ                      ( 1 )
  76. ; REG_EXPAND_SZ               ( 2 )  // with environment variables to expand
  77. ; REG_BINARY                  ( 3 )
  78. ; REG_DWORD                   ( 4 )
  79. ; REG_MULTI_SZ                ( 7 )
  ; --- LSA: auditing, anonymous access, LM/NTLM handling ---
  80. MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects=4,0
  81. MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail=4,0
  82. MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds=4,0
  ; 0 = the Everyone group does not include anonymous logons.
  83. MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,0
  84. MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest=4,0
  85. MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\Enabled=4,0
  ; Written as REG_BINARY (type 3), unlike the neighbouring REG_DWORD entries.
  86. MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing=3,0
  ; 1 = accounts with a blank password are limited to console logon. This matters
  ; because the password policy in this template sets no minimum length.
  87. MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
  ; Level 3: as a client this machine sends NTLMv2 responses only, but it still
  ; accepts LM and NTLM when authenticating others. Refusing those on the
  ; accepting side needs a higher level (4 or 5).
  88. MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,3
  ; 0 on both lines = no minimum NTLM session security is required.
  89. MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec=4,0
  90. MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec=4,0
  ; 1 = do not store the LM hash on the next password change.
  91. MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
  ; NOTE(review): RestrictAnonymous is 0 while RestrictAnonymousSAM is 1, so
  ; anonymous enumeration of SAM accounts is blocked but the broader
  ; "accounts and shares" restriction is not enabled.
  92. MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
  93. MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
  94. ;Domain Controllers Only
  95. ;MACHINE\System\CurrentControlSet\Control\Lsa\SubmitControl=4,0
  96. MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers=4,1
  97. MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive=4,1
  98. MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,0
  99. MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode=4,1
  ; --- SMB server (LanManServer) and client (LanmanWorkstation) ---
  ; NOTE(review): the server side neither enables nor requires SMB signing, and
  ; the client side enables it without requiring it. Unsigned SMB sessions are
  ; therefore accepted under these defaults; require signing through policy
  ; where compatibility allows, since unsigned sessions are what relay-style
  ; attacks depend on.
  100. MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,0
  101. MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,0
  102. MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogOff=4,1
  103. MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect=4,15
  ; 1 = null-session access is limited to explicitly listed pipes and shares.
  104. MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RestrictNullSessAccess=4,1
  105. MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature=4,1
  106. MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature=4,0
  ; 0 = the SMB client will not send plaintext passwords.
  107. MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword=4,0
  ; 1 = LDAP client signing is negotiated, not required.
  108. MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity=4,1
  ; --- Netlogon secure channel ---
  ; Signing or sealing of the secure channel is required (RequireSignOrSeal=1),
  ; but a strong session key is not (RequireStrongKey=0).
  109. MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange=4,0
  110. MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge=4,30
  111. MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel=4,1
  112. MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel=4,1
  113. MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal=4,1
  114. MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey=4,0
  115. ;Potential to take on different values during and after setup
  116. ;MACHINE\Software\Microsoft\Driver Signing\Policy=3,1
  117. ;MACHINE\Software\Microsoft\Non-Driver Signing\Policy=3,0
  ; --- Interactive logon ---
  ; DisableCAD=0 keeps the Ctrl+Alt+Del requirement at logon.
  118. MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,0
  119. MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,0
  120. MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption=1,""
  121. MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=7,""
  122. MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ScForceOption=4,0
  123. MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon=4,0
  124. MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UndockWithoutLogon=4,1
  125. MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel=4,0
  126. MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand=4,0
  ; Stored as REG_SZ "25": up to 25 domain logons are cached locally for use when
  ; no domain controller is reachable. Consider a lower value on servers.
  127. MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,25
  128. MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon=4,0
  129. MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning=4,14
  130. MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption=1,0
  131. MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\AuthenticodeEnabled=4,0
  132. ; remove lsarpc, samr and netlogon from anonymously accessible pipes
  ; NOTE(review): type code 8 is not in the legend at the top of this section;
  ; together with the "Remove:" prefix it is presumably a list-edit form that
  ; deletes the named entries rather than replacing the whole value - confirm.
  133. MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\NullSessionPipes=8,Remove:,lsarpc,samr,netlogon
  134. ;----------------------------------------------------------------------
  135. ;   Privileges & Rights
  136. ;----------------------------------------------------------------------
  137. ;
  138. ;World                          S-1-1-0
  139. ;
  140. ;NT Authority                   S-1-5
  141. ;TERMINAL_SERVER                13
  142. ;LOCAL_SERVICE                  19
  143. ;NETWORK_SERVICE                20
  144. ;
  145. ;Built-In Domain SubAuthority = S-1-5-32
  146. ;ADMINISTRATORS                 544
  147. ;USERS                          545
  148. ;GUESTS                         546
  149. ;POWER_USERS  (DEPRECATED)
  150. ;ACCOUNT_OPS                    548
  151. ;SYSTEM_OPS                     549
  152. ;PRINT_OPS                      550
  153. ;BACKUP_OPS                     551
  154. ;REPLICATOR                     552
  155. ;RAS_SERVERS                    553
  156. ;PREW2KCOMPACCESS               554
  157. ;REMOTE_DESKTOP_USERS           555
  158. ;NETWORK_CONFIGURATION_OPS      556
  159. ;LOGGING_USERS                  559
  160. [Privilege Rights]
  ; Each line assigns a privilege or logon right to a list of SIDs; the RIDs are
  ; named in the legend that precedes this section. S-1-5-6, which is not in that
  ; legend, is the well-known SERVICE SID. A line with nothing after "=" lists
  ; no accounts for that right.
  ; For monitoring purposes the highest-impact grants below are SeDebug,
  ; SeBackup/SeRestore, SeImpersonate, SeLoadDriver and SeTakeOwnership; alert
  ; on any later addition of accounts to them.
  161. SeAssignPrimaryTokenPrivilege = *S-1-5-19, *S-1-5-20
  162. SeAuditPrivilege = *S-1-5-19, *S-1-5-20
  163. SeBackupPrivilege = *S-1-5-32-544, *S-1-5-32-551
  164. SeBatchLogonRight = *S-1-5-32-544, *S-1-5-32-551, *S-1-5-32-559
  165. SeChangeNotifyPrivilege = *S-1-5-32-544, *S-1-5-32-551, *S-1-5-32-545, *S-1-1-0, *S-1-5-19, *S-1-5-20
  166. SeCreateGlobalPrivilege = *S-1-5-6, *S-1-5-32-544, *S-1-5-19, *S-1-5-20
  167. SeCreatePagefilePrivilege = *S-1-5-32-544
  168. SeCreatePermanentPrivilege =
  169. SeCreateSymbolicLinkPrivilege = *S-1-5-32-544
  ; No account is listed for creating tokens.
  170. SeCreateTokenPrivilege =
  171. SeDebugPrivilege = *S-1-5-32-544
  ; Impersonation is granted to SERVICE, Administrators, Local Service and
  ; Network Service.
  172. SeImpersonatePrivilege = *S-1-5-6, *S-1-5-32-544, *S-1-5-19, *S-1-5-20
  173. SeIncreaseBasePriorityPrivilege = *S-1-5-32-544
  174. SeIncreaseQuotaPrivilege = *S-1-5-32-544, *S-1-5-19, *S-1-5-20
  175. SeIncreaseWorkingSetPrivilege = *S-1-5-32-545
  176. SeInteractiveLogonRight = *S-1-5-32-544, *S-1-5-32-551,  *S-1-5-32-545
  177. SeLoadDriverPrivilege = *S-1-5-32-544
  178. SeLockMemoryPrivilege =
  179. SeMachineAccountPrivilege =
  180. SeManageVolumePrivilege = *S-1-5-32-544
  ; NOTE(review): network logon includes S-1-1-0 (World/Everyone), and every
  ; SeDeny* right further down is empty, so this template denies no account any
  ; logon type.
  181. SeNetworkLogonRight = *S-1-5-32-544, *S-1-5-32-551,  *S-1-5-32-545, *S-1-1-0
  182. SeProfileSingleProcessPrivilege = *S-1-5-32-544
  ; Remote Desktop logon: Administrators and Remote Desktop Users (555).
  183. SeRemoteInteractiveLogonRight = *S-1-5-32-544, *S-1-5-32-555
  184. SeRemoteShutdownPrivilege = *S-1-5-32-544
  185. SeRestorePrivilege = *S-1-5-32-544, *S-1-5-32-551
  186. SeSecurityPrivilege = *S-1-5-32-544
  187. SeServiceLogonRight =
  188. SeShutdownPrivilege = *S-1-5-32-544, *S-1-5-32-551
  189. SeSystemEnvironmentPrivilege = *S-1-5-32-544
  190. SeSystemProfilePrivilege = *S-1-5-32-544
  191. SeSystemTimePrivilege = *S-1-5-32-544,  *S-1-5-19
  192. SeTakeOwnershipPrivilege = *S-1-5-32-544
  ; No account is listed for acting as part of the operating system.
  193. SeTcbPrivilege =
  194. SeTimeZonePrivilege = *S-1-5-32-544, *S-1-5-19
  195. ;
  196. SeDenyInteractiveLogonRight =
  197. SeDenyBatchLogonRight =
  198. SeDenyServiceLogonRight =
  199. SeDenyNetworkLogonRight =
  200. SeDenyRemoteInteractiveLogonRight =
  201. ;
  202. SeUndockPrivilege = *S-1-5-32-544
  203. SeSyncAgentPrivilege =
  204. SeEnableDelegationPrivilege =
  205. [Group Membership]
  ; Restricted-group entry for the built-in Users group (S-1-5-32-545): it is
  ; made a member of no other group, and its members are set to
  ; S-1-5-11 (Authenticated Users) and S-1-5-4 (INTERACTIVE).
  206. *S-1-5-32-545__Memberof =
  207. *S-1-5-32-545__Members = *S-1-5-11,*S-1-5-4
  208. [Service General Setting]
  ; Each entry is <service name>,<startup mode>,"<security descriptor in SDDL>".
  ; Startup mode: 2 = automatic, 3 = manual, 4 = disabled; an empty field
  ; presumably leaves the startup mode untouched - confirm.
  ; In most entries the DACL gives Authenticated Users (AU) query/interrogate
  ; rights only - no RP (start), WP (stop) or DC (change config) - and gives
  ; Builtin Administrators (BA) full control including WD/WO. The SACL
  ; "S:(AU;FA;...;;;WD)" audits failed access attempts by Everyone.
  209. ;autostarted on workstations and servers, standalone or joined
  210. Browser,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  211. TrkWks,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  212. Dnscache,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;NO)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  213. PolicyAgent,,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  214. dmserver,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  215. PlugPlay,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  216. Spooler,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  217. ProtectedStorage,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  ; RpcSs additionally lets Interactive (IU) and Builtin Users (BU) start the
  ; service (RP).
  218. RpcSs,,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLO;;;IU)(A;;CCLCSWRPLO;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  219. NtmsSvc,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  220. seclogon,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  221. SamSs,,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLO;;;IU)(A;;CCLCSWLO;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  222. lanmanserver,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  223. SENS,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  224. Schedule,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  ; NOTE(review): the SACL on the Sysmonlog line reads "S:AU;FA;..." with no "("
  ; after "S:", unlike every other entry in this section, so the descriptor as
  ; printed is not well-formed SDDL. How the template engine handles it is not
  ; visible here; check the effective descriptor on a deployed system (for
  ; example with "sc sdshow") rather than assuming this line took effect.
  225. Sysmonlog,,"D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCRPLOCR;;;LU)S:AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  226. LmHosts,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  227. LanmanWorkstation,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  228. RemoteRegistry,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  ; ClipSrv, NetDDE and NetDDEdsdm are set to startup mode 4 (disabled).
  229. ClipSrv,4,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLO;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  230. NetDDE,4,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLO;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  231. NetDDEdsdm,4,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLO;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  ; EventSystem grants Authenticated Users RP (start) and has no SY ACE.
  232. EventSystem,,"D:(A;;CCLCSWRPLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  233. ;Not autostarted if machine is standalone
  234. Netlogon,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  235. W32Time,,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLO;;;IU)(A;;CCLCSWRPLO;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  236. ;Server Only Services
  237. Dfs,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  238. LicenseService,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  239. ;IIS Specific Services - Leave them alone
  240. ;IISADMIN,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  241. ;W3SVC,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  242. ;MSFTPSVC,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  243. ;SMTPSVC,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  244. ;
  245. ; set default startup for the following services - do not touch permissions
  246. ;
  ; The empty "" third field carries no security descriptor, matching the
  ; "do not touch permissions" note above. Startup mode 4 = disabled, 3 = manual,
  ; so Mnmsrvc, Themes, TlntSvr (Telnet server) and TrkSvr are disabled by
  ; default and WmdmPmSp is manual.
  247. ;;FastUserSwitching service not installed in setup
  248. Mnmsrvc,4,""
  249. Themes,4,""
  250. TlntSvr,4,""
  251. TrkSvr,4,""
  252. ;;Tssdis service not installed in setup
  253. WmdmPmSp,3,""
  254. [Registry Keys]
  255. ;Not same as parent, and this is the target of a symlink - set explicitly.
  256. "MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates",2,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  257. "MACHINE\Software\Microsoft\Speech",2,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  258. "MACHINE\SOFTWARE\Microsoft\SystemCertificates",2,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  259. "MACHINE\SOFTWARE\Microsoft\Tracing",2,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GR;;;S-1-5-13)"
  260. "MACHINE\Software\Microsoft\Windows\CurrentVersion",0,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  261. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders",2,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  262. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx",2,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  263. ;The following keys need to be writable by TERMINAL_SERVER_USER for App-Compat
  ; NOTE(review): compared with the other entries in this section, these five
  ; carry an extra ACE (A;CI;GRGWSD;;;S-1-5-13) giving the Terminal Server SID
  ; generic read, generic write and delete on the key and, through CI, on its
  ; subkeys. App Paths and ShellExecuteHooks influence what the shell launches
  ; or loads, so on hosts where that SID appears in user tokens, writes under
  ; these keys are worth auditing.
  264. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths",2,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GRGWSD;;;S-1-5-13)"
  265. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace",2,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GRGWSD;;;S-1-5-13)"
  266. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks",2,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GRGWSD;;;S-1-5-13)"
  267. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs",2,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GRGWSD;;;S-1-5-13)"
  268. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",2,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GRGWSD;;;S-1-5-13)"
  269. ;The following keys do not exist when we run.
  270. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy",1,"D:AR"
  271. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies",1,"D:AR"
  272. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility",2,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  273. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS",2,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  274. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PerHwIdStorage",2,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  275. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports",2,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  276. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole",2,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  277. "MACHINE\System",0,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  278. "MACHINE\SYSTEM\Clone",1,"D:AR"
  279. "MACHINE\SYSTEM\ControlSet001",1,"D:AR"
  280. "MACHINE\SYSTEM\ControlSet002",1,"D:AR"
  281. "MACHINE\SYSTEM\ControlSet003",1,"D:AR"
  282. "MACHINE\SYSTEM\ControlSet004",1,"D:AR"
  283. "MACHINE\SYSTEM\ControlSet005",1,"D:AR"
  284. "MACHINE\SYSTEM\ControlSet006",1,"D:AR"
  285. "MACHINE\SYSTEM\ControlSet007",1,"D:AR"
  286. "MACHINE\SYSTEM\ControlSet008",1,"D:AR"
  287. "MACHINE\SYSTEM\ControlSet009",1,"D:AR"
  288. "MACHINE\SYSTEM\ControlSet010",1,"D:AR"
  289. "MACHINE\SYSTEM\CurrentControlSet\Control\Class",0,"D:AR"
  290. "MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts",2,"D:(A;CI;GR;;;WD)"
  291. "MACHINE\SYSTEM\CurrentControlSet\Control\LSA\JD",2,"D:P(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  292. "MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Skew1",2,"D:P(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  293. "MACHINE\SYSTEM\CurrentControlSet\Control\LSA\GBG",2,"D:P(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  294. "MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Data",2,"D:P(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  295. "MACHINE\SYSTEM\CurrentControlSet\Control\Nsi",2,"D:P(A;CI;KR;;;BU)(A;CI;KA;;;BA)(A;CI;KA;;;SY)(A;CI;CCDCLCSWRPWPSDRC;;;NS)(A;CI;CCDCLCSWRPWPSDRC;;;LS)(A;CI;CCDCLCSWRPSDRC;;;NO)(A;CI;CCDCLCSWRPWPSDRC;;;S-1-5-80-2940520708-3855866260-481812779-327648279-1710889582)(A;CIIO;RC;;;S-1-3-4)"
  ; NOTE(review): in the {eb004a00-...}\4 entry the Administrators ACE is
  ; written "((A;CI;GA;;;BA)" with a doubled opening parenthesis, while the two
  ; sibling entries after it have a single one. As printed the descriptor is
  ; not well-formed SDDL. Whether the engine rejects it or leaves the key with
  ; its previous ACL is not visible here; verify the effective ACL on that key.
  296. "MACHINE\SYSTEM\CurrentControlSet\Control\Nsi\{eb004a00-9b1a-11d4-9123-0050047759bc}\4",2,"D:P(A;CI;CCDCLCSWRPRC;;;AU)(A;CI;CCDCLCSWRPWPSDRC;;;LS)(A;CI;CCDCLCSWRPWPSDRC;;;NS)((A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CIIO;RC;;;S-1-3-4)"
  297. "MACHINE\SYSTEM\CurrentControlSet\Control\Nsi\{eb004a01-9b1a-11d4-9123-0050047759bc}\4",2,"D:P(A;CI;CCDCLCSWRPRC;;;AU)(A;CI;CCDCLCSWRPWPSDRC;;;LS)(A;CI;CCDCLCSWRPWPSDRC;;;NS)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CIIO;RC;;;S-1-3-4)"
  298. "MACHINE\SYSTEM\CurrentControlSet\Control\Nsi\{eb004a1C-9b1a-11d4-9123-0050047759bc}\0",2,"D:P(A;CI;CCDCLCSWRPRC;;;AU)(A;CI;CCDCLCSWRPWPSDRC;;;LS)(A;CI;CCDCLCSWRPWPSDRC;;;NS)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CIIO;RC;;;S-1-3-4)"
  299. "MACHINE\SYSTEM\CurrentControlSet\Services",0,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  300. ;Set security subkey permissions for those services created via default hives
  301. "MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  302. "MACHINE\SYSTEM\CurrentControlSet\Services\kdc\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  303. "MACHINE\SYSTEM\CurrentControlSet\Services\LicenseInfo",2,"D:AR(A;CI;CCLCSWRPRC;;;NS)(A;CIIO;CCDCLCSWRPRC;;;NS)"
  304. "MACHINE\SYSTEM\CurrentControlSet\Services\SCardSvr\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  305. ;Set security subkey permissions for those services created in GUI-mode setup before SCE runs
  306. "MACHINE\SYSTEM\CurrentControlSet\Services\STISvc\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  307. "MACHINE\SYSTEM\CurrentControlSet\Services\SysmonLog\Log Queries",2,"D:(A;CI;GA;;;NS)(A;CI;CCDCLCSWSDRC;;;LU)"
  308. "MACHINE\SYSTEM\CurrentControlSet\Enum",1,"D:AR"
  309. "MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles",1,"D:AR"
  310. "USERS\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\ProtectedRoots",1,"D:AR"
  311. [File Security]
  312. ;---------------------------------------------------------------------------------------
  313. ;System Drive
  314. ;---------------------------------------------------------------------------------------
  315. ;SetupSecurity will contain the new root acl.  Ignore docs and settings if it's reapplied (e.g. on conversion from FAT)
  316. ; Directories that might not exist when security is applied; but are listed here
  317. ; so that they get secured correctly on converting the file system to NTFS
  318. ;---------------------------------------------------------------------------------------------
  319. ;ProgramFiles
  320. ;---------------------------------------------------------------------------------------------
  321. "%SceInfCommonProgramFiles%\SpeechEngines\Microsoft\TTS",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  322. ;---------------------------------------------------------------------------------------------
  323. ;Win64 32bit ProgramFiles Directory
  324. ;---------------------------------------------------------------------------------------------
  325. ;---------------------------------------------------------------------------------------------
  326. ; ProgramData Folder (Typically \ProgramData)
  327. ;---------------------------------------------------------------------------------------------
  328. ;---------------------------------------------------------------------------------------------
  329. ;System Root (Typically \WINDOWS)
  330. ;---------------------------------------------------------------------------------------------
  331. ;Directories that existed and inherited on NT4 out of the box.
  332. ;The text-mode files within these directories are individually secured below.
  333. ;Config, Cursors, Help, Media, Repair, System, Fonts, INF
  334. ;Directories that do not exist when security applied during clean-install - Creator specifies directory security.
  335. ;We explicitly ignore so as not to whack the component-specified DIRECTORY security on upgrade or reapplication of defaults.
  336. ;Profile for LocalService and NetworkService, moved from Users in Longhorn, creator specifies security
  337. "%SystemRoot%\ServiceProfiles\LocalService",1,"D:P(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;LS)"
  338. "%SystemRoot%\ServiceProfiles\NetworkService",1,"D:P(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;NS)"
  339. ;---------------------------------------------------------------------------------------------
  340. ;System Directory (Typically \Windows\System32)
  341. ;---------------------------------------------------------------------------------------------
  342. ;Directories with no legacy to preserve. Different from parent.
  343. "%SystemDirectory%\wbem\mof",2,"D:P(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  344. ; Directories that might not exist when security is applied; but are listed here
  345. ; so that they get secured correctly on converting the file system to NTFS
  346. "%SystemDirectory%\LogFiles\wms",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGWGXSD;;;NS)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  347. ;-----------------------------------------------------------------------------------------
  348. ; SysWOW64 directories
  349. ;-----------------------------------------------------------------------------------------
  350. ;-----------------------------------------------------------------------------------------
  351. ;Individual File Settings.
  352. ;-----------------------------------------------------------------------------------------
  ; Each file under %Systemroot%\repair gets a protected DACL (D:P) with full
  ; control for Builtin Administrators (BA) and Local System (SY) only; there is
  ; no ACE for Users. The file names match registry hive names (sam, security,
  ; system, ...), so these are presumably hive backup copies, which would
  ; explain the tight ACL - confirm.
  353. "%Systemroot%\repair\default",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  354. "%Systemroot%\repair\ntuser.dat",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  355. "%Systemroot%\repair\sam",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  356. "%Systemroot%\repair\security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  357. "%Systemroot%\repair\software",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  358. "%Systemroot%\repair\system",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  359. [Strings]
  360. SceInfAdministrator = "Administrator"
  361. SceInfAdmins = "Administrators"
  362. SceInfAcountOp = "Account Operators"
  363. SceInfAuthUsers = "Authenticated Users"
  364. SceInfInteractive = "INTERACTIVE"
  365. SceInfBackupOp = "Backup Operators"
  366. SceInfDomainAdmins = "Domain Admins"
  367. SceInfDomainGuests = "Domain Guests"
  368. SceInfDomainUsers = "Domain Users"
  369. SceInfEveryone = "Everyone"
  370. SceInfGuests = "Guests"
  371. SceInfGuest = "Guest"
  372. SceInfPowerUsers = "Power Users"
  373. SceInfPrintOp = "Print Operators"
  374. SceInfReplicator = "Replicator"
  375. SceInfServerOp = "Server Operators"
  376. SceInfUsers = "Users"
  377. SceInfLocalService = "Local Service"
  378. SceInfNetworkService = "Network Service"
  379. SceInfProgramFiles = "%ProgramFiles%"
  380. SceInfProgramFilesx86 = "%ProgramFiles(x86)%"
  381. SceInfCommonProgramFiles = "%CommonProgramFiles%"
  382. SceInfRemoteDesktopUsers = "Remote Desktop Users"
  383. SceDefltSVProfileDescription = "Default Security Settings. (Windows Server)"
  384. SCEInfSysdir1 = "edit.com"
  385. SCEInfSysdir2 = "edit.hlp"
  386. SCEInfHelp1 = "signin.hlp"
  387.