archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
1 Branch
0 Tags
1.5 GiB
Branch: master
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
windows-server-2003/mergedcomponents/setupinfs/defltp.inx

532 lines
31 KiB
Raw Permalink Normal View History

commiting as it is
4 years ago
  1. @*:This file defines default security settings.
  2. @*:Please do not edit. Instead, email kirksol with the requested change.
  3. @*:Thanks!
  4. ; Copyright (c) Microsoft Corporation. All rights reserved.
  5. ;
  6. ; Security Configuration Template for Security Configuration Manager
  7. ;
  8. ; Template Name: DefltWK.INF
  9. ; Template Version: 05.10.DP.0000
  10. ;
  11. ; Default Security for NT 5.1 Personal Edition.
  12. ; DefltP.INF is copied to DefltWK.INF on the Personal SKU as specified in Layout.inf for personal.
  14. [Profile Description]
  15. %SCEDefltProfileDescription%
  17. [version]
  18. signature="$CHICAGO$"
  19. revision=1
  21. [System Access]
  22. ;----------------------------------------------------------------
  23. ;Account Policies - Password Policy
  24. ;----------------------------------------------------------------
  25. MinimumPasswordAge = 0
  26. MaximumPasswordAge = -1
  27. MinimumPasswordLength = 0
  28. PasswordComplexity = 0
  29. PasswordHistorySize = 0
  30. RequireLogonToChangePassword = 0
  31. ClearTextPassword = 0
  32. LSAAnonymousNameLookup = 0
  33. EnableGuestAccount = 0
  35. ;----------------------------------------------------------------
  36. ;Account Policies - Lockout Policy
  37. ;----------------------------------------------------------------
  38. LockoutBadCount = 0
  39. ;ResetLockoutCount = 30
  40. ;LockoutDuration = 30
  42. ;----------------------------------------------------------------
  43. ;Local Policies - Security Options
  44. ;----------------------------------------------------------------
  45. ;DC Only
  46. ;ForceLogoffWhenHourExpire = 0
  48. ;NewAdministatorName =
  49. ;NewGuestName =
  50. ;SecureSystemPartition
  52. ;----------------------------------------------------------------
  53. ;Event Log - Log Settings
  54. ;----------------------------------------------------------------
  55. ;Audit Log Retention Period:
  56. ;0 = Overwrite Events As Needed
  57. ;1 = Overwrite Events As Specified by Retention Days Entry
  58. ;2 = Never Overwrite Events (Clear Log Manually)
  60. [System Log]
  61. MaximumLogSize = 8192
  62. AuditLogRetentionPeriod = 0
  63. RestrictGuestAccess = 1
  65. [Security Log]
  66. MaximumLogSize = 8192
  67. AuditLogRetentionPeriod = 0
  68. RestrictGuestAccess = 1
  70. [Application Log]
  71. MaximumLogSize = 8192
  72. AuditLogRetentionPeriod = 0
  73. RestrictGuestAccess = 1
  75. ;----------------------------------------------------------------------
  76. ; Local Policies\Audit Policy
  77. ;----------------------------------------------------------------------
  78. [Event Audit]
  79. AuditSystemEvents = 3
  80. AuditObjectAccess = 0
  81. AuditPrivilegeUse = 0
  82. AuditPolicyChange = 3
  83. AuditAccountManage = 3
  84. AuditProcessTracking = 0
  85. AuditAccountLogon = 3
  86. AuditLogonEvents = 3
  89. ;----------------------------------------------------------------
  90. ;Registry Values
  91. ;----------------------------------------------------------------
  92. [Registry Values]
  93. ; Registry value name in full path = Type, Value
  94. ; REG_SZ ( 1 )
  95. ; REG_EXPAND_SZ ( 2 ) // with environment variables to expand
  96. ; REG_BINARY ( 3 )
  97. ; REG_DWORD ( 4 )
  98. ; REG_MULTI_SZ ( 7 )
  100. MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects=4,0
  101. MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail=4,0
  102. MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds=4,0
  103. MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,0
  104. MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy=4,0
  105. MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest=4,1
  106. MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing=3,0
  107. MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
  108. MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,2
  109. MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec=4,0
  110. MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec=4,0
  111. MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,0
  112. MACHINE\System\CurrentControlSet\Control\Lsa\NoDefaultAdminOwner=4,1
  113. MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
  114. MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
  116. ;Domain Controllers Only
  117. ;MACHINE\System\CurrentControlSet\Control\Lsa\SubmitControl=4,0
  119. MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers=4,0
  121. MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive=4,1
  122. MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,0
  123. MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode=4,1
  125. MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,0
  126. MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,0
  127. MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogOff=4,1
  128. MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect=4,15
  129. MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RestrictNullSessAccess=4,1
  131. MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature=4,1
  132. MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature=4,0
  133. MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword=4,0
  135. MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity=4,1
  137. MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange=4,0
  138. MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge=4,30
  139. MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel=4,1
  140. MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel=4,1
  141. MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal=4,1
  142. MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey=4,0
  144. ;Potential to take on different values during and after setup
  145. ;MACHINE\Software\Microsoft\Driver Signing\Policy=3,1
  146. ;MACHINE\Software\Microsoft\Non-Driver Signing\Policy=3,0
  149. ;MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,1
  150. MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,0
  151. MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption=1,""
  152. MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=7,""
  153. MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ScForceOption=4,0
  154. MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon=4,1
  155. MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UndockWithoutLogon=4,1
  157. MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel=4,0
  158. MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand=4,0
  160. MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms=1,0
  161. MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD=1,0
  162. MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies=1,0
  163. MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,10
  164. MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon=4,0
  165. MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning=4,14
  166. MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption=1,0
  168. MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\AuthenticodeEnabled=4,0
  170. ;----------------------------------------------------------------------
  171. ; Privileges & Rights
  172. ;----------------------------------------------------------------------
  173. ;
  174. ;World S-1-1-0
  175. ;
  176. ;NT Authority S-1-5
  177. ;LOCAL_SERVICE 19
  178. ;NETWORK_SERVICE 20
  179. ;
  180. ;Built-In Domain SubAuthority = S-1-5-32
  181. ;ADMINISTRATORS 544
  182. ;USERS 545
  183. ;GUESTS 546
  184. ;POWER_USERS 547
  185. ;ACCOUNT_OPS 548
  186. ;SYSTEM_OPS 549
  187. ;PRINT_OPS 550
  188. ;BACKUP_OPS 551
  189. ;REPLICATOR 552
  190. ;RAS_SERVERS 553
  191. ;PREW2KCOMPACCESS 554
  192. ;REMOTE_DESKTOP_USERS 555
  193. ;NETWORK_CONFIGURATION_OPS 556
  194. ;
  195. [Privilege Rights]
  196. SeAssignPrimaryTokenPrivilege = *S-1-5-19, *S-1-5-20
  197. SeAuditPrivilege = *S-1-5-19, *S-1-5-20
  198. SeBatchLogonRight =
  199. SeBackupPrivilege = *S-1-5-32-544
  200. SeChangeNotifyPrivilege = *S-1-5-32-544, *S-1-5-32-545, *S-1-1-0
  201. SeCreatePagefilePrivilege = *S-1-5-32-544
  202. SeCreateGlobalPrivilege = *S-1-5-6, *S-1-5-32-544
  203. SeCreatePermanentPrivilege =
  204. SeCreateTokenPrivilege =
  205. SeDebugPrivilege = *S-1-5-32-544
  206. SeImpersonatePrivilege = *S-1-5-6, *S-1-5-32-544
  207. SeIncreaseBasePriorityPrivilege = *S-1-5-32-544
  208. SeIncreaseQuotaPrivilege = *S-1-5-32-544, *S-1-5-19, *S-1-5-20
  209. SeInteractiveLogonRight = *S-1-5-32-544, *S-1-5-32-545, %SceInfGuest%
  210. SeLoadDriverPrivilege = *S-1-5-32-544
  211. SeLockMemoryPrivilege =
  212. SeMachineAccountPrivilege =
  213. SeManageVolumePrivilege = *S-1-5-32-544
  214. SeNetworkLogonRight = %SceInfGuest%, *S-1-5-32-545
  215. SeProfileSingleProcessPrivilege = *S-1-5-32-544
  216. SeRemoteInteractiveLogonRight = *S-1-5-32-544
  217. SeRemoteShutdownPrivilege = *S-1-5-32-544
  218. SeRestorePrivilege = *S-1-5-32-544
  219. SeSecurityPrivilege = *S-1-5-32-544
  220. SeServiceLogonRight =
  221. SeShutdownPrivilege = *S-1-5-32-544, *S-1-5-32-545
  222. SeSystemEnvironmentPrivilege = *S-1-5-32-544
  223. SeSystemProfilePrivilege = *S-1-5-32-544
  224. SeSystemTimePrivilege = *S-1-5-32-544
  225. SeTakeOwnershipPrivilege = *S-1-5-32-544
  226. SeTcbPrivilege =
  227. ;
  228. SeDenyInteractiveLogonRight = %SceInfGuest%
  229. SeDenyBatchLogonRight =
  230. SeDenyServiceLogonRight =
  231. SeDenyNetworkLogonRight = %SceInfGuest%
  232. SeDenyRemoteInteractiveLogonRight =
  233. ;
  234. SeUndockPrivilege = *S-1-5-32-544, *S-1-5-32-545
  235. SeSyncAgentPrivilege =
  236. SeEnableDelegationPrivilege =
  238. [Group Membership]
  239. %SceInfUsers%__Memberof =
  240. %SceInfUsers%__Members = %SceInfAuthUsers%,%SceInfInteractive%
  243. [Service General Setting]
  244. ;Note: startup type should not be configured during setup\dcpromo.
  245. ;autostarted on workstations and servers, standalone or joined - Remove PU ability to stop\start.
  246. Browser,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  247. Dhcp,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRRC;;;NO)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  248. TrkWks,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  249. Dnscache,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRRC;;;NO)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  250. Eventlog,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  251. PolicyAgent,,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  252. dmserver,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  253. Messenger,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  254. PlugPlay,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  255. Spooler,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  256. ProtectedStorage,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  257. RpcSs,,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLO;;;IU)(A;;CCLCSWRPLO;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  258. NtmsSvc,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  259. seclogon,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  260. SamSs,,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLO;;;IU)(A;;CCLCSWRPLO;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  261. lanmanserver,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  262. SENS,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  263. Schedule,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  264. Sysmonlog,,"D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCRPLOCR;;;LU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  265. LmHosts,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  266. LanmanWorkstation,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  267. RemoteRegistry,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  269. ;Not autostarted, but non-default DACL - Remove PU ability to change template
  270. ClipSrv,,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLO;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  271. NetDDE,,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLO;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  272. NetDDEdsdm,,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLO;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  273. EventSystem,,"D:(A;;CCLCSWRPLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  275. ;Not autostarted if machine is standalone
  276. Netlogon,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  277. W32Time,,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLO;;;IU)(A;;CCLCSWRPLO;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  279. ;Not autostarted if Wksta
  280. ;Alerter,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  281. ;MSDTC,,"D:(A;;CCLCSWRPLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLORC;;;NS)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  283. ;Server Only Services
  284. ;Dfs,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  285. ;LicenseService,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  287. ;IIS Specific Services - Leave them alone
  288. ;IISADMIN,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  289. ;W3SVC,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  290. ;MSFTPSVC,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  291. ;SMTPSVC,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  294. [Registry Keys]
  296. "MACHINE\Software",2,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  298. ;Same as parent, but this is the target of a symlink - set explicitly.
  299. "MACHINE\SOFTWARE\Classes",2,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  301. "MACHINE\SOFTWARE\Microsoft\Cryptography\Calais",2,"D:AR(A;CI;GRGWSD;;;LS)"
  303. "MACHINE\SOFTWARE\Microsoft\NetDDE",2,"D:P(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  304. "MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider",1,"D:AR"
  306. ;The following keys do not exist when we run
  307. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy",1,"D:AR"
  308. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer",1,"D:AR"
  309. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies",1,"D:AR"
  310. "MACHINE\SOFTWARE\Microsoft\MSDTC",1,"D:AR"
  312. ;Different than parent
  313. "MACHINE\SOFTWARE\Microsoft\wbem",2,"D:P(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GA;;;NS)(A;CI;GR;;;BU)"
  314. "MACHINE\SOFTWARE\Microsoft\wbem\CIMOM",2,"D:P(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GR;;;BU)"
  315. "MACHINE\SOFTWARE\Microsoft\wbem\Transports",2,"D:P(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GR;;;BU)"
  316. "MACHINE\SOFTWARE\Microsoft\wbem\ESS",2,"D:P(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GR;;;BU)"
  317. "MACHINE\SOFTWARE\Microsoft\wbem\FWD",2,"D:P(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GR;;;BU)"
  320. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony",2,"D:P(A;CIOI;GR;;;BU)(A;CIOI;GRGWSD;;;PU)(A;CIOI;GA;;;NS)(A;CIOI;GA;;;LS)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  322. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib",2,"D:P(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GR;;;LS)(A;CI;GR;;;NS)(A;CI;GR;;;LU)(A;CI;GR;;;MU)"
  323. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\009",1,"D:AR"
  324. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf",2,"D:P(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GR;;;LS)(A;CI;GR;;;NS)(A;CI;GR;;;LU)(A;CI;GR;;;MU)"
  327. "MACHINE\System",2,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  329. "MACHINE\SYSTEM\Clone",1,"D:AR"
  331. "MACHINE\SYSTEM\ControlSet001",1,"D:AR"
  332. "MACHINE\SYSTEM\ControlSet002",1,"D:AR"
  333. "MACHINE\SYSTEM\ControlSet003",1,"D:AR"
  334. "MACHINE\SYSTEM\ControlSet004",1,"D:AR"
  335. "MACHINE\SYSTEM\ControlSet005",1,"D:AR"
  336. "MACHINE\SYSTEM\ControlSet006",1,"D:AR"
  337. "MACHINE\SYSTEM\ControlSet007",1,"D:AR"
  338. "MACHINE\SYSTEM\ControlSet008",1,"D:AR"
  339. "MACHINE\SYSTEM\ControlSet009",1,"D:AR"
  340. "MACHINE\SYSTEM\ControlSet010",1,"D:AR"
  342. "MACHINE\SYSTEM\CurrentControlSet\Control\Class",0,"D:AR"
  344. "MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout",2,"D:(A;CI;GR;;;WD)"
  345. "MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts",2,"D:(A;CI;GR;;;WD)"
  346. "MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Audit",2,"D:P(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  347. "MACHINE\SYSTEM\CurrentControlSet\Control\LSA\JD",2,"D:P(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  348. "MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Skew1",2,"D:P(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  349. "MACHINE\SYSTEM\CurrentControlSet\Control\LSA\GBG",2,"D:P(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  350. "MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Data",2,"D:P(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  351. "MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg",2,"D:P(A;CI;GA;;;BA)(A;CI;GR;;;LS)"
  352. "MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache",2,"D:P(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  353. "MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Security",2,"D:P(A;CI;GR;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  355. "MACHINE\SYSTEM\CurrentControlSet\Enum",1,"D:AR"
  357. "MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles",1,"D:AR"
  359. ;Set security subkey permissions for those services created via default hives
  360. "MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  361. "MACHINE\SYSTEM\CurrentControlSet\Services\ClipSrv\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  362. "MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  363. "MACHINE\SYSTEM\CurrentControlSet\Services\ERSvc\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  364. @*:Fix for 477845 causes regression for 32625
  365. ;"MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  366. @*:We still can add a SACL to it though.
  367. "MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security",2,"S:AR(AU;OICISAFA;DCLCSDWDWO;;;WD)"
  368. @@:@6:"MACHINE\SYSTEM\CurrentControlSet\Services\IASJet\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  369. "MACHINE\SYSTEM\CurrentControlSet\Services\NetDDE\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  370. "MACHINE\SYSTEM\CurrentControlSet\Services\NetDDEdsdm\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  371. "MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  372. "MACHINE\SYSTEM\CurrentControlSet\Services\Samss\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  373. "MACHINE\SYSTEM\CurrentControlSet\Services\SCardSvr\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  374. "MACHINE\SYSTEM\CurrentControlSet\Services\TapiSrv\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  375. "MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  377. ;Set security subkey permissions for those services created in GUI-mode setup before SCE runs
  378. "MACHINE\SYSTEM\CurrentControlSet\Services\IREnum\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  379. "MACHINE\SYSTEM\CurrentControlSet\Services\STISvc\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  380. "MACHINE\SYSTEM\CurrentControlSet\Services\WMI\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  382. "MACHINE\SYSTEM\CurrentControlSet\Services\SysmonLog\Log Queries",2,"D:(A;CI;GA;;;NS)(A;CI;CCDCLCSWSDRC;;;LU)"
  384. "USERS\.DEFAULT",2,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  385. "USERS\.DEFAULT\Software\Microsoft\NetDDE",2,"D:P(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  386. "USERS\.DEFAULT\SOFTWARE\Microsoft\Protected Storage System Provider",1,"D:AR"
  387. "USERS\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\ProtectedRoots",1,"D:AR"
  389. [File Security]
  391. ;---------------------------------------------------------------------------------------
  392. ;x86 Boot Files
  393. ;---------------------------------------------------------------------------------------
  394. @@:@i:"%BootDrive%\boot.ini",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  395. @@:@i:"%BootDrive%\ntdetect.com",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  396. @@:@i:"%BootDrive%\ntldr",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  397. @@:@i:"%BootDrive%\ntbootdd.sys",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  398. @@:@i:"%BootDrive%\autoexec.bat",2,"D:P(A;;GRGX;;;BU)(A;;GA;;;BA)(A;;GA;;;SY)"
  399. @@:@i:"%BootDrive%\config.sys",2,"D:P(A;;GRGX;;;BU)(A;;GA;;;BA)(A;;GA;;;SY)"
  401. ;---------------------------------------------------------------------------------------
  402. ;amd64 Boot Files
  403. ;---------------------------------------------------------------------------------------
  404. @@:@a:"%BootDrive%\boot.ini",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  405. @@:@a:"%BootDrive%\ntdetect.com",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  406. @@:@a:"%BootDrive%\ntldr",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  408. ;---------------------------------------------------------------------------------------
  409. ;System Drive
  410. ;---------------------------------------------------------------------------------------
  411. ;SetupSecurity will contain the new root acl. Ignore docs and settings if it's reapplied (e.g. on conversion from FAT)
  412. "%SystemDrive%\Documents and Settings",1,"D:AR"
  413. ; Directories that might not exist when security is applied; but are listed here
  414. ; so that they get secured correctly on converting the file system to NTFS
  415. "%SystemDrive%\perflogs",2,"D:P(A;CIOI;GRGX;;;MU)(A;CIOI;GRGWGXSDRC;;;NS)(A;CIOI;GRGWGXSDRC;;;LU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  416. "%SystemDrive%\System Volume Information",2,"D:P(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  417. "%SystemDrive%\wmpub",2,"D:P(A;CIOI;GRGWGXSD;;;BU)(A;CIOI;GRGWGXSD;;;NS)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  419. ;---------------------------------------------------------------------------------------------
  420. ;ProgramFiles
  421. ;---------------------------------------------------------------------------------------------
  423. "%SceInfProgramFiles%",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  424. "%SceInfProgramFiles%\WindowsUpdate",2,"D:P(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  427. ;---------------------------------------------------------------------------------------------
  428. ;System Root (Typically \WINDOWS)
  429. ;---------------------------------------------------------------------------------------------
  430. "%SystemRoot%",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  432. ;Differences from parent
  433. "%SystemRoot%\Debug",2,"D:P(A;;GX;;;BU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  434. "%SystemRoot%\Debug\UserMode",2,"D:PAR(A;;0x00100023;;;BU)(A;OIIO;0x00100006;;;BU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)"
  435. "%SystemRoot%\repair",2,"D:P(A;CI;GRGX;;;BU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  436. "%SystemRoot%\Temp",2,"D:P(A;CI;0x100026;;;BU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  437. "%SystemRoot%\Web\printers\prtcabs",2,"D:(A;CIOI;GRGXGWSD;;;NS)"
  439. ;Directories that do not exist when security applied during clean-install - Creator specifies directory security.
  440. ;We explicitly ignore so as not to whack the component-specified DIRECTORY security on upgrade or reapplication of defaults.
  441. "%SystemRoot%\CSC",1,"D:AR"
  443. ;Profiles folder (typically %SystemRoot%\Profiles)
  444. "%Profiles%",1,"D:AR"
  446. ; Directories that might not exist when security is applied; but are listed here
  447. ; so that they get secured correctly on converting the file system to NTFS
  448. "%SystemRoot%\Installer",2,"D:P(A;CIOI;GRGX;;;WD)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)"
  449. "%SystemRoot%\PCHEALTH\HELPCTR",2,"D:P(A;CIOI;GRGX;;;WD)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  450. "%SystemRoot%\PCHEALTH\HELPCTR\Config",2,"D:P(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  451. "%SystemRoot%\PCHEALTH\HELPCTR\DataColl",2,"D:P(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  452. "%SystemRoot%\PCHEALTH\HELPCTR\PackageStore",2,"D:P(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  453. "%SystemRoot%\prefetch",2,"D:P(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)"
  454. "%SystemRoot%\Registration",2,"D:P(A;OI;GRGX;;;WD)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)"
  455. "%SystemRoot%\Registration\CRMLog",0,"D:P(A;;0x1200ab;;;BU)(A;OIIO;GRGWSD;;;BU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)"
  456. "%SystemRoot%\Tasks",2,"D:P(A;;0x1200ab;;;AU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  458. ;Directories that do not exist when security applied during setup - Creator does not specify directory security.
  459. ;Creator should specify FILE security in optional component INF that gets applied on clean-install AND upgrade.
  460. ;Omit (rather than ignore) to allow component-specified file security to be set on reapplication of defaults.
  461. ;Use MARTA (rather than omit) for any components that set protected run-time security.
  462. ;"%SystemRoot%\Downloaded Program Files",0,"D:AR"
  463. ;"%SystemRoot%\Offline Web Pages",0,"D:AR"
  464. ;"%SystemRoot%\IME",0,"D:AR"
  465. ;"%SystemRoot%\mww32",0,"D:AR"
  466. ;"%SystemRoot%\PCHEALTH",0,"D:AR"
  467. ;"%SystemRoot%\SchCache",0,"D:AR"
  468. ;"%SystemRoot%\srchasst",0,"D:AR"
  470. "%SystemDirectory%",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  472. ;Differences from parent
  473. "%SystemDirectory%\config",2,"D:P(A;CI;GRGX;;;BU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  474. ;Profile for system account - moved from Docs and Settings in Whistler. Creator specifies security.
  475. "%SystemDirectory%\config\systemprofile",1,"D:P(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)"
  476. "%SystemDirectory%\dllcache",2,"D:P(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  477. "%SystemDirectory%\ias",2,"D:P(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  478. "%SystemDirectory%\LogFiles\ShutDown",2,"D:P(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)"
  479. "%SystemDirectory%\setup",2,"D:P(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  480. "%SystemDirectory%\wbem\mof",2,"D:P(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  481. "%SystemDirectory%\wbem\repository",2,"D:P(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  482. "%SystemDirectory%\wbem\logs",2,"D:P(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)(A;CIOI;GRGXGW;;;NS)(A;CIOI;GRGXGW;;;LS)"
  483. "%SystemDirectory%\wbem\AutoRecover",2,"D:P(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  484. "%Systemdirectory%\wpa.bak",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  485. "%Systemdirectory%\wpa.dbl",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  486. ;So spooler can load drivers while impersonating the forced Guest
  487. "%SystemDirectory%\spool\drivers",2,"D:(A;CIOI;GRGX;;;WD)"
  489. ;Directories that do not exist when security applied during clean-install - Creator specifies directory security.
  490. ;We explicitly ignore so as not to whack the component-specified DIRECTORY security on upgrade or reapplication of defaults.
  491. "%SystemDirectory%\appmgmt",1,"D:AR"
  492. "%SystemDirectory%\DTCLog",1,"D:AR"
  493. "%SystemDirectory%\GroupPolicy",1,"D:AR"
  494. "%SystemDirectory%\NTMSData",1,"D:AR"
  495. "%SystemDirectory%\ReinstallBackups",1,"D:AR"
  496. "%SystemDirectory%\repl",1,"D:AR"
  498. ; Directories that might not exist when security is applied; but are listed here
  499. ; so that they get secured correctly on converting the file system to NTFS
  500. "%SystemDirectory%\com\dmp",2,"D:P(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)"
  501. "%SystemDirectory%\FxsTmp",2,"D:P(A;;0x100003;;;BU)(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICIIO;FA;;;CO)"
  502. "%SystemDirectory%\LLS",2,"D:(A;CIOI;GA;;;NS)"
  503. "%SystemDirectory%\LLS\CPL.CFG",2,"D:P(A;CIOI;GA;;;NS)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  504. "%SystemDirectory%\LLS\LlsCert.LLS",2,"D:P(A;CIOI;GA;;;NS)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  505. "%SystemDirectory%\LLS\LlsMap.LLS",2,"D:P(A;CIOI;GA;;;NS)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  506. "%SystemDirectory%\LLS\LlsUser.LLS",2,"D:P(A;CIOI;GA;;;NS)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  507. "%SystemDirectory%\LogFiles\Fax\Incoming",2,"D:P(A;CIOI;GA;;;NS)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  508. "%SystemDirectory%\LogFiles\Fax\Outgoing",2,"D:P(A;CIOI;GA;;;NS)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  509. "%SystemDirectory%\LogFiles\wms",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGWGXSD;;;NS)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  510. "%SystemDirectory%\LServer",2,"D:P(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  511. "%SystemDirectory%\msdtc",2,"D:P(A;OICI;GRGWGX;;;NS)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  512. "%SystemDirectory%\msmq",2,"D:P(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  513. "%SystemDirectory%\spool\printers",2,"D:P(A;CI;0x1000ae;;;BU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  514. "%SystemDirectory%\tssesdir",2,"D:P(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  515. "%SystemDirectory%\Windows media",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGWGXSD;;;NS)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  517. ;Directories that do not exist when security applied during setup - Creator does not specify directory security.
  518. ;Creator should specify FILE security in optional component INF that gets applied on clean-install AND upgrade.
  519. ;Omit (rather than ignore) to allow component-specified file security to be set on reapplication of defaults.
  520. ;Use MARTA (rather than omit) for any components that set protected run-time security.
  521. ;"%SystemDirectory%\Cache",0,"D:AR"
  522. ;"%SystemDirectory%\Com",0,"D:AR"
  523. ;"%SystemDirectory%\clients",0,"D:AR"
  524. ;"%SystemDirectory%\inetsrv",0,"D:AR"
  525. ;"%SystemDirectory%\Microsoft",0,"D:AR"
  526. ;"%SystemDirectory%\npp",0,"D:AR"
  527. ;"%SystemDirectory%\oobe",0,"D:AR"
  528. ;"%SystemDirectory%\restore",0,"D:AR"
  529. ;"%SystemDirectory%\reminst",0,"D:AR"
  530. ;"%SystemDirectory%\rocket",0,"D:AR"
  531. ;"%SystemDirectory%\usmt",0,"D:AR"