archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3 Commits
1 Branch
0 Tags
1.5 GiB
Tree: 827363a95b
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '827363a95b'
${ noResults }
windows-server-2003/mergedcomponents/setupinfs/defdcgpo.inx

128 lines
4.6 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. @*:This file defines default security settings.
  2. @*:Please do not edit. Instead, email kirksol with the requested change.
  3. @*:Thanks!
  4. ; Copyright (c) Microsoft Corporation. All rights reserved.
  5. ;
  6. ; Security Configuration Template for Security Configuration Editor
  7. ;
  8. ; Template Name: DefDCGPO.INF
  9. ; Template Version: 05.10.DG.0000
  10. ;
  11. ; Minimal Default DC Policy for Windows NT 5.1 Domain Controllers.
  12. ; Used for Disaster Recovery Purposes.
  14. [version]
  15. signature="$CHICAGO$"
  16. revision=1
  18. [Event Audit]
  19. AuditAccountLogon = 1
  20. AuditAccountManage = 0
  21. AuditLogonEvents = 1
  22. AuditObjectAccess = 0
  23. AuditPrivilegeUse = 0
  24. AuditPolicyChange = 0
  25. AuditProcessTracking = 0
  26. AuditSystemEvents = 0
  27. AuditDSAccess = 0
  29. ;----------------------------------------------------------------
  30. ;Registry Values
  31. ;----------------------------------------------------------------
  32. [Registry Values]
  33. ; Registry value name in full path = Type, Value
  34. ; REG_SZ ( 1 )
  35. ; REG_EXPAND_SZ ( 2 ) // with environment variables to expand
  36. ; REG_BINARY ( 3 )
  37. ; REG_DWORD ( 4 )
  38. ; REG_MULTI_SZ ( 7 )
  40. ;Copied to Default DC GPO if first DC
  42. ;We need to make sure Server-Side Packet Signing is on in the DC case.
  43. ;The rest of the registry values are maintained from the server.
  44. MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,1
  45. MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
  47. ;All DC's should be consistent wrt secure channel signing and LMC
  48. MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,2
  49. MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal=4,1
  50. MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity=4,1
  53. ;----------------------------------------------------------------------
  54. ; Privileges & Rights
  55. ;----------------------------------------------------------------------
  56. ;
  57. ;World S-1-1-0
  58. ;
  59. ;NT Authority S-1-5
  60. ;ENTERPRISE_CONTROLLERS 9
  61. ;AUTHENTICATED_USER 11
  62. ;LOCAL_SERVICE 19
  63. ;NETWORK_SERVICE 20
  64. ;
  65. ;Built-In Domain SubAuthority = S-1-5-32
  66. ;ADMINISTRATORS 544
  67. ;USERS 545
  68. ;GUESTS 546
  69. ;POWER_USERS 547
  70. ;ACCOUNT_OPS 548
  71. ;SYSTEM_OPS 549
  72. ;PRINT_OPS 550
  73. ;BACKUP_OPS 551
  74. ;REPLICATOR 552
  75. ;RAS_SERVERS 553
  76. ;PREW2KCOMPACCESS 554
  77. ;REMOTE_DESKTOP_USERS 555
  78. ;NETWORK_CONFIGURATION_OPS 556
  79. ;
  80. [Privilege Rights]
  81. ;Add Whatever a DC should have by default.
  82. ;Remove Power Users from every right since it no longer exists but may have been added.
  83. ;Remove Whatever *Default* Server Rights don't belong on a DC
  84. ;If Server and DC Defaults are the same, then only power users is removed
  85. ;If You remove Everyone, Remove Authenticated Users as well.
  86. ;
  87. SeAssignPrimaryTokenPrivilege = *S-1-5-19, *S-1-5-20
  88. SeAuditPrivilege = *S-1-5-19, *S-1-5-20
  89. SeBackupPrivilege = *S-1-5-32-544, *S-1-5-32-551, *S-1-5-32-549
  90. SeBatchLogonRight =
  91. SeChangeNotifyPrivilege = *S-1-5-32-544, *S-1-5-11, *S-1-1-0, *S-1-5-32-554
  92. SeCreateGlobalPrivilege = *S-1-5-6, *S-1-5-32-544
  93. SeCreatePagefilePrivilege = *S-1-5-32-544
  94. SeCreatePermanentPrivilege =
  95. SeCreateTokenPrivilege =
  96. SeDebugPrivilege = *S-1-5-32-544
  97. SeImpersonatePrivilege = *S-1-5-6, *S-1-5-32-544
  98. SeIncreaseBasePriorityPrivilege = *S-1-5-32-544
  99. SeIncreaseQuotaPrivilege = *S-1-5-32-544, *S-1-5-19, *S-1-5-20
  100. SeInteractiveLogonRight = *S-1-5-32-548, *S-1-5-32-544, *S-1-5-32-551, *S-1-5-32-549, *S-1-5-32-550
  101. SeLoadDriverPrivilege = *S-1-5-32-544
  102. SeLockMemoryPrivilege =
  103. SeMachineAccountPrivilege = *S-1-5-11
  104. ;SeManageVolumePrivilege = *S-1-5-32-544
  105. SeNetworkLogonRight = *S-1-5-32-544, *S-1-5-11, *S-1-1-0, *S-1-5-9, *S-1-5-32-554
  106. SeProfileSingleProcessPrivilege = *S-1-5-32-544
  107. ;SeRemoteInteractiveLogonRight = *S-1-5-32-544
  108. SeRemoteShutdownPrivilege = *S-1-5-32-544, *S-1-5-32-549
  109. SeRestorePrivilege = *S-1-5-32-544, *S-1-5-32-551, *S-1-5-32-549
  110. SeSecurityPrivilege = *S-1-5-32-544
  111. SeServiceLogonRight =
  112. SeShutdownPrivilege = *S-1-5-32-548, *S-1-5-32-544, *S-1-5-32-551, *S-1-5-32-549, *S-1-5-32-550
  113. SeSystemEnvironmentPrivilege = *S-1-5-32-544
  114. SeSystemProfilePrivilege = *S-1-5-32-544
  115. SeSystemTimePrivilege = *S-1-5-32-544, *S-1-5-32-549
  116. SeTakeOwnershipPrivilege = *S-1-5-32-544
  117. SeTcbPrivilege =
  118. ;
  119. SeDenyInteractiveLogonRight =
  120. SeDenyBatchLogonRight =
  121. SeDenyServiceLogonRight =
  122. SeDenyNetworkLogonRight =
  123. ;SeDenyRemoteInteractiveLogonRight =
  124. ;
  125. SeUndockPrivilege = *S-1-5-32-544
  126. SeSyncAgentPrivilege =
  127. SeEnableDelegationPrivilege = *S-1-5-32-544