@*:This file defines enhanced security settings for possible customer implementation. @*:Please do not edit. Instead, email kirksol with the requested change. @*:Thanks! ; Copyright (c) Microsoft Corporation. All rights reserved. ; ; Security Configuration Template for Security Configuration Editor ; ; Template Name: HiSecDC.INF ; Template Version: 05.10.HD.0000 [Profile Description] %SCEHiSecDCProfileDescription% [version] signature="$CHICAGO$" revision=1 [System Access] ;---------------------------------------------------------------- ;Account Policies - Password Policy ;---------------------------------------------------------------- MinimumPasswordAge = 2 MaximumPasswordAge = 42 MinimumPasswordLength = 8 PasswordComplexity = 1 PasswordHistorySize = 24 ClearTextPassword = 0 LSAAnonymousNameLookup = 0 EnableGuestAccount = 0 ;---------------------------------------------------------------- ;Account Policies - Lockout Policy ;---------------------------------------------------------------- LockoutBadCount = 5 ResetLockoutCount = 30 LockoutDuration = -1 ;---------------------------------------------------------------- ;Local Policies - Security Options ;---------------------------------------------------------------- ;DC Only ForceLogoffWhenHourExpire = 1 LSAAnonymousNameLookup = 0 ;NewAdministatorName = ;NewGuestName = ;SecureSystemPartition ;---------------------------------------------------------------- ;Event Log - Log Settings ;---------------------------------------------------------------- ;Audit Log Retention Period: ;0 = Overwrite Events As Needed ;1 = Overwrite Events As Specified by Retention Days Entry ;2 = Never Overwrite Events (Clear Log Manually) [System Log] RestrictGuestAccess = 1 [Security Log] AuditLogRetentionPeriod = 0 RestrictGuestAccess = 1 [Application Log] RestrictGuestAccess = 1 ;---------------------------------------------------------------------- ; Local Policies\Audit Policy ;---------------------------------------------------------------------- [Event Audit] AuditSystemEvents = 3 AuditObjectAccess = 3 AuditPrivilegeUse = 3 AuditPolicyChange = 3 AuditAccountManage = 3 AuditProcessTracking = 0 AuditDSAccess=3 AuditLogonEvents = 3 AuditAccountLogon=3 ;---------------------------------------------------------------------- ; Local Policies\SecurityOptions ;---------------------------------------------------------------------- [Registry Values] ; Registry value name in full path = Type, Value ; REG_SZ ( 1 ) ; REG_EXPAND_SZ ( 2 ) // with environment variables to expand ; REG_BINARY ( 3 ) ; REG_DWORD ( 4 ) ; REG_MULTI_SZ ( 7 ) MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects=4,0 MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail=4,0 MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds=4,1 MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,0 ;ForceGuest is not acknowledged on DC's: ;MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest=4,0 MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing=3,0 MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5 MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec=4,0 MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec=4,0 MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1 MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1 MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1 MACHINE\System\CurrentControlSet\Control\Lsa\SubmitControl=4,0 MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers=4,1 MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive=4,1 MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,1 MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode=4,1 MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,1 MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1 MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogOff=4,1 MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect=4,15 MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RestrictNullSessAccess=4,1 MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature=4,1 MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature=4,0 MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword=4,0 MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity=4,1 MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity=4,2 MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange=4,0 MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge=4,30 MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RefusePasswordChange=4,0 MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel=4,1 MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel=4,1 MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal=4,1 MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey=4,1 MACHINE\Software\Microsoft\Driver Signing\Policy=3,2 MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,0 MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1 MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption=1,"" MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=7,"" MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon=4,0 MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UndockWithoutLogon=4,0 MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel=4,0 MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand=4,0 MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms=1,1 MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD=1,0 MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies=1,1 MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,0 MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon=4,1 MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning=4,14 MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption=1,2