;Supplies default recommendations for the SCM UI
;Specify default system settings where possible
;If there are SKU differences, present the more secure setting
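; Template header. "$CHICAGO$" is the INF signature used by Windows
; security templates; the value is kept exactly as shipped.
[Version]
signature="$CHICAGO$"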
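; Default service entry: name, startup type, security descriptor (SDDL).
; Startup type: 2 = automatic, 3 = manual, 4 = disabled.
; "PlaceHolder" is not a real service name; presumably the UI substitutes
; the service being edited - TODO confirm.
; SDDL as written: Administrators (BA) and Local System (SY) get the full
; service rights string, Interactive users (IU) get a query/read subset,
; and the SACL audits failed access (FA) by Everyone (WD).
[Service General Setting]
PlaceHolder,4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"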
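; Default registry-key ACL entry: key path, mode, security descriptor (SDDL).
; Mode: 0 = propagate inheritable permissions, 1 = do not replace,
; 2 = replace existing permissions on subkeys.
; SDDL as written: protected DACL (P); Administrators (BA) and Local System
; (SY) get full key access (KA), Creator Owner (CO) gets KA on subkeys only
; (inherit-only), and Users (BU) get read (KR).
[Registry Keys]
"PlaceHolder",2,"D:PAR(A;CI;KA;;;BA)(A;CIIO;KA;;;CO)(A;CI;KA;;;SY)(A;CI;KR;;;BU)"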
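; Default file/folder ACL entry: path, mode, security descriptor (SDDL).
; Mode: 0 = propagate inheritable permissions, 1 = do not replace,
; 2 = replace existing permissions on children.
; SDDL as written: protected DACL (P); Administrators (BA) and Local System
; (SY) get full file access (FA), Creator Owner (CO) gets FA on children only
; (inherit-only), and Users (BU) get 0x1200a9 (read and execute).
[File Security]
"PlaceHolder",2,"D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;BU)"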
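; Account policy defaults. Per the file header these are the system
; defaults shown by the UI, not a hardening baseline.
; NOTE(review): MinimumPasswordLength = 0, PasswordComplexity = 0,
; PasswordHistorySize = 0 and LockoutBadCount = 0 together mean blank
; passwords are accepted and failed logons never lock an account. Compare
; with your organisation's baseline before importing this template.
[System Access]
;----------------------------------------------------------------
;Account Policies - Password Policy
;----------------------------------------------------------------
; Days before a password may be changed again; 0 = immediately.
MinimumPasswordAge = 0
; Days before a password expires.
MaximumPasswordAge = 42
; Minimum characters; 0 = no minimum, so a blank password is allowed.
MinimumPasswordLength = 0
; 0 = complexity requirements not enforced.
PasswordComplexity = 0
; Number of previous passwords remembered; 0 = reuse is not prevented.
PasswordHistorySize = 0
; 0 = users need not be logged on to change a password.
RequireLogonToChangePassword = 0
; 0 = passwords are not stored with reversible encryption.
ClearTextPassword = 0
; 0 = anonymous SID/name translation is not allowed.
LSAAnonymousNameLookup = 0
; 0 = the built-in Guest account is disabled.
EnableGuestAccount = 0

;----------------------------------------------------------------
;Account Policies - Lockout Policy
;----------------------------------------------------------------
; Failed logons before lockout; 0 = accounts are never locked out.
LockoutBadCount = 0
; Minutes; left commented out because they have no effect while
; LockoutBadCount is 0.
;ResetLockoutCount = 30
;LockoutDuration = 30

;----------------------------------------------------------------
;Local Policies - Security Options
;----------------------------------------------------------------
;DC Only
;ForceLogoffWhenHourExpire = 0

; Spelling corrected from "NewAdministatorName" so the key is recognised
; if it is ever uncommented.
;NewAdministratorName =
;NewGuestName =
;SecureSystemPartition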
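;----------------------------------------------------------------
;Event Log - Log Settings
;----------------------------------------------------------------
;Audit Log Retention Period:
;0 = Overwrite Events As Needed
;1 = Overwrite Events As Specified by Retention Days Entry
;2 = Never Overwrite Events (Clear Log Manually)

[System Log]
; Maximum log size in kilobytes (16384 KB = 16 MB).
MaximumLogSize = 16384
; 0 = overwrite as needed: once the log is full the oldest events are lost.
AuditLogRetentionPeriod = 0
; Days; only consulted when AuditLogRetentionPeriod = 1.
RetentionDays = 7
; 1 = guests may not read this log.
RestrictGuestAccess = 1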
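; Security event log defaults.
; NOTE(review): with overwrite-as-needed and a 16 MB cap, older security
; events are discarded once the log fills; collect or forward the log if it
; is needed for investigations.
[Security Log]
; Maximum log size in kilobytes (16384 KB = 16 MB).
MaximumLogSize = 16384
; 0 = overwrite events as needed.
AuditLogRetentionPeriod = 0
; Days; only consulted when AuditLogRetentionPeriod = 1.
RetentionDays = 7
; 1 = guests may not read this log.
RestrictGuestAccess = 1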
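; Application event log defaults.
[Application Log]
; Maximum log size in kilobytes (16384 KB = 16 MB).
MaximumLogSize = 16384
; 0 = overwrite events as needed.
AuditLogRetentionPeriod = 0
; Days; only consulted when AuditLogRetentionPeriod = 1.
RetentionDays = 7
; 1 = guests may not read this log.
RestrictGuestAccess = 1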
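;----------------------------------------------------------------------
; Local Policies\Audit Policy
;----------------------------------------------------------------------
; Values: 0 = no auditing, 1 = success, 2 = failure, 3 = success and failure.
; NOTE(review): only successful logons are audited here. Failed logons are
; not recorded, and LockoutBadCount = 0 in [System Access] means they are
; not throttled either, so repeated password guessing would leave no
; Security-log entries under these defaults.
[Event Audit]
AuditSystemEvents = 0
AuditObjectAccess = 0
AuditPrivilegeUse = 0
AuditPolicyChange = 0
AuditAccountManage = 0
AuditProcessTracking = 0
; Directory service access; left commented out in the original.
;AuditDSAccess = 0
; 1 = success only.
AuditAccountLogon = 1
; 1 = success only.
AuditLogonEvents = 1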
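;----------------------------------------------------------------
;Registry Values
;----------------------------------------------------------------
[Registry Values]
; Registry value name in full path = Type, Value
; REG_SZ ( 1 )
; REG_EXPAND_SZ ( 2 ) // with environment variables to expand
; REG_BINARY ( 3 )
; REG_DWORD ( 4 )
; REG_MULTI_SZ ( 7 )

; --- LSA: auditing, anonymous access and authentication protocol ---
; 0 = access to global system objects is not audited.
MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects=4,0
; 0 = the system keeps running when security audits cannot be logged.
MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail=4,0
; 0 = storing credentials for network authentication is allowed.
MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds=4,0
; 0 = Everyone permissions do not apply to anonymous users.
MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,0
; 0 = classic model: local users authenticate as themselves, not as Guest.
MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest=4,0
; 0 = FIPS-compliant algorithms are not enforced.
MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy=4,0
; REG_BINARY; 0 = use of Backup and Restore privilege is not audited.
MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing=3,0
; 1 = local accounts with blank passwords are limited to console logon.
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
; NOTE(review): level 0 sends LM and NTLM responses and never uses NTLMv2
; session security - the weakest of levels 0-5.
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,0
; 0 = no minimum NTLM SSP session security is required (client / server).
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec=4,0
; NOTE(review): 0 = an LM hash is still stored at the next password change.
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,0
; 1 = objects created by administrators are owned by the creator rather
; than by the Administrators group.
MACHINE\System\CurrentControlSet\Control\Lsa\NoDefaultAdminOwner=4,1
; NOTE(review): 0 = anonymous enumeration of SAM accounts and shares is
; not restricted; only the SAM-accounts-only restriction on the next line
; is on.
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
; 1 = anonymous enumeration of SAM accounts is blocked.
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1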
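; [Registry Values], continued: remote registry access.
; REG_MULTI_SZ lists of registry paths that stay reachable over the network
; regardless of the winreg key ACL. AllowedPaths includes subpaths;
; AllowedExactPaths covers the listed keys only. Keep both lists as short
; as the environment permits.
MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine=7,Software\Microsoft\Windows NT\CurrentVersion\Print,Software\Microsoft\Windows NT\CurrentVersion\Windows,System\CurrentControlSet\Control\Print\Printers,System\CurrentControlSet\Services\Eventlog,Software\Microsoft\OLAP Server,System\CurrentControlSet\Control\ContentIndex,System\CurrentControlSet\Control\Terminal Server,System\CurrentControlSet\Control\Terminal Server\UserConfig,System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration,Software\Microsoft\Windows NT\CurrentVersion\Perflib,System\CurrentControlSet\Services\SysmonLog
MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths\Machine=7,System\CurrentControlSet\Control\ProductOptions,System\CurrentControlSet\Control\Server Applications,Software\Microsoft\Windows NT\CurrentVersion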
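; [Registry Values], continued: scheduling, printing and Session Manager.
; 0 = server operators may not schedule tasks (domain controllers).
MACHINE\System\CurrentControlSet\Control\Lsa\SubmitControl=4,0

; 0 = installing printer drivers is not limited to administrators.
MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers=4,0

; 1 = case insensitivity is required for non-Windows subsystems.
MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive=4,1
; 0 = the page file is not cleared at shutdown, so its contents persist
; on disk.
MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,0
; 1 = default permissions of internal system objects are strengthened.
MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode=4,1
; REG_MULTI_SZ list of optional subsystems.
MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems\optional=7,Posix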
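; [Registry Values], continued: SMB server (LanManServer).
; NOTE(review): both signing values are 0, so the server neither offers nor
; requires SMB packet signing under these defaults.
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,0
; 1 = clients are disconnected when their logon hours expire.
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogOff=4,1
; Idle minutes before a session is suspended.
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect=4,15
; 1 = anonymous (null session) access is limited to the pipes and shares
; listed in the next two values.
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RestrictNullSessAccess=4,1
; Every entry in these two lists is reachable without authentication;
; remove any that the host's role does not need.
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes=7,COMNAP,COMNODE,SQL\QUERY,SPOOLSS,LLSRPC,EPMAPPER,LOCATOR,TrkWks,TrkSvr
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares=7,COMCFG,DFS$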
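; [Registry Values], continued: SMB client (LanmanWorkstation) and LDAP client.
; 1 = the client signs SMB traffic when the server agrees.
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature=4,1
; 0 = signing is not required, so unsigned sessions are still accepted.
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature=4,0
; 0 = unencrypted passwords are never sent to third-party SMB servers.
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword=4,0

; 1 = LDAP client negotiates signing (0 = none, 2 = require signing).
MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity=4,1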
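; [Registry Values], continued: Netlogon secure channel and machine account.
; 0 = the machine account password is changed automatically.
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange=4,0
; Maximum machine account password age, in days.
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge=4,30
; 0 = machine account password changes are accepted (domain controllers).
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RefusePasswordChange=4,0
; 1 = secure channel data is signed / encrypted when possible, and one of
; the two is always required.
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal=4,1
; 0 = a strong session key is not required for the secure channel.
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey=4,0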
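; [Registry Values], continued: driver signing and interactive logon policy.
; REG_BINARY; 1 = warn on unsigned drivers (0 = silently succeed, 2 = block).
MACHINE\Software\Microsoft\Driver Signing\Policy=3,1

; 0 = Ctrl+Alt+Del is required before logon.
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,0
; 0 = the last logged-on user name is shown on the logon screen.
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,0
; Empty = no logon banner title or text is shown.
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption=1,""
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=7,""
; 0 = a smart card is not required for interactive logon.
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ScForceOption=4,0
; 1 = the system can be shut down from the logon screen without logging on.
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon=4,1
; 1 = a portable computer can be undocked without logging on.
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UndockWithoutLogon=4,1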
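; [Registry Values], continued: Recovery Console and Winlogon.
; 0 = no automatic administrative logon to the Recovery Console.
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel=4,0
; 0 = floppy copy and access to all drives and folders is not allowed.
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand=4,0

; These Winlogon device values are REG_SZ (type 1), not DWORD.
; 0 = CD-ROM access is not restricted to the locally logged-on user.
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms=1,0
; Who may format and eject removable media; presumably 0 = Administrators
; only - TODO confirm.
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD=1,0
; 0 = floppy access is not restricted to the locally logged-on user.
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies=1,0
; Number of previous domain logons cached locally for offline logon (REG_SZ).
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,10
; 0 = domain controller authentication is not required to unlock.
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon=4,0
; Days before expiry at which users are prompted to change their password.
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning=4,14
; REG_SZ; 0 = no action when the smart card is removed.
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption=1,0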
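; [Registry Values], continued: key protection and software restriction policy.
; 0 = no user input is required when stored private keys are used.
MACHINE\Software\Policies\Microsoft\Cryptography\ForceKeyProtection=4,0
; Presumably seconds that a key-protection password stays cached - TODO confirm.
MACHINE\Software\Policies\Microsoft\Cryptography\PasswordCacheTimeout=4,300
; 0 = certificate rules are not applied by software restriction policies.
MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\AuthenticodeEnabled=4,0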