archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
8 Commits
1 Branch
0 Tags
2.0 GiB
Tree: 744f0b4006
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '744f0b4006'
${ noResults }
windows-xp/Source/XPSP1/NT/mergedcomponents/setupinfs/defltdc.inx

417 lines
29 KiB
Raw Normal View History

Add source files
4 years ago
  1. @*:This file defines default security settings.
  2. @*:Please do not edit. Instead, email kirksol with the requested change.
  3. @*:Thanks!
  4. ; (c) Microsoft Corporation 1997-2000
  5. ;
  6. ; Security Configuration Template for Security Configuration Editor
  7. ;
  8. ; Template Name: DefltDC.INF
  9. ; Template Version: 05.10.DD.0000
  10. ;
  11. ; Default Security for Windows NT 5.1 Domain Controllers.
  12. ; Account Policies not set - Use DCFirst if first DC, else pull from existing domain.
  14. [version]
  15. signature="$CHICAGO$"
  16. revision=1
  18. ;----------------------------------------------------------------
  19. ;Event Log - Log Settings
  20. ;----------------------------------------------------------------
  21. ;Audit Log Retention Period:
  22. ;0 = Overwrite Events As Needed
  23. ;1 = Overwrite Events As Specified by Retention Days Entry
  24. ;2 = Never Overwrite Events (Clear Log Manually)
  26. [System Log]
  27. @@:@3:MaximumLogSize = 512
  28. @@:@6:MaximumLogSize = 2048
  29. AuditLogRetentionPeriod = 1
  30. RetentionDays = 7
  31. RestrictGuestAccess = 1
  33. [Security Log]
  34. MaximumLogSize = 512
  35. AuditLogRetentionPeriod = 1
  36. RetentionDays = 7
  37. RestrictGuestAccess = 1
  39. [Application Log]
  40. MaximumLogSize = 512
  41. AuditLogRetentionPeriod = 1
  42. RetentionDays = 7
  43. RestrictGuestAccess = 1
  45. [Event Audit]
  47. ;Auditing is Off by Default
  48. AuditAccountLogon = 0
  49. AuditAccountManage = 0
  50. AuditLogonEvents = 0
  51. AuditObjectAccess = 0
  52. AuditPrivilegeUse = 0
  53. AuditPolicyChange = 0
  54. AuditProcessTracking = 0
  55. AuditSystemEvents = 0
  56. AuditDSAccess = 0
  58. ;----------------------------------------------------------------
  59. ;Registry Values
  60. ;----------------------------------------------------------------
  61. [Registry Values]
  62. ; Registry value name in full path = Type, Value
  63. ; REG_SZ ( 1 )
  64. ; REG_EXPAND_SZ ( 2 ) // with environment variables to expand
  65. ; REG_BINARY ( 3 )
  66. ; REG_DWORD ( 4 )
  67. ; REG_MULTI_SZ ( 7 )
  69. ;Copied to Default DC GPO if first DC
  71. ;We need to make sure Server-Side Packet Signing is on in the DC case.
  72. ;The rest of the registry values are maintained from the server.
  73. MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,1
  75. ;All DC's should be consistent wrt secure channel signing
  76. MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal=4,1
  79. ;----------------------------------------------------------------------
  80. ; Privileges & Rights
  81. ;----------------------------------------------------------------------
  82. ;
  83. ;World S-1-1-0
  84. ;
  85. ;NT Authority S-1-5
  86. ;ENTERPRISE_CONTROLLERS 9
  87. ;AUTHENTICATED_USER 11
  88. ;LOCAL_SERVICE 19
  89. ;NETWORK_SERVICE 20
  90. ;
  91. ;Built-In Domain SubAuthority = S-1-5-32
  92. ;ADMINISTRATORS 544
  93. ;USERS 545
  94. ;GUESTS 546
  95. ;POWER_USERS 547
  96. ;ACCOUNT_OPS 548
  97. ;SYSTEM_OPS 549
  98. ;PRINT_OPS 550
  99. ;BACKUP_OPS 551
  100. ;REPLICATOR 552
  101. ;RAS_SERVERS 553
  102. ;PREW2KCOMPACCESS 554
  103. ;REMOTE_DESKTOP_USERS 555
  104. ;NETWORK_CONFIGURATION_OPS 556
  105. ;
  106. [Privilege Rights]
  107. ;Add Whatever a DC should have by default.
  108. ;Remove Power Users from every right since it no longer exists but may have been added.
  109. ;Remove Whatever *Default* Server Rights don't belong on a DC
  110. ;If Server and DC Defaults are the same, then only power users is removed
  111. ;If You remove Everyone, Remove Authenticated Users as well.
  112. ;
  113. SeAssignPrimaryTokenPrivilege = Add:, *S-1-5-19, *S-1-5-20, Remove:, *S-1-5-32-547
  114. SeAuditPrivilege = Add:, *S-1-5-19, *S-1-5-20, Remove:, *S-1-5-32-547
  115. SeBackupPrivilege = Add:, *S-1-5-32-544, *S-1-5-32-551, *S-1-5-32-549, Remove:, *S-1-5-32-547
  116. SeBatchLogonRight = Remove:, *S-1-5-32-547
  117. SeChangeNotifyPrivilege = Add:, *S-1-5-32-544, *S-1-5-11, *S-1-1-0, *S-1-5-32-554, Remove:, *S-1-5-32-551, *S-1-5-32-547, *S-1-5-32-545
  118. SeCreatePagefilePrivilege = Add:, *S-1-5-32-544, Remove:, *S-1-5-32-547
  119. SeCreatePermanentPrivilege = Remove:, *S-1-5-32-547
  120. SeCreateTokenPrivilege = Remove:, *S-1-5-32-547
  121. SeDebugPrivilege = Add:, *S-1-5-32-544, Remove:, *S-1-5-32-547
  122. SeIncreaseBasePriorityPrivilege = Add:, *S-1-5-32-544, Remove:, *S-1-5-32-547
  123. SeIncreaseQuotaPrivilege = Add:, *S-1-5-32-544, *S-1-5-19, *S-1-5-20, Remove:, *S-1-5-32-547
  124. SeInteractiveLogonRight = Add:, *S-1-5-32-548, *S-1-5-32-544, *S-1-5-32-551, *S-1-5-32-549, *S-1-5-32-550, Remove:, *S-1-5-32-547, *S-1-5-11, *S-1-5-32-546, %SceInfGuest%, *S-1-5-32-545, *S-1-1-0
  125. SeLoadDriverPrivilege = Add:, *S-1-5-32-544, Remove:, *S-1-5-32-547
  126. SeLockMemoryPrivilege = Remove:, *S-1-5-32-547
  127. SeMachineAccountPrivilege = Add:, *S-1-5-11, Remove:, *S-1-5-32-547
  128. SeManageVolumePrivilege = Add:, *S-1-5-32-544, Remove:, *S-1-5-32-547
  129. SeNetworkLogonRight = Add:, *S-1-5-32-544, *S-1-5-11, *S-1-1-0, *S-1-5-9, *S-1-5-32-554, Remove:, *S-1-5-32-551, *S-1-5-32-547, *S-1-5-32-546, %SceInfGuest%, *S-1-5-32-545
  130. SeProfileSingleProcessPrivilege = Add:, *S-1-5-32-544, Remove:, *S-1-5-32-547
  131. SeRemoteInteractiveLogonRight = Add:, *S-1-5-32-544, Remove:, *S-1-5-32-555, *S-1-5-32-547, *S-1-5-11, *S-1-5-32-546, %SceInfGuest%, *S-1-5-32-545, *S-1-1-0
  132. SeRemoteShutdownPrivilege = Add:, *S-1-5-32-544, *S-1-5-32-549, Remove:, *S-1-5-32-547
  133. SeRestorePrivilege = Add:, *S-1-5-32-544, *S-1-5-32-551, *S-1-5-32-549, Remove:, *S-1-5-32-547
  134. SeSecurityPrivilege = Add:, *S-1-5-32-544, Remove:, *S-1-5-32-547
  135. SeServiceLogonRight = Remove:, *S-1-5-32-547
  136. SeShutdownPrivilege = Add:, *S-1-5-32-548, *S-1-5-32-544, *S-1-5-32-551, *S-1-5-32-549, *S-1-5-32-550, Remove:, *S-1-5-32-547, *S-1-5-11, *S-1-5-32-546, %SceInfGuest%, *S-1-5-32-545, *S-1-1-0
  137. SeSystemEnvironmentPrivilege = Add:, *S-1-5-32-544, Remove:, *S-1-5-32-547
  138. SeSystemProfilePrivilege = Add:, *S-1-5-32-544, Remove:, *S-1-5-32-547
  139. SeSystemTimePrivilege = Add:, *S-1-5-32-544, *S-1-5-32-549, Remove:, *S-1-5-32-547, *S-1-5-19, *S-1-5-20
  140. SeTakeOwnershipPrivilege = Add:, *S-1-5-32-544, Remove:, *S-1-5-32-547
  141. SeTcbPrivilege = Remove:, *S-1-5-32-547
  142. ;
  143. SeDenyInteractiveLogonRight = Remove:, *S-1-5-32-547
  144. SeDenyBatchLogonRight = Remove:, *S-1-5-32-547
  145. SeDenyServiceLogonRight = Remove:, *S-1-5-32-547
  146. SeDenyNetworkLogonRight = Remove:, *S-1-5-32-547
  147. SeDenyRemoteInteractiveLogonRight = Remove:, *S-1-5-32-547
  148. ;
  149. SeUndockPrivilege = Add:, *S-1-5-32-544, Remove:, *S-1-5-32-547, *S-1-5-32-545
  150. SeSyncAgentPrivilege = Remove:, *S-1-5-32-547
  151. SeEnableDelegationPrivilege = Add:, *S-1-5-32-544, Remove:, *S-1-5-32-547
  153. [Service General Setting]
  154. ;Note - SCECLI is hooked so that startup mode is not configured during setup or dcpromo
  155. ;autostarted on workstations and servers, standalone or joined
  156. Browser,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  157. Dhcp,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRRC;;;NO)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  158. TrkWks,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  159. Dnscache,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRRC;;;NO)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  160. Eventlog,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  161. PolicyAgent,2,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  162. dmserver,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  163. Messenger,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  164. PlugPlay,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  165. Spooler,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  166. ProtectedStorage,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  167. RpcSs,2,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLO;;;IU)(A;;CCLCSWRPLO;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  168. NtmsSvc,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  169. seclogon,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  170. SamSs,2,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLO;;;IU)(A;;CCLCSWRPLO;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  171. lanmanserver,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  172. SENS,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  173. Schedule,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  174. LmHosts,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  175. LanmanWorkstation,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  176. RemoteRegistry,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  178. ;Not autostarted, but non-default DACL - Remove PU ability to change template
  179. ClipSrv,3,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLO;;;IU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  180. NetDDE,3,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLO;;;IU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  181. NetDDEdsdm,3,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLO;;;IU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  182. AppMgmt,3,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLO;;;IU)(A;;CCLCSWRPLO;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  183. EventSystem,3,"D:(A;;CCLCSWRPLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  185. ;Not autostarted if machine is standalone
  186. Netlogon,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  187. W32Time,2,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLO;;;IU)(A;;CCLCSWRPLO;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  189. ;Not autostarted if Wksta
  190. Alerter,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  191. MSDTC,2,"D:(A;;CCLCSWRPLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLORC;;;NS)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  193. ;Server Only Services
  194. Dfs,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  195. LicenseService,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  196. SMTPSVC,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  198. ;IIS Specific Services - Leave them alone
  199. ;IISADMIN,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  200. ;W3SVC,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  201. ;MSFTPSVC,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  204. [Registry Keys]
  206. "MACHINE\SOFTWARE",2,"D:P(A;CI;GR;;;AU)(A;CI;GRGWSD;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  208. ;Same as parent, but this is the target of a symlink - set explicitly.
  209. "MACHINE\SOFTWARE\Classes",2,"D:P(A;CI;GR;;;AU)(A;CI;GRGWSD;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  211. "MACHINE\SOFTWARE\Microsoft\ADs\Providers\LDAP\Extensions",2,"D:P(A;CI;GR;;;AU)(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  212. @@:@i:"MACHINE\SOFTWARE\Microsoft\ADs\Providers\NDS",2,"D:P(A;CI;GR;;;AU)(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  213. @@:@i:"MACHINE\SOFTWARE\Microsoft\ADs\Providers\NWCOMPAT",2,"D:P(A;CI;GR;;;AU)(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  214. "MACHINE\SOFTWARE\Microsoft\ADs\Providers\WinNT",2,"D:P(A;CI;GR;;;AU)(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  216. "MACHINE\SOFTWARE\Microsoft\Command Processor",2,"D:P(A;CI;GR;;;AU)(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  218. "MACHINE\SOFTWARE\Microsoft\Cryptography",2,"D:P(A;CI;GR;;;AU)(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  219. "MACHINE\SOFTWARE\Microsoft\Cryptography\Calais",2,"D:AR(A;CI;GRGWSD;;;LS)"
  220. "MACHINE\SOFTWARE\Microsoft\Driver Signing",2,"D:P(A;CI;GR;;;AU)(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  221. "MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates",2,"D:P(A;CI;GR;;;AU)(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  222. "MACHINE\SOFTWARE\Microsoft\Non-Driver Signing",2,"D:P(A;CI;GR;;;AU)(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  223. "MACHINE\SOFTWARE\Microsoft\NetDDE",2,"D:P(A;CI;GA;;;BA)(A;CI;GA;;;SY)"
  224. "MACHINE\SOFTWARE\Microsoft\NTDS",2,"D:P(A;CI;GR;;;AU)(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  225. "MACHINE\SOFTWARE\Microsoft\Ole",2,"D:P(A;CI;GR;;;AU)(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  226. "MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider",1,"D:AR"
  227. "MACHINE\SOFTWARE\Microsoft\Rpc",2,"D:P(A;CI;GR;;;AU)(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  228. "MACHINE\SOFTWARE\Microsoft\SystemCertificates",2,"D:P(A;CI;GR;;;AU)(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  230. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders",2,"D:P(A;CI;GR;;;AU)(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  231. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",2,"D:P(A;CI;GR;;;AU)(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  232. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",2,"D:P(A;CI;GR;;;AU)(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  233. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx",2,"D:P(A;CI;GR;;;AU)(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  234. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",2,"D:P(A;CI;GR;;;AU)(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  236. ;Don't overwrite the following keys which are protected and secured by the component
  237. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy",1,"D:AR"
  238. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer",1,"D:AR"
  239. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies",1,"D:AR"
  240. "MACHINE\SOFTWARE\Microsoft\MSDTC",1,"D:AR"
  242. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony",2,"D:P(A;CIOI;GR;;;BU)(A;CIOI;GRGWSD;;;PU)(A;CIOI;GA;;;NS)(A;CIOI;GA;;;LS)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  244. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility",2,"D:P(A;CI;GR;;;AU)(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  245. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug",2,"D:P(A;CI;GR;;;AU)(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  246. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Asr\Commands",2,"D:P(A;CI;GR;;;AU)(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GRGWSD;;;BO)"
  247. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Classes",2,"D:P(A;CI;GR;;;AU)(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  248. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32",2,"D:P(A;CI;GR;;;AU)(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  249. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS",2,"D:P(A;CI;GR;;;AU)(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  250. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Font Drivers",2,"D:P(A;CI;GR;;;AU)(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  251. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontMapper",2,"D:P(A;CI;GR;;;AU)(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  252. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options",2,"D:P(A;CI;GR;;;AU)(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  253. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping",2,"D:P(A;CI;GR;;;AU)(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  254. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib",2,"D:P(A;CI;GR;;;IU)(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GR;;;NS)"
  255. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\009",1,"D:AR"
  256. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList",2,"D:P(A;CI;GR;;;AU)(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  257. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SecEdit",2,"D:P(A;CI;GR;;;AU)(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  258. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost",2,"D:P(A;CI;GR;;;AU)(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  259. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones",2,"D:P(A;CI;GR;;;AU)(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  260. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows",2,"D:P(A;CI;GR;;;AU)(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  262. "MACHINE\SOFTWARE\Policies",2,"D:P(A;CI;GR;;;AU)(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  264. "MACHINE\SYSTEM",2,"D:P(A;CI;GR;;;AU)(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  266. "MACHINE\SYSTEM\Clone",1,"D:AR"
  268. "MACHINE\SYSTEM\ControlSet001",1,"D:AR"
  269. "MACHINE\SYSTEM\ControlSet002",1,"D:AR"
  270. "MACHINE\SYSTEM\ControlSet003",1,"D:AR"
  271. "MACHINE\SYSTEM\ControlSet004",1,"D:AR"
  272. "MACHINE\SYSTEM\ControlSet005",1,"D:AR"
  273. "MACHINE\SYSTEM\ControlSet006",1,"D:AR"
  274. "MACHINE\SYSTEM\ControlSet007",1,"D:AR"
  275. "MACHINE\SYSTEM\ControlSet008",1,"D:AR"
  276. "MACHINE\SYSTEM\ControlSet009",1,"D:AR"
  277. "MACHINE\SYSTEM\ControlSet010",1,"D:AR"
  279. "MACHINE\SYSTEM\CurrentControlSet\Control",2,"D:P(A;CI;GR;;;AU)(A;CI;GRGWSD;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  282. "MACHINE\SYSTEM\CurrentControlSet\Control\Class",0,"D:AR"
  283. "MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout",2,"D:(A;CI;GR;;;WD)"
  284. "MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts",2,"D:(A;CI;GR;;;WD)"
  285. "MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers",2,"D:P(A;CI;GR;;;AU)(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  286. "MACHINE\SYSTEM\CurrentControlSet\Control\LSA",2,"D:P(A;CI;GR;;;AU)(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  287. "MACHINE\SYSTEM\CurrentControlSet\Control\Network",2,"D:(A;CI;GRGWSD;;;NO)"
  288. "MACHINE\SYSTEM\CurrentControlSet\Control\PriorityControl",2,"D:P(A;CI;GR;;;AU)(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  289. "MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions",2,"D:P(A;CI;GR;;;AU)(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)"
  290. "MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg",2,"D:P(A;CI;GA;;;BA)(A;;GR;;;BO)(A;CI;GR;;;LS)"
  291. "MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Security",2,"D:P(A;CI;GR;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  293. "MACHINE\SYSTEM\CurrentControlSet\Enum",1,"D:AR"
  295. "MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles",1,"D:AR"
  297. ;Don't whack more restrictive security subkeys during DCPromo
  298. "MACHINE\SYSTEM\CurrentControlSet\Services",0,"D:P(A;CI;GR;;;AU)(A;CI;GRGWSD;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  299. "MACHINE\SYSTEM\CurrentControlSet\Services\EventLog",0,"D:P(A;CI;GR;;;AU)(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  300. "MACHINE\SYSTEM\CurrentControlSet\Services\KDC",0,"D:P(A;CI;GR;;;AU)(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  301. "MACHINE\SYSTEM\CurrentControlSet\Services\NTDS",0,"D:P(A;CI;GR;;;AU)(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  302. "MACHINE\SYSTEM\CurrentControlSet\Services\NTFRS",0,"D:P(A;CI;GR;;;AU)(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  303. "MACHINE\SYSTEM\CurrentControlSet\Services\SysmonLog\Log Queries",2,"D:(A;CI;GA;;;NS)"
  305. "MACHINE\SYSTEM\CurrentControlSet\Services\WinTrust",2,"D:P(A;CI;GR;;;AU)(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  307. "USERS\.DEFAULT",2,"D:P(A;CI;GR;;;AU)(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  308. "USERS\.DEFAULT\Software\Microsoft\NetDDE",2,"D:P(A;CI;GA;;;BA)(A;CI;GA;;;SY)"
  309. "USERS\.DEFAULT\SOFTWARE\Microsoft\Protected Storage System Provider",1,"D:AR"
  310. "USERS\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\ProtectedRoots",1,"D:AR"
  313. [File Security]
  315. ;---------------------------------------------------------------------------------------
  316. ;x86 Boot Files
  317. ;---------------------------------------------------------------------------------------
  318. @@:@i:"%BootDrive%\boot.ini",2,"D:P(A;;GRGWGXSD;;;SO)(A;;GA;;;BA)(A;;GA;;;SY)"
  319. @@:@i:"%BootDrive%\ntdetect.com",2,"D:P(A;;GRGWGXSD;;;SO)(A;;GA;;;BA)(A;;GA;;;SY)"
  320. @@:@i:"%BootDrive%\ntldr",2,"D:P(A;;GRGWGXSD;;;SO)(A;;GA;;;BA)(A;;GA;;;SY)"
  321. @@:@i:"%BootDrive%\ntbootdd.sys",2,"D:P(A;;GRGWGXSD;;;SO)(A;;GA;;;BA)(A;;GA;;;SY)"
  322. @@:@i:"%BootDrive%\autoexec.bat",2,"D:P(A;;GRGX;;;AU)(A;;GRGWGXSD;;;SO)(A;;GA;;;BA)(A;;GA;;;SY)"
  323. @@:@i:"%BootDrive%\config.sys",2,"D:P(A;;GRGX;;;AU)(A;;GRGWGXSD;;;SO)(A;;GA;;;BA)(A;;GA;;;SY)"
  325. ;---------------------------------------------------------------------------------------
  326. ;amd64 Boot Files
  327. ;---------------------------------------------------------------------------------------
  328. @@:@a:"%BootDrive%\boot.ini",2,"D:P(A;;GRGWGXSD;;;SO)(A;;GA;;;BA)(A;;GA;;;SY)"
  329. @@:@a:"%BootDrive%\ntdetect.com",2,"D:P(A;;GRGWGXSD;;;SO)(A;;GA;;;BA)(A;;GA;;;SY)"
  330. @@:@a:"%BootDrive%\ntldr",2,"D:P(A;;GRGWGXSD;;;SO)(A;;GA;;;BA)(A;;GA;;;SY)"
  332. ;SetupSecurity will contain the new root acl. Ignore docs and settings if it's reapplied (e.g. on conversion from FAT)
  333. "%SystemDrive%\Documents and Settings",1,"D:AR"
  335. ;---------------------------------------------------------------------------------------------
  336. ;ProgramFiles
  337. ;---------------------------------------------------------------------------------------------
  338. "%SceInfProgramFiles%",2,"D:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGWGXSD;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  340. ;---------------------------------------------------------------------------------------------
  341. ;System Root (Typically \WINDOWS)
  342. ;---------------------------------------------------------------------------------------------
  343. "%SystemRoot%",2,"D:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGWGXSD;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  345. ;Different from parent
  346. "%SystemRoot%\Debug\UserMode",2,"D:PAR(A;;0x00100023;;;AU)(A;OIIO;0x00100006;;;AU)(A;CIOI;GRGWGXSD;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)"
  347. "%SystemRoot%\AppPatch",2,"D:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  348. "%SystemRoot%\Driver Cache",2,"D:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  349. "%SystemRoot%\mui",2,"D:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  350. "%SystemRoot%\Resources",2,"D:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  351. "%SystemRoot%\repair",2,"D:P(A;CI;GRGX;;;AU)(A;CIOI;GRGWGXSD;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  352. "%SystemRoot%\security",2,"D:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)"
  353. "%SystemRoot%\Temp",2,"D:P(A;CI;0x100026;;;AU)(A;CIOI;GRGWGXSD;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  354. "%SystemRoot%\WinSxS",2,"D:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  356. ;Directories that did not exist when security applied during clean-install Server - Creator specifies directory security.
  357. ;We explicitly ignore so as not to whack the component-specified DIRECTORY security during DCPromo.
  358. ;Previous directory security should be compatible with DC's or component should reset during DCPromo.
  359. "%SystemRoot%\CSC",1,"D:AR"
  360. "%SystemRoot%\Installer",1,"D:AR"
  361. "%SystemRoot%\Prefetch",1,"D:AR"
  362. "%SystemRoot%\Profiles",1,"D:AR"
  363. "%SystemRoot%\repair",2,"D:P(A;CI;GRGX;;;AU)(A;CIOI;GRGWGXSD;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  364. "%SystemRoot%\security",2,"D:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)"
  365. "%SystemRoot%\TAPI",2,"D:P(A;CIOI;GR;;;BU)(A;CIOI;GRGWSD;;;PU)(A;CIOI;GA;;;NS)(A;CIOI;GA;;;LS)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  366. "%Systemroot%\tasks",1,"D:AR"
  368. ;---------------------------------------------------------------------------------------------
  369. ;System Directory (Typically \Windows\System32)
  370. ;---------------------------------------------------------------------------------------------
  371. "%SystemDirectory%",2,"D:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGWGXSD;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  373. ;Differences from parent
  374. "%SystemDirectory%\catroot",2,"D:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  375. "%SystemDirectory%\catroot2",2,"D:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  376. "%SystemDirectory%\config",2,"D:P(A;CI;GRGX;;;AU)(A;CI;GRGX;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  377. ;Profile for system account - moved from Docs and Settings in Whistler. Creator specifies security.
  378. "%SystemDirectory%\config\systemprofile",1,"D:P(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)"
  379. "%SystemDirectory%\dhcp",2,"D:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  380. "%SystemDirectory%\dllcache",2,"D:P(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)"
  381. "%SystemDirectory%\Export",2,"D:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  382. "%SystemDirectory%\GroupPolicy",2,"D:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  383. "%SystemDirectory%\ias",2,"D:P(A;CIOI;GRGWGXSD;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  384. "%SystemDirectory%\mui",2,"D:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  385. "%SystemDirectory%\spool",2,"D:(A;CIOI;GA;;;PO)"
  386. "%SystemDirectory%\spool\printers",2,"D:P(A;CI;DCLCSWWPLO;;;BU)(A;CI;DCLCSWWPLO;;;SO)(A;CIOI;GA;;;PO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  388. "%SystemDirectory%\Autoexec.nt",2,"D:P(A;;GRGX;;;AU)(A;;GRGWGXSD;;;SO)(A;;GA;;;BA)(A;;GA;;;SY)"
  389. "%SystemDirectory%\CMOS.RAM",2,"D:P(A;;GRGX;;;AU)(A;;GRGWGXSD;;;SO)(A;;GA;;;BA)(A;;GA;;;SY)"
  390. "%SystemDirectory%\Config.nt",2,"D:P(A;;GRGX;;;AU)(A;;GRGWGXSD;;;SO)(A;;GA;;;BA)(A;;GA;;;SY)"
  391. "%SystemDirectory%\Midimap.cfg",2,"D:P(A;;GRGX;;;AU)(A;;GRGWGXSD;;;SO)(A;;GA;;;BA)(A;;GA;;;SY)"
  393. ;Directories that did not exist when security applied during clean-install Server - Creator specifies directory security.
  394. ;We explicitly ignore so as not to whack the component-specified DIRECTORY security during DCPromo.
  395. ;Previous directory security should be compatible with DC's or component should reset during DCPromo.
  396. "%SystemDirectory%\appmgmt",1,"D:AR"
  397. "%SystemDirectory%\DTCLog",1,"D:AR"
  398. "%SystemDirectory%\msdtc",1,"D:AR"
  399. ;BugBug - Licensing service should use the Network Service profile directory - Remove the following line after B2.
  400. "%SystemDirectory%\LLS",1,"D:AR"
  401. "%SystemDirectory%\CPL.CFG",1,"D:AR"
  402. "%SystemDirectory%\NTMSData",1,"D:AR"
  403. "%SystemDirectory%\ReinstallBackups",1,"D:AR"
  404. "%SystemDirectory%\repl",1,"D:AR"
  405. "%SystemDirectory%\Setup",1,"D:AR"
  407. ;---------------------------------------------------------------------------------------------
  408. ;DS Data and Log Directories. Engine resolves via registry.
  409. ;---------------------------------------------------------------------------------------------
  410. ;Relying on fact that engine lets last one win when DSLog and DSDit are the same.
  411. "%DSDIT%",2,"D:P(A;CIOI;GA;;;SY)(A;CIOI;GA;;;BA)"
  412. "%DSLOG%",2,"D:P(A;CIOI;GA;;;SY)(A;CIOI;GA;;;BA)(A;OICIIO;GA;;;CO)(A;CI;0x100004;;;LS)"
  413. ;---------------------------------------------------------------------------------------------
  414. ;Sysvol. Engine resolves via registry.
  415. ;---------------------------------------------------------------------------------------------
  416. "%Sysvol%",2,"D:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  417. "%Sysvol%\domain\policies",2,"D:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)(A;CIOI;GRGWGXSD;;;PA)"