
  1. @*:This file defines default security settings.
  2. @*:Please do not edit. Instead, email kirksol with the requested change.
  3. @*:Thanks!
  4. ; (c) Microsoft Corporation 1997-2000
  5. ;
  6. ; Security Configuration Template for Security Configuration Manager
  7. ;
  8. ; Template Name: DefltWK.INF
  9. ; Template Version: 05.10.DP.0000
  10. ;
  11. ; Default Security for NT 5.1 Personal Edition.
  12. ; DefltP.INF is copied to DefltWK.INF on the Personal SKU as specified in Layout.inf for personal.
  ; Display name of this template in the Security Configuration Manager UI.
  ; %SCEDefltProfileDescription% is an INF string-table token; its text is
  ; expected to come from a [Strings] section later in the file (not shown here).
  13. [Profile Description]
  14. %SCEDefltProfileDescription%
  ; Standard INF header: $CHICAGO$ is the signature the INF parser expects;
  ; revision is this template's own revision number.
  15. [version]
  16. signature="$CHICAGO$"
  17. revision=1
  ; Account-policy and security-option settings applied to the local SAM/LSA.
  ; These are the XP Home (Personal SKU) defaults and are deliberately permissive;
  ; hardening templates typically tighten the password and lockout values below.
  18. [System Access]
  19. ;----------------------------------------------------------------
  20. ;Account Policies - Password Policy
  21. ;----------------------------------------------------------------
  ; Days a password must be kept before it may be changed again; 0 = no minimum.
  22. MinimumPasswordAge = 0
  ; Days until a password must be changed; -1 = passwords never expire.
  23. MaximumPasswordAge = -1
  ; Characters; 0 = blank passwords are allowed by policy (LimitBlankPasswordUse
  ; under [Registry Values] confines such accounts to console logon).
  24. MinimumPasswordLength = 0
  ; 1 = enforce the complexity filter (mixed character classes); 0 = off.
  25. PasswordComplexity = 0
  ; Number of previous passwords remembered to block reuse; 0 = none.
  26. PasswordHistorySize = 0
  ; 1 = an expired password can only be changed after a successful logon.
  27. RequireLogonToChangePassword = 0
  ; 1 = store passwords with reversible encryption; 0 = store hashes only.
  28. ClearTextPassword = 0
  ; 1 = allow anonymous SID-to-name translation; 0 = disallow.
  29. LSAAnonymousNameLookup = 0
  ; 1 = Guest account enabled; 0 = disabled.
  30. EnableGuestAccount = 0
  31. ;----------------------------------------------------------------
  32. ;Account Policies - Lockout Policy
  33. ;----------------------------------------------------------------
  ; Failed logon attempts before lockout; 0 = account lockout disabled.
  34. LockoutBadCount = 0
  ; The two values below (minutes) only take effect when LockoutBadCount > 0,
  ; which is why they are left unset here.
  35. ;ResetLockoutCount = 30
  36. ;LockoutDuration = 30
  37. ;----------------------------------------------------------------
  38. ;Local Policies - Security Options
  39. ;----------------------------------------------------------------
  ; Keys that only apply to domain controllers are listed for reference, not set.
  40. ;DC Only
  41. ;ForceLogoffWhenHourExpire = 0
  42. ;NewAdministratorName =
  43. ;NewGuestName =
  44. ;SecureSystemPartition
  45. ;----------------------------------------------------------------
  46. ;Event Log - Log Settings
  47. ;----------------------------------------------------------------
  ; Legend for AuditLogRetentionPeriod in the three log sections that follow.
  48. ;Audit Log Retention Period:
  49. ;0 = Overwrite Events As Needed
  50. ;1 = Overwrite Events As Specified by Retention Days Entry
  51. ;2 = Never Overwrite Events (Clear Log Manually)
  ; System event log. MaximumLogSize is in kilobytes. The two tagged lines are
  ; build-time alternatives: the @@:@3: / @@:@6: prefixes are consumed by the
  ; source filter and only one line survives in the shipped file (the tags
  ; presumably select the 32-bit and 64-bit builds - confirm against the filter).
  52. [System Log]
  53. @@:@3:MaximumLogSize = 512
  54. @@:@6:MaximumLogSize = 2048
  ; 0 = overwrite events as needed (see the legend above).
  55. AuditLogRetentionPeriod = 0
  ; 1 = members of the local Guests group cannot read this log.
  56. RestrictGuestAccess = 1
  ; Security event log (where the [Event Audit] categories below are written).
  ; MaximumLogSize is in kilobytes.
  57. [Security Log]
  58. MaximumLogSize = 512
  ; 0 = overwrite events as needed; on a full log older audit records are lost
  ; rather than the system halting (see CrashOnAuditFail under [Registry Values]).
  59. AuditLogRetentionPeriod = 0
  ; 1 = members of the local Guests group cannot read this log.
  60. RestrictGuestAccess = 1
  ; Application event log. MaximumLogSize is in kilobytes.
  61. [Application Log]
  62. MaximumLogSize = 512
  ; 0 = overwrite events as needed (see the legend above).
  63. AuditLogRetentionPeriod = 0
  ; 1 = members of the local Guests group cannot read this log.
  64. RestrictGuestAccess = 1
  65. ;----------------------------------------------------------------------
  66. ; Local Policies\Audit Policy
  67. ;----------------------------------------------------------------------
  ; Each value is a bitmask: 0 = no auditing, 1 = audit success, 2 = audit
  ; failure, 3 = audit both. The categories left at 0 (object access, privilege
  ; use, process tracking) are the high-volume ones; object access additionally
  ; needs a SACL on each object before anything is logged.
  68. [Event Audit]
  69. AuditSystemEvents = 3
  70. AuditObjectAccess = 0
  71. AuditPrivilegeUse = 0
  72. AuditPolicyChange = 3
  73. AuditAccountManage = 3
  74. AuditProcessTracking = 0
  ; Account logon = credential validation events; logon events = session logon/logoff.
  75. AuditAccountLogon = 3
  76. AuditLogonEvents = 3
  77. ;----------------------------------------------------------------
  78. ;Registry Values
  79. ;----------------------------------------------------------------
  ; Security-option settings that SCE writes directly to the registry.
  ; Every entry is "MACHINE\<path>\<value>=<type>,<data>" using the type codes
  ; in the legend below; MACHINE maps to HKEY_LOCAL_MACHINE.
  80. [Registry Values]
  81. ; Registry value name in full path = Type, Value
  82. ; REG_SZ ( 1 )
  83. ; REG_EXPAND_SZ ( 2 ) // with environment variables to expand
  84. ; REG_BINARY ( 3 )
  85. ; REG_DWORD ( 4 )
  86. ; REG_MULTI_SZ ( 7 )
  ; 0 = do not audit access to global system objects.
  87. MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects=4,0
  ; 0 = keep running when the security log cannot be written (1 would halt the system).
  88. MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail=4,0
  ; 0 = storing credentials for network authentication is permitted.
  89. MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds=4,0
  ; 0 = anonymous logons are NOT part of Everyone (the safer setting).
  90. MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,0
  ; 0 = FIPS-compliant algorithms are not enforced for encryption/signing.
  91. MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy=4,0
  ; 1 = "Guest only" sharing model: network logons with local credentials are
  ; authorized as Guest regardless of the account presented (XP Home default).
  92. MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest=4,1
  ; REG_BINARY 0 = do not audit use of the Backup and Restore privileges.
  93. MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing=3,0
  ; 1 = accounts with blank passwords may only log on at the console, not over the network.
  94. MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
  ; 0 = send LM and NTLM responses, never NTLMv2; the weakest level, later
  ; hardening guidance raises it.
  95. MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,0
  ; 0 = no minimum NTLM SSP session security (integrity/confidentiality) required.
  96. MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec=4,0
  97. MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec=4,0
  ; 0 = the LAN Manager hash is still stored at the next password change.
  98. MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,0
  ; 1 = objects created by Administrators members are owned by the creator, not the group.
  99. MACHINE\System\CurrentControlSet\Control\Lsa\NoDefaultAdminOwner=4,1
  ; 0 = anonymous enumeration of shares is not blocked; RestrictAnonymousSAM=1
  ; still blocks anonymous enumeration of SAM accounts.
  100. MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
  101. MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
  102. ;Domain Controllers Only
  103. ;MACHINE\System\CurrentControlSet\Control\Lsa\SubmitControl=4,0
  ; 0 = users are not prevented from installing printer drivers.
  104. MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers=4,0
  ; 1 = require case-insensitive object names for non-Windows subsystems.
  105. MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive=4,1
  ; 0 = the pagefile is not cleared at shutdown.
  106. MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,0
  ; 1 = strengthened default permissions on internal system objects (e.g. DOS device names).
  107. MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode=4,1
  ; SMB server: 0/0 = signing neither offered nor required, so inbound SMB
  ; sessions to this host are unsigned.
  108. MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,0
  109. MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,0
  ; 1 = disconnect clients when their logon hours expire.
  110. MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogOff=4,1
  ; Minutes of idle time before an SMB session is suspended.
  111. MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect=4,15
  ; SMB client: signs when the server agrees (1) but does not require it (0).
  112. MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature=4,1
  113. MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature=4,0
  ; 0 = never send unencrypted passwords to third-party SMB servers.
  114. MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword=4,0
  ; 1 = LDAP client negotiates signing (2 would require it).
  115. MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity=4,1
  ; Secure-channel (machine account) settings, relevant once the machine is domain-joined:
  ; password changes allowed, rotated every 30 days, channel signed and sealed,
  ; sign-or-seal required, strong (Windows 2000+) session key not required.
  116. MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange=4,0
  117. MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge=4,30
  118. MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel=4,1
  119. MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel=4,1
  120. MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal=4,1
  121. MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey=4,0
  122. ;Potential to take on different values during and after setup
  123. ;MACHINE\Software\Microsoft\Driver Signing\Policy=3,1
  124. ;MACHINE\Software\Microsoft\Non-Driver Signing\Policy=3,0
  125. ;MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,1
  ; 0 = the last logged-on user name is shown on the logon screen.
  126. MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,0
  ; Empty caption/text = no pre-logon legal notice banner.
  127. MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption=1,""
  128. MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=7,""
  ; 1 = shutdown and undock are allowed from the logon screen without logging on.
  129. MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon=4,1
  130. MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UndockWithoutLogon=4,1
  ; Recovery Console: 0 = administrator password required (no automatic admin
  ; logon); SET command (floppy copy / all-drive access) disabled.
  131. MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel=4,0
  132. MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand=4,0
  ; REG_SZ "0": CD-ROM and floppy access are not restricted to the interactive
  ; user; AllocateDASD "0" = only Administrators may format/eject removable media.
  133. MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms=1,0
  134. MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD=1,0
  135. MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies=1,0
  ; REG_SZ: number of domain logons cached locally for use when no DC is reachable.
  136. MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,10
  ; 0 = unlocking the workstation does not require revalidation against a DC.
  137. MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon=4,0
  ; Days before expiry at which the password-expiry warning is shown.
  138. MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning=4,14
  ; REG_SZ "0": no action when a smart card is removed.
  139. MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption=1,0
  140. ;----------------------------------------------------------------------
  141. ; Privileges & Rights
  142. ;----------------------------------------------------------------------
  ; Legend: well-known SIDs used below, written as *S-1-<authority>-<RID>.
  143. ;
  144. ;World S-1-1-0
  145. ;
  146. ;NT Authority S-1-5
  147. ;LOCAL_SERVICE 19
  148. ;NETWORK_SERVICE 20
  149. ;
  150. ;Built-In Domain SubAuthority = S-1-5-32
  151. ;ADMINISTRATORS 544
  152. ;USERS 545
  153. ;GUESTS 546
  154. ;POWER_USERS 547
  155. ;ACCOUNT_OPS 548
  156. ;SYSTEM_OPS 549
  157. ;PRINT_OPS 550
  158. ;BACKUP_OPS 551
  159. ;REPLICATOR 552
  160. ;RAS_SERVERS 553
  161. ;PREW2KCOMPACCESS 554
  162. ;REMOTE_DESKTOP_USERS 555
  163. ;NETWORK_CONFIGURATION_OPS 556
  164. ;
  ; Each entry lists every account holding the right: *S-1-... are literal SIDs
  ; (legend above), %SceInf...% tokens are string-table names resolved when the
  ; template is applied. An empty value means no account holds the right.
  ; SeDeny* rights override the matching allow right, so %SceInfGuest% appearing
  ; in both the allow and deny lists for interactive and network logon leaves
  ; Guest denied both.
  165. [Privilege Rights]
  ; Replace process token / generate audits: the two service accounts only.
  166. SeAssignPrimaryTokenPrivilege = *S-1-5-19, *S-1-5-20
  167. SeAuditPrivilege = *S-1-5-19, *S-1-5-20
  168. SeBatchLogonRight =
  169. SeBackupPrivilege = *S-1-5-32-544
  ; Bypass traverse checking: Administrators, Users and Everyone.
  170. SeChangeNotifyPrivilege = *S-1-5-32-544, *S-1-5-32-545, *S-1-1-0
  171. SeCreatePagefilePrivilege = *S-1-5-32-544
  172. SeCreatePermanentPrivilege =
  173. SeCreateTokenPrivilege =
  ; Debug programs: Administrators only.
  174. SeDebugPrivilege = *S-1-5-32-544
  175. SeIncreaseBasePriorityPrivilege = *S-1-5-32-544
  176. SeIncreaseQuotaPrivilege = *S-1-5-32-544, *S-1-5-19, *S-1-5-20
  ; Local (console) logon; Guest is listed here but denied below.
  177. SeInteractiveLogonRight = *S-1-5-32-544, *S-1-5-32-545, %SceInfGuest%
  178. SeLoadDriverPrivilege = *S-1-5-32-544
  179. SeLockMemoryPrivilege =
  180. SeMachineAccountPrivilege =
  181. SeManageVolumePrivilege = *S-1-5-32-544
  ; Network logon; Guest is listed here but denied below (see also ForceGuest
  ; under [Registry Values]).
  182. SeNetworkLogonRight = %SceInfGuest%, *S-1-5-32-545
  183. SeProfileSingleProcessPrivilege = *S-1-5-32-544
  ; Remote Desktop logon: Administrators only.
  184. SeRemoteInteractiveLogonRight = *S-1-5-32-544
  185. SeRemoteShutdownPrivilege = *S-1-5-32-544
  186. SeRestorePrivilege = *S-1-5-32-544
  ; Manage auditing and the security log: Administrators only.
  187. SeSecurityPrivilege = *S-1-5-32-544
  188. SeServiceLogonRight =
  189. SeShutdownPrivilege = *S-1-5-32-544, *S-1-5-32-545
  190. SeSystemEnvironmentPrivilege = *S-1-5-32-544
  191. SeSystemProfilePrivilege = *S-1-5-32-544
  192. SeSystemTimePrivilege = *S-1-5-32-544
  193. SeTakeOwnershipPrivilege = *S-1-5-32-544
  ; Act as part of the operating system: granted to no one.
  194. SeTcbPrivilege =
  195. ;
  ; Explicit denies; these win over the allow lists above.
  196. SeDenyInteractiveLogonRight = %SceInfGuest%
  197. SeDenyBatchLogonRight =
  198. SeDenyServiceLogonRight =
  199. SeDenyNetworkLogonRight = %SceInfGuest%
  200. SeDenyRemoteInteractiveLogonRight =
  201. ;
  202. SeUndockPrivilege = *S-1-5-32-544, *S-1-5-32-545
  203. SeSyncAgentPrivilege =
  204. SeEnableDelegationPrivilege =
  ; Restricted-groups entries: <group>__Memberof lists the groups the named group
  ; must belong to; <group>__Members lists the only members it may have (anything
  ; else is removed when the template is applied). Here the Users group belongs
  ; to nothing and contains exactly the two string-table tokens, presumably
  ; Authenticated Users and INTERACTIVE.
  205. [Group Membership]
  206. %SceInfUsers%__Memberof =
  207. %SceInfUsers%__Members = %SceInfAuthUsers%,%SceInfInteractive%
  ; Format: ServiceName,StartupMode,"SDDL security descriptor".
  ; StartupMode: 2 = automatic, 3 = manual, 4 = disabled.
  ; SDDL: D: introduces the DACL, S: the SACL. (A;;rights;;;trustee) = allow ACE;
  ; (AU;FA;rights;;;trustee) = audit failed access. Trustees: AU = Authenticated
  ; Users, BA = Administrators, BU = Users, IU = INTERACTIVE, SY = LocalSystem,
  ; NO = Network Configuration Operators, NS = Network Service, WD = Everyone
  ; (in the rights field WD instead means write-DAC).
  ; Service rights: CC = query config, DC = change config, LC = query status,
  ; SW = enumerate dependents, RP = start, WP = stop, DT = pause/continue,
  ; LO = interrogate, CR = user-defined control, SD = delete, RC = read control,
  ; WO = write owner.
  ; Net effect of the common descriptor: Authenticated Users may only query and
  ; interrogate; start/stop and reconfiguration are limited to Administrators and
  ; LocalSystem. Power Users (PU) are deliberately absent, per the note below.
  208. [Service General Setting]
  209. ;Note - SCECLI is hooked so that startup mode is not configured during setup or dcpromo
  210. ;autostarted on workstations and servers, standalone or joined - Remove PU ability to stop\start.
  211. Browser,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  ; Dhcp and Dnscache additionally let Network Configuration Operators (NO) start/stop/reconfigure.
  212. Dhcp,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRRC;;;NO)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  213. TrkWks,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  214. Dnscache,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRRC;;;NO)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  215. Eventlog,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  216. PolicyAgent,2,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  217. dmserver,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  218. Messenger,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  219. PlugPlay,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  220. Spooler,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  221. ProtectedStorage,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  ; RpcSs and SamSs grant INTERACTIVE and Users the start right (RP) in place of the SY ACE.
  222. RpcSs,2,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLO;;;IU)(A;;CCLCSWRPLO;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  223. NtmsSvc,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  224. seclogon,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  225. SamSs,2,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLO;;;IU)(A;;CCLCSWRPLO;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  226. lanmanserver,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  227. SENS,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  228. Schedule,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  229. LmHosts,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  230. LanmanWorkstation,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  ; Remote Registry is auto-started; who may actually connect is governed by the
  ; winreg key ACL under [Registry Keys].
  231. RemoteRegistry,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  ; Manual-start services whose DACL is still set explicitly.
  232. ;Not autostarted, but non-default DACL - Remove PU ability to change template
  233. ClipSrv,3,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLO;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  234. NetDDE,3,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLO;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  235. NetDDEdsdm,3,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLO;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  236. AppMgmt,3,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLO;;;IU)(A;;CCLCSWRPLO;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  ; EventSystem is the one entry where Authenticated Users may start the service (RP).
  237. EventSystem,3,"D:(A;;CCLCSWRPLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  238. ;Not autostarted if machine is standalone
  239. Netlogon,3,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  240. W32Time,3,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLO;;;IU)(A;;CCLCSWRPLO;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  ; The remaining entries are kept commented out as reference descriptors for
  ; services this SKU does not configure.
  241. ;Not autostarted if Wksta
  242. ;Alerter,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  243. ;MSDTC,2,"D:(A;;CCLCSWRPLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLORC;;;NS)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  244. ;Server Only Services
  245. ;Dfs,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  246. ;LicenseService,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  247. ;SMTPSVC,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  248. ;IIS Specific Services - Leave them alone
  249. ;IISADMIN,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  250. ;W3SVC,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  251. ;MSFTPSVC,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  ; Format: "key",mode,"SDDL". mode: 1 = ignore (leave the existing ACL alone;
  ; always paired with the placeholder "D:AR" here), 2 = replace the ACL on the
  ; key and all subkeys, 0 = presumably configure the key and propagate
  ; inheritable ACEs (confirm against SCE docs; used once, for Control\Class).
  ; SDDL flags: D:P = protected DACL (no inheritance from the parent), D:AR =
  ; auto-inherit required, CI/OI/IO = container/object/inherit-only, GA/GR/GW/GX
  ; = generic all/read/write/execute, SD = delete. Trustees: BA = Administrators,
  ; BU = Users, PU = Power Users, SY = LocalSystem, CO = Creator Owner,
  ; IU = INTERACTIVE, LS = Local Service, NS = Network Service, WD = Everyone.
  ; Baseline for the hives: Users read, Administrators/System/Creator Owner full,
  ; no inheritance from above.
  252. [Registry Keys]
  253. "MACHINE\Software",2,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  254. ;Same as parent, but this is the target of a symlink - set explicitly.
  255. "MACHINE\SOFTWARE\Classes",2,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  ; Smart-card resource manager state: Local Service may read/write/delete.
  256. "MACHINE\SOFTWARE\Microsoft\Cryptography\Calais",2,"D:AR(A;CI;GRGWSD;;;LS)"
  ; NetDDE configuration: no read access for ordinary Users.
  257. "MACHINE\SOFTWARE\Microsoft\NetDDE",2,"D:P(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  ; Protected Storage (credential store) ACL is owned by its component; left alone.
  258. "MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider",1,"D:AR"
  259. ;The following keys do not exist when we run
  260. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy",1,"D:AR"
  261. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer",1,"D:AR"
  262. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies",1,"D:AR"
  263. "MACHINE\SOFTWARE\Microsoft\MSDTC",1,"D:AR"
  ; Telephony: Power Users may modify/delete; both service accounts get full control.
  264. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony",2,"D:P(A;CIOI;GR;;;BU)(A;CIOI;GRGWSD;;;PU)(A;CIOI;GA;;;NS)(A;CIOI;GA;;;LS)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  ; Performance counters: readable by INTERACTIVE and Network Service, not Users at large.
  265. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib",2,"D:P(A;CI;GR;;;IU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GR;;;NS)"
  266. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\009",1,"D:AR"
  267. "MACHINE\System",2,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  ; Alternate/backup control sets are not re-ACLed.
  268. "MACHINE\SYSTEM\Clone",1,"D:AR"
  269. "MACHINE\SYSTEM\ControlSet001",1,"D:AR"
  270. "MACHINE\SYSTEM\ControlSet002",1,"D:AR"
  271. "MACHINE\SYSTEM\ControlSet003",1,"D:AR"
  272. "MACHINE\SYSTEM\ControlSet004",1,"D:AR"
  273. "MACHINE\SYSTEM\ControlSet005",1,"D:AR"
  274. "MACHINE\SYSTEM\ControlSet006",1,"D:AR"
  275. "MACHINE\SYSTEM\ControlSet007",1,"D:AR"
  276. "MACHINE\SYSTEM\ControlSet008",1,"D:AR"
  277. "MACHINE\SYSTEM\ControlSet009",1,"D:AR"
  278. "MACHINE\SYSTEM\ControlSet010",1,"D:AR"
  279. "MACHINE\SYSTEM\CurrentControlSet\Control\Class",0,"D:AR"
  ; Keyboard layout tables must be readable by every logon session, including anonymous.
  280. "MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout",2,"D:(A;CI;GR;;;WD)"
  281. "MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts",2,"D:(A;CI;GR;;;WD)"
  ; This ACL decides who may open the registry remotely (Remote Registry service):
  ; Administrators full, Local Service read-only, nobody else.
  282. "MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg",2,"D:P(A;CI;GA;;;BA)(A;CI;GR;;;LS)"
  ; WMI security descriptors: Administrators may only read; System/Creator Owner full.
  283. "MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Security",2,"D:P(A;CI;GR;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  284. "MACHINE\SYSTEM\CurrentControlSet\Enum",1,"D:AR"
  285. "MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles",1,"D:AR"
  ; Per-service Security subkeys hold the service's security descriptor; restrict
  ; them to Administrators and System with no inheritance so Users cannot read
  ; or alter them. The IASJet line is build-filtered by its @@:@6: tag.
  286. ;Set security subkey permissions for those services created via default hives
  287. "MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  288. "MACHINE\SYSTEM\CurrentControlSet\Services\ClipSrv\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  289. "MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  290. "MACHINE\SYSTEM\CurrentControlSet\Services\ERSvc\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  291. "MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  292. @@:@6:"MACHINE\SYSTEM\CurrentControlSet\Services\IASJet\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  293. "MACHINE\SYSTEM\CurrentControlSet\Services\NetDDE\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  294. "MACHINE\SYSTEM\CurrentControlSet\Services\NetDDEdsdm\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  295. "MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  296. "MACHINE\SYSTEM\CurrentControlSet\Services\Samss\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  297. "MACHINE\SYSTEM\CurrentControlSet\Services\ScardDrv\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  298. "MACHINE\SYSTEM\CurrentControlSet\Services\SCardSvr\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  299. "MACHINE\SYSTEM\CurrentControlSet\Services\TapiSrv\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  300. "MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  301. ;Set security subkey permissions for those services created in GUI-mode setup before SCE runs
  302. "MACHINE\SYSTEM\CurrentControlSet\Services\IREnum\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  303. "MACHINE\SYSTEM\CurrentControlSet\Services\STISvc\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  304. "MACHINE\SYSTEM\CurrentControlSet\Services\WMI\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  ; Performance-log query definitions: Network Service full control, inherited by subkeys.
  305. "MACHINE\SYSTEM\CurrentControlSet\Services\SysmonLog\Log Queries",2,"D:(A;CI;GA;;;NS)"
  ; Default user hive, same baseline as the machine hives; NetDDE and the two
  ; credential/certificate stores under it are again left to their owners.
  306. "USERS\.DEFAULT",2,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  307. "USERS\.DEFAULT\Software\Microsoft\NetDDE",2,"D:P(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  308. "USERS\.DEFAULT\SOFTWARE\Microsoft\Protected Storage System Provider",1,"D:AR"
  309. "USERS\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\ProtectedRoots",1,"D:AR"
  310. [File Security]
  311. ;---------------------------------------------------------------------------------------
  312. ;x86 Boot Files
  313. ;---------------------------------------------------------------------------------------
  314. @@:@i:"%BootDrive%\boot.ini",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  315. @@:@i:"%BootDrive%\ntdetect.com",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  316. @@:@i:"%BootDrive%\ntldr",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  317. @@:@i:"%BootDrive%\ntbootdd.sys",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  318. @@:@i:"%BootDrive%\autoexec.bat",2,"D:P(A;;GRGX;;;BU)(A;;GA;;;BA)(A;;GA;;;SY)"
  319. @@:@i:"%BootDrive%\config.sys",2,"D:P(A;;GRGX;;;BU)(A;;GA;;;BA)(A;;GA;;;SY)"
  320. ;---------------------------------------------------------------------------------------
  321. ;amd64 Boot Files
  322. ;---------------------------------------------------------------------------------------
  323. @@:@a:"%BootDrive%\boot.ini",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  324. @@:@a:"%BootDrive%\ntdetect.com",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  325. @@:@a:"%BootDrive%\ntldr",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  326. ;SetupSecurity will contain the new root acl. Ignore docs and settings if it's reapplied (e.g. on conversion from FAT)
  327. "%SystemDrive%\Documents and Settings",1,"D:AR"
  328. ;---------------------------------------------------------------------------------------------
  329. ;ProgramFiles
  330. ;---------------------------------------------------------------------------------------------
  331. "%SceInfProgramFiles%",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  332. ;---------------------------------------------------------------------------------------------
  333. ;System Root (Typically \WINDOWS)
  334. ;---------------------------------------------------------------------------------------------
  335. "%SystemRoot%",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  336. ;Differences from parent
  337. "%SystemRoot%\Debug\UserMode",2,"D:PAR(A;;0x00100023;;;BU)(A;OIIO;0x00100006;;;BU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)"
  338. "%SystemRoot%\repair",2,"D:P(A;CI;GRGX;;;BU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  339. "%SystemRoot%\Temp",2,"D:P(A;CI;0x100026;;;BU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  340. ;Directories that do not exist when security applied during clean-install - Creator specifies directory security.
  341. ;We explicitly ignore so as not to whack the component-specified DIRECTORY security on upgrade or reapplication of defaults.
  342. "%SystemRoot%\CSC",1,"D:AR"
  343. "%SystemRoot%\Installer",1,"D:AR"
  344. "%SystemRoot%\Prefetch",1,"D:AR"
  345. "%SystemRoot%\Profiles",1,"D:AR"
  346. "%SystemRoot%\Registration",1,"D:AR"
  347. "%SystemRoot%\Tasks",1,"D:AR"
  348. ;Directories that do not exist when security applied during setup - Creator does not specify directory security.
  349. ;Creator should specify FILE security in optional component INF that gets applied on clean-install AND upgrade.
  350. ;Omit (rather than ignore) to allow component-specified file security to be set on reapplication of defaults.
  351. ;Use MARTA (rather than omit) for any components that set protected run-time security.
  352. ;"%SystemRoot%\Downloaded Program Files",0,"D:AR"
  353. ;"%SystemRoot%\Offline Web Pages",0,"D:AR"
  354. ;"%SystemRoot%\IME",0,"D:AR"
  355. ;"%SystemRoot%\mww32",0,"D:AR"
  356. ;"%SystemRoot%\PCHEALTH",0,"D:AR"
  357. ;"%SystemRoot%\SchCache",0,"D:AR"
  358. ;"%SystemRoot%\srchasst",0,"D:AR"
  359. "%SystemDirectory%",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  360. ;Differences from parent
  361. "%SystemDirectory%\config",2,"D:P(A;CI;GRGX;;;BU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  362. ;Profile for system account - moved from Docs and Settings in Whistler. Creator specifies security.
  363. "%SystemDirectory%\config\systemprofile",1,"D:P(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)"
  364. "%SystemDirectory%\dllcache",2,"D:P(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  365. "%SystemDirectory%\ias",2,"D:P(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  366. ;So spooler can load drivers while impersonating the forced Guest
  367. "%SystemDirectory%\spool\drivers",2,"D:(A;CIOI;GRGX;;;WD)"
  368. ;Directories that do not exist when security applied during clean-install - Creator specifies directory security.
  369. ;We explicitly ignore so as not to whack the component-specified DIRECTORY security on upgrade or reapplication of defaults.
  370. "%SystemDirectory%\appmgmt",1,"D:AR"
  371. "%SystemDirectory%\DTCLog",1,"D:AR"
  372. "%SystemDirectory%\GroupPolicy",1,"D:AR"
  373. "%SystemDirectory%\msdtc",1,"D:AR"
  374. "%SystemDirectory%\NTMSData",1,"D:AR"
  375. "%SystemDirectory%\ReinstallBackups",1,"D:AR"
  376. "%SystemDirectory%\repl",1,"D:AR"
  377. "%SystemDirectory%\Setup",1,"D:AR"
  378. "%SystemDirectory%\spool\printers",1,"D:AR"
  379. ;Directories that do not exist when security applied during setup - Creator does not specify directory security.
  380. ;Creator should specify FILE security in optional component INF that gets applied on clean-install AND upgrade.
  381. ;Omit (rather than ignore) to allow component-specified file security to be set on reapplication of defaults.
  382. ;Use MARTA (rather than omit) for any components that set protected run-time security.
  383. ;"%SystemDirectory%\Cache",0,"D:AR"
  384. ;"%SystemDirectory%\Com",0,"D:AR"
  385. ;"%SystemDirectory%\clients",0,"D:AR"
  386. ;"%SystemDirectory%\inetsrv",0,"D:AR"
  387. ;"%SystemDirectory%\LogFiles",0,"D:AR"
  388. ;"%SystemDirectory%\Microsoft",0,"D:AR"
  389. ;"%SystemDirectory%\npp",0,"D:AR"
  390. ;"%SystemDirectory%\oobe",0,"D:AR"
  391. ;"%SystemDirectory%\restore",0,"D:AR"
  392. ;"%SystemDirectory%\reminst",0,"D:AR"
  393. ;"%SystemDirectory%\rocket",0,"D:AR"
  394. ;"%SystemDirectory%\usmt",0,"D:AR"