archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
8 Commits
1 Branch
0 Tags
2.0 GiB
Tree: 744f0b4006
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '744f0b4006'
${ noResults }
windows-xp/Source/XPSP1/NT/mergedcomponents/setupinfs/defltsv.inx

615 lines
38 KiB
Raw Normal View History

Add source files
4 years ago
  1. @*:This file defines default security settings.
  2. @*:Please do not edit. Instead, email kirksol with the requested change.
  3. @*:Thanks!
  4. ; (c) Microsoft Corporation 1997-2000
  5. ;
  6. ; Security Configuration Template for Security Configuration Editor
  7. ;
  8. ; Template Name: DefltSV.INF
  9. ; Template Version: 05.10.DS.0000
  10. ;
  11. ; Default Security For Windows NT 5.1 Server.
  13. [Profile Description]
  14. %SCEDefltSVProfileDescription%
  16. [version]
  17. signature="$CHICAGO$"
  18. revision=1
  21. [System Access]
  22. ;----------------------------------------------------------------
  23. ;Account Policies - Password Policy
  24. ;----------------------------------------------------------------
  25. MinimumPasswordAge = 0
  26. MaximumPasswordAge = 42
  27. MinimumPasswordLength = 0
  28. PasswordComplexity = 0
  29. PasswordHistorySize = 0
  30. RequireLogonToChangePassword = 0
  31. ClearTextPassword = 0
  33. ;----------------------------------------------------------------
  34. ;Account Policies - Lockout Policy
  35. ;----------------------------------------------------------------
  36. ;No Account Lockout
  37. LockoutBadCount = 0
  39. ;The following are not configured when No Account Lockout
  40. ;ResetLockoutCount = 30
  41. ;LockoutDuration = 30
  44. ;----------------------------------------------------------------
  45. ;Local Policies - Security Options
  46. ;----------------------------------------------------------------
  47. ;DC Only
  48. ;ForceLogoffWhenHourExpire = 0
  50. ;NewAdministatorName =
  51. ;NewGuestName =
  52. ;SecureSystemPartition
  54. ;----------------------------------------------------------------
  55. ;Event Log - Log Settings
  56. ;----------------------------------------------------------------
  57. ;Audit Log Retention Period:
  58. ;0 = Overwrite Events As Needed
  59. ;1 = Overwrite Events As Specified by Retention Days Entry
  60. ;2 = Never Overwrite Events (Clear Log Manually)
  62. [System Log]
  63. @@:@3:MaximumLogSize = 512
  64. @@:@6:MaximumLogSize = 2048
  65. AuditLogRetentionPeriod = 1
  66. RetentionDays = 7
  67. RestrictGuestAccess = 1
  69. [Security Log]
  70. MaximumLogSize = 512
  71. AuditLogRetentionPeriod = 1
  72. RetentionDays = 7
  73. RestrictGuestAccess = 1
  75. [Application Log]
  76. MaximumLogSize = 512
  77. AuditLogRetentionPeriod = 1
  78. RetentionDays = 7
  79. RestrictGuestAccess = 1
  81. ;----------------------------------------------------------------
  82. ;Local Policies - Audit Policy
  83. ;----------------------------------------------------------------
  85. [Event Audit]
  87. ;Auditing is Off by Default
  88. AuditAccountLogon = 0
  89. AuditAccountManage = 0
  90. AuditSystemEvents = 0
  91. AuditLogonEvents = 0
  92. AuditObjectAccess = 0
  93. AuditPrivilegeUse = 0
  94. AuditPolicyChange = 0
  95. AuditProcessTracking = 0
  96. ;AuditDSAccess = 0
  97. CrashOnAuditFull = 0
  99. ;----------------------------------------------------------------
  100. ;Registry Values
  101. ;----------------------------------------------------------------
  102. [Registry Values]
  103. ; Registry value name in full path = Type, Value
  104. ; REG_SZ ( 1 )
  105. ; REG_EXPAND_SZ ( 2 ) // with environment variables to expand
  106. ; REG_BINARY ( 3 )
  107. ; REG_DWORD ( 4 )
  108. ; REG_MULTI_SZ ( 7 )
  110. MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects=4,0
  111. MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail=4,0
  112. MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds=4,0
  113. MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,0
  114. MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest=4,0
  115. MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy=4,0
  116. MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing=3,0
  117. MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
  118. MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,0
  119. MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec=4,0
  120. MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec=4,0
  121. MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,0
  122. MACHINE\System\CurrentControlSet\Control\Lsa\NoDefaultAdminOwner=4,0
  123. MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
  124. MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,0
  126. ;Domain Controllers Only
  127. ;MACHINE\System\CurrentControlSet\Control\Lsa\SubmitControl=4,0
  129. MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers=4,1
  131. MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive=4,1
  132. MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,0
  133. MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode=4,1
  135. MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,0
  136. MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,0
  137. MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogOff=4,1
  138. MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect=4,15
  140. MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature=4,1
  141. MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature=4,0
  142. MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword=4,0
  144. MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity=4,1
  146. MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange=4,0
  147. MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge=4,30
  148. MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel=4,1
  149. MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel=4,1
  150. MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal=4,1
  151. MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey=4,0
  153. ;Potential to take on different values during and after setup
  154. ;MACHINE\Software\Microsoft\Driver Signing\Policy=3,1
  155. ;MACHINE\Software\Microsoft\Non-Driver Signing\Policy=3,0
  157. MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,0
  158. MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,0
  159. MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption=1,""
  160. MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=7,""
  161. MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon=4,0
  162. MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UndockWithoutLogon=4,1
  165. MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel=4,0
  166. MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand=4,0
  168. MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms=1,0
  169. MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD=1,0
  170. MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies=1,0
  171. MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,10
  172. MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon=4,0
  173. MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning=4,14
  174. MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption=1,0
  176. ;----------------------------------------------------------------------
  177. ; Privileges & Rights
  178. ;----------------------------------------------------------------------
  179. ;
  180. ;World S-1-1-0
  181. ;
  182. ;NT Authority S-1-5
  183. ;TERMINAL_SERVER 13
  184. ;LOCAL_SERVICE 19
  185. ;NETWORK_SERVICE 20
  186. ;
  187. ;Built-In Domain SubAuthority = S-1-5-32
  188. ;ADMINISTRATORS 544
  189. ;USERS 545
  190. ;GUESTS 546
  191. ;POWER_USERS 547
  192. ;ACCOUNT_OPS 548
  193. ;SYSTEM_OPS 549
  194. ;PRINT_OPS 550
  195. ;BACKUP_OPS 551
  196. ;REPLICATOR 552
  197. ;RAS_SERVERS 553
  198. ;PREW2KCOMPACCESS 554
  199. ;REMOTE_DESKTOP_USERS 555
  200. ;NETWORK_CONFIGURATION_OPS 556
  202. [Privilege Rights]
  203. SeAssignPrimaryTokenPrivilege = *S-1-5-19, *S-1-5-20
  204. SeAuditPrivilege = *S-1-5-19, *S-1-5-20
  205. SeBackupPrivilege = *S-1-5-32-544, *S-1-5-32-551
  206. SeBatchLogonRight =
  207. SeChangeNotifyPrivilege = *S-1-5-32-544, *S-1-5-32-551, *S-1-5-32-547, *S-1-5-32-545, *S-1-1-0
  208. SeCreatePagefilePrivilege = *S-1-5-32-544
  209. SeCreatePermanentPrivilege =
  210. SeCreateTokenPrivilege =
  211. SeDebugPrivilege = *S-1-5-32-544
  212. SeIncreaseBasePriorityPrivilege = *S-1-5-32-544
  213. SeIncreaseQuotaPrivilege = *S-1-5-32-544, *S-1-5-19, *S-1-5-20
  214. SeInteractiveLogonRight = *S-1-5-32-544, *S-1-5-32-551, *S-1-5-32-547, *S-1-5-32-545, %SceInfGuest%
  215. SeLoadDriverPrivilege = *S-1-5-32-544
  216. SeLockMemoryPrivilege =
  217. SeMachineAccountPrivilege =
  218. SeManageVolumePrivilege = *S-1-5-32-544
  219. SeNetworkLogonRight = *S-1-5-32-544, *S-1-5-32-551, *S-1-5-32-547, *S-1-5-32-545, *S-1-1-0
  220. SeProfileSingleProcessPrivilege = *S-1-5-32-544, *S-1-5-32-547
  221. SeRemoteInteractiveLogonRight = *S-1-5-32-544, *S-1-5-32-555
  222. SeRemoteShutdownPrivilege = *S-1-5-32-544
  223. SeRestorePrivilege = *S-1-5-32-544, *S-1-5-32-551
  224. SeSecurityPrivilege = *S-1-5-32-544
  225. SeServiceLogonRight =
  226. SeShutdownPrivilege = *S-1-5-32-544, *S-1-5-32-551, *S-1-5-32-547
  227. SeSystemEnvironmentPrivilege = *S-1-5-32-544
  228. SeSystemProfilePrivilege = *S-1-5-32-544
  229. SeSystemTimePrivilege = *S-1-5-32-544, *S-1-5-32-547
  230. SeTakeOwnershipPrivilege = *S-1-5-32-544
  231. SeTcbPrivilege =
  232. ;
  233. SeDenyInteractiveLogonRight =
  234. SeDenyBatchLogonRight =
  235. SeDenyServiceLogonRight =
  236. SeDenyNetworkLogonRight =
  237. SeDenyRemoteInteractiveLogonRight =
  238. ;
  239. SeUndockPrivilege = *S-1-5-32-544, *S-1-5-32-547, *S-1-5-32-545
  240. SeSyncAgentPrivilege =
  241. SeEnableDelegationPrivilege =
  244. [Group Membership]
  245. %SceInfUsers%__Memberof =
  246. %SceInfUsers%__Members = %SceInfAuthUsers%,%SceInfInteractive%
  248. [Service General Setting]
  249. ;Note - SCECLI is hooked so that startup mode is not configured during setup or dcpromo
  250. ;autostarted on workstations and servers, standalone or joined
  251. Browser,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  252. Dhcp,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRRC;;;NO)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  253. TrkWks,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  254. Dnscache,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRRC;;;NO)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  255. Eventlog,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  256. PolicyAgent,2,"D:(A;;CCLCSWLORC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  257. dmserver,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  258. Messenger,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  259. PlugPlay,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  260. Spooler,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  261. ProtectedStorage,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  262. RpcSs,2,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLORC;;;PU)(A;;CCLCSWRPLO;;;IU)(A;;CCLCSWRPLO;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  263. NtmsSvc,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  264. seclogon,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  265. SamSs,2,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLORC;;;PU)(A;;CCLCSWRPLO;;;IU)(A;;CCLCSWRPLO;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  266. lanmanserver,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  267. SENS,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  268. Schedule,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  269. LmHosts,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  270. LanmanWorkstation,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  271. RemoteRegistry,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  273. ;Not autostarted, but non-default DACL - Remove PU ability to change template
  274. ClipSrv,3,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLORC;;;PU)(A;;CCLCSWRPLO;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  275. NetDDE,3,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLORC;;;PU)(A;;CCLCSWRPLO;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  276. NetDDEdsdm,3,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLORC;;;PU)(A;;CCLCSWRPLO;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  277. AppMgmt,3,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLORC;;;PU)(A;;CCLCSWRPLO;;;IU)(A;;CCLCSWRPLO;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  278. EventSystem,3,"D:(A;;CCLCSWRPLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLORC;;;PU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  280. ;Not autostarted if machine is standalone
  281. Netlogon,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  282. W32Time,2,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLORC;;;PU)(A;;CCLCSWRPLO;;;IU)(A;;CCLCSWRPLO;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  284. ;Not autostarted if Wksta
  285. Alerter,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  286. MSDTC,2,"D:(A;;CCLCSWRPLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLORC;;;NS)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  288. ;Server Only Services
  289. Dfs,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  290. LicenseService,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  291. SMTPSVC,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  293. ;IIS Specific Services - Leave them alone
  294. ;IISADMIN,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  295. ;W3SVC,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  296. ;MSFTPSVC,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  299. [Registry Keys]
  301. "MACHINE\Software",2,"D:P(A;CI;GR;;;BU)(A;CI;GRGWSD;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GRGWSD;;;S-1-5-13)"
  303. ;Not same as parent, and this is the target of a symlink - set explicitly.
  304. "MACHINE\SOFTWARE\Classes",2,"D:P(A;CI;GR;;;BU)(A;CI;GRGWSD;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  305. "MACHINE\SOFTWARE\Classes\helpfile",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  306. "MACHINE\SOFTWARE\Classes\.hlp",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  308. "MACHINE\SOFTWARE\Microsoft\ADs\Providers\LDAP\Extensions",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  309. @@:@i:"MACHINE\SOFTWARE\Microsoft\ADs\Providers\NDS",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  310. @@:@i:"MACHINE\SOFTWARE\Microsoft\ADs\Providers\NWCOMPAT",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  311. "MACHINE\SOFTWARE\Microsoft\ADs\Providers\WinNT",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  313. "MACHINE\SOFTWARE\Microsoft\Command Processor",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  315. "MACHINE\SOFTWARE\Microsoft\Cryptography",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  316. "MACHINE\SOFTWARE\Microsoft\Cryptography\Calais",2,"D:AR(A;CI;GRGWSD;;;LS)"
  318. "MACHINE\SOFTWARE\Microsoft\Driver Signing",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  319. "MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  320. "MACHINE\SOFTWARE\Microsoft\Non-Driver Signing",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  321. "MACHINE\SOFTWARE\Microsoft\NetDDE",2,"D:P(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  322. "MACHINE\SOFTWARE\Microsoft\Ole",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  323. "MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider",1,"D:AR"
  324. "MACHINE\SOFTWARE\Microsoft\Rpc",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  325. "MACHINE\SOFTWARE\Microsoft\Secure",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  326. "MACHINE\SOFTWARE\Microsoft\SystemCertificates",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  328. "MACHINE\Software\Microsoft\Windows\CurrentVersion",2,"D:P(A;CI;GR;;;BU)(A;CI;GRGWSD;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  329. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  330. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  331. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  332. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  334. ;The following keys need to be writable by TERMINAL_SERVER_USER for App-Compat
  335. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths",2,"D:P(A;CI;GR;;;BU)(A;CI;GRGWSD;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GRGWSD;;;S-1-5-13)"
  336. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace",2,"D:P(A;CI;GR;;;BU)(A;CI;GRGWSD;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GRGWSD;;;S-1-5-13)"
  337. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks",2,"D:P(A;CI;GR;;;BU)(A;CI;GRGWSD;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GRGWSD;;;S-1-5-13)"
  338. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs",2,"D:P(A;CI;GR;;;BU)(A;CI;GRGWSD;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GRGWSD;;;S-1-5-13)"
  339. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",2,"D:P(A;CI;GR;;;BU)(A;CI;GRGWSD;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GRGWSD;;;S-1-5-13)"
  341. ;The following keys do not exist when we run.
  342. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy",1,"D:AR"
  343. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer",1,"D:AR"
  344. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies",1,"D:AR"
  345. "MACHINE\SOFTWARE\Microsoft\MSDTC",1,"D:AR"
  347. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony",2,"D:P(A;CIOI;GR;;;BU)(A;CIOI;GRGWSD;;;PU)(A;CIOI;GA;;;NS)(A;CIOI;GA;;;LS)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  349. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  350. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AEDebug",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GRGWSD;;;S-1-5-13)"
  351. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Asr\Commands",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  352. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Classes",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  353. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  354. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  355. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Font Drivers",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  356. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontMapper",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  357. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  358. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  359. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib",2,"D:P(A;CI;GR;;;IU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GR;;;NS)"
  360. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\009",1,"D:AR"
  361. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports",2,"D:P(A;CI;GR;;;BU)(A;CI;GRGWSD;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  362. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  363. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SecEdit",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  364. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  365. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  366. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  367. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  368. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  370. "MACHINE\SOFTWARE\Policies",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  373. "MACHINE\System",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  375. "MACHINE\SYSTEM\Clone",1,"D:AR"
  377. "MACHINE\SYSTEM\ControlSet001",1,"D:AR"
  378. "MACHINE\SYSTEM\ControlSet002",1,"D:AR"
  379. "MACHINE\SYSTEM\ControlSet003",1,"D:AR"
  380. "MACHINE\SYSTEM\ControlSet004",1,"D:AR"
  381. "MACHINE\SYSTEM\ControlSet005",1,"D:AR"
  382. "MACHINE\SYSTEM\ControlSet006",1,"D:AR"
  383. "MACHINE\SYSTEM\ControlSet007",1,"D:AR"
  384. "MACHINE\SYSTEM\ControlSet008",1,"D:AR"
  385. "MACHINE\SYSTEM\ControlSet009",1,"D:AR"
  386. "MACHINE\SYSTEM\ControlSet010",1,"D:AR"
  388. "MACHINE\SYSTEM\CurrentControlSet\Control\Class",0,"D:AR"
  390. "MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout",2,"D:(A;CI;GR;;;WD)"
  391. "MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts",2,"D:(A;CI;GR;;;WD)"
  392. "MACHINE\SYSTEM\CurrentControlSet\Control\Network",2,"D:(A;CI;GRGWSD;;;NO)"
  393. "MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg",2,"D:P(A;CI;GA;;;BA)(A;;GR;;;BO)(A;CI;GR;;;LS)"
  394. "MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Executive",2,"D:(A;CI;GRGWSD;;;PU)"
  395. "MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation",2,"D:(A;CI;GRGWSD;;;PU)"
  396. "MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Security",2,"D:P(A;CI;GR;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  398. ;Set security subkey permissions for those services created via default hives
  399. "MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  400. "MACHINE\SYSTEM\CurrentControlSet\Services\ClipSrv\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  401. "MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  402. "MACHINE\SYSTEM\CurrentControlSet\Services\ERSvc\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  403. "MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  404. @@:@6:"MACHINE\SYSTEM\CurrentControlSet\Services\IASJet\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  405. "MACHINE\SYSTEM\CurrentControlSet\Services\kdc\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  406. "MACHINE\SYSTEM\CurrentControlSet\Services\NetDDE\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  407. "MACHINE\SYSTEM\CurrentControlSet\Services\NetDDEdsdm\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  408. "MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  409. "MACHINE\SYSTEM\CurrentControlSet\Services\Samss\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  410. "MACHINE\SYSTEM\CurrentControlSet\Services\ScardDrv\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  411. "MACHINE\SYSTEM\CurrentControlSet\Services\SCardSvr\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  412. "MACHINE\SYSTEM\CurrentControlSet\Services\TapiSrv\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  413. "MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  415. ;Set security subkey permissions for those services created in GUI-mode setup before SCE runs
  416. "MACHINE\SYSTEM\CurrentControlSet\Services\IREnum\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  417. "MACHINE\SYSTEM\CurrentControlSet\Services\STISvc\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  418. "MACHINE\SYSTEM\CurrentControlSet\Services\WMI\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  420. "MACHINE\SYSTEM\CurrentControlSet\Services\SysmonLog\Log Queries",2,"D:(A;CI;GA;;;NS)"
  422. "MACHINE\SYSTEM\CurrentControlSet\Enum",1,"D:AR"
  424. "MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles",1,"D:AR"
  426. "USERS\.DEFAULT",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  427. "USERS\.DEFAULT\Software\Microsoft\NetDDE",2,"D:P(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  428. "USERS\.DEFAULT\SOFTWARE\Microsoft\Protected Storage System Provider",1,"D:AR"
  429. "USERS\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\ProtectedRoots",1,"D:AR"
  431. [File Security]
  433. ;---------------------------------------------------------------------------------------
  434. ;x86 Boot Files
  435. ;---------------------------------------------------------------------------------------
  436. @@:@i:"%BootDrive%\boot.ini",2,"D:P(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
  437. @@:@i:"%BootDrive%\ntdetect.com",2,"D:P(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
  438. @@:@i:"%BootDrive%\ntldr",2,"D:P(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
  439. @@:@i:"%BootDrive%\ntbootdd.sys",2,"D:P(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
  440. @@:@i:"%BootDrive%\autoexec.bat",2,"D:P(A;;GRGX;;;BU)(A;;GRGWGXSD;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
  441. @@:@i:"%BootDrive%\config.sys",2,"D:P(A;;GRGX;;;BU)(A;;GRGWGXSD;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
  443. ;---------------------------------------------------------------------------------------
  444. ;amd64 Boot Files
  445. ;---------------------------------------------------------------------------------------
  446. @@:@a:"%BootDrive%\boot.ini",2,"D:P(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
  447. @@:@a:"%BootDrive%\ntdetect.com",2,"D:P(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
  448. @@:@a:"%BootDrive%\ntldr",2,"D:P(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
  450. ;SetupSecurity will contain the new root acl. Ignore docs and settings if it's reapplied (e.g. on conversion from FAT)
  451. "%SystemDrive%\Documents and Settings",1,"D:AR"
  453. ;---------------------------------------------------------------------------------------------
  454. ;ProgramFiles
  455. ;---------------------------------------------------------------------------------------------
  456. "%SceInfProgramFiles%",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)(A;CIOI;GRGWGXSD;;;S-1-5-13)"
  458. ;---------------------------------------------------------------------------------------------
  459. ;System Root (Typically \WINDOWS)
  460. ;---------------------------------------------------------------------------------------------
  461. "%SystemRoot%",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  463. ;Directories that existed and inherited on NT4 out of the box.
  464. ;The text-mode files within these directories are individually secured below.
  465. ;Config, Cursors, Help, Media, Repair, System, Fonts, INF
  467. ;Directories that existed but did not inherit on NT4.
  468. "%SystemRoot%\repair",2,"D:P(A;CI;GRGX;;;BU)(A;CIOI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  470. ;Directories with a legacy history that now ship in the box.
  471. ;Allow Power User Modify on the directory, but Read Only to the files installed during setup.
  472. "%SystemRoot%\addins",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  473. "%SystemRoot%\Connection Wizard",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  474. "%SystemRoot%\java",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  475. "%SystemRoot%\msagent",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  476. "%SystemRoot%\security",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  477. "%SystemRoot%\speech",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  478. "%SystemRoot%\TAPI",2,"D:P(A;CIOI;GR;;;BU)(A;CIOI;GRGWSD;;;PU)(A;CIOI;GA;;;NS)(A;CIOI;GA;;;LS)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  479. "%SystemRoot%\twain_32",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  480. "%SystemRoot%\Web",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  482. ;Directories with a legacy history that no longer ship in the box
  483. "%SystemRoot%\speech",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  485. ;Directories with a legacy history being changed for security reasons
  486. "%SystemRoot%\Debug\UserMode",2,"D:PAR(A;;0x00100023;;;BU)(A;OIIO;0x00100006;;;BU)(A;CIOI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)"
  487. "%SystemRoot%\help",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)(A;CIOI;GRGWGX;;;S-1-5-13)"
  488. "%SystemRoot%\Temp",2,"D:P(A;CI;0x100026;;;BU)(A;CIOI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  490. ;Directories with no legacy to preserve. Power Users the same as Users
  491. "%SystemRoot%\AppPatch",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  492. "%SystemRoot%\Driver Cache",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  493. "%SystemRoot%\mui",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  494. "%SystemRoot%\Resources",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  495. "%SystemRoot%\Security",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  496. "%SystemRoot%\WinSxS",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  498. ;Directories that do not exist when security applied during clean-install - Creator specifies directory security.
  499. ;We explicitly ignore so as not to whack the component-specified DIRECTORY security on upgrade or reapplication of defaults.
  500. "%SystemRoot%\CSC",1,"D:AR"
  501. "%SystemRoot%\Installer",1,"D:AR"
  502. "%SystemRoot%\Prefetch",1,"D:AR"
  503. "%SystemRoot%\Profiles",1,"D:AR"
  504. "%SystemRoot%\Registration",1,"D:AR"
  505. "%SystemRoot%\Tasks",1,"D:AR"
  507. ;Directories that do not exist when security applied during setup - Creator does not specify directory security.
  508. ;Creator should specify FILE security in optional component INF that gets applied on clean-install AND upgrade.
  509. ;Omit (rather than ignore) to allow component-specified file security to be set on reapplication of defaults.
  510. ;Use MARTA (rather than omit) for any components that set protected run-time security.
  511. ;"%SystemRoot%\Downloaded Program Files",0,"D:AR"
  512. ;"%SystemRoot%\Offline Web Pages",0,"D:AR"
  513. ;"%SystemRoot%\IME",0,"D:AR"
  514. ;"%SystemRoot%\mww32",0,"D:AR"
  515. ;"%SystemRoot%\PCHEALTH",0,"D:AR"
  516. ;"%SystemRoot%\SchCache",0,"D:AR"
  517. ;"%SystemRoot%\srchasst",0,"D:AR"
  519. ;---------------------------------------------------------------------------------------------
  520. ;System Directory (Typically \Windows\System32)
  521. ;---------------------------------------------------------------------------------------------
  523. "%SystemDirectory%",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  525. ;Directories that existed and inherited on NT4 out of the box.
  526. ;The text-mode files within these directories are individually secured below.
  527. ;OS2, RAS, Spool, Viewers, WINS, Certsrv
  529. ;Directories that existed but did not inherit on NT4.
  530. "%SystemDirectory%\config",2,"D:P(A;CI;GRGX;;;BU)(A;CI;GRGX;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  531. ;Profile for system account - moved from Docs and Settings in Whistler. Creator specifies security.
  532. "%SystemDirectory%\config\systemprofile",1,"D:P(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)"
  533. "%SystemDirectory%\dhcp",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  534. "%SystemDirectory%\dllcache",2,"D:P(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  535. "%SystemDirectory%\drivers",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  537. ;Directories with a legacy history that now ship in the box.
  538. ;Allow Power User Modify on the directory, but Read Only to the files installed during setup.
  539. "%SystemDirectory%\ShellExt",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  540. "%SystemDirectory%\wbem",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  541. "%SystemDirectory%\wbem\mof",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  543. ;Directories with a legacy history that no longer ship in the box
  544. ;
  546. ;Directories with a legacy history being changed for security reasons
  547. "%SystemDirectory%\catroot",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  548. "%SystemDirectory%\catroot2",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  549. "%SystemDirectory%\ias",2,"D:P(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  551. ;Directories with no legacy to preserve. Power Users the same as Users
  552. "%SystemDirectory%\Export",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  553. "%SystemDirectory%\mui",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  555. ;Directories that do not exist when security applied during clean-install - Creator specifies directory security.
  556. ;We explicitly ignore so as not to whack the component-specified DIRECTORY security on upgrade or reapplication of defaults.
  557. "%SystemDirectory%\appmgmt",1,"D:AR"
  558. "%SystemDirectory%\DTCLog",1,"D:AR"
  559. "%SystemDirectory%\GroupPolicy",1,"D:AR"
  560. "%SystemDirectory%\msdtc",1,"D:AR"
  561. ;BugBug - Licensing service should use the Network Service profile directory - Remove the following line after B2.
  562. "%SystemDirectory%\LLS",1,"D:AR"
  563. "%SystemDirectory%\CPL.CFG",1,"D:AR"
  564. "%SystemDirectory%\NTMSData",1,"D:AR"
  565. "%SystemDirectory%\ReinstallBackups",1,"D:AR"
  566. "%SystemDirectory%\repl",1,"D:AR"
  567. "%SystemDirectory%\Setup",1,"D:AR"
  568. "%SystemDirectory%\spool\printers",1,"D:AR"
  570. ;Directories that do not exist when security applied during setup - Creator does not specify directory security.
  571. ;Creator should specify FILE security in optional component INF that gets applied on clean-install AND upgrade.
  572. ;Omit (rather than ignore) to allow component-specified file security to be set on reapplication of defaults.
  573. ;Use MARTA (rather than omit) for any components that set protected run-time security.
  574. ;"%SystemDirectory%\Cache",0,"D:AR"
  575. ;"%SystemDirectory%\clients",0,"D:AR"
  576. ;"%SystemDirectory%\Com",0,"D:AR"
  577. ;"%SystemDirectory%\inetsrv",0,"D:AR"
  578. ;"%SystemDirectory%\LogFiles",0,"D:AR"
  579. ;"%SystemDirectory%\Microsoft",0,"D:AR"
  580. ;"%SystemDirectory%\netmon",0,"D:AR"
  581. ;"%SystemDirectory%\npp",0,"D:AR"
  582. ;"%SystemDirectory%\oobe",0,"D:AR"
  583. ;"%SystemDirectory%\restore",0,"D:AR"
  584. ;"%SystemDirectory%\reminst",0,"D:AR"
  585. ;"%SystemDirectory%\rocket",0,"D:AR"
  586. ;"%SystemDirectory%\usmt",0,"D:AR"
  588. ;-----------------------------------------------------------------------------------------
  589. ;Individual File Settings.
  590. ;So that Power User Modify is not inherited from parent.
  591. ;-----------------------------------------------------------------------------------------
  592. "%Systemroot%\*",2,"D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
  593. Exception="win.ini"
  594. "%Systemroot%\System\*",2,"D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
  595. "%Systemroot%\Inf\*",2,"D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
  596. Exception="msmail.inf"
  597. "%Systemroot%\Help\*",2,"D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
  598. "%Systemroot%\Fonts\*",2,"D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
  599. "%Systemroot%\Config\*",2,"D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
  600. "%Systemroot%\Media\*",2,"D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
  601. "%Systemroot%\Cursors\*",2,"D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
  602. "%Systemdirectory%\hal.dll",2,"D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
  603. "%Systemdirectory%\spoolss.dll",2,"D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
  604. "%Systemdirectory%\*",2,"D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
  605. Exception="autoexec.nt"
  606. Exception="cmos.ram"
  607. Exception="config.nt"
  608. Exception="hpmon.dll"
  609. Exception="hpmon.hlp"
  610. Exception="localmon.dll"
  611. Exception="midimap.cfg"
  612. "%Systemdirectory%\OS2\*",2,"D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
  613. "%Systemdirectory%\OS2\DLL\*",2,"D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
  614. "%Systemdirectory%\RAS\*",2,"D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
  615. "%Systemdirectory%\Viewers\*",2,"D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"