archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
8 Commits
1 Branch
0 Tags
2.0 GiB
Tree: 744f0b4006
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '744f0b4006'
${ noResults }
windows-xp/Source/XPSP1/NT/mergedcomponents/setupinfs/defltwk.inx

599 lines
37 KiB
Raw Normal View History

Add source files
4 years ago
  1. @*:This file defines default security settings.
  2. @*:Please do not edit. Instead, email kirksol with the requested change.
  3. @*:Thanks!
  4. ; (c) Microsoft Corporation 1997-2000
  5. ;
  6. ; Security Configuration Template for Security Configuration Editor
  7. ;
  8. ; Template Name: DefltWK.INF
  9. ; Template Version: 05.10.DW.0000
  10. ;
  11. ; Default Security for Windows NT 5.1 Professional
  13. [Profile Description]
  14. %SCEDefltWKProfileDescription%
  16. [version]
  17. signature="$CHICAGO$"
  18. revision=1
  20. [System Access]
  21. ;----------------------------------------------------------------
  22. ;Account Policies - Password Policy
  23. ;----------------------------------------------------------------
  24. MinimumPasswordAge = 0
  25. MaximumPasswordAge = 42
  26. MinimumPasswordLength = 0
  27. PasswordComplexity = 0
  28. PasswordHistorySize = 0
  29. RequireLogonToChangePassword = 0
  30. ClearTextPassword = 0
  31. LSAAnonymousNameLookup = 0
  32. EnableGuestAccount = 0
  34. ;----------------------------------------------------------------
  35. ;Account Policies - Lockout Policy
  36. ;----------------------------------------------------------------
  37. LockoutBadCount = 0
  38. ;ResetLockoutCount = 30
  39. ;LockoutDuration = 30
  41. ;----------------------------------------------------------------
  42. ;Local Policies - Security Options
  43. ;----------------------------------------------------------------
  44. ;DC Only
  45. ;ForceLogoffWhenHourExpire = 0
  47. ;NewAdministatorName =
  48. ;NewGuestName =
  50. ;----------------------------------------------------------------
  51. ;Event Log - Log Settings
  52. ;----------------------------------------------------------------
  53. ;Audit Log Retention Period:
  54. ;0 = Overwrite Events As Needed
  55. ;1 = Overwrite Events As Specified by Retention Days Entry
  56. ;2 = Never Overwrite Events (Clear Log Manually)
  58. [System Log]
  59. @@:@3:MaximumLogSize = 512
  60. @@:@6:MaximumLogSize = 2048
  61. AuditLogRetentionPeriod = 1
  62. RetentionDays = 7
  63. RestrictGuestAccess = 1
  65. [Security Log]
  66. MaximumLogSize = 512
  67. AuditLogRetentionPeriod = 1
  68. RetentionDays = 7
  69. RestrictGuestAccess = 1
  71. [Application Log]
  72. MaximumLogSize = 512
  73. AuditLogRetentionPeriod = 1
  74. RetentionDays = 7
  75. RestrictGuestAccess = 1
  77. ;----------------------------------------------------------------------
  78. ; Local Policies\Audit Policy
  79. ;----------------------------------------------------------------------
  80. [Event Audit]
  81. AuditSystemEvents = 0
  82. AuditObjectAccess = 0
  83. AuditPrivilegeUse = 0
  84. AuditPolicyChange = 0
  85. AuditAccountManage = 0
  86. AuditProcessTracking = 0
  87. ;AuditDSAccess = 0
  88. AuditAccountLogon = 0
  89. AuditLogonEvents = 0
  92. ;----------------------------------------------------------------
  93. ;Registry Values
  94. ;----------------------------------------------------------------
  95. [Registry Values]
  96. ; Registry value name in full path = Type, Value
  97. ; REG_SZ ( 1 )
  98. ; REG_EXPAND_SZ ( 2 ) // with environment variables to expand
  99. ; REG_BINARY ( 3 )
  100. ; REG_DWORD ( 4 )
  101. ; REG_MULTI_SZ ( 7 )
  103. MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects=4,0
  104. MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail=4,0
  105. MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds=4,0
  106. MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,0
  107. @@:@3:MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest=4,1
  108. @@:@6:MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest=4,0
  109. MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy=4,0
  110. MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing=3,0
  111. MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
  112. MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,0
  113. MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec=4,0
  114. MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec=4,0
  115. MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,0
  116. MACHINE\System\CurrentControlSet\Control\Lsa\NoDefaultAdminOwner=4,1
  117. MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
  118. MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
  120. ;Domain Controllers Only
  121. ;MACHINE\System\CurrentControlSet\Control\Lsa\SubmitControl=4,0
  123. MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers=4,0
  125. MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive=4,1
  126. MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,0
  127. MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode=4,1
  129. MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,0
  130. MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,0
  131. MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogOff=4,1
  132. MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect=4,15
  134. MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature=4,1
  135. MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature=4,0
  136. MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword=4,0
  138. MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity=4,1
  140. MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange=4,0
  141. MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge=4,30
  142. MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel=4,1
  143. MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel=4,1
  144. MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal=4,1
  145. MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey=4,0
  147. ;Potential to take on different values during and after setup
  148. ;MACHINE\Software\Microsoft\Driver Signing\Policy=3,1
  149. ;MACHINE\Software\Microsoft\Non-Driver Signing\Policy=3,0
  152. ;MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,1
  153. MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,0
  154. MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption=1,""
  155. MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=7,""
  156. MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon=4,1
  157. MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UndockWithoutLogon=4,1
  159. MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel=4,0
  160. MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand=4,0
  162. MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms=1,0
  163. MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD=1,0
  164. MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies=1,0
  165. MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,10
  166. MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon=4,0
  167. MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning=4,14
  168. MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption=1,0
  170. ;----------------------------------------------------------------------
  171. ; Privileges & Rights
  172. ;----------------------------------------------------------------------
  173. ;
  174. ;World S-1-1-0
  175. ;
  176. ;NT Authority S-1-5
  177. ;LOCAL_SERVICE 19
  178. ;NETWORK_SERVICE 20
  179. ;
  180. ;Built-In Domain SubAuthority = S-1-5-32
  181. ;ADMINISTRATORS 544
  182. ;USERS 545
  183. ;GUESTS 546
  184. ;POWER_USERS 547
  185. ;ACCOUNT_OPS 548
  186. ;SYSTEM_OPS 549
  187. ;PRINT_OPS 550
  188. ;BACKUP_OPS 551
  189. ;REPLICATOR 552
  190. ;RAS_SERVERS 553
  191. ;PREW2KCOMPACCESS 554
  192. ;REMOTE_DESKTOP_USERS 555
  193. ;NETWORK_CONFIGURATION_OPS 556
  196. [Privilege Rights]
  197. SeAssignPrimaryTokenPrivilege = *S-1-5-19, *S-1-5-20
  198. SeAuditPrivilege = *S-1-5-19, *S-1-5-20
  199. SeBatchLogonRight =
  200. SeBackupPrivilege = *S-1-5-32-544, *S-1-5-32-551
  201. SeChangeNotifyPrivilege = *S-1-5-32-544, *S-1-5-32-551, *S-1-5-32-547, *S-1-5-32-545, *S-1-1-0
  202. SeCreatePagefilePrivilege = *S-1-5-32-544
  203. SeCreatePermanentPrivilege =
  204. SeCreateTokenPrivilege =
  205. SeDebugPrivilege = *S-1-5-32-544
  206. SeIncreaseBasePriorityPrivilege = *S-1-5-32-544
  207. SeIncreaseQuotaPrivilege = *S-1-5-32-544, *S-1-5-19, *S-1-5-20
  208. SeInteractiveLogonRight = *S-1-5-32-544, *S-1-5-32-551, *S-1-5-32-547, *S-1-5-32-545, %SceInfGuest%
  209. SeLoadDriverPrivilege = *S-1-5-32-544
  210. SeLockMemoryPrivilege =
  211. SeMachineAccountPrivilege =
  212. SeManageVolumePrivilege = *S-1-5-32-544
  213. SeNetworkLogonRight = *S-1-5-32-544, *S-1-5-32-551, *S-1-5-32-547, *S-1-5-32-545, *S-1-1-0
  214. SeProfileSingleProcessPrivilege = *S-1-5-32-544, *S-1-5-32-547
  215. SeRemoteInteractiveLogonRight = *S-1-5-32-544, *S-1-5-32-555
  216. SeRemoteShutdownPrivilege = *S-1-5-32-544
  217. SeRestorePrivilege = *S-1-5-32-544, *S-1-5-32-551
  218. SeSecurityPrivilege = *S-1-5-32-544
  219. SeServiceLogonRight =
  220. SeShutdownPrivilege = *S-1-5-32-544, *S-1-5-32-551, *S-1-5-32-547, *S-1-5-32-545
  221. SeSystemEnvironmentPrivilege = *S-1-5-32-544
  222. SeSystemProfilePrivilege = *S-1-5-32-544
  223. SeSystemTimePrivilege = *S-1-5-32-544, *S-1-5-32-547
  224. SeTakeOwnershipPrivilege = *S-1-5-32-544
  225. SeTcbPrivilege =
  226. ;
  227. SeDenyInteractiveLogonRight = %SceInfGuest%
  228. SeDenyBatchLogonRight =
  229. SeDenyServiceLogonRight =
  230. SeDenyNetworkLogonRight = %SceInfGuest%
  231. SeDenyRemoteInteractiveLogonRight =
  232. ;
  233. SeUndockPrivilege = *S-1-5-32-544, *S-1-5-32-547, *S-1-5-32-545
  234. SeSyncAgentPrivilege =
  235. SeEnableDelegationPrivilege =
  237. [Group Membership]
  238. %SceInfUsers%__Memberof =
  239. %SceInfUsers%__Members = %SceInfAuthUsers%,%SceInfInteractive%
  242. [Service General Setting]
  243. ;Note - SCECLI is hooked so that startup mode is not configured during setup or dcpromo
  244. ;autostarted on workstations and servers, standalone or joined - Remove PU ability to stop\start.
  245. Browser,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  246. Dhcp,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRRC;;;NO)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  247. TrkWks,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  248. Dnscache,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRRC;;;NO)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  249. Eventlog,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  250. PolicyAgent,2,"D:(A;;CCLCSWLORC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  251. dmserver,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  252. Messenger,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  253. PlugPlay,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  254. Spooler,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  255. ProtectedStorage,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  256. RpcSs,2,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLORC;;;PU)(A;;CCLCSWRPLO;;;IU)(A;;CCLCSWRPLO;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  257. NtmsSvc,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  258. seclogon,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  259. SamSs,2,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLORC;;;PU)(A;;CCLCSWRPLO;;;IU)(A;;CCLCSWRPLO;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  260. lanmanserver,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  261. SENS,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  262. Schedule,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  263. LmHosts,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  264. LanmanWorkstation,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  265. RemoteRegistry,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  267. ;Not autostarted, but non-default DACL - Remove PU ability to change template
  268. ClipSrv,3,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLORC;;;PU)(A;;CCLCSWRPLO;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  269. NetDDE,3,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLORC;;;PU)(A;;CCLCSWRPLO;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  270. NetDDEdsdm,3,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLORC;;;PU)(A;;CCLCSWRPLO;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  271. AppMgmt,3,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLORC;;;PU)(A;;CCLCSWRPLO;;;IU)(A;;CCLCSWRPLO;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  272. EventSystem,3,"D:(A;;CCLCSWRPLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLORC;;;PU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  274. ;Not autostarted if machine is standalone
  275. Netlogon,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  276. W32Time,2,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLORC;;;PU)(A;;CCLCSWRPLO;;;IU)(A;;CCLCSWRPLO;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  278. ;Not autostarted if Wksta
  279. ;Alerter,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  280. ;MSDTC,2,"D:(A;;CCLCSWRPLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLORC;;;NS)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  282. ;Server Only Services
  283. ;Dfs,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  284. ;LicenseService,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  285. ;SMTPSVC,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  287. ;IIS Specific Services - Leave them alone
  288. ;IISADMIN,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  289. ;W3SVC,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  290. ;MSFTPSVC,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  293. [Registry Keys]
  295. "MACHINE\Software",2,"D:P(A;CI;GR;;;BU)(A;CI;GRGWSD;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  297. ;Same as parent, but this is the target of a symlink - set explicitly.
  298. "MACHINE\SOFTWARE\Classes",2,"D:P(A;CI;GR;;;BU)(A;CI;GRGWSD;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  299. "MACHINE\SOFTWARE\Classes\helpfile",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  300. "MACHINE\SOFTWARE\Classes\.hlp",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  302. "MACHINE\SOFTWARE\Microsoft\ADs\Providers\LDAP\Extensions",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  303. @@:@i:"MACHINE\SOFTWARE\Microsoft\ADs\Providers\NDS",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  304. @@:@i:"MACHINE\SOFTWARE\Microsoft\ADs\Providers\NWCOMPAT",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  305. "MACHINE\SOFTWARE\Microsoft\ADs\Providers\WinNT",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  307. "MACHINE\SOFTWARE\Microsoft\Command Processor",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  309. "MACHINE\SOFTWARE\Microsoft\Cryptography",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  310. "MACHINE\SOFTWARE\Microsoft\Cryptography\Calais",2,"D:AR(A;CI;GRGWSD;;;LS)"
  311. "MACHINE\SOFTWARE\Microsoft\Driver Signing",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  312. "MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  313. "MACHINE\SOFTWARE\Microsoft\Non-Driver Signing",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  314. "MACHINE\SOFTWARE\Microsoft\NetDDE",2,"D:P(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  315. "MACHINE\SOFTWARE\Microsoft\Ole",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  316. "MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider",1,"D:AR"
  317. "MACHINE\SOFTWARE\Microsoft\Rpc",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  318. "MACHINE\SOFTWARE\Microsoft\Secure",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  319. "MACHINE\SOFTWARE\Microsoft\SystemCertificates",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  321. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  322. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  323. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  324. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  326. ;The following keys do not exist when we run
  327. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy",1,"D:AR"
  328. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer",1,"D:AR"
  329. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies",1,"D:AR"
  330. "MACHINE\SOFTWARE\Microsoft\MSDTC",1,"D:AR"
  332. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony",2,"D:P(A;CIOI;GR;;;BU)(A;CIOI;GRGWSD;;;PU)(A;CIOI;GA;;;NS)(A;CIOI;GA;;;LS)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  334. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  335. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AEDebug",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  336. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Asr\Commands",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GRGWSD;;;BO)"
  337. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Classes",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  338. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  339. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  340. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Font Drivers",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  341. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontMapper",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  342. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  343. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  344. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib",2,"D:P(A;CI;GR;;;IU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GR;;;NS)"
  345. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\009",1,"D:AR"
  346. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  347. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SecEdit",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  348. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  349. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  350. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  351. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  352. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  354. "MACHINE\SOFTWARE\Policies",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  357. "MACHINE\System",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  359. "MACHINE\SYSTEM\Clone",1,"D:AR"
  361. "MACHINE\SYSTEM\ControlSet001",1,"D:AR"
  362. "MACHINE\SYSTEM\ControlSet002",1,"D:AR"
  363. "MACHINE\SYSTEM\ControlSet003",1,"D:AR"
  364. "MACHINE\SYSTEM\ControlSet004",1,"D:AR"
  365. "MACHINE\SYSTEM\ControlSet005",1,"D:AR"
  366. "MACHINE\SYSTEM\ControlSet006",1,"D:AR"
  367. "MACHINE\SYSTEM\ControlSet007",1,"D:AR"
  368. "MACHINE\SYSTEM\ControlSet008",1,"D:AR"
  369. "MACHINE\SYSTEM\ControlSet009",1,"D:AR"
  370. "MACHINE\SYSTEM\ControlSet010",1,"D:AR"
  372. "MACHINE\SYSTEM\CurrentControlSet\Control\Class",0,"D:AR"
  374. "MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout",2,"D:(A;CI;GR;;;WD)"
  375. "MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts",2,"D:(A;CI;GR;;;WD)"
  376. "MACHINE\SYSTEM\CurrentControlSet\Control\Network",2,"D:(A;CI;GRGWSD;;;NO)"
  377. "MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg",2,"D:P(A;CI;GA;;;BA)(A;;GR;;;BO)(A;CI;GR;;;LS)"
  378. "MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Executive",2,"D:(A;CI;GRGWSD;;;PU)"
  379. "MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation",2,"D:(A;CI;GRGWSD;;;PU)"
  380. "MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Security",2,"D:P(A;CI;GR;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  382. ;Set security subkey permissions for those services created via default hives
  383. "MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  384. "MACHINE\SYSTEM\CurrentControlSet\Services\ClipSrv\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  385. "MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  386. "MACHINE\SYSTEM\CurrentControlSet\Services\ERSvc\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  387. "MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  388. @@:@6:"MACHINE\SYSTEM\CurrentControlSet\Services\IASJet\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  389. "MACHINE\SYSTEM\CurrentControlSet\Services\NetDDE\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  390. "MACHINE\SYSTEM\CurrentControlSet\Services\NetDDEdsdm\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  391. "MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  392. "MACHINE\SYSTEM\CurrentControlSet\Services\Samss\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  393. "MACHINE\SYSTEM\CurrentControlSet\Services\ScardDrv\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  394. "MACHINE\SYSTEM\CurrentControlSet\Services\SCardSvr\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  395. "MACHINE\SYSTEM\CurrentControlSet\Services\TapiSrv\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  396. "MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  398. ;Set security subkey permissions for those services created in GUI-mode setup before SCE runs
  399. "MACHINE\SYSTEM\CurrentControlSet\Services\IREnum\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  400. "MACHINE\SYSTEM\CurrentControlSet\Services\STISvc\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  401. "MACHINE\SYSTEM\CurrentControlSet\Services\WMI\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  404. "MACHINE\SYSTEM\CurrentControlSet\Services\SysmonLog\Log Queries",2,"D:(A;CI;GA;;;NS)"
  406. "MACHINE\SYSTEM\CurrentControlSet\Enum",1,"D:AR"
  408. "MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles",1,"D:AR"
  410. "USERS\.DEFAULT",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  411. "USERS\.DEFAULT\Software\Microsoft\NetDDE",2,"D:P(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  412. "USERS\.DEFAULT\SOFTWARE\Microsoft\Protected Storage System Provider",1,"D:AR"
  413. "USERS\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\ProtectedRoots",1,"D:AR"
  415. [File Security]
  417. ;---------------------------------------------------------------------------------------
  418. ;x86 Boot Files
  419. ;---------------------------------------------------------------------------------------
  420. @@:@i:"%BootDrive%\boot.ini",2,"D:P(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
  421. @@:@i:"%BootDrive%\ntdetect.com",2,"D:P(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
  422. @@:@i:"%BootDrive%\ntldr",2,"D:P(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
  423. @@:@i:"%BootDrive%\ntbootdd.sys",2,"D:P(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
  424. @@:@i:"%BootDrive%\autoexec.bat",2,"D:P(A;;GRGX;;;BU)(A;;GRGWGXSD;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
  425. @@:@i:"%BootDrive%\config.sys",2,"D:P(A;;GRGX;;;BU)(A;;GRGWGXSD;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
  427. ;---------------------------------------------------------------------------------------
  428. ;amd64 Boot Files
  429. ;---------------------------------------------------------------------------------------
  430. @@:@a:"%BootDrive%\boot.ini",2,"D:P(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
  431. @@:@a:"%BootDrive%\ntdetect.com",2,"D:P(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
  432. @@:@a:"%BootDrive%\ntldr",2,"D:P(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
  434. ;Setup Security will contain the new root acl. Ignore D and S in case setup security reapplied (e.g. after conversion from FAT)
  435. "%SystemDrive%\Documents and Settings",1,"D:AR"
  437. ;---------------------------------------------------------------------------------------------
  438. ;ProgramFiles
  439. ;---------------------------------------------------------------------------------------------
  440. ;Need to use the SceInfProgramFiles environment var to handle the Win9x upgrade case which is treated like clean-install
  441. ;"%SystemDrive%\%SCEInfProgramFiles%",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  443. "%SceInfProgramFiles%",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  446. ;---------------------------------------------------------------------------------------------
  447. ;System Root (Typically \WINDOWS)
  448. ;---------------------------------------------------------------------------------------------
  449. "%SystemRoot%",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  451. ;Directories that existed and inherited on NT4 out of the box.
  452. ;The text-mode files within these directories are individually secured below.
  453. ;Config, Cursors, Help, Media, Repair, System, Fonts, INF
  455. ;Directories that existed but did not inherit on NT4.
  456. "%SystemRoot%\repair",2,"D:P(A;CI;GRGX;;;BU)(A;CIOI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  458. ;Directories with a legacy history that now ship in the box.
  459. ;Allow Power User Modify on the directory, but Read Only to the files installed during setup.
  460. "%SystemRoot%\addins",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  461. "%SystemRoot%\Connection Wizard",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  462. "%SystemRoot%\java",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  463. "%SystemRoot%\msagent",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  464. "%SystemRoot%\twain_32",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  465. "%SystemRoot%\Web",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  467. ;Directories with a legacy history that no longer ship in the box
  468. "%SystemRoot%\speech",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  470. ;Directories with a legacy history being changed for security reasons
  471. "%SystemRoot%\Debug\UserMode",2,"D:PAR(A;;0x00100023;;;BU)(A;OIIO;0x00100006;;;BU)(A;CIOI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)"
  472. "%SystemRoot%\Temp",2,"D:P(A;CI;0x100026;;;BU)(A;CIOI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  474. ;Directories with no legacy to preserve. Power Users the same as Users
  475. "%SystemRoot%\AppPatch",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  476. "%SystemRoot%\Driver Cache",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  477. "%SystemRoot%\mui",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  478. "%SystemRoot%\Resources",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  479. "%SystemRoot%\Security",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  480. "%SystemRoot%\WinSxS",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  482. ;Directories that do not exist when security applied during clean-install - Creator specifies directory security.
  483. ;We explicitly ignore so as not to whack the component-specified DIRECTORY security on upgrade or reapplication of defaults.
  484. "%SystemRoot%\CSC",1,"D:AR"
  485. "%SystemRoot%\Installer",1,"D:AR"
  486. "%SystemRoot%\Prefetch",1,"D:AR"
  487. "%SystemRoot%\Profiles",1,"D:AR"
  488. "%SystemRoot%\Registration",1,"D:AR"
  489. "%SystemRoot%\Tasks",1,"D:AR"
  491. ;Directories that do not exist when security applied during setup - Creator does not specify directory security.
  492. ;Creator should specify FILE security in optional component INF that gets applied on clean-install AND upgrade.
  493. ;Omit (rather than ignore) to allow component-specified file security to be set on reapplication of defaults.
  494. ;Use MARTA (rather than omit) for any components that set protected run-time security.
  495. ;"%SystemRoot%\Downloaded Program Files",0,"D:AR"
  496. ;"%SystemRoot%\Offline Web Pages",0,"D:AR"
  497. ;"%SystemRoot%\IME",0,"D:AR"
  498. ;"%SystemRoot%\mww32",0,"D:AR"
  499. ;"%SystemRoot%\PCHEALTH",0,"D:AR"
  500. ;"%SystemRoot%\SchCache",0,"D:AR"
  501. ;"%SystemRoot%\srchasst",0,"D:AR"
  503. ;---------------------------------------------------------------------------------------------
  504. ;System Directory (Typically \Windows\System32)
  505. ;---------------------------------------------------------------------------------------------
  507. "%SystemDirectory%",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  509. ;Directories that existed and inherited on NT4 out of the box.
  510. ;The text-mode files within these directories are individually secured below.
  511. ;OS2, RAS, Spool, Viewers, WINS
  513. ;So spooler can load drivers while impersonating the forced Guest
  514. "%SystemDirectory%\spool\drivers",2,"D:(A;CIOI;GRGX;;;WD)"
  516. ;Directories that existed but did not inherit on NT4.
  517. "%SystemDirectory%\config",2,"D:P(A;CI;GRGX;;;BU)(A;CI;GRGX;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  518. ;Profile for system account - moved from Docs and Settings in Whistler. Creator specifies security.
  519. "%SystemDirectory%\config\systemprofile",1,"D:P(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)"
  520. "%SystemDirectory%\dhcp",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  521. "%SystemDirectory%\dllcache",2,"D:P(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  522. "%SystemDirectory%\drivers",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  524. ;Directories with a legacy history that now ship in the box.
  525. ;Allow Power User Modify on the directory, but Read Only to the files installed during setup.
  526. "%SystemDirectory%\mui",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  527. "%SystemDirectory%\ShellExt",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  528. "%SystemDirectory%\wbem",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  529. "%SystemDirectory%\wbem\mof",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  531. ;Directories with a legacy history that no longer ship in the box
  532. ;
  534. ;Directories with a legacy history being changed for security reasons
  535. "%SystemDirectory%\catroot",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  536. "%SystemDirectory%\catroot2",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  537. "%SystemDirectory%\ias",2,"D:P(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  539. ;Directories with no legacy to preserve. Power Users the same as Users
  540. "%SystemDirectory%\Export",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  542. ;Directories that do not exist when security applied during clean-install - Creator specifies directory security.
  543. ;We explicitly ignore so as not to whack the component-specified DIRECTORY security on upgrade or reapplication of defaults.
  544. "%SystemDirectory%\appmgmt",1,"D:AR"
  545. "%SystemDirectory%\DTCLog",1,"D:AR"
  546. "%SystemDirectory%\GroupPolicy",1,"D:AR"
  547. "%SystemDirectory%\msdtc",1,"D:AR"
  548. "%SystemDirectory%\NTMSData",1,"D:AR"
  549. "%SystemDirectory%\ReinstallBackups",1,"D:AR"
  550. "%SystemDirectory%\repl",1,"D:AR"
  551. "%SystemDirectory%\Setup",1,"D:AR"
  552. "%SystemDirectory%\spool\printers",1,"D:AR"
  554. ;Directories that do not exist when security applied during setup - Creator does not specify directory security.
  555. ;Creator should specify FILE security in optional component INF that gets applied on clean-install AND upgrade.
  556. ;Omit (rather than ignore) to allow component-specified file security to be set on reapplication of defaults.
  557. ;Use MARTA (rather than omit) for any components that set protected run-time security.
  558. ;"%SystemDirectory%\Cache",0,"D:AR"
  559. ;"%SystemDirectory%\Com",0,"D:AR"
  560. ;"%SystemDirectory%\clients",0,"D:AR"
  561. ;"%SystemDirectory%\inetsrv",0,"D:AR"
  562. ;"%SystemDirectory%\LogFiles",0,"D:AR"
  563. ;"%SystemDirectory%\Microsoft",0,"D:AR"
  564. ;"%SystemDirectory%\npp",0,"D:AR"
  565. ;"%SystemDirectory%\oobe",0,"D:AR"
  566. ;"%SystemDirectory%\restore",0,"D:AR"
  567. ;"%SystemDirectory%\reminst",0,"D:AR"
  568. ;"%SystemDirectory%\rocket",0,"D:AR"
  569. ;"%SystemDirectory%\usmt",0,"D:AR"
  572. ;-----------------------------------------------------------------------------------------
  573. ;Individual File Settings.
  574. ;So that Power User Modify is not inherited from parent.
  575. ;-----------------------------------------------------------------------------------------
  576. "%Systemroot%\*",2,"D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
  577. Exception="win.ini"
  578. "%Systemroot%\System\*",2,"D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
  579. "%Systemroot%\Inf\*",2,"D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
  580. Exception="msmail.inf"
  581. "%Systemroot%\Help\*",2,"D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
  582. "%Systemroot%\Fonts\*",2,"D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
  583. "%Systemroot%\Config\*",2,"D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
  584. "%Systemroot%\Media\*",2,"D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
  585. "%Systemroot%\Cursors\*",2,"D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
  586. "%Systemdirectory%\hal.dll",2,"D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
  587. "%Systemdirectory%\spoolss.dll",2,"D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
  588. "%Systemdirectory%\*",2,"D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
  589. Exception="autoexec.nt"
  590. Exception="cmos.ram"
  591. Exception="config.nt"
  592. Exception="hpmon.dll"
  593. Exception="hpmon.hlp"
  594. Exception="localmon.dll"
  595. Exception="midimap.cfg"
  596. "%Systemdirectory%\OS2\*",2,"D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
  597. "%Systemdirectory%\OS2\DLL\*",2,"D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
  598. "%Systemdirectory%\RAS\*",2,"D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
  599. "%Systemdirectory%\Viewers\*",2,"D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"