archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
8 Commits
1 Branch
0 Tags
2.0 GiB
Tree: 744f0b4006
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '744f0b4006'
${ noResults }
windows-xp/Source/XPSP1/NT/mergedcomponents/setupinfs/dsupt.inx

490 lines
33 KiB
Raw Normal View History

Add source files
4 years ago
  1. @*:This file defines default security settings.
  2. @*:Please do not edit. Instead, email kirksol with the requested change.
  3. @*:Thanks!
  4. ; (c) Microsoft Corporation 1997-2000
  5. ;
  6. ; Security Configuration Template for Security Configuration Editor
  7. ;
  8. ; Template Name: DSUpT.INF
  9. ; Template Version: 05.10.DT.0000
  10. ;
  11. ; Default Security for Windows NT 5.1 Terminal Servers that have been:
  12. ; 1. Upgraded from NT4 Terminal Server OR
  13. ; 2. Upgraded from Win2k Terminal Server that was running in App Mode.
  14. ; NOT used to upgrade Win2k\Whistler Terminal Servers running in remote admin mode (DSUp.inf should be used for that)
  15. @* This usually avoids overwriting changes made by TS AppCompat Scripts
  16. @* BUT!
  17. @* Now it is identical to DSUP.INX
  18. @* Hopefully we can remove this file as soon as TS App-Compat testing is
  19. @* complete. This should be removed before RTM. -- Sandy Coyne
  22. [Profile Description]
  23. %SCEDSUpProfileDescription%
  25. [version]
  26. signature="$CHICAGO$"
  27. revision=1
  29. ;----------------------------------------------------------------
  30. ;Event Log - Log Settings
  31. ;----------------------------------------------------------------
  33. [System Log]
  34. RestrictGuestAccess = 1
  36. [Security Log]
  37. RestrictGuestAccess = 1
  39. [Application Log]
  40. RestrictGuestAccess = 1
  42. ;----------------------------------------------------------------
  43. ;Registry Values
  44. ;----------------------------------------------------------------
  45. [Registry Values]
  46. ;On upgrade, we can only set reg values that meet the following criteria:
  47. ;a.) value did not exist on previous releases
  48. ;b.) default setting was changed from a less secure to a more secure state
  50. MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UndockWithoutLogon=4,1
  52. MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds=4,0
  53. MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,0
  54. MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest=4,0
  55. MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy=4,0
  56. MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
  57. MACHINE\System\CurrentControlSet\Control\Lsa\NoDefaultAdminOwner=4,0
  58. MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,0
  60. MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive=4,1
  61. MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode=4,1
  63. MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity=4,1
  65. MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal=4,1
  67. ;We cannot set the following values which were new for Win2k, because
  68. ;Win2k customers may have already configured them differently.
  69. ;Therefore, the following may not be configured on upgrade from NT4.
  70. ;
  71. ;MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel=4,0
  72. ;MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand=4,0
  73. ;MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD=1,0
  74. ;MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption=1,0
  77. [Privilege Rights]
  78. ;
  79. ;World S-1-1-0
  80. ;
  81. ;NT Authority S-1-5
  82. ;TERMINAL_SERVER 13
  83. ;LOCAL_SERVICE 19
  84. ;NETWORK_SERVICE 20
  85. ;
  86. ;Built-In Domain SubAuthority = S-1-5-32
  87. ;ADMINISTRATORS 544
  88. ;USERS 545
  89. ;GUESTS 546
  90. ;POWER_USERS 547
  91. ;ACCOUNT_OPS 548
  92. ;SYSTEM_OPS 549
  93. ;PRINT_OPS 550
  94. ;BACKUP_OPS 551
  95. ;REPLICATOR 552
  96. ;RAS_SERVERS 553
  97. ;PREW2KCOMPACCESS 554
  98. ;REMOTE_DESKTOP_USERS 555
  99. ;NETWORK_CONFIGURATION_OPS 556
  100. ;
  101. SeAssignPrimaryTokenPrivilege = Add:, *S-1-5-19, *S-1-5-20
  102. SeAuditPrivilege = Add:, *S-1-5-19, *S-1-5-20
  103. SeIncreaseBasePriorityPrivilege = Remove:, *S-1-5-32-547
  104. SeIncreaseQuotaPrivilege = Add:, *S-1-5-19, *S-1-5-20
  105. SeManageVolumePrivilege = Add:, *S-1-5-32-544
  106. SeRemoteInteractiveLogonRight = Add:, *S-1-5-32-544, *S-1-5-32-555
  107. SeRemoteShutdownPrivilege = Remove:, *S-1-5-32-547
  108. SeSystemTimePrivilege = Remove:, *S-1-5-19, *S-1-5-20
  110. ;Undock was added in Win2k. Not adding Users because:
  111. ;a.) Win2k customers may have justifiably removed them.
  112. ;b.) NT4 upgrade adds interactive to the Power Users group.
  113. SeUndockPrivilege = Add:, *S-1-5-32-544, *S-1-5-32-547
  115. ;[Group Membership]
  116. ;During upgrade, use net api's to
  117. ;1 - add Authenticated Users and Interactive into the Users group
  118. ;Note, Interactive should NOT be added to Power Users as it is in NT4 Workstation Upgrade.
  121. [Service General Setting]
  122. ;Note: SCECLI is hooked so that startup mode is not configured during setup\dcpromo.
  123. ;autostarted on workstations and servers, standalone or joined
  124. Browser,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  125. Dhcp,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRRC;;;NO)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  126. TrkWks,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  127. Dnscache,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRRC;;;NO)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  128. Eventlog,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  129. PolicyAgent,2,"D:(A;;CCLCSWLORC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  130. dmserver,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  131. Messenger,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  132. PlugPlay,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  133. Spooler,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  134. ProtectedStorage,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  135. RpcSs,2,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLORC;;;PU)(A;;CCLCSWRPLO;;;IU)(A;;CCLCSWRPLO;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  136. NtmsSvc,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  137. seclogon,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  138. SamSs,2,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLORC;;;PU)(A;;CCLCSWRPLO;;;IU)(A;;CCLCSWRPLO;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  139. lanmanserver,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  140. SENS,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  141. Schedule,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  142. LmHosts,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  143. LanmanWorkstation,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  144. RemoteRegistry,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  146. ;Not autostarted, but non-default DACL - Remove PU ability to change template
  147. ClipSrv,3,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLORC;;;PU)(A;;CCLCSWRPLO;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  148. NetDDE,3,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLORC;;;PU)(A;;CCLCSWRPLO;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  149. NetDDEdsdm,3,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLORC;;;PU)(A;;CCLCSWRPLO;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  150. AppMgmt,3,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLORC;;;PU)(A;;CCLCSWRPLO;;;IU)(A;;CCLCSWRPLO;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  151. EventSystem,3,"D:(A;;CCLCSWRPLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLORC;;;PU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  153. ;Not autostarted if machine is standalone
  154. ;Netlogon,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  155. ;W32Time,2,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLORC;;;PU)(A;;CCLCSWRPLO;;;IU)(A;;CCLCSWRPLO;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  157. ;Not autostarted if Wksta
  158. Alerter,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  159. MSDTC,2,"D:(A;;CCLCSWRPLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLORC;;;NS)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  161. ;Server Only Services
  162. Dfs,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  163. LicenseService,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  164. SMTPSVC,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  166. ;IIS Specific Services - Leave them alone
  167. ;IISADMIN,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  168. ;W3SVC,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  169. ;MSFTPSVC,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  172. [Registry Keys]
  174. "MACHINE\Software",2,"D:P(A;CI;GR;;;BU)(A;CI;GRGWSD;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GRGWSD;;;S-1-5-13)"
  176. ;Not same as parent, and this is the target of a symlink - set explicitly.
  177. "MACHINE\SOFTWARE\Classes",2,"D:P(A;CI;GR;;;BU)(A;CI;GRGWSD;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  178. "MACHINE\SOFTWARE\Classes\helpfile",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  179. "MACHINE\SOFTWARE\Classes\.hlp",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  181. "MACHINE\SOFTWARE\Microsoft\ADs\Providers\LDAP\Extensions",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  182. @@:@i:"MACHINE\SOFTWARE\Microsoft\ADs\Providers\NDS",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  183. @@:@i:"MACHINE\SOFTWARE\Microsoft\ADs\Providers\NWCOMPAT",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  184. "MACHINE\SOFTWARE\Microsoft\ADs\Providers\WinNT",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  186. "MACHINE\SOFTWARE\Microsoft\Command Processor",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  188. "MACHINE\SOFTWARE\Microsoft\Cryptography",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  189. "MACHINE\SOFTWARE\Microsoft\Cryptography\Calais",2,"D:AR(A;CI;GRGWSD;;;LS)"
  191. "MACHINE\SOFTWARE\Microsoft\Driver Signing",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  192. "MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  193. "MACHINE\SOFTWARE\Microsoft\Non-Driver Signing",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  194. "MACHINE\SOFTWARE\Microsoft\NetDDE",2,"D:P(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  195. "MACHINE\SOFTWARE\Microsoft\Ole",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  196. "MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider",1,"D:AR"
  197. "MACHINE\SOFTWARE\Microsoft\Rpc",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  198. "MACHINE\SOFTWARE\Microsoft\Secure",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  199. "MACHINE\SOFTWARE\Microsoft\SystemCertificates",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  201. "MACHINE\Software\Microsoft\Windows\CurrentVersion",2,"D:P(A;CI;GR;;;BU)(A;CI;GRGWSD;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  202. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  203. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  204. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  205. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  206. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony",2,"D:P(A;CIOI;GR;;;BU)(A;CIOI;GRGWSD;;;PU)(A;CIOI;GA;;;NS)(A;CIOI;GA;;;LS)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  208. ;The following keys need to be writable by TERMINAL_SERVER_USER for App-Compat
  209. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths",2,"D:P(A;CI;GR;;;BU)(A;CI;GRGWSD;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GRGWSD;;;S-1-5-13)"
  210. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace",2,"D:P(A;CI;GR;;;BU)(A;CI;GRGWSD;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GRGWSD;;;S-1-5-13)"
  211. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks",2,"D:P(A;CI;GR;;;BU)(A;CI;GRGWSD;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GRGWSD;;;S-1-5-13)"
  212. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs",2,"D:P(A;CI;GR;;;BU)(A;CI;GRGWSD;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GRGWSD;;;S-1-5-13)"
  213. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",2,"D:P(A;CI;GR;;;BU)(A;CI;GRGWSD;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GRGWSD;;;S-1-5-13)"
  215. ;The following keys do not exist when we run.
  216. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy",1,"D:AR"
  217. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer",1,"D:AR"
  218. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies",1,"D:AR"
  219. "MACHINE\SOFTWARE\Microsoft\MSDTC",1,"D:AR"
  221. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  222. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AEDebug",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GRGWSD;;;S-1-5-13)"
  223. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Asr\Commands",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  224. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Classes",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  225. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  226. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  227. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Font Drivers",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  228. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontMapper",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  229. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  230. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  231. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib",2,"D:P(A;CI;GR;;;IU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GR;;;NS)"
  232. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\009",1,"D:AR"
  233. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports",2,"D:P(A;CI;GR;;;BU)(A;CI;GRGWSD;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  234. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  235. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SecEdit",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  236. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  237. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  238. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  239. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  240. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  242. "MACHINE\SOFTWARE\Policies",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  245. "MACHINE\System",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  247. "MACHINE\SYSTEM\Clone",1,"D:AR"
  249. "MACHINE\SYSTEM\ControlSet001",1,"D:AR"
  250. "MACHINE\SYSTEM\ControlSet002",1,"D:AR"
  251. "MACHINE\SYSTEM\ControlSet003",1,"D:AR"
  252. "MACHINE\SYSTEM\ControlSet004",1,"D:AR"
  253. "MACHINE\SYSTEM\ControlSet005",1,"D:AR"
  254. "MACHINE\SYSTEM\ControlSet006",1,"D:AR"
  255. "MACHINE\SYSTEM\ControlSet007",1,"D:AR"
  256. "MACHINE\SYSTEM\ControlSet008",1,"D:AR"
  257. "MACHINE\SYSTEM\ControlSet009",1,"D:AR"
  258. "MACHINE\SYSTEM\ControlSet010",1,"D:AR"
  260. "MACHINE\SYSTEM\CurrentControlSet\Control\Class",1,"D:AR"
  262. "MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout",2,"D:(A;CI;GR;;;WD)"
  263. "MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts",2,"D:(A;CI;GR;;;WD)"
  264. "MACHINE\SYSTEM\CurrentControlSet\Control\Network",2,"D:(A;CI;GRGWSD;;;NO)"
  265. "MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg",2,"D:P(A;CI;GA;;;BA)(A;;GR;;;BO)(A;CI;GR;;;LS)"
  266. "MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Executive",2,"D:(A;CI;GRGWSD;;;PU)"
  267. "MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation",2,"D:(A;CI;GRGWSD;;;PU)"
  268. "MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Security",2,"D:P(A;CI;GR;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  270. "MACHINE\SYSTEM\CurrentControlSet\Enum",1,"D:AR"
  272. "MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles",1,"D:AR"
  274. ;Don't whack more restrictive security subkeys.
  275. "MACHINE\SYSTEM\CurrentControlSet\Services",0,"D:AR"
  277. ;Set security subkey permissions for those services created via default hives
  278. "MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  279. "MACHINE\SYSTEM\CurrentControlSet\Services\ClipSrv\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  280. "MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  281. "MACHINE\SYSTEM\CurrentControlSet\Services\ERSvc\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  282. "MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  283. @@:@6:"MACHINE\SYSTEM\CurrentControlSet\Services\IASJet\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  284. "MACHINE\SYSTEM\CurrentControlSet\Services\kdc\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  285. "MACHINE\SYSTEM\CurrentControlSet\Services\NetDDE\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  286. "MACHINE\SYSTEM\CurrentControlSet\Services\NetDDEdsdm\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  287. "MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  288. "MACHINE\SYSTEM\CurrentControlSet\Services\Samss\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  289. "MACHINE\SYSTEM\CurrentControlSet\Services\ScardDrv\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  290. "MACHINE\SYSTEM\CurrentControlSet\Services\SCardSvr\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  291. "MACHINE\SYSTEM\CurrentControlSet\Services\TapiSrv\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  292. "MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  294. ;Set security subkey permissions for those services created in GUI-mode setup before SCE runs
  295. "MACHINE\SYSTEM\CurrentControlSet\Services\IREnum\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  296. "MACHINE\SYSTEM\CurrentControlSet\Services\STISvc\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  297. "MACHINE\SYSTEM\CurrentControlSet\Services\WMI\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  299. "MACHINE\SYSTEM\CurrentControlSet\Services\SysmonLog\Log Queries",2,"D:(A;CI;GA;;;NS)"
  301. "USERS\.DEFAULT",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  302. "USERS\.DEFAULT\Software\Microsoft\NetDDE",2,"D:P(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  303. "USERS\.DEFAULT\SOFTWARE\Microsoft\Protected Storage System Provider",1,"D:AR"
  304. "USERS\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\ProtectedRoots",1,"D:AR"
  307. [File Security]
  309. ;---------------------------------------------------------------------------------------
  310. ;x86 Boot Files
  311. ;---------------------------------------------------------------------------------------
  312. @@:@i:"%BootDrive%\boot.ini",2,"D:P(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
  313. @@:@i:"%BootDrive%\ntdetect.com",2,"D:P(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
  314. @@:@i:"%BootDrive%\ntldr",2,"D:P(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
  315. @@:@i:"%BootDrive%\ntbootdd.sys",2,"D:P(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
  316. @@:@i:"%BootDrive%\autoexec.bat",2,"D:P(A;;GRGX;;;BU)(A;;GRGWGXSD;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
  317. @@:@i:"%BootDrive%\config.sys",2,"D:P(A;;GRGX;;;BU)(A;;GRGWGXSD;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
  319. ;---------------------------------------------------------------------------------------
  320. ;amd64 Boot Files
  321. ;---------------------------------------------------------------------------------------
  322. @@:@a:"%BootDrive%\boot.ini",2,"D:P(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
  323. @@:@a:"%BootDrive%\ntdetect.com",2,"D:P(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
  324. @@:@a:"%BootDrive%\ntldr",2,"D:P(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
  326. ;SetupSecurity will contain the new root acl. Ignore docs and settings if it's reapplied (e.g. on conversion from FAT)
  327. ;Probably not necessary on upgrade, but just in case.
  328. "%SystemDrive%\Documents and Settings",1,"D:AR"
  330. ;---------------------------------------------------------------------------------------------
  331. ;Program Files
  332. ;---------------------------------------------------------------------------------------------
  333. "%SceInfProgramFiles%",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)(A;CIOI;GRGWGXSD;;;S-1-5-13)"
  335. ;---------------------------------------------------------------------------------------------
  336. ;System Root (Typically \WINDOWS)
  337. ;---------------------------------------------------------------------------------------------
  338. "%SystemRoot%",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  340. ;Directories that existed and inherited on NT4 out of the box.
  341. ;The text-mode files within these directories are individually secured below.
  342. ;Config, Cursors, Help, Media, Repair, System, Fonts, INF
  344. ;Directories that existed but did not inherit on NT4.
  345. "%SystemRoot%\repair",2,"D:P(A;CI;GRGX;;;BU)(A;CIOI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  347. ;Directories with a legacy history that now ship in the box.
  348. ;Allow Power User Modify on the directory, but Read Only to the files installed during setup.
  349. "%SystemRoot%\addins",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  350. "%SystemRoot%\Connection Wizard",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  351. "%SystemRoot%\java",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  352. "%SystemRoot%\msagent",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  353. "%SystemRoot%\twain_32",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  354. "%SystemRoot%\Web",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  356. ;Directories with a legacy history that no longer ship in the box
  357. "%SystemRoot%\speech",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  359. ;Directories with a legacy history being changed for security reasons
  360. "%SystemRoot%\Debug\UserMode",2,"D:PAR(A;;0x00100023;;;BU)(A;OIIO;0x00100006;;;BU)(A;CIOI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)"
  361. "%SystemRoot%\help",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)(A;CIOI;GRGWGX;;;S-1-5-13)"
  362. "%SystemRoot%\Temp",2,"D:P(A;CI;0x100026;;;BU)(A;CIOI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  364. ;Directories with no legacy to preserve. Power Users the same as Users
  365. "%SystemRoot%\AppPatch",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  366. "%SystemRoot%\Driver Cache",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  367. "%SystemRoot%\mui",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  368. "%SystemRoot%\Resources",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  369. "%SystemRoot%\Security",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  370. "%SystemRoot%\WinSxS",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  372. ;Directories that do not exist when security applied during clean-install - Creator specifies directory security.
  373. ;We explicitly ignore so as not to whack the component-specified DIRECTORY security on upgrade or reapplication of defaults.
  374. "%SystemRoot%\CSC",1,"D:AR"
  375. "%SystemRoot%\Installer",1,"D:AR"
  376. "%SystemRoot%\Prefetch",1,"D:AR"
  377. "%SystemRoot%\Profiles",1,"D:AR"
  378. "%SystemRoot%\Registration",1,"D:AR"
  379. "%SystemRoot%\Tasks",1,"D:AR"
  381. ;Directories that do not exist when security applied during setup - Creator does not specify directory security.
  382. ;Creator should specify FILE security in optional component INF that gets applied on clean-install AND upgrade.
  383. ;Omit (rather than ignore) to allow component-specified file security to be set on reapplication of defaults.
  384. ;Use MARTA (rather than omit) for any components that set protected run-time security.
  385. ;"%SystemRoot%\Downloaded Program Files",0,"D:AR"
  386. ;"%SystemRoot%\Offline Web Pages",0,"D:AR"
  387. ;"%SystemRoot%\IME",0,"D:AR"
  388. ;"%SystemRoot%\mww32",0,"D:AR"
  389. ;"%SystemRoot%\PCHEALTH",0,"D:AR"
  390. ;"%SystemRoot%\SchCache",0,"D:AR"
  391. ;"%SystemRoot%\srchasst",0,"D:AR"
  393. ;---------------------------------------------------------------------------------------------
  394. ;System Directory (Typically \Windows\System32)
  395. ;---------------------------------------------------------------------------------------------
  397. "%SystemDirectory%",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  399. ;Directories that existed and inherited on NT4 out of the box.
  400. ;The text-mode files within these directories are individually secured below.
  401. ;OS2, RAS, Spool, Viewers, WINS, Certsrv
  403. ;Directories that existed but did not inherit on NT4.
  404. "%SystemDirectory%\config",2,"D:P(A;CI;GRGX;;;BU)(A;CI;GRGX;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  405. ;Profile for system account - moved from Docs and Settings in Whistler. Creator specifies security.
  406. "%SystemDirectory%\config\systemprofile",1,"D:P(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)"
  407. "%SystemDirectory%\dhcp",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  408. "%SystemDirectory%\dllcache",2,"D:P(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  409. "%SystemDirectory%\drivers",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  411. ;Directories with a legacy history that now ship in the box.
  412. ;Allow Power User Modify on the directory, but Read Only to the files installed during setup.
  413. "%SystemDirectory%\ShellExt",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  414. "%SystemDirectory%\wbem",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  415. "%SystemDirectory%\wbem\mof",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  417. ;Directories with a legacy history that no longer ship in the box
  418. ;
  420. ;Directories with a legacy history being changed for security reasons
  421. "%SystemDirectory%\catroot",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  422. "%SystemDirectory%\catroot2",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  423. "%SystemDirectory%\ias",2,"D:P(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  425. ;Directories with no legacy to preserve. Power Users the same as Users
  426. "%SystemDirectory%\Export",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  427. "%SystemDirectory%\mui",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  429. ;Directories that do not exist when security applied during clean-install - Creator specifies directory security.
  430. ;We explicitly ignore so as not to whack the component-specified DIRECTORY security on upgrade or reapplication of defaults.
  431. "%SystemDirectory%\appmgmt",1,"D:AR"
  432. "%SystemDirectory%\DTCLog",1,"D:AR"
  433. "%SystemDirectory%\GroupPolicy",1,"D:AR"
  434. "%SystemDirectory%\msdtc",1,"D:AR"
  435. ;BugBug - Licensing service should use the Network Service profile directory - Remove the following line after B2.
  436. "%SystemDirectory%\LLS",1,"D:AR"
  437. "%SystemDirectory%\CPL.CFG",1,"D:AR"
  438. "%SystemDirectory%\NTMSData",1,"D:AR"
  439. "%SystemDirectory%\ReinstallBackups",1,"D:AR"
  440. "%SystemDirectory%\repl",1,"D:AR"
  441. "%SystemDirectory%\Setup",1,"D:AR"
  442. "%SystemDirectory%\spool\printers",1,"D:AR"
  444. ;Directories that do not exist when security applied during setup - Creator does not specify directory security.
  445. ;Creator should specify FILE security in optional component INF that gets applied on clean-install AND upgrade.
  446. ;Omit (rather than ignore) to allow component-specified file security to be set on reapplication of defaults.
  447. ;Use MARTA (rather than omit) for any components that set protected run-time security.
  448. ;"%SystemDirectory%\Cache",0,"D:AR"
  449. ;"%SystemDirectory%\clients",0,"D:AR"
  450. ;"%SystemDirectory%\Com",0,"D:AR"
  451. ;"%SystemDirectory%\inetsrv",0,"D:AR"
  452. ;"%SystemDirectory%\LogFiles",0,"D:AR"
  453. ;"%SystemDirectory%\Microsoft",0,"D:AR"
  454. ;"%SystemDirectory%\netmon",0,"D:AR"
  455. ;"%SystemDirectory%\npp",0,"D:AR"
  456. ;"%SystemDirectory%\oobe",0,"D:AR"
  457. ;"%SystemDirectory%\restore",0,"D:AR"
  458. ;"%SystemDirectory%\reminst",0,"D:AR"
  459. ;"%SystemDirectory%\rocket",0,"D:AR"
  460. ;"%SystemDirectory%\usmt",0,"D:AR"
  462. ;-----------------------------------------------------------------------------------------
  463. ;Individual File Settings.
  464. ;So that Power User Modify is not inherited from parent.
  465. ;-----------------------------------------------------------------------------------------
  466. "%Systemroot%\*",2,"D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
  467. Exception="win.ini"
  468. "%Systemroot%\System\*",2,"D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
  469. "%Systemroot%\Inf\*",2,"D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
  470. Exception="msmail.inf"
  471. "%Systemroot%\Help\*",2,"D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
  472. "%Systemroot%\Fonts\*",2,"D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
  473. "%Systemroot%\Config\*",2,"D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
  474. "%Systemroot%\Media\*",2,"D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
  475. "%Systemroot%\Cursors\*",2,"D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
  476. "%SystemRoot%\TAPI",2,"D:P(A;CIOI;GR;;;BU)(A;CIOI;GRGWSD;;;PU)(A;CIOI;GA;;;NS)(A;CIOI;GA;;;LS)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  477. "%Systemdirectory%\hal.dll",2,"D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
  478. "%Systemdirectory%\*",2,"D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
  479. Exception="autoexec.nt"
  480. Exception="cmos.ram"
  481. Exception="config.nt"
  482. Exception="hpmon.dll"
  483. Exception="hpmon.hlp"
  484. Exception="localmon.dll"
  485. Exception="midimap.cfg"
  486. "%Systemdirectory%\OS2\*",2,"D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
  487. "%Systemdirectory%\OS2\DLL\*",2,"D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
  488. "%Systemdirectory%\RAS\*",2,"D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
  489. "%Systemdirectory%\Viewers\*",2,"D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"