616 lines
38 KiB
Plaintext
616 lines
38 KiB
Plaintext
@*:This file defines default security settings.
|
|
@*:Please do not edit. Instead, email kirksol with the requested change.
|
|
@*:Thanks!
|
|
; (c) Microsoft Corporation 1997-2000
|
|
;
|
|
; Security Configuration Template for Security Configuration Editor
|
|
;
|
|
; Template Name: DefltSV.INF
|
|
; Template Version: 05.10.DS.0000
|
|
;
|
|
; Default Security For Windows NT 5.1 Server.
|
|
|
|
[Profile Description]
|
|
%SCEDefltSVProfileDescription%
|
|
|
|
[version]
|
|
signature="$CHICAGO$"
|
|
revision=1
|
|
|
|
|
|
[System Access]
|
|
;----------------------------------------------------------------
|
|
;Account Policies - Password Policy
|
|
;----------------------------------------------------------------
|
|
MinimumPasswordAge = 0
|
|
MaximumPasswordAge = 42
|
|
MinimumPasswordLength = 0
|
|
PasswordComplexity = 0
|
|
PasswordHistorySize = 0
|
|
RequireLogonToChangePassword = 0
|
|
ClearTextPassword = 0
|
|
|
|
;----------------------------------------------------------------
|
|
;Account Policies - Lockout Policy
|
|
;----------------------------------------------------------------
|
|
;No Account Lockout
|
|
LockoutBadCount = 0
|
|
|
|
;The following are not configured when No Account Lockout
|
|
;ResetLockoutCount = 30
|
|
;LockoutDuration = 30
|
|
|
|
|
|
;----------------------------------------------------------------
|
|
;Local Policies - Security Options
|
|
;----------------------------------------------------------------
|
|
;DC Only
|
|
;ForceLogoffWhenHourExpire = 0
|
|
|
|
;NewAdministatorName =
|
|
;NewGuestName =
|
|
;SecureSystemPartition
|
|
|
|
;----------------------------------------------------------------
|
|
;Event Log - Log Settings
|
|
;----------------------------------------------------------------
|
|
;Audit Log Retention Period:
|
|
;0 = Overwrite Events As Needed
|
|
;1 = Overwrite Events As Specified by Retention Days Entry
|
|
;2 = Never Overwrite Events (Clear Log Manually)
|
|
|
|
[System Log]
|
|
@@:@3:MaximumLogSize = 512
|
|
@@:@6:MaximumLogSize = 2048
|
|
AuditLogRetentionPeriod = 1
|
|
RetentionDays = 7
|
|
RestrictGuestAccess = 1
|
|
|
|
[Security Log]
|
|
MaximumLogSize = 512
|
|
AuditLogRetentionPeriod = 1
|
|
RetentionDays = 7
|
|
RestrictGuestAccess = 1
|
|
|
|
[Application Log]
|
|
MaximumLogSize = 512
|
|
AuditLogRetentionPeriod = 1
|
|
RetentionDays = 7
|
|
RestrictGuestAccess = 1
|
|
|
|
;----------------------------------------------------------------
|
|
;Local Policies - Audit Policy
|
|
;----------------------------------------------------------------
|
|
|
|
[Event Audit]
|
|
|
|
;Auditing is Off by Default
|
|
AuditAccountLogon = 0
|
|
AuditAccountManage = 0
|
|
AuditSystemEvents = 0
|
|
AuditLogonEvents = 0
|
|
AuditObjectAccess = 0
|
|
AuditPrivilegeUse = 0
|
|
AuditPolicyChange = 0
|
|
AuditProcessTracking = 0
|
|
;AuditDSAccess = 0
|
|
CrashOnAuditFull = 0
|
|
|
|
;----------------------------------------------------------------
|
|
;Registry Values
|
|
;----------------------------------------------------------------
|
|
[Registry Values]
|
|
; Registry value name in full path = Type, Value
|
|
; REG_SZ ( 1 )
|
|
; REG_EXPAND_SZ ( 2 ) // with environment variables to expand
|
|
; REG_BINARY ( 3 )
|
|
; REG_DWORD ( 4 )
|
|
; REG_MULTI_SZ ( 7 )
|
|
|
|
MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects=4,0
|
|
MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail=4,0
|
|
MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds=4,0
|
|
MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,0
|
|
MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest=4,0
|
|
MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy=4,0
|
|
MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing=3,0
|
|
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
|
|
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,0
|
|
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec=4,0
|
|
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec=4,0
|
|
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,0
|
|
MACHINE\System\CurrentControlSet\Control\Lsa\NoDefaultAdminOwner=4,0
|
|
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
|
|
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,0
|
|
|
|
;Domain Controllers Only
|
|
;MACHINE\System\CurrentControlSet\Control\Lsa\SubmitControl=4,0
|
|
|
|
MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers=4,1
|
|
|
|
MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive=4,1
|
|
MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,0
|
|
MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode=4,1
|
|
|
|
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,0
|
|
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,0
|
|
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogOff=4,1
|
|
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect=4,15
|
|
|
|
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature=4,1
|
|
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature=4,0
|
|
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword=4,0
|
|
|
|
MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity=4,1
|
|
|
|
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange=4,0
|
|
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge=4,30
|
|
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel=4,1
|
|
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel=4,1
|
|
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal=4,1
|
|
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey=4,0
|
|
|
|
;Potential to take on different values during and after setup
|
|
;MACHINE\Software\Microsoft\Driver Signing\Policy=3,1
|
|
;MACHINE\Software\Microsoft\Non-Driver Signing\Policy=3,0
|
|
|
|
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,0
|
|
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,0
|
|
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption=1,""
|
|
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=7,""
|
|
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon=4,0
|
|
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UndockWithoutLogon=4,1
|
|
|
|
|
|
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel=4,0
|
|
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand=4,0
|
|
|
|
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms=1,0
|
|
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD=1,0
|
|
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies=1,0
|
|
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,10
|
|
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon=4,0
|
|
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning=4,14
|
|
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption=1,0
|
|
|
|
;----------------------------------------------------------------------
|
|
; Privileges & Rights
|
|
;----------------------------------------------------------------------
|
|
;
|
|
;World S-1-1-0
|
|
;
|
|
;NT Authority S-1-5
|
|
;TERMINAL_SERVER 13
|
|
;LOCAL_SERVICE 19
|
|
;NETWORK_SERVICE 20
|
|
;
|
|
;Built-In Domain SubAuthority = S-1-5-32
|
|
;ADMINISTRATORS 544
|
|
;USERS 545
|
|
;GUESTS 546
|
|
;POWER_USERS 547
|
|
;ACCOUNT_OPS 548
|
|
;SYSTEM_OPS 549
|
|
;PRINT_OPS 550
|
|
;BACKUP_OPS 551
|
|
;REPLICATOR 552
|
|
;RAS_SERVERS 553
|
|
;PREW2KCOMPACCESS 554
|
|
;REMOTE_DESKTOP_USERS 555
|
|
;NETWORK_CONFIGURATION_OPS 556
|
|
|
|
[Privilege Rights]
|
|
SeAssignPrimaryTokenPrivilege = *S-1-5-19, *S-1-5-20
|
|
SeAuditPrivilege = *S-1-5-19, *S-1-5-20
|
|
SeBackupPrivilege = *S-1-5-32-544, *S-1-5-32-551
|
|
SeBatchLogonRight =
|
|
SeChangeNotifyPrivilege = *S-1-5-32-544, *S-1-5-32-551, *S-1-5-32-547, *S-1-5-32-545, *S-1-1-0
|
|
SeCreatePagefilePrivilege = *S-1-5-32-544
|
|
SeCreatePermanentPrivilege =
|
|
SeCreateTokenPrivilege =
|
|
SeDebugPrivilege = *S-1-5-32-544
|
|
SeIncreaseBasePriorityPrivilege = *S-1-5-32-544
|
|
SeIncreaseQuotaPrivilege = *S-1-5-32-544, *S-1-5-19, *S-1-5-20
|
|
SeInteractiveLogonRight = *S-1-5-32-544, *S-1-5-32-551, *S-1-5-32-547, *S-1-5-32-545, %SceInfGuest%
|
|
SeLoadDriverPrivilege = *S-1-5-32-544
|
|
SeLockMemoryPrivilege =
|
|
SeMachineAccountPrivilege =
|
|
SeManageVolumePrivilege = *S-1-5-32-544
|
|
SeNetworkLogonRight = *S-1-5-32-544, *S-1-5-32-551, *S-1-5-32-547, *S-1-5-32-545, *S-1-1-0
|
|
SeProfileSingleProcessPrivilege = *S-1-5-32-544, *S-1-5-32-547
|
|
SeRemoteInteractiveLogonRight = *S-1-5-32-544, *S-1-5-32-555
|
|
SeRemoteShutdownPrivilege = *S-1-5-32-544
|
|
SeRestorePrivilege = *S-1-5-32-544, *S-1-5-32-551
|
|
SeSecurityPrivilege = *S-1-5-32-544
|
|
SeServiceLogonRight =
|
|
SeShutdownPrivilege = *S-1-5-32-544, *S-1-5-32-551, *S-1-5-32-547
|
|
SeSystemEnvironmentPrivilege = *S-1-5-32-544
|
|
SeSystemProfilePrivilege = *S-1-5-32-544
|
|
SeSystemTimePrivilege = *S-1-5-32-544, *S-1-5-32-547
|
|
SeTakeOwnershipPrivilege = *S-1-5-32-544
|
|
SeTcbPrivilege =
|
|
;
|
|
SeDenyInteractiveLogonRight =
|
|
SeDenyBatchLogonRight =
|
|
SeDenyServiceLogonRight =
|
|
SeDenyNetworkLogonRight =
|
|
SeDenyRemoteInteractiveLogonRight =
|
|
;
|
|
SeUndockPrivilege = *S-1-5-32-544, *S-1-5-32-547, *S-1-5-32-545
|
|
SeSyncAgentPrivilege =
|
|
SeEnableDelegationPrivilege =
|
|
|
|
|
|
[Group Membership]
|
|
%SceInfUsers%__Memberof =
|
|
%SceInfUsers%__Members = %SceInfAuthUsers%,%SceInfInteractive%
|
|
|
|
[Service General Setting]
|
|
;Note - SCECLI is hooked so that startup mode is not configured during setup or dcpromo
|
|
;autostarted on workstations and servers, standalone or joined
|
|
Browser,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
|
|
Dhcp,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRRC;;;NO)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
|
|
TrkWks,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
|
|
Dnscache,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRRC;;;NO)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
|
|
Eventlog,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
|
|
PolicyAgent,2,"D:(A;;CCLCSWLORC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
|
|
dmserver,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
|
|
Messenger,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
|
|
PlugPlay,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
|
|
Spooler,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
|
|
ProtectedStorage,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
|
|
RpcSs,2,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLORC;;;PU)(A;;CCLCSWRPLO;;;IU)(A;;CCLCSWRPLO;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
|
|
NtmsSvc,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
|
|
seclogon,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
|
|
SamSs,2,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLORC;;;PU)(A;;CCLCSWRPLO;;;IU)(A;;CCLCSWRPLO;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
|
|
lanmanserver,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
|
|
SENS,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
|
|
Schedule,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
|
|
LmHosts,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
|
|
LanmanWorkstation,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
|
|
RemoteRegistry,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
|
|
|
|
;Not autostarted, but non-default DACL - Remove PU ability to change template
|
|
ClipSrv,3,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLORC;;;PU)(A;;CCLCSWRPLO;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
|
|
NetDDE,3,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLORC;;;PU)(A;;CCLCSWRPLO;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
|
|
NetDDEdsdm,3,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLORC;;;PU)(A;;CCLCSWRPLO;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
|
|
AppMgmt,3,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLORC;;;PU)(A;;CCLCSWRPLO;;;IU)(A;;CCLCSWRPLO;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
|
|
EventSystem,3,"D:(A;;CCLCSWRPLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLORC;;;PU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
|
|
|
|
;Not autostarted if machine is standalone
|
|
Netlogon,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
|
|
W32Time,2,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLORC;;;PU)(A;;CCLCSWRPLO;;;IU)(A;;CCLCSWRPLO;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
|
|
|
|
;Not autostarted if Wksta
|
|
Alerter,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
|
|
MSDTC,2,"D:(A;;CCLCSWRPLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLORC;;;NS)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
|
|
|
|
;Server Only Services
|
|
Dfs,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
|
|
LicenseService,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
|
|
SMTPSVC,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
|
|
|
|
;IIS Specific Services - Leave them alone
|
|
;IISADMIN,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
|
|
;W3SVC,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
|
|
;MSFTPSVC,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
|
|
|
|
|
|
[Registry Keys]
|
|
|
|
"MACHINE\Software",2,"D:P(A;CI;GR;;;BU)(A;CI;GRGWSD;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GRGWSD;;;S-1-5-13)"
|
|
|
|
;Not same as parent, and this is the target of a symlink - set explicitly.
|
|
"MACHINE\SOFTWARE\Classes",2,"D:P(A;CI;GR;;;BU)(A;CI;GRGWSD;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
|
|
"MACHINE\SOFTWARE\Classes\helpfile",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
|
|
"MACHINE\SOFTWARE\Classes\.hlp",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
|
|
|
|
"MACHINE\SOFTWARE\Microsoft\ADs\Providers\LDAP\Extensions",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
|
|
@@:@i:"MACHINE\SOFTWARE\Microsoft\ADs\Providers\NDS",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
|
|
@@:@i:"MACHINE\SOFTWARE\Microsoft\ADs\Providers\NWCOMPAT",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
|
|
"MACHINE\SOFTWARE\Microsoft\ADs\Providers\WinNT",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
|
|
|
|
"MACHINE\SOFTWARE\Microsoft\Command Processor",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
|
|
|
|
"MACHINE\SOFTWARE\Microsoft\Cryptography",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
|
|
"MACHINE\SOFTWARE\Microsoft\Cryptography\Calais",2,"D:AR(A;CI;GRGWSD;;;LS)"
|
|
|
|
"MACHINE\SOFTWARE\Microsoft\Driver Signing",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
|
|
"MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
|
|
"MACHINE\SOFTWARE\Microsoft\Non-Driver Signing",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
|
|
"MACHINE\SOFTWARE\Microsoft\NetDDE",2,"D:P(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
|
|
"MACHINE\SOFTWARE\Microsoft\Ole",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
|
|
"MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider",1,"D:AR"
|
|
"MACHINE\SOFTWARE\Microsoft\Rpc",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
|
|
"MACHINE\SOFTWARE\Microsoft\Secure",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
|
|
"MACHINE\SOFTWARE\Microsoft\SystemCertificates",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
|
|
|
|
"MACHINE\Software\Microsoft\Windows\CurrentVersion",2,"D:P(A;CI;GR;;;BU)(A;CI;GRGWSD;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
|
|
"MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
|
|
"MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
|
|
"MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
|
|
"MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
|
|
|
|
;The following keys need to be writable by TERMINAL_SERVER_USER for App-Compat
|
|
"MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths",2,"D:P(A;CI;GR;;;BU)(A;CI;GRGWSD;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GRGWSD;;;S-1-5-13)"
|
|
"MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace",2,"D:P(A;CI;GR;;;BU)(A;CI;GRGWSD;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GRGWSD;;;S-1-5-13)"
|
|
"MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks",2,"D:P(A;CI;GR;;;BU)(A;CI;GRGWSD;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GRGWSD;;;S-1-5-13)"
|
|
"MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs",2,"D:P(A;CI;GR;;;BU)(A;CI;GRGWSD;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GRGWSD;;;S-1-5-13)"
|
|
"MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",2,"D:P(A;CI;GR;;;BU)(A;CI;GRGWSD;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GRGWSD;;;S-1-5-13)"
|
|
|
|
;The following keys do not exist when we run.
|
|
"MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy",1,"D:AR"
|
|
"MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer",1,"D:AR"
|
|
"MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies",1,"D:AR"
|
|
"MACHINE\SOFTWARE\Microsoft\MSDTC",1,"D:AR"
|
|
|
|
"MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony",2,"D:P(A;CIOI;GR;;;BU)(A;CIOI;GRGWSD;;;PU)(A;CIOI;GA;;;NS)(A;CIOI;GA;;;LS)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
|
|
|
|
"MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
|
|
"MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AEDebug",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GRGWSD;;;S-1-5-13)"
|
|
"MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Asr\Commands",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
|
|
"MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Classes",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
|
|
"MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
|
|
"MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
|
|
"MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Font Drivers",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
|
|
"MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontMapper",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
|
|
"MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
|
|
"MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
|
|
"MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib",2,"D:P(A;CI;GR;;;IU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GR;;;NS)"
|
|
"MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\009",1,"D:AR"
|
|
"MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports",2,"D:P(A;CI;GR;;;BU)(A;CI;GRGWSD;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
|
|
"MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
|
|
"MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SecEdit",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
|
|
"MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
|
|
"MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
|
|
"MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
|
|
"MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
|
|
"MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
|
|
|
|
"MACHINE\SOFTWARE\Policies",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
|
|
|
|
|
|
"MACHINE\System",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
|
|
|
|
"MACHINE\SYSTEM\Clone",1,"D:AR"
|
|
|
|
"MACHINE\SYSTEM\ControlSet001",1,"D:AR"
|
|
"MACHINE\SYSTEM\ControlSet002",1,"D:AR"
|
|
"MACHINE\SYSTEM\ControlSet003",1,"D:AR"
|
|
"MACHINE\SYSTEM\ControlSet004",1,"D:AR"
|
|
"MACHINE\SYSTEM\ControlSet005",1,"D:AR"
|
|
"MACHINE\SYSTEM\ControlSet006",1,"D:AR"
|
|
"MACHINE\SYSTEM\ControlSet007",1,"D:AR"
|
|
"MACHINE\SYSTEM\ControlSet008",1,"D:AR"
|
|
"MACHINE\SYSTEM\ControlSet009",1,"D:AR"
|
|
"MACHINE\SYSTEM\ControlSet010",1,"D:AR"
|
|
|
|
"MACHINE\SYSTEM\CurrentControlSet\Control\Class",0,"D:AR"
|
|
|
|
"MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout",2,"D:(A;CI;GR;;;WD)"
|
|
"MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts",2,"D:(A;CI;GR;;;WD)"
|
|
"MACHINE\SYSTEM\CurrentControlSet\Control\Network",2,"D:(A;CI;GRGWSD;;;NO)"
|
|
"MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg",2,"D:P(A;CI;GA;;;BA)(A;;GR;;;BO)(A;CI;GR;;;LS)"
|
|
"MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Executive",2,"D:(A;CI;GRGWSD;;;PU)"
|
|
"MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation",2,"D:(A;CI;GRGWSD;;;PU)"
|
|
"MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Security",2,"D:P(A;CI;GR;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
|
|
|
|
;Set security subkey permissions for those services created via default hives
|
|
"MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
|
|
"MACHINE\SYSTEM\CurrentControlSet\Services\ClipSrv\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
|
|
"MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
|
|
"MACHINE\SYSTEM\CurrentControlSet\Services\ERSvc\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
|
|
"MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
|
|
@@:@6:"MACHINE\SYSTEM\CurrentControlSet\Services\IASJet\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
|
|
"MACHINE\SYSTEM\CurrentControlSet\Services\kdc\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
|
|
"MACHINE\SYSTEM\CurrentControlSet\Services\NetDDE\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
|
|
"MACHINE\SYSTEM\CurrentControlSet\Services\NetDDEdsdm\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
|
|
"MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
|
|
"MACHINE\SYSTEM\CurrentControlSet\Services\Samss\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
|
|
"MACHINE\SYSTEM\CurrentControlSet\Services\ScardDrv\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
|
|
"MACHINE\SYSTEM\CurrentControlSet\Services\SCardSvr\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
|
|
"MACHINE\SYSTEM\CurrentControlSet\Services\TapiSrv\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
|
|
"MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
|
|
|
|
;Set security subkey permissions for those services created in GUI-mode setup before SCE runs
|
|
"MACHINE\SYSTEM\CurrentControlSet\Services\IREnum\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
|
|
"MACHINE\SYSTEM\CurrentControlSet\Services\STISvc\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
|
|
"MACHINE\SYSTEM\CurrentControlSet\Services\WMI\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
|
|
|
|
"MACHINE\SYSTEM\CurrentControlSet\Services\SysmonLog\Log Queries",2,"D:(A;CI;GA;;;NS)"
|
|
|
|
"MACHINE\SYSTEM\CurrentControlSet\Enum",1,"D:AR"
|
|
|
|
"MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles",1,"D:AR"
|
|
|
|
"USERS\.DEFAULT",2,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
|
|
"USERS\.DEFAULT\Software\Microsoft\NetDDE",2,"D:P(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
|
|
"USERS\.DEFAULT\SOFTWARE\Microsoft\Protected Storage System Provider",1,"D:AR"
|
|
"USERS\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\ProtectedRoots",1,"D:AR"
|
|
|
|
[File Security]
|
|
|
|
;---------------------------------------------------------------------------------------
|
|
;x86 Boot Files
|
|
;---------------------------------------------------------------------------------------
|
|
@@:@i:"%BootDrive%\boot.ini",2,"D:P(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
|
|
@@:@i:"%BootDrive%\ntdetect.com",2,"D:P(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
|
|
@@:@i:"%BootDrive%\ntldr",2,"D:P(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
|
|
@@:@i:"%BootDrive%\ntbootdd.sys",2,"D:P(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
|
|
@@:@i:"%BootDrive%\autoexec.bat",2,"D:P(A;;GRGX;;;BU)(A;;GRGWGXSD;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
|
|
@@:@i:"%BootDrive%\config.sys",2,"D:P(A;;GRGX;;;BU)(A;;GRGWGXSD;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
|
|
|
|
;---------------------------------------------------------------------------------------
|
|
;amd64 Boot Files
|
|
;---------------------------------------------------------------------------------------
|
|
@@:@a:"%BootDrive%\boot.ini",2,"D:P(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
|
|
@@:@a:"%BootDrive%\ntdetect.com",2,"D:P(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
|
|
@@:@a:"%BootDrive%\ntldr",2,"D:P(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
|
|
|
|
;SetupSecurity will contain the new root acl. Ignore docs and settings if it's reapplied (e.g. on conversion from FAT)
|
|
"%SystemDrive%\Documents and Settings",1,"D:AR"
|
|
|
|
;---------------------------------------------------------------------------------------------
|
|
;ProgramFiles
|
|
;---------------------------------------------------------------------------------------------
|
|
"%SceInfProgramFiles%",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)(A;CIOI;GRGWGXSD;;;S-1-5-13)"
|
|
|
|
;---------------------------------------------------------------------------------------------
|
|
;System Root (Typically \WINDOWS)
|
|
;---------------------------------------------------------------------------------------------
|
|
"%SystemRoot%",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
|
|
|
|
;Directories that existed and inherited on NT4 out of the box.
|
|
;The text-mode files within these directories are individually secured below.
|
|
;Config, Cursors, Help, Media, Repair, System, Fonts, INF
|
|
|
|
;Directories that existed but did not inherit on NT4.
|
|
"%SystemRoot%\repair",2,"D:P(A;CI;GRGX;;;BU)(A;CIOI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
|
|
|
|
;Directories with a legacy history that now ship in the box.
|
|
;Allow Power User Modify on the directory, but Read Only to the files installed during setup.
|
|
"%SystemRoot%\addins",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
|
|
"%SystemRoot%\Connection Wizard",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
|
|
"%SystemRoot%\java",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
|
|
"%SystemRoot%\msagent",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
|
|
"%SystemRoot%\security",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
|
|
"%SystemRoot%\speech",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
|
|
"%SystemRoot%\TAPI",2,"D:P(A;CIOI;GR;;;BU)(A;CIOI;GRGWSD;;;PU)(A;CIOI;GA;;;NS)(A;CIOI;GA;;;LS)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
|
|
"%SystemRoot%\twain_32",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
|
|
"%SystemRoot%\Web",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
|
|
|
|
;Directories with a legacy history that no longer ship in the box
|
|
"%SystemRoot%\speech",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
|
|
|
|
;Directories with a legacy history being changed for security reasons
|
|
"%SystemRoot%\Debug\UserMode",2,"D:PAR(A;;0x00100023;;;BU)(A;OIIO;0x00100006;;;BU)(A;CIOI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)"
|
|
"%SystemRoot%\help",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)(A;CIOI;GRGWGX;;;S-1-5-13)"
|
|
"%SystemRoot%\Temp",2,"D:P(A;CI;0x100026;;;BU)(A;CIOI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
|
|
|
|
;Directories with no legacy to preserve. Power Users the same as Users
|
|
"%SystemRoot%\AppPatch",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
|
|
"%SystemRoot%\Driver Cache",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
|
|
"%SystemRoot%\mui",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
|
|
"%SystemRoot%\Resources",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
|
|
"%SystemRoot%\Security",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
|
|
"%SystemRoot%\WinSxS",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
|
|
|
|
;Directories that do not exist when security applied during clean-install - Creator specifies directory security.
|
|
;We explicitly ignore so as not to whack the component-specified DIRECTORY security on upgrade or reapplication of defaults.
|
|
"%SystemRoot%\CSC",1,"D:AR"
|
|
"%SystemRoot%\Installer",1,"D:AR"
|
|
"%SystemRoot%\Prefetch",1,"D:AR"
|
|
"%SystemRoot%\Profiles",1,"D:AR"
|
|
"%SystemRoot%\Registration",1,"D:AR"
|
|
"%SystemRoot%\Tasks",1,"D:AR"
|
|
|
|
;Directories that do not exist when security applied during setup - Creator does not specify directory security.
|
|
;Creator should specify FILE security in optional component INF that gets applied on clean-install AND upgrade.
|
|
;Omit (rather than ignore) to allow component-specified file security to be set on reapplication of defaults.
|
|
;Use MARTA (rather than omit) for any components that set protected run-time security.
|
|
;"%SystemRoot%\Downloaded Program Files",0,"D:AR"
|
|
;"%SystemRoot%\Offline Web Pages",0,"D:AR"
|
|
;"%SystemRoot%\IME",0,"D:AR"
|
|
;"%SystemRoot%\mww32",0,"D:AR"
|
|
;"%SystemRoot%\PCHEALTH",0,"D:AR"
|
|
;"%SystemRoot%\SchCache",0,"D:AR"
|
|
;"%SystemRoot%\srchasst",0,"D:AR"
|
|
|
|
;---------------------------------------------------------------------------------------------
|
|
;System Directory (Typically \Windows\System32)
|
|
;---------------------------------------------------------------------------------------------
|
|
|
|
"%SystemDirectory%",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
|
|
|
|
;Directories that existed and inherited on NT4 out of the box.
|
|
;The text-mode files within these directories are individually secured below.
|
|
;OS2, RAS, Spool, Viewers, WINS, Certsrv
|
|
|
|
;Directories that existed but did not inherit on NT4.
|
|
"%SystemDirectory%\config",2,"D:P(A;CI;GRGX;;;BU)(A;CI;GRGX;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
|
|
;Profile for system account - moved from Docs and Settings in Whistler. Creator specifies security.
|
|
"%SystemDirectory%\config\systemprofile",1,"D:P(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)"
|
|
"%SystemDirectory%\dhcp",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
|
|
"%SystemDirectory%\dllcache",2,"D:P(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
|
|
"%SystemDirectory%\drivers",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
|
|
|
|
;Directories with a legacy history that now ship in the box.
|
|
;Allow Power User Modify on the directory, but Read Only to the files installed during setup.
|
|
"%SystemDirectory%\ShellExt",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
|
|
"%SystemDirectory%\wbem",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
|
|
"%SystemDirectory%\wbem\mof",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGWGXSD;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
|
|
|
|
;Directories with a legacy history that no longer ship in the box
|
|
;
|
|
|
|
;Directories with a legacy history being changed for security reasons
|
|
"%SystemDirectory%\catroot",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
|
|
"%SystemDirectory%\catroot2",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
|
|
"%SystemDirectory%\ias",2,"D:P(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
|
|
|
|
;Directories with no legacy to preserve. Power Users the same as Users
|
|
"%SystemDirectory%\Export",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
|
|
"%SystemDirectory%\mui",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;PU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
|
|
|
|
;Directories that do not exist when security applied during clean-install - Creator specifies directory security.
|
|
;We explicitly ignore so as not to whack the component-specified DIRECTORY security on upgrade or reapplication of defaults.
|
|
"%SystemDirectory%\appmgmt",1,"D:AR"
|
|
"%SystemDirectory%\DTCLog",1,"D:AR"
|
|
"%SystemDirectory%\GroupPolicy",1,"D:AR"
|
|
"%SystemDirectory%\msdtc",1,"D:AR"
|
|
;BugBug - Licensing service should use the Network Service profile directory - Remove the following line after B2.
|
|
"%SystemDirectory%\LLS",1,"D:AR"
|
|
"%SystemDirectory%\CPL.CFG",1,"D:AR"
|
|
"%SystemDirectory%\NTMSData",1,"D:AR"
|
|
"%SystemDirectory%\ReinstallBackups",1,"D:AR"
|
|
"%SystemDirectory%\repl",1,"D:AR"
|
|
"%SystemDirectory%\Setup",1,"D:AR"
|
|
"%SystemDirectory%\spool\printers",1,"D:AR"
|
|
|
|
;Directories that do not exist when security applied during setup - Creator does not specify directory security.
|
|
;Creator should specify FILE security in optional component INF that gets applied on clean-install AND upgrade.
|
|
;Omit (rather than ignore) to allow component-specified file security to be set on reapplication of defaults.
|
|
;Use MARTA (rather than omit) for any components that set protected run-time security.
|
|
;"%SystemDirectory%\Cache",0,"D:AR"
|
|
;"%SystemDirectory%\clients",0,"D:AR"
|
|
;"%SystemDirectory%\Com",0,"D:AR"
|
|
;"%SystemDirectory%\inetsrv",0,"D:AR"
|
|
;"%SystemDirectory%\LogFiles",0,"D:AR"
|
|
;"%SystemDirectory%\Microsoft",0,"D:AR"
|
|
;"%SystemDirectory%\netmon",0,"D:AR"
|
|
;"%SystemDirectory%\npp",0,"D:AR"
|
|
;"%SystemDirectory%\oobe",0,"D:AR"
|
|
;"%SystemDirectory%\restore",0,"D:AR"
|
|
;"%SystemDirectory%\reminst",0,"D:AR"
|
|
;"%SystemDirectory%\rocket",0,"D:AR"
|
|
;"%SystemDirectory%\usmt",0,"D:AR"
|
|
|
|
;-----------------------------------------------------------------------------------------
|
|
;Individual File Settings.
|
|
;So that Power User Modify is not inherited from parent.
|
|
;-----------------------------------------------------------------------------------------
|
|
"%Systemroot%\*",2,"D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
|
|
Exception="win.ini"
|
|
"%Systemroot%\System\*",2,"D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
|
|
"%Systemroot%\Inf\*",2,"D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
|
|
Exception="msmail.inf"
|
|
"%Systemroot%\Help\*",2,"D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
|
|
"%Systemroot%\Fonts\*",2,"D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
|
|
"%Systemroot%\Config\*",2,"D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
|
|
"%Systemroot%\Media\*",2,"D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
|
|
"%Systemroot%\Cursors\*",2,"D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
|
|
"%Systemdirectory%\hal.dll",2,"D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
|
|
"%Systemdirectory%\spoolss.dll",2,"D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
|
|
"%Systemdirectory%\*",2,"D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
|
|
Exception="autoexec.nt"
|
|
Exception="cmos.ram"
|
|
Exception="config.nt"
|
|
Exception="hpmon.dll"
|
|
Exception="hpmon.hlp"
|
|
Exception="localmon.dll"
|
|
Exception="midimap.cfg"
|
|
"%Systemdirectory%\OS2\*",2,"D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
|
|
"%Systemdirectory%\OS2\DLL\*",2,"D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
|
|
"%Systemdirectory%\RAS\*",2,"D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
|
|
"%Systemdirectory%\Viewers\*",2,"D:P(A;;GRGX;;;BU)(A;;GRGX;;;PU)(A;;GA;;;BA)(A;;GA;;;SY)"
|