; (c) Microsoft Corporation 1997-2000 ; ; Security Configuration Template for Security Configuration Editor ; ; Template Name: SCERegVl.INF ; Template Version: 05.00.DR.0000 ; ; Revision History ; 0000 - Original [version] signature="$CHICAGO$" DriverVer=07/01/2001,5.1.2600.0 [Register Registry Values] ; ; Syntax: RegPath,RegType,DisplayName,DisplayType,Options ; where ; RegPath: Includes the registry keypath and value ; RegType: 1 - REG_SZ, 2 - REG_EXPAND_SZ, 3 - REG_BINARY, 4 - REG_DWORD, 7 - REG_MULTI_SZ ; Display Name: Is a localizable string defined in the [strings] section ; Display type: 0 - boolean, 1 - Number, 2 - String, 3 - Choices, 4 - Multivalued, 5 - Bitmask ; Options: If Displaytype is 3 (Choices) or 5 (Bitmask), then specify the range of values and corresponding display strings ; in value|displaystring format separated by a comma. MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects,4,%AuditBaseObjects%,0 MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail,4,%CrashOnAuditFail%,0 MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds,4,%DisableDomainCreds%,0 MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous,4,%EveryoneIncludesAnonymous%,0 MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest,4,%ForceGuest%,3,0|%Classic%,1|%GuestBased% MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing,3,%FullPrivilegeAuditing%,0 MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse,4,%LimitBlankPasswordUse%,0 MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel,4,%LmCompatibilityLevel%,3,0|%LMCLevel0%,1|%LMCLevel1%,2|%LMCLevel2%,3|%LMCLevel3%,4|%LMCLevel4%,5|%LMCLevel5% MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec,4,%NTLMMinClientSec%,5,16|%NTLMIntegrity%,32|%NTLMConfidentiality%,524288|%NTLMv2Session%,536870912|%NTLM128% MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec,4,%NTLMMinServerSec%,5,16|%NTLMIntegrity%,32|%NTLMConfidentiality%,524288|%NTLMv2Session%,536870912|%NTLM128% MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash,4,%NoLMHash%,0 MACHINE\System\CurrentControlSet\Control\Lsa\NoDefaultAdminOwner,4,%NoDefaultAdminOwner%,3,0|%DefaultOwner0%,1|%DefaultOwner1% MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous,4,%RestrictAnonymous%,0 MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM,4,%RestrictAnonymousSAM%,0 MACHINE\System\CurrentControlSet\Control\Lsa\SubmitControl,4,%SubmitControl%,0 MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy,4,%FIPS%,0 MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers,4,%AddPrintDrivers%,0 MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine,7,%AllowedPaths%,4 MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive,4,%ObCaseInsensitive%,0 MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown,4,%ClearPageFileAtShutdown%,0 MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode,4,%ProtectionMode%,0 MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature,4,%EnableSMBSignServer%,0 MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature,4,%RequireSMBSignServer%,0 MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogOff,4,%EnableForcedLogoff%,0 MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect,4,%AutoDisconnect%,1,%Unit-Minutes% MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes,7,%NullPipes%,4 MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares,7,%NullShares%,4 MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature,4,%EnableSMBSignRDR%,0 MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature,4,%RequireSMBSignRDR%,0 MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword,4,%EnablePlainTextPassword%,0 MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity,4,%LDAPClientIntegrity%,3,0|%LDAPClient0%,1|%LDAPClient1%,2|%LDAPClient2% MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange,4,%DisablePWChange%,0 MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge,4,%MaximumPWAge%,1,%Unit-Days% MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RefusePasswordChange,4,%RefusePWChange%,0 MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel,4,%SignSecureChannel%,0 MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel,4,%SealSecureChannel%,0 MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal,4,%SignOrSeal%,0 MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey,4,%StrongKey%,0 MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity,4,%LDAPServerIntegrity%,3,1|%LDAPServer1%,2|%LDAPServer2% MACHINE\Software\Microsoft\Driver Signing\Policy,3,%DriverSigning%,3,0|%DriverSigning0%,1|%DriverSigning1%,2|%DriverSigning2% MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD,4,%DisableCAD%,0 MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName,4,%DontDisplayLastUserName%,0 MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption,1,%LegalNoticeCaption%,2 MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText,7,%LegalNoticeText%,4 MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon,4,%ShutdownWithoutLogon%,0 MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UndockWithoutLogon,4,%UndockWithoutLogon%,0 MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel,4,%RCAdmin%,0 MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand,4,%RCSet%,0 MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms,1,%AllocateCDRoms%,0 MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD,1,%AllocateDASD%,3,0|%AllocateDASD0%,1|%AllocateDASD1%,2|%AllocateDASD2% MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies,1,%AllocateFloppies%,0 MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount,1,%CachedLogonsCount%,1,%Unit-Logons% MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon,4,%ForceUnlockLogon%,0 MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning,4,%PasswordExpiryWarning%,1,%Unit-Days% MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption,1,%ScRemove%,3,0|%ScRemove0%,1|%ScRemove1%,2|%ScRemove2% ;***** ADDED for NSA security templates MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon,1,%AutoAdmin%,0 MACHINE\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode,4,%SafeDll%,0 ;***** ADDED for NSA security templates ; delete these values from the UI - Rdr in case NT4 w SCE MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DisableCAD MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ShutdownWithoutLogon MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CmdConsSecurityLevel MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\AddPrintDrivers MACHINE\System\CurrentControlSet\Services\MRxSMB\Parameters\EnableSecuritySignature MACHINE\System\CurrentControlSet\Services\MRxSMB\Parameters\RequireSecuritySignature MACHINE\System\CurrentControlSet\Services\MRxSMB\Parameters\EnablePlainTextPassword MACHINE\System\CurrentControlSet\Services\Rdr\Parameters\EnableSecuritySignature MACHINE\System\CurrentControlSet\Services\Rdr\Parameters\RequireSecuritySignature MACHINE\System\CurrentControlSet\Services\Rdr\Parameters\EnablePlainTextPassword MACHINE\Software\Microsoft\Windows\CurrentVersion\NetCache\EncryptEntireCache MACHINE\Software\Microsoft\Windows NT\CurrentVersion\EFS\AlgorithmID MACHINE\Software\Microsoft\Non-Driver Signing\Policy [Strings] ;================================ Accounts ============================================================================ ;Specified in UI code - Accounts: Administrator account status ;Specified in UI code - Accounts: Guest account status ;Specified in UI code - Accounts: Rename administrator account ;Specified in UI code - Accounts: Rename guest account LimitBlankPasswordUse = "Accounts: Limit local account use of blank passwords to console logon only" ;================================ Audit =============================================================================== AuditBaseObjects="Audit: Audit the access of global system objects" FullPrivilegeAuditing="Audit: Audit the use of Backup and Restore privilege" CrashOnAuditFail="Audit: Shut down system immediately if unable to log security audits" ;================================ Devices ============================================================================= AllocateDASD="Devices: Allowed to format and eject removable media" AllocateDASD0="Administrators" AllocateDASD1="Administrators and Power Users" AllocateDASD2="Administrators and Interactive Users" AddPrintDrivers="Devices: Prevent users from installing printer drivers" AllocateCDRoms="Devices: Restrict CD-ROM access to locally logged-on user only" AllocateFloppies="Devices: Restrict floppy access to locally logged-on user only" DriverSigning="Devices: Unsigned driver installation behavior" DriverSigning0="Silently succeed " DriverSigning1="Warn but allow installation" DriverSigning2="Do not allow installation" UndockWithoutLogon="Devices: Allow undock without having to log on" ;================================ Domain controller ==================================================================== SubmitControl="Domain controller: Allow server operators to schedule tasks" RefusePWChange="Domain controller: Refuse machine account password changes" LDAPServerIntegrity = "Domain controller: LDAP server signing requirements" LDAPServer1 = "None" LDAPServer2 = "Require signing" ;================================ Domain member ======================================================================== DisablePWChange="Domain member: Disable machine account password changes" MaximumPWAge="Domain member: Maximum machine account password age" SignOrSeal="Domain member: Digitally encrypt or sign secure channel data (always)" SealSecureChannel="Domain member: Digitally encrypt secure channel data (when possible)" SignSecureChannel="Domain member: Digitally sign secure channel data (when possible)" StrongKey="Domain member: Require strong (Windows 2000 or later) session key" ;================================ Interactive logon ==================================================================== DisableCAD = "Interactive logon: Do not require CTRL+ALT+DEL" DontDisplayLastUserName = "Interactive logon: Do not display last user name" LegalNoticeText = "Interactive logon: Message text for users attempting to log on" LegalNoticeCaption = "Interactive logon: Message title for users attempting to log on" CachedLogonsCount = "Interactive logon: Number of previous logons to cache (in case domain controller is not available)" PasswordExpiryWarning = "Interactive logon: Prompt user to change password before expiration" ForceUnlockLogon = "Interactive logon: Require Domain Controller authentication to unlock workstation" ScRemove = "Interactive logon: Smart card removal behavior" ScRemove0 = "No Action" ScRemove1 = "Lock Workstation" ScRemove2 = "Force Logoff" ;***** ADDED for NSA security templates AutoAdmin = "Interactive Logon: Allow Automatic Administrator Logon" ;***** ADDED for NSA security templates ;================================ Microsoft network client ============================================================= RequireSMBSignRdr="Microsoft network client: Digitally sign communications (always)" EnableSMBSignRdr="Microsoft network client: Digitally sign communications (if server agrees)" EnablePlainTextPassword="Microsoft network client: Send unencrypted password to third-party SMB servers" ;================================ Microsoft network server ============================================================= AutoDisconnect="Microsoft network server: Amount of idle time required before suspending session" RequireSMBSignServer="Microsoft network server: Digitally sign communications (always)" EnableSMBSignServer="Microsoft network server: Digitally sign communications (if client agrees)" EnableForcedLogoff="Microsoft network server: Disconnect clients when logon hours expire" ;================================ Network access ======================================================================= ;Specified in UI code - Network access: Allow anonymous SID/Name translation DisableDomainCreds = "Network access: Do not allow storage of credentials or .NET Passports for network authentication" RestrictAnonymousSAM = "Network access: Do not allow anonymous enumeration of SAM accounts" RestrictAnonymous = "Network access: Do not allow anonymous enumeration of SAM accounts and shares" EveryoneIncludesAnonymous = "Network access: Let Everyone permissions apply to anonymous users" NullPipes = "Network access: Named Pipes that can be accessed anonymously" NullShares = "Network access: Shares that can be accessed anonymously" AllowedPaths = "Network access: Remotely accessible registry paths" ForceGuest = "Network access: Sharing and security model for local accounts" Classic = "Classic - local users authenticate as themselves" GuestBased = "Guest only - local users authenticate as Guest" ;================================ Network security ===================================================================== ;Specified in UI code - Network security: Enforce logon hour restrictions NoLMHash = "Network security: Do not store LAN Manager hash value on next password change" LmCompatibilityLevel = "Network security: LAN Manager authentication level" LMCLevel0 = "Send LM & NTLM responses" LMCLevel1 = "Send LM & NTLM - use NTLMv2 session security if negotiated" LMCLevel2 = "Send NTLM response only" LMCLevel3 = "Send NTLMv2 response only" LMCLevel4 = "Send NTLMv2 response only\refuse LM" LMCLevel5 = "Send NTLMv2 response only\refuse LM & NTLM" NTLMMinClientSec = "Network security: Minimum session security for NTLM SSP based (including secure RPC) clients" NTLMMinServerSec = "Network security: Minimum session security for NTLM SSP based (including secure RPC) servers" NTLMIntegrity = "Require message integrity" NTLMConfidentiality = "Require message confidentiality" NTLMv2Session = "Require NTLMv2 session security" NTLM128 = "Require 128-bit encryption" LDAPClientIntegrity = "Network security: LDAP client signing requirements" LDAPClient0 = "None" LDAPClient1 = "Negotiate signing" LDAPClient2 = "Require signing" ;================================ Recovery console ==================================================================== RCAdmin="Recovery console: Allow automatic administrative logon" RCSet="Recovery console: Allow floppy copy and access to all drives and all folders" ;================================ Shutdown ============================================================================ ShutdownWithoutLogon="Shutdown: Allow system to be shut down without having to log on" ClearPageFileAtShutdown="Shutdown: Clear virtual memory pagefile" ;================================ System Objects ============================================================================ ProtectionMode = "System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)" NoDefaultAdminOwner = "System objects: Default owner for objects created by members of the Administrators group" DefaultOwner0 = "Administrators group" DefaultOwner1 = "Object creator" ObCaseInsensitive = "System objects: Require case insensitivity for non-Windows subsystems" ;***** ADDED for NSA security templates SafeDll = "System objects: Set safe search path for DLLs" ;***** ADDED for NSA security templates ;================================ System cryptography ================================================================= FIPS="System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" Unit-Logons="logons" Unit-Days="days" Unit-Minutes="minutes"