; Copyright (c) Microsoft Corporation. All rights reserved.
;
; Security Configuration Template for Security Configuration Editor
;
; Template Name: DefltWK.INF
; Template Version: 05.10.DW.0000
;
; Default Security for Vista
[Profile Description]
%SCEDefltWKProfileDescription%
[version]
signature="$CHICAGO$"
revision=1
DriverVer=06/21/2006,6.1.7600.16385
[System Access]
;----------------------------------------------------------------
;Account Policies - Password Policy
;----------------------------------------------------------------
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
RequireLogonToChangePassword = 0
ClearTextPassword = 0
LSAAnonymousNameLookup = 0
EnableGuestAccount = 0
EnableAdminAccount = 0
;----------------------------------------------------------------
;Account Policies - Lockout Policy
;----------------------------------------------------------------
LockoutBadCount = 0
;ResetLockoutCount = 30
;LockoutDuration = 30
;----------------------------------------------------------------
;Local Policies - Security Options
;----------------------------------------------------------------
;DC Only
;ForceLogoffWhenHourExpire = 0
;NewAdministatorName =
;NewGuestName =
;----------------------------------------------------------------
;Event Log - Log Settings
;----------------------------------------------------------------
;Audit Log Retention Period:
;0 = Overwrite Events As Needed
;1 = Overwrite Events As Specified by Retention Days Entry
;2 = Never Overwrite Events (Clear Log Manually)
[System Log]
MaximumLogSize = 20480
AuditLogRetentionPeriod = 0
;RetentionDays = 7
RestrictGuestAccess = 1
[Security Log]
MaximumLogSize = 20480
AuditLogRetentionPeriod = 0
;RetentionDays = 7
RestrictGuestAccess = 1
[Application Log]
MaximumLogSize = 20480
AuditLogRetentionPeriod = 0
;RetentionDays = 7
RestrictGuestAccess = 1
;----------------------------------------------------------------
;Registry Values
;----------------------------------------------------------------
[Registry Values]
; Registry value name in full path = Type, Value
; REG_SZ ( 1 )
; REG_EXPAND_SZ ( 2 ) // with environment variables to expand
; REG_BINARY ( 3 )
; REG_DWORD ( 4 )
; REG_MULTI_SZ ( 7 )
MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\Enabled=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing=3,0
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
;Domain Controllers Only
;MACHINE\System\CurrentControlSet\Control\Lsa\SubmitControl=4,0
MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers=4,0
MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive=4,1
MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,0
MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogOff=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect=4,15
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RestrictNullSessAccess=4,1
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature=4,0
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword=4,0
MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity=4,1
;Potential to take on different values during and after setup
;MACHINE\Software\Microsoft\Driver Signing\Policy=3,1
;MACHINE\Software\Microsoft\Non-Driver Signing\Policy=3,0
;MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption=1,""
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=7,""
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ScForceOption=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UndockWithoutLogon=4,1
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel=4,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand=4,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption=1,0
MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\AuthenticodeEnabled=4,0
; remove lsarpc, samr and netlogon from anonymously accessible pipes
MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\NullSessionPipes=8,Remove:,lsarpc,samr,netlogon
;----------------------------------------------------------------------
; Privileges & Rights
;----------------------------------------------------------------------
;
;World S-1-1-0
;
;NT Authority S-1-5
;LOCAL_SERVICE 19
;NETWORK_SERVICE 20
;
;Built-In Domain SubAuthority = S-1-5-32
;ADMINISTRATORS 544
;USERS 545
;GUESTS 546
;POWER_USERS (DEPRECATED)
;ACCOUNT_OPS 548
;SYSTEM_OPS 549
;PRINT_OPS 550
;BACKUP_OPS 551
;REPLICATOR 552
;RAS_SERVERS 553
;PREW2KCOMPACCESS 554
;REMOTE_DESKTOP_USERS 555
;NETWORK_CONFIGURATION_OPS 556
;LOGGING_USERS 559
;
;WdiServiceHost S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420
;ALL SERVICES S-1-5-80-0
[Privilege Rights]
SeAssignPrimaryTokenPrivilege = *S-1-5-19, *S-1-5-20
SeAuditPrivilege = *S-1-5-19, *S-1-5-20
SeBatchLogonRight = *S-1-5-32-544, *S-1-5-32-551, *S-1-5-32-559
SeBackupPrivilege = *S-1-5-32-544, *S-1-5-32-551
SeChangeNotifyPrivilege = *S-1-5-32-544, *S-1-5-32-551, *S-1-5-32-545, *S-1-1-0, *S-1-5-19, *S-1-5-20
SeCreateGlobalPrivilege = *S-1-5-6, *S-1-5-32-544, *S-1-5-19, *S-1-5-20
SeCreatePagefilePrivilege = *S-1-5-32-544
SeCreatePermanentPrivilege =
SeCreateSymbolicLinkPrivilege = *S-1-5-32-544
SeCreateTokenPrivilege =
SeDebugPrivilege = *S-1-5-32-544
SeImpersonatePrivilege = *S-1-5-6, *S-1-5-32-544, *S-1-5-19, *S-1-5-20
SeIncreaseBasePriorityPrivilege = *S-1-5-32-544
SeIncreaseQuotaPrivilege = *S-1-5-32-544, *S-1-5-19, *S-1-5-20
SeIncreaseWorkingSetPrivilege = *S-1-5-32-545
SeInteractiveLogonRight = *S-1-5-32-544, *S-1-5-32-551, *S-1-5-32-545, &-501
SeLoadDriverPrivilege = *S-1-5-32-544
SeLockMemoryPrivilege =
SeMachineAccountPrivilege =
SeManageVolumePrivilege = *S-1-5-32-544
SeNetworkLogonRight = *S-1-5-32-544, *S-1-5-32-551, *S-1-5-32-545, *S-1-1-0
SeProfileSingleProcessPrivilege = *S-1-5-32-544
SeRemoteInteractiveLogonRight = *S-1-5-32-544, *S-1-5-32-555
SeRemoteShutdownPrivilege = *S-1-5-32-544
SeRestorePrivilege = *S-1-5-32-544, *S-1-5-32-551
SeSecurityPrivilege = *S-1-5-32-544
SeServiceLogonRight = *S-1-5-80-0
SeShutdownPrivilege = *S-1-5-32-544, *S-1-5-32-551, *S-1-5-32-545
SeSystemEnvironmentPrivilege = *S-1-5-32-544
SeSystemProfilePrivilege = *S-1-5-32-544, *S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420
SeSystemTimePrivilege = *S-1-5-32-544, *S-1-5-19
SeTakeOwnershipPrivilege = *S-1-5-32-544
SeTcbPrivilege =
SeTimeZonePrivilege = *S-1-5-32-544, *S-1-5-19, *S-1-5-32-545
;
SeDenyInteractiveLogonRight = &-501
SeDenyBatchLogonRight =
SeDenyServiceLogonRight =
SeDenyNetworkLogonRight = &-501
SeDenyRemoteInteractiveLogonRight =
;
SeUndockPrivilege = *S-1-5-32-544, *S-1-5-32-545
SeSyncAgentPrivilege =
SeEnableDelegationPrivilege =
[Group Membership]
*S-1-5-32-545__Memberof =
*S-1-5-32-545__Members = *S-1-5-11,*S-1-5-4
[Service General Setting]
;Note: startup type should not be configured during setup\dcpromo.
Browser,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
;TrkWks,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
;Dnscache,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;NO)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
;PolicyAgent,,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
dmserver,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
;PlugPlay,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
;Spooler,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
;ProtectedStorage,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
;RpcSs,,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLO;;;IU)(A;;CCLCSWRPLO;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
NtmsSvc,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
;seclogon,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
SamSs,,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLO;;;IU)(A;;CCLCSWLO;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
;lanmanserver,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
;SENS,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
;Schedule,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
Sysmonlog,,"D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCRPLOCR;;;LU)S:AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
;LmHosts,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
;LanmanWorkstation,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
;RemoteRegistry,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
ClipSrv,,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLO;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
NetDDE,,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLO;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
NetDDEdsdm,,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLO;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
;EventSystem,,"D:(A;;CCLCSWRPLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
;Not autostarted if machine is standalone
;Netlogon,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
;W32Time,,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLO;;;IU)(A;;CCLCSWRPLO;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
;Server Only Services
;Dfs,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
;LicenseService,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
;IIS Specific Services - Leave them alone
;IISADMIN,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
;W3SVC,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
;MSFTPSVC,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
;SMTPSVC,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
[Registry Keys]
"MACHINE\Software",0,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
"MACHINE\SOFTWARE\Classes",0,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
"MACHINE\SOFTWARE\Classes\.hlp",2,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
"MACHINE\SOFTWARE\MICROSOFT\DRM",0,"D:P(D;CIOI;GA;;;BG)(D;CIOI;GA;;;LG)(A;;0x1e01ff;;;WD)(A;OICIIO;GA;;;WD)(A;;GA;;;SY)S:(ML;;0x1;;;LW)"
;The following keys do not exist when we run
"MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy",1,"D:AR"
"MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies",1,"D:AR"
"MACHINE\System",0,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
"MACHINE\SYSTEM\Clone",1,"D:AR"
"MACHINE\SYSTEM\ControlSet001",1,"D:AR"
"MACHINE\SYSTEM\ControlSet002",1,"D:AR"
"MACHINE\SYSTEM\ControlSet003",1,"D:AR"
"MACHINE\SYSTEM\ControlSet004",1,"D:AR"
"MACHINE\SYSTEM\ControlSet005",1,"D:AR"
"MACHINE\SYSTEM\ControlSet006",1,"D:AR"
"MACHINE\SYSTEM\ControlSet007",1,"D:AR"
"MACHINE\SYSTEM\ControlSet008",1,"D:AR"
"MACHINE\SYSTEM\ControlSet009",1,"D:AR"
"MACHINE\SYSTEM\ControlSet010",1,"D:AR"
"MACHINE\SYSTEM\CurrentControlSet\Control\Class",0,"D:AR"
"MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts",2,"D:(A;CI;GR;;;WD)"
"MACHINE\SYSTEM\CurrentControlSet\Control\LSA\JD",2,"D:P(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
"MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Skew1",2,"D:P(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
"MACHINE\SYSTEM\CurrentControlSet\Control\LSA\GBG",2,"D:P(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
"MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Data",2,"D:P(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
"MACHINE\SYSTEM\CurrentControlSet\Control\Nsi",2,"D:P(A;CI;KR;;;BU)(A;CI;KA;;;BA)(A;CI;KA;;;SY)(A;CI;CCDCLCSWRPWPSDRC;;;NS)(A;CI;CCDCLCSWRPWPSDRC;;;LS)(A;CI;CCDCLCSWRPSDRC;;;NO)(A;CI;CCDCLCSWRPWPSDRC;;;S-1-5-80-2940520708-3855866260-481812779-327648279-1710889582)(A;CIIO;RC;;;S-1-3-4)"
"MACHINE\SYSTEM\CurrentControlSet\Control\Nsi\{eb004a00-9b1a-11d4-9123-0050047759bc}\4",2,"D:P(A;CI;CCDCLCSWRPRC;;;AU)(A;CI;CCDCLCSWRPWPSDRC;;;LS)(A;CI;CCDCLCSWRPWPSDRC;;;NS)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CIIO;RC;;;S-1-3-4)"
"MACHINE\SYSTEM\CurrentControlSet\Control\Nsi\{eb004a01-9b1a-11d4-9123-0050047759bc}\4",2,"D:P(A;CI;CCDCLCSWRPRC;;;AU)(A;CI;CCDCLCSWRPWPSDRC;;;LS)(A;CI;CCDCLCSWRPWPSDRC;;;NS)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CIIO;RC;;;S-1-3-4)"
"MACHINE\SYSTEM\CurrentControlSet\Control\Nsi\{eb004a1C-9b1a-11d4-9123-0050047759bc}\0",2,"D:P(A;CI;CCDCLCSWRPRC;;;AU)(A;CI;CCDCLCSWRPWPSDRC;;;LS)(A;CI;CCDCLCSWRPWPSDRC;;;NS)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CIIO;RC;;;S-1-3-4)"
"MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Security",2,"D:P(A;CI;GR;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CIOI;GA;;;S-1-5-80-880578595-1860270145-482643319-2788375705-1540778122)"
;Set security subkey permissions for those services created via default hives
"MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
"MACHINE\SYSTEM\CurrentControlSet\Services\SCardSvr\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
;Set security subkey permissions for those services created in GUI-mode setup before SCE runs
"MACHINE\SYSTEM\CurrentControlSet\Services\STISvc\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
"MACHINE\SYSTEM\CurrentControlSet\Services\SysmonLog\Log Queries",2,"D:(A;CI;GA;;;NS)(A;CI;CCDCLCSWSDRC;;;LU)"
"MACHINE\SYSTEM\CurrentControlSet\Enum",1,"D:AR"
"MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles",1,"D:AR"
"USERS\.DEFAULT",2,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
"USERS\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\ProtectedRoots",1,"D:AR"
[File Security]
;---------------------------------------------------------------------------------------------
;ProgramFiles
;---------------------------------------------------------------------------------------------
;Need to use the SceInfProgramFiles environment var to handle the Win9x upgrade case which is treated like clean-install
;"%SystemDrive%\%SCEInfProgramFiles%",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
"%SceInfCommonProgramFiles%\SpeechEngines\Microsoft\TTS",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
;---------------------------------------------------------------------------------------------
;Win64 ProgramFiles Directory
;---------------------------------------------------------------------------------------------
;@6:"%SceInfProgramFilesx86%",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
;---------------------------------------------------------------------------------------------
; ProgramData Folder (Typically \ProgramData)
;---------------------------------------------------------------------------------------------
"%PROGRAMDATA%\Microsoft\Windows\DRM",0,"D:P(D;CIOI;GA;;;BG)(D;CIOI;GA;;;LG)(A;;0x1e01ff;;;WD)(A;OICIIO;GA;;;WD)(A;;GA;;;SY)S:(ML;;0x1;;;LW)"
"%PROGRAMDATA%\Microsoft\Windows\DRM\Cache",0,"D:P(D;CIOI;GA;;;BG)(D;CIOI;GA;;;LG)(A;;0x1e01ff;;;WD)(A;OICIIO;GA;;;WD)(A;;GA;;;SY)S:(ML;;0x1;;;LW)"
;---------------------------------------------------------------------------------------------
;System Root (Typically \WINDOWS)
;---------------------------------------------------------------------------------------------
;"%SystemRoot%",0,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
;---------------------------------------------------------------------------------------------
;System Directory (Typically \Windows\System32)
;---------------------------------------------------------------------------------------------
;"%SystemDirectory%",0,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
;"%SystemDirectory%\config\systemprofile",1,"D:P(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)"
;Directories with no legacy to preserve. Different from parent.
;Directories that do not exist when security applied during clean-install - Creator specifies directory security.
;We explicitly ignore so as not to whack the component-specified DIRECTORY security on upgrade or reapplication of defaults.
"%SystemDirectory%\appmgmt",1,"D:AR"
; Directories that might not exist when security is applied; but are listed here
; so that they get secured correctly on converting the file system to NTFS
"%SystemDirectory%\Windows media",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGWGXSD;;;NS)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
;-----------------------------------------------------------------------------------------
; SysWOW64 directories
;-----------------------------------------------------------------------------------------
"%Systemroot%\SysWOW64\Export",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
"%Systemroot%\SysWOW64\ias",2,"D:P(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
;-----------------------------------------------------------------------------------------
;Individual File Settings.
;-----------------------------------------------------------------------------------------
"%Systemroot%\repair\default",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
"%Systemroot%\repair\ntuser.dat",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
"%Systemroot%\repair\sam",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
"%Systemroot%\repair\security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
"%Systemroot%\repair\software",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
"%Systemroot%\repair\system",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
[Strings]
SceInfAdministrator = "Administrator"
SceInfAcountOp = "Account Operators"
SceInfAuthUsers = "Authenticated Users"
SceInfInteractive = "INTERACTIVE"
SceInfDomainAdmins = "Domain Admins"
SceInfDomainGuests = "Domain Guests"
SceInfDomainUsers = "Domain Users"
SceInfEveryone = "Everyone"
SceInfGuests = "Guests"
SceInfGuest = "Guest"
SceInfUsers = "Users"
SceInfLocalService = "Local Service"
SceInfNetworkService = "Network Service"
SceInfRemoteDesktopUsers = "Remote Desktop Users"
SceInfProgramFiles = "%ProgramFiles%"
SceInfProgramFilesx86 = "%ProgramFiles(x86)%"
SceInfCommonProgramFiles = "%CommonProgramFiles%"
SCEInfSysdir1 = "edit.com"
SCEInfSysdir2 = "edit.hlp"
SCEInfHelp1 = "signin.hlp"