; (c) Microsoft Corporation 1997-2000
;
; Security Configuration Template for Security Configuration Editor
;
; Template Name: SCERegVl.INF
; Template Version: 05.00.DR.0000
;
; Revision History
; 0000 - Original
; April 2001 - SNAC version 1.01
;
; Purpose: this INF registers registry values with the Security Configuration
; Editor (section [Register Registry Values]) together with a localizable
; display name and a display type, so the editor can present them as settings.
; Display text is referenced as %Name% and resolved from the [Strings] section.
; NOTE(review): the entries here describe how values are displayed; nothing in
; this file states a value to apply to the system.

[version]
signature="$CHICAGO$"
DriverVer=11/14/1999,5.00.2183.1

[Register Registry Values]
;
; First field: Full Path to Registry Value
; Second field: value type
;
; REG_SZ ( 1 )
;
; REG_EXPAND_SZ ( 2 ) \\ with environment variables to expand
;
; REG_BINARY ( 3 )
;
; REG_DWORD ( 4 )
;
; REG_MULTI_SZ ( 7 )
; third field: Display Name (localizable string),
; fourth field: Display type 0 - boolean, 1 - number, 2 - string, 3 - choices
;
; Line layout used below:
;   <registry path>,<value type>,<%DisplayName%>,<display type>[,<extra>]
; For display type 3 (choices) the extra fields are "<value>|<%Label%>" pairs;
; for display type 1 (number) an optional %Unit-*% string may follow
; (AutoDisconnect, CachedLogonsCount, PasswordExpiryWarning give one;
; WarningLevel, TcpMaxHalfOpen, TcpMaxHalfOpenRetired do not).
; NOTE(review): several entries pair a REG_SZ (1) or REG_BINARY (3) value type
; with a boolean or choices display type (FullPrivilegeAuditing, AllocateCDRoms,
; AllocateDASD, AllocateFloppies, ScRemoveOption, Driver Signing\Policy,
; Non-Driver Signing\Policy); the conversion between stored bytes and the
; displayed boolean/choice is not described in this file - confirm against the
; editor's handling before relying on it.

; --- LSA: auditing, anonymous access, LAN Manager authentication level ---
MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects,4,%AuditBaseObjects%,0
MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail,4,%CrashOnAuditFail%,0
MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing,3,%FullPrivilegeAuditing%,0
; Choice labels (see [Strings]) run from 0 "Send LM & NTLM responses" to
; 5 "Send NTLMv2 response only\refuse LM & NTLM".
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel,4,%LmCompatibilityLevel%,3,0|%LMCLevel0%,1|%LMCLevel1%,2|%LMCLevel2%,3|%LMCLevel3%,4|%LMCLevel4%,5|%LMCLevel5%
; Choice labels: 0 rely on defaults, 1 no enumeration of SAM accounts and
; shares, 2 no access without explicit anonymous permissions.
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous,4,%RestrictAnonymous%,3,0|%RA0%,1|%RA1%,2|%RA2%
MACHINE\System\CurrentControlSet\Control\Lsa\SubmitControl,4,%SubmitControl%,0

; --- Printing, session manager ---
MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers,4,%AddPrintDrivers%,0
; NOTE(review): this line has a space before the display-type field
; ("%ClearPageFileAtShutdown%, 0"); no other entry does. Presumably harmless if
; the parser trims fields, but it is worth normalising to ",0" - verify.
MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown,4,%ClearPageFileAtShutdown%, 0
MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode,4,%ProtectionMode%,0

; --- SMB server (LanManServer) ---
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature,4,%EnableSMBSignServer%,0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature,4,%RequireSMBSignServer%,0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogOff,4,%EnableForcedLogoff%,0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect,4,%AutoDisconnect%,1,%Unit-Minutes%

; --- SMB client (LanmanWorkstation) ---
; NOTE(review): %EnableSMBSignRDR% / %RequireSMBSignRDR% are defined in
; [Strings] as EnableSMBSignRdr / RequireSMBSignRdr (different case). This
; presumably resolves because string names are matched case-insensitively -
; confirm, or align the spelling.
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature,4,%EnableSMBSignRDR%,0
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature,4,%RequireSMBSignRDR%,0
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword,4,%EnablePlainTextPassword%,0

; --- Netlogon secure channel ---
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange,4,%DisablePWChange%,0
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel,4,%SignSecureChannel%,0
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel,4,%SealSecureChannel%,0
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal,4,%SignOrSeal%,0
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey,4,%StrongKey%,0

; --- Code signing policy (both entries share the DriverSigning0..2 labels) ---
MACHINE\Software\Microsoft\Driver Signing\Policy,3,%DriverSigning%,3,0|%DriverSigning0%,1|%DriverSigning1%,2|%DriverSigning2%
MACHINE\Software\Microsoft\Non-Driver Signing\Policy,3,%NDriverSigning%,3,0|%DriverSigning0%,1|%DriverSigning1%,2|%DriverSigning2%

; --- Logon UI policies ---
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD,4,%DisableCAD%,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName,4,%DontDisplayLastUserName%,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption,1,%LegalNoticeCaption%,2
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText,1,%LegalNoticeText%,2
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon,4,%ShutdownWithoutLogon%,0

; --- Recovery Console ---
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel,4,%RCAdmin%,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand,4,%RCSet%,0

; --- Winlogon: removable media, cached logons, smart card removal ---
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms,1,%AllocateCDRoms%,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD,1,%AllocateDASD%,3,0|%AllocateDASD0%,1|%AllocateDASD1%,2|%AllocateDASD2%
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies,1,%AllocateFloppies%,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount,1,%CachedLogonsCount%,1,%Unit-Logons%
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning,4,%PasswordExpiryWarning%,1,%Unit-Days%
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption,1,%ScRemove%,3,0|%ScRemove0%,1|%ScRemove1%,2|%ScRemove2%

; Added for NSA security templates
; (their display strings sit under the matching comment in [Strings])
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon,4,%AutoAdmin%,0
; Choices are the bit masks 149 (labelled "CD-ROM Drives") and 255 ("All Drives").
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun,4,%DisableAutoplay%,3,149|%DACD%,255|%DAALL%
MACHINE\System\CurrentControlSet\Control\Session Manager\EnhancedSecurityLevel,4,%EnhancedSecLevel%,0
; Displayed as a number; no %Unit-*% string is given here.
MACHINE\System\CurrentControlSet\Services\Eventlog\Security\WarningLevel,4,%GenAudit%,1
MACHINE\System\CurrentControlSet\Services\MrxSmb\Parameters\RefuseReset,4,%RefuseReset%,0
; --- TCP/IP and NetBT hardening knobs ---
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting,4,%DisableIPSource%,3,0|%IPSource0%,1|%IPSource1%,2|%IPSource2%
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnableDeadGWDetect,4,%EnableDeadGWDetect%,0
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect,4,%EnableICMPRedirect%,0
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery,4,%EnablePMTUDiscovery%,0
; Choice values are milliseconds; the labels in [Strings] give the same
; intervals in minutes (180000 = 3 minutes ... 7200000 = 120 minutes).
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime,4,%KeepAliveTime%,3,180000|%KeepAlive1%,300000|%KeepAlive2%,900000|%KeepAlive3%,3600000|%KeepAlive4%,7200000|%KeepAlive5%
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\PerformRouterDiscovery,4,%PerformRouterDiscovery%,0
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect,4,%SynAttackProtect%,3,0|%Syn0%,1|%Syn1%,2|%Syn2%
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpen,4,%TcpMaxHalfOpen%,1
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpenRetired,4,%TcpMaxHalfOpenRetired%,1
MACHINE\System\CurrentControlSet\Services\NetBT\Parameters\NoNameReleaseOnDemand,4,%NoNameRelease%,0

; delete these values from current system - Rdr in case NT4 w SCE
; The lines below carry only a registry path (no type, display name or display
; type). Most of them name the same value as an entry registered above but
; under a different key (Winlogon\DisableCAD vs Policies\System\DisableCAD,
; Rdr\... and MRxSMB\... vs LanmanWorkstation\...), which is consistent with
; the comment above describing them as values to remove from the system.
; Registry key names are case-insensitive, so MRxSMB here and MrxSmb above
; refer to the same key.
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DisableCAD
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ShutdownWithoutLogon
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CmdConsSecurityLevel
MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\AddPrintDrivers
MACHINE\System\CurrentControlSet\Services\MRxSMB\Parameters\EnableSecuritySignature
MACHINE\System\CurrentControlSet\Services\MRxSMB\Parameters\RequireSecuritySignature
MACHINE\System\CurrentControlSet\Services\MRxSMB\Parameters\EnablePlainTextPassword
MACHINE\System\CurrentControlSet\Services\Rdr\Parameters\EnableSecuritySignature
MACHINE\System\CurrentControlSet\Services\Rdr\Parameters\RequireSecuritySignature
MACHINE\System\CurrentControlSet\Services\Rdr\Parameters\EnablePlainTextPassword
MACHINE\Software\Microsoft\Windows\CurrentVersion\NetCache\EncryptEntireCache

[Strings]
; Localizable display text. Each name is referenced as %Name% from
; [Register Registry Values]; the *0/*1/*2 (and LMCLevel0..5, KeepAlive1..5)
; entries are the choice labels for display type 3.
SubmitControl = Allow server operators to schedule tasks (domain controllers only)
ShutdownWithoutLogon = Allow system to be shut down without having to log on
AllocateDASD = Allowed to eject removable NTFS media
AllocateDASD0 = Administrators
AllocateDASD1 = Administrators and Power Users
AllocateDASD2 = Administrators and Interactive Users
AuditBaseObjects = Audit the access of global system objects
FullPrivilegeAuditing = Audit use of Backup and Restore privilege
EnableForcedLogoff = Automatically log off users when logon time expires (local)
AutoDisconnect = Amount of idle time required before disconnecting session
ClearPageFileAtShutdown = Clear virtual memory pagefile when system shuts down
RequireSMBSignRdr = Digitally sign client communication (always)
EnableSMBSignRdr = Digitally sign client communication (when possible)
RequireSMBSignServer = Digitally sign server communication (always)
EnableSMBSignServer = Digitally sign server communication (when possible)
DisableCAD = Disable CTRL+ALT+DEL requirement for logon
RestrictAnonymous = Additional restrictions for anonymous connections
RA0 = None. Rely on default permissions
RA1 = Do not allow enumeration of SAM accounts and shares
RA2 = No access without explicit anonymous permissions
DontDisplayLastUserName = Do not display last user name in logon screen
LmCompatibilityLevel = LAN Manager Authentication Level
LMCLevel0 = Send LM & NTLM responses
LMCLevel1 = Send LM & NTLM - use NTLMv2 session security if negotiated
LMCLevel2 = Send NTLM response only
LMCLevel3 = Send NTLMv2 response only
LMCLevel4 = Send NTLMv2 response only\refuse LM
LMCLevel5 = Send NTLMv2 response only\refuse LM & NTLM
LegalNoticeText = Message text for users attempting to log on
LegalNoticeCaption = Message title for users attempting to log on
CachedLogonsCount = Number of previous logons to cache (in case domain controller is not available)
AddPrintDrivers = Prevent users from installing printer drivers
DisablePWChange = Prevent system maintenance of computer account password
PasswordExpiryWarning = Prompt user to change password before expiration
RCAdmin = Recovery Console: Allow automatic administrative logon
RCSet = Recovery Console: Allow floppy copy and access to all drives and all folders
AllocateCDRoms = Restrict CD-ROM access to locally logged-on user only
AllocateFloppies = Restrict floppy access to locally logged-on user only
ProtectionMode = Strengthen default permissions of global system objects (e.g. Symbolic Links)
SignOrSeal = Secure channel: Digitally encrypt or sign secure channel data (always)
SealSecureChannel = Secure channel: Digitally encrypt secure channel data (when possible)
SignSecureChannel = Secure channel: Digitally sign secure channel data (when possible)
StrongKey = Secure channel: Require strong (Windows 2000 or later) session key
CrashOnAuditFail = Shut down system immediately if unable to log security audits
EnablePlainTextPassword = Send unencrypted password to connect to third-party SMB servers
ScRemove = Smart card removal behavior
ScRemove0 = No Action
ScRemove1 = Lock Workstation
ScRemove2 = Force Logoff
DriverSigning = Unsigned driver installation behavior
NDriverSigning = Unsigned non-driver installation behavior
DriverSigning0 = Silently succeed
DriverSigning1 = Warn but allow installation
DriverSigning2 = Do not allow installation
Unit-Logons = logons
Unit-Days = days
Unit-Minutes = minutes

; Added for NSA security templates
AutoAdmin = Allow Automatic Administrator Logon
DisableAutoplay = Disable Media Autoplay
DACD = CD-ROM Drives
DAALL = All Drives
EnhancedSecLevel = Protect kernel object attributes
GenAudit = Generate audit event when the audit log reaches a percent full threshold
RefuseReset = Network Security: Protect against Computer Browser Spoofing Attacks
DisableIPSource = Network Security: Disable IP source routing
IPSource0 = Enable source routing
IPSource1 = Disable source routing when IP forwarding is also enabled
IPSource2 = Disable source routing completely
EnableDeadGWDetect = Network Security: Allow dead gateway detection
EnableICMPRedirect = Network Security: Enable ICMP redirect
EnablePMTUDiscovery = Network Security: Enable packet MTU discovery
KeepAliveTime = Network Security: Keep alive time for TCP connection
KeepAlive1 = 3 minutes
KeepAlive2 = 5 minutes
KeepAlive3 = 15 minutes
KeepAlive4 = 60 minutes
KeepAlive5 = 120 minutes
PerformRouterDiscovery = Network Security: Enable router discovery
SynAttackProtect = Network Security: Protect against SYN attacks
Syn0 = Typical protection (default)
Syn1 = Better protection
Syn2 = Best protection
TcpMaxHalfOpen = Network Security: Maximum number of half-open TCP sockets to maintain
TcpMaxHalfOpenRetired = Network Security: Maximum number of half-open retired TCP sockets to maintain
NoNameRelease = Network Security: Protect against name-release attacks