You are on page 1of 4

;Supplies defaults recommendations for SCM UI

;Specify default system settings where possible


;If there are SKU differences present the more secure setting
[Version]
signature="$CHICAGO$"
DriverVer=06/21/2006,6.1.7600.16385
[Service General Setting]
PlaceHolder,4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDR
CWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
[Registry Keys]
"PlaceHolder",2,"D:PAR(A;CI;KA;;;BA)(A;CIIO;KA;;;CO)(A;CI;KA;;;SY)(A;CI;KR;;;BU)
"
[File Security]
"PlaceHolder",2,"D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;
0x1200a9;;;BU)"
[System Access]
;---------------------------------------------------------------;Account Policies - Password Policy
;---------------------------------------------------------------MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
RequireLogonToChangePassword = 0
ClearTextPassword = 0
LSAAnonymousNameLookup = 0
EnableGuestAccount = 0
;---------------------------------------------------------------;Account Policies - Lockout Policy
;---------------------------------------------------------------LockoutBadCount = 0
;ResetLockoutCount = 30
;LockoutDuration = 30
;---------------------------------------------------------------;Local Policies - Security Options
;---------------------------------------------------------------;DC Only
;ForceLogoffWhenHourExpire = 0
;NewAdministatorName =
;NewGuestName =
;SecureSystemPartition
;---------------------------------------------------------------;Event Log - Log Settings
;---------------------------------------------------------------;Audit Log Retention Period:
;0 = Overwrite Events As Needed
;1 = Overwrite Events As Specified by Retention Days Entry
;2 = Never Overwrite Events (Clear Log Manually)
[System Log]
MaximumLogSize = 16384
AuditLogRetentionPeriod = 0
RetentionDays = 7

RestrictGuestAccess = 1
[Security Log]
MaximumLogSize = 16384
AuditLogRetentionPeriod = 0
RetentionDays = 7
RestrictGuestAccess = 1
[Application Log]
MaximumLogSize = 16384
AuditLogRetentionPeriod = 0
RetentionDays = 7
RestrictGuestAccess = 1
;---------------------------------------------------------------------;
Local Policies\Audit Policy
;---------------------------------------------------------------------[Event Audit]
AuditSystemEvents = 0
AuditObjectAccess = 0
AuditPrivilegeUse = 0
AuditPolicyChange = 0
AuditAccountManage = 0
AuditProcessTracking = 0
;AuditDSAccess = 0
AuditAccountLogon = 1
AuditLogonEvents = 1
;---------------------------------------------------------------;Registry Values
;---------------------------------------------------------------[Registry Values]
; Registry value name in full path = Type, Value
; REG_SZ
( 1 )
; REG_EXPAND_SZ
( 2 ) // with environment variables to expand
; REG_BINARY
( 3 )
; REG_DWORD
( 4 )
; REG_MULTI_SZ
( 7 )
MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\Enabled=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing=3,0
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,3
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\M
achine=7,Software\Microsoft\Windows NT\CurrentVersion\Print,Software\Microsoft\W
indows NT\CurrentVersion\Windows,System\CurrentControlSet\Control\Print\Printers
,System\CurrentControlSet\Services\Eventlog,Software\Microsoft\OLAP Server,Syste
m\CurrentControlSet\Control\ContentIndex,System\CurrentControlSet\Control\Termin

al Server,System\CurrentControlSet\Control\Terminal Server\UserConfig,System\Cur
rentControlSet\Control\Terminal Server\DefaultUserConfiguration,Software\Microso
ft\Windows NT\CurrentVersion\Perflib,System\CurrentControlSet\Services\SysmonLog
MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPa
ths\Machine=7,System\CurrentControlSet\Control\ProductOptions,System\CurrentCont
rolSet\Control\Server Applications,Software\Microsoft\Windows NT\CurrentVersion
MACHINE\System\CurrentControlSet\Control\Lsa\SubmitControl=4,0
MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\S
ervers\AddPrinterDrivers=4,0
MACHINE\System\CurrentControlSet\Control\Session
e=4,1
MACHINE\System\CurrentControlSet\Control\Session
PageFileAtShutdown=4,0
MACHINE\System\CurrentControlSet\Control\Session
MACHINE\System\CurrentControlSet\Control\Session
osix

Manager\Kernel\ObCaseInsensitiv
Manager\Memory Management\Clear
Manager\ProtectionMode=4,1
Manager\SubSystems\optional=7,P

MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecurity
Signature=4,0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecurit
ySignature=4,0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLo
gOff=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect
=4,15
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RestrictNullSe
ssAccess=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPip
es=7,COMNAP,COMNODE,SQL\QUERY,LLSRPC,BROWSER,netlogon,samr
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionSha
res=7,COMCFG
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSec
uritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSe
curitySignature=4,0
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePla
inTextPassword=4,0
MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordCha
nge=4,0
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge
=4,30
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RefusePasswordChan
ge=4,0
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel=
4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel=
4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal=
4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey=4
,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptB

ehavior=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstalle
rDetection=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtuali
zation=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLas
tUserName=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLoc
kedUserId=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCap
tion=1,""
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeTex
t=7,""
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ScForceOption=
4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithou
tLogon=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UndockWithoutL
ogon=4,1
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\Secur
ityLevel=4,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCo
mmand=4,0
MACHINE\Software\Microsoft\Windows
1,10
MACHINE\Software\Microsoft\Windows
,0
MACHINE\Software\Microsoft\Windows
ing=4,14
MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\CachedLogonsCount=
NT\CurrentVersion\Winlogon\ForceUnlockLogon=4
NT\CurrentVersion\Winlogon\PasswordExpiryWarn
NT\CurrentVersion\Winlogon\ScRemoveOption=1,0

MACHINE\Software\Policies\Microsoft\Cryptography\ForceKeyProtection=4,0
MACHINE\Software\Policies\Microsoft\Cryptography\PasswordCacheTimeout=4,300
MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\AuthenticodeEn
abled=4,0

[Strings]
SCEProfileDescription = "Default recommendations provided by Security Templates
snap-in."

You might also like