; Copyright (c) Microsoft Corporation.  All rights reserved.
;
; Security Configuration Template for Security Configuration Editor
;
; Template Name:        SCERegVl.INF
; Template Version:     05.00.DR.0000
;
; Revision History
; 0000  -       Original

[version]
signature="$CHICAGO$"
DriverVer=10/01/2002,5.2.3790.1830

[Register Registry Values]
;
; Syntax: RegPath,RegType,DisplayName,DisplayType,Options
; where
;         RegPath:      Includes the registry keypath and value
;         RegType:      1 - REG_SZ, 2 - REG_EXPAND_SZ, 3 - REG_BINARY, 4 - REG_DWORD, 7 - REG_MULTI_SZ
;         Display Name: Is a localizable string defined in the [strings] section
;         Display type: 0 - boolean, 1 - Number, 2 - String, 3 - Choices, 4 - Multivalued, 5 - Bitmask
;         Options:      If Displaytype is 3 (Choices) or 5 (Bitmask), then specify the range of values and corresponding display strings
;                       in value|displaystring format separated by a comma.


MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects,4,%AuditBaseObjects%,0
MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail,4,%CrashOnAuditFail%,0
MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds,4,%DisableDomainCreds%,0
MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous,4,%EveryoneIncludesAnonymous%,0
MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest,4,%ForceGuest%,3,0|%Classic%,1|%GuestBased%
MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing,3,%FullPrivilegeAuditing%,0
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse,4,%LimitBlankPasswordUse%,0
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel,4,%LmCompatibilityLevel%,3,0|%LMCLevel0%,1|%LMCLevel1%,2|%LMCLevel2%,3|%LMCLevel3%,4|%LMCLevel4%,5|%LMCLevel5%
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec,4,%NTLMMinClientSec%,5,16|%NTLMIntegrity%,32|%NTLMConfidentiality%,524288|%NTLMv2Session%,536870912|%NTLM128%
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec,4,%NTLMMinServerSec%,5,16|%NTLMIntegrity%,32|%NTLMConfidentiality%,524288|%NTLMv2Session%,536870912|%NTLM128%
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash,4,%NoLMHash%,0
MACHINE\System\CurrentControlSet\Control\Lsa\NoDefaultAdminOwner,4,%NoDefaultAdminOwner%,3,0|%DefaultOwner0%,1|%DefaultOwner1%
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous,4,%RestrictAnonymous%,0
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM,4,%RestrictAnonymousSAM%,0
MACHINE\System\CurrentControlSet\Control\Lsa\SubmitControl,4,%SubmitControl%,0
MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy,4,%FIPS%,0

MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers,4,%AddPrintDrivers%,0

MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine,7,%AllowedPaths%,4
MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths\Machine,7,%AllowedExactPaths%,4

MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive,4,%ObCaseInsensitive%,0
MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown,4,%ClearPageFileAtShutdown%,0
MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode,4,%ProtectionMode%,0
MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems\optional,7,%OptionalSubSystems%,4

MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature,4,%EnableSMBSignServer%,0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature,4,%RequireSMBSignServer%,0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogOff,4,%EnableForcedLogoff%,0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect,4,%AutoDisconnect%,1,%Unit-Minutes%
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RestrictNullSessAccess,4,%RestrictNullSessAccess%,0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes,7,%NullPipes%,4
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares,7,%NullShares%,4

MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature,4,%EnableSMBSignRDR%,0
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature,4,%RequireSMBSignRDR%,0
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword,4,%EnablePlainTextPassword%,0

MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity,4,%LDAPClientIntegrity%,3,0|%LDAPClient0%,1|%LDAPClient1%,2|%LDAPClient2%

MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange,4,%DisablePWChange%,0
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge,4,%MaximumPWAge%,1,%Unit-Days%
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RefusePasswordChange,4,%RefusePWChange%,0
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel,4,%SignSecureChannel%,0
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel,4,%SealSecureChannel%,0
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal,4,%SignOrSeal%,0
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey,4,%StrongKey%,0

MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity,4,%LDAPServerIntegrity%,3,1|%LDAPServer1%,2|%LDAPServer2%

MACHINE\Software\Microsoft\Driver Signing\Policy,3,%DriverSigning%,3,0|%DriverSigning0%,1|%DriverSigning1%,2|%DriverSigning2%

MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD,4,%DisableCAD%,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName,4,%DontDisplayLastUserName%,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLockedUserId,4,%DontDisplayLockedUserId%,3,1|%LockedUserID0%,2|%LockedUserID1%,3|%LockedUserID2%
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption,1,%LegalNoticeCaption%,2
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText,7,%LegalNoticeText%,4
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ScForceOption,4,%ScForceOption%,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon,4,%ShutdownWithoutLogon%,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UndockWithoutLogon,4,%UndockWithoutLogon%,0


MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel,4,%RCAdmin%,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand,4,%RCSet%,0

MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms,1,%AllocateCDRoms%,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD,1,%AllocateDASD%,3,0|%AllocateDASD0%,1|%AllocateDASD1%,2|%AllocateDASD2%
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies,1,%AllocateFloppies%,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount,1,%CachedLogonsCount%,1,%Unit-Logons%
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon,4,%ForceUnlockLogon%,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning,4,%PasswordExpiryWarning%,1,%Unit-Days%
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption,1,%ScRemove%,3,0|%ScRemove0%,1|%ScRemove1%,2|%ScRemove2%,3|%ScRemove3%

MACHINE\Software\Policies\Microsoft\Cryptography\ForceKeyProtection,4,%ForceHighProtection%,3,0|%CryptAllowNoUI%,1|%CryptAllowNoPass%,2|%CryptUsePass%
MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\AuthenticodeEnabled,4,%AuthenticodeEnabled%,0

MACHINE\Software\Policies\Microsoft\Windows NT\DCOM\MachineLaunchRestriction,1,%DCOMLaunchRestriction%,2
MACHINE\Software\Policies\Microsoft\Windows NT\DCOM\MachineAccessRestriction,1,%DCOMAccessRestriction%,2

; delete these values from the UI - Rdr in case NT4 w SCE
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DisableCAD
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ShutdownWithoutLogon
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CmdConsSecurityLevel
MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\AddPrintDrivers
MACHINE\System\CurrentControlSet\Services\MRxSMB\Parameters\EnableSecuritySignature
MACHINE\System\CurrentControlSet\Services\MRxSMB\Parameters\RequireSecuritySignature
MACHINE\System\CurrentControlSet\Services\MRxSMB\Parameters\EnablePlainTextPassword
MACHINE\System\CurrentControlSet\Services\Rdr\Parameters\EnableSecuritySignature
MACHINE\System\CurrentControlSet\Services\Rdr\Parameters\RequireSecuritySignature
MACHINE\System\CurrentControlSet\Services\Rdr\Parameters\EnablePlainTextPassword
MACHINE\Software\Microsoft\Windows\CurrentVersion\NetCache\EncryptEntireCache
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\EFS\AlgorithmID
MACHINE\Software\Microsoft\Non-Driver Signing\Policy
MACHINE\Software\Policies\Microsoft\Cryptography\ForceHighProtection

































[Strings]

;================================ Accounts ============================================================================
;Specified in UI code - Accounts: Administrator account status
;Specified in UI code - Accounts: Guest account status
;Specified in UI code - Accounts: Rename administrator account
;Specified in UI code - Accounts: Rename guest account
LimitBlankPasswordUse = "Accounts: Limit local account use of blank passwords to console logon only"


;================================ Audit ===============================================================================
AuditBaseObjects="Audit: Audit the access of global system objects"
FullPrivilegeAuditing="Audit: Audit the use of Backup and Restore privilege"
CrashOnAuditFail="Audit: Shut down system immediately if unable to log security audits"

;================================ Devices =============================================================================
AllocateDASD="Devices: Allowed to format and eject removable media"
AllocateDASD0="Administrators"
AllocateDASD1="Administrators and Power Users"
AllocateDASD2="Administrators and Interactive Users"
AddPrintDrivers="Devices: Prevent users from installing printer drivers"
AllocateCDRoms="Devices: Restrict CD-ROM access to locally logged-on user only"
AllocateFloppies="Devices: Restrict floppy access to locally logged-on user only"
DriverSigning="Devices: Unsigned driver installation behavior"
DriverSigning0="Silently succeed "
DriverSigning1="Warn but allow installation"
DriverSigning2="Do not allow installation"
UndockWithoutLogon="Devices: Allow undock without having to log on"

;================================ Domain controller ====================================================================
SubmitControl="Domain controller: Allow server operators to schedule tasks"
RefusePWChange="Domain controller: Refuse machine account password changes"
LDAPServerIntegrity = "Domain controller: LDAP server signing requirements"
LDAPServer1 = "None"
LDAPServer2 = "Require signing"

;================================ Domain member ========================================================================
DisablePWChange="Domain member: Disable machine account password changes"
MaximumPWAge="Domain member: Maximum machine account password age"
SignOrSeal="Domain member: Digitally encrypt or sign secure channel data (always)"
SealSecureChannel="Domain member: Digitally encrypt secure channel data (when possible)"
SignSecureChannel="Domain member: Digitally sign secure channel data (when possible)"
StrongKey="Domain member: Require strong (Windows 2000 or later) session key"

;================================ Interactive logon ====================================================================
DisableCAD = "Interactive logon: Do not require CTRL+ALT+DEL"
DontDisplayLastUserName = "Interactive logon: Do not display last user name"
DontDisplayLockedUserId = "Interactive logon: Display user information when the session is locked"
LockedUserId0 = "User display name, domain and user names"
LockedUserId1 = "User display name only"
LockedUserId2 = "Do not display user information"
LegalNoticeText = "Interactive logon: Message text for users attempting to log on"
LegalNoticeCaption = "Interactive logon: Message title for users attempting to log on"
CachedLogonsCount = "Interactive logon: Number of previous logons to cache (in case domain controller is not available)"
PasswordExpiryWarning = "Interactive logon: Prompt user to change password before expiration"
ForceUnlockLogon = "Interactive logon: Require Domain Controller authentication to unlock workstation"
ScForceOption = "Interactive logon: Require smart card"
ScRemove = "Interactive logon: Smart card removal behavior"
ScRemove0 = "No Action"
ScRemove1 = "Lock Workstation"
ScRemove2 = "Force Logoff"
ScRemove3 = "Disconnect if a remote Terminal Services session"

;================================ Microsoft network client =============================================================
RequireSMBSignRdr="Microsoft network client: Digitally sign communications (always)"
EnableSMBSignRdr="Microsoft network client: Digitally sign communications (if server agrees)"
EnablePlainTextPassword="Microsoft network client: Send unencrypted password to third-party SMB servers"

;================================ Microsoft network server =============================================================
AutoDisconnect="Microsoft network server: Amount of idle time required before suspending session"
RequireSMBSignServer="Microsoft network server: Digitally sign communications (always)"
EnableSMBSignServer="Microsoft network server: Digitally sign communications (if client agrees)"
EnableForcedLogoff="Microsoft network server: Disconnect clients when logon hours expire"

;================================ Network access =======================================================================
;Specified in UI code - Network access: Allow anonymous SID/Name translation
DisableDomainCreds = "Network access: Do not allow storage of credentials or .NET Passports for network authentication"
RestrictAnonymousSAM = "Network access: Do not allow anonymous enumeration of SAM accounts"
RestrictAnonymous = "Network access: Do not allow anonymous enumeration of SAM accounts and shares"
EveryoneIncludesAnonymous = "Network access: Let Everyone permissions apply to anonymous users"
RestrictNullSessAccess = "Network access: Restrict anonymous access to Named Pipes and Shares"
NullPipes = "Network access: Named Pipes that can be accessed anonymously"
NullShares = "Network access: Shares that can be accessed anonymously"
AllowedPaths = "Network access: Remotely accessible registry paths and sub-paths"
AllowedExactPaths = "Network access: Remotely accessible registry paths"
ForceGuest = "Network access: Sharing and security model for local accounts"
Classic = "Classic - local users authenticate as themselves"
GuestBased = "Guest only - local users authenticate as Guest"

;================================ Network security =====================================================================
;Specified in UI code - Network security: Enforce logon hour restrictions
NoLMHash = "Network security: Do not store LAN Manager hash value on next password change"
LmCompatibilityLevel = "Network security: LAN Manager authentication level"
LMCLevel0 = "Send LM & NTLM responses"
LMCLevel1 = "Send LM & NTLM - use NTLMv2 session security if negotiated"
LMCLevel2 = "Send NTLM response only"
LMCLevel3 = "Send NTLMv2 response only"
LMCLevel4 = "Send NTLMv2 response only\refuse LM"
LMCLevel5 = "Send NTLMv2 response only\refuse LM & NTLM"
NTLMMinClientSec = "Network security: Minimum session security for NTLM SSP based (including secure RPC) clients"
NTLMMinServerSec = "Network security: Minimum session security for NTLM SSP based (including secure RPC) servers"
NTLMIntegrity = "Require message integrity"
NTLMConfidentiality = "Require message confidentiality"
NTLMv2Session = "Require NTLMv2 session security"
NTLM128 = "Require 128-bit encryption"
LDAPClientIntegrity = "Network security: LDAP client signing requirements"
LDAPClient0 = "None"
LDAPClient1 = "Negotiate signing"
LDAPClient2 = "Require signing"

;================================ Recovery console ====================================================================
RCAdmin="Recovery console: Allow automatic administrative logon"
RCSet="Recovery console: Allow floppy copy and access to all drives and all folders"

;================================ Shutdown ============================================================================
ShutdownWithoutLogon="Shutdown: Allow system to be shut down without having to log on"
ClearPageFileAtShutdown="Shutdown: Clear virtual memory pagefile"

ProtectionMode = "System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)"
NoDefaultAdminOwner = "System objects: Default owner for objects created by members of the Administrators group"
DefaultOwner0 = "Administrators group"
DefaultOwner1 = "Object creator"
ObCaseInsensitive = "System objects: Require case insensitivity for non-Windows subsystems"

;================================ System cryptography =================================================================
FIPS="System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing"

ForceHighProtection="System cryptography: Force strong key protection for user keys stored on the computer"

CryptAllowNoUI="User input is not required when new keys are stored and used"
CryptAllowNoPass="User is prompted when the key is first used"
CryptUsePass="User must enter a password each time they use a key"


;================================ System Settings =====================================================================
AuthenticodeEnabled = "System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies"
OptionalSubSystems = "System settings: Optional subsystems"


Unit-Logons="logons"
Unit-Days="days"
Unit-Minutes="minutes"
Unit-Seconds="seconds"

;================================ DCOM Machine Restrictions ===========================================================
DCOMLaunchRestriction="DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax"
DCOMAccessRestriction="DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax"
