; (c) Microsoft Corporation 1997-2000 ; ; Security Configuration Template for Security Configuration Editor ; ; Template Name: HiSecDC.INF ; Template Version: 05.10.HD.0000 [Profile Description] %SCEHiSecDCProfileDescription% [version] signature="$CHICAGO$" revision=1 DriverVer=07/01/2001,5.1.2600.0 [System Access] ;---------------------------------------------------------------- ;Account Policies - Password Policy ;---------------------------------------------------------------- MinimumPasswordAge = 2 MaximumPasswordAge = 42 MinimumPasswordLength = 8 PasswordComplexity = 1 PasswordHistorySize = 24 ClearTextPassword = 0 LSAAnonymousNameLookup = 0 EnableGuestAccount = 0 ;---------------------------------------------------------------- ;Account Policies - Lockout Policy ;---------------------------------------------------------------- LockoutBadCount = 5 ResetLockoutCount = 30 LockoutDuration = -1 ;---------------------------------------------------------------- ;Local Policies - Security Options ;---------------------------------------------------------------- ;DC Only ForceLogoffWhenHourExpire = 1 ;NewAdministatorName = ;NewGuestName = ;SecureSystemPartition ;---------------------------------------------------------------- ;Event Log - Log Settings ;---------------------------------------------------------------- ;Audit Log Retention Period: ;0 = Overwrite Events As Needed ;1 = Overwrite Events As Specified by Retention Days Entry ;2 = Never Overwrite Events (Clear Log Manually) [System Log] RestrictGuestAccess = 1 [Security Log] MaximumLogSize = 10240 AuditLogRetentionPeriod = 0 RestrictGuestAccess = 1 [Application Log] RestrictGuestAccess = 1 ;---------------------------------------------------------------------- ; Local Policies\Audit Policy ;---------------------------------------------------------------------- [Event Audit] AuditSystemEvents = 3 AuditObjectAccess = 3 AuditPrivilegeUse = 3 AuditPolicyChange = 3 AuditAccountManage = 3 AuditProcessTracking = 0 AuditDSAccess=3 AuditLogonEvents = 3 AuditAccountLogon=3 ;---------------------------------------------------------------------- ; Local Policies\SecurityOptions ;---------------------------------------------------------------------- [Registry Values] ; Registry value name in full path = Type, Value ; REG_SZ ( 1 ) ; REG_EXPAND_SZ ( 2 ) // with environment variables to expand ; REG_BINARY ( 3 ) ; REG_DWORD ( 4 ) ; REG_MULTI_SZ ( 7 ) MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects=4,0 MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail=4,0 MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds=4,1 MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,0 ;ForceGuest is not acknowledged on DC's: ;MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest=4,0 MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing=3,0 MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5 MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec=4,0 MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec=4,0 MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1 MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1 MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1 MACHINE\System\CurrentControlSet\Control\Lsa\SubmitControl=4,0 MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers=4,1 MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive=4,1 MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,1 MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode=4,1 MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,1 MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1 MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogOff=4,1 MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect=4,15 MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature=4,1 MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature=4,0 MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword=4,0 MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity=4,1 MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity=4,2 MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange=4,0 MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge=4,30 MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RefusePasswordChange=4,0 MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel=4,1 MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel=4,1 MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal=4,1 MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey=4,1 MACHINE\Software\Microsoft\Driver Signing\Policy=3,2 MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,0 MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1 MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption=1,"" MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=7,"" MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon=4,0 MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UndockWithoutLogon=4,0 MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel=4,0 MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand=4,0 MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms=1,1 MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD=1,0 MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies=1,1 MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,0 MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon=4,1 MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning=4,14 MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption=1,2 [Strings] SceInfAdministrator = "Administrator" SceInfAdmins = "Administrators" SceInfAcountOp = "Account Operators" SceInfAuthUsers = "Authenticated Users" SceInfBackupOp = "Backup Operators" SceInfDomainAdmins = "Domain Admins" SceInfDomainGuests = "Domain Guests" SceInfDomainUsers = "Domain Users" SceInfEveryone = "Everyone" SceInfGuests = "Guests" SceInfGuest = "Guest" SceInfPowerUsers = "Power Users" SceInfPrintOp = "Print Operators" SceInfReplicator = "Replicator" SceInfServerOp = "Server Operators" SceInfUsers = "Users" SceInfProgramFiles = "Program Files" SceHiSecDCProfileDescription = "A superset of securedc. Provides further restrictions on LanManager authentication and further requirements for the encryption and signing of secure channel and SMB data. In order to apply hisecdc to a DC, all of the DC's in all trusted or trusting domains must be running Windows 2000 or later. See online help for further info."