; (c) Microsoft Corporation 1997-2000 ; ; Security Configuration Template for Security Configuration Editor ; ; Template Name: W2k Workstation.INF ; Template Version: 05.00.DR.0000 ; ; Revision History ; 0000 - Original ; May 2001 - SNAC version 1.01a ; November 2001 - ; Changed the line "RequireLogonToChangePassword = 1" to ; "RequireLogonToChangePassword = 0" under the [System Access] ; section. This line is an artifact from Windows NT 4.0 templates and could have ; adverse effects on a user's ability to change password at first logon. If you have ; experienced this problem, please reapply this corrected inf file, or, via a ; text editor, create and apply an inf file with only the following lines: ; [Unicode] ; Unicode=yes ; [System Access] ; RequireLogonToChangePassword = 0 ; ; NOTE: This setting does NOT appear when the template file is viewed graphically in ; the MMC. ; ; July 2002 - ; In the Registry section, corrected the ; MACHINE\System\CurrentControlSet\Control\Wmi\Security to grant Administrators Full ; Control on the key and subkeys ; ; Nov. 2002 - ; In the Registry section, corrected the MACHINE\Software\Microsoft\WindowsNT\ ; CurrentVersion\Perflib to give Creator Owner Full Control on Subkeys only. [Unicode] Unicode=yes [System Access] MinimumPasswordAge = 1 MaximumPasswordAge = 90 MinimumPasswordLength = 12 PasswordComplexity = 1 PasswordHistorySize = 24 LockoutBadCount = 3 ResetLockoutCount = 15 LockoutDuration = 15 RequireLogonToChangePassword = 0 ClearTextPassword = 0 [System Log] MaximumLogSize = 4194240 AuditLogRetentionPeriod = 2 RetentionDays = 7 RestrictGuestAccess = 1 [Security Log] MaximumLogSize = 4194240 AuditLogRetentionPeriod = 2 RetentionDays = 7 RestrictGuestAccess = 1 [Application Log] MaximumLogSize = 4194240 AuditLogRetentionPeriod = 2 RetentionDays = 7 RestrictGuestAccess = 1 [Event Audit] AuditSystemEvents = 3 AuditLogonEvents = 3 AuditObjectAccess = 2 AuditPrivilegeUse = 2 AuditPolicyChange = 3 AuditAccountManage = 3 AuditProcessTracking = 0 AuditDSAccess = 0 AuditAccountLogon = 3 CrashOnAuditFull = 1 [Version] signature="$CHICAGO$" Revision=1 [Privilege Rights] seassignprimarytokenprivilege = seauditprivilege = sebackupprivilege = *S-1-5-32-544 sebatchlogonright = sechangenotifyprivilege = *S-1-5-32-545 secreatepagefileprivilege = *S-1-5-32-544 secreatepermanentprivilege = secreatetokenprivilege = sedebugprivilege = sedenybatchlogonright = sedenyinteractivelogonright = sedenynetworklogonright = sedenyservicelogonright = seenabledelegationprivilege = seincreasebasepriorityprivilege = *S-1-5-32-544 seincreasequotaprivilege = *S-1-5-32-544 seinteractivelogonright = *S-1-5-32-544,*S-1-5-32-545 seloaddriverprivilege = *S-1-5-32-544 selockmemoryprivilege = semachineaccountprivilege = senetworklogonright = *S-1-5-32-544,*S-1-5-32-545 seprofilesingleprocessprivilege = *S-1-5-32-544 seremoteshutdownprivilege = *S-1-5-32-544 serestoreprivilege = *S-1-5-32-544 sesecurityprivilege = *S-1-5-32-544 seservicelogonright = seshutdownprivilege = *S-1-5-32-544,*S-1-5-32-545 sesyncagentprivilege = sesystemenvironmentprivilege = *S-1-5-32-544 sesystemprofileprivilege = *S-1-5-32-544 sesystemtimeprivilege = *S-1-5-32-544 setakeownershipprivilege = *S-1-5-32-544 setcbprivilege = seundockprivilege = *S-1-5-32-544,*S-1-5-32-545 [Group Membership] *S-1-5-32-547__Memberof = *S-1-5-32-547__Members = [Registry Keys] "MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities",2,"D:PAR(A;CI;KA;;;BA)(A;CIIO;KA;;;CO)(A;CI;KA;;;SY)" "MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers",2,"D:PAR(A;CI;KA;;;BA)(A;CIIO;KA;;;CO)(A;CI;KA;;;SY)" "MACHINE\SOFTWARE\Microsoft\OS/2 Subsystem for NT",2,"D:PAR(A;CI;KA;;;BA)(A;CIIO;KA;;;CO)(A;CI;KA;;;SY)" "machine\software",2,"D:PAR(A;CI;KA;;;BA)(A;CIIO;KA;;;CO)(A;CI;KA;;;SY)(A;CI;KR;;;BU)" "machine\software\microsoft\netdde",2,"D:PAR(A;CI;KA;;;BA)(A;CI;KA;;;SY)" "machine\software\microsoft\protected storage system provider",1,"D:AR" "machine\software\microsoft\windows nt\currentversion\perflib",2,"D:P(A;CI;GR;;;IU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CIIO;KA;;;CO)" "machine\software\microsoft\windows\currentversion\group policy",0,"D:PAR(A;CI;KA;;;BA)(A;CI;KR;;;AU)(A;CI;KA;;;SY)" "machine\software\microsoft\windows\currentversion\installer",0,"D:PAR(A;CI;KA;;;BA)(A;CI;KA;;;SY)(A;CI;KR;;;BU)" "machine\software\microsoft\windows\currentversion\policies",0,"D:PAR(A;CI;KA;;;BA)(A;CI;KR;;;AU)(A;CI;KA;;;SY)" "machine\system",2,"D:PAR(A;CI;KA;;;BA)(A;CIIO;KA;;;CO)(A;CI;KA;;;SY)(A;CI;KR;;;BU)" "machine\system\clone",1,"D:AR" "machine\system\controlset001",0,"D:PAR(A;CI;KA;;;BA)(A;CIIO;KA;;;CO)(A;CI;KA;;;SY)(A;CI;KR;;;BU)" "machine\system\controlset002",0,"D:PAR(A;CI;KA;;;BA)(A;CIIO;KA;;;CO)(A;CI;KA;;;SY)(A;CI;KR;;;BU)" "machine\system\controlset003",0,"D:PAR(A;CI;KA;;;BA)(A;CIIO;KA;;;CO)(A;CI;KA;;;SY)(A;CI;KR;;;BU)" "machine\system\controlset004",0,"D:PAR(A;CI;KA;;;BA)(A;CIIO;KA;;;CO)(A;CI;KA;;;SY)(A;CI;KR;;;BU)" "machine\system\controlset005",0,"D:PAR(A;CI;KA;;;BA)(A;CIIO;KA;;;CO)(A;CI;KA;;;SY)(A;CI;KR;;;BU)" "machine\system\controlset006",0,"D:PAR(A;CI;KA;;;BA)(A;CIIO;KA;;;CO)(A;CI;KA;;;SY)(A;CI;KR;;;BU)" "machine\system\controlset007",0,"D:PAR(A;CI;KA;;;BA)(A;CIIO;KA;;;CO)(A;CI;KA;;;SY)(A;CI;KR;;;BU)" "machine\system\controlset008",0,"D:PAR(A;CI;KA;;;BA)(A;CIIO;KA;;;CO)(A;CI;KA;;;SY)(A;CI;KR;;;BU)" "machine\system\controlset009",0,"D:PAR(A;CI;KA;;;BA)(A;CIIO;KA;;;CO)(A;CI;KA;;;SY)(A;CI;KR;;;BU)" "machine\system\controlset010",0,"D:PAR(A;CI;KA;;;BA)(A;CIIO;KA;;;CO)(A;CI;KA;;;SY)(A;CI;KR;;;BU)" "machine\system\currentcontrolset\control\securepipeservers\winreg",2,"D:PAR(A;CI;KA;;;BA)(A;;KR;;;BO)(A;CI;KA;;;SY)" "machine\system\currentcontrolset\control\wmi\security",2,"D:P(A;CI;GR;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)" "machine\system\currentcontrolset\enum",1,"D:PAR(A;CI;KA;;;BA)(A;CI;KR;;;AU)(A;CI;KA;;;SY)" "machine\system\currentcontrolset\hardware profiles",0,"D:PAR(A;CI;KA;;;BA)(A;CIIO;KA;;;CO)(A;CI;KA;;;SY)(A;CI;KR;;;BU)" "users\.default",2,"D:PAR(A;CI;KA;;;BA)(A;CIIO;KA;;;CO)(A;CI;KA;;;SY)(A;CI;KR;;;BU)" "users\.default\software\microsoft\netdde",2,"D:PAR(A;CI;KA;;;BA)(A;CI;KA;;;SY)" "users\.default\software\microsoft\protected storage system provider",1,"D:AR" "CLASSES_ROOT",2,"D:PAR(A;CI;KA;;;BA)(A;CIIO;KA;;;CO)(A;CI;KA;;;SY)(A;CI;KR;;;BU)" "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AsrCommands",2,"D:PAR(A;CI;KA;;;BA)(A;CI;CCDCLCSWRPSDRC;;;BO)(A;CIIO;KA;;;CO)(A;CI;KA;;;SY)(A;CI;KR;;;BU)" [Profile Description] Description=NSA Enhanced Security Settings for Windows 2000 Professional workstation [File Security] "%SystemDrive%\Program Files\Resource Pro Kit",2,"D:PAR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)" "%SystemRoot%\security",2,"D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)" "%SystemDrive%\Documents and Settings\Default User",2,"D:PAR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;BU)" "%SystemDrive%\ntldr",2,"D:PAR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)" "%SystemDrive%\config.sys",2,"D:PAR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;BU)" "%SystemDrive%\ntdetect.com",2,"D:PAR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)" "%SystemDrive%\boot.ini",2,"D:PAR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)" "%SystemDrive%\autoexec.bat",2,"D:PAR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;BU)" "%SystemRoot%\Offline Web Pages",1,"D:(A;OICI;GA;;;WD)" "%SystemDrive%\Documents and Settings\All Users\Documents\DrWatson\drwtsn32.log",2,"D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1301bf;;;BU)" "%SystemRoot%\$NtServicePackUninstall$",2,"D:PAR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)" "c:\boot.ini",2,"D:PAR(A;;FA;;;BA)(A;;FA;;;SY)" "c:\ntdetect.com",2,"D:PAR(A;;FA;;;BA)(A;;FA;;;SY)" "c:\ntldr",2,"D:PAR(A;;FA;;;BA)(A;;FA;;;SY)" "c:\ntbootdd.sys",2,"D:PAR(A;;FA;;;BA)(A;;FA;;;SY)" "c:\autoexec.bat",2,"D:PAR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;BU)" "c:\config.sys",2,"D:PAR(A;;FA;;;BA)(A;;FA;;;SY)(A;;0x1200a9;;;BU)" "%ProgramFiles%",2,"D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;BU)" "%SystemRoot%",2,"D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;BU)" "%SystemRoot%\CSC",2,"D:PAR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)" "%SystemRoot%\debug",0,"D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;BU)" "%SystemRoot%\Registration",0,"D:PAR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;FR;;;BU)" "%SystemRoot%\repair",2,"D:PAR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)" "%SystemRoot%\Tasks",1,"D:AR" "%SystemRoot%\Temp",2,"D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;CI;0x100026;;;BU)" "%SystemDirectory%",2,"D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;BU)" "%SystemDirectory%\appmgmt",0,"D:PAR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;BU)" "%SystemDirectory%\DTCLog",0,"D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;BU)" "%SystemDirectory%\GroupPolicy",0,"D:PAR(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;AU)(A;OICI;FA;;;SY)" "%SystemDirectory%\NTMSData",0,"D:PAR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)" "%SystemDirectory%\Setup",0,"D:PAR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;BU)" "%SystemDirectory%\ReinstallBackups",1,"D:P(A;OICI;GXGR;;;BU)(A;OICI;GXGR;;;PU)(A;OICI;GA;;;BA)(A;OICI;GA;;;SY)(A;OICI;GA;;;CO)" "%SystemDirectory%\repl",0,"D:PAR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;BU)" "%SystemDirectory%\repl\import",0,"D:PAR(A;OICI;FA;;;BA)(A;OICI;0x1301bf;;;RE)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;BU)" "%SystemDirectory%\repl\export",0,"D:PAR(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;RE)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;BU)" "%SystemDirectory%\spool\printers",2,"D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;CI;DCLCSWWPLO;;;BU)" "%SystemDirectory%\config",2,"D:PAR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)" "%SystemDirectory%\dllcache",2,"D:P(A;OICI;GA;;;BA)(A;OICI;GA;;;SY)(A;OICI;GA;;;CO)" "%SystemDirectory%\ias",2,"D:P(A;OICI;GA;;;BA)(A;OICI;GA;;;SY)(A;OICI;GA;;;CO)" "%SystemDrive%\Documents and Settings",0,"D:PAR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;BU)" "%SystemDrive%\My Download Files",2,"D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1201bf;;;BU)" "%SystemDrive%\System Volume Information",1,"D:PAR" "%SystemDrive%\Temp",2,"D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;CI;DCLCWP;;;BU)" "%SystemDrive%\",0,"D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;BU)" "%SystemDrive%\IO.SYS",2,"D:PAR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;BU)" "%SystemDrive%\MSDOS.SYS",2,"D:PAR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;BU)" "%SystemRoot%\regedit.exe",2,"D:PAR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)" "%SystemDirectory%\rcp.exe",2,"D:PAR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)" "%SystemDirectory%\Ntbackup.exe",2,"D:PAR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)" "%SystemDirectory%\rexec.exe",2,"D:PAR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)" "%SystemDirectory%\rsh.exe",2,"D:PAR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)" "%SystemDirectory%\regedt32.exe",2,"D:PAR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)" "%SystemDrive%\Documents and Settings\Administrator",2,"D:PAR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)" "%SystemDrive%\Documents and Settings\All Users\Documents\DrWatson",2,"D:PAR(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICIIO;DCLCWP;;;BU)(A;OICI;CCSWWPLORC;;;BU)" "%SystemDirectory%\secedit.exe",2,"D:PAR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)" "%SystemRoot%\Debug\UserMode",0,"D:PAR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;;CCDCWP;;;BU)(A;OIIO;DCLC;;;BU)" "%SystemDrive%\Documents and Settings\All Users",0,"D:PAR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;BU)" [Registry Values] MACHINE\System\CurrentControlSet\Control\Session Manager\EnhancedSecurityLevel=4,1 MACHINE\System\CurrentControlSet\Services\Eventlog\Security\WarningLevel=4,90 MACHINE\System\CurrentControlSet\Services\MrxSmb\Parameters\RefuseReset=4,1 MACHINE\System\CurrentControlSet\Services\NetBT\Parameters\NoNameReleaseOnDemand=4,1 MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting=4,2 MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnableDeadGWDetect=4,0 MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect=4,0 MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\PerformRouterDiscovery=4,0 MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect=4,2 MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpen=4,100 MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpenRetired=4,80 MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime=4,300000 MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun=4,255 MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon=4,0 machine\system\currentcontrolset\services\netlogon\parameters\signsecurechannel=4,1 machine\system\currentcontrolset\services\netlogon\parameters\sealsecurechannel=4,1 machine\system\currentcontrolset\services\netlogon\parameters\requirestrongkey=4,0 machine\system\currentcontrolset\services\netlogon\parameters\requiresignorseal=4,0 machine\system\currentcontrolset\services\netlogon\parameters\disablepasswordchange=4,0 machine\system\currentcontrolset\services\lanmanworkstation\parameters\requiresecuritysignature=4,0 machine\system\currentcontrolset\services\lanmanworkstation\parameters\enablesecuritysignature=4,1 machine\system\currentcontrolset\services\lanmanworkstation\parameters\enableplaintextpassword=4,0 machine\system\currentcontrolset\services\lanmanserver\parameters\requiresecuritysignature=4,0 machine\system\currentcontrolset\services\lanmanserver\parameters\enablesecuritysignature=4,1 machine\system\currentcontrolset\services\lanmanserver\parameters\enableforcedlogoff=4,1 machine\system\currentcontrolset\services\lanmanserver\parameters\autodisconnect=4,30 machine\system\currentcontrolset\control\session manager\protectionmode=4,1 machine\system\currentcontrolset\control\session manager\memory management\clearpagefileatshutdown=4,1 machine\system\currentcontrolset\control\print\providers\lanman print services\servers\addprinterdrivers=4,1 machine\system\currentcontrolset\control\lsa\restrictanonymous=4,2 machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel=4,5 machine\system\currentcontrolset\control\lsa\fullprivilegeauditing=3,1 machine\system\currentcontrolset\control\lsa\crashonauditfail=4,1 machine\system\currentcontrolset\control\lsa\auditbaseobjects=4,1 machine\software\microsoft\windows\currentversion\policies\system\shutdownwithoutlogon=4,0 machine\software\microsoft\windows\currentversion\policies\system\dontdisplaylastusername=4,1 machine\software\microsoft\windows\currentversion\policies\system\disablecad=4,0 machine\software\microsoft\windows nt\currentversion\winlogon\scremoveoption=1,1 machine\software\microsoft\windows nt\currentversion\winlogon\passwordexpirywarning=4,14 machine\software\microsoft\windows nt\currentversion\winlogon\cachedlogonscount=1,0 machine\software\microsoft\windows nt\currentversion\winlogon\allocatefloppies=1,1 machine\software\microsoft\windows nt\currentversion\winlogon\allocatedasd=1,0 machine\software\microsoft\windows nt\currentversion\winlogon\allocatecdroms=1,1 machine\software\microsoft\windows nt\currentversion\setup\recoveryconsole\setcommand=4,0 machine\software\microsoft\windows nt\currentversion\setup\recoveryconsole\securitylevel=4,0 machine\software\microsoft\non-driver signing\policy=3,1 machine\software\microsoft\driver signing\policy=3,1