Using Notepad To Add Registry Key/Value Pairs To Security Template .inf Files

Using Notepad To Add Registry Key/Value Pairs To Security Template .inf Files

Post by Bill Tomlinso » Sun, 22 Jun 2003 06:15:15



I am interested in adding some Registry Key/Value pairs to a security
template .inf file.  I see that the baseline.inf file has added several
registry Key/Value pairs, and I would like to know the details concerning
the syntax for these registry entries.

Are there any documents that detail the syntax for adding lines for registry
Key/Value pairs to a Security Template .inf file?

 
 
 

Using Notepad To Add Registry Key/Value Pairs To Security Template .inf Files

Post by Seave » Sun, 22 Jun 2003 08:45:09


Dear Bill,

Thank you for your posting.

According to your post, you want to know the syntax of adding registry
values to security template.

If I have misunderstood your concern please don't hesitate to let me know.

Please refer to the following article for complete steps:

214752 How to Add Custom Registry Settings to Security Configuration Editor
http://support.microsoft.com/?id=214752

Sincerely,

Seaver Ren

Product Support Services
Microsoft Corporation

Get Secure! - www.microsoft.com/security

 
 
 

Using Notepad To Add Registry Key/Value Pairs To Security Template .inf Files

Post by Bill Tomlinso » Thu, 26 Jun 2003 07:56:33


Seaver,

This article addresses some of what I am trying to figure out.  The article
actually describes a process for modifying the SCM UI, which will be
helpful.

What I still need some help with is determining the syntax that is being
used in "pre-existing" templates that come in Microsoft's Security Kit.
Specifically the baseline.inf file has several dozen lines written in it
that do not show up in the UI, and they appear to use some of the syntax
from the article you referred me to.

Here are the registry lines included the baseline.inf file; note these
entries either create non-existing values, or modify existing values.  In
either case if you apply this template these entries do not show up in the
UI.  My question is does the syntax from article 214752 apply here?

For example in line 1 below:  does this mean the ScRemoveOption value will
be created/modifies and set to a RegistryType=1(REG_SZ), with a actual value
of 1 ??

Would you suggest that these be created as visible UI entries in the
Security Options section of the SCM, as the 2147532 article implies?

I seems as though this is a short-hand way of including these settings
without modifying the Sceregvl.inf (the long hand way, perhaps long term
more manageable), can you confirm?

Thanks

BT

[Registry Values]
MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\ScRemoveOption=1,1
MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\PasswordExpiryWarning=4,14
MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\CachedLogonsCount=1,0
MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\AllocateFloppies=1,1
MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\AllocateDASD=1,0
MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\AllocateCDRoms=1,1
MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Setup\RecoveryConsole\SetCommand=4,0
MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNotic
eText=1,
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNotic
eCaption=1,
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDispla
yLastUserName=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD
=4,0
MACHINE\Software\Microsoft\Non-Driver Signing\Policy=3,1
MACHINE\Software\Microsoft\Driver Signing\Policy=3,2
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongK
ey=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrS
eal=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChan
nel=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChan
nel=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswor
dChange=4,0
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\Enabl
ePlainTextPassword=4,0
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\Requi
reSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\Enabl
eSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDiscon
nect=4,15
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForc
edLogOff=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSec
uritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecu
ritySignature=4,1
MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode=4,1
MACHINE\System\CurrentControlSet\Control\Session Manager\Memory
Management\ClearPageFileAtShutdown=4,1
MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print
Services\Servers\AddPrinterDrivers=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,2
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing=3,0
MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\SubmitControl=4,0
MACHINE\SYSTEM\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDe
mand=4,1
MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirec
t=4,0
MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableSecurityFil
ters=4,1
MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect=
4,2
MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableDeadGWDetec
t=4,0
MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscove
ry=4,0
MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime=4,3
00000
MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRo
uting=4,2
MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxConnectResp
onseRetransmissions=4,2
MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxDataRetrans
missions=4,3
MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PerformRouterDisc
overy=4,0
MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxPortsExhaus
ted=4,5
MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters\DynamicBacklogGrowt
hDelta=4,10
MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters\EnableDynamicBacklo
g=4,1
MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters\MinimumDynamicBackl
og=4,20
MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters\MaximumDynamicBackl
og=4,20000
MACHINE\System\CurrentControlSet\Control\FileSystem\NtfsDisable8dot3NameCrea
tion=4,1
MACHINE\System\CurrentControlSet\Control\LSA\MSV1_0\NtlmMinServerSec=4,53687
0912
MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveT
ypeAutoRun=4,255
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWi
thoutLogon=4,0


Quote:

> Dear Bill,

> Thank you for your posting.

> According to your post, you want to know the syntax of adding registry
> values to security template.

> If I have misunderstood your concern please don't hesitate to let me know.

> Please refer to the following article for complete steps:

> 214752 How to Add Custom Registry Settings to Security Configuration
Editor
> http://support.microsoft.com/?id=214752

> Sincerely,

> Seaver Ren

> Product Support Services
> Microsoft Corporation

> Get Secure! - www.microsoft.com/security

 
 
 

1. When new registry keys are created what is used as the template for security

A customer recently installed a program of mine on several PC's running Win
2000. The program in order to verify its environment reads information from
HKEY_LOCAL_MACHINE\ODBC. The information was put there by the system
administrator using the ODBC administration tool to establish a new system
dsn.

For all PC's program works fine when an admin is user. For all but one PC
program works fine when user is logged on. After much head scratching we
discovered that on that one PC only, the relevant keys within ODBC did not
have user read permission.

1. Where does the system get its template for establishing the security of
new keys?

2. Is this an ODBC peculiar issue or is it a broader problem that we need to
examine?

3. Is there a convenient API that the program could have used under an admin
user to ensure that it could read its keys in user mode?

Regards,
Al Christoph

2. Connecitng two DSU/CSU

3. Using admin templates to create new registry keys

4. A2386sx bridgeboard forsale

5. How to create a registry key using admin templates??

6. query suggestion pls. the windowing thing.

7. Adding Registry String Values thru Local Policy | Security Options in SecPol.msc

8. Better PIM than Desktop Contacts

9. Registry based policies/preferences; Security Templates vs. Administrative Templates

10. Security Templates - hisecdc.inf

11. How do you remove a Registry Value using command-line or a batch file?

12. HiSecWeb.inf Security templates

13. Inf Security Templates