; (c) Microsoft Corporation 1997-2000;; Security Configuration Template for

1. ; (c) Microsoft Corporation 1997-2000
2.  
3. ;
4.  
5. ; Security Configuration Template for Security Configuration Editor
6.  
7. ;
8.  
9. ; Template Name: HiSecDC.INF
10.  
11. ; Template Version: 05.10.HD.0000
12.  
13.  
14.  
15.  
16.  
17.  
18.  
19. [version]
20.  
21. signature="$CHICAGO$"
22.  
23. Revision=1
24.  
25.  
26.  
27. [System Access]
28.  
29. MinimumPasswordAge = 1
30.  
31. MaximumPasswordAge = 90
32.  
33. MinimumPasswordLength = 12
34.  
35. PasswordComplexity = 1
36.  
37. PasswordHistorySize = 24
38.  
39. LockoutBadCount = 5
40.  
41. ResetLockoutCount = 15
42.  
43. LockoutDuration = 15
44.  
45. ForceLogoffWhenHourExpire = 1
46.  
47. ClearTextPassword = 0
48.  
49. LSAAnonymousNameLookup = 0
50.  
51. EnableGuestAccount = 0
52.  
53.  
54.  
55. ;NewAdministatorName =
56.  
57. ;NewGuestName =
58.  
59. ;SecureSystemPartition
60.  
61.  
62.  
63. ;----------------------------------------------------------------
64.  
65. ;Event Log - Log Settings
66.  
67. ;----------------------------------------------------------------
68.  
69. ;Audit Log Retention Period:
70.  
71. ;0 = Overwrite Events As Needed
72.  
73. ;1 = Overwrite Events As Specified by Retention Days Entry
74.  
75. ;2 = Never Overwrite Events (Clear Log Manually)
76.  
77.  
78.  
79. [System Log]
80.  
81. RestrictGuestAccess = 1
82.  
83.  
84.  
85. [Security Log]
86.  
87. MaximumLogSize = 10240
88.  
89. AuditLogRetentionPeriod = 0
90.  
91. RestrictGuestAccess = 1
92.  
93.  
94.  
95. [Application Log]
96.  
97. RestrictGuestAccess = 1
98.  
99.  
100.  
101. ;----------------------------------------------------------------------
102.  
103. ; Local Policies\Audit Policy
104.  
105. ;----------------------------------------------------------------------
106.  
107. [Event Audit]
108.  
109. AuditSystemEvents = 3
110.  
111. AuditLogonEvents = 3
112.  
113. AuditObjectAccess = 3
114.  
115. AuditPrivilegeUse = 3
116.  
117. AuditPolicyChange = 3
118.  
119. AuditAccountManage = 3
120.  
121. AuditProcessTracking = 0
122.  
123. AuditDSAccess = 3
124.  
125. AuditAccountLogon = 3
126.  
127.  
128.  
129. ;----------------------------------------------------------------------
130.  
131. ; Local Policies\SecurityOptions
132.  
133. ;----------------------------------------------------------------------
134.  
135.  
136.  
137.  
138.  
139.  
140.  
141.  
142.  
143.  
144.  
145.  
146.  
147.  
148.  
149.  
150.  
151.  
152.  
153.  
154.  
155.  
156.  
157.  
158.  
159.  
160.  
161.  
162.  
163.  
164.  
165.  
166.  
167.  
168.  
169.  
170.  
171.  
172.  
173.  
174.  
175.  
176.  
177.  
178.  
179.  
180.  
181.  
182.  
183.  
184.  
185.  
186.  
187.  
188.  
189.  
190.  
191.  
192.  
193.  
194.  
195.  
196.  
197.  
198.  
199.  
200.  
201.  
202.  
203. [Strings]
204.  
205.  
206.  
207. SceInfAdministrator = "Administrator"
208.  
209. SceInfAdmins = "Administrators"
210.  
211. SceInfAcountOp = "Account Operators"
212.  
213. SceInfAuthUsers = "Authenticated Users"
214.  
215. SceInfBackupOp = "Backup Operators"
216.  
217. SceInfDomainAdmins = "Domain Admins"
218.  
219. SceInfDomainGuests = "Domain Guests"
220.  
221. SceInfDomainUsers = "Domain Users"
222.  
223. SceInfEveryone = "Everyone"
224.  
225. SceInfGuests = "Guests"
226.  
227. SceInfGuest = "Guest"
228.  
229. SceInfPowerUsers = "Power Users"
230.  
231. SceInfPrintOp = "Print Operators"
232.  
233. SceInfReplicator = "Replicator"
234.  
235. SceInfServerOp = "Server Operators"
236.  
237. SceInfUsers = "Users"
238.  
239. SceInfProgramFiles = "Program Files"
240.  
241. SceHiSecDCProfileDescription = "A superset of securedc. Provides further restrictions on LanManager authentication and further requirements for the encryption and signing of secure channel and SMB data. In order to apply hisecdc to a DC, all of the DC's in all trusted or trusting domains must be running Windows 2000 or later. See online help for further info."
242.  
243. [Kerberos Policy]
244.  
245. MaxTicketAge = 10
246.  
247. MaxRenewAge = 10080
248.  
249. MaxServiceAge = 10
250.  
251. MaxClockSkew = 5
252.  
253. TicketValidateClient = 1
254.  
255. [Registry Values]
256.  
257. MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption=1,"2"
258.  
259. MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning=4,14
260.  
261. MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon=4,1
262.  
263. MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"0"
264.  
265. MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies=1,"1"
266.  
267. MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD=1,"0"
268.  
269. MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms=1,"1"
270.  
271. MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand=4,0
272.  
273. MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel=4,0
274.  
275. MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UndockWithoutLogon=4,0
276.  
277. MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon=4,0
278.  
279. MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=7,
280.  
281. MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption=1,""
282.  
283. MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
284.  
285. MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,0
286.  
287. MACHINE\Software\Microsoft\Driver Signing\Policy=3,2
288.  
289. MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey=4,1
290.  
291. MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal=4,1
292.  
293. MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel=4,1
294.  
295. MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel=4,1
296.  
297. MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RefusePasswordChange=4,0
298.  
299. MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge=4,30
300.  
301. MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange=4,0
302.  
303. MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity=4,2
304.  
305. MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity=4,1
306.  
307. MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword=4,0
308.  
309. MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature=4,0
310.  
311. MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature=4,1
312.  
313. MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect=4,15
314.  
315. MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogOff=4,1
316.  
317. MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
318.  
319. MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,1
320.  
321. MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode=4,1
322.  
323. MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,1
324.  
325. MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive=4,1
326.  
327. MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers=4,1
328.  
329. MACHINE\System\CurrentControlSet\Control\Lsa\SubmitControl=4,0
330.  
331. MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
332.  
333. MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
334.  
335. MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
336.  
337. MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec=4,0
338.  
339. MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec=4,0
340.  
341. MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
342.  
343. MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing=3,0
344.  
345. MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,0
346.  
347. MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds=4,1
348.  
349. MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail=4,0
350.  
351. MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects=4,0
352.  
353. [Profile Description]
354.  
355. Description=A superset of securedc. Provides further restrictions on LanManager authentication and further requirements for the encryption and signing of secure channel and SMB data. In order to apply hisecdc to a DC, all of the DC's in all trusted or trusting domains must be running Windows 2000 or later. See online help for further info.