home *** CD-ROM | disk | FTP | other *** search
/ PC World Komputer 2010 April / PCWorld0410.iso / WindowsServerTrial / server.iso / sources / install.wim / 6 / Windows / inf / defltdc.inf < prev    next >
Encoding:
Text (UTF-16)  |  2008-01-18  |  69.6 KB  |  486 lines
  1. ; Copyright (c) Microsoft Corporation.  All rights reserved.
  2. ;
  3. ; Security Configuration Template for Security Configuration Editor
  4. ;
  5. ; Template Name:        DefltDC.INF
  6. ; Template Version:     05.10.DD.0000
  7. ;
  8. ; Default Security for Windows NT 5.1 Domain Controllers.
  9. ; Account Policies not set - Use DCFirst if first DC, else pull from existing domain.
  10.  
  11. [version]
  12. signature="$CHICAGO$"
  13. revision=1
  14. DriverVer=06/21/2006,6.0.6001.18000
  15.  
  16.  
  17. [System Access]
  18. ;----------------------------------------------------------------
  19. ;Local Policies - Security Options
  20. ;----------------------------------------------------------------
  21. LSAAnonymousNameLookup = 0
  22.  
  23.  
  24. ;----------------------------------------------------------------
  25. ;Event Log - Log Settings
  26. ;----------------------------------------------------------------
  27. ;Audit Log Retention Period:
  28. ;0 = Overwrite Events As Needed
  29. ;1 = Overwrite Events As Specified by Retention Days Entry
  30. ;2 = Never Overwrite Events (Clear Log Manually)
  31.  
  32. [System Log]
  33. MaximumLogSize = 20480
  34. AuditLogRetentionPeriod = 0
  35. ;RetentionDays = 7
  36. RestrictGuestAccess = 1
  37.  
  38. [Security Log]
  39. MaximumLogSize = 131072
  40. AuditLogRetentionPeriod = 0
  41. ;RetentionDays = 7
  42. RestrictGuestAccess = 1
  43.  
  44. [Application Log]
  45. MaximumLogSize = 20480
  46. AuditLogRetentionPeriod = 0
  47. ;RetentionDays = 7
  48. RestrictGuestAccess = 1
  49.  
  50. ;----------------------------------------------------------------
  51. ;Registry Values
  52. ;----------------------------------------------------------------
  53. [Registry Values]
  54. ; Registry value name in full path = Type, Value
  55. ; REG_SZ                      ( 1 )
  56. ; REG_EXPAND_SZ               ( 2 )  // with environment variables to expand
  57. ; REG_BINARY                  ( 3 )
  58. ; REG_DWORD                   ( 4 )
  59. ; REG_MULTI_SZ                ( 7 )
  60.  
  61. ;Copied to Default DC GPO if first DC
  62.  
  63. ;We need to make sure Server-Side Packet Signing is on in the DC case.
  64. ;The rest of the registry values are maintained from the server.
  65. MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,1
  66. MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
  67.  
  68. ;All DC's should be consistent wrt secure channel signing and LMC
  69. MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,3
  70. MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal=4,1
  71. MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity=4,1
  72.  
  73. ;----------------------------------------------------------------------
  74. ;   Privileges & Rights
  75. ;----------------------------------------------------------------------
  76. ;
  77. ;World                          S-1-1-0
  78. ;
  79. ;NT Authority                   S-1-5
  80. ;ENTERPRISE_CONTROLLERS         9
  81. ;AUTHENTICATED_USER             11
  82. ;LOCAL_SERVICE                  19
  83. ;NETWORK_SERVICE                20
  84. ;
  85. ;Built-In Domain SubAuthority = S-1-5-32
  86. ;ADMINISTRATORS                 544
  87. ;USERS                          545
  88. ;GUESTS                         546
  89. ;POWER_USERS  (DEPRECATED)
  90. ;ACCOUNT_OPS                    548
  91. ;SYSTEM_OPS                     549
  92. ;PRINT_OPS                      550
  93. ;BACKUP_OPS                     551
  94. ;REPLICATOR                     552
  95. ;RAS_SERVERS                    553
  96. ;PREW2KCOMPACCESS               554
  97. ;REMOTE_DESKTOP_USERS           555
  98. ;NETWORK_CONFIGURATION_OPS      556
  99. ;LOGGING_USERS                  559
  100. ;
  101. [Privilege Rights]
  102. ;Add Whatever a DC should have by default.
  103. ;Remove Power Users from every right since it no longer exists but may have been added.
  104. ;Remove Whatever *Default* Server Rights don't belong on a DC
  105. ;If Server and DC Defaults are the same, then only power users is removed
  106. ;If You remove Everyone, Remove Authenticated Users as well.
  107. ;
  108. SeAssignPrimaryTokenPrivilege = Add:, *S-1-5-19, *S-1-5-20
  109. SeAuditPrivilege = Add:, *S-1-5-19, *S-1-5-20
  110. SeBackupPrivilege = Add:, *S-1-5-32-544, *S-1-5-32-551, *S-1-5-32-549
  111. SeBatchLogonRight = Add:, *S-1-5-32-544, *S-1-5-32-551, *S-1-5-32-559
  112. SeChangeNotifyPrivilege = Add:, *S-1-5-32-544, *S-1-5-11, *S-1-1-0, *S-1-5-32-554, *S-1-5-19, *S-1-5-20, Remove:, *S-1-5-32-551,  *S-1-5-32-545
  113. SeCreateGlobalPrivilege = Add:, *S-1-5-19, *S-1-5-20
  114. SeImpersonatePrivilege = Add:, *S-1-5-19, *S-1-5-20
  115. SeCreatePagefilePrivilege = Add:, *S-1-5-32-544
  116. ;SeCreatePermanentPrivilege = Remove:, *S-1-5-32-547
  117. SeCreateSymbolicLinkPrivilege = Add:, *S-1-5-32-544
  118. ;SeCreateTokenPrivilege = Remove:, *S-1-5-32-547
  119. SeDebugPrivilege = Add:, *S-1-5-32-544
  120. SeIncreaseBasePriorityPrivilege = Add:, *S-1-5-32-544
  121. SeIncreaseQuotaPrivilege = Add:, *S-1-5-32-544, *S-1-5-19, *S-1-5-20
  122. SeIncreaseWorkingSetPrivilege = Add:, *S-1-5-32-545
  123. SeInteractiveLogonRight = Add:, *S-1-5-32-548, *S-1-5-32-544, *S-1-5-32-551, *S-1-5-32-549, *S-1-5-32-550, Remove:,  *S-1-5-11, *S-1-5-32-546, &-501, *S-1-5-32-545, *S-1-1-0
  124. SeLoadDriverPrivilege = Add:, *S-1-5-32-544, *S-1-5-32-550
  125. ;SeLockMemoryPrivilege = Remove:, *S-1-5-32-547
  126. SeMachineAccountPrivilege = Add:, *S-1-5-11
  127. SeManageVolumePrivilege = Add:, *S-1-5-32-544
  128. SeNetworkLogonRight = Add:, *S-1-5-32-544, *S-1-5-11, *S-1-1-0, *S-1-5-9, *S-1-5-32-554, Remove:, *S-1-5-32-551, *S-1-5-32-546, &-501, *S-1-5-32-545
  129. SeProfileSingleProcessPrivilege = Add:, *S-1-5-32-544
  130. SeRemoteInteractiveLogonRight = Add:, *S-1-5-32-544, Remove:, *S-1-5-32-555, *S-1-5-11, *S-1-5-32-546, &-501, *S-1-5-32-545, *S-1-1-0
  131. SeRemoteShutdownPrivilege = Add:, *S-1-5-32-544, *S-1-5-32-549
  132. SeRestorePrivilege = Add:, *S-1-5-32-544, *S-1-5-32-551, *S-1-5-32-549
  133. SeSecurityPrivilege = Add:, *S-1-5-32-544
  134. ;SeServiceLogonRight = Remove:, *S-1-5-32-547
  135. SeShutdownPrivilege = Add:, *S-1-5-32-544, *S-1-5-32-551, *S-1-5-32-549, *S-1-5-32-550, Remove:, *S-1-5-11, *S-1-5-32-546, &-501, *S-1-5-32-545, *S-1-1-0
  136. SeSystemEnvironmentPrivilege = Add:, *S-1-5-32-544
  137. SeSystemProfilePrivilege = Add:, *S-1-5-32-544
  138. SeSystemTimePrivilege = Add:, *S-1-5-32-544, *S-1-5-32-549, *S-1-5-19, Remove:,  *S-1-5-20
  139. SeTakeOwnershipPrivilege = Add:, *S-1-5-32-544
  140. SeTimeZonePrivilege = Add:, *S-1-5-32-544, *S-1-5-19, *S-1-5-32-549
  141. ;SeTcbPrivilege = Remove:, *S-1-5-32-547
  142. ;
  143. ;SeDenyInteractiveLogonRight = Remove:, *S-1-5-32-547
  144. ;SeDenyBatchLogonRight = Remove:, *S-1-5-32-547
  145. ;SeDenyServiceLogonRight = Remove:, *S-1-5-32-547
  146. ;SeDenyNetworkLogonRight = Remove:, *S-1-5-32-547
  147. ;SeDenyRemoteInteractiveLogonRight = Remove:, *S-1-5-32-547
  148. ;
  149. SeUndockPrivilege = Add:, *S-1-5-32-544, Remove:,  *S-1-5-32-545
  150. ;SeSyncAgentPrivilege = Remove:, *S-1-5-32-547
  151. SeEnableDelegationPrivilege = Add:, *S-1-5-32-544
  152.  
  153. [Service General Setting]
  154. ;Note: startup type should not be configured during setup\dcpromo.
  155. ;autostarted on workstations and servers, standalone or joined
  156. Browser,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  157. ;TrkWks,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  158. ;Dnscache,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;NO)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  159. ;PolicyAgent,,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  160. dmserver,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  161. ;PlugPlay,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  162. ;Spooler,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  163. ;ProtectedStorage,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  164. ;RpcSs,,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLO;;;IU)(A;;CCLCSWRPLO;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  165. NtmsSvc,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  166. ;seclogon,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  167. SamSs,,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLO;;;IU)(A;;CCLCSWLO;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  168. ;lanmanserver,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  169. ;SENS,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  170. ;Schedule,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  171. Sysmonlog,,"D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCRPLOCR;;;LU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  172. ;LmHosts,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  173. ;LanmanWorkstation,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  174. ;RemoteRegistry,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  175.  
  176.  
  177. ClipSrv,,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLO;;;IU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  178. NetDDE,,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLO;;;IU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  179. NetDDEdsdm,,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLO;;;IU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  180. ;EventSystem,,"D:(A;;CCLCSWRPLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  181.  
  182. ;Not autostarted if machine is standalone
  183. ;Netlogon,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  184. ;W32Time,,"D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLO;;;IU)(A;;CCLCSWRPLO;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  185.  
  186. ;Server Only Services
  187. Dfs,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  188. LicenseService,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  189.  
  190. ;IIS Specific Services - Leave them alone
  191. ;IISADMIN,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  192. ;W3SVC,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  193. ;MSFTPSVC,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  194. ;SMTPSVC,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  195.  
  196.  
  197. ;
  198. ; set default startup for the following services - do not touch permissions
  199. ;
  200. TrkSvr,4,""
  201. upnphost,4,""
  202. ssdpsrv,4,""
  203.  
  204.  
  205. [Registry Keys]
  206.  
  207. "MACHINE\SOFTWARE\Microsoft\COM3",2,"D:P(A;CI;GR;;;AU)(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  208.  
  209. "MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates",2,"D:P(A;CI;GR;;;AU)(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  210. "MACHINE\SOFTWARE\Microsoft\NTDS",2,"D:P(A;CI;GR;;;AU)(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  211. "MACHINE\SOFTWARE\Microsoft\Speech",2,"D:P(A;CI;GR;;;AU)(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  212. "MACHINE\SOFTWARE\Microsoft\SystemCertificates",2,"D:P(A;CI;GR;;;AU)(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  213. "MACHINE\SOFTWARE\Microsoft\SystemCertificates\Authroot",2,"D:AI(A;CIOI;GA;;;S-1-5-80-242729624-280608522-2219052887-3187409060-2225943459)"
  214. "MACHINE\SOFTWARE\Microsoft\Transaction Server",2,"D:P(A;CI;GR;;;AU)(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  215.  
  216. "MACHINE\SOFTWARE\Microsoft\Windows",0,"D:AR"
  217.  
  218. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders",2,"D:P(A;CI;GR;;;AU)(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  219. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx",2,"D:P(A;CI;GR;;;AU)(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  220. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",2,"D:P(A;CI;GR;;;AU)(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  221.  
  222. ;Don't overwrite the following keys which are protected and secured by the component
  223. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy",1,"D:AR"
  224. "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies",1,"D:AR"
  225. "MACHINE\SOFTWARE\Microsoft\SMS",1,"D:AR"
  226.  
  227. "MACHINE\SOFTWARE\Microsoft\Windows NT",0,"D:AR"
  228.  
  229. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility",2,"D:P(A;CI;GR;;;AU)(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  230. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS",2,"D:P(A;CI;GR;;;AU)(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  231. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PerHwIdStorage",2,"D:P(A;CI;GR;;;AU)(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  232. "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing",2,"D:P(A;CI;GRGWSD;;;LS)(A;CI;GRGWSD;;;NS)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  233.  
  234. "MACHINE\SYSTEM",0,"D:P(A;CI;GR;;;AU)(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  235.  
  236. "MACHINE\SYSTEM\Clone",1,"D:AR"
  237.  
  238. "MACHINE\SYSTEM\ControlSet001",1,"D:AR"
  239. "MACHINE\SYSTEM\ControlSet002",1,"D:AR"
  240. "MACHINE\SYSTEM\ControlSet003",1,"D:AR"
  241. "MACHINE\SYSTEM\ControlSet004",1,"D:AR"
  242. "MACHINE\SYSTEM\ControlSet005",1,"D:AR"
  243. "MACHINE\SYSTEM\ControlSet006",1,"D:AR"
  244. "MACHINE\SYSTEM\ControlSet007",1,"D:AR"
  245. "MACHINE\SYSTEM\ControlSet008",1,"D:AR"
  246. "MACHINE\SYSTEM\ControlSet009",1,"D:AR"
  247. "MACHINE\SYSTEM\ControlSet010",1,"D:AR"
  248.  
  249. "MACHINE\SYSTEM\CurrentControlSet\Control",0,"D:P(A;CI;GR;;;AU)(A;CI;GRGWSD;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  250.  
  251.  
  252. "MACHINE\SYSTEM\CurrentControlSet\Control\Class",0,"D:AR"
  253. "MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts",2,"D:(A;CI;GR;;;WD)"
  254. "MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers",2,"D:P(A;CI;GR;;;AU)(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  255. "MACHINE\SYSTEM\CurrentControlSet\Control\LSA",2,"D:P(A;CI;GR;;;AU)(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  256. "MACHINE\SYSTEM\CurrentControlSet\Control\LSA\JD",2,"D:P(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  257. "MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Skew1",2,"D:P(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  258. "MACHINE\SYSTEM\CurrentControlSet\Control\LSA\GBG",2,"D:P(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  259. "MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Data",2,"D:P(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  260. "MACHINE\SYSTEM\CurrentControlSet\Control\Nsi",2,"D:P(A;CI;KR;;;BU)(A;CI;KA;;;BA)(A;CI;KA;;;SY)(A;CI;CCDCLCSWRPWPSDRC;;;NS)(A;CI;CCDCLCSWRPWPSDRC;;;LS)(A;CI;CCDCLCSWRPSDRC;;;NO)(A;CI;CCDCLCSWRPWPSDRC;;;S-1-5-80-2940520708-3855866260-481812779-327648279-1710889582)(A;CIIO;RC;;;S-1-3-4)"
  261. "MACHINE\SYSTEM\CurrentControlSet\Control\Nsi\{eb004a00-9b1a-11d4-9123-0050047759bc}\4",2,"D:P(A;CI;CCDCLCSWRPRC;;;AU)(A;CI;CCDCLCSWRPWPSDRC;;;LS)(A;CI;CCDCLCSWRPWPSDRC;;;NS)((A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CIIO;RC;;;S-1-3-4)"
  262. "MACHINE\SYSTEM\CurrentControlSet\Control\Nsi\{eb004a01-9b1a-11d4-9123-0050047759bc}\4",2,"D:P(A;CI;CCDCLCSWRPRC;;;AU)(A;CI;CCDCLCSWRPWPSDRC;;;LS)(A;CI;CCDCLCSWRPWPSDRC;;;NS)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CIIO;RC;;;S-1-3-4)"
  263. "MACHINE\SYSTEM\CurrentControlSet\Control\Nsi\{eb004a1C-9b1a-11d4-9123-0050047759bc}\0",2,"D:P(A;CI;CCDCLCSWRPRC;;;AU)(A;CI;CCDCLCSWRPWPSDRC;;;LS)(A;CI;CCDCLCSWRPWPSDRC;;;NS)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CIIO;RC;;;S-1-3-4)"
  264. "MACHINE\SYSTEM\CurrentControlSet\Control\PriorityControl",2,"D:P(A;CI;GR;;;AU)(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  265. "MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions",2,"D:P(A;CI;GR;;;AU)(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)"
  266.  
  267. "MACHINE\SYSTEM\CurrentControlSet\Enum",1,"D:AR"
  268. "MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles",1,"D:AR"
  269. "MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server",1,"D:AR"
  270.  
  271. ;Don't whack more restrictive security subkeys during DCPromo
  272. "MACHINE\SYSTEM\CurrentControlSet\Services",0,"D:P(A;CI;GR;;;AU)(A;CI;GRGWSD;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  273. "MACHINE\SYSTEM\CurrentControlSet\Services\KDC",0,"D:P(A;CI;GR;;;AU)(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  274. "MACHINE\SYSTEM\CurrentControlSet\Services\LicenseInfo",2,"D:AR(A;CI;CCLCSWRPRC;;;NS)(A;CIIO;CCDCLCSWRPRC;;;NS)"
  275. "MACHINE\SYSTEM\CurrentControlSet\Services\NTDS",0,"D:P(A;CI;GR;;;AU)(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  276. "MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters",0,"D:P(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  277. "MACHINE\SYSTEM\CurrentControlSet\Services\NTFRS",0,"D:P(A;CI;GR;;;AU)(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  278. "MACHINE\SYSTEM\CurrentControlSet\Services\SysmonLog\Log Queries",2,"D:(A;CI;GA;;;NS)(A;CI;CCDCLCSWSDRC;;;LU)"
  279.  
  280. "MACHINE\SYSTEM\CurrentControlSet\Services\WinTrust",2,"D:P(A;CI;GR;;;AU)(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
  281.  
  282. "USERS\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\ProtectedRoots",1,"D:AR"
  283.  
  284.  
  285. [File Security]
  286.  
  287.  
  288. ;---------------------------------------------------------------------------------------------
  289. ;ProgramFiles
  290. ;---------------------------------------------------------------------------------------------
  291. "%SceInfCommonProgramFiles%\SpeechEngines\Microsoft\TTS",2,"D:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  292.  
  293. ;---------------------------------------------------------------------------------------------
  294. ;Win64 ProgramFiles Directory
  295. ;---------------------------------------------------------------------------------------------
  296.  
  297. ;---------------------------------------------------------------------------------------------
  298. ;System Root (Typically \WINDOWS)
  299. ;---------------------------------------------------------------------------------------------
  300.  
  301.  
  302. ;Different from parent
  303. "%SystemRoot%\Debug",2,"D:P(A;;GX;;;AU)(A;;GX;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  304. "%SystemRoot%\Driver Cache",2,"D:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  305. "%SystemRoot%\mui",2,"D:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  306.  
  307. ;Directories that did not exist when security applied during clean-install Server - Creator specifies directory security.
  308. ;We explicitly ignore so as not to whack the component-specified DIRECTORY security during DCPromo.
  309. ;Previous directory security should be compatible with DC's or component should reset during DCPromo.
  310. "%Systemroot%\repair\default",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  311. "%Systemroot%\repair\ntuser.dat",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  312. "%Systemroot%\repair\sam",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  313. "%Systemroot%\repair\security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  314. "%Systemroot%\repair\software",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  315. "%Systemroot%\repair\system",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  316.  
  317. ;Profiles folder (typically %systemdrive%\Documents and Settings)
  318.  
  319. ;Profile for LocalService and NetworkService, moved from Users in Longhorn, creator specifies security
  320. "%SystemRoot%\ServiceProfiles\LocalService",1,"D:P(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;LS)"
  321. "%SystemRoot%\ServiceProfiles\NetworkService",1,"D:P(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;NS)"
  322.  
  323. ;---------------------------------------------------------------------------------------------
  324. ;System Directory (Typically \Windows\System32)
  325. ;---------------------------------------------------------------------------------------------
  326.  
  327. ;Differences from parent
  328. "%SystemDirectory%\config",2,"D:P(A;CI;GRGX;;;AU)(A;CI;GRGX;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  329. "%SystemDirectory%\LogFiles",2,"D:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  330. "%SystemDirectory%\mui",2,"D:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  331. "%SystemDirectory%\spool",2,"D:(A;CIOI;GA;;;PO)"
  332. "%SystemDirectory%\windows media\server",2,"D:(A;CIOI;GRGWGXSD;;;NS)"
  333. "%SystemDirectory%\wbem\mof",2,"D:P(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  334. "%SystemDirectory%\CMOS.RAM",2,"D:P(A;;GRGX;;;AU)(A;;GRGWGXSD;;;SO)(A;;GA;;;BA)(A;;GA;;;SY)"
  335. "%SystemDirectory%\Midimap.cfg",2,"D:P(A;;GRGX;;;AU)(A;;GRGWGXSD;;;SO)(A;;GA;;;BA)(A;;GA;;;SY)"
  336.  
  337. ; Directories that might not exist when security is applied; but are listed here
  338. ; so that they get secured correctly on converting the file system to NTFS
  339. "%SystemDirectory%\Windows media",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGWGXSD;;;NS)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  340. "%SystemDirectory%\Windows media\Server\WMSServerUpgrade.exe",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;NS)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  341. "%SystemDirectory%\Windows media\Server\interop_msxml.dll",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;NS)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  342. "%SystemDirectory%\Windows Media\Server\Admin\mmc\WMSHTTPAuthenPropPage.dll",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;NS)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  343. "%SystemDirectory%\Windows Media\Server\Admin\mmc\WMSHttpSysCfg.exe",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;NS)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  344. "%SystemDirectory%\Windows Media\Server\Admin\web\WMSASPADMIN.dll",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGX;;;NS)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
  345.  
  346.  
  347. ;-----------------------------------------------------------------------------------------
  348. ; SysWOW64 directories
  349. ;-----------------------------------------------------------------------------------------
  350.  
  351.  
  352. ;---------------------------------------------------------------------------------------------
  353. ;DS Data and Log Directories.  Engine resolves via registry.
  354. ;---------------------------------------------------------------------------------------------
  355. ;Relying on fact that engine lets last one win when DSLog and DSDit are the same.
  356. "%DSDIT%",2,"D:P(A;CIOI;GA;;;SY)(A;CIOI;GA;;;BA)"
  357. "%DSLOG%",2,"D:P(A;CIOI;GA;;;SY)(A;CIOI;GA;;;BA)(A;OICIIO;GA;;;CO)(A;CI;0x100004;;;LS)"
  358. ;---------------------------------------------------------------------------------------------
  359. ;Sysvol. Engine resolves via registry.
  360. ;---------------------------------------------------------------------------------------------
  361.  
  362. ; Notes about ACL:
  363. ; 1. BA, CO have all rights on %sysvol% folder except FILE_DELETE_CHILD (i.e. "Delete subfolders and files"). 
  364. ;    This buys us the following:
  365. ;    - Prevent deletion of \sysvol subfolder by BA, CO.
  366. "%Sysvol%",2,"D:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;;GRGWGXSDWDWO;;;BA)(A;CIOIIO;GA;;;BA)(A;CIOI;GA;;;SY)(A;;GRGWGXSDWDWO;;;CO)(A;CIOIIO;GA;;;CO)"
  367.  
  368. ; Notes about ACL:
  369. ; 1. BA, CO have all rights on %Sysvol%\sysvol folder and subfolders (note: CIOI) except DELETE and FILE_DELETE_CHILD.
  370. ;    This buys us the following:
  371. ;    - Lack of DELETE right (in combination with lack of FILE_DELETE_CHILD right on parent folder %sysvol%) helps prevent deletion of 
  372. ;      folder by BA, CO. 
  373. ;    - Lack of FILE_DELETE_CHILD help prevent deletion of \<domain> subfolder by BA, CO
  374. ;    - Passing on limited rights to subfolders and files ensures that BA, CO also do not have DELETE right on \<domain> subfolder.
  375. ; 2. Successful folder deletion is audited for Everyone (WD). Also, auditing is set on subfolders and files as well. This is so that
  376. ;    \<domain> subfolder deletion is audited.
  377. "%Sysvol%\sysvol",2,"D:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;CIOI;GRGWGXWDWO;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GRGWGXWDWO;;;CO)S:(AU;CIOISA;SD;;;WD)"
  378.  
  379. ; Notes about ACL:
  380. ; 1. BA, CO have all rights on %Sysvol%\domain folder (note: NOT passed on to subfolders) except DELETE and FILE_DELETE_CHILD.
  381. ;    This buys us the following:
  382. ;    - Lack of DELETE right (in combination with lack of FILE_DELETE_CHILD right on parent folder %sysvol%) helps prevent deletion of 
  383. ;      folder by BA, CO. 
  384. ;    - Lack of FILE_DELETE_CHILD help prevent deletion of \scripts, \policies subfolders by BA, CO.
  385. ; 2. Successful folder deletion is audited for Everyone (WD).
  386. "%Sysvol%\domain",2,"D:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;;GRGWGXWDWO;;;BA)(A;CIOIIO;GA;;;BA)(A;CIOI;GA;;;SY)(A;;GRGWGXWDWO;;;CO)(A;CIOIIO;GA;;;CO)S:(AU;SA;SD;;;WD)"
  387.  
  388. ; Notes about ACL: ACL gives same rights for BA, CO as parent folder.
  389. "%Sysvol%\domain\scripts",2,"D:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;;GRGWGXWDWO;;;BA)(A;CIOIIO;GA;;;BA)(A;CIOI;GA;;;SY)(A;;GRGWGXWDWO;;;CO)(A;CIOIIO;GA;;;CO)S:(AU;SA;SD;;;WD)"
  390. "%Sysvol%\domain\policies",2,"D:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;;GRGWGXWDWO;;;BA)(A;CIOIIO;GA;;;BA)(A;CIOI;GA;;;SY)(A;;GRGWGXWDWO;;;CO)(A;CIOIIO;GA;;;CO)(A;CIOI;GRGWGX;;;PA)S:(AU;SA;SD;;;WD)"
  391.  
  392. ;---------------------------------------------------------------------------------------------
  393. ;Default Domain Policy GPO and Default Domain Controllers Policy GPO
  394. ;---------------------------------------------------------------------------------------------
  395. "%Sysvol%\domain\policies\{31b2f340-016d-11d2-945f-00c04fb984f9}",2,"D:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;;GRGWGXWDWO;;;BA)(A;CIOIIO;GA;;;BA)(A;CIOI;GA;;;SY)(A;;GRGWGXWDWO;;;CO)(A;CIOIIO;GA;;;CO)S:(AU;SA;SD;;;WD)"
  396. "%Sysvol%\domain\policies\{6ac1786c-016f-11d2-945f-00c04fb984f9}",2,"D:P(A;CIOI;GRGX;;;AU)(A;CIOI;GRGX;;;SO)(A;;GRGWGXWDWO;;;BA)(A;CIOIIO;GA;;;BA)(A;CIOI;GA;;;SY)(A;;GRGWGXWDWO;;;CO)(A;CIOIIO;GA;;;CO)S:(AU;SA;SD;;;WD)"
  397. ;---------------------------------------------------------------------------------------------
  398. ;Don't allow access of console apps remotely
  399. ;---------------------------------------------------------------------------------------------
  400. "%SceInfProgramFiles%\Common Files\Microsoft Shared\Web Server Extensions\50\bin\owsadm.exe",2,"D:P(A;;GRGX;;;IU)(A;;GRGX;;;SU)(A;;GRGX;;;S-1-5-3)(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;CO)"
  401. "%SceInfProgramFiles%\Common Files\Microsoft Shared\Web Server Extensions\50\bin\owsrmadm.exe",2,"D:P(A;;GRGX;;;IU)(A;;GRGX;;;SU)(A;;GRGX;;;S-1-5-3)(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;CO)"
  402. "%SceInfProgramFiles%\Microsoft SQL Server\80\Tools\Binn\bcp.exe",2,"D:P(A;;GRGX;;;IU)(A;;GRGX;;;SU)(A;;GRGX;;;S-1-5-3)(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;CO)"
  403. "%SceInfProgramFiles%\Microsoft SQL Server\80\Tools\Binn\DTSRUN.exe",2,"D:P(A;;GRGX;;;IU)(A;;GRGX;;;SU)(A;;GRGX;;;S-1-5-3)(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;CO)"
  404. "%SceInfProgramFiles%\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe",2,"D:P(A;;GRGX;;;IU)(A;;GRGX;;;SU)(A;;GRGX;;;S-1-5-3)(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;CO)"
  405. ;"%SceInfProgramFiles%\Microsoft SQL Server\MSSQL$UDDI\Binn\cmdwrap.exe",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  406. ;"%SceInfProgramFiles%\Microsoft SQL Server\MSSQL$UDDI\Binn\sqlmaint.exe",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  407. ;"%SceInfProgramFiles%\Microsoft SQL Server\MSSQL$UDDI\Binn\sqlservr.exe",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
  408. "%SystemRoot%\Cluster\ResrcMon.exe",2,"D:P(A;;GRGX;;;IU)(A;;GRGX;;;SU)(A;;GRGX;;;S-1-5-3)(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;CO)"
  409. "%SystemRoot%\Microsoft.NET\Framework\v1.1.4322\gacutil.exe",2,"D:P(A;;GRGX;;;IU)(A;;GRGX;;;SU)(A;;GRGX;;;S-1-5-3)(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;CO)"
  410. "%SystemRoot%\Microsoft.NET\Framework\v1.1.4322\MigPol.exe",2,"D:P(A;;GRGX;;;IU)(A;;GRGX;;;SU)(A;;GRGX;;;S-1-5-3)(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;CO)"
  411. "%Systemdirectory%\appverif.exe",2,"D:P(A;;GRGX;;;IU)(A;;GRGX;;;SU)(A;;GRGX;;;S-1-5-3)(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;CO)"
  412. "%Systemdirectory%\atmadm.exe",2,"D:P(A;;GRGX;;;IU)(A;;GRGX;;;SU)(A;;GRGX;;;S-1-5-3)(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;CO)"
  413. "%Systemdirectory%\bootok.exe",2,"D:P(A;;GRGX;;;IU)(A;;GRGX;;;SU)(A;;GRGX;;;S-1-5-3)(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;CO)"
  414. "%Systemdirectory%\bootvrfy.exe",2,"D:P(A;;GRGX;;;IU)(A;;GRGX;;;SU)(A;;GRGX;;;S-1-5-3)(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;CO)"
  415. "%Systemdirectory%\Com\comrereg.exe",2,"D:P(A;;GRGX;;;IU)(A;;GRGX;;;SU)(A;;GRGX;;;S-1-5-3)(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;CO)"
  416. "%Systemdirectory%\comclust.exe",2,"D:P(A;;GRGX;;;IU)(A;;GRGX;;;SU)(A;;GRGX;;;S-1-5-3)(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;CO)"
  417. "%Systemdirectory%\convlog.exe",2,"D:P(A;;GRGX;;;IU)(A;;GRGX;;;SU)(A;;GRGX;;;S-1-5-3)(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;CO)"
  418. "%Systemdirectory%\cprofile.exe",2,"D:P(A;;GRGX;;;IU)(A;;GRGX;;;SU)(A;;GRGX;;;S-1-5-3)(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;CO)"
  419. "%Systemdirectory%\driverquery.exe",2,"D:P(A;;GRGX;;;IU)(A;;GRGX;;;SU)(A;;GRGX;;;S-1-5-3)(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;CO)"
  420. "%Systemdirectory%\forcedos.exe",2,"D:P(A;;GRGX;;;IU)(A;;GRGX;;;SU)(A;;GRGX;;;S-1-5-3)(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;CO)"
  421. "%Systemdirectory%\gettype.exe",2,"D:P(A;;GRGX;;;IU)(A;;GRGX;;;SU)(A;;GRGX;;;S-1-5-3)(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;CO)"
  422. "%Systemdirectory%\gpresult.exe",2,"D:P(A;;GRGX;;;IU)(A;;GRGX;;;SU)(A;;GRGX;;;S-1-5-3)(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;CO)"
  423. "%Systemdirectory%\inuse.exe",2,"D:P(A;;GRGX;;;IU)(A;;GRGX;;;SU)(A;;GRGX;;;S-1-5-3)(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;CO)"
  424. "%Systemdirectory%\ipsec6.exe",2,"D:P(A;;GRGX;;;IU)(A;;GRGX;;;SU)(A;;GRGX;;;S-1-5-3)(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;CO)"
  425. "%Systemdirectory%\ipxroute.exe",2,"D:P(A;;GRGX;;;IU)(A;;GRGX;;;SU)(A;;GRGX;;;S-1-5-3)(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;CO)"
  426. "%Systemdirectory%\jdbgmgr.exe",2,"D:P(A;;GRGX;;;IU)(A;;GRGX;;;SU)(A;;GRGX;;;S-1-5-3)(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;CO)"
  427. "%Systemdirectory%\jview.exe",2,"D:P(A;;GRGX;;;IU)(A;;GRGX;;;SU)(A;;GRGX;;;S-1-5-3)(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;CO)"
  428. "%Systemdirectory%\lserver.exe",2,"D:P(A;;GRGX;;;IU)(A;;GRGX;;;SU)(A;;GRGX;;;S-1-5-3)(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;CO)"
  429. "%Systemdirectory%\macfile.exe",2,"D:P(A;;GRGX;;;IU)(A;;GRGX;;;SU)(A;;GRGX;;;S-1-5-3)(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;CO)"
  430. "%Systemdirectory%\ntsd.exe",2,"D:P(A;;GRGX;;;IU)(A;;GRGX;;;SU)(A;;GRGX;;;S-1-5-3)(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;CO)"
  431. "%Systemdirectory%\nw16.exe",2,"D:P(A;;GRGX;;;IU)(A;;GRGX;;;SU)(A;;GRGX;;;S-1-5-3)(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;CO)"
  432. "%Systemdirectory%\nwscript.exe",2,"D:P(A;;GRGX;;;IU)(A;;GRGX;;;SU)(A;;GRGX;;;S-1-5-3)(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;CO)"
  433. "%Systemdirectory%\openfiles.exe",2,"D:P(A;;GRGX;;;IU)(A;;GRGX;;;SU)(A;;GRGX;;;S-1-5-3)(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;CO)"
  434. "%Systemdirectory%\pentnt.exe",2,"D:P(A;;GRGX;;;IU)(A;;GRGX;;;SU)(A;;GRGX;;;S-1-5-3)(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;CO)"
  435. "%Systemdirectory%\ping6.exe",2,"D:P(A;;GRGX;;;IU)(A;;GRGX;;;SU)(A;;GRGX;;;S-1-5-3)(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;CO)"
  436. "%Systemdirectory%\proxycfg.exe",2,"D:P(A;;GRGX;;;IU)(A;;GRGX;;;SU)(A;;GRGX;;;S-1-5-3)(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;CO)"
  437. "%Systemdirectory%\rcp.exe",2,"D:P(A;;GRGX;;;IU)(A;;GRGX;;;SU)(A;;GRGX;;;S-1-5-3)(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;CO)"
  438. "%Systemdirectory%\rexec.exe",2,"D:P(A;;GRGX;;;IU)(A;;GRGX;;;SU)(A;;GRGX;;;S-1-5-3)(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;CO)"
  439. "%Systemdirectory%\routemon.exe",2,"D:P(A;;GRGX;;;IU)(A;;GRGX;;;SU)(A;;GRGX;;;S-1-5-3)(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;CO)"
  440. "%Systemdirectory%\rsh.exe",2,"D:P(A;;GRGX;;;IU)(A;;GRGX;;;SU)(A;;GRGX;;;S-1-5-3)(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;CO)"
  441. "%Systemdirectory%\RsLnk.exe",2,"D:P(A;;GRGX;;;IU)(A;;GRGX;;;SU)(A;;GRGX;;;S-1-5-3)(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;CO)"
  442. "%Systemdirectory%\Rss.exe",2,"D:P(A;;GRGX;;;IU)(A;;GRGX;;;SU)(A;;GRGX;;;S-1-5-3)(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;CO)"
  443. "%Systemdirectory%\RsServ.exe",2,"D:P(A;;GRGX;;;IU)(A;;GRGX;;;SU)(A;;GRGX;;;S-1-5-3)(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;CO)"
  444. "%Systemdirectory%\RsTore.exe",2,"D:P(A;;GRGX;;;IU)(A;;GRGX;;;SU)(A;;GRGX;;;S-1-5-3)(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;CO)"
  445. "%Systemdirectory%\rsvp.exe",2,"D:P(A;;GRGX;;;IU)(A;;GRGX;;;SU)(A;;GRGX;;;S-1-5-3)(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;CO)"
  446. "%Systemdirectory%\scardsvr.exe",2,"D:P(A;;GRGX;;;IU)(A;;GRGX;;;SU)(A;;GRGX;;;S-1-5-3)(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;CO)"
  447. "%Systemdirectory%\schtasks.exe",2,"D:P(A;;GRGX;;;IU)(A;;GRGX;;;SU)(A;;GRGX;;;S-1-5-3)(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;CO)"
  448. "%Systemdirectory%\sfmprint.exe",2,"D:P(A;;GRGX;;;IU)(A;;GRGX;;;SU)(A;;GRGX;;;S-1-5-3)(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;CO)"
  449. "%Systemdirectory%\sfmpsexe.exe",2,"D:P(A;;GRGX;;;IU)(A;;GRGX;;;SU)(A;;GRGX;;;S-1-5-3)(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;CO)"
  450. "%Systemdirectory%\sfmsvc.exe",2,"D:P(A;;GRGX;;;IU)(A;;GRGX;;;SU)(A;;GRGX;;;S-1-5-3)(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;CO)"
  451. "%Systemdirectory%\systeminfo.exe",2,"D:P(A;;GRGX;;;IU)(A;;GRGX;;;SU)(A;;GRGX;;;S-1-5-3)(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;CO)"
  452. "%Systemdirectory%\tracert6.exe",2,"D:P(A;;GRGX;;;IU)(A;;GRGX;;;SU)(A;;GRGX;;;S-1-5-3)(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;CO)"
  453. "%Systemdirectory%\tsshutdn.exe",2,"D:P(A;;GRGX;;;IU)(A;;GRGX;;;SU)(A;;GRGX;;;S-1-5-3)(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;CO)"
  454. "%Systemdirectory%\ups.exe",2,"D:P(A;;GRGX;;;IU)(A;;GRGX;;;SU)(A;;GRGX;;;S-1-5-3)(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;CO)"
  455. "%Systemdirectory%\vwipxspx.exe",2,"D:P(A;;GRGX;;;IU)(A;;GRGX;;;SU)(A;;GRGX;;;S-1-5-3)(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;CO)"
  456.  
  457.  
  458.  
  459.  
  460. [Strings]
  461.  
  462. SceInfAdministrator = "Administrator"
  463. SceInfAdmins = "Administrators"
  464. SceInfAcountOp = "Account Operators"
  465. SceInfAuthUsers = "Authenticated Users"
  466. SceInfBackupOp = "Backup Operators"
  467. SceInfDomainAdmins = "Domain Admins"
  468. SceInfDomainGuests = "Domain Guests"
  469. SceInfDomainUsers = "Domain Users"
  470. SceInfEnterpriseDCs = "ENTERPRISE DOMAIN CONTROLLERS"
  471. SceInfEveryone = "Everyone"
  472. SceInfGuests = "Guests"
  473. SceInfGuest = "Guest"
  474. SceInfPowerUsers = "Power Users"
  475. SceInfPrintOp = "Print Operators"
  476. SceInfReplicator = "Replicator"
  477. SceInfServerOp = "Server Operators"
  478. SceInfUsers = "Users"
  479. SceInfLocalService = "Local Service"
  480. SceInfNetworkService = "Network Service"
  481. SceInfProgramFiles = "%ProgramFiles%"
  482. SceInfProgramFilesx86 = "%ProgramFiles(x86)%"
  483. SceInfCommonProgramFiles = "%CommonProgramFiles%"
  484. SceInfRemoteDesktopUsers = "Remote Desktop Users"
  485. SceDefltDCProfileDescription = "Default Security Settings applied during DCPromo."
  486.