Jump to content

Unattend Secret: Integrating Security Template


Recommended Posts

One of the most common uses of unattended cd's is to integrate registry hacks. Registery hacks are useful for customizing the shell appearance, improve security, speed up the OS, remove bloat, etc.

To integrate registry hacks you face a problem: how to integrate per user (HKCU) registry hacks and global (HKLM) registry hacks. The popular way to integrate registry hacks is through cmdlines.txt or GuiRunOnce.

This way works fine, but it has a number of weeknesses. For one, anyone at the computer while the registry hacks run could restart the computer, causing the registry hacks to not process. For another, the registry hacks might not be sync'ed with the repaired registry. So if someone repair there registry, the registry hacks might be gone. It also doesn't look professional in my opinion, to run all the registry hacks through a batch file. What i am after is a truely integrated way to integrate per user and global registry tweaks.

Awhile back i started on a win2k cd, and i decided to try a new method of deploying registry hacks. The method worked, but i gave up on it for reasons ill mention later. I thought i would share my method if anyone is interested.

To deploy my per user registry hacks, i decided to use hivedef.inf. To deploy the global registry hacks, i decided to use a security template. The reason i was interested in security templates, is because you can use secpol.msc to make one. So i could use secpol.msc to make several different templates. I could use secpol.msc to make a template for win2k, a template for xp, and a template for server 2003. It sounded good to me.

To read about my win2k hivedef.inf go to here

First, look at this article. It describes how to make secpol.msc see new changes.

Below is my Sceregvl.inf for win2k (might work for other os):

; © Microsoft Corporation 1997-2000


; Security Configuration Template for Security Configuration Editor


; Template Name:        SCERegVl.INF

; Template Version:     05.00.DR.0000


; Revision History

; 0000  - Original



[Register Registry Values]


; First field: Full Path to Registry Value

; Second field: value type

;        ; REG_SZ                      ( 1 )

;        ; REG_EXPAND_SZ               ( 2 )  \\ with environment variables to expand

;        ; REG_BINARY                  ( 3 )

;        ; REG_DWORD                   ( 4 )

;        ; REG_MULTI_SZ                ( 7 )

; third field: Display Name (localizable string),

; fourth field: Display type 0 - boolean, 1 - number, 2 - string, 3 - choices

;start new


MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Environment\DEVMGR_SHOW_DETAILS,1,%DevDetails%,3,0|%Dev0%,1|%Dev1%

MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Environment\DEVMGR_SHOW_NONPRESENT_DEVICES,1,%DevNonPresent%,3,0|%Dev0%,1|%Dev1%







MACHINE\SOFTWARE\Microsoft\Outlook Express\Hide Messenger,4,%HideMessenger%,3,0|%Mess0%

MACHINE\SOFTWARE\Microsoft\Outlook Express\BlockExeAttachment,4,%BlockExe%,0


MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections,4,%RDP%,0

MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\fAllowToGetHelp,4,%RA%,0



;end new







MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers,4,%AddPrintDrivers%,0

MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown,4,%ClearPageFileAtShutdown%, 0

MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode,4,%ProtectionMode%,0













MACHINE\Software\Microsoft\Driver Signing\Policy,3,%DriverSigning%,3,0|%DriverSigning0%,1|%DriverSigning1%,2|%DriverSigning2%

MACHINE\Software\Microsoft\Non-Driver Signing\Policy,3,%NDriverSigning%,3,0|%DriverSigning0%,1|%DriverSigning1%,2|%DriverSigning2%






MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel,4,%RCAdmin%,0

MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand,4,%RCSet%,0

MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms,1,%AllocateCDRoms%,0

MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD,1,%AllocateDASD%,3,0|%AllocateDASD0%,1|%AllocateDASD1%,2|%AllocateDASD2%

MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies,1,%AllocateFloppies%,0

MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount,1,%CachedLogonsCount%,1,%Unit-Logons%

MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning,4,%PasswordExpiryWarning%,1,%Unit-Days%

MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption,1,%ScRemove%,3,0|%ScRemove0%,1|%ScRemove1%,2|%ScRemove2%

; delete these values from current system - Rdr in case NT4 w SCE

MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DisableCAD

MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName

MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption

MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText

MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ShutdownWithoutLogon

MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CmdConsSecurityLevel

MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\AddPrintDrivers









;start new

AUtoRestart = "New - Automatically restart when a bugcheck happens"

DevDetails = "New - Show device manager details"

DevNonPresent = "New - Show device manager non present devices"

Dev0 = "True"

Dev1 = "False"

ErrorReport = "New - Use error reporting"

ShowError = "New - Use error notification"

Shareddocs = "New - Do not show Shared Documents folder in My Computer"

Tour = "New - Show Tour after setup"

Preautorun = "New - Messenger - Do not automatically start Messenger"

Prerun = "New - Messenger - Do not allow Messenger to run"

HideMessenger = "New - Messenger - Remove Windows Messenger from Outlook Express"

Mess0 = "2"

BlockExe = "New - OE - Block Executable Attachments in Outlook Express"

WMPUpdates = "New - WMP - Disable Auto Upgrade with Windows Media Player"

RDP = "New - Disable remote desktop"

RA = "New - Enable remote assistance"

NoChoose = "New - Hide Set Program Access and Defaults in Add/Remove Programs"

NoStart = "New - Hide Set Program Access and Defaults in Start menu"

;end new

SubmitControl = Allow server operators to schedule tasks (domain controllers only)

ShutdownWithoutLogon = Allow system to be shut down without having to log on

AllocateDASD = Allowed to eject removable NTFS media

AllocateDASD0 = Administrators

AllocateDASD1 = Administrators and Power Users

AllocateDASD2 = Administrators and Interactive Users

AuditBaseObjects = Audit the access of global system objects

FullPrivilegeAuditing = Audit use of Backup and Restore privilege

EnableForcedLogoff = Automatically log off users when logon time expires (local)

AutoDisconnect = Amount of idle time required before disconnecting session

ClearPageFileAtShutdown = Clear virtual memory pagefile when system shuts down

RequireSMBSignRdr = Digitally sign client communication (always)

EnableSMBSignRdr = Digitally sign client communication (when possible)

RequireSMBSignServer = Digitally sign server communication (always)

EnableSMBSignServer = Digitally sign server communication (when possible)

DisableCAD = Disable CTRL+ALT+DEL requirement for logon

RestrictAnonymous = Additional restrictions for anonymous connections

RA0 = None. Rely on default permissions

RA1 = Do not allow enumeration of SAM accounts and shares

RA2 = No access without explicit anonymous permissions

DontDisplayLastUserName = Do not display last user name in logon screen

LmCompatibilityLevel = LAN Manager Authentication Level

LMCLevel0 = Send LM & NTLM responses

LMCLevel1 = Send LM & NTLM - use NTLMv2 session security if negotiated

LMCLevel2 = Send NTLM response only

LMCLevel3 = Send NTLMv2 response only

LMCLevel4 = Send NTLMv2 response only\refuse LM

LMCLevel5 = Send NTLMv2 response only\refuse LM & NTLM

LegalNoticeText = Message text for users attempting to log on

LegalNoticeCaption = Message title for users attempting to log on

CachedLogonsCount = Number of previous logons to cache (in case domain controller is not available)

AddPrintDrivers = Prevent users from installing printer drivers

DisablePWChange = Prevent system maintenance of computer account password

PasswordExpiryWarning = Prompt user to change password before expiration

RCAdmin = Recovery Console: Allow automatic administrative logon

RCSet = Recovery Console: Allow floppy copy and access to all drives and all folders

AllocateCDRoms = Restrict CD-ROM access to locally logged-on user only

AllocateFloppies = Restrict floppy access to locally logged-on user only

ProtectionMode = Strengthen default permissions of global system objects (e.g. Symbolic Links)

SignOrSeal = Secure channel: Digitally encrypt or sign secure channel data (always)

SealSecureChannel = Secure channel: Digitally encrypt secure channel data (when possible)

SignSecureChannel = Secure channel: Digitally sign secure channel data (when possible)

StrongKey = Secure channel: Require strong (Windows 2000 or later) session key

CrashOnAuditFail = Shut down system immediately if unable to log security audits

EnablePlainTextPassword = Send unencrypted password to connect to third-party SMB servers

ScRemove = Smart card removal behavior

ScRemove0 = No Action

ScRemove1 = Lock Workstation

ScRemove2 = Force Logoff

DriverSigning = Unsigned driver installation behavior

NDriverSigning = Unsigned non-driver installation behavior

DriverSigning0 = Silently succeed

DriverSigning1 = Warn but allow installation

DriverSigning2 = Do not allow installation

Unit-Logons = logons

Unit-Days = days

Unit-Minutes = minutes

Just put that file into your inf folder. Or delete SCERegVl.IN_ from your local source, and copy SCERegVl.INF to it. Now when you install win2k, secpol.msc will show my new settings.

Once you use secpol.msc with my SCERegVl.INF to make a new security template, the next step is to integrate this template with your local source. Through trial and error, i found a way to slipstream it.

Here's the security templates win2k and higher use:

Defltwk.inf: Windows 2000 Professional

Defltsv.inf: Windows 2000 Server/Advanced Server non-domain controller

Defltdc.inf: Windows 2000 Server/Advanced Server domain controller

Dwup.inf (for Windows 2000 Professional upgrades)

Dsup.inf (for Windows 2000 Server upgrades)

So if your gonna install win2k pro, edit defltwk.inf and add to it your custom changes. Then delete defltwk.in_ and put yours in the local source.

For example, after using secpol.msc i saved a template. I copied what was in the template and pasted the values under [Registry Values]. I added these:

MACHINE\Software\Microsoft\Driver Signing\Policy=3,0

MACHINE\SOFTWARE\Microsoft\Outlook Express\BlockExeAttachment=4,1

MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel=4,1

MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand=4,1






MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Environment\DEVMGR_SHOW_DETAILS=1,"0"

MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Environment\DEVMGR_SHOW_NONPRESENT_DEVICES=1,"0"


Now when i install win2k, it'll use these custom values. The only limitation to security templates is they only use HKLM and not HKCU values, which is why i modified hivedef.inf.

So you're probably thinking why i gave up on using security templates. I gave up because of these problems:

1 - Security templates are cumulative. That means a value in another security template might overwrite a value in my security template. One example i found was DisableCAD. No matter what i put in my security template, disablecad was always enabled, not disabled. I really didn't feel like looking through security templates to find where disablecad was being enabled.

2 - Every time a service pack is released, you'll have to manually edit the deflwk.inf file. This takes up time.

3 - Since most of the work is done by hand, there's a good chance of error.

So for these reasons i gave up on this method, but somene might find it useful. I'm sorry if my directions are less than clear, but security templates are very hard to use.

A security template is good for other things too. You can use a security template ti disable services, and you can use it to set permissions on registry keys. I saw someone make a batch file that disabled services, a security template would be easier.


Link to comment
Share on other sites

hi gosh

nice working!

I know this method, but i never integrated my own registry-tweaks!

Do you have an *.inf file for wxp sp1?

i think, on wxp sp1 there are new based security template tweaks as on w2k!

I took the *.inf file from the nsa and changed to my security-tweaks.

If not, i try to mix the changed nsa with your own registry-tweaks.

{your own registry-tweaks}

3 - Customize the default profile.

The way i customized profiles is to modify hifedef.inf. Download mine here . Overwrite your hivedef.inf with mine. To find what i changed, search the file for changed_win2k. I've tested it and it works perfect. It's great for beginners.

Enjoy. All .inf files are for win2k sp4. All .inf files you can get from the free sp4 download.

{/your own registry-tweaks}

Link to comment
Share on other sites

  • 5 weeks later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    • No registered users viewing this page.

  • Create New...