Unattend Secret: Integrating Security Template

**gosh** · October 10, 2003

One of the most common uses of unattended cd's is to integrate registry hacks. Registery hacks are useful for customizing the shell appearance, improve security, speed up the OS, remove bloat, etc.

To integrate registry hacks you face a problem: how to integrate per user (HKCU) registry hacks and global (HKLM) registry hacks. The popular way to integrate registry hacks is through cmdlines.txt or GuiRunOnce.

This way works fine, but it has a number of weeknesses. For one, anyone at the computer while the registry hacks run could restart the computer, causing the registry hacks to not process. For another, the registry hacks might not be sync'ed with the repaired registry. So if someone repair there registry, the registry hacks might be gone. It also doesn't look professional in my opinion, to run all the registry hacks through a batch file. What i am after is a truely integrated way to integrate per user and global registry tweaks.

Awhile back i started on a win2k cd, and i decided to try a new method of deploying registry hacks. The method worked, but i gave up on it for reasons ill mention later. I thought i would share my method if anyone is interested.

To deploy my per user registry hacks, i decided to use hivedef.inf. To deploy the global registry hacks, i decided to use a security template. The reason i was interested in security templates, is because you can use secpol.msc to make one. So i could use secpol.msc to make several different templates. I could use secpol.msc to make a template for win2k, a template for xp, and a template for server 2003. It sounded good to me.

To read about my win2k hivedef.inf go to here

First, look at this article. It describes how to make secpol.msc see new changes.

Below is my Sceregvl.inf for win2k (might work for other os):

; © Microsoft Corporation 1997-2000
;
; Security Configuration Template for Security Configuration Editor
;
; Template Name: SCERegVl.INF
; Template Version:    05.00.DR.0000
;
; Revision History
; 0000 - Original
[version]signature="$CHICAGO$"
DriverVer=06/19/2003,5.00.2195.6717
[Register Registry Values]
;
; First field: Full Path to Registry Value
; Second field: value type
; ; REG_SZ ( 1 )
; ; REG_EXPAND_SZ    ( 2 ) \\ with environment variables to expand
; ; REG_BINARY ( 3 )
; ; REG_DWORD    ( 4 )
; ; REG_MULTI_SZ ( 7 )
; third field: Display Name (localizable string),
; fourth field: Display type 0 - boolean, 1 - number, 2 - string, 3 - choices
;start new
MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\AutoReboot,4,%AutoRestart%,0
MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Environment\DEVMGR_SHOW_DETAILS,1,%DevDetails%,3,0|%Dev0%,1|%Dev1%
MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Environment\DEVMGR_SHOW_NONPRESENT_DEVICES,1,%DevNonPresent%,3,0|%Dev0%,1|%Dev1%
MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DoReport,4,%ErrorReport%,0
MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting\ShowUI,4,%ShowError%,0
MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoSharedDocuments,4,%Shareddocs%,0
MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Tour\RunCount,4,%Tour%,0
MACHINE\Software\Policies\Microsoft\Messenger\Client\PreventAutoRun,4,%Preautorun%,0
MACHINE\Software\Policies\Microsoft\Messenger\Client\PreventRun,4,%Prerun%,0
MACHINE\SOFTWARE\Microsoft\Outlook Express\Hide Messenger,4,%HideMessenger%,3,0|%Mess0%
MACHINE\SOFTWARE\Microsoft\Outlook Express\BlockExeAttachment,4,%BlockExe%,0
MACHINE\SOFTWARE\Policies\Microsoft\WindowsMediaPlayer\DisableAutoUpdate,4,%WMPUpdates%,0
MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections,4,%RDP%,0
MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\fAllowToGetHelp,4,%RA%,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall\NoChooseProgramsPage,4,%NoChoose%,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\NoSMConfigurePrograms,4,%NoStart%,0
;end new
MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects,4,%AuditBaseObjects%,0
MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail,4,%CrashOnAuditFail%,0
MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing,3,%FullPrivilegeAuditing%,0
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel,4,%LmCompatibilityLevel%,3,0|%LMCLevel0%,1|%LMCLevel1%,2|%LMCLevel2%,3|%LMCLevel3%,4|%LMCLevel4%,5|%LMCLevel5%
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous,4,%RestrictAnonymous%,3,0|%RA0%,1|%RA1%,2|%RA2%
MACHINE\System\CurrentControlSet\Control\Lsa\SubmitControl,4,%SubmitControl%,0
MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers,4,%AddPrintDrivers%,0
MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown,4,%ClearPageFileAtShutdown%, 0
MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode,4,%ProtectionMode%,0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature,4,%EnableSMBSignServer%,0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature,4,%RequireSMBSignServer%,0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogOff,4,%EnableForcedLogoff%,0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect,4,%AutoDisconnect%,1,%Unit-Minutes%
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature,4,%EnableSMBSignRDR%,0
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature,4,%RequireSMBSignRDR%,0
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword,4,%EnablePlainTextPassword%,0
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange,4,%DisablePWChange%,0
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel,4,%SignSecureChannel%,0
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel,4,%SealSecureChannel%,0
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal,4,%SignOrSeal%,0
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey,4,%StrongKey%,0
MACHINE\Software\Microsoft\Driver Signing\Policy,3,%DriverSigning%,3,0|%DriverSigning0%,1|%DriverSigning1%,2|%DriverSigning2%
MACHINE\Software\Microsoft\Non-Driver Signing\Policy,3,%NDriverSigning%,3,0|%DriverSigning0%,1|%DriverSigning1%,2|%DriverSigning2%
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD,4,%DisableCAD%,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName,4,%DontDisplayLastUserName%,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption,1,%LegalNoticeCaption%,2
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText,1,%LegalNoticeText%,2
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon,4,%ShutdownWithoutLogon%,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel,4,%RCAdmin%,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand,4,%RCSet%,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms,1,%AllocateCDRoms%,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD,1,%AllocateDASD%,3,0|%AllocateDASD0%,1|%AllocateDASD1%,2|%AllocateDASD2%
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies,1,%AllocateFloppies%,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount,1,%CachedLogonsCount%,1,%Unit-Logons%
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning,4,%PasswordExpiryWarning%,1,%Unit-Days%
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption,1,%ScRemove%,3,0|%ScRemove0%,1|%ScRemove1%,2|%ScRemove2%
; delete these values from current system - Rdr in case NT4 w SCE
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DisableCAD
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ShutdownWithoutLogon
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CmdConsSecurityLevel
MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\AddPrintDrivers
MACHINE\System\CurrentControlSet\Services\MRxSMB\Parameters\EnableSecuritySignature
MACHINE\System\CurrentControlSet\Services\MRxSMB\Parameters\RequireSecuritySignature
MACHINE\System\CurrentControlSet\Services\MRxSMB\Parameters\EnablePlainTextPassword
MACHINE\System\CurrentControlSet\Services\Rdr\Parameters\EnableSecuritySignature
MACHINE\System\CurrentControlSet\Services\Rdr\Parameters\RequireSecuritySignature
MACHINE\System\CurrentControlSet\Services\Rdr\Parameters\EnablePlainTextPassword
MACHINE\Software\Microsoft\Windows\CurrentVersion\NetCache\EncryptEntireCache
[strings]
;start new
AUtoRestart = "New - Automatically restart when a bugcheck happens"
DevDetails = "New - Show device manager details"
DevNonPresent = "New - Show device manager non present devices"
Dev0 = "True"
Dev1 = "False"
ErrorReport = "New - Use error reporting"
ShowError = "New - Use error notification"
Shareddocs = "New - Do not show Shared Documents folder in My Computer"
Tour = "New - Show Tour after setup"
Preautorun = "New - Messenger - Do not automatically start Messenger"
Prerun = "New - Messenger - Do not allow Messenger to run"
HideMessenger = "New - Messenger - Remove Windows Messenger from Outlook Express"
Mess0 = "2"
BlockExe = "New - OE - Block Executable Attachments in Outlook Express"
WMPUpdates = "New - WMP - Disable Auto Upgrade with Windows Media Player"
RDP = "New - Disable remote desktop"
RA = "New - Enable remote assistance"
NoChoose = "New - Hide Set Program Access and Defaults in Add/Remove Programs"
NoStart = "New - Hide Set Program Access and Defaults in Start menu"
;end new
SubmitControl = Allow server operators to schedule tasks (domain controllers only)
ShutdownWithoutLogon = Allow system to be shut down without having to log on
AllocateDASD = Allowed to eject removable NTFS media
AllocateDASD0 = Administrators
AllocateDASD1 = Administrators and Power Users
AllocateDASD2 = Administrators and Interactive Users
AuditBaseObjects = Audit the access of global system objects
FullPrivilegeAuditing = Audit use of Backup and Restore privilege
EnableForcedLogoff = Automatically log off users when logon time expires (local)
AutoDisconnect = Amount of idle time required before disconnecting session
ClearPageFileAtShutdown = Clear virtual memory pagefile when system shuts down
RequireSMBSignRdr = Digitally sign client communication (always)
EnableSMBSignRdr = Digitally sign client communication (when possible)
RequireSMBSignServer = Digitally sign server communication (always)
EnableSMBSignServer = Digitally sign server communication (when possible)
DisableCAD = Disable CTRL+ALT+DEL requirement for logon
RestrictAnonymous = Additional restrictions for anonymous connections
RA0 = None. Rely on default permissions
RA1 = Do not allow enumeration of SAM accounts and shares
RA2 = No access without explicit anonymous permissions
DontDisplayLastUserName = Do not display last user name in logon screen
LmCompatibilityLevel = LAN Manager Authentication Level
LMCLevel0 = Send LM & NTLM responses
LMCLevel1 = Send LM & NTLM - use NTLMv2 session security if negotiated
LMCLevel2 = Send NTLM response only
LMCLevel3 = Send NTLMv2 response only
LMCLevel4 = Send NTLMv2 response only\refuse LM
LMCLevel5 = Send NTLMv2 response only\refuse LM & NTLM
LegalNoticeText = Message text for users attempting to log on
LegalNoticeCaption = Message title for users attempting to log on
CachedLogonsCount = Number of previous logons to cache (in case domain controller is not available)
AddPrintDrivers = Prevent users from installing printer drivers
DisablePWChange = Prevent system maintenance of computer account password
PasswordExpiryWarning = Prompt user to change password before expiration
RCAdmin = Recovery Console: Allow automatic administrative logon
RCSet = Recovery Console: Allow floppy copy and access to all drives and all folders
AllocateCDRoms = Restrict CD-ROM access to locally logged-on user only
AllocateFloppies = Restrict floppy access to locally logged-on user only
ProtectionMode = Strengthen default permissions of global system objects (e.g. Symbolic Links)
SignOrSeal = Secure channel: Digitally encrypt or sign secure channel data (always)
SealSecureChannel = Secure channel: Digitally encrypt secure channel data (when possible)
SignSecureChannel = Secure channel: Digitally sign secure channel data (when possible)
StrongKey = Secure channel: Require strong (Windows 2000 or later) session key
CrashOnAuditFail = Shut down system immediately if unable to log security audits
EnablePlainTextPassword = Send unencrypted password to connect to third-party SMB servers
ScRemove = Smart card removal behavior
ScRemove0 = No Action
ScRemove1 = Lock Workstation
ScRemove2 = Force Logoff
DriverSigning = Unsigned driver installation behavior
NDriverSigning = Unsigned non-driver installation behavior
DriverSigning0 = Silently succeed
DriverSigning1 = Warn but allow installation
DriverSigning2 = Do not allow installation
Unit-Logons = logons
Unit-Days = days
Unit-Minutes = minutes

Just put that file into your inf folder. Or delete SCERegVl.IN_ from your local source, and copy SCERegVl.INF to it. Now when you install win2k, secpol.msc will show my new settings.

Once you use secpol.msc with my SCERegVl.INF to make a new security template, the next step is to integrate this template with your local source. Through trial and error, i found a way to slipstream it.

Here's the security templates win2k and higher use:

Defltwk.inf: Windows 2000 Professional

Defltsv.inf: Windows 2000 Server/Advanced Server non-domain controller

Defltdc.inf: Windows 2000 Server/Advanced Server domain controller

Dwup.inf (for Windows 2000 Professional upgrades)

Dsup.inf (for Windows 2000 Server upgrades)

So if your gonna install win2k pro, edit defltwk.inf and add to it your custom changes. Then delete defltwk.in_ and put yours in the local source.

For example, after using secpol.msc i saved a template. I copied what was in the template and pasted the values under [Registry Values]. I added these:

MACHINE\Software\Microsoft\Driver Signing\Policy=3,0
MACHINE\SOFTWARE\Microsoft\Outlook Express\BlockExeAttachment=4,1
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel=4,1
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand=4,1
MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\Tour\RunCount=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\NoSMConfigurePrograms=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall\NoChooseProgramsPage=4,1
MACHINE\SOFTWARE\Policies\Microsoft\WindowsMediaPlayer\DisableAutoUpdate=4,1
MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Environment\DEVMGR_SHOW_DETAILS=1,"0"
MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Environment\DEVMGR_SHOW_NONPRESENT_DEVICES=1,"0"
MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\AutoReboot=4,1

Now when i install win2k, it'll use these custom values. The only limitation to security templates is they only use HKLM and not HKCU values, which is why i modified hivedef.inf.

So you're probably thinking why i gave up on using security templates. I gave up because of these problems:

1 - Security templates are cumulative. That means a value in another security template might overwrite a value in my security template. One example i found was DisableCAD. No matter what i put in my security template, disablecad was always enabled, not disabled. I really didn't feel like looking through security templates to find where disablecad was being enabled.

2 - Every time a service pack is released, you'll have to manually edit the deflwk.inf file. This takes up time.

3 - Since most of the work is done by hand, there's a good chance of error.

So for these reasons i gave up on this method, but somene might find it useful. I'm sorry if my directions are less than clear, but security templates are very hard to use.

A security template is good for other things too. You can use a security template ti disable services, and you can use it to set permissions on registry keys. I saw someone make a batch file that disabled services, a security template would be easier.

-gosh

**jonnywi** · October 10, 2003

hi gosh

nice working!

I know this method, but i never integrated my own registry-tweaks!

Do you have an *.inf file for wxp sp1?

i think, on wxp sp1 there are new based security template tweaks as on w2k!

I took the *.inf file from the nsa and changed to my security-tweaks.

If not, i try to mix the changed nsa with your own registry-tweaks.

{your own registry-tweaks}

3 - Customize the default profile.

The way i customized profiles is to modify hifedef.inf. Download mine here . Overwrite your hivedef.inf with mine. To find what i changed, search the file for changed_win2k. I've tested it and it works perfect. It's great for beginners.

Enjoy. All .inf files are for win2k sp4. All .inf files you can get from the free sp4 download.

{/your own registry-tweaks}

**Lingvo** · November 9, 2003

gosh

Nice posts!!!!

Thanks.

Sign In

Unattend Secret: Integrating Security Template

Recommended Posts

gosh

jonnywi

Lingvo

Please sign in to comment

Recently Browsing 0 members

Activity

Browse