Customizing Security Options

There is more to the customization of security templates than modifying configurations in the standard templates that come with the operating system. You can also create new settings to control authentication and other security-related areas of the computer. You can’t customize every section of a security template, but you can add hundreds of new settings. To get these new custom settings into your security templates, you must first make some modifications to the Sceregvl.inf file.

Structure of the Sceregvl.inf File

The Sceregvl.inf file is responsible for creating the Security Options policy settings within the security template. These policy settings can be found under the Local Policies\Security Options node in the security template. The Sceregvl.inf file creates the interface and associated control points in the computer’s registry that control security. The default settings in the Sceregvl.inf file create the following categories of security settings within the security template:

  • Accounts

  • Audit

  • Devices

  • Domain controller

  • Domain member

  • Interactive logon

  • Microsoft network client

  • Microsoft network server

  • Network access

  • Network security

  • Recovery console

  • Shutdown

  • System cryptography

  • System objects

  • System settings

Figure 15-10 shows these categories listed in the Security Options node.

Figure 15-10. The Security Options node in the security template

The Sceregvl.inf file is a plain text file, located in the %windir%\inf folder, that you can edit if necessary. You can change the descriptions of existing settings, or you can append your own custom entries to the file. Each custom entry you add to Sceregvl.inf becomes a setting that, once configured in a GPO, updates the registry on every computer that GPO targets.

The default Sceregvl.inf file does more than add registry entries that can be configured. The file is also designed to delete settings from a select group of registry keys and values in cases where the Windows NT 4.0 Security Configuration Editor (SCE) had been used previously and had updated these registry keys and values.

Although the syntax might not seem easy to follow, the file structure is simple, as shown in Figure 15-11. The structure of the file helps you figure out how to input the new custom entries.

Figure 15-11. The Sceregvl.inf file structure

Each entry in the Sceregvl.inf file has the same format, with five fields. Not all entries need to contain all five fields, but the first four fields are required for each entry. An entry has the following structure:

RegistryPath,RegistryType,DisplayName,DisplayType,Options

Here is a description of what each field represents:

  • RegistryPath. Defines the full path of the registry key and value that you want to expose in the interface. Only values that exist in the HKEY_LOCAL_MACHINE hive can be configured, and this hive is referenced by the keyword MACHINE.

  • RegistryType. A number that defines the type of the registry value, as follows:

    • 1 - REG_SZ

    • 2 - REG_EXPAND_SZ

    • 3 - REG_BINARY

    • 4 - REG_DWORD

    • 5 - REG_MULTI_SZ

  • DisplayName. The string that ultimately appears when you access and configure the security setting. This is usually a replaceable parameter that refers to an entry in the [Strings] section of the Sceregvl.inf file, thus making localization easier.

  • DisplayType. Specifies the type of dialog box the security options interface should render to allow the user to define the setting for the registry value. Supported display types include:

    • 0 – Boolean. Causes the interface to render Enabled and Disabled options for the registry value. If Enabled is selected, the registry value is set to 1. If Disabled is selected, the registry value is set to 0.

      Here is an example of an entry that uses the Boolean DisplayType:

      MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail,4,%CrashOnAuditFail%,0

      Note

      The %variablename% entries are placeholders that are resolved from the [Strings] section, similar to the ADM templates we discussed earlier.

      This entry generates a simple entry form in the security template policy, which can be seen in Figure 15-12.

      Figure 15-12. A security template entry that uses a DisplayType of 0

    • 1 – Numeric. Causes the interface to render a numeric spin control that allows the user to type or select a numeric value in the range 0 through 99999. Numeric display types can specify "unit" strings such as minutes and seconds that appear next to the spin control in the interface. These unit strings are defined in the Options field described below. The registry value is set to the number entered by the administrator.

      Here is an example of an entry that uses the numeric DisplayType:

      MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount,1,%CachedLogonsCount%,1,%Unit-Logons%

      This entry generates a spinner for a numeric input in the security template policy, which can be seen in Figure 15-13.

      Figure 15-13. A security template entry that uses a DisplayType of 1

    • 2 – String. Causes the interface to render a text box. The registry value is set to the string entered by the administrator.

      Here is an example of an entry that uses the string DisplayType:

      MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption,1,%LegalNoticeCaption%,2

      This entry generates a text entry form in the security template policy, which can be seen in Figure 15-14.

      Figure 15-14. A security template entry that uses a DisplayType of 2

    • 3 – List. Causes the interface to render a list box from which the administrator can select one of several options. The registry value is set to the numeric value associated with the option chosen by the administrator. The options presented to the administrator are defined in the Options field described below.

      Here is an example of an entry that uses the list DisplayType:

      MACHINE\Software\Microsoft\Driver Signing\Policy,3,%DriverSigning%,3,0|%DriverSigning0%,1|%DriverSigning1%,2|%DriverSigning2%

      This entry generates a drop-down list entry form in the security template policy, which can be seen in Figure 15-15.

      Figure 15-15. A security template entry that uses a DisplayType of 3

    • 4 – Multivalued (available on Windows XP only). Causes the interface to render a multi-line edit control that allows the administrator to enter multiple lines of text. This display type should be used to define values for MULTI_SZ types. The registry value is set to the strings entered by the user where each line is separated by a NULL byte.

      Here is an example of an entry that uses the multivalued DisplayType:

      MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares,7,%NullShares%,4

      This entry generates a multiple text entry form in the security template policy, which can be seen in Figure 15-16.

      Figure 15-16. A security template entry that uses a DisplayType of 4

    • 5 – Bitmask (available on Windows XP only). Causes the interface to render a series of check boxes where each check box corresponds to a numeric value defined in the Options field described below. The registry value is set to the bitwise OR of the selected values.

      Here is an example of an entry that uses the bitmask DisplayType:

      MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec,4,%NTLMMinClientSec%,5,16|%NTLMIntegrity%,32|%NTLMConfidentiality%,524288|%NTLMv2Session%,536870912|%NTLM128%

      This entry generates a multiple check box entry form in the security template policy, which can be seen in Figure 15-17.

      Figure 15-17. A security template entry that uses a DisplayType of 5

  • Options. Qualifies the different display types within the same entry.

    • If DisplayType=1 (Numeric). The entry can contain a string that defines the units for the numeric value. The unit string is displayed next to the spin control in the interface. The unit string has no effect on the value set in the registry.

    • If DisplayType=3 (List). The entry defines the list of options that are available to the user. Each option consists of a numeric value, the pipe character (|), and the text for the choice; the options are separated by commas. The registry value is set to the numeric value associated with the choice made by the administrator.

    • If DisplayType=5 (Bitmask). The entry defines the list of choices available to the user. Each choice consists of a numeric value, the pipe character (|), and the text for the choice; the choices are separated by commas. The registry value is set to the bitwise OR of the choices selected by the administrator.

Customizing the Sceregvl.inf File

You can include almost any registry value you want in the Sceregvl.inf file, but you should focus only on the security-related settings because other registry settings can be configured using the .adm files as discussed in Chapter 14. Once you pick out your registry value, you use the structure we just discussed to update the existing Sceregvl.inf file.

Warning

Unlike .adm files, where you create new .adm files for custom entries, the security templates require that you update the existing Sceregvl.inf file to make custom entries.

Here is an example of a custom entry to the Sceregvl.inf file:

MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect,4,"Syn Attack Protection against DoS",3,0|"No additional protection",1|"Time out sooner if Syn Attack is detected"

This entry sets the SynAttackProtect registry value to 0 (keep the default setting, with no additional protection against a Syn attack) or 1 (have connections time out sooner if a Syn attack is detected), depending on the option the administrator selects.

This entry uses the List DisplayType, which as noted has a value of 3. This custom entry shows up in the security template as shown in Figure 15-18.

Figure 15-18. A custom entry for a Syn attack in a security template
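Both the five-field entry layout described under "Structure of the Sceregvl.inf File" and the custom SynAttackProtect entry above can be exercised with a small parser. The following Python is an added example, not code from the book or from Windows: it parses entries in the RegistryPath,RegistryType,DisplayName,DisplayType,Options format, resolves %Name% references against a [Strings] section whose label text is constructed for this example (the real file's strings differ), checks the rules stated in the text (MACHINE-only paths, the four mandatory fields, the 0 through 99999 numeric range, value|label options, single-bit Bitmask values, a REG_MULTI_SZ value for the Multivalued display type), and computes what each DisplayType would write to the registry for a given selection. The RegistryType code 7 for REG_MULTI_SZ follows the page's NullSessionShares entry.

```python
# Added example (not from the book): parse Sceregvl.inf entries, resolve %Name%
# references via a [Strings] section, validate the fields, and compute the
# registry value each DisplayType writes for an administrator's selection.
import csv
import re
# RegistryType codes. 7 is what the page's NullSessionShares entry uses for
# REG_MULTI_SZ (the Win32 REG_MULTI_SZ value); 5 is the code in the field list.
REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY",
             4: "REG_DWORD", 5: "REG_MULTI_SZ", 7: "REG_MULTI_SZ"}
BOOLEAN, NUMERIC, STRING, LIST, MULTI, BITMASK = range(6)

# Constructed [Strings] section for the sample entries (labels are made up).
STRINGS = {
    "CrashOnAuditFail": "Audit: Shut down system if unable to log audits",
    "CachedLogonsCount": "Interactive logon: Previous logons to cache",
    "Unit-Logons": "logons",
    "DriverSigning": "Devices: Unsigned driver installation behavior",
    "DriverSigning0": "Silently succeed",
    "DriverSigning1": "Warn but allow installation",
    "DriverSigning2": "Do not allow installation",
    "NullShares": "Network access: Shares accessible anonymously",
    "NTLMMinClientSec": "Network security: Minimum session security for NTLM",
    "NTLMIntegrity": "Require message integrity",
    "NTLMConfidentiality": "Require message confidentiality",
    "NTLMv2Session": "Require NTLMv2 session security",
    "NTLM128": "Require 128-bit encryption",
}

def _resolve(token, strings):
    """Expand %Name% from [Strings], accept a "quoted literal", reject junk."""
    ref = re.fullmatch(r"%([^%]+)%", token)
    if ref:
        if ref.group(1) not in strings:
            raise ValueError(f"undefined string reference {token}")
        return strings[ref.group(1)]
    if "%" in token:  # e.g. $Name%: a typo that would render as garbage
        raise ValueError(f"malformed string reference {token!r}")
    return token.strip('"')

def parse_entry(line, strings=STRINGS):
    """Parse one entry into a dict; the first four fields are mandatory."""
    # csv handles a quoted DisplayName; quotes inside Options stay literal.
    fields = [f.strip() for f in next(csv.reader([line], skipinitialspace=True))]
    if len(fields) < 4:
        raise ValueError("RegistryPath,RegistryType,DisplayName,DisplayType required")
    path, reg_type, name, display_type, *options = fields
    reg_type, display_type = int(reg_type), int(display_type)
    if not path.startswith("MACHINE\\"):
        raise ValueError("only HKEY_LOCAL_MACHINE (MACHINE\\...) can be exposed")
    if reg_type not in REG_TYPES:
        raise ValueError(f"unknown RegistryType {reg_type}")
    entry = {"path": path, "reg_type": reg_type, "display_type": display_type,
             "display_name": _resolve(name, strings), "choices": None,
             "unit": _resolve(options[0], strings)
                     if display_type == NUMERIC and options else None}
    if display_type in (LIST, BITMASK):
        entry["choices"] = {}
        for opt in options:                   # each option is value|label
            value, label = opt.split("|", 1)
            value = int(value)
            if display_type == BITMASK and (value <= 0 or value & (value - 1)):
                raise ValueError(f"bitmask choice {value} is not a single bit")
            entry["choices"][_resolve(label, strings)] = value
    elif display_type == MULTI and REG_TYPES[reg_type] != "REG_MULTI_SZ":
        raise ValueError("Multivalued display type needs a REG_MULTI_SZ value")
    elif display_type not in (BOOLEAN, NUMERIC, STRING, MULTI):
        raise ValueError(f"unknown DisplayType {display_type}")
    return entry

def registry_value(entry, selection):
    """Return what the template writes to the registry for a selection."""
    dt, choices = entry["display_type"], entry["choices"]
    if dt == BOOLEAN:
        return 1 if selection else 0
    if dt == NUMERIC:                        # spin control, 0 through 99999
        if not 0 <= int(selection) <= 99999:
            raise ValueError("numeric settings range from 0 through 99999")
        return int(selection)
    if dt == STRING:
        return str(selection)
    if dt == LIST:
        return choices[selection]            # KeyError for an unknown label
    if dt == MULTI:
        return "\0".join(selection)          # lines separated by NUL bytes
    result = 0                               # BITMASK: OR of checked values
    for label in selection:
        result |= choices[label]
    return result

# Entries quoted from the page, plus its custom SynAttackProtect entry.
SAMPLE_ENTRIES = [
    r"MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail,4,%CrashOnAuditFail%,0",
    r"MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount,1,%CachedLogonsCount%,1,%Unit-Logons%",
    r"MACHINE\Software\Microsoft\Driver Signing\Policy,3,%DriverSigning%,3,0|%DriverSigning0%,1|%DriverSigning1%,2|%DriverSigning2%",
    r"MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares,7,%NullShares%,4",
    r"MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec,4,%NTLMMinClientSec%,5,16|%NTLMIntegrity%,32|%NTLMConfidentiality%,524288|%NTLMv2Session%,536870912|%NTLM128%",
    r'MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect,4,"Syn Attack Protection against DoS",3,0|"No additional protection",1|"Time out sooner if Syn Attack is detected"',
]
```

Running parse_entry over SAMPLE_ENTRIES and then registry_value with a chosen option reproduces the behaviour the text describes for each DisplayType: the SynAttackProtect entry yields 0 or 1 for its two list labels, and checking "Require message integrity" and "Require 128-bit encryption" on the NTLMMinClientSec entry yields 16 OR 536870912. The _resolve check also rejects a stray reference such as $Name% in place of %Name%, the kind of typo that would otherwise show up as a garbled label in the Security Options node, and the MACHINE\ prefix check mirrors the rule that only HKEY_LOCAL_MACHINE values can be exposed.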

Getting the Custom Entry to Show Up

After you update the Sceregvl.inf file with your custom entry, the new policy setting does not show up automatically. This is good behavior: if an attacker could modify the Sceregvl.inf file and have the new entry take immediate effect, he could change registry values without your knowledge.

You are required to register the new Sceregvl.inf file with the computer that is performing the administration of the security template. To get the changes to show up in the security template interface, you must register the DLL that controls the Sceregvl.inf file. This DLL is named Scecli.dll. To register it, follow these steps on the computer performing the administration of the security templates:

  1. On the Start menu, choose Command Prompt.

  2. Type regsvr32 C:\Windows\system32\scecli.dll and press Enter.

    You will get a confirmation dialog box titled "RegSvr32," which indicates that the registration of the DLL succeeded.

Each time you modify a security template or a GPO on this computer, the new security policy setting will be available.
