Re: Understanding security template INF structures
From: Serge Ayotte (sayotte@hotmail.com)
Date: 04/08/03
- Previous message: Rick: "WinZip needing internet access?"
- In reply to: Nick Finco [MS]: "Re: Understanding security template INF structures"
- Next in thread: Nick Finco [MS]: "Re: Understanding security template INF structures"
- Reply: Nick Finco [MS]: "Re: Understanding security template INF structures"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Serge Ayotte <sayotte@hotmail.com> Date: Mon, 07 Apr 2003 23:25:35 -0400
HHHaaaaaaa, I see (said the blind man <grin>).
Thank you very much Nick for the info you have provided me with.
It just seemed to me to be the "perfect solution" to providing a good
security and "wholesale" modification to many servers by using thee
templates and GPO, instead of having to go from machine to machine...
Plus the additional "bonus" that if I mess something, it would be
easier to recover by just removing the GPO assigned to an OU.
With your explanation that their are two registry related entries in
the INF, now I understand why I was not seeing anything inside the
Template MMC under the registry for the baselinedc.inf, since this one
contains only a VALUES section.
May I ask what you mean by a custom ADM file? Maybe it is the late
hour for me presently, but it does not ring a bell? (Although I have
good memories of roller skating on Ring My Bell... Showing my age with
this comment and that song title<grin>).
Thank you also for the Link, that will give me a bit more reading to
make on top of the Microsoft papers on Security and a few others I
have found!
Thank you very much for your help and information!
Serge Ayotte
On Fri, 4 Apr 2003 13:46:46 -0800, "Nick Finco [MS]"
<nfinco@online.microsoft.com> wrote:
>You should look into using custom ADM files instead of manually editing the
>security templates. Manually editing security templates is unsupported,
>they might not always work as you think, and their format may change in
>future releases. (Just keeping the disclaimer with the post.)
>
>You should be able to reverse engineer the syntax of security templates
>using the UI and secedit. Creating a template to delete a key using
>supported tools is a bit tricky though. It will look like this in a
>template. The key's type is set to -1. The value doesn't matter.
>MACHINE\Software\Test\value=-1,0
>
>There are 2 registry sections. [Registry Values] is for setting actual reg
>values. [Registry Keys] is for setting security. You're probably looking
>the corresponding UI section for [Registry Keys] (UI: Registry node) but
>thinking your looking at the [Registry Values] section (which is actually
>most of the Security Options).
>
>No official publications exist for this. Some independent researchers have
>summarized some of it though.
>http://www.ists.dartmouth.edu/IRIA/knowledge_base/sectemplates/sectemplates.htm
>
>N
- Previous message: Rick: "WinZip needing internet access?"
- In reply to: Nick Finco [MS]: "Re: Understanding security template INF structures"
- Next in thread: Nick Finco [MS]: "Re: Understanding security template INF structures"
- Reply: Nick Finco [MS]: "Re: Understanding security template INF structures"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
