Re: Understanding security template INF structures

From: Nick Finco [MS] (nfinco@online.microsoft.com)
Date: 04/11/03


From: "Nick Finco [MS]" <nfinco@online.microsoft.com>
Date: Thu, 10 Apr 2003 18:20:35 -0700


A large part of Group Policy is driven using ADM files. Basically, they're
a handy way to deal with registry settings. They won't be enforced every 16
hours like with the security policy registry keys (unless you tweak a group
policy setting). They do propagate to the clients though when policy
changes. They have better UI extensibility and in the end they handle
registry settings a lot better. Plus, they're supported. :) I don't
believe they handle registry security though. You need to stick to the
security settings for that.

http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/windows2000/en/server/help/sag_SPconcepts_34.htm

N

-- 
This posting is provided "AS IS" with no warranties, and confers no rights.
"Serge Ayotte" <sayotte@hotmail.com> wrote in message
news:kkf49vkmou1nncol562q7vh39m1t8kn764@4ax.com...
> HHHaaaaaaa, I see (said the blind man <grin>).
>
> Thank you very much Nick for the info you have provided me with.
> It just seemed to me to be the "perfect solution" to providing a good
> security and "wholesale" modification to many servers by using these
> templates and GPO, instead of having to go from machine to machine...
> Plus the additional "bonus" that if I mess something, it would be
> easier to recover by just removing the GPO assigned to an OU.
>
> With your explanation that there are two registry related entries in
> the INF, now I understand why I was not seeing anything inside the
> Template MMC under the registry for the baselinedc.inf, since this one
> contains only a VALUES section.
>
> May I ask what you mean by a custom ADM file? Maybe it is the late
> hour for me presently, but it does not ring a bell? (Although I have
> good memories of roller skating on Ring My Bell... Showing my age with
> this comment and that song title<grin>).
>
> Thank you also for the Link, that will give me a bit more reading to
> make on top of the Microsoft papers on Security and a few others I
> have found!
>
> Thank you very much for your help and information!
>
> Serge Ayotte
>
>
> On Fri, 4 Apr 2003 13:46:46 -0800, "Nick Finco [MS]"
> <nfinco@online.microsoft.com> wrote:
>
> >You should look into using custom ADM files instead of manually editing the
> >security templates.  Manually editing security templates is unsupported,
> >they might not always work as you think, and their format may change in
> >future releases.  (Just keeping the disclaimer with the post.)
> >
> >You should be able to reverse engineer the syntax of security templates
> >using the UI and secedit.  Creating a template to delete a key using
> >supported tools is a bit tricky though.  It will look like this in a
> >template.  The key's type is set to -1.  The value doesn't matter.
> >MACHINE\Software\Test\value=-1,0
> >
> >There are 2 registry sections.  [Registry Values] is for setting actual reg
> >values.  [Registry Keys] is for setting security.  You're probably looking
> >at the corresponding UI section for [Registry Keys] (UI: Registry node) but
> >thinking you're looking at the [Registry Values] section (which is actually
> >most of the Security Options).
> >
> >No official publications exist for this.  Some independent researchers have
> >summarized some of it though.
> >
> >http://www.ists.dartmouth.edu/IRIA/knowledge_base/sectemplates/sectemplates.htm
> >
> >N
>
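
The two registry sections described in the quoted message, as an added example that is not part of the original thread: a small Python reviewer that separates [Registry Values] entries from [Registry Keys] entries in a template and flags the type -1 delete entries before the template is linked to a GPO. The sample template is constructed, and the field layouts (path=type,data and "path",mode,"SDDL") are assumptions, since the thread notes the format is not officially documented.

```python
import csv

# Standard registry type numbers; -1 is the delete marker described in the thread.
REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY",
             4: "REG_DWORD", 7: "REG_MULTI_SZ", -1: "DELETE"}

# Constructed sample template (not taken from baselinedc.inf).
SAMPLE = r'''
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
MACHINE\Software\Test\value=-1,0
[Registry Keys]
"MACHINE\Software\Test",0,"D:PAR(A;CI;KA;;;BA)(A;CI;KR;;;BU)"
'''

def split_sections(text):
    """Group non-empty, non-comment lines under their [Section] header."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def registry_values(sections):
    """Parse [Registry Values]: assumed layout path=type,data."""
    out = []
    for line in sections.get("Registry Values", []):
        path, sep, rhs = line.partition("=")
        type_str, _, data = rhs.partition(",")
        if not sep or not type_str.strip().lstrip("-").isdigit():
            continue  # skip lines that do not match the assumed layout
        t = int(type_str)
        out.append({"path": path.strip(), "type": t, "data": data,
                    "type_name": REG_TYPES.get(t, "UNKNOWN"), "delete": t == -1})
    return out

def registry_keys(sections):
    """Parse [Registry Keys]: assumed layout "path",mode,"SDDL"."""
    rows = csv.reader(sections.get("Registry Keys", []))
    return [{"path": r[0], "mode": int(r[1]), "sddl": r[2]} for r in rows if len(r) == 3]

def review(text):
    """Return value settings, key ACL entries, and the paths marked for deletion."""
    s = split_sections(text)
    values = registry_values(s)
    return {"values": values, "acls": registry_keys(s),
            "deletions": [v["path"] for v in values if v["delete"]]}
```
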

