Creating Custom Security Templates
You might want to add security settings beyond those shipped in the default security templates to meet your organization's security requirements. Windows 2000 and Windows XP let you add settings to a security template either by editing the template file directly or, in the case of system services, by editing the template on a computer that has the desired services installed.
Adding Registry Entries to Security Options
You might want to add a security-related registry value to a security template that you will deploy on many computers in your organization. Because the value is carried in a security template, Group Policy applies and enforces it each time security settings are refreshed, which by default happens every 16 hours even when the policy has not changed.
You can customize the list of registry values exposed in the Security Options section of security templates by editing and then registering the Sceregvl.inf file in the %windir%\inf folder. You must register the modified Sceregvl.inf only on the computers on which you view and edit security templates; you do not have to register it on every computer to which a template is applied. Once the file has been modified and registered, your custom registry values appear in the security templates on that computer, and you can create templates or policies that define the new values and apply them to local computers or through Group Policy.
To add a registry value to a security template, follow these steps:
Open the Sceregvl.inf file in %windir%\inf with Notepad.exe or another text editor.
Add the registry value and its security template settings to the [Register Registry Values] section, using the syntax described in Table 11-5.
Add a display string for the value to the [Strings] section.
Save the Sceregvl.inf file. Then right-click the file in Windows Explorer and select Install.
Reregister Scecli.dll by running regsvr32 scecli.dll at a command prompt.
For example, you might want to add a policy that prevents CDs from playing automatically. The registry value for this setting is named Autorun and lives under the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDRom. To expose this setting in security templates, add the following lines to the corresponding sections of Sceregvl.inf:
[Register Registry Values]
MACHINE\System\CurrentControlSet\Services\CDRom\Autorun,4,%Autorun%,0

[Strings]
Autorun = Prevents CD-ROMs from auto-playing CDs
Note that a value registered with the Boolean display type is written as 1 when the administrator chooses Enabled and 0 for Disabled, and it is Autorun=0 that turns autoplay off. Choose the display string so that it describes what the value 1 does (for example, "Autoplay for CD-ROM drives"), so that an administrator who wants to prevent autoplay is not misled into enabling it.
This is the syntax for the registry value section:
RegistryPath,RegistryType,DisplayName,DisplayType,Options
Table 11-5 describes each of the fields.
Field | Description |
--- | --- |
RegistryPath | The full path of the registry key and value to add to the security templates. Only values under the HKEY_LOCAL_MACHINE hive can be configured; that hive is written as the keyword MACHINE. |
RegistryType | A number identifying the data type of the registry value (the Autorun example uses 4, the code for a REG_DWORD value). |
DisplayName | The variable, written as %Name%, that refers to the display string defined in the [Strings] section. |
DisplayType | A number specifying the kind of dialog box the Security Templates snap-in renders so the user can define the setting (the Autorun example uses 0, an Enabled/Disabled choice). |
Options | Qualifies certain DisplayTypes, for example the list of choices presented when the DisplayType is a list. |
Adding Services, Registry Values, and Files to Security Templates
You can manage the security of services, registry keys, and files by using security templates. By default, every service, registry key, and file in the base installation of Windows 2000 or Windows XP can be managed in a security template. For a service you can manage its startup behavior and the permissions on the service object; for registry keys and files you can manage the DACL and the SACL. If you need to manage a service, registry key, or file that is not part of the default installation, such as a service added by an application, edit the security template on a Windows 2000 or Windows XP computer that does have that service, registry key, or file. When you save the template, the newly added resource and its settings are written into the template file, and the template can then be applied to other computers on which the resource exists.
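The following is an added example, written for this page in Python and not code from the book or from Windows. It covers both the Sceregvl.inf procedure above and the service, registry key and file entries described in this section: it lints a constructed Sceregvl.inf fragment against the RegistryPath,RegistryType,DisplayName,DisplayType syntax (path rooted at MACHINE, a known registry type code, a %Name% that exists in [Strings], a numeric DisplayType), then checks a constructed security template to confirm that each [Registry Values] entry is registered with a matching type and that the SDDL strings in [Service General Setting], [Registry Keys] and [File Security] do not grant Everyone, Authenticated Users or Users full control or WRITE_DAC/WRITE_OWNER. The template section names, the "name",mode,"SDDL" entry shape, the registry type codes (REG_SZ = 1, REG_BINARY = 3, REG_DWORD = 4, REG_MULTI_SZ = 7) and the two-letter SDDL rights and SID codes come from the template and SDDL formats rather than from this page; the Contoso paths, the Messenger service line and the Banner value are hypothetical.

```python
"""Lint helpers for Sceregvl.inf and security template (.inf) files. Added example; all samples below are constructed, not files from the page."""
import re
SCEREGVL_SAMPLE = r"""
[Register Registry Values]
MACHINE\System\CurrentControlSet\Services\CDRom\Autorun,4,%Autorun%,0
MACHINE\Software\Contoso\Banner,1,%Banner%,2
Software\Contoso\Broken,9,%Missing%,0 ; bad path, bad type, no string
[Strings]
Autorun = Prevents CD-ROMs from auto-playing CDs
Banner = Contoso logon banner text
"""

TEMPLATE_SAMPLE = r"""
[Registry Values]
MACHINE\System\CurrentControlSet\Services\CDRom\Autorun=4,0
MACHINE\Software\Contoso\Banner=3,"Authorized use only"
[Service General Setting]
"Messenger",2,"D:(A;;GA;;;WD)"
[File Security]
"%SystemDrive%\Contoso\bin",2,"D:PAR(A;OICI;FA;;;BA)(A;OICI;FA;;;WD)"
"""

REG_TYPES = {1: "REG_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}
POWERFUL = {"GA", "FA", "KA", "WD", "WO"}  # generic/full control, WRITE_DAC, WRITE_OWNER
BROAD = {"WD": "Everyone", "AU": "Authenticated Users", "BU": "Users"}
ENTRY = re.compile(r'"([^"]*)",(\d+),"([^"]*)"')  # "name",mode,"SDDL" template entry

def strip_comment(line):  # drop a ';' comment, but not a ';' inside quotes (SDDL uses them)
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"':
            quoted = not quoted
        elif ch == ";" and not quoted:
            return line[:i]
    return line

def parse_inf(text):  # split INF-style text into {section: [non-empty lines]}
    sections, current = {}, None
    for raw in text.splitlines():
        line = strip_comment(raw).strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line)
    return sections

def check_sceregvl(text):
    """Validate [Register Registry Values] (short lines are padded so they fail the checks); return ({path: type}, [problems])."""
    inf = parse_inf(text)
    strings = {k.strip(): v.strip() for k, _, v in (l.partition("=") for l in inf.get("Strings", []))}
    registered, problems = {}, []
    for line in inf.get("Register Registry Values", []):
        path, rtype, display, dtype = ([f.strip() for f in line.split(",")] + [""] * 3)[:4]
        checks = [
            (path.upper().startswith("MACHINE\\"), "path must be under MACHINE (HKEY_LOCAL_MACHINE)"),
            (rtype.isdigit() and int(rtype) in REG_TYPES, f"unknown RegistryType {rtype}"),
            (display.count("%") == 2 and display.strip("%") in strings, f"{display} has no [Strings] entry"),
            (dtype.isdigit(), f"DisplayType must be numeric, got {dtype!r}"),
        ]
        bad = [f"{path}: {msg}" for ok, msg in checks if not ok]
        problems += bad
        if not bad:
            registered[path.lower()] = int(rtype)
    return registered, problems

def parse_dacl(sddl):  # yield (ace_type, flags, set of two-letter rights, sid) per DACL ACE
    dacl = sddl.partition("D:")[2].partition("S:")[0]
    for ace in re.findall(r"\(([^)]*)\)", dacl):
        ace_type, flags, rights, _, _, sid = ace.split(";")[:6]
        yield ace_type, flags, {rights[i:i + 2] for i in range(0, len(rights), 2)}, sid

def weak_aces(sddl):  # allow ACEs giving a broad principal full control or WRITE_DAC/WRITE_OWNER
    return [(BROAD[sid], sorted(rights & POWERFUL))
            for ace_type, _, rights, sid in parse_dacl(sddl)
            if ace_type == "A" and sid in BROAD and rights & POWERFUL]

def check_template(text, registered):
    """Findings: unregistered or mismatched registry values, weak service/key/file DACLs."""
    inf, findings = parse_inf(text), []
    for line in inf.get("Registry Values", []):
        path, _, rest = line.partition("=")
        key, rtype = path.strip().lower(), rest.split(",", 1)[0]
        if key not in registered:
            findings.append(f"{path}: not registered in Sceregvl.inf, so not shown in the snap-in")
        elif not rtype.isdigit() or int(rtype) != registered[key]:
            findings.append(f"{path}: type {rtype} differs from registered type {registered[key]}")
    for section in ("Service General Setting", "Registry Keys", "File Security"):
        for line in inf.get(section, []):
            m = ENTRY.fullmatch(line)
            if not m:
                findings.append(f"[{section}] unparsable entry: {line}")
            for who, rights in (weak_aces(m.group(3)) if m else []):
                findings.append(f"[{section}] {m.group(1)}: {who} allowed {','.join(rights)}")
    return findings

if __name__ == "__main__":  # lint the constructed samples
    reg, problems = check_sceregvl(SCEREGVL_SAMPLE)
    print(*problems, *check_template(TEMPLATE_SAMPLE, reg), sep="\n")
```

The same loop handles [Registry Keys] entries because the template stores registry keys and files in the same "path",mode,"SDDL" form; the Strings lookup matters because a %Name% with no [Strings] entry is the commonest reason a freshly registered value shows up blank, or not at all, in the snap-in after regsvr32 scecli.dll. Run the checks on a template exported from a reference computer before you import it into Group Policy.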