Creating Custom Security Templates

You might want to add more security settings to security templates to meet your organization's security requirements. Windows 2000 and Windows XP let you add settings to a security template either by directly editing the security template file or, in the case of system services, by configuring the security template on a computer that has the desired services installed.

Adding Registry Entries to Security Options

You might want to add a security-related registry setting to a security template that you will deploy to many computers in your organization. When the setting is delivered through a security template applied by Group Policy, the registry value is re-applied each time security settings are refreshed, by default every 16 hours even if the policy has not changed, so a local change to the value is reverted at the next refresh.

You can customize the list of registry values exposed in the Security Options section of security templates by modifying and then registering the information in the Sceregvl.inf file located in the %windir%\inf folder. Although you must register the Sceregvl.inf file on the computers on which you will view and modify security templates, you do not have to register it on every computer to which the security template will be applied. Once the Sceregvl.inf file has been modified and registered, your custom registry values are exposed in the security templates on that computer. You can then create security templates or policies that define your new registry values and apply them to local computers or through Group Policy.

To add a registry value to a security template, follow these steps:

  1. Make a backup copy of the Sceregvl.inf file in %windir%\inf, then open it by using Notepad.exe or another text editor.

  2. Add the registry value and its security template settings to the [Register Registry Values] section, using the syntax described in Table 11-5.

  3. Add the display string that the entry's DisplayName field refers to in the [Strings] section.

  4. Save the Sceregvl.inf file. Then right-click the file in Windows Explorer and select Install.

  5. Re-register the Scecli.dll file by typing regsvr32 scecli.dll at a command prompt.

For example, you might want to add a policy that controls whether CDs play automatically. The registry value for this setting is named Autorun and lives under the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDRom; a value of 0 turns autorun off. To expose this setting in security templates, add the following lines to the existing [Register Registry Values] and [Strings] sections of the Sceregvl.inf file:

    [Register Registry Values]
    MACHINE\System\CurrentControlSet\Services\CDRom\Autorun,4,%Autorun%,0

    [Strings]
    Autorun = Prevents CD-ROMs from auto-playing CDs

Note that the Boolean display type (DisplayType 0) writes 1 when Enabled is selected and 0 when Disabled is selected, so the display string above is misleading: a template built from this entry stops autorun only when the setting is configured as Disabled. Choose a display string that makes clear which choice turns autorun off.
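The edit described in the steps above, modeled offline so it can be checked before touching a real computer. This is an added example, not code from the Windows Security Resource Kit: SAMPLE_SCEREGVL is a constructed stand-in for %windir%\inf\sceregvl.inf containing only the two sections the procedure touches, and the registered names are those from the page's Autorun example. On a real computer you would read and write the actual file and still need to install it and run regsvr32 scecli.dll afterwards. The [Registry Values] section of a security template, which the page mentions but does not show, uses path=type,value lines; template_registry_value emits one.

```python
"""Append a custom entry to a Sceregvl.inf-style file and emit the matching
security-template line.

Added example, not code from the Windows Security Resource Kit. SAMPLE_SCEREGVL is
a constructed stand-in for %windir%\\inf\\sceregvl.inf containing only the two
sections the procedure touches; on a real computer you would read and write the
actual file and then run "regsvr32 scecli.dll" to re-register it.
"""
import re

# Constructed stand-in for the two sections of Sceregvl.inf that the procedure edits.
SAMPLE_SCEREGVL = r"""[Register Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName,4,%DontDisplayLastUserName%,0

[Strings]
DontDisplayLastUserName = "Interactive logon: Do not display last user name"
"""


def _append_to_section(inf_text, section, line):
    """Insert `line` at the end of [section], before any trailing blank lines."""
    lines = inf_text.splitlines()
    header = f"[{section}]".lower()
    starts = [i for i, l in enumerate(lines) if l.strip().lower() == header]
    if not starts:
        raise ValueError(f"section [{section}] not found")
    start = starts[0]
    # The section runs up to the next [Header] line or the end of the file.
    end = next((i for i in range(start + 1, len(lines)) if lines[i].startswith("[")),
               len(lines))
    while end > start + 1 and lines[end - 1].strip() == "":
        end -= 1
    lines.insert(end, line)
    return "\n".join(lines) + "\n"


def add_registry_value(inf_text, reg_path, reg_type, display_var, display_type,
                       display_text, options=""):
    """Register reg_path for the Security Options UI (Table 11-5 syntax).

    reg_path must start with MACHINE\\ (only HKEY_LOCAL_MACHINE values are supported)
    and must not already be registered, so an existing entry is never shadowed.
    """
    if not reg_path.upper().startswith("MACHINE\\"):
        raise ValueError("only HKEY_LOCAL_MACHINE values (MACHINE\\...) can be registered")
    if re.search(r"(?im)^" + re.escape(reg_path) + r",", inf_text):
        raise ValueError(f"{reg_path} is already registered")
    entry = f"{reg_path},{reg_type},%{display_var}%,{display_type}"
    if options:
        entry += f",{options}"
    text = _append_to_section(inf_text, "Register Registry Values", entry)
    return _append_to_section(text, "Strings", f'{display_var} = "{display_text}"')


def template_registry_value(reg_path, reg_type, value):
    """Line for the [Registry Values] section of a security template: path=type,value."""
    return f"{reg_path}={reg_type},{value}"


AUTORUN = r"MACHINE\System\CurrentControlSet\Services\CDRom\Autorun"

if __name__ == "__main__":
    patched = add_registry_value(SAMPLE_SCEREGVL, AUTORUN, 4, "Autorun", 0,
                                 "Prevents CD-ROMs from auto-playing CDs")
    print(patched)
    # Boolean display type: Enabled writes 1 (autorun stays on), Disabled writes 0.
    # To actually stop autorun, the template line must set the value to 0.
    print(template_registry_value(AUTORUN, 4, 0))
```

The duplicate check matters in practice: Sceregvl.inf already registers many values, and a second line for the same path makes the UI show two controls that fight over one registry value.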

This is the syntax for the registry value section:

RegistryPath,RegistryType,DisplayName,DisplayType,Options

Table 11-5 describes each of the fields.

Table 11-5. Syntax for the Registry Values in Sceregvl.inf

RegistryPath
    The full path of the registry key and value to expose in security templates. Only values under the HKEY_LOCAL_MACHINE hive can be configured; that hive is referenced by the keyword MACHINE (for example, MACHINE\System\CurrentControlSet\Services\CDRom\Autorun).

RegistryType
    A number that defines the data type of the registry value:

      • 1: REG_SZ
      • 2: REG_EXPAND_SZ
      • 3: REG_BINARY
      • 4: REG_DWORD
      • 7: REG_MULTI_SZ

DisplayName
    The %variable% whose text, defined in the [Strings] section, is displayed in the security template UI.

DisplayType
    The kind of dialog box the security template renders for the administrator to set the value. Supported display types:

      • 0: Boolean. Offers Enabled and Disabled. Enabled writes 1 to the registry value and Disabled writes 0, regardless of how the display string is worded.
      • 1: numeric. Accepts a number from 0 to 99,999. A unit string (such as minutes or seconds) can be supplied in the Options field.
      • 2: string. Renders a text box; the registry value is set to the text entered.
      • 3: list. Offers a list box with one choice per option defined in the Options field; the registry value is set to the number associated with the chosen option.
      • 4: multivalued (Windows XP only). Accepts multiple lines of text and should be used for REG_MULTI_SZ values; each line is stored as a separate null-terminated string.
      • 5: bitmask (Windows XP only). Renders one check box per option defined in the Options field; each check box corresponds to a numeric value.

Options
    Qualifies the DisplayType:

      • DisplayType=1 (numeric): an optional unit string for display only; it has no effect on the value written to the registry.
      • DisplayType=3 (list): the list choices, each written as a numeric value, the pipe character (|), and the text of the choice, with choices separated by commas. The registry value is set to the number associated with the choice the user makes. See the LMCompatibilityLevel entry in Sceregvl.inf for an example that lets the user select one of six possible values (levels 0 through 5).
      • DisplayType=5 (bitmask): the available choices, in the same value|text form. The registry value is set to the bitwise OR of the selected choices. See the NTLMMinClientSec entry in Sceregvl.inf for an example of this type.
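The semantics of Table 11-5 as a small model: parse an entry line into its five fields and compute the value the template writes for each DisplayType, including the list and bitmask Options syntax. This is an added example, not code from the Windows Security Resource Kit, and it covers all six display types rather than only the page's Autorun case. The entry lines are constructed: the Autorun line is the page's own example; the list and bitmask lines are modeled on the LMCompatibilityLevel and NTLMMinClientSec entries, with the %string% names assumed and the NTLMMinClientSec flag values taken from that setting's documentation (0x80000 for NTLMv2 session security, 0x20000000 for 128-bit encryption).

```python
"""Model of how the Security Configuration Editor turns a Sceregvl.inf entry plus
an administrator's UI choice into the value written to the registry.

Added example, not code from the Windows Security Resource Kit. The entry lines
below are constructed: the Autorun line is the page's own example; the list and
bitmask lines are modeled on the LMCompatibilityLevel and NTLMMinClientSec entries,
with %string% names assumed and the NTLMMinClientSec flag values taken from that
setting's documentation (0x80000 NTLMv2 session security, 0x20000000 128-bit).
"""
from dataclasses import dataclass, field

REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}
DISPLAY_TYPES = {0: "boolean", 1: "numeric", 2: "string", 3: "list", 4: "multivalued", 5: "bitmask"}

# Constructed entries (see module docstring).
AUTORUN_ENTRY = r"MACHINE\System\CurrentControlSet\Services\CDRom\Autorun,4,%Autorun%,0"
LMCOMPAT_ENTRY = (r"MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel,4,"
                  "%LmCompatibilityLevel%,3,"
                  "0|%LMCLevel0%,1|%LMCLevel1%,2|%LMCLevel2%,3|%LMCLevel3%,4|%LMCLevel4%,5|%LMCLevel5%")
NTLMMIN_ENTRY = (r"MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec,4,"
                 "%NTLMMinClientSec%,5,524288|%NTLMv2Session%,536870912|%NTLM128%")


@dataclass
class Entry:
    path: str
    reg_type: int
    display_name: str
    display_type: int
    options: str = ""
    choices: dict = field(default_factory=dict)  # numeric value -> label, for list/bitmask


def parse_entry(line):
    """Split RegistryPath,RegistryType,DisplayName,DisplayType[,Options] per Table 11-5."""
    parts = line.split(",", 4)  # Options may itself contain commas, so stop after four
    if len(parts) < 4:
        raise ValueError("entry needs at least four comma-separated fields")
    entry = Entry(parts[0], int(parts[1]), parts[2], int(parts[3]),
                  parts[4] if len(parts) == 5 else "")
    if not entry.path.upper().startswith("MACHINE\\"):
        raise ValueError("only MACHINE\\ (HKEY_LOCAL_MACHINE) paths are supported")
    if entry.reg_type not in REG_TYPES or entry.display_type not in DISPLAY_TYPES:
        raise ValueError("unknown RegistryType or DisplayType")
    if DISPLAY_TYPES[entry.display_type] in ("list", "bitmask"):
        for choice in entry.options.split(","):
            value, label = choice.split("|", 1)  # each choice is value|text
            entry.choices[int(value)] = label
    return entry


def registry_value(entry, selection):
    """Value the template writes for `selection` made in the UI control for `entry`."""
    kind = DISPLAY_TYPES[entry.display_type]
    if kind == "boolean":
        return 1 if selection else 0  # Enabled -> 1, Disabled -> 0, whatever the label says
    if kind == "numeric":
        if not 0 <= int(selection) <= 99999:
            raise ValueError("numeric display type accepts 0..99999")
        return int(selection)
    if kind == "string":
        return str(selection)
    if kind == "list":
        if selection not in entry.choices:
            raise ValueError(f"{selection} is not one of the list choices")
        return selection
    if kind == "multivalued":
        return [str(s) for s in selection]  # one REG_MULTI_SZ string per line
    # bitmask: OR together the values of the checked boxes
    unknown = set(selection) - set(entry.choices)
    if unknown:
        raise ValueError(f"not bitmask choices: {sorted(unknown)}")
    result = 0
    for bit in selection:
        result |= bit
    return result


def encode_multi_sz(strings):
    """REG_MULTI_SZ storage form: each string NUL-terminated, plus a final NUL."""
    return "".join(s + "\0" for s in strings) + "\0"


if __name__ == "__main__":
    ntlm = parse_entry(NTLMMIN_ENTRY)
    print(hex(registry_value(ntlm, [524288, 536870912])))  # both boxes checked
    print(registry_value(parse_entry(AUTORUN_ENTRY), True))  # Enabled writes 1
```

Running the Autorun entry through the model shows the Boolean pitfall from the example above: selecting Enabled writes 1, which leaves autorun on, so the template must configure the setting as Disabled to write 0.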

Adding Services, Registry Values, and Files to Security Templates

You can manage the security of services, registry keys, and files by using security templates. By default, every service, registry key, and file in the base installation of Windows 2000 or Windows XP can be managed in security templates. For services, you can manage the startup behavior and the permissions on the service; for registry keys and files, you can manage the DACL and SACL (permissions are set on registry keys, not on individual values). If you need to manage a service, registry key, or file that is not part of the default installation, such as a service added by an application, edit the security template on a Windows 2000 or Windows XP computer that does have that service, registry key, or file. When you save the template, the newly added resource and its settings are stored in it, and the template can then be applied to other computers.



Microsoft Windows Security Resource Kit
ISBN: 0735621748
Year: 2003