Article ID: 214752
Article Last Modified on 12/1/2007
APPLIES TO
- Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
- Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
- Microsoft Windows Server 2003, Standard Edition (32-bit x86)
- Microsoft Windows XP Professional
- Microsoft Windows XP Professional x64 Edition
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Professional Edition
- Microsoft Windows 2000 Datacenter Server
This article was previously published under Q214752
Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows registry
SUMMARY
The Security Configuration Manager (SCM) set of tools allows security administrators to define security templates that can be applied to individual machines or any number of machines via group policy. Security templates can contain password policies, lockout policies, Kerberos policies, audit policies, event log settings, registry values, service startup modes, service permissions, user rights, group membership restrictions, registry permissions and file system permissions.
This article describes how to extend the set of registry values supported by the security configuration manager set of tools.
MORE INFORMATION
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
The security-relevant registry values configurable by SCM appear under Local Policies\Security Options when using SCM tools such as the Security Templates snap-in, the Security Configuration and Analysis snap-in, or the Security Settings extension to Group Policy. You may want to extend the default list of registry values to include additional values that are security-relevant in your environment.
Customizing the list of registry values exposed by SCM is accomplished by modifying, and then registering, the information in the Sceregvl.inf file located in the %windir%\inf folder. The Sceregvl.inf file should be modified on the machines where you use the SCM user interfaces (UIs) to create templates, define policies, perform analyses, and so on. The Sceregvl.inf file does not have to be modified or registered on every machine where the security template is applied, because it affects only the SCM UIs.
Once the Sceregvl.inf file has been modified and registered, your custom registry values are exposed in the SCM UIs on that machine. You can then create security templates or policies that define your new registry values. These templates or policies can then be applied to any machine, regardless of whether Sceregvl.inf has been modified on the target machine.
The following example illustrates how the NoLMHash registry value is exposed as "Network security: Do not store LAN Manager hash value on next password change" on the Windows XP version of SCM:
[Register Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash,4,%NoLMHash%,0

[Strings]
NoLMHash = "Network security: Do not store LAN Manager hash value on next password change"
The syntax for the entries in the [Register Registry Values] section is as follows:
RegistryPath,RegistryType,DisplayName,DisplayType,Options
The following table provides an explanation for each of the parameters listed above:
Parameter | Explanation |
---|---|
RegistryPath | Defines the full path of the registry key and value that you want to expose in the UI. Only values that exist in the HKEY_LOCAL_MACHINE hive can be configured; this hive is referenced by the keyword MACHINE. |
RegistryType | A number that defines the type of the registry value, as follows: 1 - REG_SZ; 2 - REG_EXPAND_SZ; 3 - REG_BINARY; 4 - REG_DWORD; 7 - REG_MULTI_SZ. |
DisplayName | The string that ultimately appears in the Security Options section of the SCM UIs. This is usually a replaceable parameter that refers to an entry in the [Strings] section of the Sceregvl.inf file, which makes localization easier. |
DisplayType | Specifies the type of dialog the SCM UI should render to allow the user to define the setting for the registry value. Supported DisplayTypes include: |
Options | Qualifies different DisplayTypes as follows: |
NOTE: After you have modified the Sceregvl.inf file to include your custom registry settings, the changes need to be registered by running the following command:
regsvr32 scecli.dll
Subsequent launches of the SCM UIs expose your custom registry values. Security templates or policies that contain settings for your new registry values can be applied to any machine, regardless of whether the target machine has received these UI modifications.
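As an added example (not code from the article or from Microsoft), the following Python script parses a Sceregvl.inf fragment and checks each [Register Registry Values] row against the syntax above: the MACHINE prefix, the RegistryType codes from the table, and the %DisplayName% lookup in [Strings], so a malformed row is caught before the file is registered. The NoLMHash row is the article's own; the Contoso rows are constructed placeholders, not real registry values.

```python
# Added example (not from the KB article): checks [Register Registry Values]
# rows against the syntax above before "regsvr32 scecli.dll" registers them.
REGISTRY_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY",
                  4: "REG_DWORD", 7: "REG_MULTI_SZ"}   # codes from the article
# Constructed sample: the article's NoLMHash row plus two deliberately broken
# rows under a made-up Contoso key (placeholder, not a real registry value).
SAMPLE_INF = r"""[Register Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash,4,%NoLMHash%,0
MACHINE\Software\Contoso\Example\BadType,5,%BadType%,0
SOFTWARE\Contoso\Example\NoHive,1,%NoHive%,0
[Strings]
NoLMHash = "Network security: Do not store LAN Manager hash value on next password change"
BadType = "Contoso: unsupported RegistryType code (constructed)"
NoHive = "Contoso: path without MACHINE prefix (constructed)"
"""

def parse_sections(text):
    # Map lower-cased section name -> its non-blank, non-comment lines.
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].lower(), [])
        elif current is not None:
            current.append(line)
    return sections

def validate(text):
    # Returns (entries, errors); entries have %DisplayName% resolved via [Strings].
    sec = parse_sections(text)
    strings = {k.strip(): v.strip().strip('"') for k, _, v in
               (l.partition("=") for l in sec.get("strings", []))}
    entries, errors = [], []
    for row in sec.get("register registry values", []):
        parts = row.split(",", 4)        # Options (5th field) may hold commas
        if len(parts) < 4:
            errors.append(f"{row}: fewer than 4 fields")
            continue
        path, rtype, name, dtype = parts[:4]
        if not path.upper().startswith("MACHINE\\"):
            errors.append(f"{path}: only MACHINE\\ (HKLM) paths are supported")
        elif not (rtype.isdigit() and int(rtype) in REGISTRY_TYPES):
            errors.append(f"{path}: RegistryType {rtype} not in {sorted(REGISTRY_TYPES)}")
        elif name.startswith("%") and name.strip("%") not in strings:
            errors.append(f"{path}: {name} has no [Strings] entry")
        else:
            entries.append({"path": path, "type": REGISTRY_TYPES[int(rtype)],
                            "display_name": strings.get(name.strip("%"), name),
                            "display_type": int(dtype),
                            "options": parts[4] if len(parts) == 5 else ""})
    return entries, errors
```

Running validate(SAMPLE_INF) accepts the NoLMHash row as REG_DWORD with its display string resolved and reports the two constructed rows as errors.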
Important The entry is stored in the local Secedit.sdb file. If you want to remove the new entry you made, you must re-create the Secedit.sdb file. To do so:
- Rename the Secedit.sdb file to "Secedit.old".
- Run the secedit /refreshpolicy machine_policy /enforce command to recreate the local database from the local settings.
Additional query words: Manager SCE SCM SECEDIT SECMGR
Keywords: kbenv kbinfo KB214752