From BetaArchive Wiki

How to add custom registry settings to Security Configuration Editor

Article ID: 214752

Article Last Modified on 12/1/2007



APPLIES TO

  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows XP Professional
  • Microsoft Windows XP Professional x64 Edition
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional Edition
  • Microsoft Windows 2000 Datacenter Server



This article was previously published under Q214752

Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry


SUMMARY

The Security Configuration Manager (SCM) set of tools allows security administrators to define security templates that can be applied to individual machines or any number of machines via group policy. Security templates can contain password policies, lockout policies, Kerberos policies, audit policies, event log settings, registry values, service startup modes, service permissions, user rights, group membership restrictions, registry permissions and file system permissions.

This article describes how to extend the set of registry values supported by the Security Configuration Manager tools.

MORE INFORMATION

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

The security-relevant registry values configurable by SCM appear under Local Policies\Security Options when you use SCM tools such as the Security Templates snap-in, the Security Configuration and Analysis snap-in, or the Security Settings extension to Group Policy. You may want to extend the default list of registry values to include additional values that are security relevant in your environment.

Customizing the list of registry values exposed by SCM is accomplished by modifying, and then registering, the information in the Sceregvl.inf file located in the %windir%\inf folder. The Sceregvl.inf file should be modified on the machines where you use the SCM user interfaces (UIs) to create templates, define policies, perform analyses, etc. The Sceregvl.inf file does not have to be modified or registered on every machine where the security template is applied, since it affects only the SCM UIs.

Once the Sceregvl.inf file has been modified and registered, your custom registry values are exposed in the SCM UIs on that machine. You can then create security templates or policies that define your new registry values. These templates or policies can then be applied to any machine, regardless of whether Sceregvl.inf has been modified on the target machine or not.

The following example illustrates how the NoLMHash registry value is exposed as "Network security: Do not store LAN Manager hash value on next password change" on the Windows XP version of SCM:

[Register Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash,4,%NoLMHash%,0

[Strings]
NoLMHash = "Network security: Do not store LAN Manager hash value on next password change"

The syntax for the entries in the [Register Registry Values] section is as follows:

RegistryPath,RegistryType,DisplayName,DisplayType,Options

The following table provides an explanation for each of the parameters listed above:

Parameter      Explanation

RegistryPath   Defines the full path of the registry key and value that you want to expose in the UI. Only values that exist in the HKEY_LOCAL_MACHINE hive can be configured; this hive is referenced by the keyword MACHINE.

RegistryType   A number that defines the type of the registry value as follows:

               1 - REG_SZ
               2 - REG_EXPAND_SZ
               3 - REG_BINARY
               4 - REG_DWORD
               7 - REG_MULTI_SZ

DisplayName    The string that ultimately appears in the Security Options section of the SCM UIs. This is usually a replaceable parameter that refers to an entry in the [Strings] section of the Sceregvl.inf file, which makes localization easier.

DisplayType    Specifies the type of dialog the SCM UI should render to allow the user to define the setting for the registry value. Supported DisplayTypes include:

               0 - Boolean: Causes the UI to render two radio buttons to "Enable" or "Disable" the registry value. If "Enabled" is selected, the registry value is set to 1. If "Disabled" is selected, the registry value is set to 0.
               1 - Numeric: Causes the UI to render a numeric spin control that allows the user to type in or select a numeric value in the range 0 to 99999. Numeric display types can specify "unit" strings such as "minutes", "seconds", etc. that appear next to the spin control in the UI. These "unit" strings are defined in the Options field described below. The registry value is set to the number entered by the user.
               2 - String: Causes the UI to render a text box. The registry value is set to the string entered by the user.
               3 - List: Causes the UI to render a list box from which the user can select one of several options. The registry value is set to the numeric value associated with the option chosen by the user. The options presented to the user are defined in the Options field described below.
               4 - Multivalued (available on Windows XP only): Causes the UI to render a multi-line edit control that allows the user to enter multiple lines of text. This display type should be used to define values for REG_MULTI_SZ types. The registry value is set to the strings entered by the user, where each line is separated by a NULL byte.
               5 - Bitmask (available on Windows XP only): Causes the UI to render a series of checkboxes where each checkbox corresponds to a numeric value defined in the Options field described below. The registry value is set to the bitwise OR of the selected values.

Options        Qualifies different DisplayTypes as follows:

               If DisplayType=1 (Numeric), the Options field may contain a string that defines the units for the numeric value. The unit string is displayed next to the spin control in the UI. The unit string has no impact on the value set in the registry.
               If DisplayType=3 (List), the Options field defines the list options that are available to the user. Each option consists of a numeric value, followed by the "pipe" character '|', followed by the text for the choice. The registry value is set to the numeric value associated with the choice made by the user. See the LMCompatibilityLevel entry in Sceregvl.inf for an example of a registry value that allows the user to select from one of five possible values.
               If DisplayType=5 (Bitmask), the Options field defines the choices that are available to the user. Each choice consists of a numeric value, followed by the "pipe" character '|', followed by the text for the choice. The registry value is set to the bitwise OR of the choices selected by the user. See the NTLMMinClientSec entry in Sceregvl.inf for an example of a registry value that allows the user to combine several choices into one numeric registry setting.
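As an added example (not part of the original article), the following Python code parses [Register Registry Values] lines in the format described above, resolves the %Name% replaceables against a [Strings] lookup, validates the field values, and computes the value the SCM UI would write for a Boolean, Numeric, List or Bitmask selection. The Contoso entries, the STRINGS dictionary and the function names are constructed for this example, and the code assumes that List and Bitmask options are comma separated, as in the Sceregvl.inf shipped with Windows.

```python
import re
from functools import reduce
# Type codes and display types as documented for Sceregvl.inf
REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}
DISPLAY_TYPES = {0: "Boolean", 1: "Numeric", 2: "String", 3: "List", 4: "Multivalued", 5: "Bitmask"}
# Constructed [Strings] lookup: NoLMHash is the article's own entry; the Contoso names are hypothetical
STRINGS = {
    "NoLMHash": "Network security: Do not store LAN Manager hash value on next password change",
    "Timeout": "Contoso: Agent check-in interval", "Minutes": "minutes",
    "Flags": "Contoso: Agent hardening options",
    "FlagA": "Require signing", "FlagB": "Require encryption", "FlagC": "Disallow downgrade",
}
# Constructed [Register Registry Values] lines in the same format as the article's NoLMHash example
LINES = [
    r"MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash,4,%NoLMHash%,0",
    r"MACHINE\Software\Contoso\Agent\Timeout,4,%Timeout%,1,%Minutes%",
    r"MACHINE\Software\Contoso\Agent\Flags,4,%Flags%,5,1|%FlagA%,2|%FlagB%,4|%FlagC%",
]

def expand(text, strings=STRINGS):
    # Resolve %Name% tokens against [Strings]; an unknown name raises KeyError
    return re.sub(r"%([^%]+)%", lambda m: strings[m.group(1)], text)

def parse_entry(line, strings=STRINGS):
    """Split RegistryPath,RegistryType,DisplayName,DisplayType,Options and validate each field."""
    path, reg_type, name, display_type, options = (line.split(",", 4) + [""])[:5]
    if not path.startswith("MACHINE\\"):
        raise ValueError("only the MACHINE hive can be registered: " + path)
    entry = {"path": path, "reg_type": REG_TYPES[int(reg_type)], "display_name": expand(name, strings),
             "display_type": DISPLAY_TYPES[int(display_type)], "unit": None, "choices": {}}
    if entry["display_type"] == "Numeric" and options:
        entry["unit"] = expand(options, strings)  # UI label only; never written to the registry
    elif entry["display_type"] in ("List", "Bitmask"):
        for item in options.split(","):  # value|label pairs, comma separated as in the shipped file
            value, _, label = item.partition("|")
            entry["choices"][int(value)] = expand(label, strings)
    return entry

def ui_value(entry, selection):
    """Value SCM writes for a UI selection, following the DisplayType rules in the table above."""
    kind, choices = entry["display_type"], entry["choices"]
    if kind == "Boolean":
        return 1 if selection else 0
    if kind == "Numeric" and 0 <= selection <= 99999:
        return selection
    if kind == "List" and selection in choices:
        return selection
    if kind == "Bitmask" and set(selection) <= set(choices):
        return reduce(lambda acc, bit: acc | bit, selection, 0)  # bitwise OR of the checked boxes
    raise ValueError("selection %r is not valid for display type %s" % (selection, kind))
```

A selection that is not defined in the Options field (for example a bit that has no checkbox) is rejected rather than silently written, which mirrors the UI only offering the listed choices.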



NOTE: After you have modified the Sceregvl.inf file to include your custom registry settings, the changes need to be registered by running the following command:

regsvr32 scecli.dll


Subsequent launches of the SCM UIs expose your custom registry values. Security templates or policies that contain settings for your new registry values can be applied to any machine, regardless of whether or not the target machine has received these UI modifications.

Important The entry is stored in the local Secedit.sdb file. If you want to remove the new entry you made, you must re-create the Secedit.sdb file. To do so:

  1. Rename the Secedit.sdb file to "Secedit.old".
  2. Run the secedit /refreshpolicy machine_policy /enforce command to re-create the local database from the local settings.



Additional query words: Manager SCE SCM SECEDIT SECMGR

Keywords: kbenv kbinfo KB214752