UAG 2010 Hardening Template - what actions does it take?

  • Question

  • I can see from popping open the Security Configuration Wizard UAG Hardening template (http://go.microsoft.com/fwlink/?LinkId=178534) that service start-up is set for many services, and two keys are added/changed in the registry.  There is also a reference to the template OrcaTemplate.inf, but I cannot find any background on that file.

    The inf file is not included with the xml file from the Microsoft Download Center, so I cannot see what it should be doing.  Since the file is not included, I assume it's not doing anything, and I want to make sure that I'm getting the fully Microsoft-recommended hardening with the SCW template.

    Thanks!

    Wednesday, May 18, 2011 10:45 PM

All replies

  • The inf file settings are included in the XML:

    [Unicode]
    Unicode=yes
    [Version]
    signature="$CHICAGO$"
    Revision=1
    [Registry Keys]
    "MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates",2,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
    "MACHINE\Software\Microsoft\Speech",2,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
    "MACHINE\SOFTWARE\Microsoft\Tracing",2,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GR;;;S-1-5-13)"
    "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders",2,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
    "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",2,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
    "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths",2,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GRGWSD;;;S-1-5-13)"
    "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace",2,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GRGWSD;;;S-1-5-13)"
    "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks",2,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GRGWSD;;;S-1-5-13)"
    "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs",2,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GRGWSD;;;S-1-5-13)"
    "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",2,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GRGWSD;;;S-1-5-13)"
    "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy",1,"D:AR"
    "MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies",1,"D:AR"
    "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility",2,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
    "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS",2,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
    "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PerHwIdStorage",2,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
    "MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports",2,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
    "MACHINE\System",0,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
    "MACHINE\SYSTEM\Clone",1,"D:AR"
    "MACHINE\SYSTEM\ControlSet001",1,"D:AR"
    "MACHINE\SYSTEM\ControlSet002",1,"D:AR"
    "MACHINE\SYSTEM\ControlSet003",1,"D:AR"
    "MACHINE\SYSTEM\ControlSet004",1,"D:AR"
    "MACHINE\SYSTEM\ControlSet005",1,"D:AR"
    "MACHINE\SYSTEM\ControlSet006",1,"D:AR"
    "MACHINE\SYSTEM\ControlSet007",1,"D:AR"
    "MACHINE\SYSTEM\ControlSet008",1,"D:AR"
    "MACHINE\SYSTEM\ControlSet009",1,"D:AR"
    "MACHINE\SYSTEM\ControlSet010",1,"D:AR"
    "MACHINE\SYSTEM\CurrentControlSet\Services",0,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
    "MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
    "MACHINE\SYSTEM\CurrentControlSet\Services\SCardSvr\Security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
    "MACHINE\SYSTEM\CurrentControlSet\Enum",1,"D:AR"
    "MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles",1,"D:AR"
    "USERS\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\ProtectedRoots",1,"D:AR"
    
    
    [File Security]
    "%ProgramFiles%\Common Files\SpeechEngines\Microsoft\TTS20",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
    "%ProgramFiles(x86)%\Common Files\SpeechEngines\Microsoft\TTS20",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
    "%SystemRoot%\ServiceProfiles\LocalService",1,"D:P(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;LS)"
    "%SystemRoot%\ServiceProfiles\NetworkService",1,"D:P(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;NS)"
    "%SystemDirectory%\wbem\mof",2,"D:P(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
    "%SystemDrive%\inetpub\logs\wmsvc",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GRGWGXSD;;;NS)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
    "%SystemRoot%\SysWOW64\inetsrv\Config\Export",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;CO)"
    "%SystemDirectory%\config\RegBack\default",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
    "%SystemDirectory%\config\systemprofile\ntuser.dat",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
    "%SystemDirectory%\config\RegBack\sam",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
    "%SystemDirectory%\config\RegBack\security",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
    "%SystemDirectory%\config\RegBack\software",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
    "%SystemDirectory%\config\RegBack\system",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"

    Also see: http://technet.microsoft.com/en-us/library/ee861146.aspx

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Thursday, May 19, 2011 12:35 AM
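As an added example (not from the thread and not part of Microsoft's template tooling): a small Python parser that reads the [Registry Keys] and [File Security] entries quoted above, decodes each SDDL string into its ACEs with the well-known account aliases expanded, and lists every ACE that grants write rights to a principal other than Administrators, SYSTEM or CREATOR OWNER, so a reviewer can see exactly what the template sets. The meaning of the mode field (0 propagate, 1 ignore, 2 replace) is my reading of the SCE security-template convention, not something the thread states.

```python
import re
# Constructed sample: four entries copied from the OrcaTemplate.inf text quoted above.
SAMPLE_INF = r'''[Registry Keys]
"MACHINE\System",0,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
"MACHINE\SYSTEM\ControlSet001",1,"D:AR"
"MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs",2,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)(A;CI;GRGWSD;;;S-1-5-13)"
[File Security]
"%SystemDirectory%\config\RegBack\sam",2,"D:P(A;;GA;;;BA)(A;;GA;;;SY)"
'''

MODES = {"0": "propagate", "1": "ignore", "2": "replace"}  # SCE mode field; mapping assumed (see lead-in)
ACCOUNTS = {"BU": "Users", "BA": "Administrators", "SY": "SYSTEM", "CO": "CREATOR OWNER",
            "LS": "LOCAL SERVICE", "NS": "NETWORK SERVICE", "S-1-5-13": "Terminal Server Users"}
WRITE_RIGHTS = {"GW", "GA", "SD"}  # generic write, generic all, delete
TRUSTED = {"Administrators", "SYSTEM", "CREATOR OWNER"}  # principals expected to hold write rights
ENTRY_RE = re.compile(r'^"(?P<path>[^"]+)",(?P<mode>\d),"(?P<sddl>[^"]*)"$')
ACE_RE = re.compile(r"\(([^)]*)\)")  # each (type;flags;rights;objguid;inhguid;sid) ACE

def parse_sddl(sddl):
    """Decode 'D:<flags>(ace)...' into (dacl_flags, [(type, flags, rights, account)]).
    Only the two-letter right codes used by the template are handled, not hex masks."""
    flags = sddl[2:].split("(", 1)[0]  # text between 'D:' and the first ACE, e.g. 'P' or 'AR'
    aces = []
    for ace in ACE_RE.findall(sddl):
        ace_type, ace_flags, rights, _obj, _inh, sid = ace.split(";")
        rights = [rights[i:i + 2] for i in range(0, len(rights), 2)]
        aces.append((ace_type, ace_flags, rights, ACCOUNTS.get(sid, sid)))
    return flags, aces

def parse_template(text):
    """One dict per entry in the [Registry Keys] and [File Security] sections."""
    entries, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            section = line.strip("[]")
            continue
        m = ENTRY_RE.match(line)
        if m and section in ("Registry Keys", "File Security"):
            flags, aces = parse_sddl(m["sddl"])
            entries.append({"section": section, "path": m["path"], "mode": MODES[m["mode"]],
                            "dacl_flags": flags, "aces": aces})
    return entries

def non_trusted_writers(entries, trusted=TRUSTED):
    """(path, account, rights) for every allow ACE granting write rights outside `trusted`."""
    return [(e["path"], acct, rights) for e in entries
            for ace_type, _f, rights, acct in e["aces"]
            if ace_type == "A" and acct not in trusted and WRITE_RIGHTS & set(rights)]
```

Run over the full INF text from the thread, the same function surfaces the Terminal Server Users (S-1-5-13) entries under CurrentVersion and the NETWORK SERVICE entry on the wmsvc log folder, which are the grants a reviewer would want to confirm are intended.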
  • Thanks for taking the time to respond.  I did open the template and saw that it locks down services, etc.  I'm really just interested in the OrcaTemplate.inf - what would be in it, whether it's being applied, and whether the template is complete if it's not actually being applied.
    Monday, June 13, 2011 10:45 PM
  • The XML provided above IS the OrcaTemplate.inf - this configures ACLs on registry keys and files; these are not normally included with SCW.
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Wednesday, June 15, 2011 1:20 AM