Okay.. BIGGER Test

TEST TEST #3

49K File size
Convert time: 03 Seconds 996 milliseconds
Commands: 281
Functions: 161
Macros: 16



; Date the original script was downloaded: 05/10/2001
; Registry Security Script (Kix32)
; Allows an administrator to set 46 security-related Registry edits for NT defined in 3
; increasingly-secure (and modifiable) levels. Includes the ability to prompt the user for
; each edit or wholly automate the entire process. Also includes debug functions
;
;
; ************************************************************************************
;
;                                  REGSEC.KIX
;                           Registry Security Script
;                               rpuckett@snl.com
;                                Version 1.0.3
;                              February 3, 2000
;
; ************************************************************************************
;
; This script is designed to provide Administrators with a mechanism for importing
; (currently) 46 individual Security-related Registry edits to systems on a network.
; The script employs 3 levels of security (DEFCON 1-3) that define a tailorable
; set of edits based on the level.  I have segmented the edits as I would use them,
; but they can be moved into different DEFCON settings (and these can be expanded)
; to suit your needs by changing the $LEVEL value for each defined edit.  You may
; also wish to provide a prompt to the User, providing them with a messagebox that
; defines the edit type which they can then accept or decline.  This is set using the
; $QUERYUSR variable.  If set to "1", a messagebox is displayed for each edit.  This
; can also be expanded upon as the value can be placed in (and reset for) specific
; edits, while others can remain automated (with a setting of "0").  All of these
; variables can also be mixed and matched based on the use of the INGROUP function,
; allowing you to tailor the installation method(s) even further.
;
; Ex. IF INGROUP ("SYSTEMS") = 1
;          $QUERYUSR = "1"
;          $DEFCON = 2    
;          blah, blah, blah...    
;      ENDIF
;
; Finally, you can simply output the types of edits associated with each DEFCON level
; by setting the $DEBUG variable to "1" ("0" actually runs the edits for each level).
;
; As this script employs looping through each edit, it is easily updated as new
; security edits become available.  Simply add a new label (:SECREGxx - with the 'xx'
; representing the next available number after 46) and replace the $NEXT variable of
; the preceding label with the name of the new label.   Finally, be sure to add a
; $NEXT variable to the last new :SECREGxx label with a value of "END".  Make sure to
; set the $LEVEL value of each edit to identify its DEFCON level.
;
; NOTE: The $SPECIAL variable, when set to "1", defines an additional action for the
; edit it is assigned to in the GOSUB 'ADDFUNCT'.  This can be used to run functions
; or options to preclude an edit.  If you employ the $SPECIAL value in future edits,
; be sure to add the additional functions to the ADDFUNCT GOSUB routine by referencing
; the $REGVALUE as an added CASE value.  All files referenced in special functions are
; copied from the $GETFILES value (currently @LSERVER\NETLOGON), but this can be
; changed to whatever location you desire.
;
; WARNING (and DISCLAIMER):
; Nothing replaces common sense, especially when it comes to the Registry and
; Security.  The documentation added to each edit (along with the associated MSKB
; Article/Whitepaper Information) should help you to understand the basic function of
; the edit as well as to provide you with another location for more information.  
; Avoid potentially serious consequences by reading everything available on a
; particular edit if it is unfamiliar to you.  Do not use edits that are untested
; in your environment as they may have unforeseeable (and undesirable) outcomes.
;
; ************************************************************************************

; SCRIPT VARIABLES

; OPTIONAL SETTINGS - 0 or 1
;    0 - Automatic Addition of Values
;    1 - Display Messagebox Query for each Setting
$QUERYUSR = "1"

; OPTIONAL SETTINGS - 0 or 1
;    0 - Run DEFCON Level Defined Registry Changes
;    1 - Display DEFCON Level Registry Information Only (No Changes Made)
$DEBUG = "1"

; OPTIONAL SETTINGS - 1, 2, 3
;    1 - DEFCON 1 / Basic Security (Good for most environments)
;    2 - DEFCON 2 / Enhanced Security (Disables connectivity to LM/9x Clients)
;    3 - DEFCON 3 / Advanced Security (Near C2 Settings)
$DEFCON = "3"

; LOG LOCATION & NAME (Root of C:\ *not* recommended)
$LOGNAME = "C:\@WKSTA.TXT"

; SERVER TO BE NOTIFIED OF ERRORS
$NOTIFYSVR = "NOTIFY_SERVER_HERE"

; SPECIAL VARIABLE SETTING FOR REGISTRY CHANGES  
; REQUIRING ADDITIONAL OPERATIONS
$SPECIAL = "0"

; LOCATION FROM WHICH $SPECIAL FUNCTION FILES ARE COPIED (like PASSFILT.DLL, etc.)
$GETFILES = "@LSERVER\NETLOGON"

; OPERATING SYSTEM TYPES
; IF THE SYSTEM IS NOT NT WORKSTATION 4.0, THEN EXIT THE SCRIPT...
SELECT
   ; WINDOWS 95
   CASE((@INWIN = 2) AND (@DOS = 4.0))
       EXIT
   ; WINDOWS 98
   CASE((@INWIN = 2) AND (@DOS >= 4.10))
       EXIT
   ; WINDOWS 2000
   CASE((@INWIN = 1) AND (@DOS = 5.0))  
       EXIT
   ; WINDOWS NT 4.0
   CASE((@INWIN = 1) AND (@DOS = 4.0))
       
       ; CHECK THE NT INSTALLATION TYPE...
       $NTREG = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions"
       $NTTYPE = READVALUE($NTREG, "ProductType")
       
       IF @ERROR = 0
           SELECT
               CASE $NTTYPE = "WinNT"
                   $OS = "Windows NT Workstation 4.0"
                   GOTO START
               CASE $NTTYPE = "ServerNT"
                   $OS = "Windows NT Server 4.0 (Stand-Alone)"
                   GOTO START    
               CASE $NTTYPE = "LanmanNT"
                   $OS = "Windows NT Server 4.0 (Domain Controller)"
                   GOTO START
               CASE 1
                   $ERRCODE = SENDMESSAGE($NOTIFYSVR,
                   "An unknown version of Windows NT [" + $NTTYPE + "] was detected on @WKSTA at @TIME on @DATE")
                   EXIT
           ENDSELECT    
       ENDIF
       
       IF @ERROR <> 0    
           $ERRCODE = SENDMESSAGE($NOTIFYSVR,
           "Unable to read the 'ProductType' value from the Registry on @WKSTA at @TIME on @DATE")
           EXIT            
       ENDIF
   
   CASE 1
       $ERRCODE = SENDMESSAGE($NOTIFYSVR,
       "Unable to determine the OS type installed on @WKSTA at @TIME on @DATE")
       EXIT

ENDSELECT

:START    
; **OPTIONAL FUNCTION - PRIVILEGE CHECKING
; REMOVE IF UNNEEDED IN YOUR ENVIRONMENT
;$ACCESS = @PRIV
;SELECT
;    CASE $ACCESS = "GUEST"
;        ? "GUEST"
;        ? "You must possess Administrative privileges to perform these security updates"
;        SLEEP 4
;        EXIT
;    CASE $ACCESS = "USER"
;        ? "USER"
;        ? "You must possess Administrative privileges to perform these security updates"
;        SLEEP 4
;        EXIT
;    CASE $ACCESS = "ADMIN"
;        ? "ADMIN"
;        ? "The required Administrative privileges are held, continuing..."
;        ? " "
;    CASE 1
;        ? "OTHER"
;        ? "You must possess Administrative privileges to perform these security updates"
;        SLEEP 4
;        EXIT
;ENDSELECT

; CHECK THE INSTALLED SERVICE PACK VERSION...
$SPREG = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
$SPVER = READVALUE($SPREG, "CSDVersion")
   
IF @ERROR = 0    
   ? "This system is running - " + $OS
   ? "Service Pack Version - " + $SPVER    
ENDIF

IF @ERROR <> 0
   $ERRCODE = SENDMESSAGE($NOTIFYSVR,
   "Unable to read the 'CSDVersion' value from the Registry on @WKSTA at @TIME on @DATE")
ENDIF

; DISPLAY SELECTED DEFCON LEVEL
? "DEFCON Level " + $DEFCON + " Selected"

; SETUP SECURITY LOG
IF OPEN(1, $LOGNAME, 5) = 0
   $X = WRITELINE (1, Chr(13) + Chr(10) + "Security Log for @WKSTA" + Chr(13) + Chr(10) + "Time - @TIME / Date - @DATE"  
                   + Chr(13) + Chr(10)  + "System is running - " + $OS + Chr(13) + Chr(10) + "Service Pack Version - "
                   + $SPVER+ Chr(13) + Chr(10) + "Selected Security Level is DEFCON - " + $DEFCON
                   + Chr(13) + Chr(10) + Chr(13) + Chr(10))
ELSE
   $ERRCODE = SENDMESSAGE($NOTIFYSVR,
   "Unable to write to the Security Log on @WKSTA at @TIME on @DATE")            
ENDIF
IF CLOSE(1) = 0 ENDIF

; DEBUG MODE - Display DEBUG Header
IF $DEBUG = "1"
   ? "In Debug Mode, No changes will be made..."
   ? "DEFCON LEVEL " + $DEFCON + " REGISTRY CHANGES:"
   ? " "
ENDIF
GOTO SECREG1

; SECURITY REGISTRY EDITS

; The edits below are stepped through by passing the values of each desired
; change into the CHECKSEC routine and using the $NEXT variable to send
; control on to the next desired change.
; NOTE: Registry edits that set the $SPECIAL variable use the
; ADDFUNCT GOSUB routine to perform the additional operations they
; require.

:SECREG1
$DSCRIPTN = "Enable Auditing of Base Objects"
; Enable auditing of objects not in the File System or Registry.
; Useful in debugging or high-level security environments.  The
; Audit Policy option "File and Object Access" must be enabled.
; WARNING - leads to high volume of event records recorded in the
; event log.
$LEVEL = "3"
$REGKEY = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
$REGVALUE = "AuditBaseObjects"
$REGTYPE = "REG_DWORD"
$GOOD = "1"
$BAD = "0"
$SPECIAL = "0"
$NEXT = "SECREG2"
GOTO CHECKSEC

:SECREG2
$DSCRIPTN = "Shutdown System with Full Event Log"
; Shut the system when the Security Event Log is full.  Ensure that
; the Event Log is configured large enough to allow for long periods
; between shutdowns.
; See MSKB Article Q140058 for an explanation of the function
; See MSKB Articles Q232564, Q149393 & Q178208 for additional configuration
; issues and potential problems with this edit's use.
$LEVEL = "3"
$REGKEY = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
$REGVALUE = "CrashOnAuditFail"
$REGTYPE = "REG_DWORD"
$GOOD = "1"
$BAD = "0"
$SPECIAL = "0"
$NEXT = "SECREG3"
GOTO CHECKSEC

:SECREG3
$DSCRIPTN = "Restrict Anonymous Users from Enumerating Shared Resources"
; Restrict non-authenticated accounts (anonymous or NULL connections) from
; enumerating Local/Domain user names or network shares (as well as obtaining
; the local system's password policy).  This should be used in conjunction with the
; securing of the NullSessionShares & NullSessionPipes values under
; HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters.  Also, see SECREG30,
; "Restrict All Null Session Access".  See MSKB Article Q143474 for further details.
$LEVEL = "1"
$REGKEY = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
$REGVALUE = "RestrictAnonymous"
$REGTYPE = "REG_DWORD"
$GOOD = "1"
$BAD = "0"
$SPECIAL = "0"
$NEXT = "SECREG4"
GOTO CHECKSEC

:SECREG4
$DSCRIPTN = "Enable Full Privilege Auditing"
; This enables the auditing of those privileges that are not normally
; in the NT audit schema; they are:
; 1. Bypass Traverse Checking (SeChangeNotifyPrivilege)
; 2. Debug Programs (SeDebugPrivilege)
; 3. Create a Token Object (SeCreateTokenPrivilege)
; 4. Replace a Process-Level Token (SeAssignPrimaryTokenPrivilege)
; 5. Generate Security Audits (SeAuditPrivilege)
; 6. Backup Files & Directories (SeBackupPrivilege)
; 7. Restore Files & Directories (SeRestorePrivilege)
; NOTE: Enabling this edit will lead to huge Security event logs (and slow
; server performance) as every backup and restore operation will be FULLY logged.
; See the Microsoft Security Whitepaper located on their \Security website for
; further information
$LEVEL = "2"
$REGKEY = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
$REGVALUE = "FullPrivilegeAuditing"
$REGTYPE = "REG_BINARY"
$GOOD = "1"
$BAD = "0"
$SPECIAL = "0"
$NEXT = "SECREG5"
GOTO CHECKSEC

:SECREG5
; Restricts the installation of Printer Drivers to the members of the local
; Administrators group only.  See the Microsoft Security Whitepaper located
; on their \Security website for further information
$DSCRIPTN = "Restrict Print Driver Installation"
$LEVEL = "1"
$REGKEY = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers"
$REGVALUE = "AddPrintDrivers"
$REGTYPE = "REG_DWORD"
$GOOD = "1"
$BAD = "0"
$SPECIAL = "1"
$NEXT = "SECREG6"
GOTO CHECKSEC

:SECREG6
$DSCRIPTN = "Disable CD-ROM Auto-Run"
; This disables the automatic playing of CD-ROMs when they are inserted into
; the CD-ROM drive.  Really a nuisance more than a security risk, but there exists
; the potential for *someone* to create a CD that automatically runs (via
; AUTORUN.INF) a segment or series of code that can insert a trojan, destroy data,
; etc.  This is the same setting exposed by TWEAKUI.
$LEVEL = "2"
$REGKEY = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom"
$REGVALUE = "Autorun"
$REGTYPE = "REG_DWORD"
$GOOD = "0"
$BAD = "1"
$SPECIAL = "0"
$NEXT = "SECREG7"
GOTO CHECKSEC

:SECREG7
$DSCRIPTN = "Disable Caching of Logon Credentials"
; This edit disables the caching of credentials used to establish connections to
; remote systems.  These credentials allow for seamless reconnection to resources
; during an active logon session should that session be broken for any reason.
; The danger is when a user stays logged onto a system and then walks away, leaving
; the cached credentials available to the next user because they failed to log off.
; See MSKB Article Q172931 for further details.
$LEVEL = "2"
$REGKEY = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
$REGVALUE = "CachedLogonsCount"
$REGTYPE = "REG_SZ"
$GOOD = "0"
$BAD = "1"
$SPECIAL = "0"
$NEXT = "SECREG8"
GOTO CHECKSEC

:SECREG8
$DSCRIPTN = "Restrict Allocation of CD-ROMs"
; This, along with SECREG9, restricts access to the CD and Floppy drives by remote
; users so that they can only be used by an interactively logged-on user.
; See MSKB Article Q172520
$LEVEL = "1"
$REGKEY = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
$REGVALUE = "AllocateCDRoms"
$REGTYPE = "REG_SZ"
$GOOD = "1"
$BAD = "0"
$SPECIAL = "0"
$NEXT = "SECREG9"
GOTO CHECKSEC

:SECREG9
$DSCRIPTN = "Restrict Allocation of Floppy Drives"
; This, along with SECREG8, restricts access to the CD and Floppy drives by remote
; users so that they can only be used by an interactively logged-on user.
; See MSKB Article Q172520
$LEVEL = "1"
$REGKEY = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
$REGVALUE = "AllocateFloppies"
$REGTYPE = "REG_SZ"
$GOOD = "1"
$BAD = "0"
$SPECIAL = "0"
$NEXT = "SECREG10"
GOTO CHECKSEC

:SECREG10
$DSCRIPTN = "Disable Shutdown Button at Logon"
; This edit removes the Shutdown button from NT's logon screen.  This denies an
; unauthenticated user the ability to shut a system down (though the power switch, reset
; button and power cable will also need to be secured to make this option effective).  
; See MSKB Articles Q114817 & Q143164 for further details
$LEVEL = "2"
$REGKEY = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
$REGVALUE = "ShutdownWithoutLogon"
$REGTYPE = "REG_SZ"
$GOOD = "1"
$BAD = "0"
$SPECIAL = "0"
$NEXT = "SECREG11"
GOTO CHECKSEC

:SECREG11
$DSCRIPTN = "Disable Display of the Last Logged-on User"
; Security through obscurity.  This edit ensures that the last logged-on username does
; not appear in the logon dialog box so that it might be used to attempt to gain
; unauthorized access to a system.  See MSKB Article Q114463 for further details
$LEVEL = "2"
$REGKEY = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
$REGVALUE = "DontDisplayLastUserName"
$REGTYPE = "REG_SZ"
$GOOD = "1"
$BAD = "0"
$SPECIAL = "0"
$NEXT = "SECREG12"
GOTO CHECKSEC

:SECREG12
$DSCRIPTN = "Disable Caching of Roaming Profiles"
; This edit deletes a cached Roaming Profile once the user logs off of the system.  This  
; can be useful if you have an administrative profile that may contain sensitive data in
; the NTUSER.DAT file and you wish to secure it from prying eyes.  The downside is that the
; profile will have to be reloaded from the server each time you logon, making it a long
; logon process if the profile is rather large.  See MSKB Article Q173870 for further details
$LEVEL = "1"
$REGKEY = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
$REGVALUE = "DeleteRoamingCache"
$REGTYPE = "REG_DWORD"
$GOOD = "1"
$BAD = "0"
$SPECIAL = "0"
$NEXT = "SECREG13"
GOTO CHECKSEC

:SECREG13
$DSCRIPTN = "Disable Administrative Shares"
; This edit removes the default Administrative shares (C$, D$) on a workstation running
; the Server service.  It can be replaced by a more stringent security policy and obscure
; hidden share names (appended with the $ at the end of the share name).  See MSKB Articles
; Q156365 & Q185590 for further details.
$LEVEL = "2"
$REGKEY = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
$REGVALUE = "AutoShareWks"
$REGTYPE = "REG_DWORD"
$GOOD = "0"
$BAD = "1"
$SPECIAL = "0"
$NEXT = "SECREG14"
GOTO CHECKSEC

:SECREG14
$DSCRIPTN = "Secure Base System Objects"
; This enables a greater degree of protection on such objects as known System DLLs.  It
; is recommended if you have interactive users who are *not* local Administrators who may
; be attempting to gain greater access to a system (such as with kiosk machines).  See MSKB
; Article Q218473 for further details.
$LEVEL = "3"
$REGKEY = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager"
$REGVALUE = "ProtectionMode"
$REGTYPE = "REG_DWORD"
$GOOD = "1"
$BAD = "0"
$SPECIAL = "0"
$NEXT = "SECREG15"
GOTO CHECKSEC

:SECREG15
$DSCRIPTN = "Clear the Pagefile at Shutdown"
; This edit clears the System Pagefile(s) at shutdown to ensure that potentially sensitive data
; is not written to it at shutdown (as some third-party products may do).  See MSKB Article Q182086
; for more information.
$LEVEL = "3"
$REGKEY = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management"
$REGVALUE = "ClearPageFileAtShutdown"
$REGTYPE = "REG_DWORD"
$GOOD = "1"
$BAD = "0"
$SPECIAL = "0"
$NEXT = "SECREG16"
GOTO CHECKSEC

:SECREG16
$DSCRIPTN = "Restrict Guest Access to the Application Event Log"
; This edit, along with SECREG17 & 18, removes the ability for members of Guests to view
; or manipulate the Event Log settings on the local station.
$LEVEL = "1"
$REGKEY = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application"
$REGVALUE = "RestrictGuestAccess"
$REGTYPE = "REG_DWORD"
$GOOD = "1"
$BAD = "0"
$SPECIAL = "0"
$NEXT = "SECREG17"
GOTO CHECKSEC

:SECREG17
$DSCRIPTN = "Restrict Guest Access to the Security Event Log"
; This edit, along with SECREG16 & 18, removes the ability for members of Guests to view
; or manipulate the Event Log settings on the local station.
$LEVEL = "1"
$REGKEY = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security"
$REGVALUE = "RestrictGuestAccess"
$REGTYPE = "REG_DWORD"
$GOOD = "1"
$BAD = "0"
$SPECIAL = "0"
$NEXT = "SECREG18"
GOTO CHECKSEC

:SECREG18
$DSCRIPTN = "Restrict Guest Access to the System Event Log"
; This edit, along with SECREG16 & 17, removes the ability for members of Guests to view
; or manipulate the Event Log settings on the local station.
$LEVEL = "1"
$REGKEY = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System"
$REGVALUE = "RestrictGuestAccess"
$REGTYPE = "REG_DWORD"
$GOOD = "1"
$BAD = "0"
$SPECIAL = "0"
$NEXT = "SECREG19"
GOTO CHECKSEC

:SECREG19
$DSCRIPTN = "Disable Source Routing of IP Packets"
; This key, while available since SP3, was apparently not doing its job.  The new hotfix
; IPSRFIXI.EXE resolves the vulnerability regarding the undesired routing of IP Source packets
; or for using non-routing systems to "bounce" packets off of (in order to make the traffic
; appear to be coming from that system).  See MSKB Articles Q240382 & Q217336 for further details.
$LEVEL = "1"
$REGKEY = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
$REGVALUE = "DisableIPSourceRouting"
$REGTYPE = "REG_DWORD"
$GOOD = "1"
$BAD = "0"
$SPECIAL = "0"
$NEXT = "SECREG20"
GOTO CHECKSEC

:SECREG20
$DSCRIPTN = "Sign Secure Session Channel Traffic"
; This edit enables the signing of SSC traffic between members of a Domain to ensure that
; the sender/receiver of session authentication traffic (such as the $MACHINE.ACC & password) is
; verified.  See MSKB Article Q183859 for further details.
$LEVEL = "3"
$REGKEY = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"
$REGVALUE = "SignSecureChannel"
$REGTYPE = "REG_DWORD"
$GOOD = "1"
$BAD = "0"
$SPECIAL = "0"
$NEXT = "SECREG21"
GOTO CHECKSEC

:SECREG21
$DSCRIPTN = "Seal Secure Session Channel Traffic"
; This edit enables the encryption of SSC traffic, so that the machine name is encrypted and the
; password is doubly-encrypted, as well as all additional SSC-related traffic.  See MSKB Article
; Q183859 for further details.
$LEVEL = "3"
$REGKEY = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"
$REGVALUE = "SealSecureChannel"
$REGTYPE = "REG_DWORD"
$GOOD = "1"
$BAD = "0"
$SPECIAL = "0"
$NEXT = "SECREG22"
GOTO CHECKSEC

:SECREG22
$DSCRIPTN = "Require Sign/Seal of Secure Session Channel Traffic"
; This setting ensures that all SSC traffic is either signed or sealed.  If enabled, all DCs
; MUST also have this value set.  See MSKB Article Q183859 for further details.
$LEVEL = "3"
$REGKEY = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"
$REGVALUE = "RequireSignOrSeal"
$REGTYPE = "REG_DWORD"
$GOOD = "1"
$BAD = "0"
$SPECIAL = "0"
$NEXT = "SECREG23"
GOTO CHECKSEC

:SECREG23
$DSCRIPTN = "Enable Forced Logoffs"
; By default, this value is set to 1 but is normally not visible under this subkey unless
; someone has run NET CONFIG SERVER /HIDDEN:YES|NO, in which case all of the values
; normally controlled dynamically by the operating system are written as static entries
; under this key.  This key ensures that the server can force connections off of
; the system.
$LEVEL = "2"
$REGKEY = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
$REGVALUE = "EnableForcedLogOff"
$REGTYPE = "REG_DWORD"
$GOOD = "1"
$BAD = "0"
$SPECIAL = "0"
$NEXT = "SECREG24"
GOTO CHECKSEC

:SECREG24
$DSCRIPTN = "Disable Clear Text Passwords"
; See SP3 Documentation on this Registry edit.  Some environments that support UNIX
; interoperability may require that authentication be allowed to be sent in the clear.  
; This change ensures that if a system (such as a mobile/laptop NT user) has been in
; an environment such as this, the setting is checked (and disabled).
$LEVEL = "1"
$REGKEY = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rdr\Parameters"
$REGVALUE = "EnablePlainTextPassword"
$REGTYPE = "REG_DWORD"
$GOOD = "0"
$BAD = "1"
$SPECIAL = "0"
$NEXT = "SECREG25"
GOTO CHECKSEC

:SECREG25
$DSCRIPTN = "Disable 8.3 Name Generation for Win16/DOS"
; Not only a security issue but a performance enhancer as well, this edit disables
; the creation of short filenames/paths for use with DOS/Win16 applications.  
; See MSKB Articles Q121007 & Q210638 for further details.
$LEVEL = "3"
$REGKEY = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem"
$REGVALUE = "NtfsDisable8dot3NameCreation"
$REGTYPE = "REG_DWORD"
$GOOD = "1"
$BAD = "0"
$SPECIAL = "0"
$NEXT = "SECREG26"
GOTO CHECKSEC

:SECREG26
$DSCRIPTN = "Disable Caching of Encrypted Web Pages to Disk"
; Configurable through the Properties/ Advanced page of Internet Explorer, the value is
; actually listed as 'Do not save encrypted pages to disk'.  This can be set under
; HKEY_USERS\.DEFAULT\.. to ensure that the value is added for all new users as well.
$LEVEL = "1"
$REGKEY = "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
$REGVALUE = "DisableCachingOfSSLPages"
$REGTYPE = "REG_DWORD"
$GOOD = "1"
$BAD = "0"
$SPECIAL = "0"
$NEXT = "SECREG27"
GOTO CHECKSEC

:SECREG27
$DSCRIPTN = "Enable SMB Packet Signing on NT Workstations"
; This edit enables the signing of all CIFS/SMB traffic from the workstation verifying
; the originating address.  This edit can produce significant overhead (greater than the
; 10-15% specified in the MSKB Article).  See MSKB Article Q161372 for further details.
$LEVEL = "3"
$REGKEY = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rdr\Parameters"
$REGVALUE = "EnableSecuritySignature"
$REGTYPE = "REG_DWORD"
$GOOD = "1"
$BAD = "0"
$SPECIAL = "0"
$NEXT = "SECREG28"
GOTO CHECKSEC

:SECREG28
$DSCRIPTN = "Require SMB Packet Signing on NT Workstations"
; This edit enables the requirement of all CIFS/SMB traffic from the workstation to be signed.  
; This edit can produce significant overhead (greater than the 10-15% specified in the
; MSKB Article).  See MSKB Article Q161372 for further details.
$LEVEL = "3"
$REGKEY = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rdr\Parameters"
$REGVALUE = "RequireSecuritySignature"
$REGTYPE = "REG_DWORD"
$GOOD = "1"
$BAD = "0"
$SPECIAL = "0"
$NEXT = "SECREG29"
GOTO CHECKSEC

:SECREG29
; If you are absolutely certain that you have clients that are NOT using DCOM,
; use this edit.  Read the COM Security whitepaper or MSKB Article Q158508 for
; further details.
$DSCRIPTN = "Disable DCOM"
$LEVEL = "3"
$REGKEY = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole"
$REGVALUE = "EnableDCOM"
$REGTYPE = "REG_SZ"
$GOOD = "N"
$BAD = "Y"
$SPECIAL = "0"
$NEXT = "SECREG30"
GOTO CHECKSEC

:SECREG30
$DSCRIPTN = "Restrict All Null Session Access"
; This edit purportedly removes a Null session's ability to perform operations normally
; available to Null Sessions.  It may cause problems with applications running as services that
; attempt to access UNC paths, or with some COM apps.  See MSKB Article Q158508 for further details.
; NOTE: The edit is incorrectly referenced in the article as "RestrictNullSessionAccess".
$LEVEL = "2"
$REGKEY = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
$REGVALUE = "RestrictNullSessAccess"
$REGTYPE = "REG_DWORD"
$GOOD = "1"
$BAD = "0"
$SPECIAL = "0"
$NEXT = "SECREG31"
GOTO CHECKSEC

:SECREG31
$DSCRIPTN = "Enable PASSFILT/Complex Passwords"
; This edit sets up complex password requirements for the local station.  
; 1. Passwords must be at least 6 characters long.
; 2. Passwords must contain characters from at least 3 of the following 4 classes:
;
;        Class                         Examples
;        -----                         --------
;        English Upper Case Letters    A, B, C, ... Z
;        English Lower Case Letters    a, b, c, ... z
;        Westernized Arabic Numerals   0, 1, 2, ... 9
;        Non-alphanumeric characters   .,;:*&%!
;    
; 3. Passwords may not contain your user name or any part of your full name.
; This edit contains a GOSUB routine ($SPECIAL = "1") that runs the copy of
; PASSFILT.DLL from the NETLOGON directory of the authenticating server to
; the %SystemRoot%\System32 subdirectory of the local station.  This edit should
; be used in conjunction with the NT Resource Kit tool PASSPROP.EXE on all NT Servers.
; See the SP3 documentation for more information on PASSFILT.DLL
$LEVEL = "2"
$REGKEY = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
$REGVALUE = "Notification Packages"
$REGTYPE = "REG_MULTI_SZ"
; For those users of Netware, otherwise Nuke FPNWCLNT.
;$GOOD = "FPNWCLNT|PASSFILT|"
$GOOD = "PASSFILT|"
$BAD = "FPNWCLNT"
$SPECIAL = "1"
$NEXT = "SECREG32"
GOTO CHECKSEC
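
; As an added example (not part of the script or its author's code), the PASSFILT rules listed in
; the SECREG31 comment are written out below as a checker, so the policy can be tried against
; candidate passwords before the DLL is rolled out.  The function names, the way "any part of
; your full name" is tokenised, and the sample passwords are assumptions of the example.

```python
"""PASSFILT.DLL password rules as documented in the SECREG31 comment (added example)."""
import re
import string

# The four PASSFILT character classes; anything outside the first three counts as non-alphanumeric.
ALNUM_CLASSES = (string.ascii_uppercase, string.ascii_lowercase, string.digits)

def class_count(password: str) -> int:
    """How many of the four character classes the password draws from."""
    seen = set()
    for ch in password:
        seen.add(next((i for i, cls in enumerate(ALNUM_CLASSES) if ch in cls), 3))
    return len(seen)

def passfilt_reasons(password: str, username: str, full_name: str = "") -> list:
    """Return the PASSFILT rules the password breaks; an empty list means it would be accepted.
    Rule 3 is applied case-insensitively.  Assumption (not stated on the page): "any part of
    your full name" means the parts obtained by splitting on whitespace, commas and periods."""
    reasons = []
    if len(password) < 6:                                   # rule 1
        reasons.append("shorter than 6 characters")
    if class_count(password) < 3:                           # rule 2
        reasons.append("fewer than 3 of the 4 character classes")
    low = password.lower()
    if username and username.lower() in low:                # rule 3, user name
        reasons.append("contains the user name")
    for part in re.split(r"[\s,.]+", full_name):            # rule 3, parts of the full name
        if part and part.lower() in low:
            reasons.append("contains part of the full name (%s)" % part)
    return reasons

def passfilt_accepts(password: str, username: str, full_name: str = "") -> bool:
    """True when PASSFILT, as described above, would accept the password."""
    return not passfilt_reasons(password, username, full_name)

if __name__ == "__main__":
    # Constructed sample account and candidate passwords.
    for pw in ("abc123", "Ab1!", "jSmith#99", "Tr0ub4dor&3"):
        print(pw, "->", passfilt_reasons(pw, "jsmith", "John Smith") or ["accepted"])
```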

:SECREG32
$DSCRIPTN = "Disable LM Authentication"
; This edit has several options that you can configure for your environment as you see
; fit.  For the full functionality of this edit to be used, several conditions must be met.
; You must have SP4 or greater installed and for settings above 3, these values must
; exist on all DCs as well.  As there are many configuration options involved here, you
; must be very careful when applying this value.  The default established here is 2, disabling
; all LM activity (95 clients).  
;
;   Value: LMCompatibilityLevel  
;   Valid Range: 0-5   Default: 0
;   Description: This parameter specifies the type of authentication to be used.
;   Level 0 - Send LM response and NTLM response; never use NTLMv2 session security
;   Level 1 - Use NTLMv2 session security if negotiated
;   Level 2 - Send NTLM authentication only
;   Level 3 - Send NTLMv2 authentication only
;   Level 4 - DC refuses LM authentication
;   Level 5 - DC refuses LM and NTLM authentication (accepts only NTLMv2)
;
; WARNING: Read *ALL* of MSKB Article Q147706 before using this edit!
$LEVEL = "3"
$REGKEY = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
$REGVALUE = "LMCompatibilityLevel"
$REGTYPE = "REG_DWORD"
$GOOD = "2"
$BAD = "0"
$SPECIAL = "0"
$NEXT = "SECREG33"
GOTO CHECKSEC

:SECREG33
$DSCRIPTN = "Disable the OS/2 & Posix Subsystems"
; This edit removes both the OS/2 & Posix subsystem entries as well as the individual values
; for each (as denoted by the GOSUB $SPECIAL = "1" value) and the files OS2SS.EXE and PSXSS.EXE.
; These two subsystems leave a potentially exploitable hole in a Workstation's security.
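
; The CHECKSEC routine that every :SECREGxx label jumps to is not part of this excerpt.  As an
; added example (not the script's own code), the Python below reimplements the mechanism the
; header and the labels describe against an in-memory registry snapshot: a table of edits with
; the $LEVEL/$GOOD/$BAD/$SPECIAL fields, the DEFCON filter (assumed here to be cumulative), the
; $DEBUG report-only mode, and the $QUERYUSR prompt as a callback.  The EDITS subset is
; transcribed from the labels above; the snapshot, the Snapshot alias and the function names
; are constructed for the example.

```python
"""Data-driven Registry hardening check modelled on REGSEC.KIX (added example)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Edit:
    """One :SECREGxx block: the fields each label assigns before GOTO CHECKSEC."""
    name: str              # $DSCRIPTN
    level: int             # $LEVEL   (DEFCON level the edit belongs to)
    key: str               # $REGKEY
    value: str             # $REGVALUE
    reg_type: str          # $REGTYPE
    good: str              # $GOOD    (the hardened data)
    bad: str               # $BAD     (the weak data the edit is meant to replace)
    special: bool = False  # $SPECIAL (extra ADDFUNCT steps, e.g. copying PASSFILT.DLL)

LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"

# A subset of the script's 46 edits, transcribed from the :SECREGxx labels on the page.
EDITS: List[Edit] = [
    Edit("Restrict Anonymous Users from Enumerating Shared Resources", 1,
         LSA, "RestrictAnonymous", "REG_DWORD", "1", "0"),
    Edit("Restrict Print Driver Installation", 1,
         r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers"
         r"\LanMan Print Services\Servers", "AddPrintDrivers", "REG_DWORD", "1", "0", True),
    Edit("Disable CD-ROM Auto-Run", 2,
         r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom", "Autorun",
         "REG_DWORD", "0", "1"),
    Edit("Enable PASSFILT/Complex Passwords", 2,
         LSA, "Notification Packages", "REG_MULTI_SZ", "PASSFILT|", "FPNWCLNT", True),
    Edit("Disable DCOM", 3,
         r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole", "EnableDCOM", "REG_SZ", "N", "Y"),
]

# Stands in for READVALUE: {(key, value): data}; KiX returns strings and joins REG_MULTI_SZ with "|".
Snapshot = Dict[Tuple[str, str], str]

def normalize(reg_type: str, data: str):
    """Make $GOOD/$BAD comparable with what READVALUE returns."""
    if reg_type == "REG_MULTI_SZ":
        return frozenset(p for p in data.split("|") if p)  # order and trailing "|" are irrelevant
    if reg_type == "REG_DWORD":
        return int(data, 16) if data.lower().startswith("0x") else int(data)
    return data.strip().upper()  # REG_SZ flags such as "Y"/"N"

def check_edit(edit: Edit, snapshot: Snapshot) -> str:
    """OK = already $GOOD; BAD = the known weak $BAD; MISSING = no value (what the script sees as
    @ERROR <> 0 after READVALUE); OTHER = unexpected data that should not be overwritten blindly."""
    current = snapshot.get((edit.key, edit.value))
    if current is None:
        return "MISSING"
    cur = normalize(edit.reg_type, current)
    if cur == normalize(edit.reg_type, edit.good):
        return "OK"
    if cur == normalize(edit.reg_type, edit.bad):
        return "BAD"
    return "OTHER"

def run_level(snapshot: Snapshot, defcon: int, debug: bool = True,
              query: Optional[Callable[[Edit], bool]] = None) -> List[Tuple[str, str, str]]:
    """Walk the edit chain as REGSEC walks its :SECREGxx labels; returns (name, status, action) rows.
    Assumes DEFCON levels are cumulative (DEFCON 3 also applies the level 1 and 2 edits).
    debug=True mirrors $DEBUG = "1" (report only); otherwise a non-compliant value is set to
    $GOOD unless the optional query callback (the $QUERYUSR prompt) declines."""
    report = []
    for edit in EDITS:
        if edit.level > defcon:
            continue
        status, action = check_edit(edit, snapshot), "NONE"
        if status != "OK" and not debug:
            if query is None or query(edit):
                snapshot[(edit.key, edit.value)] = edit.good
                action = "SET+ADDFUNCT" if edit.special else "SET"
            else:
                action = "DECLINED"
        report.append((edit.name, status, action))
    return report

def sample_snapshot() -> Snapshot:
    """Constructed workstation state: one edit applied, one weak, one unexpected, the rest absent."""
    return {
        (LSA, "RestrictAnonymous"): "1",
        (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom", "Autorun"): "1",
        (LSA, "Notification Packages"): "FPNWCLNT|SOMETHING_ELSE",
    }

if __name__ == "__main__":
    for row in run_level(sample_snapshot(), defcon=3, debug=True):  # the $DEBUG = "1" listing
        print("%-60s %-8s %s" % row)
```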