How to add custom registry settings to Security Configuration Editor (214752)
The information in this article applies to:
- Microsoft Windows Server 2003, Datacenter Edition
- Microsoft Windows Server 2003, Enterprise Edition
- Microsoft Windows Server 2003, Standard Edition
- Microsoft Windows XP Professional
- Microsoft Windows XP 64-Bit Edition
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Datacenter Server
This article was previously published under Q214752.

Important: This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows registry

SUMMARY

The Security Configuration Manager (SCM) set of tools allows security administrators to define security templates that can be applied to individual machines, or to any number of machines via Group Policy. Security templates can contain password policies, lockout policies, Kerberos policies, audit policies, event log settings, registry values, service startup modes, service permissions, user rights, group membership restrictions, registry permissions, and file system permissions.

This article describes how to extend the set of registry values supported by the Security Configuration Manager set of tools.

MORE INFORMATION

Warning: Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

The security-relevant registry values configurable by SCM appear under Local Policies\Security Options when you use SCM tools such as the Security Templates snap-in, the Security Configuration and Analysis snap-in, or the Security Settings extension to Group Policy. You may want to extend the default list of registry values to include additional values that are security-relevant in your environment.

Customizing the list of registry values exposed by SCM is accomplished by modifying, and then registering, the information in the Sceregvl.inf file located in the %windir%\inf folder. The Sceregvl.inf file should be modified on the machines where you use the SCM user interfaces (UIs) to create templates, define policies, perform analyses, and so on. The Sceregvl.inf file does not have to be modified or registered on every machine where the security template is applied, because it affects only the SCM UIs.

Once the Sceregvl.inf file has been modified and registered, your custom registry values are exposed in the SCM UIs on that machine. You can then create security templates or policies that define your new registry values. These templates or policies can then be applied to any machine, regardless of whether Sceregvl.inf has been modified on the target machine.

The following example illustrates how the NoLMHash registry value is exposed as "Network security: Do not store LAN Manager hash value on next password change" on the Windows XP version of SCM:
[Register Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash,4,%NoLMHash%,0
[Strings]
NoLMHash = "Network security: Do not store LAN Manager hash value on next password change"
The syntax for the entries in the [Register Registry Values] section is as follows:
RegistryPath,RegistryType,DisplayName,DisplayType,Options

The following table provides an explanation for each of the parameters listed above:

RegistryPath
  Defines the full path of the registry key and value that you want to expose in the UI. Only values that exist in the HKEY_LOCAL_MACHINE hive can be configured; this hive is referenced by the keyword MACHINE.

RegistryType
  A number that defines the type of the registry value, as follows:
  1 - REG_SZ
  2 - REG_EXPAND_SZ
  3 - REG_BINARY
  4 - REG_DWORD
  7 - REG_MULTI_SZ

DisplayName
  The string that ultimately appears in the Security Options section of the SCM UIs. This is usually a replaceable parameter that refers to an entry in the [Strings] section of the Sceregvl.inf file, which makes localization easier.

DisplayType
  Specifies the type of dialog the SCM UI should render in order to allow the user to define the setting for the registry value. Supported DisplayTypes include:
  0 - Boolean: Causes the UI to render two radio buttons to "Enable" or "Disable" the registry value. If "Enabled" is selected, the registry value is set to 1. If "Disabled" is selected, the registry value is set to 0.
  1 - Numeric: Causes the UI to render a numeric spin control that allows the user to type in or select a numeric value in the range 0 to 99999. Numeric display types can specify "unit" strings such as "minutes", "seconds", and so on, that appear next to the spin control in the UI. These "unit" strings are defined in the Options field described below. The registry value is set to the number entered by the user.
  2 - String: Causes the UI to render a text box. The registry value is set to the string entered by the user.
  3 - List: Causes the UI to render a list box from which the user can select one of several options. The registry value is set to the numeric value associated with the option chosen by the user. The options presented to the user are defined in the Options field described below.
  4 - Multivalued (available on Windows XP only): Causes the UI to render a multi-line edit control that allows the user to enter multiple lines of text. This display type should be used to define values for MULTI_SZ types. The registry value is set to the strings entered by the user, where each line is separated by a NULL byte.
  5 - Bitmask (available on Windows XP only): Causes the UI to render a series of checkboxes, where each checkbox corresponds to a numeric value defined in the Options field described below. The registry value is set to the bitwise OR of the selected values.

Options
  Qualifies different DisplayTypes as follows:
  If DisplayType=1 (Numeric), the Options field may contain a string that defines the units for the numeric value. The unit string is displayed next to the spin control in the UI. The unit string has no impact on the value set in the registry.
  If DisplayType=3 (List), the Options field defines the list options that are available to the user. Each option consists of a numeric value, followed by the "pipe" character '|', followed by the text for the choice. The registry value is set to the numeric value associated with the choice made by the user. See the LMCompatibilityLevel entry in Sceregvl.inf for an example of a registry value that allows the user to select from one of five possible values.
  If DisplayType=5 (Bitmask), the Options field defines the choices that are available to the user. Each choice consists of a numeric value, followed by the "pipe" character '|', followed by the text for the choice. The registry value is set to the bitwise OR of the choices selected by the user. See the NTLMMinClientSec entry in Sceregvl.inf for an example of a registry value that allows the user to combine several choices into one numeric registry setting.

NOTE: After you have modified the Sceregvl.inf file to include your custom registry settings, the changes need to be registered by running the following command:

Subsequent launches of the SCM UIs expose your custom registry values. Security templates or policies that contain settings for your new registry values can be applied to any machine, regardless of whether or not the target machine has received these UI modifications.

Important: The entry is stored in the local Secedit.sdb file. If you want to remove the new entry that you made, you must re-create the Secedit.sdb file. To do so:
- Rename the Secedit.sdb file to "Secedit.old".
- Run the secedit /refreshpolicy machine_policy /enforce command to recreate the local database from the local settings.
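As an added example (not code from the article or from Microsoft), the following Python parses a constructed Sceregvl.inf fragment using the five-field entry syntax described above, rejects entries outside the MACHINE hive or with unknown RegistryType/DisplayType numbers, and computes the registry value the SCM dialog would write for a Boolean, List or Bitmask selection. The NoLMHash line is the one from the article; the MACHINE\Software\Example\... entries and their strings are hypothetical.

```python
from functools import reduce
from operator import or_
# Constructed Sceregvl.inf fragment: the NoLMHash line is the article's; the Example\ entries are hypothetical.
SAMPLE_INF = r"""[Register Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash,4,%NoLMHash%,0
MACHINE\Software\Example\Level,4,%Level%,3,0|Low,1|Medium,2|High
MACHINE\Software\Example\Flags,4,%Flags%,5,16|Integrity,32|Confidentiality
[Strings]
NoLMHash = "Network security: Do not store LAN Manager hash value on next password change"
Level = "Example: Protection level"
Flags = "Example: Required session protection"
"""
REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}
DISPLAY_TYPES = {0: "Boolean", 1: "Numeric", 2: "String", 3: "List", 4: "Multivalued", 5: "Bitmask"}

def parse_sceregvl(text):
    """Map each registry path to its parsed entry; %Name% display names are resolved via [Strings]."""
    sections, current = {}, None
    for line in filter(None, (raw.strip() for raw in text.splitlines())):
        if line[0] == "[":
            current = line.strip("[]").lower()
        elif line[0] != ";":                      # ';' starts a comment in .inf files
            sections.setdefault(current, []).append(line)
    strings = dict((k.strip(), v.strip().strip('"')) for k, _, v in
                   (raw.partition("=") for raw in sections.get("strings", [])))
    entries = {}
    for line in sections.get("register registry values", []):
        parts = line.split(",", 4)                # the Options field may itself contain commas
        if len(parts) < 4 or not parts[0].upper().startswith("MACHINE\\"):
            raise ValueError("malformed entry or non-MACHINE hive: " + line)
        path, reg_type, display, display_type = parts[0], int(parts[1]), parts[2], int(parts[3])
        if reg_type not in REG_TYPES or display_type not in DISPLAY_TYPES:
            raise ValueError("unknown RegistryType or DisplayType: " + line)
        options = parts[4] if len(parts) == 5 else ""       # unit string (Numeric) or value|text choices
        choices = {int(v): t for v, t in (c.split("|", 1) for c in options.split(","))
                   } if display_type in (3, 5) else {}
        entries[path] = {"type": REG_TYPES[reg_type], "display_type": DISPLAY_TYPES[display_type],
                         "display_name": strings.get(display.strip("%"), display), "choices": choices}
    return entries

def registry_value(entry, selection):
    """Value the SCM UI writes for the user's choice in a Boolean, List or Bitmask dialog."""
    kind = entry["display_type"]
    if kind == "Boolean":                         # "Enabled" radio button = 1, "Disabled" = 0
        return int(bool(selection))
    picked = set(selection) if kind == "Bitmask" else {selection}   # Bitmask: the checked boxes
    if kind not in ("List", "Bitmask") or not picked <= set(entry["choices"]):
        raise ValueError("selection %r is not among the defined choices" % sorted(picked))
    return reduce(or_, picked, 0)                 # List: the single value; Bitmask: bitwise OR
```

The Options field is split off last because List and Bitmask choices are themselves comma-separated, so splitting an entry on every comma would miscount its fields.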
Modification Type: Minor
Last Reviewed: 1/23/2006
Keywords: kbenv kbinfo KB214752