I'm using chinese windows xp sp3, and want to modify the SCE to display MSS settings by using local policy tool.
When i launch the following command
LocalGPO.wsf /configSCE
in the command prompt, it retruns error. I thought it might be someting wrong in function UpdateSCEwithMSSValues
But if i reset sce first, then i can config sec to display mss settings
LocalGPO.wsf /resetSCE
LocalGPO.wsf /configSCE
Another issue is that after reseting sce, the local policy of group policys under computer settings changed to english
The following is the content of sceregvl.inf
; (c) Microsoft Corporation 1997-2000 ; ; Security Configuration Template for Security Configuration Editor ; ; Template Name: SCERegVl.INF ; Template Version: 05.00.DR.0000 ; ; Revision History ; 0000 - Original [version] signature="$CHICAGO$" DriverVer=07/01/2001,5.1.2600.5512 [Register Registry Values] ; ; Syntax: RegPath,RegType,DisplayName,DisplayType,Options ; where ; RegPath: Includes the registry keypath and value ; RegType: 1 - REG_SZ, 2 - REG_EXPAND_SZ, 3 - REG_BINARY, 4 - REG_DWORD, 7 - REG_MULTI_SZ ; Display Name: Is a localizable string defined in the [strings] section ; Display type: 0 - boolean, 1 - Number, 2 - String, 3 - Choices, 4 - Multivalued, 5 - Bitmask ; Options: If Displaytype is 3 (Choices) or 5 (Bitmask), then specify the range of values and corresponding display strings ; in value|displaystring format separated by a comma. MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects,4,%AuditBaseObjects%,0 MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail,4,%CrashOnAuditFail%,0 MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds,4,%DisableDomainCreds%,0 MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous,4,%EveryoneIncludesAnonymous%,0 MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest,4,%ForceGuest%,3,0|%Classic%,1|%GuestBased% MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing,3,%FullPrivilegeAuditing%,0 MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse,4,%LimitBlankPasswordUse%,0 MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel,4,%LmCompatibilityLevel%,3,0|%LMCLevel0%,1|%LMCLevel1%,2|%LMCLevel2%,3|%LMCLevel3%,4|%LMCLevel4%,5|%LMCLevel5% MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec,4,%NTLMMinClientSec%,5,16|%NTLMIntegrity%,32|%NTLMConfidentiality%,524288|%NTLMv2Session%,536870912|%NTLM128% MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec,4,%NTLMMinServerSec%,5,16|%NTLMIntegrity%,32|%NTLMConfidentiality%,524288|%NTLMv2Session%,536870912|%NTLM128% MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash,4,%NoLMHash%,0 MACHINE\System\CurrentControlSet\Control\Lsa\NoDefaultAdminOwner,4,%NoDefaultAdminOwner%,3,0|%DefaultOwner0%,1|%DefaultOwner1% MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous,4,%RestrictAnonymous%,0 MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM,4,%RestrictAnonymousSAM%,0 MACHINE\System\CurrentControlSet\Control\Lsa\SubmitControl,4,%SubmitControl%,0 MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy,4,%FIPS%,0 MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers,4,%AddPrintDrivers%,0 MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine,7,%AllowedPaths%,4 MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive,4,%ObCaseInsensitive%,0 MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown,4,%ClearPageFileAtShutdown%,0 MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode,4,%ProtectionMode%,0 MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature,4,%EnableSMBSignServer%,0 MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature,4,%RequireSMBSignServer%,0 MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogOff,4,%EnableForcedLogoff%,0 MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect,4,%AutoDisconnect%,1,%Unit-Minutes% MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes,7,%NullPipes%,4 MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares,7,%NullShares%,4 MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature,4,%EnableSMBSignRDR%,0 MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature,4,%RequireSMBSignRDR%,0 MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword,4,%EnablePlainTextPassword%,0 MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity,4,%LDAPClientIntegrity%,3,0|%LDAPClient0%,1|%LDAPClient1%,2|%LDAPClient2% MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange,4,%DisablePWChange%,0 MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge,4,%MaximumPWAge%,1,%Unit-Days% MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RefusePasswordChange,4,%RefusePWChange%,0 MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel,4,%SignSecureChannel%,0 MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel,4,%SealSecureChannel%,0 MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal,4,%SignOrSeal%,0 MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey,4,%StrongKey%,0 MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity,4,%LDAPServerIntegrity%,3,1|%LDAPServer1%,2|%LDAPServer2% MACHINE\Software\Microsoft\Driver Signing\Policy,3,%DriverSigning%,3,0|%DriverSigning0%,1|%DriverSigning1%,2|%DriverSigning2% MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD,4,%DisableCAD%,0 MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName,4,%DontDisplayLastUserName%,0 MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLockedUserId,4,%DontDisplayLockedUserId%,3,1|%LockedUserID0%,2|%LockedUserID1%,3|%LockedUserID2% MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption,1,%LegalNoticeCaption%,2 MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText,7,%LegalNoticeText%,4 MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ScForceOption,4,%ScForceOption%,0 MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon,4,%ShutdownWithoutLogon%,0 MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UndockWithoutLogon,4,%UndockWithoutLogon%,0 MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel,4,%RCAdmin%,0 MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand,4,%RCSet%,0 MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms,1,%AllocateCDRoms%,0 MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD,1,%AllocateDASD%,3,0|%AllocateDASD0%,1|%AllocateDASD1%,2|%AllocateDASD2% MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies,1,%AllocateFloppies%,0 MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount,1,%CachedLogonsCount%,1,%Unit-Logons% MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon,4,%ForceUnlockLogon%,0 MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning,4,%PasswordExpiryWarning%,1,%Unit-Days% MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption,1,%ScRemove%,3,0|%ScRemove0%,1|%ScRemove1%,2|%ScRemove2% MACHINE\SOFTWARE\policies\Microsoft\windows NT\DCOM\MachineLaunchRestriction,1,%DCOMLaunchRestriction%,2 MACHINE\SOFTWARE\policies\Microsoft\windows NT\DCOM\MachineAccessRestriction,1,%DCOMAccessRestriction%,2 ; delete these values from the UI - Rdr in case NT4 w SCE MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DisableCAD MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ShutdownWithoutLogon MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CmdConsSecurityLevel MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\AddPrintDrivers MACHINE\System\CurrentControlSet\Services\MRxSMB\Parameters\EnableSecuritySignature MACHINE\System\CurrentControlSet\Services\MRxSMB\Parameters\RequireSecuritySignature MACHINE\System\CurrentControlSet\Services\MRxSMB\Parameters\EnablePlainTextPassword MACHINE\System\CurrentControlSet\Services\Rdr\Parameters\EnableSecuritySignature MACHINE\System\CurrentControlSet\Services\Rdr\Parameters\RequireSecuritySignature MACHINE\System\CurrentControlSet\Services\Rdr\Parameters\EnablePlainTextPassword MACHINE\Software\Microsoft\Windows\CurrentVersion\NetCache\EncryptEntireCache MACHINE\Software\Microsoft\Windows NT\CurrentVersion\EFS\AlgorithmID MACHINE\Software\Microsoft\Non-Driver Signing\Policy [Strings] ;================================ Accounts ============================================================================ ;Specified in UI code - Accounts: Administrator account status ;Specified in UI code - Accounts: Guest account status ;Specified in UI code - Accounts: Rename administrator account ;Specified in UI code - Accounts: Rename guest account LimitBlankPasswordUse = "帐户: 使用空白密码的本地帐户只允许进行控制台登录" ;================================ Audit =============================================================================== AuditBaseObjects="审计: 对全局系统对象的访问进行审计" FullPrivilegeAuditing="审计: 对备份和还原权限的使用进行审计" CrashOnAuditFail="审计: 如果无法纪录安全审计则立即关闭系统" ;================================ Devices ============================================================================= AllocateDASD="设备: 允许格式化和弹出可移动媒体" AllocateDASD0="Administrators" AllocateDASD1="Administrators 和 Power Users" AllocateDASD2="Administrators 和 Interactive Users" AddPrintDrivers="设备: 防止用户安装打印机驱动程序" AllocateCDRoms="设备: 只有本地登录的用户才能访问 CD-ROM" AllocateFloppies="设备: 只有本地登录的用户才能访问软盘" DriverSigning="设备: 未签名驱动程序的安装操作" DriverSigning0="默认继续 " DriverSigning1="允许安装但发出警告" DriverSigning2="禁止安装" UndockWithoutLogon="设备: 允许不登录脱离" ;================================ Domain controller ==================================================================== SubmitControl="域控制器: 允许服务器操作员计划任务" RefusePWChange="域控制器: 拒绝更改机器帐户密码" LDAPServerIntegrity = "域控制器: LDAP 服务器签名要求" LDAPServer1 = "无" LDAPServer2 = "要求签名" ;================================ Domain member ======================================================================== DisablePWChange="域控制器: 禁用更改机器帐户密码" MaximumPWAge="域控制器: 最长机器帐户密码寿命" SignOrSeal="域成员: 对安全通道数据进行数字加密或签名 (总是)" SealSecureChannel="域成员: 对安全通道数据进行数字加密 (如果可能)" SignSecureChannel="域成员: 对安全通道数据进行数字签名 (如果可能)" StrongKey="域成员: 需要强 (Windows 2000 或以上版本) 会话密钥" ;================================ Interactive logon ==================================================================== DisableCAD = "交互式登录: 不需要按 CTRL+ALT+DEL" DontDisplayLastUserName = "交互式登录: 不显示上次的用户名" DontDisplayLockedUserId = "交互式登录: 会话锁定时显示用户信息" LockedUserId0 = "用户显示名称、域和用户名" LockedUserId1 = "用户只显示名称" LockedUserId2 = "不显示用户信息" LegalNoticeText = "交互式登录: 用户试图登录时消息文字" LegalNoticeCaption = "交互式登录: 用户试图登录时消息标题" CachedLogonsCount = "交互式登录: 可被缓冲保存的前次登录个数 (在域控制器不可用的情况下)" PasswordExpiryWarning = "交互式登录: 在密码到期前提示用户更改密码" ForceUnlockLogon = "交互式登录: 要求域控制器身份验证以脱离工作站" ScForceOption = "交互式登录: 要求智能卡" ScRemove = "交互式登录: 智能卡移除操作" ScRemove0 = "无操作" ScRemove1 = "锁定工作站" ScRemove2 = "强制注销" ;================================ Microsoft network client ============================================================= RequireSMBSignRdr="Microsoft 网络客户: 数字签字的通信(总是)" EnableSMBSignRdr="Microsoft 网络客户: 数字签字的通信(若服务器同意)" EnablePlainTextPassword="Microsoft 网络客户: 发送未加密的密码到第三方 SMB 服务器。" ;================================ Microsoft network server ============================================================= AutoDisconnect="Microsoft 网络服务器: 在挂起会话之前所需的空闲时间" RequireSMBSignServer="Microsoft 网络服务器: 数字签字的通信(总是)" EnableSMBSignServer="Microsoft 网络服务器: 数字签字的通信(若客户同意)" EnableForcedLogoff="Microsoft 网络服务器: 当登录时间用完时自动注销用户" ;================================ Network access ======================================================================= ;Specified in UI code - Network access: Allow anonymous SID/Name translation DisableDomainCreds = "网络访问: 不允许为网络身份验证储存凭据或 .NET Passports" RestrictAnonymousSAM = "网络访问: 不允许 SAM 帐户的匿名枚举" RestrictAnonymous = "网络访问: 不允许 SAM 帐户和共享的匿名枚举" EveryoneIncludesAnonymous = "网络访问: 让“每个人”权限应用于匿名用户" NullPipes = "网络访问: 可匿名访问的命名管道" NullShares = "网络访问: 可匿名访问的共享" AllowedPaths = "网络访问: 可远程访问的注册表路径" ForceGuest = "网络访问: 本地帐户的共享和安全模式" Classic = "经典 - 本地用户以自己的身份验证" GuestBased = "仅来宾 - 本地用户以来宾身份验证" ;================================ Network security ===================================================================== ;Specified in UI code - Network security: Enforce logon hour restrictions NoLMHash = "网络安全: 不要在下次更改密码时存储 LAN Manager 的 Hash 值" LmCompatibilityLevel = "网络安全: LAN Manager 身份验证级别" LMCLevel0 = "发送 LM & NTLM 响应" LMCLevel1 = "发送 LM & NTLM - 如果已协商,使用 NTLMv2 会话安全" LMCLevel2 = "仅发送 NTLM 响应" LMCLevel3 = "仅发送 NTLMv2 响应" LMCLevel4 = "仅发送 NTLMv2 响应\拒绝 LM" LMCLevel5 = "仅发送 NTLMv2 响应\拒绝 LM & NTLM" NTLMMinClientSec = "网络安全设置: 基于 NTLM SSP(包括安全 RPC)客户的最小会话安全" NTLMMinServerSec = "网络安全设置: 基于 NTLM SSP(包括安全 RPC)服务器的最小会话安全" NTLMIntegrity = "要求消息的完整性" NTLMConfidentiality = "要求消息的保密性" NTLMv2Session = "要求 NTLMv2 会话安全" NTLM128 = "要求 128-位 加密" LDAPClientIntegrity = "网络安全: LDAP 客户签名要求" LDAPClient0 = "无" LDAPClient1 = "协商签名" LDAPClient2 = "要求签名" ;================================ Recovery console ==================================================================== RCAdmin="故障恢复控制台: 允许自动系统管理级登录" RCSet="故障恢复控制台: 允许对所有驱动器和文件夹进行软盘复制和访问" ;================================ Shutdown ============================================================================ ShutdownWithoutLogon="关机: 允许在未登录前关机" ClearPageFileAtShutdown="关机: 清理虚拟内存页面文件" ProtectionMode = "系统对象: 增强内部系统对象的默认权限 (例如 Symbolic Links)" NoDefaultAdminOwner = "系统对象: 由 Administrators 组成员所创建的对象默认所有者" DefaultOwner0 = "Administrators group" DefaultOwner1 = "Object creator" ObCaseInsensitive = "系统对象: 对非 Windows 子系统不要求区分大小写" ;================================ System cryptography ================================================================= FIPS="系统加密: 使用 FIPS 兼容的算法来加密,散列和签名" Unit-Logons="次登录" Unit-Days="天" Unit-Minutes="分钟" ;================================ DCOM Machine Restrictions =========================================================== DCOMLaunchRestriction="DCOM: 安全描述符定义语言(SDDL)语法中的计算机启动限制" DCOMAccessRestriction="DCOM: 安全描述符定义语言(SDDL)语法中的计算机访问限制"