The SCM (Security Configuration Manager) tool set allows you to define security templates that can be applied to computers via Group Policy.
The security-relevant registry values that SCM can configure appear under Local Policies / Security Options in the snap-in. To extend the list of registry entries, edit %SystemRoot%\inf\Sceregvl.inf on the computer on which you run the SCM UI.
NOTE: Only the computer you run the UI on needs to have the Sceregvl.inf file modified.
Here is an example of how you can expose the NoLMHash registry value as "Network security: Do not store LAN Manager hash value on next password change" in the Windows XP version of SCM:
NoLMHash = "Network security: Do not store LAN Manager hash value on next password change"
The syntax of an entry in the [Register Registry Values] section is:
RegistryType is a number that defines the type of the registry value:
2 - REG_EXPAND_SZ
3 - REG_BINARY
4 - REG_DWORD
7 - REG_MULTI_SZ
DisplayType specifies the kind of dialog the SCM UI renders so that the user can define the setting for the registry value. Supported DisplayTypes include:
0 - Boolean: Causes the UI to render two radio buttons, "Enabled" and "Disabled". If "Enabled" is selected, the registry value is set to 1. If "Disabled" is selected, the registry value is set to 0.
1 - Numeric: Causes the UI to render a numeric spin control that allows the user to type in or select a numeric value in the range 0 to 99999. Numeric display types can specify "unit" strings such as "minutes", "seconds", etc. that appear next to the spin control in the UI. These "unit" strings are defined in the Options field. The registry value is set to the number entered by the user.
2 - String: Causes the UI to render a text box. The registry value is set to the string entered by the user.
3 - List: Causes the UI to render a list box from which the user can select one of several options. The registry value is set to the numeric value associated with the option chosen by the user. The options presented to the user are defined in the Options field described below.
4 - Multivalued (available on Windows XP only): Causes the UI to render a multi-line edit control that allows the user to enter multiple lines of text. This display type should be used to define values of MULTI_SZ type. The registry value is set to the strings entered by the user, with each line separated by a NULL byte.
5 - Bitmask (available on Windows XP only): Causes the UI to render a series of checkboxes where each checkbox corresponds to a numeric value defined in the Options field. The registry value is set to the bitwise OR of the selected values.
Options qualifies different DisplayTypes:
If DisplayType is 1 (Numeric), the options field may contain a string that defines the units for the numeric value. The unit string is displayed next to the spin control in the UI. The unit string has no impact on the value set in the registry.
If DisplayType is 3 (List), the Options field defines the list options that are available to the user. Each option consists of a numeric value, followed by the pipe character | and the text for the choice. The registry value is set to the numeric value associated with the choice made by the user. See the LMCompatibilityLevel entry in Sceregvl.inf for an example that allows the user to select one of five possible values.
If DisplayType is 5 (Bitmask), the Options field defines the choices that are available to the user. Each choice consists of a numeric value, followed by the pipe character | and the text for the choice. The registry value is set to the bitwise OR of the choices selected by the user. See the NTLMMinClientSec entry in Sceregvl.inf for an example that allows the user to combine several choices into one numeric registry setting.
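As an added check that is not part of the original page, the following Python validator applies the RegistryType and DisplayType tables above to entries of the [Register Registry Values] section, so that a malformed line is caught before scecli.dll is re-registered. It assumes the comma-separated field order RegistryPath,RegistryType,DisplayName,DisplayType,Options (the syntax line is not reproduced on this page) and that each List/Bitmask choice is written as value|text; the sample fragment is constructed, and the LSA registry path used for NoLMHash is the well-known one rather than a path given on this page.

```python
import re

REG_TYPES = {2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}  # from the page
DISPLAY_TYPES = {0: "Boolean", 1: "Numeric", 2: "String", 3: "List", 4: "Multivalued", 5: "Bitmask"}
# Inferred from the page: Boolean/Numeric/List/Bitmask store a number (REG_DWORD), Multivalued is for MULTI_SZ.
EXPECTED_REG_TYPE = {0: 4, 1: 4, 3: 4, 5: 4, 4: 7}
OPTION_RE = re.compile(r"\d+\|[^|]+")  # one List/Bitmask choice: value|text

# Constructed sample fragment (assumed field order); the Names and Bad lines are deliberately wrong.
SAMPLE_INF = """\
[Register Registry Values]
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\NoLMHash,4,%NoLMHash%,0
MACHINE\\Software\\Example\\Level,4,%Level%,3,0|Off,1|Audit only,2|Enforce
MACHINE\\Software\\Example\\Flags,4,%Flags%,5,16|Require integrity,32|Require confidentiality
MACHINE\\Software\\Example\\Names,4,%Names%,4
MACHINE\\Software\\Example\\Bad,9,%Bad%,3,Off|0
[Strings]
NoLMHash = "Network security: Do not store LAN Manager hash value on next password change"
"""

def parse_entries(inf_text):
    """Return the [Register Registry Values] entries as dicts (assumed field order)."""
    entries, in_section = [], False
    for line in (raw.strip() for raw in inf_text.splitlines()):
        if line.startswith("["):
            in_section = line.lower() == "[register registry values]"
        elif in_section and line and not line.startswith(";"):
            fields = [f.strip() for f in line.split(",", 4)] + [""] * 5  # pad short entries
            path, reg_type, name, disp_type, options = fields[:5]
            entries.append({"path": path, "reg_type": reg_type, "name": name,
                            "disp_type": disp_type, "options": options})
    return entries

def validate_entry(entry):
    """Return the problems found in one entry; an empty list means it is well-formed."""
    rt = int(entry["reg_type"]) if entry["reg_type"].isdigit() else None
    dt = int(entry["disp_type"]) if entry["disp_type"].isdigit() else None
    problems = []
    if rt not in REG_TYPES:
        problems.append(f"unknown RegistryType {entry['reg_type']!r}")
    if dt not in DISPLAY_TYPES:
        return problems + [f"unknown DisplayType {entry['disp_type']!r}"]
    if rt in REG_TYPES and dt in EXPECTED_REG_TYPE and rt != EXPECTED_REG_TYPE[dt]:
        problems.append(f"{DISPLAY_TYPES[dt]} UI writes {REG_TYPES[EXPECTED_REG_TYPE[dt]]}, not {REG_TYPES[rt]}")
    if dt in (3, 5):  # List and Bitmask need value|text choices in Options
        choices = [c.strip() for c in entry["options"].split(",") if c.strip()]
        problems += [f"malformed option {c!r}" for c in choices if not OPTION_RE.fullmatch(c)]
        if not choices:
            problems.append(f"{DISPLAY_TYPES[dt]} needs at least one value|text option")
    return problems
```

Run it over a real Sceregvl.inf by passing the file's text to parse_entries and calling validate_entry on each result; a non-empty list points at the entry to correct before re-registering.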
NOTE: Each time you finish modifying the Sceregvl.inf file, the changes need to be registered by running regsvr32 /s scecli.dll so that the next launch of the SCM UI exposes your settings.
NOTE: The registry entries that you define are stored in the local Secedit.sdb file. To remove an entry that you made, you must re-create the Secedit.sdb file:
1. Rename the Secedit.sdb file to Secedit.old.
2. Run the following command:
secedit /refreshpolicy machine_policy /enforce