NT Gatekeeper: Use SCTS to Control Application-Specific Registry Settings

I'm using the Windows NT 4.0 Security Configuration Tool Set (SCTS) to audit and configure the security settings of my company's NT workstations. I've also deployed some inhouse applications whose security settings I control through registry values. How can I use SCTS to audit and configure these application-specific registry settings?

To check which registry settings you can use SCTS to control, open the Microsoft Management Console (MMC) Security Configuration Manager snap-in. In the Configurations folder, open the \%systemroot%\winnt\security\templates folder. Double-click a security template (e.g., the basicwk4 template). As Figure 1, page 12, shows, in the template, the \local policies\security options folder contains all the SCTS-controllable registry settings.

The options in this folder are in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\SeCEdit\RegValues registry subkey. To audit and configure additional application-specific registry settings, you must add them to this registry subkey, as the Microsoft article "How to Add Custom Registry Settings to Security Configuration Editor" (http://support.microsoft.com/support/kb/articles/q214/7/52.asp) explains. (Be sure to back up the registry before you make changes to it, and use caution when making your changes.)

To further explain, let me show you an example. Let's say you want to use SCTS to control the following application-specific registry setting:

1. The registry value's name is workstation level.
2. The value's data type is REG_DWORD.
3. The value is in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CompanySettings\AppVersion registry subkey.
4. The value can have one of the following string values: User-Workstation, Group-Administrator, or Super-Administrator.

To set up this application-specific registry setting, perform these tasks on your SCTS administration machine, as Figure 2 shows:

1. Create a new registry subkey in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit\RegValues. Name the new subkey MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\CompanySettings\AppVersion. (Notice that you replace the root name HKEY_LOCAL_MACHINE with MACHINE.)
2. Add these values to the subkey:

• DisplayChoices (REG_MULTI_SZ) containing 0|User-Workstation 1|Group-Administrator 2|Super-Administrator—This string tells the SCTS the entries that the value can have.
• DisplayName (REG_SZ), containing Workstation Level—This text will be displayed in the SCTS \local policies\security options folder.
• DisplayType (REG_DWORD), containing value 3—This value tells the SCTS to display the entries with an option-button interface.
• ValueType (REG_DWORD), containing value 4—This value tells the SCTS that the data type is REG_DWORD.

Figure 3 shows the resulting SCTS dialog box, which is in every security template that the SCTS administration machine hosts. The three Workstation Level choices appear as Always (value 0), As Request (value 1), and Not Compatible (value 2). To set the User-Workstation workstation level, choose Always. To set the Group-Administrator workstation level, choose As Request. To set the Super-Administrator workstation level, choose Not Compatible. The fact that the values don't show up as you initially set them in the registry is a known bug for this version of SCTS. Microsoft has resolved the problem in Windows 2000.