Get/set local security settings programmatically

JH

Apr 3, 2008, 2:46:18 PM
I asked a question about getting and setting Public Key Policies in Local
Security Settings console.
Along the same line, we are also trying to get and set the other entries. We
have found Windows APIs
to access some settings. For some other settings we are having a hard time
finding the right APIs.

We have tried WMI with some of the settings but WMI support seems to be
spotty and does
not reliably work on all versions of Windows, or is not available on earlier
versions.

So we'd like to get some help regarding retrieving and modifying the values
for the settings below.
There might be a few more - we are still looking.

Thanks!
JH


Account Policies|Password Policy
Password must meet complexity requirements
Store passwords using reversible encryption

Local Policies|Security Options
Accounts: Administrator account status
Accounts: Guest account status
Accounts: Rename administrator account
Accounts: Rename guest account
Network access: Allow anonymous SID/Name translation
Network access: Do not allow anonymous enumeration of SAM accounts
Network access: Do not allow anonymous enumeration of SAM accounts and shares
Network access: Do not allow storage of credentials or .NET Passports for network authentication
Network access: Remotely accessible registry paths and sub-paths
Network access: Remotely accessible registry paths
Network access: Restrict anonymous access to Named Pipes and Shares
DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax
DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax
Domain controller: LDAP server signing requirements
Domain controller: Refuse machine account password changes
Interactive logon: Prompt user to change password before expiration
Interactive logon: Require Domain Controller authentication to unlock workstation
Interactive logon: Display user information when session is locked
System cryptography: Force strong key protection for user keys stored on the computer
System cryptography: Use FIPS compliant algorithms for encryption, hashing and signing
System settings: Optional subsystems
System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies


Jeffrey Tan[MSFT]

Apr 4, 2008, 9:28:03 AM
Hi,

I do not believe there is a generic programming interface to get/set all
these LSA settings. Anyway, I will give it a deeper research and confirm for
you. Thanks.

Best regards,
Jeffrey Tan
Microsoft Online Community Support
==================================================
Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
msd...@microsoft.com.

This posting is provided "AS IS" with no warranties, and confers no rights.


Jeffrey Tan[MSFT]

Apr 7, 2008, 6:23:57 AM
Hi JH,

Sorry for letting you wait.

The answer I got from the kernel & security team is what I suspected. There is no
single API for policy settings; most are stored in various registry
settings. If you wanted to get & set all these options programmatically,
each one of these will need to be researched separately and they might even
be different between OSs. This "How-to" question is mainly an advisory
issue which requires several support teams to work together. So it goes
beyond the support boundary of the MSDN newsgroup support.

The best option for this issue is the Microsoft Consulting Service. If you
need further assistance on this issue, you can directly contact our CSS for
Advisory Services following the link below:
http://support.microsoft.com/default.aspx?pr=AdvisoryService

Thanks for your understanding.

Best regards,
Jeffrey Tan
Microsoft Online Community Support
=========================================

Jeffrey Tan[MSFT]

Apr 8, 2008, 5:58:55 AM
Although this issue should be best resolved through Microsoft Advisory
Service, I did get some information for you (during discussions with several
security experts internally):

Some of these options are exposed via the NetAPI32 DLL - NetSetUserModals
does some of the password stuff you want. A bunch of the rest of it is set
via registry keys.
The Lsa* set of APIs do tell you some of the things you want to know about
a system, but I don't think they cover most of what's below.

Regarding your issue,
Account Policies--> Password Policy
1) Password must meet complexity requirements
2) Store password using reversible encryption for all
users in the domain

there are no native Win32 APIs for these two local security settings.

On Windows XP or above, there is a new WMI Group Policy interface, the
RSOP_SecuritySettingBoolean WMI class that represents the boolean security
setting for an account policy. Account policies include password policies
and account lockout policies.

The MSDN link
http://msdn2.microsoft.com/en-us/library/aa375062.aspx

documents this WMI Group Policy interface.

For the first two tasks, there is only WMI interface.

For "Security Options", the information is stored in various places such as
registry, SAM etc, depending on which component of Windows is exposing that
security option. We discussed similar customer's requirement with secedit
PG, there is no single API set. For some options, there may not be an API.
As Dave mentioned, it varies from OS to OS.

Regarding security options:

a. "Accounts: Administrator account status"
b. "Accounts: Guest account status"

a) and b) can be set/modified using NetUserGetInfo at level 3 (usri3_flags)

c. "Accounts: Rename administrator account"
d. "Accounts: Rename guest account"

If administrator or guest account is renamed, one can find the information
as explained in the following knowledge base article

Q157234 - HOWTO: Deal with Localized and Renamed User and Group Names
http://support.microsoft.com/support/kb/articles/Q157/2/34.asp

The other Security Options are stored under the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit\Reg Values
as subkeys. The DisplayName registry value under each of the subkeys
corresponds to what gpedit.msc displays in the UI.

The easiest way to work with many of these settings is via secedit.exe.

Hope it helps.
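The three routes the reply above lists (the NetUserModals* and NetUserGetInfo calls in NetAPI32, lookup of the built-in accounts by well-known RID as in Q157234, and the SeCEdit\Reg Values subkeys) can be exercised from one script. What follows is an added example, not code from the thread or from Microsoft: it assumes an elevated Windows PowerShell 5.1+ session on the local machine, declares the NetAPI32 prototypes itself via Add-Type, and marshals only the leading fields of USER_INFO_3 (a partial struct of my own naming, USER_INFO_3_PREFIX) since usri3_flags is the seventh member. It reads the password-policy values NetAPI32 does expose; as the reply says, complexity and reversible-encryption storage are not among them.

```powershell
# Added example: read local security settings without WMI.
# Assumes Windows PowerShell 5.1+ (Get-LocalUser) run as administrator.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
namespace NetApi {
    // Level 0 of NetUserModalsGet: the password policy values NetAPI32 exposes.
    [StructLayout(LayoutKind.Sequential)]
    public struct USER_MODALS_INFO_0 {
        public uint usrmod0_min_passwd_len;
        public uint usrmod0_max_passwd_age;   // seconds; 0xFFFFFFFF = never expires
        public uint usrmod0_min_passwd_age;
        public uint usrmod0_force_logoff;
        public uint usrmod0_password_hist_len;
    }
    // Hypothetical prefix of the real USER_INFO_3: usri3_flags is field 7, so
    // marshalling only these members is enough to read it.
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct USER_INFO_3_PREFIX {
        public string usri3_name; public string usri3_password;
        public uint usri3_password_age; public uint usri3_priv;
        public string usri3_home_dir; public string usri3_comment;
        public uint usri3_flags;
    }
    public static class Native {
        [DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
        public static extern uint NetUserModalsGet(string server, uint level, out IntPtr buf);
        [DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
        public static extern uint NetUserGetInfo(string server, string user, uint level, out IntPtr buf);
        [DllImport("netapi32.dll")]
        public static extern uint NetApiBufferFree(IntPtr buf);
    }
}
'@

function Get-PasswordModals {
    # NetUserModalsGet level 0 on the local machine ($null server name).
    $buf = [IntPtr]::Zero
    $rc = [NetApi.Native]::NetUserModalsGet($null, 0, [ref]$buf)
    if ($rc -ne 0) { throw "NetUserModalsGet failed: $rc" }
    try {
        $m = [System.Runtime.InteropServices.Marshal]::PtrToStructure($buf, [type][NetApi.USER_MODALS_INFO_0])
        [pscustomobject]@{
            MinPasswordLength     = $m.usrmod0_min_passwd_len
            MaxPasswordAgeDays    = if ($m.usrmod0_max_passwd_age -eq [uint32]::MaxValue) { 'never' } else { $m.usrmod0_max_passwd_age / 86400 }
            MinPasswordAgeDays    = $m.usrmod0_min_passwd_age / 86400
            PasswordHistoryLength = $m.usrmod0_password_hist_len
        }
    } finally { [void][NetApi.Native]::NetApiBufferFree($buf) }
}

function Get-WellKnownAccountStatus {
    # Resolve Administrator (RID 500) and Guest (RID 501) by SID, not by name,
    # so renamed or localized accounts are still found (the Q157234 approach),
    # then read usri3_flags via NetUserGetInfo level 3. UF_ACCOUNTDISABLE = 0x0002.
    foreach ($rid in 500, 501) {
        $acct = Get-LocalUser | Where-Object { $_.SID.Value -like "*-$rid" }
        $buf = [IntPtr]::Zero
        $rc = [NetApi.Native]::NetUserGetInfo($null, $acct.Name, 3, [ref]$buf)
        if ($rc -ne 0) { throw "NetUserGetInfo($($acct.Name)) failed: $rc" }
        try {
            $u = [System.Runtime.InteropServices.Marshal]::PtrToStructure($buf, [type][NetApi.USER_INFO_3_PREFIX])
            [pscustomobject]@{
                Rid         = $rid
                CurrentName = $acct.Name                          # "Rename ... account"
                Enabled     = (($u.usri3_flags -band 0x2) -eq 0)  # "... account status"
            }
        } finally { [void][NetApi.Native]::NetApiBufferFree($buf) }
    }
}

function Get-SecEditRegistryOptions {
    # Each subkey under SeCEdit\Reg Values is a registry value path with '/' as
    # separator (e.g. MACHINE/System/CurrentControlSet/Control/Lsa/RestrictAnonymous);
    # DisplayName is the gpedit.msc text. Resolve it and read the live value.
    $root = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit\Reg Values'
    foreach ($sub in Get-ChildItem -Path $root) {
        $parts = $sub.PSChildName -split '/'
        if ($parts[0] -ne 'MACHINE' -or $parts.Length -lt 3) { continue }
        $keyPath   = 'HKLM:\' + ($parts[1..($parts.Length - 2)] -join '\')
        $valueName = $parts[-1]
        $current = $null
        if (Test-Path -Path $keyPath) {
            $current = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
        }
        [pscustomobject]@{
            DisplayName  = $sub.GetValue('DisplayName')
            RegistryPath = "$keyPath\$valueName"
            CurrentValue = $current   # $null: value absent, i.e. policy "Not Defined"
        }
    }
}

Get-PasswordModals
Get-WellKnownAccountStatus | Format-Table -AutoSize
Get-SecEditRegistryOptions | Where-Object DisplayName -like 'Network access:*' | Format-Table -AutoSize
```

Setting rather than reading follows the same pattern with NetUserModalsSet and NetUserSetInfo (the Set counterparts of the calls above) and Set-ItemProperty on the resolved registry path; an absent registry value means the option is "Not Defined", which is not the same as a value of 0.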

JH

Apr 8, 2008, 2:33:01 PM
Thanks Jeffrey. We are aware of (some of) the registry settings and the WMI
interface. WMI doesn't exist on Win2K (although it can be installed) and we
have found that it does not work reliably on the other platforms, hence why
we are seeking APIs. We'll study the links and pointers that you provided in
the reply.


"Jeffrey Tan[MSFT]" <je...@online.microsoft.com> wrote in message
news:Uq81u8Vm...@TK2MSFTNGHUB02.phx.gbl...
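For the two password-policy settings that the earlier reply says have no Win32 API, the non-WMI route it names is secedit.exe: export the local policy to an INF, read [System Access], and apply a minimal template to change a value. The script below is an added example and not from the thread or from Microsoft; it assumes an elevated Windows PowerShell session, constructs its own file paths under $env:TEMP, and uses the INF key names secedit writes (PasswordComplexity, ClearTextPassword, NewAdministratorName, NewGuestName, EnableAdminAccount, EnableGuestAccount, LSAAnonymousNameLookup).

```powershell
# Added example: read and set local security policy through secedit.exe.
# Assumes an elevated Windows PowerShell session; paths are constructed here.

function Export-LocalSecurityPolicy {
    param([string]$Path = (Join-Path $env:TEMP 'secpol-export.inf'))
    # secedit writes a Unicode INF with [System Access], [Registry Values], ...
    $null = & secedit.exe /export /cfg $Path /quiet
    if ($LASTEXITCODE -ne 0) { throw "secedit /export failed with exit code $LASTEXITCODE" }
    $Path
}

function ConvertFrom-SecEditInf {
    param([Parameter(Mandatory)][string]$Path)
    # Minimal INF parser: section name -> ordered table of key -> raw value.
    $sections = @{}
    $current = $null
    foreach ($line in Get-Content -Path $Path) {
        $line = $line.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') { $current = $Matches[1]; $sections[$current] = [ordered]@{}; continue }
        if ($current -and $line -match '^(.+?)\s*=\s*(.*)$') { $sections[$current][$Matches[1]] = $Matches[2] }
    }
    $sections
}

function Get-LocalPolicyFromSecEdit {
    $inf = ConvertFrom-SecEditInf -Path (Export-LocalSecurityPolicy)
    $sa = $inf['System Access']
    [pscustomobject]@{
        PasswordMustMeetComplexity      = ($sa['PasswordComplexity'] -eq '1')
        StorePasswordsReversibleEncrypt = ($sa['ClearTextPassword'] -eq '1')
        AdministratorName               = "$($sa['NewAdministratorName'])".Trim('"')
        GuestName                       = "$($sa['NewGuestName'])".Trim('"')
        AdministratorEnabled            = ($sa['EnableAdminAccount'] -eq '1')
        GuestEnabled                    = ($sa['EnableGuestAccount'] -eq '1')
        AnonymousSidNameTranslation     = ($sa['LSAAnonymousNameLookup'] -eq '1')
        # [Registry Values] entries read "path=type,data", e.g. "...\RestrictAnonymous=4,0"
        RestrictAnonymousRaw            = $inf['Registry Values']['MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous']
    }
}

function Set-PasswordComplexity {
    param([Parameter(Mandatory)][bool]$Enabled)
    # Write a minimal template and apply only the SECURITYPOLICY area;
    # /db is required by secedit /configure even for a throwaway database.
    $inf = Join-Path $env:TEMP 'secpol-set.inf'
    $db  = Join-Path $env:TEMP 'secpol-set.sdb'
    @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[System Access]
PasswordComplexity = $([int]$Enabled)
"@ | Set-Content -Path $inf -Encoding Unicode
    $null = & secedit.exe /configure /db $db /cfg $inf /areas SECURITYPOLICY /quiet
    if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed with exit code $LASTEXITCODE" }
}

Get-LocalPolicyFromSecEdit
# Set-PasswordComplexity -Enabled $true   # then re-run the read to confirm
```

Because secedit works from the same policy store gpedit.msc edits, the exported INF reflects the effective local setting even where the backing registry value has not been written yet, which is the gap a direct registry read leaves open.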

Jeffrey Tan[MSFT]

Apr 9, 2008, 12:13:49 AM
Hi JH,

Yes, I see your concern. However, it seems that we do not have a generic
programming interface for all these across all NT systems, so we do not
have too many options now. Thanks.
