2.2 Message Syntax
Messages exchanged in the Group Policy: Security Protocol Extension correspond to security policy files transferred by using the SMB Protocol. The protocol is driven through the exchange of these messages, as specified in section 3.
All security policy files processed by the Group Policy: Security Protocol Extension MUST be encoded in UTF-16LE with Byte Order Mark (0xFFFE). The .inf file syntax is as follows.
```abnf
InfFile          = UnicodePreamble VersionPreamble Sections
UnicodePreamble  = *("[Unicode]" LineBreak "Unicode=yes" LineBreak)
VersionPreamble  = "[Version]" LineBreak "signature=" DQUOTE "$CHICAGO$" DQUOTE LineBreak "Revision=1" LineBreak
Sections         = Section / Section Sections
Section          = Header Settings
Header           = "[" HeaderValue "]" LineBreak
HeaderValue      = StringWithSpaces
Settings         = Setting / Setting Settings
Setting          = Key Wsp "=" Wsp ValueList LineBreak / Name "," Mode "," AclString LineBreak
Name             = String / QuotedString
Mode             = [0-9]+
AclString        = SDDL / DQUOTE SDDL DQUOTE
ValueList        = Value / Value Wsp "," Wsp ValueList
Key              = String
Value            = String / QuotedString
```
The preceding syntax is given in the Augmented Backus-Naur Form (ABNF) grammar, as specified in [RFC4234] and as augmented by the following rules.
```abnf
LineBreak        = CRLF
String           = *(ALPHANUM / %d47 / %d45 / %d58 / %d59)
StringWithSpaces = String / String Wsp StringWithSpaces
QuotedString     = DQUOTE *(%x20-21 / %x23-7E) DQUOTE
Wsp              = *WSP
ALPHANUM         = ALPHA / DIGIT
```
For more information about .inf files and their uses, see [MSDN-INF].
The protocol further restricts the values that can be assigned to HeaderValue. HeaderValue MUST be assigned one of the values listed in the following table.
| HeaderValue | Purpose |
|---|---|
| System Access | MUST contain settings that pertain to account lockout, password policies, and local security options. |
| Kerberos Policy | MUST contain settings that pertain to the Kerberos policy, as specified in [RFC1510]. |
| System Log | MUST contain settings that pertain to maximum size, retention policy, and so on for the system log. For more details, see section 2.2.3. |
| Security Log | MUST contain settings that pertain to maximum size, retention policy, and so on for the security log. For more details, see section 2.2.3. |
| Application Log | MUST contain settings that pertain to maximum size, retention policy, and so on for the application log. For more details, see section 2.2.3. |
| Event Audit | MUST contain settings that pertain to audit policy. |
| Registry Values | MUST contain registry values to be configured. |
| Privilege Rights | MUST contain a list of privileges to be assigned to specific accounts. |
| Service General Setting | MUST contain configuration settings that pertain to services. |
| Registry Keys | MUST contain a list of registry keys and their corresponding security information to be applied. |
| File Security | MUST contain a list of files, folders, and their corresponding security information to be applied. |
| Group Membership | MUST contain group membership information, for example, which users are part of what group. |
Note: The plug-in that implements the client side of the protocol documented here does not understand the semantics of any of the (name, value) pairs it handles. Its operation is to set those named values in client-side stores indicated by the HeaderValue. When that client-side store is the Registry, the plug-in does not need to know the list of possible names for (name, value) pairs. This implies that new security settings stored in registry keys can be created and populated by GP. For other stores, the plug-in maintains a precompiled list of mappings from setting name to the application programming interface (API) used to apply the setting.
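As an added example, not part of the specification or of any Microsoft implementation, the following Python parser enforces the grammar above when reading a security template: the UTF-16LE byte order mark, the [Version] preamble, the HeaderValue table, and both Setting forms (Key=ValueList and Name,Mode,AclString). It is useful when auditing templates pulled from SYSVOL, since a file that violates the grammar or introduces an unlisted HeaderValue is rejected rather than partially applied. The ALLOWED_HEADERS set mirrors the table in this section and the sample setting names (MinimumPasswordLength, SeDebugPrivilege, and so on) are a constructed input, both assumed here rather than taken from this page's text.

```python
import re

# HeaderValues permitted by the section 2.2 table (assumed complete).
ALLOWED_HEADERS = {
    "System Access", "Kerberos Policy", "System Log", "Security Log",
    "Application Log", "Event Audit", "Registry Values", "Privilege Rights",
    "Service General Setting", "Registry Keys", "File Security", "Group Membership",
}
KV_LINE = re.compile(r'^([A-Za-z0-9/\-:;]+)\s*=\s*(.*)$')      # Key Wsp "=" Wsp ValueList
ACL_LINE = re.compile(r'^("[^"]*"|[^",]+),(\d+),"?([^"]*)"?$')  # Name "," Mode "," AclString

def parse_inf(data: bytes) -> dict:
    """Parse a security template per the section 2.2 grammar into
    {HeaderValue: [(key, [values]) or (name, mode, sddl)]}; raises ValueError on a
    missing BOM, a bad [Version] preamble, or a HeaderValue not in the table."""
    if not data.startswith(b"\xff\xfe"):
        raise ValueError("file must start with the UTF-16LE byte order mark")
    lines = data[2:].decode("utf-16-le").split("\r\n")  # LineBreak = CRLF
    pos = 2 if lines[:2] == ["[Unicode]", "Unicode=yes"] else 0  # optional preamble
    if lines[pos:pos + 3] != ["[Version]", 'signature="$CHICAGO$"', "Revision=1"]:
        raise ValueError("missing or malformed [Version] preamble")
    sections, header = {}, None
    for line in lines[pos + 3:]:
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            header = line[1:-1]
            if header not in ALLOWED_HEADERS:
                raise ValueError(f"HeaderValue not permitted: {header!r}")
            sections.setdefault(header, [])
        elif header is None:
            raise ValueError(f"setting before any section header: {line!r}")
        elif (m := KV_LINE.match(line)):
            sections[header].append((m.group(1), [v.strip() for v in m.group(2).split(",")]))
        elif (m := ACL_LINE.match(line)):
            sections[header].append((m.group(1).strip('"'), int(m.group(2)), m.group(3)))
        else:
            raise ValueError(f"line matches neither Setting form: {line!r}")
    return sections

# Constructed sample (not from the spec): both Setting forms, with the BOM prepended.
SAMPLE = b"\xff\xfe" + (
    "[Unicode]\r\nUnicode=yes\r\n"
    '[Version]\r\nsignature="$CHICAGO$"\r\nRevision=1\r\n'
    "[System Access]\r\nMinimumPasswordLength = 14\r\nLockoutBadCount = 5\r\n"
    "[Privilege Rights]\r\nSeDebugPrivilege = *S-1-5-32-544\r\n"
    '[Registry Keys]\r\n"MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Example",2,"D:PAR(A;CI;KA;;;BA)"\r\n'
).encode("utf-16-le")
```

Calling `parse_inf(SAMPLE)` returns the three sections with their parsed settings; feeding it the same bytes without the leading BOM, or a template with an unlisted section name, raises ValueError.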