Partager via


2.2 Message Syntax

Messages exchanged in the Group Policy: Security Protocol Extension correspond to security policy files transferred by using the SMB Protocol. The protocol is driven through the exchange of these messages, as specified in section 3.

All security policy files processed by the Group Policy: Security Protocol Extension MUST be encoded in UTF-16LE with Byte Order Mark (0xFFFE). The .inf file syntax is as follows.

 InfFile = UnicodePreamble VersionPreamble Sections
 UnicodePreamble = *("[Unicode]" LineBreak "Unicode=yes"
        LineBreak)
 VersionPreamble = "[Version]" LineBreak "signature=" 
        DQUOTE "$CHICAGO$" DQUOTE LineBreak "Revision=1" LineBreak
 Sections = Section /  Section Sections
 Section = Header Settings
 Header = "[" HeaderValue "]" LineBreak
 HeaderValue = StringWithSpaces
 Settings = Setting / Setting Settings
 Setting = Key Wsp "=" Wsp ValueList LineBreak /
 Name "," Mode "," AclString LineBreak 
 Name = String / QuotedString
 Mode = [0-9]+
 AclString = SDDL / DQUOTE SDDL DQUOTE
 ValueList = Value / Value Wsp "," Wsp ValueList
 Key = String
 Value = String / QuotedString

The preceding syntax is given in the Augmented Backus-Naur Form (ABNF) grammar, as specified in [RFC4234] and as augmented by the following rules.

            
 LineBreak = CRLF
 String = *(ALPHANUM / %d47 / %d45 / %d58 / %d59)
 StringWithSpaces = String / String Wsp StringWithSpaces
 QuotedString = DQUOTE *(%x20-21 / %x23-7E) DQUOTE
 Wsp = *WSP
 ALPHANUM = ALPHA / DIGIT

For more information about .inf files and their uses, see [MSDN-INF].

The protocol further restricts the values that can be assigned to HeaderValue. HeaderValue MUST be assigned one of the values listed in the following table.

HeaderValue

Purpose

System Access

MUST contain settings that pertain to account lockout, password policies, and local security options.

Kerberos Policy

MUST contain settings that pertain to the Kerberos policy, as specified in [RFC1510].

System Log

MUST contain settings that pertain to maximum size, retention policy, and so on for the system log. For more details, see section 2.2.3.

Security Log

MUST contain settings that pertain to maximum size, retention policy, and so on for the security log. For more details, see section 2.2.3.

Application Log

MUST contain settings that pertain to maximum size, retention policy, and so on for the application log. For more details, see section 2.2.3.

Event Audit

MUST contain settings that pertain to audit policy.

Registry Values

MUST contain registry values to be configured.

Privilege Rights

MUST contain a list of privileges to be assigned to specific accounts.

Service General Setting

MUST contain configuration settings that pertain to services.

Registry Keys

MUST contain a list of registry keys and their corresponding security information to be applied.

File Security

MUST contain a list of files, folders, and their corresponding security information to be applied.

Group Membership

MUST contain group membership information, for example, which users are part of what group.

Note The plug-in that implements the client side of the protocol documented here does not understand the semantics of any of the (name, value) pairs it handles. Its operation is to set those named values in client-side stores indicated by the HeaderValue. When that client-side store is the Registry, the plug-in does not need to know the list of possible names for (name, value) pairs. This implies that new security settings stored in registry keys can be created and populated by GP. For other stores, the plug-in maintains a precompiled list of mappings from setting name to the application programming interface (API) used to apply the setting.