In addition to the access control list provided by the hisecws. inf template, there are also files protected by the "Member Server benchmark policy.
File baseline permission
% Systemdrive %/boot. ini administrators: full control
System: full control
% Systemdrive %/ntdetect.com administrators: full control
System: full control
% Systemdrive %/ntldr administrators: full control
System: full control
% Systemdrive %/IO. sys administrators: full control
System: full control
% Systemdrive %/autoexec. Bat administrators: full control
System: full control
Authenticated Users: read and execute, list folder content, read
% SystemDir %/config administrators: full control
System: full control
Authenticated Users: read and execute, list folder content, read
% SystemRoot %/system32/append.exe administrators: full control
% SystemRoot %/system32/arp.exe administrators: full control
% SystemRoot %/system32/at.exe administrators: full control
% SystemRoot %/system32/attrib.exe administrators: full control
% SystemRoot %/system32/cacls.exe administrators: full control
% SystemRoot %/system32/change.exe administrators: full control
% SystemRoot %/system32/chcp.com administrators: full control
% SystemRoot %/system32/chglogon.exe administrators: full control
% SystemRoot %/system32/chgport.exe administrators: full control
% SystemRoot %/system32/chguser.exe administrators: full control
% SystemRoot %/system32/chkdsk.exe administrators: full control
% SystemRoot %/system32/chkntfs.exe administrators: full control
% SystemRoot %/system32/cipher.exe administrators: full control
% SystemRoot %/system32/cluster.exe administrators: full control
% SystemRoot %/system32/cmd.exe administrators: full control
% SystemRoot %/system32/compact.exe administrators: full control
% SystemRoot %/system32/command.com administrators: full control
% SystemRoot %/system32/convert.exe administrators: full control
% SystemRoot %/system32/cscript.exe administrators: full control
% SystemRoot %/system32/debug.exe administrators: full control
% SystemRoot %/system32/dfscmd.exe administrators: full control
% SystemRoot %/system32/diskcomp.com administrators: full control
% SystemRoot %/system32/diskcopy.com administrators: full control
% SystemRoot %/system32/doskey.exe administrators: full control
% SystemRoot %/system32/edlin.exe administrators: full control
% SystemRoot %/system32/exe2bin.exe administrators: full control
% SystemRoot %/system32/expand.exe administrators: full control
% SystemRoot %/system32/fc.exe administrators: full control
% SystemRoot %/system32/find.exe administrators: full control
% SystemRoot %/system32/findstr.exe administrators: full control
% SystemRoot %/system32/finger.exe administrators: full control
% SystemRoot %/system32/forcedos.exe administrators: full control
% SystemRoot %/system32/format.com administrators: full control
% SystemRoot %/system32/ftp.exe administrators: full control
% SystemRoot %/system32/hostname.exe administrators: full control
% SystemRoot %/system32/iisreset.exe administrators: full control
% SystemRoot %/system32/ipconfig.exe administrators: full control
% SystemRoot %/system32/ipxroute.exe administrators: full control
% SystemRoot %/system32/label.exe administrators: full control
% SystemRoot %/system32/logoff.exe administrators: full control
% SystemRoot %/system32/lpq.exe administrators: full control
% SystemRoot %/system32/lpr.exe administrators: full control
% SystemRoot %/system32/makecab.exe administrators: full control
% SystemRoot %/system32/mem.exe administrators: full control
% SystemRoot %/system32/mmc.exe administrators: full control
% SystemRoot %/system32/mode.com administrators: full control
% SystemRoot %/system32/more.com administrators: full control
% SystemRoot %/system32/mountvol.exe administrators: full control
% SystemRoot %/system32/msg.exe administrators: full control
% SystemRoot %/system32/nbtstat.exe administrators: full control
% SystemRoot %/system32/net.exe administrators: full control
% SystemRoot %/system32/net1.exe administrators: full control
% SystemRoot %/system32/netsh.exe administrators: full control
% SystemRoot %/system32/netstat.exe administrators: full control
% SystemRoot %/system32/nslookup.exe administrators: full control
% SystemRoot %/system32/ntbackup.exe administrators: full control
% SystemRoot %/system32/ntsd.exe administrators: full control
% SystemRoot %/system32/pathping.exe administrators: full control
% SystemRoot %/system32/ping.exe administrators: full control
% SystemRoot %/system32/print.exe administrators: full control
% SystemRoot %/system32/query.exe administrators: full control
% SystemRoot %/system32/rasdial.exe administrators: full control
% SystemRoot %/system32/rcp.exe administrators: full control
% SystemRoot %/system32/recover.exe administrators: full control
% SystemRoot %/system32/regedit.exe administrators: full control
% SystemRoot %/system32/regedt32.exe administrators: full control
% SystemRoot %/system32/regini.exe administrators: full control
% SystemRoot %/system32/register.exe administrators: full control
% SystemRoot %/system32/regsvr32.exe administrators: full control
% SystemRoot %/system32/replace.exe administrators: full control
% SystemRoot %/system32/reset.exe administrators: full control
% SystemRoot %/system32/rexec.exe administrators: full control
% SystemRoot %/system32/route.exe administrators: full control
% SystemRoot %/system32/routemon.exe administrators: full control
% SystemRoot %/system32/router.exe administrators: full control
% SystemRoot %/system32/rsh.exe administrators: full control
% SystemRoot %/system32/runas.exe administrators: full control
% SystemRoot %/system32/runonce.exe administrators: full control
% SystemRoot %/system32/secedit.exe administrators: full control
% SystemRoot %/system32/setpwd.exe administrators: full control
% SystemRoot %/system32/shadow.exe administrators: full control
% SystemRoot %/system32/cmd.exe administrators: full control
% SystemRoot %/system32/snmp.exe administrators: full control
% SystemRoot %/system32/snmptrap.exe administrators: full control
% SystemRoot %/system32/subst.exe administrators: full control
% SystemRoot %/system32/telnet.exe administrators: full control
% SystemRoot %/system32/termsrv.exe administrators: full control
% SystemRoot %/system32/tftp.exe administrators: full control
% SystemRoot %/system32/tlntadmin.exe administrators: full control
% SystemRoot %/system32/tlntsess.exe administrators: full control
% SystemRoot %/system32/tlntsvr.exe administrators: full control
% SystemRoot %/system32/tracert.exe administrators: full control
% SystemRoot %/system32/tree.com administrators: full control
% SystemRoot %/system32/tsadmin.exe administrators: full control
% SystemRoot %/system32/tscon.exe administrators: full control
% SystemRoot %/system32/tsdiscon.exe administrators: full control
% SystemRoot %/system32/tskill.exe administrators: full control
% SystemRoot %/system32/tsprof.exe administrators: full control
% SystemRoot %/system32/tsshutdn.exe administrators: full control
% SystemRoot %/system32/usrmgr.com administrators: full control
% SystemRoot %/system32/wscript.exe administrators: full control
% SystemRoot %/system32/xcopy.exe administrators: full control