4

In the past I have gone through a server hardening checklist on a Windows Server 2008 web server for PCI compliance. Basically there are a lot of Group Policy, Registry, and other settings that need to conform to the industry best practices for security, encryption, etc. When looking at one particular section, it states the following:

The system should be configured to disallow IP Source Routing, ICMP Redirects, and Internet Router Discovery Protocol. Additionally, configure the system to allow connections to time out sooner if a SYN flood is detected.

In the past I was able to set these restrictions using the group policy settings that start with "MSS:" under Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options

After looking back at my notes there was a file to edit in %SystemRoot%\inf named sceregvl.inf, but I didn't take enough detail to reproduce that method.

How can I view and edit these MSS group policy settings on Windows Server 2012 R2?

CodesInChaos
ibsk8in31
  • See https://pelicanohintsandtips.wordpress.com/2015/03/23/windows-2012-r2-group-policy-settings-including-mss-settings/ for details of getting LocalGPO.wsf to run on Windows Server 2012 R2 –  Mar 24 '15 at 10:04
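The checklist items quoted in the question map to five REG_DWORD values under the TCP/IP service keys, which is what the corresponding MSS policies write. The following is an added example, not code from the question or any answer: it audits those values on the local server and, with -Apply, sets them. Registry paths, value names and hardened values are the documented MSS targets; the Setting column carries the MSS policy titles so the report lines up with the checklist. It assumes an elevated PowerShell prompt on the server being checked.

```powershell
# Added example: audit (and optionally enforce) the TCP/IP values behind the
# MSS settings the PCI checklist names.  Run from an elevated prompt.
$tcpip  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$tcpip6 = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'

# Hardened values: DisableIPSourceRouting 2 = drop all incoming source-routed
# packets (0 = forward, 1 = do not forward); EnableICMPRedirect 0 and
# PerformRouterDiscovery 0 = disabled; SynAttackProtect 1 = time out half-open
# connections sooner when a SYN flood is detected.
$Expected = @(
    @{ Path = $tcpip;  Name = 'DisableIPSourceRouting'; Value = 2; Setting = 'MSS: (DisableIPSourceRouting) IP source routing protection level' }
    @{ Path = $tcpip6; Name = 'DisableIPSourceRouting'; Value = 2; Setting = 'MSS: (DisableIPSourceRouting IPv6) IPv6 source routing protection level' }
    @{ Path = $tcpip;  Name = 'EnableICMPRedirect';     Value = 0; Setting = 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' }
    @{ Path = $tcpip;  Name = 'PerformRouterDiscovery'; Value = 0; Setting = 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure default gateway addresses' }
    @{ Path = $tcpip;  Name = 'SynAttackProtect';       Value = 1; Setting = 'MSS: (SynAttackProtect) Syn attack protection level' }
)

function Test-MssTcpipHardening {
    [CmdletBinding()]
    param([switch]$Apply)   # report only unless -Apply is given

    foreach ($e in $Expected) {
        # With errors suppressed, Get-ItemProperty returns $null for a value
        # that does not exist.  A missing value is reported as non-compliant:
        # the hardened setting has not been explicitly applied.
        $item   = Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue
        $actual = if ($null -ne $item) { $item.($e.Name) } else { $null }
        $ok     = ($actual -eq $e.Value)

        if (-not $ok -and $Apply) {
            # -Force creates or overwrites; -PropertyType pins the type to REG_DWORD.
            New-ItemProperty -Path $e.Path -Name $e.Name -Value $e.Value -PropertyType DWord -Force | Out-Null
            $actual = $e.Value
            $ok     = $true
        }

        [pscustomobject]@{
            Setting       = $e.Setting
            RegistryValue = ("$($e.Path)\$($e.Name)" -replace '^HKLM:', 'HKLM')
            Expected      = $e.Value
            Actual        = $actual
            Compliant     = $ok
        }
    }
}

# Report drift:
Test-MssTcpipHardening | Format-Table -AutoSize
# Enforce on this machine:
# Test-MssTcpipHardening -Apply
```

Two caveats. Values written directly to the registry are overwritten at the next policy refresh if a GPO also sets them, so treat -Apply as a stop-gap for a single box; the durable fix is the policy. And if the MSS entries are not visible in the security editor, the same values can still be delivered by Group Policy Preferences (Computer Configuration, Preferences, Windows Settings, Registry), which does not depend on sceregvl.inf at all.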

5 Answers

4

Officially, you cannot. (On Server 2012 R2 as of the time of this writing.)

Unofficially? Maybe...

The "MSS" Group Policy settings are not and never have been included with a default, out-of-the-box installation of Active Directory. They were an add-on developed by a consulting group out in the field, and the settings were deemed so useful that they were included with the "Solution Accelerator" known as Security Compliance Manager. (It's been known under various similar names previously, such as "Windows 7 Security Compliance Management Toolkit.")

The problem is, the Security Compliance Manager comes with a whole bunch of junk that you do not want, such as a SQL Express instance. Junk that you really do not want to install on a domain controller. You only want to extract from it just the piece that you want, which is the "LocalGPO.msi" package.

The next problem is that Security Compliance Manager was never updated for 2012 R2. 2012, yes. 2012 R2, no.

That being said, you might still be able to get it to work on 2012 R2, but beware - doing so might put your server in an unsupportable state.

Download the Security Compliance Manager installation. Run it on your server.

Run the .exe, but do not continue with the installation. The installer deflates some files into a temp directory on the hard drive, such as C:\a1b2c3d4e5f6a0b1c2 or D:\a1b2c3d4e5f6a0b1c2. In that directory you will find a data.cab file. Open that file, and extract the file named GPOMSI and rename that file to LocalGPO.msi. Now cancel the SCM installer and it will delete the temp files.

Install LocalGPO.msi on your server. Then launch the new "LocalGPO Command-line" shortcut that you will find in your Start Screen. Run it as Administrator. Type cscript LocalGPO.wsf /ConfigSCE.

You will get an error that you are not running a supported operating system.

Open LocalGPO.wsf in notepad and comment out the ChkOSVer procedure in the script so that it will not check your version. Now run the above command again.

I have seen multiple reports of this working for other people, however it did not work for me. I still got a VBscript error at line 2245 of the script, at a WriteLine statement. I haven't bothered to debug any deeper, resigning myself to the fact that it simply has not been updated for 2012 R2.


Edit 4/11/2016: The version that is hosted on this Microsoft blog written by Aaron Margosis contains a download link to a version of the MSS Extension that works for me with 2012 R2 with no 'hacking' required. That's a link to a zip file. Inside the zip file, you will see a directory named 'Local_Script'. Inside that folder, you will find a subfolder named 'MSS_Extension'. Simply transfer that MSS_Extension directory to your 2012 R2 domain controller. Then open a command prompt and browse to that directory. Then run:

Cscript LocalGPO.wsf /ConfigSCE

Jake Reece
Ryan Ries
  • Following this guide gave me the ability to finally see the settings. Instead of commenting out the check for OS, the example here adds a case: [link](http://blog.datencamp.org/2014/07/mss-gpo-mystery-solved-w2012r2/) I think there still was a typo in the code he displays: capitalization of strOs -> strOS. – ibsk8in31 Jan 02 '15 at 22:57
  • @ibsk8in31 Excellent! I'm glad it worked for you. The MSS settings are still relevant today, so we need them even on 2012 R2. – Ryan Ries Jan 02 '15 at 23:00
1

The MSS Security Settings can be restored with the Microsoft Security Compliance Manager 3.
This will actually install on Server 2012, but you need MS SQL Express and the Visual C++ 2010 runtime libs installed. It will also complain about program compatibility, and you may have to re-run the setup routine a second time.

Once installed, you will find a file called LocalGPO.msi in C:\Program Files (x86)\Microsoft Security Compliance Manager\LGPO (or wherever you installed Security Compliance Manager to).

Run this MSI file on your server. This will install to C:\Program Files (x86)\LocalGPO (or wherever else you choose to install it).

Running: cscript LocalGPO.wsf /? will show you the various options available with this script, notably including:

/ConfigSCE       : Configures Security Configuration Editor (SCE) to display MSS settings.  

So, run this command:

C:\Program Files (x86)\LocalGPO>cscript LocalGPO.wsf /configsce
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

Modifying the Security Configuration Editor to the include MSS settings...

Updating the registry
89 subkeys found.
Subkeys deleted successfully
Subkeys added successfully
Registering SceCli.dll to complete SCE modification

The Security Configuration Editor is updated.

Security Configuration Editor has been modified successfully!


The Security Configuration Editor is updated.

And now, when you run gpedit.msc on your Server 2012 machine, you should find all the MSS settings are available again.

To do this to all machines, just take the LocalGPO.MSI file and install it on them, and then run the LocalGPO.wsf script on each of them to make the settings visible.

Adam Thompson
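What "cscript LocalGPO.wsf /ConfigSCE" does, as the output above shows, is edit %SystemRoot%\inf\sceregvl.inf (the file the question remembers from old notes), then re-register scecli.dll so the Security Configuration Editor rebuilds its "Reg Values" registry cache from the inf (the "subkeys deleted / added" lines). The following is an added example, not the LocalGPO script or anything from the answers: it performs that manual edit for the TCP/IP MSS entries only. The entry syntax is the documented sceregvl.inf format; the %Mss...% label names and the display strings are my own wording, not the SCM ones. It assumes an elevated prompt on Server 2012 R2 with the stock sceregvl.inf in place.

```powershell
# Added example: manual equivalent of LocalGPO.wsf /ConfigSCE for the TCP/IP
# MSS settings.  Run from an elevated prompt; keeps a backup of the inf.
$inf    = Join-Path $env:SystemRoot 'inf\sceregvl.inf'
$prefix = 'MACHINE\System\CurrentControlSet\Services'

# sceregvl.inf entry format: RegPath,RegType,%DisplayName%,DisplayType[,Options]
#   RegType     4 = REG_DWORD
#   DisplayType 0 = Enabled/Disabled checkbox
#               3 = drop-down list given as value|%label% pairs
$RegValues = @(
    "$prefix\Tcpip\Parameters\DisableIPSourceRouting,4,%MssSourceRouting%,3,0|%MssSR0%,1|%MssSR1%,2|%MssSR2%"
    "$prefix\Tcpip6\Parameters\DisableIPSourceRouting,4,%MssSourceRouting6%,3,0|%MssSR0%,1|%MssSR1%,2|%MssSR2%"
    "$prefix\Tcpip\Parameters\EnableICMPRedirect,4,%MssIcmpRedirect%,0"
    "$prefix\Tcpip\Parameters\PerformRouterDiscovery,4,%MssRouterDiscovery%,0"
    "$prefix\Tcpip\Parameters\SynAttackProtect,4,%MssSynAttack%,3,0|%MssSyn0%,1|%MssSyn1%"
)
$Strings = @(   # label names and text are this example's own, not SCM's
    'MssSourceRouting="MSS: (DisableIPSourceRouting) IP source routing protection level"'
    'MssSourceRouting6="MSS: (DisableIPSourceRouting IPv6) IPv6 source routing protection level"'
    'MssSR0="No additional protection, source routed packets are allowed"'
    'MssSR1="Medium, source routed packets ignored when IP forwarding is enabled"'
    'MssSR2="Highest protection, source routing is completely disabled"'
    'MssIcmpRedirect="MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes"'
    'MssRouterDiscovery="MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure default gateway addresses"'
    'MssSynAttack="MSS: (SynAttackProtect) Syn attack protection level"'
    'MssSyn0="No additional protection, use default settings"'
    'MssSyn1="Connections time out sooner if a SYN attack is detected"'
)

function Add-LinesAfterSection {
    param([string[]]$Lines, [string]$Section, [string[]]$New)
    $i = -1
    for ($j = 0; $j -lt $Lines.Count; $j++) {
        if ($Lines[$j].Trim() -eq $Section) { $i = $j; break }
    }
    if ($i -lt 0) { throw "Section $Section not found in $inf" }
    # Idempotent: index the keys already present (text before the first ',' or '=')
    # and only add entries whose key is missing.
    $existing = @{}
    foreach ($l in $Lines) { $existing[(($l -split '[,=]')[0]).Trim()] = $true }
    $toAdd = @($New | Where-Object { -not $existing.ContainsKey((($_ -split '[,=]')[0]).Trim()) })
    if ($toAdd.Count -eq 0) { return $Lines }
    return $Lines[0..$i] + $toAdd + $Lines[($i + 1)..($Lines.Count - 1)]
}

# The inf is owned by TrustedInstaller: back it up, then take ownership.
Copy-Item $inf "$inf.bak" -Force
takeown.exe /f $inf | Out-Null
icacls.exe $inf /grant 'Administrators:F' | Out-Null

# sceregvl.inf is UTF-16LE ("Unicode").  Reading or writing it with any other
# encoding corrupts it and SCE then silently ignores the new entries.
$lines = Get-Content $inf -Encoding Unicode
$lines = Add-LinesAfterSection $lines '[Register Registry Values]' $RegValues
$lines = Add-LinesAfterSection $lines '[Strings]' $Strings
Set-Content -Path $inf -Value $lines -Encoding Unicode

# Re-register scecli.dll so SCE rebuilds its registry cache from the inf.
& "$env:SystemRoot\System32\regsvr32.exe" /s "$env:SystemRoot\System32\scecli.dll"

# Verify: the new entries appear as subkeys here, and gpedit.msc now lists them
# under Security Settings > Local Policies > Security Options.
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SecEdit\Reg Values' |
    Where-Object { $_.PSChildName -like '*Tcpip*' } |
    Select-Object PSChildName
```

This only changes what the editor displays. Values already stored in a GPO's security template keep applying whether or not the inf lists them, so the edit is needed on the machine where you run gpedit.msc or GPMC, not on every client. Expect servicing that replaces sceregvl.inf to drop the entries; keep the script (or the LocalGPO package) to hand to re-run it.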
0

The solution is the same as Ryan Ries's, but:

To run it on 2012 R2 we must not comment out the ChkOSVer procedure but edit it:

Search for the routine called 'ChkOSVersion' and scroll down; you will find a bunch of if-statements. You will want it to look as follows:

' ChkOSVersion: map the reported kernel version to the template label the
' script knows.  The first branch is the one added for Server 2012 R2
' (kernel 6.3, non-workstation product type), which is treated as "WS12".
' strProductType = "1" means a workstation edition, anything else a server.
If (Left(strOpVer,3) = "6.3") and (strProductType <> "1") then
    strOS = "WS12"
ElseIf (Left(strOpVer,3) = "6.2") and (strProductType <> "1") then
    strOS = "WS12"
ElseIf (Left(strOpVer,3) = "6.2") and (strProductType = "1") then
    strOS = "Win8"
ElseIf (Left(strOpVer,3) = "6.1") and (strProductType <> "1") then
    strOS = "WS08R2"
ElseIf (Left(strOpVer,3) = "6.1") and (strProductType = "1") then
    strOS = "Win7"
ElseIf (Left(strOpVer,3) = "6.0") and (strProductType <> "1") then
    strOS = "WS08"
ElseIf (Left(strOpVer,3) = "6.0") and (strProductType = "1") then
    strOS = "VISTA"
ElseIf (Left(strOpVer,3) = "5.2") and (strProductType <> "1") then
    strOS = "WS03"
ElseIf (Left(strOpVer,3) = "5.2") and (strProductType = "1") then
    strOS = "XP"
ElseIf (Left(strOpVer,3) = "5.1") and (strProductType = "1") then
    strOS = "XP"
Else
    ' Unsupported version: show the script's own error text and bail out.
    strMessage = DisplayMessage(conLABEL_CODE002)
    Call MsgBox(strMessage, vbOKOnly + vbCritical, strTitle)
    Call CleanupandExit
End If

Note the first statement. Ensure you are saving the file using UTF-8 encoding and that it still resides in the same folder, as there are dependencies on other files.

Next right-click on the “LocalGPO command-line” icon and choose “Run as Administrator”

At the command prompt type “cscript LocalGPO.wsf /ConfigSCE” and press enter.

That's all. We have the MSS GP settings in our GPMC.

DmiBar
0

There's an update which includes the 2012 R2 policies, as shown in the pic below:

Make sure you get Version 4 of SCM.

chicks
0

What I discovered for both Win10 and Server2K12R2 is that the LocalGPO.WSF needs to be modified so that the INF file it opens to update the entries is opened and saved as Unicode in the UpdateSCEwithMSSValues sub. That seems to at least make the script happy, and the INF file is indeed updated in Windows/Inf. However, I have yet to actually see the MSS hidden entries when running GPEDIT.MSC under Computer/Windows Settings/Security Settings/Local Policies/Security Options as you would see in Win7. To actually access the entries, you need to copy the ADMX and ADML templates to Windows/PolicyDefinitions; the MSS entries then show up under Computer/Administrative Templates. My $.02

TonyD