I'm currently working on a new Windows Server 2012 and Windows 8 project. Part of that project is to implement new standardised security policies for both Windows Server 2012 and Windows 8, much like the Server 2008 and Windows 7 policies we use. These are based on the CIS Security Benchmarks from http://www.cisecurity.org/

While creating the group policy objects (GPOs) from these CIS benchmarks, I came across a problem: a bunch of settings were missing from my Group Policy Management console on Windows Server 2012. Specifically, these settings were within:

Computer Configuration --> Windows Settings --> Security Settings --> Local Policies --> Security Options --> MSS:

These settings are items such as TcpMaxDataRetransmissions and EnableICMPRedirect which I need to set.

Then followed a number of wasted hours trying to figure out how to get these MSS settings to appear so I could configure my GPO as required to comply with the CIS Benchmarks.

After much time wasted (thanks Microsoft for removing these settings) I found the following is the best way to get the MSS settings to appear in the group policy management console editor.

1. Download the Microsoft Security Compliance Manager and install it in a Windows Server 2008 R2 VM you can throw away.

http://technet.microsoft.com/en-gb/library/cc677002.aspx

I tried Windows Server 2012 and the installer kept crashing, well done again Microsoft!

The reason I used a throw away VM was because it installs SQL and a bunch of stuff I don't want.

We are after one specific MSI that we can get once SCM is installed - that's all!

2. After SCM is installed copy the following MSI to your management station with GPMC where you are editing your GPOs.

C:\Program Files (x86)\Microsoft Security Compliance Manager\LGPO\LocalGPO.msi

3. Install the LocalGPO.msi on your management station with GPMC where you are editing your GPOs.

4. Run the LocalGPO command prompt as an administrator (search the 2012 start menu tiles - type "local")

5. Using LocalGPO, configure Security Configuration Editor (SCE) to display MSS settings.

C:\Program Files (x86)\LocalGPO>cscript LocalGPO.wsf /ConfigSCE

Microsoft (R) Windows Script Host Version 5.8

Copyright (C) Microsoft Corporation. All rights reserved.

Modifying the Security Configuration Editor to the include MSS settings...

Updating the registry

89 subkeys found.

Subkeys deleted successfull

Subkeys added successfully

Registering SceCli.dll to complete SCE modification

The Security Configuration Editor is updated.

Security Configuration Editor has been modified successfully!

The Security Configuration Editor is updated.

6. And there you have it! The MSS settings are back without having to install SQL and SCM on your domain controller or anything else.

Note: Keep the LocalGPO.msi handy so you can install it on any server and edit the MSS settings with GPMC.

You can also now delete the VM you created to install SCM as we no longer need it.
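Once the GPO has been applied, it is worth confirming both that the MSS entries are registered with the Security Configuration Editor and that the values actually landed on a target machine. The following PowerShell audit is an added example, not part of the original article or of LocalGPO; the function name Test-MssSetting is hypothetical and the expected values are assumptions to be replaced with the ones from your CIS benchmark version.

```powershell
# Added example: read-only audit, not code from the original article.
# ASSUMPTION: expected values below are placeholders for your CIS baseline.
$Expected = @{
    'EnableICMPRedirect'        = 0
    'TcpMaxDataRetransmissions' = 3
}

# Key where the Security Configuration Editor keeps its list of displayable settings
$SceKey   = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\SecEdit\Reg Values'
# Key where the two MSS settings named in the article are stored
$TcpipKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# SCE subkey names contain forward slashes, which the PowerShell registry
# provider handles poorly, so enumerate them through the .NET API instead.
$sce = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SceKey)
$sceNames = if ($sce) { $sce.GetSubKeyNames() } else { @() }

function Test-MssSetting {
    param([string]$Name, [int]$ExpectedValue)

    # 1. Is the setting registered so that the editor can display it?
    $registered = [bool]($sceNames | Where-Object { $_ -like "*/$Name" })

    # 2. What value is currently in the registry on this machine?
    $actual = $null
    $props = Get-ItemProperty -LiteralPath $TcpipKey -Name $Name -ErrorAction SilentlyContinue
    if ($props) { $actual = $props.$Name }

    [pscustomobject]@{
        Setting       = $Name
        ShownInEditor = $registered
        Expected      = $ExpectedValue
        Actual        = if ($null -eq $actual) { '<not set>' } else { $actual }
        Compliant     = ($null -ne $actual -and $actual -eq $ExpectedValue)
    }
}

$Expected.GetEnumerator() |
    ForEach-Object { Test-MssSetting -Name $_.Key -ExpectedValue $_.Value } |
    Format-Table -AutoSize
```

ShownInEditor is only meaningful on the management station where LocalGPO /ConfigSCE was run; on ordinary GPO targets, look at the Actual and Compliant columns after a gpupdate.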

Hope that saved you some time and you came across this article first. It took me a few wasted hours to figure it out and write the above procedure.

referer:https://www.vmadmin.co.uk/microsoft/43-winserver2008/348-server2012mssgposettings
