I'm currently working on a new Windows Server 2012 and Windows 8 project. As part of that project is to implement new standarised security policies for both Windows Server 2012 and Windows 8, much like the Server 2008 and Windows 7 policies we use. These are based on the CIS Security Benchmarks from http://www.cisecurity.org/

While creating the group policy objects (GPOs) from these CIS benchmarks, I came across a problem which was a bunch of missing settings in my Group Policy Mangement console on Windows Server 2012. Specifically these settings were within:

Computer Configuration --> Windows Settings --> Security Settings --> Local Policies --> Security Options --> MSS:

These settings are items such as TcpMaxDataRetransmissions and EnableICMPRedirect which I need to set.

Then followed a number of wasted hours trying to figure out how to get these MSS settings to appear so I could configure my GPO as required to comply with the CIS Benchmarks.

After much time wasted (thanks Microsoft for removing these settings) I found the following is the best way to get the MSS settings to appear in the group policy management console editor.

1.  Download the Microsoft Security Compliance Manager and install in a Windows Server 2008 R2 VM you can throw away.

http://technet.microsoft.com/en-gb/library/cc677002.aspx

I tried Windows Server 2012 and the installer kept crashing, well done again Microsoft!

The reason I used a throw away VM was because it installs SQL and a bunch of stuff I don't want.

We are after a specific MSI that once SCM installed we can get - thats all!

2. After SCM is installed copy the following MSI to your management station with GPMC where you are editing your GPOs.

C:\Program Files (x86)\Microsoft Security Compliance Manager\LGPO\LocalGPO.msi

3. Install the LocalGPO.msi on your to your management station with GPMC where you are editing your GPOs.

4. Run the LocalGPO command prompt as an administrator (search the 2012 start menu tiles - type "local")

5. Using LocalGPO, configure Security Configuration Editor (SCE) to display MSS settings.

C:\Program Files (x86)\LocalGPO>cscript LocalGPO.wsf /ConfigSCE

Microsoft (R) Windows Script Host Version 5.8

Copyright (C) Microsoft Corporation. All rights reserved.

Modifying the Security Configuration Editor to the include MSS settings...

Updating the registry

89 subkeys found.

Subkeys deleted successfull

Subkeys added successfully

Registering SceCli.dll to complete SCE modification

The Security Configuration Editor is updated.

Security Configuration Editor has been modified successfully!

The Security Configuration Editor is updated.#vmadmin

6. And there you have it! The MSS settings are back without having to install SQL and SCM on your domain controller or anything else.

Note: Keep the LocalGPO.msi handy so you can install it on any server and edit the MSS settings with GPMC.

You can also now delete the VM you created to install SCM as we no longer need it.

Hope that saved you some time and you came across this article first. It took me a few wasted hours to figure it out and right the above procedure.

referer:https://www.vmadmin.co.uk/microsoft/43-winserver2008/348-server2012mssgposettings

[转]Missing MSS Settings in Security Options of Group Policy (GPO)的更多相关文章

  1. DFS security warning and use group policy to set up internet security zones

    Opening a file from a DFS domain share shows a security warning while openning from the server share ...

  2. How to apply Local Group Policy settings silently using the ImportRegPol.exe and Apply_LGPO_Delta.exe utilities.

    参考:http://supportishere.com/how-to-apply-local-group-policy-settings-silently-using-the-importregpol ...

  3. mac远程桌面连接windows 8.1 update,提示: 远程桌面连接无法验证您希望连接的计算机的身份

    在网上找到解决方案: SolutionEnable RDP security layer in Group Policy on the machine: Verify that the firewal ...

  4. How to detect, enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server

    转自:https://support.microsoft.com/en-us/help/2696547/detect-enable-disable-smbv1-smbv2-smbv3-in-windo ...

  5. Group Policy Object Editor

    Group Policy Object Editor   The Group Policy Object Editor is a tool that hosts MMC extension snap- ...

  6. Configure Security Settings for Remote Desktop(RDP) Services Connections

    catalogue . Configure Server Authentication and Encryption Levels . Configure Network Level Authenti ...

  7. Android Studio :enable vt-x in your bios security,已经打开还是报错的解决方法

    quote: For Windows 10: First of all, install the intelhaxm-android.exe located in the folder SDK\ext ...

  8. Cisco IOS Security command Guide

    copy system:running-config nvram:startup-config : to save your configuration changes to the startup ...

  9. What is XMLHTTP? How to use security zones in Internet Explorer

    Types of Security Zones Internet Zone This zone contains Web sites that are not on your computer or ...

随机推荐

  1. uniqueidentifier in SQL becomes lower case in c#

     https://stackoverflow.com/questions/16938151/uniqueidentifier-in-sql-becomes-lower-case-in-c-sharp ...

  2. EF Code-First 学习之旅

    什么是Code-First 基本工作流: 写好应用程序的领域类和上下文类→配置领域类的额外映射→运行程序→Code-First API创建新的数据库或与现有数据库对应→添加种子数据到数据库中测试

  3. ambari2.4.2在CentOS7上的二次开发

    前言:如果想安装到CentOS7,就一定要将源码在CentOS7上编译,然后安装,否则可能会出现各种问题 目录 源码结构 技术点 编译环境的搭建  安装samba 安装编译环境 整体编译 ambari ...

  4. list!=null跟list.isEmpty()有什么区别?

    这就相当与,你要喝水,前面list!=null就是判断是不是连水杯都没有,后面!list.isEmpty就是判断水杯里面没有水,连盛水的东西都没有,这个水从何而来?所以一般的判断是if(list!=n ...

  5. Db2数据库在Linux下的安装和配置

    一.DB2数据库的安装和配置: 1.安装完成后,需要增加三个操作系统的组和三个操作系统用户,如下: groupadd -g 999 db2iadm1  #(管理实例的组) groupadd -g 99 ...

  6. jQuery Fancybox插件使用参数详解

    Fancybox的特点如下: 可以支持图片.html文本.flash动画.iframe以及ajax的支持 可以自定义播放器的CSS样式 可以以组的形式进行播放 如果将鼠标滚动插件(mouse whee ...

  7. Struts2学习(2)

    1.结果嗯配置 (1)全局结果页面 (2)局部结果页面 (3)result标签type属性 2.在action获取表单提交数据 (1)使用ActionContext类获取 (2)使用ServletAc ...

  8. python字典中dict.get()和dict.setdefault()的异同点

    相同点: 两者是参数相同:dict.get(key, default=None), dict.setdefault(key, default=None) 如果指定的键不存在时,两者都返回默认值,默认是 ...

  9. excel中日期设置星期

    在设置日期格式中-自定义中-设置填入yyyy-mm-dd [$-804]aaa;@ 即可.

  10. Mybatis_总结_06_用_插件开发

    一.前言 Mybatis采用责任链模式,通过动态代理组织多个插件(拦截器),通过这些插件可以改变Mybatis的默认行为(诸如SQL重写之类的),由于插件会深入到Mybatis的核心,因此在编写自己的 ...