How to Enable MSS Group Policy Settings Windows Server 2012

Tags: group-policy, hardening, pci-dss, windows-server-2012-r2

In the past I have gone through a server hardening checklist on a Windows Server 2008 web server for PCI compliance. Basically there are a lot of Group Policy, Registry, and other settings that need to conform to the industry best practices for security, encryption, etc. When looking at one particular section, it states the following:

The system should be configured to disallow IP Source Routing, ICMP Redirects, and Internet Router Discovery Protocol. Additionally, configure the system to allow connections to time out sooner if a SYN flood is detected.

In the past I was able to set these restrictions using the group policy settings that start with "MSS:" under Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options

After looking back at my notes there was a file to edit in %SystemRoot%\inf named sceregvl.inf, but I didn't take enough detail to reproduce that method.

How can I view and edit these MSS group policy settings on Windows Server 2012 R2?

Best Answer

Officially, you cannot. (On Server 2012 R2 as of the time of this writing.)

Unofficially? Maybe...

The "MSS" Group Policy settings are not and never have been included with a default, out-of-the-box installation of Active Directory. They were an add-on developed by a consulting group out in the field, and the settings were deemed so useful that they were included with the "Solution Accelerator" known as Security Compliance Manager. (It's been known under various similar names previously, such as "Windows 7 Security Compliance Management Toolkit.")

The problem is, the Security Compliance Manager comes with a whole bunch of junk that you do not want, such as a SQL Express instance. Junk that you really do not want to install on a domain controller. You only want to extract from it just the piece that you want, which is the "LocalGPO.msi" package.

The next problem is that Security Compliance Manager was never updated for 2012 R2. 2012, yes. 2012 R2, no.

That being said, you might still be able to get it to work on 2012 R2, but beware - doing so might put your server in an unsupportable state.

Download the Security Compliance Manager installation. Run it on your server.

Run the .exe, but do not continue with the installation. The installer deflates some files into a temp directory on the hard drive, such as C:\a1b2c3d4e5f6a0b1c2 or D:\a1b2c3d4e5f6a0b1c2. In that directory you will find a data.cab file. Open that file, and extract the file named GPOMSI and rename that file to LocalGPO.msi. Now cancel the SCM installer and it will delete the temp files.

Install LocalGPO.msi on your server. Then launch the new "LocalGPO Command-line" shortcut that you will find in your Start Screen. Run it as Administrator. Type cscript LocalGPO.wsf /ConfigSCE.

You will get an error that you are not running a supported operating system.

Open LocalGPO.wsf in notepad and comment out the ChkOSVer procedure in the script so that it will not check your version. Now run the above command again.

I have seen multiple reports of this working for other people, however it did not work for me. I still got a VBScript error at line 2245 of the script, at a WriteLine statement. I haven't bothered to debug any deeper, resigning myself to the fact that it simply has not been updated for 2012 R2.

Edit 4/11/2016: The version that is hosted on this Microsoft blog written by Aaron Margosis contains a download link to a version of the MSS Extension that works for me with 2012 R2 with no 'hacking' required. That's a link to a zip file. Inside the zip file, you will see a directory named 'Local_Script'. Inside that folder, you will find a subfolder named 'MSS_Extension'. Simply transfer that MSS_Extension directory to your 2012 R2 domain controller. Then open a command prompt and browse to that directory. Then run:

Cscript LocalGPO.wsf /ConfigSCE
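Two things a practitioner wants after following the answer: a way to confirm that /ConfigSCE really added the "MSS:" entries to sceregvl.inf (the file the question mentions), and a way to audit and, if the GUI route fails, set the four network settings from the checklist quoted in the question, since they are ordinary registry values under the TCP/IP service regardless of whether the editor displays them. The script below is an added example written for this page; it is not code from the question, the answer, or the Microsoft tooling. The registry value names are the ones the MSS: entries are documented to write to, but the expected values (2 / 0 / 0 / 1) are an assumption taken from the usual hardening baselines and should be checked against your own PCI checklist before remediating.

```powershell
<#
  Added example, not part of the original question or answer.
  - Test-MssExposedInSecEdit: did 'cscript LocalGPO.wsf /ConfigSCE' add MSS: entries
    to %SystemRoot%\inf\sceregvl.inf (what makes them appear under Security Options)?
  - Get-MssCompliance / Set-MssCompliance: audit and remediate the underlying
    registry values for the settings named in the question.
  Assumptions: expected values below are typical baseline values, not taken from
  the page. Run from an elevated PowerShell prompt; TCP/IP parameter changes
  take effect after a reboot.
#>
param(
    [switch]$Remediate
)

$TcpipV4 = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$TcpipV6 = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'

# Short policy label -> registry value the MSS: entry writes to, and the hardened value.
$MssSettings = @(
    @{ Policy = 'MSS: (DisableIPSourceRouting)';      Path = $TcpipV4; Name = 'DisableIPSourceRouting'; Expected = 2 } # 2 = drop all source-routed packets
    @{ Policy = 'MSS: (DisableIPSourceRouting IPv6)'; Path = $TcpipV6; Name = 'DisableIPSourceRouting'; Expected = 2 }
    @{ Policy = 'MSS: (EnableICMPRedirect)';          Path = $TcpipV4; Name = 'EnableICMPRedirect';     Expected = 0 } # 0 = ignore ICMP redirects
    @{ Policy = 'MSS: (PerformRouterDiscovery)';      Path = $TcpipV4; Name = 'PerformRouterDiscovery'; Expected = 0 } # 0 = IRDP disabled
    @{ Policy = 'MSS: (SynAttackProtect)';            Path = $TcpipV4; Name = 'SynAttackProtect';       Expected = 1 } # 1 = time out connections sooner under SYN flood
)

function Test-MssExposedInSecEdit {
    # Counts "MSS:" occurrences in sceregvl.inf. Zero means /ConfigSCE did not
    # (or could not) register the entries, so the editor will not show them.
    $inf = Join-Path $env:SystemRoot 'inf\sceregvl.inf'
    $count = (Select-String -Path $inf -Pattern 'MSS:' -SimpleMatch | Measure-Object).Count
    Write-Output "MSS: entries in ${inf}: $count"
    return ($count -gt 0)
}

function Get-MssCompliance {
    foreach ($s in $MssSettings) {
        # A missing value is reported as $null, i.e. the OS default is in effect.
        $prop   = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
        $actual = if ($null -ne $prop) { $prop.($s.Name) } else { $null }
        [pscustomobject]@{
            Policy    = $s.Policy
            Value     = "$($s.Path)\$($s.Name)"
            Expected  = $s.Expected
            Actual    = $actual
            Compliant = ($actual -eq $s.Expected)
        }
    }
}

function Set-MssCompliance {
    foreach ($s in $MssSettings) {
        $prop   = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
        $actual = if ($null -ne $prop) { $prop.($s.Name) } else { $null }
        if ($actual -eq $s.Expected) { continue }
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        # -Force creates the value as REG_DWORD or overwrites an existing one.
        New-ItemProperty -Path $s.Path -Name $s.Name -PropertyType DWord -Value $s.Expected -Force | Out-Null
        Write-Output "Set $($s.Path)\$($s.Name) = $($s.Expected) (was: $actual)"
    }
}

Test-MssExposedInSecEdit | Out-Null
Get-MssCompliance | Format-Table -AutoSize
if ($Remediate) {
    Set-MssCompliance
    Write-Output 'Reboot for TCP/IP parameter changes to take effect.'
}
```

Run it once without -Remediate to get the audit table, then with -Remediate to set the non-compliant values. Two caveats: writing the registry directly does not make the MSS: entries appear in the Group Policy editor (only the sceregvl.inf registration does that), and a local registry edit is not enforced by Group Policy, so it can be overwritten later; for domain-wide enforcement the same values can be delivered as a Group Policy Preferences registry item. Compliance scanners read the registry values, so either route satisfies the checklist item quoted above.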