Why don’t all of the FDCC settings appear in the Group Policy Editor?


Author: Mandy Tidwell, Senior Consultant 

 

As many of you may have noticed, the FDCC Group Policy settings spreadsheet and FDCC Group Policy Objects (GPOs) downloaded from NIST (http://csrc.nist.gov/fdcc) contain settings that are not exposed by default in the Group Policy Editor interface.  These settings are easily identified in that they all begin with MSS.

Example: MSS: (AutoAdminLogon) Enable Automatic Logon (Not Recommended)

These additional group policy settings were developed by the Microsoft Solutions for Security group and are documented in the appropriate Windows XP and Windows Vista Security Guides.

The Windows XP and Windows Vista Security Guides are available using the following links:

Windows Vista

http://technet.microsoft.com/en-us/bb629420.aspx

 

Windows XP

http://www.microsoft.com/technet/security/prodtech/windowsxp/secwinxp/default.mspx

Exposing these additional settings prefaced with MSS can be accomplished by downloading the appropriate Windows Vista or Windows XP Security Guide and using the following steps:

Windows Vista

To modify the SCE to display MSS settings

1. Ensure that you have met the following prerequisites:

   - The computer is joined to the domain using Active Directory where you created the GPOs.

   - The Windows Vista Security Guide GPOAccelerator Tool directory is installed.

     Note: You can also simply copy the GPOAccelerator Tool directory from a computer on which you have installed the directory to another computer that you want to use to run the script. The GPOAccelerator Tool folder and subfolders for it must be present on the local computer for the script to run as described in this procedure.

2. Log on to the computer as an administrator.

3. On the desktop, click the Windows Vista Start button, click All Programs, and click Windows Vista Security Guide.

4. Open the GPOAccelerator Tool\Security Group Policy Objects folder.

5. Right-click the Command-line Here.cmd file, and then click Run as administrator to open a command prompt with full administrative privileges.

6. At the command prompt, type cscript GPOAccelerator.wsf /ConfigSCE and then press ENTER.

7. In the Click Yes to continue, or No to exit the script message box, click Yes.

8. In The Security Configuration Editor is updated message box, click OK.

 

To reset the SCE tool to the default settings in Windows Vista

1. Log on to the computer as an administrator.

2. On the desktop, click the Windows Vista Start button, click All Programs, and click Windows Vista Security Guide.

3. Open the GPOAccelerator Tool\Security Group Policy Objects folder.

4. Right-click the Command-line Here.cmd file, and then click Run as administrator to open a command prompt with full administrative privileges.

   Note: If prompted for logon credentials, type your user name and password, and then press ENTER.

5. At the command prompt, type cscript GPOAccelerator.wsf /ResetSCE and then press ENTER.

6. In the Click Yes to continue, or No to exit the script message box, click Yes.

   Note: Completing this procedure reverts the Security Configuration Editor on your computer to the default settings in Windows Vista. Any settings added to the default Security Configuration Editor will be removed. This only affects the ability to view the settings with the Security Configuration Editor; configured Group Policy settings remain in place.

7. In The Security Configuration Editor is updated message box, click OK.

 

Windows XP

To manually update Sceregvl.inf

1. Use a text editor such as Notepad to open the Values-sceregvl.txt file from the SCE Update folder of the download for this guide.

2. Open another window in the text editor and then open the %systemroot%\inf\sceregvl.inf file.

3. Navigate to the bottom of the "[Register Registry Values]" section in the sceregvl.inf file. Copy and paste the text from the Values-sceregvl.txt file, without any page breaks, into this section of the sceregvl.inf file.

4. Close the Values-sceregvl.txt file and open the Strings-sceregvl.txt file from the SCE Update folder of the download.

5. Navigate to the bottom of the "[Strings]" section in the sceregvl.inf file. Copy and paste the text from the Strings-sceregvl.txt file, without any page breaks, into this section of the sceregvl.inf file.

6. Save the sceregvl.inf file and close the text editor.

7. Open a command prompt and execute the command regsvr32 scecli.dll to re-register the DLL file.
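Each MSS entry pasted into sceregvl.inf is really two lines: a value line under [Register Registry Values] that refers to a %Name% token, and a matching Name = "..." line under [Strings]. If the second half is missing, the setting silently fails to appear in the editor. The following checker is an added example (not code from the post or from the Security Guide's SCE Update scripts); it parses an .inf-style file and reports value entries whose token has no [Strings] definition, using a constructed sample rather than the real sceregvl.inf.

```python
import re

# Constructed sample in sceregvl.inf layout (not the real file). The
# EnablePMTUDiscovery value line deliberately has no [Strings] entry.
SAMPLE_INF = r"""[Register Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse,4,%LimitBlankPasswordUse%,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon,1,%AutoAdminLogon%,0
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery,4,%EnablePMTUDiscovery%,0

[Strings]
LimitBlankPasswordUse = "Accounts: Limit local account use of blank passwords to console logon only"
AutoAdminLogon = "MSS: (AutoAdminLogon) Enable Automatic Logon (Not Recommended)"
"""

# Value line layout: registry path, registry type (4 = REG_DWORD, 1 = REG_SZ),
# the %Name% token resolved from [Strings], then the editor's display type.
VALUE_RE = re.compile(r"^(?P<path>[^,]+),(?P<type>\d+),%(?P<name>[^%]+)%,(?P<display>\d+)")


def parse_sections(text):
    """Split an .inf-style file into {section name: [non-comment lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def find_unresolved(text):
    """Value entries whose %Name% token has no [Strings] definition."""
    sections = parse_sections(text)
    defined = {s.partition("=")[0].strip() for s in sections.get("Strings", [])}
    return [(m.group("path"), m.group("name"))
            for m in map(VALUE_RE.match, sections.get("Register Registry Values", []))
            if m and m.group("name") not in defined]


def mss_settings(text):
    """Display names from [Strings] that the editor will list under MSS:."""
    names = []
    for line in parse_sections(text).get("Strings", []):
        value = line.partition("=")[2].strip().strip('"')
        if value.startswith("MSS:"):
            names.append(value)
    return names
```

Point it at %systemroot%\inf\sceregvl.inf after step 5 and before re-registering scecli.dll; any path it reports needs its string added to [Strings] before the setting will render.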

To automatically update sceregvl.inf

1. The Values-sceregvl.txt, Strings-sceregvl.txt, and Update_SCE_with_MSS_Regkeys.vbs files that are located in the SCE Update folder of the download for this guide must all be in the same location for the script to function.

2. Execute the Update_SCE_with_MSS_Regkeys.vbs script on the computer you wish to update.

3. Follow the onscreen prompts.

To reverse the changes made by the Update_SCE_with_MSS_Regkeys.vbs script

1. Execute the Rollback_SCE_for_MSS_Regkeys.vbs script on the computer you wish to update.

2. Follow the onscreen prompts.

 

After extending the Security Configuration Editor interface using the above steps, you should now be able to see the MSS settings under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options in Group Policy Editor: all the new entries start with "MSS:".

Final Important Note

Note that although all of the FDCC Group Policy objects should be imported on a machine running the Group Policy Management Console on either a W


Comments (8)

  1. Anonymous says:

    Regarding that final note about GPMC, can the IE 7 and Vista settings be imported using the import feature of GPMC with SP1 on Windows 2003, or does the edit and view comment also apply to actually using Windows 2003 and GPMC to import them in the first place.

    [Mandy Tidwell] No. As a matter of fact, you MUST use Windows Server 2003 or Windows 2000 GPMC to import all of the GPOs. You cannot import them on a Windows Vista/Windows Server 2008 machine. However, after the import, all further work on the IE7 and Vista policies should be performed from Vista or Windows Server 2008.

  2. Anonymous says:

    As Bill noted above: The GPOAccelerator is no longer available. It has been replaced with Microsoft Security Compliance Manager and the Local Policy Tool, see social.technet.microsoft.com/…/what-happened-to-the-gpo-accelerator.aspx for more details. You can download SCM at technet.microsoft.com/…/cc677002.aspx. If you have more questions feel free to contact me directly or our team's address, secwish@microsoft.com.

  3. Anonymous says:

    There are two parts required, the value and the string.  Both parts must be placed in the sceregvl.inf file.

    First: The string, as listed in the previous comment, is one line.  It resides within the === MSS Values === section of the .inf file.

    Second, the registry value must be placed in the appropriate section of the ===MSS Values=== section:

    MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery,4,%EnablePMTUDiscovery%,0

    These two lines could be added to the scripts before importing them to simplify the task. However, editing the .inf file in notepad is trivial.

    The DLL should be re-registered and the GPO editor should be closed and reopened before the changes will appear.

    Obviously, replication should be checked to ensure no delays are present which may cause unexpected behavior in the GPO.

  4. Anonymous says:

    FYI, The following setting does not appear to be available in the provided MSS update and will need to be added manually:

    EnablePMTUDiscovery = "MSS: (Enable PMTUDiscovery) Allow automatic detection of MTU size (Possible DOS by an attacker using a small MTU)."

  5. Tom Rogers says:

    Since the Windows Vista Security Guide.msi and its included GPOAccelerator Tool are no longer made available, how do you go about exposing MSS Settings in the GPMC now??

  6. WAEPride says:

    @ Tom Rogers – Tom I was looking at the same issue and came across your post.  Researching more I found the Microsoft Security Compliance Manager

    technet.microsoft.com/…/cc514539.aspx

    In the help section I found the below statement, which I needed to import the missing MSS GPO's, which I have not done…yet, but will be focusing on today.

    Updating the Security Configuration Editor User Interface

    The solution presented in this guidance uses GPO settings that do not display in the standard user interface (UI) for the GPMC or the Security Configuration Editor (SCE) tool. These settings, which are all prefixed with MSS:, were developed by the Microsoft Solutions for Security group for previous security guidance.

    For this reason, you need to extend these tools so that you can view the security settings and edit them as required. To accomplish this, the LPT automatically updates your computer while it creates the GPOs. Use the following procedure to update the SCE on the computers where you plan to manage the GPOs created with the SCM tool.

    I hope this helps you.  I still need to read and learn the program.

    Bill

  7. Trolly says:

    I’m with USDA and I can’t control my web browser history since we went to Internet Explorer 8. I was told by our computer help desk staff that this is an FDCC requirement, but I have seen nothing in the guidelines about it. Does anyone know if this is true?

    [Aaron Margosis] Your help desk staff is correct. FDCC (now rebranding as USGCB) mandates that your browsing history be available for 40 days. The stated justification is "To retain browsing history data for forensics or investigations."

  8. Yemi Ray says:

    I couldn't even install the Security Compliance Manager on my Windows XP SP3 computer. I keep getting an "Object reference not set to an instance of an object" error… Has anyone encountered this problem and had it fixed?