Archive for March, 2011

Security GPOs provide a number of ‘hidden’ settings that all start with the ‘MSS’ prefix. These settings are referenced in the NIST FDCC guidelines for group policy as well as many other locations. The settings would all normally be found under Computer Configuration\Windows Settings\Security Settings\Local Policy\Security Options. However, the settings are not readily visible or available within a GPO.

If you search for instructions on enabling the settings, you will find the following instructions:

  1. Download and install the Windows 7 Security Compliance Management Toolkit. (http://www.microsoft.com/downloads/details.aspx?FamilyID=5534bee1-3cad-4bf0-b92b-a8e545573a3e&displaylang=en)
  2. Log on to the computer as an administrator.
  3. On the desktop, click the Start button, click All Programs, and click Microsoft Security Compliance Manager and then Local GPO.
  4. On the desktop, click the Start button, click All Programs, and click LocalGPO
  5. Right-click the LocalGPO command-line file, and then click Run as administrator to open a command prompt with full administrative privileges.
  6. At the command prompt, type cscript LocalGPO.wsf /ConfigSCE and then press ENTER.
  7. In the Click Yes to continue, or No to exit the script message box, click Yes.
  8. In The Security Configuration Editor is updated message box, click OK.

These instructions will do the trick but they always frustrate me because the installation of the Security Compliance Management Toolkit is quite large and includes the installation of SQL Express. It seems that a simple task like viewing important GPO settings doesn’t need this full package to be installed on each GPO management console.

Well, it turns out that it doesn’t. With a little manipulation, you can install only the required pieces. Just follow this procedure:

  1. Download the toolkit and start the installation but don’t click any buttons when the wizard starts.
  2. Navigate to the root of your C drive and look for the temporary directory created by the installation. The directory name will be a long hex string.
  3. Open the directory and extract the contents of the data.cab file using any decompression tool.
  4. Find the extracted file GPOMSI and rename it to LocalGPO.MSI.
  5. Run LocalGPO.MSI and complete the installation.
  6. Cancel the original installation of the toolkit.
  7. Continue with step 4 in the instructions above.

Nice, quick and simple and you can keep the LocalGPO.Msi file for installation on other systems.

Advertisements