Author: Mandy Tidwell, Senior Consultant 

 

As many of you may have noticed, the FDCC Group Policy settings spreadsheet and the FDCC Group Policy Objects (GPOs) downloaded from NIST (http://csrc.nist.gov/fdcc) contain settings that the Group Policy Editor does not display by default. These settings are easy to identify: their names all begin with "MSS:".

Example: MSS: (AutoAdminLogon) Enable Automatic Logon (Not Recommended)

These additional Group Policy settings were developed by the Microsoft Solutions for Security group and are documented in the Windows XP and Windows Vista Security Guides. They are not a new policy mechanism: each MSS setting is an ordinary registry value that the Security Configuration Editor (SCE) has to be told about (through its sceregvl.inf definitions) before it will display the value under Security Options. That is why the editor must be extended before the settings become visible, and why the GPOs themselves apply correctly even on machines whose editor cannot show them.

The Windows XP and Windows Vista Security Guides are available using the following links:

Windows Vista

http://technet.microsoft.com/en-us/bb629420.aspx

 

Windows XP

http://www.microsoft.com/technet/security/prodtech/windowsxp/secwinxp/default.mspx

To expose the MSS settings in the editor, download the Security Guide for your version of Windows and follow the matching steps below:

Windows Vista

To modify the SCE to display MSS settings

1.       Ensure that you have met the following prerequisites:

·         The computer is joined to the Active Directory domain in which you created the GPOs.

·         The Windows Vista Security Guide GPOAccelerator Tool directory is installed.

o   Note You can also simply copy the GPOAccelerator Tool directory from a computer on which you have installed the directory to another computer that you want to use to run the script. The GPOAccelerator Tool folder and subfolders for it must be present on the local computer for the script to run as described in this procedure.

2.       Log on to the computer as an administrator.

3.       On the desktop, click the Windows Vista Start button, click All Programs, and click Windows Vista Security Guide.

4.       Open the GPOAccelerator Tool\Security Group Policy Objects folder.

5.       Right-click the Command-line Here.cmd file, and then click Run as administrator to open a command prompt with full administrative privileges.

6.       At the command prompt, type cscript GPOAccelerator.wsf /ConfigSCE and then press ENTER.

7.       In the Click Yes to continue, or No to exit the script message box, click Yes.

8.       In The Security Configuration Editor is updated message box, click OK.

 

To reset the SCE tool to the default settings in Windows Vista

1.       Log on to the computer as an administrator.

2.       On the desktop, click the Windows Vista Start button, click All Programs, and click Windows Vista Security Guide.

3.       Open the GPOAccelerator Tool\Security Group Policy Objects folder.

4.       Right-click the Command-line Here.cmd file, and then click Run as administrator to open a command prompt with full administrative privileges.

Note If prompted for logon credentials, type your user name and password, and then press ENTER.

5.       At the command prompt, type cscript GPOAccelerator.wsf /ResetSCE and then press ENTER.

6.       In the Click Yes to continue, or No to exit the script message box, click Yes.

Note Completing this procedure reverts the Security Configuration Editor on your computer to the default settings in Windows Vista. Any settings added to the default Security Configuration Editor will be removed. This will only affect the ability to view the settings with the Security Configuration Editor. Configured Group Policy settings remain in place.

7.       In The Security Configuration Editor is updated message box, click OK.

 

Windows XP

To manually update Sceregvl.inf

1.       Use a text editor such as Notepad to open the Values-sceregvl.txt file from the SCE Update folder of the Windows XP Security Guide download.

2.       Open another window in the text editor and then open the %systemroot%\inf\sceregvl.inf file.

3.       Navigate to the bottom of the “[Register Registry Values]” section in the sceregvl.inf file. Copy and paste the text from the Values-sceregvl.txt file, without any page breaks, into this section of the sceregvl.inf file.

4.       Close the Values-sceregvl.txt file and open the Strings-sceregvl.txt file from the SCE Update folder of the download.

5.       Navigate to the bottom of the “[Strings]” section in the sceregvl.inf file. Copy and paste the text from the Strings-sceregvl.txt file, without any page breaks, into this section of the sceregvl.inf file.

6.       Save the sceregvl.inf file and close the text editor.

7.       Open a command prompt and run regsvr32 scecli.dll to re-register the DLL. Re-registering scecli.dll makes SCE re-read sceregvl.inf, so the new entries do not appear in the editor until this step has been completed.
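The following Python script is an added example for the manual procedure above; it is not part of the Windows XP Security Guide download and is not the guide's Update_SCE_with_MSS_Regkeys.vbs script. It does, in code, what steps 3 and 5 describe (append the values file to the end of [Register Registry Values] and the strings file to the end of [Strings]) and then runs the check a practitioner wants before re-registering scecli.dll: every %Name% token used by a value entry must have a matching line in [Strings], the registry type must be one SCE understands, and no registry path may be listed twice. Running it a second time adds nothing, so a half-finished edit can be repaired by re-running rather than by hand. The sceregvl.inf excerpt and the MSS lines embedded in it are constructed samples written in the file's format, not the guide's own text; in practice feed it the guide's Values-sceregvl.txt and Strings-sceregvl.txt and a copy of %systemroot%\inf\sceregvl.inf.

```python
"""Merge MSS entries into sceregvl.inf and sanity-check the result.

Added example for the manual sceregvl.inf procedure. Not part of the
Windows XP Security Guide or its scripts. All sample text below is
constructed in the sceregvl.inf format for an offline demonstration.
"""
import re

VALUES_SECTION = "Register Registry Values"
STRINGS_SECTION = "Strings"
# Registry value types sceregvl.inf accepts in the second field:
# 1=REG_SZ, 2=REG_EXPAND_SZ, 3=REG_BINARY, 4=REG_DWORD, 7=REG_MULTI_SZ
VALID_TYPES = {"1", "2", "3", "4", "7"}
SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
TOKEN_RE = re.compile(r"%([^%]+)%")

# Constructed, heavily abridged stand-in for %systemroot%\inf\sceregvl.inf.
SAMPLE_SCEREGVL_INF = r"""[Version]
signature="$CHICAGO$"

[Register Registry Values]
; Fields: registry path, value type, %display name%, display type, choices
MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects,4,%AuditBaseObjects%,0
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous,4,%RestrictAnonymous%,0

[Strings]
AuditBaseObjects="Audit: Audit the access of global system objects"
RestrictAnonymous="Network access: Do not allow anonymous enumeration of SAM accounts and shares"
"""

# Constructed stand-ins for Values-sceregvl.txt and Strings-sceregvl.txt.
SAMPLE_VALUES_TXT = r"""MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting,4,%DisableIPSourceRouting%,3,0|%DisableIPSourceRouting0%,1|%DisableIPSourceRouting1%,2|%DisableIPSourceRouting2%
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon,4,%AutoAdminLogon%,0
"""
SAMPLE_STRINGS_TXT = r"""DisableIPSourceRouting="MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)"
DisableIPSourceRouting0="No additional protection, source routed packets are allowed"
DisableIPSourceRouting1="Medium, source routed packets ignored when IP forwarding is enabled"
DisableIPSourceRouting2="Highest protection, source routing is completely disabled"
AutoAdminLogon="MSS: (AutoAdminLogon) Enable Automatic Logon (Not Recommended)"
"""


def parse_inf(text):
    """Split INF text into an insertion-ordered {section: [lines]} map.
    Lines before the first [header] are kept under the empty-string key."""
    sections = {"": []}
    current = ""
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        else:
            sections[current].append(line)
    return sections


def render_inf(sections):
    """Inverse of parse_inf: headers and lines back to INF text."""
    out = []
    for name, lines in sections.items():
        if name:
            out.append("[%s]" % name)
        out.extend(lines)
    return "\n".join(out) + "\n"


def _append_unique(section_lines, new_lines):
    """Append new_lines ahead of the section's trailing blank lines, skipping
    lines already present, so repeated runs never duplicate entries."""
    existing = {l.strip() for l in section_lines}
    end = len(section_lines)
    while end > 0 and not section_lines[end - 1].strip():
        end -= 1
    added = 0
    for line in new_lines:
        s = line.strip()
        if not s or s in existing:
            continue
        section_lines.insert(end, line.rstrip())
        existing.add(s)
        end += 1
        added += 1
    return added


def merge_mss(inf_text, values_txt, strings_txt):
    """Return (merged_inf_text, number_of_lines_added), mirroring the manual
    steps: values go to the end of [Register Registry Values], display
    strings to the end of [Strings]."""
    sections = parse_inf(inf_text)
    for name in (VALUES_SECTION, STRINGS_SECTION):
        if name not in sections:
            raise ValueError("sceregvl.inf is missing the [%s] section" % name)
    added = _append_unique(sections[VALUES_SECTION], values_txt.splitlines())
    added += _append_unique(sections[STRINGS_SECTION], strings_txt.splitlines())
    return render_inf(sections), added


def validate(inf_text):
    """Return a list of problems (empty means consistent): malformed entries,
    unknown registry types, duplicate paths, and %tokens% with no [Strings]
    line, which otherwise surface as blank or garbled names in the editor."""
    sections = parse_inf(inf_text)
    strings = set()
    for line in sections.get(STRINGS_SECTION, []):
        s = line.strip()
        if s and not s.startswith(";") and "=" in s:
            strings.add(s.partition("=")[0].strip())
    problems, seen_paths = [], set()
    for line in sections.get(VALUES_SECTION, []):
        s = line.strip()
        if not s or s.startswith(";"):
            continue
        fields = s.split(",")
        if len(fields) < 4:
            problems.append("malformed entry: %s" % s)
            continue
        path, vtype = fields[0].strip(), fields[1].strip()
        if vtype not in VALID_TYPES:
            problems.append("unknown registry type %s for %s" % (vtype, path))
        if path.lower() in seen_paths:
            problems.append("duplicate entry for %s" % path)
        seen_paths.add(path.lower())
        for token in TOKEN_RE.findall(s):
            if token not in strings:
                problems.append("%s references undefined string %%%s%%" % (path, token))
    return problems


if __name__ == "__main__":
    merged, added = merge_mss(SAMPLE_SCEREGVL_INF, SAMPLE_VALUES_TXT, SAMPLE_STRINGS_TXT)
    print("added %d lines; problems: %s" % (added, validate(merged) or "none"))
    # Doing only step 3 and forgetting step 5 leaves dangling tokens:
    half_done, _ = merge_mss(SAMPLE_SCEREGVL_INF, SAMPLE_VALUES_TXT, "")
    for problem in validate(half_done):
        print("  " + problem)
```

Write the merged text over a copy of sceregvl.inf only after validate() returns an empty list, then run regsvr32 scecli.dll as in step 7; the script does not register anything itself. One caveat beyond the XP procedure: on Windows Vista and later, sceregvl.inf is protected by Windows Resource Protection, so a manual edit first requires taking ownership of the file and granting Administrators write access, which is one reason the Vista guide supplies the GPOAccelerator route instead.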

To automatically update sceregvl.inf

1.       The Values-sceregvl.txt, Strings-sceregvl.txt, and Update_SCE_with_MSS_Regkeys.vbs files from the SCE Update folder of the download must all be in the same folder for the script to function.

2.       Execute the Update_SCE_with_MSS_Regkeys.vbs script on the computer you wish to update.

3.       Follow the onscreen prompts.

To reverse the changes made by the Update_SCE_with_MSS_Regkeys.vbs script

1.       Execute the Rollback_SCE_for_MSS_Regkeys.vbs script on the computer you wish to revert.

2.       Follow the onscreen prompts.

After extending the Security Configuration Editor using the steps above, the MSS settings appear in Group Policy Editor under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options; every new entry starts with "MSS:". Keep in mind that this change only affects what the editor on that machine can display: the MSS settings already configured in the FDCC GPOs apply to clients whether or not the workstation used to edit them has been extended.

Final Important Note

Note that although all of the FDCC Group Policy Objects should be imported on a machine running the Group Policy Management Console on either Windows 2000 or Windows Server 2003, the Windows Vista and Internet Explorer 7 Group Policy Objects must be viewed and edited only from a machine running Windows Vista or Windows Server 2008. For more information about this requirement, see:

http://technet2.microsoft.com/WindowsVista/en/library/02633470-396c-4e34-971a-0c5b090dc4fd1033.mspx?mfr=true