I'm currently working on a new Windows Server 2012 and Windows 8 project. Part of that project is to implement new standardised security policies for both Windows Server 2012 and Windows 8, much like the Server 2008 and Windows 7 policies we use. These are based on the CIS Security Benchmarks from http://www.cisecurity.org/

While creating the group policy objects (GPOs) from these CIS benchmarks, I came across a problem: a bunch of settings were missing from my Group Policy Management console on Windows Server 2012. Specifically, these settings were within:

Computer Configuration --> Windows Settings --> Security Settings --> Local Policies --> Security Options --> MSS:

These settings are items such as TcpMaxDataRetransmissions and EnableICMPRedirect which I need to set.

Then followed a number of wasted hours trying to figure out how to get these MSS settings to appear so I could configure my GPO as required to comply with the CIS Benchmarks.

After much time wasted (thanks Microsoft for removing these settings) I found the following is the best way to get the MSS settings to appear in the group policy management console editor.

1.  Download the Microsoft Security Compliance Manager and install it in a Windows Server 2008 R2 VM you can throw away.

http://technet.microsoft.com/en-gb/library/cc677002.aspx

I tried Windows Server 2012 and the installer kept crashing, well done again Microsoft!

The reason I used a throwaway VM was because it installs SQL and a bunch of stuff I don't want.

We are after a specific MSI that we can get once SCM is installed - that's all!

2. After SCM is installed, copy the following MSI to your management station with GPMC where you are editing your GPOs.

C:\Program Files (x86)\Microsoft Security Compliance Manager\LGPO\LocalGPO.msi

3. Install the LocalGPO.msi on your management station with GPMC where you are editing your GPOs.

4. Run the LocalGPO command prompt as an administrator (search the 2012 start menu tiles - type "local")

5. Using LocalGPO, configure Security Configuration Editor (SCE) to display MSS settings.

C:\Program Files (x86)\LocalGPO>cscript LocalGPO.wsf /ConfigSCE

Microsoft (R) Windows Script Host Version 5.8

Copyright (C) Microsoft Corporation. All rights reserved.

Modifying the Security Configuration Editor to the include MSS settings...

Updating the registry

89 subkeys found.

Subkeys deleted successfull

Subkeys added successfully

Registering SceCli.dll to complete SCE modification

The Security Configuration Editor is updated.

Security Configuration Editor has been modified successfully!

The Security Configuration Editor is updated.

6. And there you have it! The MSS settings are back without having to install SQL and SCM on your domain controller or anything else.

Note: Keep the LocalGPO.msi handy so you can install it on any server and edit the MSS settings with GPMC.

You can also now delete the VM you created to install SCM as we no longer need it.
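One way to confirm that step 5 took effect before you reopen the GPO editor, as an added example that is not part of the original article. It assumes the Security Configuration Editor builds its Security Options list from the subkeys of `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SecEdit\Reg Values`, and that the two settings named above live under `Tcpip\Parameters`; run it from an elevated 64-bit PowerShell session.

```powershell
# Added example (not from the original article): check that
# "cscript LocalGPO.wsf /ConfigSCE" registered the MSS entries with the
# Security Configuration Editor, then read the live values on this host.

# Assumption: SCE lists Security Options from the subkeys of this key.
$scePath = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\SecEdit\Reg Values'

# The two MSS settings named in the article; both live under Tcpip\Parameters.
$tcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$mssValues   = 'EnableICMPRedirect', 'TcpMaxDataRetransmissions'

# Use the .NET registry API: the subkey names contain forward slashes
# (MACHINE/System/CurrentControlSet/...), which the PowerShell registry
# provider would otherwise treat as path separators.
$sce = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($scePath)
if ($null -eq $sce) {
    throw "SCE registry key not found: HKLM\$scePath"
}

$registered = $sce.GetSubKeyNames()
Write-Host ("{0} SCE subkeys registered" -f $registered.Count)

$report = foreach ($name in $mssValues) {
    # -like is case-insensitive; the pattern does not match Tcpip6 entries.
    $sub = $registered |
        Where-Object { $_ -like "*/Tcpip/Parameters/$name" } |
        Select-Object -First 1

    $display = $null
    if ($sub) {
        $display = $sce.OpenSubKey($sub).GetValue('DisplayName')
    }

    # Live value on this machine; absent until a GPO or admin sets it.
    $live = (Get-ItemProperty -LiteralPath $tcpipParams -Name $name `
                 -ErrorAction SilentlyContinue).$name

    [pscustomobject]@{
        Setting       = $name
        ShownInEditor = [bool]$sub
        DisplayName   = $display
        LiveValue     = $(if ($null -eq $live) { '<not set>' } else { $live })
    }
}
$sce.Close()

$report | Format-Table -AutoSize
```

`ShownInEditor` should be `True` for both settings on the management station after step 5; on a target server, `LiveValue` shows whether the GPO has actually applied the value.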

Hope that saved you some time and you came across this article first. It took me a few wasted hours to figure it out and write the above procedure.

referer:https://www.vmadmin.co.uk/microsoft/43-winserver2008/348-server2012mssgposettings
