The mistery of the missing ‘MSS:’ setting on Windows 2008
The MSS: settings used to be here...
I recently got involved in a project where I defined the Baseline Security settings for windows and Linux. I used the settings provided by the Center for Internet Security (CIS).
We decided on the following approach:
- Based on the CIS templates we created a baseline document specific to our company
- I, in my security role, created a Nessus .audit file, so we could audit compliance to our own baseline with Seccubus
- The windows administrator created GPOs to apply the settings.
When creating in the GPOs we did a strange discovery. In a windows the settings that are normally marked as MSS: in the category Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options do not appear in a domain if its functional level is Windows 2008.
This made us wonder, have these setting become irrelevant ? If this is not the case, how can we still set them, preferably via group policy?
The settings are not irrelevant, as e.g. Peter van Eeckhoutte’s blog points out. Windows 2008 does not forward IPv4 packets that have source routing on them, but it does accept them if the machine is the final destination. However for IPv6 Windows 2008 will forward these packets by default.
So if the settings are not irrelevant, how can we apply them if they are not in the Group Policy Editor? For this purpose we created an .adm file, which can be loaded into the Group Policy editor as a Classic Administrative template. Read more…