Tuesday, November 4, 2014

IT: More Local Security Settings in Group Policy

I am working for a customer that wanted me to set up a baseline group policy for their new workstations.  One of the settings they asked for was to disable IP source routing.  There is no out-of-the-box knob to control this with Group Policy.

I was ready to write an .ADMX for it, but I stumbled across another solution.  If you install Microsoft's Security Compliance Manager, there is an MSI that contains a script to add this (and other) settings.

So first download SCM from http://technet.microsoft.com/en-us/library/cc677002.aspx.  I installed version 3.0, not the new Windows 2012 Beta.  Next, install it.  I received an installer warning related to the version of SQL included.  Despite the warning, it installed successfully on a Windows 8.1 VM with no issues.

Once installed, you can find the .MSI for the script that installs the new settings in
c:\Program Files (x86)\Microsoft Security Compliance Manager\LGPO\LGPO.msi.

Install this MSI package on the machine you use for GPO management.  SCM is not required on that machine.  Once installed, the final step is to run the VBScript.  Open an administrative command prompt and run these commands.

cd c:\Program Files (x86)\LocalGPO
cscript LocalGPO.wsf /ConfigSCE


That is it.  The new settings are installed.  I do not love this solution, as it creates something else that has to be installed.  In my humble opinion, an ADMX file would be a better solution.  On the other hand, it matches the customer's request perfectly and is supported; I'm going with it.

Once installed, you have a couple of dozen shiny new settings in GPMC.  All of these MSS settings are new.
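
To confirm on a workstation that the source routing setting from the baseline actually landed, the following added example (not part of the original post or of SCM) reads the registry values behind it. It assumes the MSS settings write a DisableIPSourceRouting DWORD under the Tcpip and Tcpip6 Parameters keys and that the baseline requires the value 2; the function name is hypothetical.

```powershell
# Added example: audit the registry values behind the MSS
# "DisableIPSourceRouting" settings after Group Policy has applied.
# Assumptions (not from the post): value name and key paths below;
#   0 = source-routed packets allowed
#   1 = ignored when IP forwarding is enabled
#   2 = source routing completely disabled (assumed baseline requirement)

function Test-SourceRoutingBaseline {
    param(
        [int]$Required = 2   # assumed baseline value
    )

    $targets = [ordered]@{
        'IPv4' = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
        'IPv6' = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
    }

    foreach ($stack in $targets.Keys) {
        # A missing value means the policy never wrote it; treat that separately
        # from a value that is present but weaker than the baseline.
        $item  = Get-ItemProperty -Path $targets[$stack] -Name 'DisableIPSourceRouting' -ErrorAction SilentlyContinue
        $value = if ($item) { $item.DisableIPSourceRouting } else { $null }

        if ($null -eq $value)         { $state = 'NotConfigured' }
        elseif ($value -eq $Required) { $state = 'Compliant' }
        else                          { $state = 'NonCompliant' }

        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Stack    = $stack
            Value    = $value
            Required = $Required
            State    = $state
        }
    }
}

$results = Test-SourceRoutingBaseline
$results | Format-Table -AutoSize

# Non-zero exit code lets a deployment or monitoring job flag the machine.
if ($results | Where-Object { $_.State -ne 'Compliant' }) { exit 1 }
```

Run it after the GPO has been applied to the workstation (for example, following gpupdate /force).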


HTH.
