The MSS settings

Published Jun 18 2019 01:15 PM
First published on TechNet on Oct 02, 2016
You can download the custom Administrative Template for the "MSS (Legacy)" settings here: MSS-legacy (https://msdnshared.blob.core.windows.net/media/2016/10/MSS-legacy.zip). Note that it is available only for "en-us" (US English).

Explanation:

Many years ago, before the advent of Trustworthy Computing, some Microsoft security experts identified about 20 Windows registry values (many or perhaps all of which were undocumented at the time) that could be tweaked for what was then perceived to be significant security gain. For manageability, they developed a script that added these entries to the local security settings editor with descriptive names prefixed with "MSS:", as seen in the screenshot below. [Historical note: I believe they landed there because these tweaks predated Windows 2000, Group Policy, and Administrative Templates.]

[Screenshot: MSS settings in Security Options]

Many of the settings remained part of our security configuration guidance until our "reset" with the Windows 10 recommendations (https://blogs.technet.microsoft.com/secguide/2015/11/18/changes-from-the-windows-8-1-baseline-to-the-windows-10-th11507-baseline/). As part of the reset, we also created a custom ADMX and ADML and moved the settings from the Security Options section of the policy editor to Administrative Templates, as shown in this screenshot:

[Screenshot: MSS Settings in Administrative Templates]

We did this because adding the settings to Security Options relied on a technique that is no longer supportable. The script that had added them to the security editor did so in part by modifying %windir%\inf\sceregvl.inf, a text file. With the introduction of service identities in Windows Vista and Windows Server 2008, Windows configured many OS-owned resources as read-only to everyone except the TrustedInstaller service. When a resource is configured this way, Windows is explicit that modifying it is unsupported, even for an administrator. Sceregvl.inf is one of those resources, so the script was updated to take ownership of the file and change its permissions so that it could edit the content.

The new custom ADMX and ADML files reference the same registry settings as the older script, but in a supportable manner: they describe the settings to the policy editor instead of modifying a protected OS file. We have included these files in the download packages with our Windows 10 and Windows Server 2016 baselines, and offer them here separately for your convenience. Note that our baselines no longer include recommendations to configure many of the MSS settings we had recommended in the past, as they have no security value against contemporary threats. The few that are still configured in our baseline have limited benefit at most.
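Two things a practitioner is likely to want after reading the above: a check for whether the old, unsupported script has already been run on a machine (it had to take ownership of sceregvl.inf, grant itself write access and append "MSS:" entries, and none of that is visible from the policy editor), and a way to deploy the ADMX/ADML into a PolicyDefinitions store the supportable way. The PowerShell below is an added example, not code from the original post or from the MSS-legacy download. It assumes the zip has already been extracted to a folder and contains one .admx plus one en-US .adml; the file names inside the zip are not stated on this page, so the code discovers them by extension.

```powershell
# Added example, not from the original post or the MSS-legacy package.
# Assumes MSS-legacy.zip was extracted to the folder passed as -ExtractedZip.

function Test-SceregvlTampering {
    [CmdletBinding()]
    param(
        [string]$Path = (Join-Path $env:windir 'inf\sceregvl.inf')
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "Not found: $Path" }

    $acl = Get-Acl -LiteralPath $Path
    $trustedInstaller = 'NT SERVICE\TrustedInstaller'

    # Rights that let a principal change the file or its security descriptor.
    # On a clean system only TrustedInstaller holds any of these; everyone
    # else (Administrators included) is limited to read/execute.
    $writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
    $extraWriters = @(
        $acl.Access |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                ([int]($_.FileSystemRights -band $writeMask) -ne 0) -and
                $_.IdentityReference.Value -ne $trustedInstaller
            } |
            ForEach-Object { $_.IdentityReference.Value }
    )

    # The legacy script appended entries whose display names start with "MSS:".
    $mssEntries = @(Select-String -LiteralPath $Path -Pattern 'MSS:' -SimpleMatch)

    [pscustomobject]@{
        Path             = $Path
        Owner            = $acl.Owner
        ExtraWriters     = $extraWriters
        MssEntryCount    = $mssEntries.Count
        # Any one of these is enough to conclude the unsupported script was used.
        LegacyScriptSeen = ($acl.Owner -ne $trustedInstaller) -or
                           ($extraWriters.Count -gt 0) -or
                           ($mssEntries.Count -gt 0)
    }
}

function Install-MssLegacyTemplate {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ExtractedZip,
        # Local store by default. For domain GPOs point this at the central store:
        # \\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions
        [string]$PolicyStore = (Join-Path $env:windir 'PolicyDefinitions'),
        [string]$Culture = 'en-US'   # the download ships only a US-English ADML
    )
    $admx = @(Get-ChildItem -LiteralPath $ExtractedZip -Filter *.admx -Recurse -File)
    $adml = @(Get-ChildItem -LiteralPath $ExtractedZip -Filter *.adml -Recurse -File)
    if ($admx.Count -eq 0 -or $adml.Count -eq 0) {
        throw "No .admx/.adml pair found under $ExtractedZip"
    }

    # Sanity-check before copying: the template must parse as XML and define
    # at least one policy (ADMX root is <policyDefinitions>/<policies>/<policy>).
    $policyCount = 0
    foreach ($f in $admx) {
        $xml = [xml](Get-Content -LiteralPath $f.FullName -Raw)
        $policyCount += @($xml.policyDefinitions.policies.policy).Count
    }
    if ($policyCount -eq 0) { throw 'ADMX parsed but defines no policies' }

    # ADMX goes in the store root, ADML in the culture subfolder.
    $langDir = Join-Path $PolicyStore $Culture
    if ($PSCmdlet.ShouldProcess($PolicyStore, "install $($admx.Count) ADMX and $($adml.Count) ADML")) {
        New-Item -ItemType Directory -Path $langDir -Force | Out-Null
        $admx | Copy-Item -Destination $PolicyStore -Force
        $adml | Copy-Item -Destination $langDir -Force
    }
    [pscustomobject]@{
        PolicyStore = $PolicyStore
        AdmxFiles   = $admx.Name
        AdmlFiles   = $adml.Name
        PolicyCount = $policyCount
    }
}

# Usage (elevated prompt):
#   Test-SceregvlTampering | Format-List
#   Expand-Archive .\MSS-legacy.zip -DestinationPath .\MSS-legacy
#   Install-MssLegacyTemplate -ExtractedZip .\MSS-legacy -WhatIf
```

A LegacyScriptSeen result of True is a finding in its own right: the machine carries an unsupported modification to a TrustedInstaller-protected file, and the MSS entries in its Security Options come from that edit rather than from the template. Installing the ADMX into the local PolicyDefinitions folder only affects editing of local policy on that machine; a domain with a central store needs the files copied there so every editing console sees the same template.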
3 Comments

Occasional Contributor:
Thanks for this link, life saver!

Occasional Visitor:
Do you have a working link for the downloads?
Thank you.

Occasional Visitor:
The ADMX download seems to have been removed from Microsoft's servers, but was captured by Archive.org:

https://web.archive.org/web/20200723045549/https://msdnshared.blob.core.windows.net/media/2016/10/MSS-legacy.zip
