MSS : Enable Safe DLL search mode

    Question

  • Hello,

    I want to apply the "Enable Safe DLL search mode" policy on my Windows Server 2012 R2. I want to apply this policy through ADMX and ADML. Can anyone provide me the script for that?

    Actually I tried the following one, but I don't know whether it's right or wrong.


    Setting / Description / Recommended value

    MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)
        Description: Defines whether a user with physical access to a computer is able to automatically log on.
        Recommended value: Disabled

    MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)
        Description: Determines if Windows will accept source routed packets.
        0 – Accepts and forwards
        1 – Accept but do not forward
        2 – Do not accept
        Recommended value: 2

    MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes
        Description: Allows ICMP redirects to overwrite OSPF generated routes.
        Recommended value: Disabled

    MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds
        Description: Defines how often, in milliseconds, TCP attempts to send a keep-alive packet to verify that an idle connection is still intact.
        Recommended value: No recommendation

    MSS: (NoDefaultExempt) Configure IPsec exemptions for various types of network traffic
        Description: Defines which traffic is allowed to reach the machine outside IPsec.
        0 – Multicast, Broadcast, RSVP, Kerberos and IKE (ISAKMP) are exempt from IPsec filtering
        1 – Kerberos and RSVP are not exempt, but Multicast, Broadcast and IKE are exempt from IPsec filtering
        2 – Multicast and Broadcast are not exempt, but RSVP, Kerberos and IKE traffic are exempt from IPsec filtering
        3 – Only IKE traffic is exempt from IPsec filtering
        Recommended value: 3

    MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers
        Description: Defines whether a computer disregards NetBIOS name release requests except those from a WINS server in the SCE.
        Recommended value: Enabled

    MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames (recommended)
        Description: Defines whether a computer can stop generating 8.3 style file names:
        0 – NTFS creates short file names.
        1 – Disable NTFS short file name creation on all volumes.
        2 – NTFS sets the 8.3 naming convention creation on a per volume basis.
        3 – NTFS disables 8dot3 name creation on all volumes except the system volume.
        Recommended value: 1

    MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)
        Description: Defines whether Internet Router Discovery Protocol (IRDP) is used to automatically detect and configure default gateway addresses:
        0 – Disabled
        1 – Enabled
        2 – Enable only if DHCP server sends the Perform Router Discovery Option
        Recommended value: 0

    MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)
        Description: Defines whether an application is forced to begin its DLL search in the system path before searching the current working folder.
        Recommended value: Enabled

    MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)
        Description: Defines how many seconds pass between when the screen saver is launched and when the computer console is actually locked.
        Recommended value: 0

    MSS: (TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)
        Description: Defines the number of times that TCP retransmits an individual data segment before the connection is aborted.
        Recommended value: 3

    MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning
        Description: Defines whether an entry is added to the Security event log when the log reaches a user-defined threshold.
        Recommended value: <=90%

    MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)
        Description: Determines if Windows will accept source routed packets.
        0 – Accepts and forwards
        1 – Accept but do not forward
        2 – Do not accept
        Recommended value: 2

    MSS: (TCPMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)
        Description: Defines the number of times that TCP retransmits an individual data segment before the connection is aborted.
        Recommended value: 3

    Thanks

    Sunday, October 16, 2016 5:51 PM

Answers

All replies

  • https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/

    Don [doesn't work for MSFT, and they're probably glad about that ;]

    • Marked as answer by vijay a singh Sunday, October 16, 2016 11:01 PM
    Sunday, October 16, 2016 8:20 PM
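The MSS entries in the question are not native Group Policy settings; they are registry values that the Security Compliance Manager / the MSS-legacy ADMX from the post linked above write on the client. The following is an added example (not code from this thread and not Microsoft's ADMX) that audits those same registry values against the recommended column of the table and, with -Apply, sets them directly. The registry locations are the documented MSS mappings; the function names (Test-MssSetting, Invoke-MssAudit) are this example's own. KeepAliveTime has no recommendation in the table, so it is reported but never changed.

```powershell
<#
Added example: audit, and optionally apply, the registry values behind the MSS
settings from the table in the question. Run elevated; some TCP/IP parameters
only take effect after a reboot. Verify the paths against the ADMX you deploy.
#>
$MssSettings = @(
    @{ Name='AutoAdminLogon';               Path='HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Type='String'; Expected='0' }
    @{ Name='DisableIPSourceRouting';       Path='HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';    Type='DWord';  Expected=2 }
    @{ Name='DisableIPSourceRouting';       Path='HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters';   Type='DWord';  Expected=2 }
    @{ Name='EnableICMPRedirect';           Path='HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';    Type='DWord';  Expected=0 }
    @{ Name='KeepAliveTime';                Path='HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';    Type='DWord';  Expected=$null }  # report only
    @{ Name='NoDefaultExempt';              Path='HKLM:\SYSTEM\CurrentControlSet\Services\IPSEC';               Type='DWord';  Expected=3 }
    @{ Name='NoNameReleaseOnDemand';        Path='HKLM:\SYSTEM\CurrentControlSet\Services\Netbt\Parameters';    Type='DWord';  Expected=1 }
    @{ Name='NtfsDisable8dot3NameCreation'; Path='HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem';           Type='DWord';  Expected=1 }
    @{ Name='PerformRouterDiscovery';       Path='HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';    Type='DWord';  Expected=0 }
    @{ Name='SafeDllSearchMode';            Path='HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager';      Type='DWord';  Expected=1 }
    @{ Name='ScreenSaverGracePeriod';       Path='HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Type='String'; Expected='0' }
    @{ Name='TcpMaxDataRetransmissions';    Path='HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';    Type='DWord';  Expected=3 }
    @{ Name='TcpMaxDataRetransmissions';    Path='HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters';   Type='DWord';  Expected=3 }
    @{ Name='WarningLevel';                 Path='HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\Security';   Type='DWord';  Expected=90 }
)

function Test-MssSetting {
    param([hashtable] $Setting, [switch] $Apply)

    # Read the current value; a missing key or value is reported as $null.
    $current = $null
    if (Test-Path $Setting.Path) {
        $current = (Get-ItemProperty -Path $Setting.Path -Name $Setting.Name -ErrorAction SilentlyContinue).($Setting.Name)
    }

    # WarningLevel is "<= 90%" in the table; every other setting is an exact match.
    $compliant = $null
    if ($null -ne $Setting.Expected) {
        $compliant = if ($Setting.Name -eq 'WarningLevel') { ($null -ne $current) -and ($current -le 90) }
                     else { "$current" -eq "$($Setting.Expected)" }
    }

    # Only write when asked to and when the value is actually wrong or absent.
    if ($Apply -and $compliant -eq $false) {
        if (-not (Test-Path $Setting.Path)) { New-Item -Path $Setting.Path -Force | Out-Null }
        New-ItemProperty -Path $Setting.Path -Name $Setting.Name -Value $Setting.Expected `
                         -PropertyType $Setting.Type -Force | Out-Null
        $current = $Setting.Expected
        $compliant = $true
    }

    [pscustomobject]@{ Setting = $Setting.Name; Key = $Setting.Path; Current = $current
                       Expected = $Setting.Expected; Compliant = $compliant }
}

function Invoke-MssAudit {
    param([switch] $Apply)
    $MssSettings | ForEach-Object { Test-MssSetting -Setting $_ -Apply:$Apply }
}

# Audit only (safe to run anywhere):
Invoke-MssAudit | Format-Table -AutoSize
# Apply the recommended values (elevated prompt, then reboot for the Tcpip ones):
# Invoke-MssAudit -Apply | Format-Table -AutoSize
```

Writing the values directly is equivalent to what the MSS ADMX does once the GPO applies, but it bypasses Group Policy's own reporting, so keep the ADMX route for managed machines and use a script like this for auditing or for hosts that do not receive the policy.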
  • Thanks a Lot Bossss
    Sunday, October 16, 2016 11:01 PM
  • Can you please tell me the functionality of these rules, i.e. what activity should I do to check this rule?

    Sunday, October 16, 2016 11:07 PM
  • Some are referenced here: https://technet.microsoft.com/en-us/library/cc766102(v=ws.10).aspx

    There were previously other references in the TechNet Library, but from memory they have been archived because they are Windows 2000/older.

    These settings are no longer considered very useful for security/protection purposes...


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Monday, October 17, 2016 7:45 AM
  • These articles are also relevant to the topic of SafeDllSearchMode:

    https://technet.microsoft.com/en-us/library/security/2269637.aspx

    https://msdn.microsoft.com/library/ff919712

    https://msdn.microsoft.com/en-au/library/ms682586


    Don [doesn't work for MSFT, and they're probably glad about that ;]


    • Edited by DonPick Monday, October 17, 2016 7:58 PM
    Monday, October 17, 2016 7:57 PM
  • Hello,

    According to the rule "Enable Safe DLL search mode", after enabling the policy the

    system searches the directories in the following order:

    1. The directory from which the application loaded.
    2. System directory (C:\Windows\System32).
    3. The 16-bit system directory (C:\Windows\System).
    4. The Windows directory (C:\Windows).
    5. The Current Directory.
    6. Directories that are listed in the PATH variables.

    I deleted some DLLs from the application directory and after that searched for that DLL in C:\Windows\System32 also, but I did not find any DLL there.

    When I tried to start that application, it's working fine. Can anyone tell me from where it's picking that DLL?

    Thanks

     

    Wednesday, October 19, 2016 3:59 PM
  • You can use Process Monitor to diagnose this.

    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Wednesday, October 19, 2016 8:53 PM
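Process Monitor shows the answer dynamically. As an added example (not code from this thread), the script below models the same directory walk statically: it reads SafeDllSearchMode from the registry, builds the search order the post above lists (current directory after the Windows directories when the setting is on, second when it is off), and reports every copy of a DLL name found along that order, the first being the one LoadLibrary would pick. Names listed under KnownDLLs are mapped from the system directory without any search, so they are flagged instead. The application and current directories are parameters, and the paths in the usage lines at the end are hypothetical.

```powershell
<#
Added example: static model of the DLL search order on this machine. Things the
loader settles before touching disk (a module of the same name already loaded,
API-set names, manifest/SxS redirection) are out of scope; KnownDLLs is flagged.
#>
function Get-DllSearchOrder {
    param(
        [Parameter(Mandatory)] [string] $AppDir,
        [string] $CurrentDir = (Get-Location).Path,
        [switch] $Wow64        # set for a 32-bit process on 64-bit Windows
    )
    $sm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $v = (Get-ItemProperty -Path $sm -Name SafeDllSearchMode -ErrorAction SilentlyContinue).SafeDllSearchMode
    $safe = ($null -eq $v) -or ($v -ne 0)      # absent value = enabled (the default since XP SP2)

    # File system redirection sends 32-bit processes to SysWOW64 instead of System32.
    $systemDir = if ($Wow64) { "$env:SystemRoot\SysWOW64" } else { "$env:SystemRoot\System32" }

    $order = @($AppDir)
    if (-not $safe) { $order += $CurrentDir }   # legacy order: current directory is searched second
    $order += $systemDir
    $order += "$env:SystemRoot\System"
    $order += $env:SystemRoot
    if ($safe) { $order += $CurrentDir }        # safe order: current directory after the Windows directories
    $order += @($env:Path -split ';' | Where-Object { $_ } | ForEach-Object { $_.Trim('"') })

    [pscustomobject]@{ SafeDllSearchMode = $safe; SystemDirectory = $systemDir; Order = $order }
}

function Resolve-DllCandidate {
    param(
        [Parameter(Mandatory)] [string] $DllName,
        [Parameter(Mandatory)] [string] $AppDir,
        [string] $CurrentDir = (Get-Location).Path,
        [switch] $Wow64
    )
    $so = Get-DllSearchOrder -AppDir $AppDir -CurrentDir $CurrentDir -Wow64:$Wow64

    # KnownDLLs come from the system directory; no directory search happens for them.
    $knownKey   = Get-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs'
    $knownNames = $knownKey.GetValueNames() | ForEach-Object { $knownKey.GetValue($_) }
    $isKnown    = $knownNames -contains $DllName

    # Walk the order and keep every copy; copies after the first are shadowed
    # (and are exactly what a hijacking review wants to see).
    $copies = @(foreach ($dir in $so.Order) {
        $candidate = Join-Path $dir $DllName
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { $candidate }
    })

    [pscustomobject]@{
        DllName           = $DllName
        SafeDllSearchMode = $so.SafeDllSearchMode
        KnownDll          = $isKnown
        ResolvedFrom      = if ($isKnown) { Join-Path $so.SystemDirectory $DllName }
                            elseif ($copies.Count -gt 0) { $copies[0] } else { $null }
        ShadowedCopies    = if ($copies.Count -gt 1) { $copies[1..($copies.Count - 1)] } else { @() }
    }
}

# Hypothetical usage: which copy of helper.dll would C:\Apps\MyApp\MyApp.exe load
# if it was started from a Downloads folder as its current directory?
# Resolve-DllCandidate -DllName 'helper.dll' -AppDir 'C:\Apps\MyApp' -CurrentDir 'C:\Users\Public\Downloads'
```

A $null ResolvedFrom with KnownDll false means no copy sits anywhere on the modelled path; the name is then satisfied before the disk search (already loaded, API set, manifest redirection) or the load fails, and a Process Monitor trace filtered on Path ends with the DLL name shows which. A non-empty ShadowedCopies list is the case to look at from a security angle: with SafeDllSearchMode off, a copy in the current directory wins over the one in System32.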