The system is configured to allow dead gateway detection.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-4109	3.093	SV-29607r1_rule	ECSC-1	Low

Description
Allows TCP to peform dead-gateway detection, switching to a backup gateway if a number of connections to a gateway are experiencing difficulty. If enabled, an attacker could force internal traffic to be directed to a gateway outside the network. This setting applies to all network adapters, regardless of their individual settings.

STIG	Date
Windows 2003 Domain Controller Security Technical Implementation Guide	2013-10-01

Details

Check Text ( C-278r1_chk )
Analyze the system using the Security Configuration and Analysis snap-in. Expand the Security Configuration and Analysis tree view. Navigate to Local Policies -> Security Options. If the value for “MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)” is not set to “Disabled”, then this is a finding. The policy referenced configures the following registry value. Registry Path: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\ Value Name: EnableDeadGWDetect Value Type: REG_DWORD Value: 0

Check Text ( C-278r1_chk )

Analyze the system using the Security Configuration and Analysis snap-in. Expand the Security Configuration and Analysis tree view.

Navigate to Local Policies -> Security Options. If the value for “MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)” is not set to “Disabled”, then this is a finding.

The policy referenced configures the following registry value.

Registry Path: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\ Value Name: EnableDeadGWDetect
Value Type: REG_DWORD
Value: 0

Fix Text (F-5712r1_fix)
Configure the system to disable dead gateway detection.