
The system must be configured to disable dead gateway detection.


Overview

Finding ID: V-4109
Version: 3.093
Rule ID: SV-29607r2_rule
IA Controls: ECSC-1
Severity: Low
Description
Dead gateway detection allows switching to a backup gateway if a number of connections to the current gateway are experiencing difficulty. If it is enabled, an attacker could force internal traffic to be directed to a gateway outside the network. This setting applies to all network adapters, regardless of their individual settings.
STIG: Windows 2003 Domain Controller Security Technical Implementation Guide
Date: 2014-06-27

Details

Check Text (C-51791r3_chk)
Analyze the system using the Security Configuration and Analysis snap-in.
Expand the Security Configuration and Analysis tree view.
Navigate to Local Policies -> Security Options.

If the value for "MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)" is not set to "Disabled", this is a finding.

The policy referenced configures the following registry value:

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Services\Tcpip\Parameters\

Value Name: EnableDeadGWDetect

Value Type: REG_DWORD
Value: 0
Fix Text (F-53579r2_fix)
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)" to "Disabled".
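The following PowerShell script is an added example, not part of the STIG text or the UCF viewer. It performs the check above by reading the registry value the policy configures, reports a finding when the value is absent or not 0, and with the assumed -Remediate switch writes the REG_DWORD value the Fix Text describes. It assumes it is run elevated on the host being assessed; the parameter name and the report strings are this script's own.

```powershell
# Added example (not from the STIG): check and optionally fix V-4109 by
# reading/writing the registry value the MSS policy configures.
# Assumes an elevated PowerShell session on the assessed host.
[CmdletBinding()]
param(
    [switch]$Remediate   # assumed switch: set the value instead of only reporting
)

$Path      = 'HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters'
$ValueName = 'EnableDeadGWDetect'
$Expected  = 0   # 0 corresponds to "Disabled" in the check text

# Read the value; with SilentlyContinue an absent value yields $null.
$item    = Get-ItemProperty -Path $Path -Name $ValueName -ErrorAction SilentlyContinue
$current = if ($null -ne $item) { $item.$ValueName } else { $null }

# The check requires the setting to be explicitly "Disabled". A missing value
# means the policy has not been applied, so it is reported as a finding too.
if ($null -eq $current) {
    Write-Output "V-4109: $ValueName is not present under $Path - FINDING"
    $isFinding = $true
} elseif ([int]$current -ne $Expected) {
    Write-Output "V-4109: $ValueName = $current (expected $Expected) - FINDING"
    $isFinding = $true
} else {
    Write-Output "V-4109: $ValueName = $current - compliant"
    $isFinding = $false
}

if ($isFinding -and $Remediate) {
    # Same registry result as setting the MSS policy to "Disabled": REG_DWORD 0.
    Set-ItemProperty -Path $Path -Name $ValueName -Value $Expected -Type DWord
    Write-Output "V-4109: $ValueName set to $Expected (Tcpip parameters are read at service start; plan a restart)"
}
```

On a domain member, prefer the Group Policy route in the Fix Text: a GPO that sets this MSS value will reapply over a direct registry change, and the script's remediation is only a stopgap until policy is corrected. Note also that the "MSS:" entries appear under Security Options only after the MSS legacy settings template has been added to the system, which is why the check reads the underlying registry value directly.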