UCF STIG Viewer Logo

The system must be configured to limit how often keep-alive packets are sent.


Overview

Finding ID Version Rule ID IA Controls Severity
V-4113 WN08-SO-000041 SV-48125r1_rule ECSC-1 Low
Description
This setting controls how often TCP sends a keep-alive packet in attempting to verify that an idle connection is still intact. A higher value could allow an attacker to cause a denial of service with numerous connections.
STIG Date
Windows 8 Security Technical Implementation Guide 2014-01-07

Details

Check Text ( C-44851r1_chk )
Analyze the system using the Security Configuration and Analysis snap-in. (See "Performing Analysis with the Security Configuration and Analysis Snap-in" in the STIG Overview document.)
Expand the Security Configuration and Analysis tree view.
Navigate to Local Policies -> Security Options.

(See "Updating the Windows Security Options File" in the STIG Overview document if MSS settings are not visible in the system's policy tools.)

If the value for "MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds" is not set to "300000 or 5 minutes (recommended)" or less, this is a finding.

The policy referenced configures the following registry value:

Registry Hive: HKEY_LOCAL_MACHINE
Subkey: \System\CurrentControlSet\Services\Tcpip\Parameters\

Value Name: KeepAliveTime

Value Type: REG_DWORD
Value: 300000
Fix Text (F-41262r1_fix)
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds" to "300000 or 5 minutes (recommended)" or less.