Title

The system must be configured to disable dead gateway detection. (Cat III impact)

Discussion

Dead gateway detection allows switching to a backup gateway if a number of connections to a gateway are experiencing difficulty. An attacker could force internal traffic to be directed to a gateway outside the network if enabled. This setting applies to all network adapters, regardless of their individual settings.

Check Content

Analyze the system using the Security Configuration and Analysis snap-in. Expand the Security Configuration and Analysis tree view. Navigate to Local Policies -> Security Options. If the value for "MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)" is not set to "Disabled", this is a finding. The policy referenced configures the following registry value: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\Tcpip\Parameters\ Value Name: EnableDeadGWDetect Value Type: REG_DWORD Value: 0

Fix Text

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)" to "Disabled".

Additional Identifiers

Rule ID: SV-29607r2_rule

Vulnerability ID: V-4109

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.