Title

The system is configured to allow dead gateway detection. (Cat III impact)

Discussion

Allows TCP to perform dead-gateway detection, switching to a backup gateway if a number of connections to a gateway are experiencing difficulty. If enabled, an attacker could force internal traffic to be directed to a gateway outside the network. This setting applies to all network adapters, regardless of their individual settings.

Check Content

Analyze the system using the Security Configuration and Analysis snap-in. Expand the Security Configuration and Analysis tree view. Navigate to Local Policies -> Security Options. If the value for “MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)” is not set to “Disabled”, then this is a finding. The policy referenced configures the following registry value. Registry Path: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\ Value Name: EnableDeadGWDetect Value Type: REG_DWORD Value: 0

Fix Text

Configure the system to disable dead gateway detection.

Additional Identifiers

Rule ID: SV-4109r1_rule

Vulnerability ID: V-4109

Group Title: Disable Dead Gateway Detection

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.