MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) #66

Open
PrzemyslawKlys opened this issue Oct 7, 2019 · 3 comments
Labels
potential test Potential/Proposed Tests

@PrzemyslawKlys
Member

This control determines if Windows will accept source routed packets.

How to Validate
To validate this, go to the registry key (HKLM\System\CurrentControlSet\Services\Tcpip6\Parameters) and look for the value named (DisableIPSourceRouting), check for the modifiers (ErrorNotOk), get the description (The recommended state for this setting is "Highest protection, source routing is completely disabled".), with the priority (Critical).
Acceptable Value(s)
2

Remediation Steps
The GPO for this setting is located under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing).

For all profiles, the recommended state for this setting is Highest protection, source routing is completely disabled.

NOTE: For "MSS:"-prefixed settings, if they are not visible in the Group Policy Editor, download the Microsoft Security Compliance Manager, run LocalGPO.msi, and then execute the following command to make them available:

cscript.exe LocalGPO.wsf /ConfigureSCE

@PrzemyslawKlys
Member Author

If the value for "MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)" is not set to "Highest protection, source routing is completely disabled", this is a finding.

The policy referenced configures the following registry value:

Registry Hive: HKEY_LOCAL_MACHINE
Subkey: \System\CurrentControlSet\Services\Tcpip6\Parameters\

Value Name: DisableIpSourceRouting

Type: REG_DWORD
Value: 2

@PrzemyslawKlys PrzemyslawKlys added the potential test Potential/Proposed Tests label Feb 8, 2020
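
An added example, not part of the original issue or the project's code: a PowerShell check of the registry value described in the comments above. The function name and result fields are hypothetical, and reporting a missing key or value as a finding is an assumption.

```powershell
# Added example. Function name and result fields are hypothetical.
function Test-DisableIPSourceRoutingIPv6 {
    [CmdletBinding()]
    param(
        [string]$Path = 'HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters',
        [string]$Name = 'DisableIPSourceRouting',
        [int]$Expected = 2
    )

    $result = [ordered]@{
        Path     = $Path
        Name     = $Name
        Expected = $Expected
        Actual   = $null
        Kind     = $null
        Status   = 'Finding'
        Reason   = $null
    }

    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $key) {
        $result.Reason = 'Registry key not found'
        return [pscustomobject]$result
    }

    # GetValue returns the supplied default ($null) when the value is absent.
    # Assumption: an absent value is reported as a finding.
    $value = $key.GetValue($Name, $null)
    if ($null -eq $value) {
        $result.Reason = 'Value not set'
        return [pscustomobject]$result
    }

    $result.Actual = $value
    $result.Kind   = $key.GetValueKind($Name)

    # The issue specifies Type REG_DWORD and Value 2; check both.
    if ($result.Kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        $result.Reason = "Value kind is $($result.Kind), expected DWord"
    } elseif ($value -ne $Expected) {
        $result.Reason = "Value is $value, expected $Expected"
    } else {
        $result.Status = 'Pass'
        $result.Reason = 'Value matches the acceptable value'
    }
    [pscustomobject]$result
}

Test-DisableIPSourceRoutingIPv6
```
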
@doggonewater672

What would be the impact of this setting if you use a proxy to reroute client traffic to a different route, so SDWAN in this case?

@PrzemyslawKlys
Member Author

Unfortunately, I don't know. This follows a recommendation from MS.
