18.4.2 Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'

Information

IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should follow through the network.

The recommended state for this setting is: Enabled: Highest protection, source routing is completely disabled.

Rationale:

An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled:

Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)

Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog

Impact:

All incoming source routed packets will be dropped.

Default Value:

No additional protection, source routed packets are allowed.

See Also

https://workbench.cisecurity.org/files/2700

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(12), CSCv6|9, CSCv6|9.2

Plugin: Windows

Control ID: 2a3e65463caa7b4276de58f51a3672bd08eef52ec6852c903c9f9c26cd20365a