18.4.2 Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'

Information

IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should follow through the network.

The recommended state for this setting is: Enabled: Highest protection, source routing is completely disabled.

Rationale:

An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes.

Impact:

All incoming source routed packets will be dropped.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled:

Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)

Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog

Default Value:

No additional protection, source routed packets are allowed.

See Also

https://workbench.cisecurity.org/benchmarks/14249

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-4, CCE|CCE-33790-7, CSCv7|9.2, CSCv7|9.3

Plugin: Windows

Control ID: 72a0c5a5dc18bbedf3158c8618055b8e19a7ed68448414799646fc2a0d71ef79