1.1.1.2.1.85 Set 'MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic.'

Information

1.1.1.2.1.85 Set 'MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic.' to 'Only ISAKMP is exempt (recommended for Windows Server 2003)'

The registry value entry NoDefaultExempt was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IPSEC\ registry key. The entry appears as MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic in the SCE.

The default exemptions to IPsec policy filters are documented in the online help for the specific operating system. These filters make it possible for Internet Key Exchange (IKE) and the Kerberos authentication protocol to function. The filters also make it possible for network Quality of Service (QoS) to be signaled (RSVP) when the data traffic is secured by IPsec, and for traffic that IPsec might not secure, such as multicast and broadcast traffic, to pass.

IPsec is increasingly used for basic host-firewall packet filtering, particularly in Internet-exposed scenarios, and the effect of these default exemptions has not been fully understood. Therefore, some IPsec administrators may create IPsec policies that they think are secure but that are not actually secure against inbound attacks that use the default exemptions. Attackers could forge network traffic that appears to consist of legitimate IKE, RSVP, or Kerberos protocol packets but direct it to other network services on the host. For additional information, see Knowledge Base article 811832, IPSec Default Exemptions Can Be Used to Bypass IPsec Protection in Some Scenarios.

Solution

To implement the recommended configuration state, set the following Group Policy setting to 3.

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic.

Impact: After you enable this entry, security policies that already exist may have to be changed to work correctly. For details, refer to the Microsoft Knowledge Base article 'IPSec Default Exemptions Can Be Used to Bypass IPsec Protection in Some Scenarios' at http://support.microsoft.com/default.aspx?kbid=811832.
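The following PowerShell script is an added example, not part of the CIS benchmark or this audit item, showing how an administrator can audit the NoDefaultExempt value described above and stage the remediation. The registry key, value name and the meaning of value 3 come from this page; the meanings of values 0 to 2 are as documented in Microsoft KB 811832, and the function names are this example's own.

```powershell
# Added example (not from the CIS/Tenable page): audit and optionally remediate the
# NoDefaultExempt value this benchmark item checks.
$IpsecKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\IPSEC'   # key named on the page
$ValueName = 'NoDefaultExempt'                                   # value named on the page
$Required  = 3   # 'Only ISAKMP is exempt' -- the state the benchmark requires

# Value meanings per Microsoft KB 811832 (only 3 is stated on this page).
$Meanings = @{
    0 = 'Multicast, broadcast, RSVP, Kerberos and ISAKMP exempt (all default exemptions)'
    1 = 'Multicast, broadcast and ISAKMP exempt; Kerberos and RSVP are filtered'
    2 = 'RSVP, Kerberos and ISAKMP exempt; multicast and broadcast are filtered'
    3 = 'Only ISAKMP (IKE, UDP 500) exempt'
}

function Test-NoDefaultExempt {
    # Returns the current value, its meaning, and whether it meets the benchmark.
    $item = Get-ItemProperty -Path $IpsecKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value absent: the built-in OS default applies, but the benchmark expects an
        # explicit setting, so report the host as non-compliant.
        return [pscustomobject]@{ Value = $null; Meaning = 'not set (OS default applies)'; Compliant = $false }
    }
    $v = [int]$item.$ValueName
    $meaning = if ($Meanings.ContainsKey($v)) { $Meanings[$v] } else { 'undocumented value' }
    [pscustomobject]@{ Value = $v; Meaning = $meaning; Compliant = ($v -eq $Required) }
}

function Set-NoDefaultExempt {
    # Remediation for stand-alone hosts. On domain members set the Security Options
    # policy shown in the Solution instead; a local registry edit is overwritten at
    # the next Group Policy refresh.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess("$IpsecKey\$ValueName", "Set REG_DWORD to $Required")) {
        if (-not (Test-Path $IpsecKey)) { New-Item -Path $IpsecKey -Force | Out-Null }
        Set-ItemProperty -Path $IpsecKey -Name $ValueName -Value $Required -Type DWord
    }
}

$state = Test-NoDefaultExempt
$state | Format-List
if (-not $state.Compliant) { Set-NoDefaultExempt -WhatIf }   # drop -WhatIf to apply
```

Run it in an elevated session; the remediation is only previewed until -WhatIf is removed, and existing IPsec policies may need review afterwards because traffic that relied on the Kerberos, RSVP, multicast or broadcast exemptions will now be subject to the policy filters.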

See Also

https://workbench.cisecurity.org/files/42

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-8, CCE|CCE-8601-7

Plugin: Windows

Control ID: 2fe451d0ec4f72ead779382c26b9d55e2cd6c1f02c3a1494e75143cb561d1ce7