3.5.3 (L1) Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'

Information

IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should take through the network. It is recommended to configure this setting to Not Defined for enterprise environments and to Highest Protection for high security environments to completely disable source routing.

The recommended state for this setting is: Enabled: Highest protection, source routing is completely disabled.

An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes.

Solution

To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled: Highest protection, source routing is completely disabled:

Administrative Templates\MSS (Legacy)\MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)

Impact:

All incoming source routed packets will be dropped.
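To confirm on an endpoint that the profile has taken effect, the following PowerShell check is an added example and not part of the benchmark text. It assumes the MSS setting is stored as the REG_DWORD value DisableIPSourceRouting under the IPv4 Tcpip\Parameters key (the registry location is not stated on this page); the function name Test-IPSourceRoutingProtection is hypothetical.

```powershell
# Added audit example (not from the benchmark page).
# Assumption: the MSS setting is the REG_DWORD 'DisableIPSourceRouting'
# under the IPv4 Tcpip\Parameters key; 2 corresponds to "Highest protection".
function Test-IPSourceRoutingProtection {
    [CmdletBinding()]
    param(
        [string]$Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters',
        [string]$Name = 'DisableIPSourceRouting'
    )

    # Protection levels offered by the policy, keyed by registry value.
    $levels = @{
        0 = 'No additional protection, source routed packets are allowed'
        1 = 'Medium, source routed packets ignored when IP forwarding is enabled'
        2 = 'Highest protection, source routing is completely disabled'
    }

    # An absent value means the policy is Not Defined on this machine.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $value = $null
        $state = 'Not Defined (registry value absent)'
    }
    else {
        $value = [int]$item.$Name
        $state = if ($levels.ContainsKey($value)) { $levels[$value] }
                 else { "Unexpected value $value" }
    }

    # Only the value 2 satisfies the recommended state.
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Setting      = $Name
        Value        = $value
        State        = $state
        Compliant    = ($value -eq 2)
    }
}

Test-IPSourceRoutingProtection | Format-List
```

A result of Not Defined is reported as non-compliant, because the recommended state requires the value to be explicitly set.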

See Also

https://workbench.cisecurity.org/benchmarks/16853

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(12)

Plugin: Windows

Control ID: f445f5a0cf2d71198b01c2e82dabc03b1feea9c67d93f1fc68076b8e46fb896b