WN12-SO-000041 - The system must be configured to limit how often keep-alive packets are sent.

Information

This setting controls how often TCP sends a keep-alive packet to verify that an idle connection is still intact. A higher value lets idle or dead connections hold resources longer before they are detected, which could allow an attacker to cause a denial of service with numerous connections.

Solution

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' to '300000 or 5 minutes (recommended)' or less.

(See 'Updating the Windows Security Options File' in the STIG Overview document if MSS settings are not visible in the system's policy tools.)

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_2012_and_2012_R2_DC_V3R7_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-5, CAT|III, CCI|CCI-002385, Rule-ID|SV-226305r852143_rule, STIG-ID|WN12-SO-000041, STIG-Legacy|SV-52927, STIG-Legacy|V-4113, Vuln-ID|V-226305

Plugin: Windows

Control ID: f38c96706fa852bd754c003c88989703036c045bb62119835f0f254edbe7b7cd