18.4.7 Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'

This setting is used to enable or disable the Internet Router Discovery Protocol (IRDP), which allows the system to detect and configure default gateway addresses automatically as described in RFC 1256 on a per-interface basis.

The recommended state for this setting is: 'Disabled'.

Rationale:
An attacker who has gained control of a computer on the same network segment could configure a computer on the network to impersonate a router.

Other computers with IRDP enabled would then attempt to route their traffic through the already compromised computer.

Solution

To establish the recommended configuration via GP, set the following UI path to 'Disabled':


Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)

Note: This Group Policy path does not exist by default.

An additional Group Policy template ('MSS-legacy.admx/adml') is required - it is available from this TechNet blog post: [The MSS settings -- Microsoft Security Guidance blog](https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/)

Impact:
Windows will not automatically detect and configure default gateway addresses on the computer.

See Also

https://workbench.cisecurity.org/files/1937

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7, CSCv6|9, CSCv6|9.2

Plugin: Windows

Control ID: a508e79fcd110ea19e583e97c0465e40c858b7fca7e8a2502a5b7f961d67b2c2