18.5.6 (L2) Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes'


This value controls how often TCP attempts to verify that an idle connection is still intact by sending a keep-alive packet. If the remote computer is still reachable, it acknowledges the keep-alive packet.

The recommended state for this setting is: Enabled: 300,000 or 5 minutes

An attacker who is able to connect to network applications could establish numerous connections to cause a DoS condition.


To establish the recommended configuration via GP, set the following UI path to Enabled: 300,000 or 5 minutes:

Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds

Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required. It is available from this TechNet blog post:

The MSS settings - Microsoft Security Guidance blog


Keep-alive packets are not sent by default by Windows. However, some applications may configure the TCP stack flag that requests keep-alive packets. For such configurations, you can lower this value from the default setting of two hours to five minutes to disconnect inactive sessions more quickly.
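
To verify the setting on a host, the following PowerShell check (an added example, not part of the benchmark text) reads the value the policy writes. It assumes the policy is backed by the `KeepAliveTime` REG_DWORD under `HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters`, a location this page does not state; the function name `Test-KeepAliveTime` is hypothetical.

```powershell
# Added example: audit the registry value behind the MSS KeepAliveTime policy.
# Assumption: the policy is stored as a REG_DWORD named KeepAliveTime under the
# Tcpip\Parameters key. Test-KeepAliveTime is a hypothetical helper name.
function Test-KeepAliveTime {
    [CmdletBinding()]
    param(
        [string]$Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters',
        [int]$ExpectedMs = 300000   # 5 minutes, the recommended state
    )

    $key = Get-Item -LiteralPath $Path -ErrorAction Stop
    $configured = $key.GetValueNames() -contains 'KeepAliveTime'

    $result = [ordered]@{
        Computer   = $env:COMPUTERNAME
        Configured = $configured
        ValueMs    = $null
        ValueKind  = $null
        Compliant  = $false
        Detail     = ''
    }

    if (-not $configured) {
        # An absent value is a finding: the two-hour default stays in effect.
        $result.Detail = 'KeepAliveTime is not set; the two-hour default applies'
    }
    else {
        $kind  = $key.GetValueKind('KeepAliveTime')
        $value = $key.GetValue('KeepAliveTime')
        $result.ValueKind = $kind
        $result.ValueMs   = $value

        if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
            # A value of the wrong type (for example REG_SZ) does not satisfy the check.
            $result.Detail = "Unexpected value type $kind; expected DWord"
        }
        elseif ($value -ne $ExpectedMs) {
            $result.Detail = "Value is $value ms; expected $ExpectedMs ms"
        }
        else {
            $result.Compliant = $true
            $result.Detail    = 'Matches the recommended state'
        }
    }
    [pscustomobject]$result
}

Test-KeepAliveTime | Format-List
```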

Item Details


References: 800-53|SC-7(12)

Plugin: Windows

Control ID: 75b1199571db733bd00543871ae1e159ecdd19ff14bcfa4656dddccbdd75466c