CIS Microsoft Windows 10 Enterprise Release 1909 Benchmark

18.4.2 (L1) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled' (Scored)

ProfileApplicability:

 Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:

IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should follow through the network.

The recommended state for this setting is: Enabled: Highest protection, source routing is completely disabled .

Rationale:

An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes.

Audit:

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters:Disabl eIPSourceRouting

Remediation:

To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled :

Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)

Note: This Group Policy path does not exist by default. An additional Group Policy template ( MSS-legacy.admx/adml ) isrequired - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog

542 | P a g e