[Forgot Password]
Login  Register Subscribe

30389

 
 

423868

 
 

244625

 
 

909

 
 

193379

 
 

277

Paid content will be excluded from the download.


Download | Alert*
CCE
view XML

CCE-33792-3

Platform: cpe:/o:microsoft:windows_8.1Date: (C)2015-10-14   (M)2023-07-04



MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic. The registry value entry NoDefaultExempt was added to the template file in the HKEY_LOCAL_MACHINESystemCurrentControlSetServicesIPSEC registry key. The entry appears as MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic in the SCE. The default exemptions to IPsec policy filters are documented in the online help for the specific operating system. These filters make it possible for Internet Key Exchange (IKE) and the Kerberos authentication protocol to function. The filters also make it possible for the network Quality of Service (QoS) to be signaled (RSVP) when the data traffic is secured by IPsec, and for traffic that IPsec might not secure such as multicast and broadcast traffic. IPsec is increasingly used for basic host-firewall packet filtering, particularly in Internet-exposed scenarios, and the affect of these default exemptions has not been fully understood. Therefore, some IPsec administrators may create IPsec policies that they think are secure, but are not actually secure against inbound attacks that use the default exemptions. For additional information, see the Knowledge Base article 811832, 'IPSec Default Exemptions Can Be Used to Bypass IPsec Protection in Some Scenarios.'


Parameter:

[allow all exemption (least secure)/multicast, broadcast and ISAKMP exempt (best for windows xp)/rsvp, broadcast and isakmp are exempt/only isakmp is exempt (recommended for windows server 2003)]


Technical Mechanism:

(1) GPO: Computer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesSecurity Options!MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic. (2) REG: HKEY_LOCAL_MACHINESystemCurrentControlSetServicesIPSEC!NoDefaultExempt

CCSS Severity:CCSS Metrics:
CCSS Score : 8.1Attack Vector: NETWORK
Exploit Score: 2.2Attack Complexity: HIGH
Impact Score: 5.9Privileges Required: NONE
Severity: HIGHUser Interaction: NONE
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HScope: UNCHANGED
 Confidentiality: HIGH
 Integrity: HIGH
 Availability: HIGH
  

References:
Resource IdReference
SCAP Repo OVAL Definitionoval:org.secpod.oval:def:22377


OVAL    1
oval:org.secpod.oval:def:22377
XCCDF    7
xccdf_org.secpod_benchmark_HIPAA_45CFR_164_Windows_8_1
xccdf_org.secpod_benchmark_ISO27001_Windows_8_1
xccdf_org.secpod_benchmark_NIST_800_53_r4_Windows_8_1
xccdf_org.secpod_benchmark_PCI_3_2_Windows_8_1
...

© SecPod Technologies