
CCE-42220-4

Platform: win10
Date: (C)2016-09-23   (M)2017-10-18



Disable: 'MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic.' for NoDefaultExempt

MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic.

Counter Measure: Do not configure the MSS: (NoDefaultExempt) Enable NoDefaultExempt for IPSec Filtering (recommended) entry except on computers that use IPsec filters, where this entry should be configured to a value of Enabled.

The possible values for this registry entry are:

- A value of 0 specifies that multicast, broadcast, RSVP, Kerberos, and IKE (ISAKMP) traffic are exempt from IPsec filters, which is the default configuration for Windows 2000 and Windows XP. Use this setting only if you require compatibility with an IPsec policy that already exists or Windows 2000 and Windows XP.
- A value of 1 specifies that Kerberos protocol and RSVP traffic are not exempt from IPsec filters, but multicast, broadcast, and IKE traffic are exempt. This setting is the recommended value for Windows 2000 and Windows XP.
- A value of 2 specifies that multicast and broadcast traffic are not exempt from IPsec filters, but RSVP, Kerberos, and IKE traffic are exempt. This setting is supported only in Windows Server 2003.
- A value of 3 specifies that only IKE traffic is exempt from IPsec filters. This setting is supported only in Windows Server 2003, which contains this default behavior although the registry key does not exist by default.

In the SCE UI, these options appear as:

- 0
- 1
- 2
- 3

Potential Impact: After you enable this entry, security policies that already exist may have to be changed to work correctly. For details, refer to the Microsoft Knowledge Base article "IPSec Default Exemptions Can Be Used to Bypass IPsec Protection in Some Scenarios" at http://support.microsoft.com/default.aspx?kbid=811832, which was referenced earlier in this section.


Parameter:


Technical Mechanism:
(1) GPO: Computer Configuration\Administrative Templates\MSS (Legacy)\MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic.
(2) REG: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IPSEC\NoDefaultExempt

References:

Resource Id | Reference
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:35078


OVAL    1
oval:org.secpod.oval:def:35078
XCCDF    4
xccdf_org.secpod_benchmark_NIST_800_53_r4_Windows_10
xccdf_org.secpod_benchmark_PCI_3_2_Windows_10
xccdf_org.secpod_benchmark_NIST_800_171_R1_Windows_10
xccdf_org.secpod_benchmark_general_Windows_10
...

© 2013 SecPod Technologies