Benchmark: CIS Microsoft Windows 10 Enterprise Release 1909 V1.8.1 L2 Ng

Ensure ‘MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds’ is set to ‘Enabled: 300,000 or 5 minutes (recommended)’

Details

This value controls how often TCP attempts to verify that an idle connection is still intact by sending a keep-alive packet. If the remote computer is still reachable, it acknowledges the keep-alive packet.

The recommended state for this setting is: Enabled: 300,000 or 5 minutes (recommended).

Rationale:

An attacker who is able to connect to network applications could establish numerous connections to cause a DoS condition.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled: 300,000 or 5 minutes (recommended):

Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds

Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required – it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog
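
An audit check for this setting, as an added example that is not part of the benchmark text or this page. It assumes the policy is backed by the registry value KeepAliveTime under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters (a location this page does not state); Test-KeepAliveTime is a hypothetical function name.

```powershell
function Test-KeepAliveTime {
    [CmdletBinding()]
    param(
        # Assumption: registry location written by the MSS (Legacy) template; not stated on the page.
        [string]$Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters',
        [string]$Name = 'KeepAliveTime',
        [int]$RecommendedMs = 300000,    # 5 minutes, the recommended state
        [int]$DefaultMs     = 7200000    # 120 minutes, the documented default
    )

    # Read the value if it exists; a missing value is not an error here.
    $configured = $null
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $configured = $item.$Name }

    # With no value present the policy is not configured and the default interval applies.
    $effective = if ($null -ne $configured) { $configured } else { $DefaultMs }

    $state = if ($null -eq $configured) {
        'NotConfigured'
    } elseif ($configured -eq $RecommendedMs) {
        'Compliant'
    } else {
        'NonCompliant'
    }

    # Structured result so the check can be collected from many hosts and filtered on State.
    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        ConfiguredMs     = $configured
        EffectiveMs      = $effective
        EffectiveMinutes = $effective / 60000
        RecommendedMs    = $RecommendedMs
        State            = $state
    }
}

Test-KeepAliveTime | Format-List
```

A result of NotConfigured means the two-hour default is in effect for applications that request keep-alives, which does not meet the recommendation.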

Impact:

Keep-alive packets are not sent by default by Windows. However, some applications may configure the TCP stack flag that requests keep-alive packets. For such configurations, you can lower this value from the default setting of two hours to five minutes to disconnect inactive sessions more quickly.

Default Value:

7,200,000 milliseconds or 120 minutes.

Supportive Information

This security hardening control applies to the following category of controls within NIST 800-53: System and Communications Protection. This control applies to the following type of system: Windows.

Updated on July 16, 2022