Ensure ‘MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)’ is set to ‘Disabled’

Details

This setting is used to enable or disable the Internet Router Discovery Protocol (IRDP), which allows the system to detect and configure default gateway addresses automatically as described in RFC 1256 on a per-interface basis.

The recommended state for this setting is: Disabled.

Rationale:

An attacker who has gained control of a computer on the same network segment could configure that computer to impersonate a router. Other computers on the segment with IRDP enabled would then attempt to route their traffic through the already compromised computer.

Impact:

Windows will not automatically detect and configure default gateway addresses on the computer.

Solution

To establish the recommended configuration via GP, set the following UI path to Disabled:

Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)

Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required – it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog

Default Value:

Enable only if DHCP sends the Perform Router Discovery option.
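The page describes the setting only in terms of its Group Policy UI path. The following read-only audit script is an added example, not part of the CIS benchmark text or Microsoft's tooling. It assumes (the page does not state this) that the MSS PerformRouterDiscovery policy is backed by the REG_DWORD value `PerformRouterDiscovery` under `HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters`, with 0 = Disabled, 1 = Enabled and 2 = the DHCP-controlled default quoted above, and that per-interface overrides of the same name live under `...\Tcpip\Parameters\Interfaces\<GUID>`. Check those assumptions against your copy of MSS-legacy.admx before relying on the result; remediation itself should be done through Group Policy as the Solution section describes.

```powershell
# Added audit example (not from the CIS page). Assumption: the MSS policy maps to
#   HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PerformRouterDiscovery (REG_DWORD)
#   0 = Disabled, 1 = Enabled, 2 = enable only if DHCP sends the Perform Router Discovery option.
# An absent value is treated as the documented default (DHCP-controlled), i.e. non-compliant.

function Get-PerformRouterDiscoveryState {
    [CmdletBinding()]
    param(
        [string]$Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters',
        [string]$Name = 'PerformRouterDiscovery'
    )

    $meaning = @{
        0 = 'Disabled'
        1 = 'Enabled'
        2 = 'Enable only if DHCP sends the Perform Router Discovery option (default)'
    }

    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value not present: Windows falls back to the DHCP-controlled default.
        $value = $null
        $state = $meaning[2] + ' [value not present]'
    } else {
        $value = [int]$item.$Name
        $state = if ($meaning.ContainsKey($value)) { $meaning[$value] } else { "Unknown value $value" }
    }

    [pscustomobject]@{
        Path      = $Path
        Name      = $Name
        Value     = $value
        State     = $state
        Compliant = ($value -eq 0)   # CIS recommended state is 'Disabled'
    }
}

function Get-PerInterfaceRouterDiscovery {
    # Assumption: per-interface overrides use the same value name under Interfaces\<GUID>.
    # Only interfaces that actually carry an explicit value are reported.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
    Get-ChildItem -Path $base -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($null -ne $props.PerformRouterDiscovery) {
            [pscustomobject]@{
                Interface = $_.PSChildName
                Value     = [int]$props.PerformRouterDiscovery
                Compliant = ([int]$props.PerformRouterDiscovery -eq 0)
            }
        }
    }
}

# Usage: read-only audit, changes nothing on the host.
$result = Get-PerformRouterDiscoveryState
$result | Format-List
Get-PerInterfaceRouterDiscovery | Format-Table -AutoSize
if (-not $result.Compliant) {
    Write-Warning "PerformRouterDiscovery is '$($result.State)'; this L2 control expects Disabled (0)."
}
```

Run it in an elevated PowerShell session on the audited machine; the `Compliant` field is `True` only when the machine-wide value is explicitly 0, so a host still on the default (value absent or 2) is flagged, which matches the benchmark's intent that the setting be positively Disabled rather than left to DHCP.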

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management. This control applies to the following type of system: Windows.

Updated on July 16, 2022