EnableICMPRedirect is a configuration setting in Windows operating systems that controls whether the system accepts and processes ICMP Redirect messages. It is found within the “MSS (Legacy)” section of Group Policy or in the registry, and when enabled it lets routers update the host’s routing table automatically, which can optimize paths.

 

This blog post will cover:

  1. What is the ‘Allow ICMP redirects to override OSPF generated routes’ policy?
  2. The potential vulnerability in this setting
  3. Countermeasures for mitigating this vulnerability
  4. The potential impact of the configuration change
  5. How to change the configuration
  6. How to be audit ready

POLICY DESCRIPTION
The registry value entry EnableICMPRedirect was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\ registry key. The entry appears as MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes in the SCE.

Internet Control Message Protocol (ICMP) redirects cause the IPv4 stack to plumb host routes. These routes override the Open Shortest Path First (OSPF)-generated routes. Microsoft recommends configuring this setting to Not Defined for enterprise environments and to Disabled for high security environments.

 

 

ICMP Redirect and why it matters for security

Routers send ICMP Redirect messages to tell a host that a better first hop exists for a given destination on the directly attached network. A host that honours the redirect adds a host route for that destination, so the message changes both the path its packets take and the gateway they are handed to.

 

POTENTIAL VULNERABILITY

This is expected behavior, but it is also the problem: a route plumbed by an ICMP redirect is kept for 10 minutes before it times out, so a host that accepts a bad redirect can have its traffic misrouted for that long, a temporary network disruption for the affected host. Ignoring such redirects minimizes the host’s exposure to attacks on its network participation.

 

Security concerns with ICMP Redirect

There are several significant security concerns with ICMP Redirect due to its inherent vulnerabilities:

  • Spoofing: attackers can easily forge ICMP Redirect messages, directing traffic to malicious servers instead of the intended destination. This can lead to:
      • Man-in-the-middle attacks: intercepting and manipulating communication between a host and the targeted server.
      • Phishing attacks: tricking users into visiting fake websites for data theft.
      • Denial-of-service attacks: flooding the targeted server with unnecessary traffic.
  • Misconfiguration: accidental acceptance of ICMP Redirect messages from untrusted sources exposes systems to the attacks listed above.

While ICMP Redirect may offer potential efficiency gains, the associated security risks are significant. Disabling it is generally sound security practice.

 

COUNTERMEASURES
Configure the MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes entry to a value of Disabled.

The possible values for this registry entry are:

  • 1 or 0. The default configuration is 1 (enabled).

In the SCE UI, these options appear as:

  • Enabled
  • Disabled
  • Not Defined

 

IMPACT

When Routing and Remote Access Service (RRAS) is configured as an autonomous system boundary router (ASBR), it does not correctly import connected interface subnet routes. Instead, this router injects host routes into the OSPF routes. However, the OSPF router cannot be used as an ASBR router, and when connected interface subnet routes are imported into OSPF the result is confusing routing tables with strange routing paths.

 

HOW TO CONFIGURE: EnableICMPRedirect

The policy referenced configures the following registry value:

Registry Hive: HKEY_LOCAL_MACHINE

Registry Path: \System\CurrentControlSet\Services\Tcpip\Parameters\

Value Name: EnableICMPRedirect

Value Type: REG_DWORD

Value: 0

Remediation

To establish the recommended configuration via Group Policy, set the following UI path to Disabled:

Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes

Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required.
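As an added example (not code from the original post or from any benchmark tooling), the following PowerShell audits the registry value described above, treats a missing value as the Windows default of 1 (enabled), and optionally sets it to the recommended 0. The function name and the -Remediate switch are this example’s own choices, and it assumes an elevated PowerShell session on Windows.

```powershell
# Added example: audit (and optionally remediate) the EnableICMPRedirect value.
# Assumes an elevated PowerShell session; Test-IcmpRedirectHardening and the
# -Remediate switch are names chosen for this example, not benchmark tooling.
$Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$Name = 'EnableICMPRedirect'

function Test-IcmpRedirectHardening {
    [CmdletBinding()]
    param([switch]$Remediate)

    # Read the current value; if the value does not exist, Get-ItemProperty
    # returns nothing and $current stays $null.
    $current = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue |
               Select-Object -ExpandProperty $Name -ErrorAction SilentlyContinue

    # An absent value means the Windows default (1, enabled) is in effect,
    # so "absent" is treated as "enabled" for audit purposes.
    $effective = if ($null -eq $current) { 1 } else { [int]$current }
    $compliant = ($effective -eq 0)

    # Emit the pre-remediation state so the audit record shows what was found.
    [pscustomobject]@{
        Setting   = "MSS: ($Name) Allow ICMP redirects to override OSPF generated routes"
        Found     = ($null -ne $current)
        Value     = $effective
        Compliant = $compliant
    }

    if (-not $compliant -and $Remediate) {
        # REG_DWORD 0 = Disabled, the CIS recommended state. -Force overwrites
        # an existing value of a different type or data.
        New-ItemProperty -Path $Path -Name $Name -Value 0 -PropertyType DWord -Force | Out-Null
        Write-Verbose "$Name set to 0; Tcpip\Parameters changes generally take effect after a restart."
    }
}

# Usage: audit only. Add -Remediate -Verbose to also apply the recommended value.
Test-IcmpRedirectHardening

# Cross-check what the running IPv4 stack reports; the benchmark itself audits
# the registry value, so the two can differ until the change is applied.
Get-NetIPv4Protocol | Select-Object IcmpRedirects
```

The Get-NetIPv4Protocol line shows the live stack setting, which is useful when confirming that a Group Policy or registry change has actually taken effect.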

 

Best practices for configuring EnableICMPRedirect:

Disable ICMP redirect in Windows.

CIS Benchmark security setting: Ensure ‘MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes’ is set to ‘Disabled’ (Automated). The recommended state for this setting is: Disabled.

 

Be Audit Ready with Automated Hardening

Hardening this setting provides a standardized secure baseline for network devices and servers. Rather than relying on administrators to manually assess and assign proper values, automated hardening establishes a consistently secure posture across all devices.

Hardening the ICMP redirect setting provides exploit mitigation, secure configuration standardization, compliance benefits and centralized traffic control to limit security risks.

 
