A recent scan identified the following vulnerability, and I did not find any valid information associated with it.
I would appreciate quick help on this.
"Microsoft Windows TCP Parameters, TCP/IP Hardening Guidelines"
The Threat and Solution sections of QID 90128 contain detailed information on hardening your TCP/IP stack.
From the QID:
You can harden the TCP/IP stack on a Windows 2000/2003 or Windows XP computer by customizing these registry values, which are stored in the registry key: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\
EnablePMTUDiscovery: Determines whether path MTU discovery is enabled (1), in which case TCP attempts to discover the largest packet size over the path to a remote host. When path MTU discovery is disabled (0), the path MTU for all TCP connections will be fixed at 576 bytes.
DisableIPSourceRouting: Determines whether a computer allows clients to predetermine the route that packets take to their destination. When this value is set to 2, the computer will disable source routing for IP packets.
NoNameReleaseOnDemand: Determines whether the computer will release its NetBIOS name if requested by another computer or by a malicious packet attempting to hijack the computer's NetBIOS name. This is configured under HKLM\System\CurrentControlSet\Services\Netbt\Parameters.
PerformRouterDiscovery: Determines whether the computer performs router discovery on this interface. Router discovery solicits router information from the network and adds the information retrieved to the route table. Setting this value to 0 will prevent the interface from performing router discovery.
EnableDeadGWDetect: Determines whether the computer will attempt to detect dead gateways. When dead gateway detection is enabled (by setting this value to 1), TCP might ask IP to change to a backup gateway if a number of connections are experiencing difficulty. Backup gateways are defined in the TCP/IP configuration dialog box in the Network Control Panel for each adapter. When you leave this setting enabled, it's possible for an attacker to redirect the server to a gateway of his choosing.
EnableICMPRedirect: When ICMP redirects are disabled (by setting the value to 0), attackers cannot carry out attacks that require a host to redirect the ICMP-based attack to a third party.
SynAttackProtect: Enables SYN flood protection in Windows 2000 and Windows XP. You can set this value to 0, 1, or 2. The default setting 0 provides no protection. Setting the value to 1 will activate SYN/ACK protection contained in the TCPMaxPortsExhausted, TCPMaxHalfOpen, and TCPMaxHalfOpenRetried values. Setting the value to 2 will protect against SYN/ACK attacks by more aggressively timing out open and half-open connections. For Windows 2003, the recommended value is 1.
TCPMaxConnectResponseRetransmissions: Determines how many times TCP retransmits an unanswered SYN/ACK message. TCP retransmits acknowledgments until the number of retransmissions specified by this value is reached.
TCPMaxHalfOpen: Determines how many connections the server can maintain in the half-open state before TCP/IP initiates SYN flooding attack protection. This entry is used only when SYN flooding attack protection is enabled on this server, that is, when the value of the SynAttackProtect entry is 1 or 2 and the value of the TCPMaxConnectResponseRetransmissions entry is at least 2.
TCPMaxHalfOpenRetried: Determines how many connections the server can maintain in the half-open state even after a connection request has been retransmitted. If the number of connections exceeds the value of this entry, TCP/IP initiates SYN flooding attack protection. This entry is used only when SYN flooding attack protection is enabled on this server, that is, when the value of the SynAttackProtect entry is 1 and the value of the TCPMaxConnectResponseRetransmissions entry is at least 2.
Refer to the Microsoft Security Topics document called How To: Harden the TCP/IP Stack for a detailed description of these parameters and the other effects they might have, before deploying these settings.
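As an added example (not part of the QID text or of anyone's post in this thread), the following read-only PowerShell audit reads each value the QID describes, reports its registry data type, and compares it with the setting the QID text states where it states one. The value names and the Tcpip\Parameters and Netbt\Parameters paths are the ones quoted above; PerformRouterDiscovery is read from each adapter's subkey under Tcpip\Parameters\Interfaces, since the QID describes it per interface. Expected values marked $null are ones the QID describes without giving a number.

```powershell
# Added example, not code from the Qualys QID or from this thread.
# Read-only audit of the TCP/IP hardening values discussed in QID 90128.
# Run in an elevated PowerShell session on the scanned host.

$Tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$Netbt = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netbt\Parameters'

# Expected values are taken from the QID text. $null means the QID describes
# the value but states no number for it, so it is listed, not judged.
$Checks = @(
    [pscustomobject]@{ Path = $Tcpip; Name = 'EnablePMTUDiscovery';                  Expected = $null }
    [pscustomobject]@{ Path = $Tcpip; Name = 'DisableIPSourceRouting';               Expected = 2 }      # QID: 2 disables source routing
    [pscustomobject]@{ Path = $Netbt; Name = 'NoNameReleaseOnDemand';                Expected = $null }
    [pscustomobject]@{ Path = $Tcpip; Name = 'EnableDeadGWDetect';                   Expected = 0 }      # QID warns against leaving it enabled (1)
    [pscustomobject]@{ Path = $Tcpip; Name = 'EnableICMPRedirect';                   Expected = 0 }      # QID: 0 disables ICMP redirects
    [pscustomobject]@{ Path = $Tcpip; Name = 'SynAttackProtect';                     Expected = 1 }      # QID: recommended value for Windows 2003
    [pscustomobject]@{ Path = $Tcpip; Name = 'TcpMaxConnectResponseRetransmissions'; Expected = $null }
    [pscustomobject]@{ Path = $Tcpip; Name = 'TcpMaxHalfOpen';                       Expected = $null }
    [pscustomobject]@{ Path = $Tcpip; Name = 'TcpMaxHalfOpenRetried';                Expected = $null }
)

# PerformRouterDiscovery lives in each interface's subkey; the QID says 0
# prevents that interface from performing router discovery.
Get-ChildItem -LiteralPath "$Tcpip\Interfaces" -ErrorAction SilentlyContinue | ForEach-Object {
    $Checks += [pscustomobject]@{ Path = $_.PSPath; Name = 'PerformRouterDiscovery'; Expected = 0 }
}

function Get-RegistryValueState {
    # Returns one row: the value as stored, its REG_* kind, and a status
    # relative to the expected setting (Match, Mismatch, NotSet, ReportOnly).
    param([string]$Path, [string]$Name, $Expected)

    $key    = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    $actual = if ($key) { $key.GetValue($Name, $null) } else { $null }
    $kind   = if ($key -and $null -ne $actual) { $key.GetValueKind($Name) } else { 'Missing' }

    $status = if ($null -eq $actual)          { 'NotSet' }      # value absent, Windows default applies
              elseif ($null -eq $Expected)    { 'ReportOnly' }  # QID gives no number to compare against
              elseif ($actual -eq $Expected)  { 'Match' }
              else                            { 'Mismatch' }

    [pscustomobject]@{
        Path = $Path; Name = $Name; Kind = $kind
        Actual = $actual; Expected = $Expected; Status = $status
    }
}

$Results = $Checks | ForEach-Object {
    Get-RegistryValueState -Path $_.Path -Name $_.Name -Expected $_.Expected
}

$Results | Format-Table Name, Kind, Actual, Expected, Status -AutoSize
```

Rows marked Mismatch or NotSet are the ones to revisit against the Microsoft hardening document. The Kind column shows whether a value is stored as REG_DWORD or as some other type, which an eyeball comparison of the numbers alone does not reveal; the script changes nothing, so it is safe to run on the test machines before opening a support case.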
I have another question on the QID 90128:
All recommended parameters have been configured and deployed to some test machines.
When I check the Qualys report some days later for a specific test machine, I still get the vulnerability.
When comparing the recommended and actual values, they are identical.
Can somebody explain this behaviour and explain how to stop this vulnerability from being reported as vulnerable?
Your best bet is to open a support case... The only way someone could really assist you would be for you to share actual data, which I doubt you would do, nor would I recommend it. You can upload data securely with support and they can help you diagnose what is going on.
I agree. You should open a support case to get this investigated.
Meanwhile, if you'd like to ignore this vulnerability (so it doesn't show up on your reports), check this: Want to ignore a vulnerability?