MSS EnableICMPRedirect Allow ICMP redirects to override OSPF generated route


3 Minutes Read Updated on May 21, 2025

EnableICMPRedirect is a configuration setting in Windows operating systems that controls whether the system accepts and processes ICMP Redirect messages.  It’s found within the “MSS (Legacy)” section of Group Policy or the registry and allows automatic route updates from routers, which can optimize paths.


POLICY DESCRIPTION

The registry value entry EnableICMPRedirect was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters registry key. The entry appears as MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes in the SCE.

Internet Control Message Protocol (ICMP) redirects cause the IPv4 stack to plumb host routes. These routes override the Open Shortest Path First (OSPF)-generated routes. Windows Server recommends configuring this setting to Not Defined for enterprise environments and to Disabled for high security environments.

ICMP Redirect and why it matters for security

Routers, configured with Cisco IOS, utilize ICMP redirects to indicate improved routing paths from one network to another, influenced by the default gateway settings and host preferences. This fundamentally alters the routing and destinations of packets.

POTENTIAL VULNERABILITY

This behavior is expected, yet problematic: the 10-minute time-out of ICMP redirect-plumbed routes causes a temporary network disruption for the affected host. Ignoring such redirects minimizes exposure to attacks affecting network participation.

Security concerns with ICMP Redirect

There are several significant security concerns with ICMP Redirect due to its inherent vulnerabilities:

  • Spoofing: Attackers can easily forge ICMP Redirect messages, directing traffic to malicious servers instead of the intended destination. This can lead to:
      • Man-in-the-middle attacks: Intercepting and manipulating communication between a host and the targeted server.
      • Phishing attacks: Tricking users into visiting fake websites for data theft.
      • Denial-of-service attacks: Flooding the targeted server with unnecessary traffic.
  • Misconfiguration: Accidental acceptance of ICMP Redirect messages from untrusted sources can expose systems to the aforementioned attacks.

While ICMP Redirect may offer potential efficiency gains, the associated security risks are significant. Disabling it generally represents a sound security practice.


COUNTERMEASURES

Configure the MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes entry to a value of Disabled.

The possible values for this registry entry are:

  • 1 or 0. The default configuration is 1 (enabled).

In the SCE UI, these options appear as:

  • Enabled
  • Disabled
  • Not Defined

IMPACT

When Routing and Remote Access Service (RRAS) is configured as an autonomous system boundary router (ASBR), it does not correctly import connected interface subnet routes.

Instead, this router injects host routes into the OSPF routes. However, the OSPF router cannot be used as an ASBR router, and when connected interface subnet routes are imported into OSPF, the result is confusing routing tables with strange routing paths.


HOW TO CONFIGURE: EnableICMPRedirect

The policy referenced configures the following registry value:

Registry Hive: HKEY_LOCAL_MACHINE

Registry Path: System\CurrentControlSet\Services\Tcpip\Parameters

Value Name: EnableICMPRedirect

Value Type: REG_DWORD

Value: 0

Remediation

To establish the recommended configuration via GP, set the following UI path to Disabled:

Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes

Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required.
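The following PowerShell audit is an added example, not code from the original article or from any vendor tool. It checks the registry value described above and can optionally set it to the recommended state. The function name `Test-IcmpRedirectHardening` and its `-Remediate` switch are hypothetical; the registry path, value name, type and target value are the ones given in this article.

```powershell
# Added example: audit (and optionally remediate) EnableICMPRedirect.
# Function and parameter names are hypothetical; the path, value name,
# REG_DWORD type and target value 0 come from the article.
function Test-IcmpRedirectHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [switch]$Remediate   # write the hardened value when non-compliant
    )

    $path = 'HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters'
    $name = 'EnableICMPRedirect'

    # Read the raw value and its type; both stay $null when the value is absent.
    $key        = Get-Item -Path $path
    $configured = $null
    $kind       = $null
    if ($key.GetValueNames() -contains $name) {
        $kind       = $key.GetValueKind($name)
        $configured = $key.GetValue($name)
    }

    # An absent value is treated as the default, which the article gives as
    # 1 (enabled). Only an explicit REG_DWORD 0 counts as compliant.
    $compliant = ($kind -eq 'DWord') -and ($configured -eq 0)

    if (-not $compliant -and $Remediate -and
        $PSCmdlet.ShouldProcess("$path\$name", 'Set to 0 (Disabled)')) {
        # -Force creates the value or overwrites it, correcting a wrong type.
        New-ItemProperty -Path $path -Name $name -PropertyType DWord `
            -Value 0 -Force | Out-Null
        return Test-IcmpRedirectHardening   # re-read to confirm the write
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Configured   = $configured
        ValueKind    = $kind
        Compliant    = $compliant
    }
}

Test-IcmpRedirectHardening                        # audit only
# Test-IcmpRedirectHardening -Remediate -WhatIf   # preview the change
```

Writing the value requires an elevated session. If a Group Policy object also defines this setting, the policy value will be reapplied at the next refresh, so the change belongs in the GPO.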

Best practices for configuring EnableICMPRedirect:

Disable ICMP redirect in Windows.

CIS Benchmark security setting: Ensure ‘MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes’ is set to ‘Disabled’ (Automated). The recommended state for this setting is: Disabled.

Be Audit Ready with Automated Hardening

Hardening this setting provides a standardized secure baseline for network devices and servers. Rather than relying on administrators to manually assess and assign proper values, automated hardening establishes a consistently secure posture across all devices.

Hardening the ICMP redirect setting provides exploit mitigation, secure configuration standardization, compliance benefits and centralized traffic control to limit security risks.


Ben Balkin
Ben Balkin is a professional writer and blogger specializing in technology and innovation. As a contributor to the Calcom blog, Ben shares practical insights, useful tips, and engaging articles designed to simplify complex processes and make advanced technological solutions accessible to everyone. His writing style is clear, insightful, and inspiring, reflecting his strong belief in technology's power to enhance quality of life and empower businesses.
