TCP/IP Stack Hardening

From: James Bowman (jim_at_drexel.edu)
Date: 12/19/03

    Date: 19 Dec 2003 19:02:31 -0000
    To: focus-ms@securityfocus.com

    Wondering if anyone has experienced issues after hardening the TCP/IP stack under Win2K server?

    Specifically, I'm wondering about the potential impact of applying:

    (pulled from previous posts - don't recall the original poster, but thanks...)

    HKLM\System\CurrentControlSet\Services\AFD\Parameters\DynamicBacklogGrowthDelta Dword:A
    HKLM\System\CurrentControlSet\Services\AFD\Parameters\EnableDynamicBacklog Dword:1
    HKLM\System\CurrentControlSet\Services\AFD\Parameters\MaximumDynamicBacklog Dword:4E20
    HKLM\System\CurrentControlSet\Services\AFD\Parameters\MinimumDynamicBacklog Dword:14
    HKLM\SYSTEM\CurrentControlSet\Services\DnsCache\Parameters\QueryIPMatching Dword:1
    HKLM\SYSTEM\CurrentControlSet\Services\MrxSmb\Parameter\RefuseReset Dword:1
    HKLM\SYSTEM\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand Dword:1
    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ArpAlwaysSourceRoute Dword:0
    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting Dword:2
    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableAddrMaskReply Dword:0
    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableBCastArpReply Dword:0
    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect Dword:0
    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime Dword:493E0
    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\MaxUserPort Dword:FFFE
    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect Dword:2
    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxConnectResponseRetransmissions Dword:2
    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxConnectRetransmissions Dword:2
    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxDataRetransmissions Dword:3
    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpenRetried Dword:190
    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpen Dword:1F4
    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TCPMaxPortsExhausted Dword:5

    Knowledge Base article 315669
    http://support.microsoft.com/default.aspx?scid=kb;en-us;315669
    SynAttackProtect = 2
    EnableDeadGWDetect=0
    EnablePMTUDiscovery=0
    KeepAliveTime=300 000 (5 minutes)
    NoNameReleaseOnDemand=1

    Knowledge Base article 142641
    http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/q142/6/41.asp&NoWebContent=1&NoWebContent=1
    TcpMaxConnectResponseRetransmissions=2
    BacklogIncrement=3 (NetBT)
    MaxConnBackLog=1000 (NetBT)
    For systems under attack:
    EnableDynamicBacklog=1
    MinimumDynamicBacklog=20
    MaximumDynamicBacklog<5000/32 MB RAM
    DynamicBacklogGrowthDelta=10
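As an added check that is not part of the original post: a read-only PowerShell audit that compares every value the post lists (the registry dump plus the two KB summaries) against the live registry and flags entries that are missing or have drifted, so the hardening can be verified instead of assumed. Variable and column names are mine; the hex DWORDs from the post are converted to decimal.

```powershell
# Added audit script, not from the original post. Reads each registry value the post
# lists and reports OK / DRIFT / MISSING against the post's values (hex -> decimal).
# It only reads; nothing is written. Run from an elevated PowerShell session.
$Afd   = 'HKLM:\SYSTEM\CurrentControlSet\Services\AFD\Parameters'
$Tcp   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$NetBT = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netbt\Parameters'

$Expected = @(
    @{ Path = $Afd;   Name = 'DynamicBacklogGrowthDelta'; Value = 10     }   # A
    @{ Path = $Afd;   Name = 'EnableDynamicBacklog';      Value = 1      }
    @{ Path = $Afd;   Name = 'MaximumDynamicBacklog';     Value = 20000  }   # 4E20
    @{ Path = $Afd;   Name = 'MinimumDynamicBacklog';     Value = 20     }   # 14
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\DnsCache\Parameters'; Name = 'QueryIPMatching'; Value = 1 }
    # Path copied verbatim from the post ("Parameter"); confirm the spelling against
    # Microsoft's documentation before relying on this line of the check.
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb\Parameter'; Name = 'RefuseReset'; Value = 1 }
    @{ Path = $NetBT; Name = 'NoNameReleaseOnDemand';     Value = 1      }
    @{ Path = $NetBT; Name = 'BacklogIncrement';          Value = 3      }   # KB 142641
    @{ Path = $NetBT; Name = 'MaxConnBackLog';            Value = 1000   }   # KB 142641
    @{ Path = $Tcp;   Name = 'ArpAlwaysSourceRoute';      Value = 0      }
    @{ Path = $Tcp;   Name = 'DisableIPSourceRouting';    Value = 2      }
    @{ Path = $Tcp;   Name = 'EnableAddrMaskReply';       Value = 0      }
    @{ Path = $Tcp;   Name = 'EnableBCastArpReply';       Value = 0      }
    @{ Path = $Tcp;   Name = 'EnableICMPRedirect';        Value = 0      }
    @{ Path = $Tcp;   Name = 'EnableDeadGWDetect';        Value = 0      }   # KB 315669
    @{ Path = $Tcp;   Name = 'EnablePMTUDiscovery';       Value = 0      }   # KB 315669
    @{ Path = $Tcp;   Name = 'KeepAliveTime';             Value = 300000 }   # 493E0 = 5 min
    @{ Path = $Tcp;   Name = 'MaxUserPort';               Value = 65534  }   # FFFE
    @{ Path = $Tcp;   Name = 'SynAttackProtect';          Value = 2      }
    @{ Path = $Tcp;   Name = 'TcpMaxConnectResponseRetransmissions'; Value = 2 }
    @{ Path = $Tcp;   Name = 'TcpMaxConnectRetransmissions';         Value = 2 }
    @{ Path = $Tcp;   Name = 'TcpMaxDataRetransmissions';            Value = 3 }
    @{ Path = $Tcp;   Name = 'TcpMaxHalfOpenRetried';     Value = 400    }   # 190
    @{ Path = $Tcp;   Name = 'TcpMaxHalfOpen';            Value = 500    }   # 1F4
    @{ Path = $Tcp;   Name = 'TCPMaxPortsExhausted';      Value = 5      }
)

$Report = foreach ($e in $Expected) {
    # Get-ItemProperty yields $null when the value (or its whole key) does not exist.
    $actual = (Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
    $state = if ($null -eq $actual)       { 'MISSING (OS default applies)' }
             elseif ($actual -eq $e.Value) { 'OK' }
             else                          { "DRIFT (found $actual)" }
    [pscustomobject]@{ Setting = "$($e.Path)\$($e.Name)"; Expected = $e.Value; State = $state }
}
$Report | Format-Table -AutoSize
```

MISSING means no explicit value is set and the operating system's built-in default is in effect; whether that default is acceptable depends on the Windows version being audited.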
