RE: TCP/IP Stack Hardening

From: Hoffmann, Aran (AHoffmann_at_cta.net)
Date: 12/19/03

    Date: Fri, 19 Dec 2003 10:12:23 -1000
    To: <focus-ms@securityfocus.com>

    I used to work in a data center with high security requirements and we
    applied all the referenced tcp/ip hardening to our Win2k servers. The
    results? Crappy network performance and file transfer timeouts but boy
    were we secure. As soon as we removed the hardening the network
    performance problems went away.

    -----Original Message-----
    From: James Bowman [mailto:jim@drexel.edu]
    Sent: Friday, December 19, 2003 9:03 AM
    To: focus-ms@securityfocus.com
    Subject: TCP/IP Stack Hardening

    Wondering if anyone has experienced issues after hardening the TCP/IP
    stack under Win2K server?

    Specifically, I'm wondering about the potential impact of applying:

    (pulled from previous posts - don't recall the original poster, but
    thanks...)

    HKLM\System\CurrentControlSet\Services\AFD\Parameters\DynamicBacklogGrowthDelta Dword:A
    HKLM\System\CurrentControlSet\Services\AFD\Parameters\EnableDynamicBacklog Dword:1
    HKLM\System\CurrentControlSet\Services\AFD\Parameters\MaximumDynamicBacklog Dword:4E20
    HKLM\System\CurrentControlSet\Services\AFD\Parameters\MinimumDynamicBacklog Dword:14
    HKLM\SYSTEM\CurrentControlSet\Services\DnsCache\Parameters\QueryIPMatching Dword:1
    HKLM\SYSTEM\CurrentControlSet\Services\MrxSmb\Parameter\RefuseReset Dword:1
    HKLM\SYSTEM\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand Dword:1
    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ArpAlwaysSourceRoute Dword:0
    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting Dword:2
    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableAddrMaskReply Dword:0
    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableBCastArpReply Dword:0
    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect Dword:0
    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime Dword:493E0
    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\MaxUserPort Dword:FFFE
    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect Dword:2
    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxConnectResponseRetransmissions Dword:2
    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxConnectRetransmissions Dword:2
    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxDataRetransmissions Dword:3
    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpenRetried Dword:190
    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpen Dword:1F4
    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TCPMaxPortsExhausted Dword:5

    Knowledge Base article 315669
    http://support.microsoft.com/default.aspx?scid=kb;en-us;315669
    SynAttackProtect = 2
    EnableDeadGWDetect=0
    EnablePMTUDiscovery=0
    KeepAliveTime=300 000 (5 minutes)
    NoNameReleaseOnDemand=1

    Knowledge Base article 142641
    http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/q142/6/41.asp&NoWebContent=1&NoWebContent=1
    TcpMaxConnectResponseRetransmissions=2
    BacklogIncrement=3 (NetBT)
    MaxConnBackLog=1000 (NetBT)
    For systems under attack:
    EnableDynamicBacklog=1
    MinimumDynamicBacklog=20
    MaximumDynamicBacklog<5000/32 MB RAM
    DynamicBacklogGrowthDelta=10

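A way to see which of the settings quoted above are actually in force on a host, so that a symptom like the timeouts described in the reply can be matched to the exact values present before anything is rolled back. This is an added example, not code from the thread; it assumes a current PowerShell and reproduces the registry paths exactly as posted (the MrxSmb path is copied verbatim, so confirm its spelling on the host).

```powershell
# Audit current registry values against the hardening list quoted in the thread.
# Added example; the Value column is the hex Dword from the post, not a recommendation of this script.
$Afd = 'HKLM:\SYSTEM\CurrentControlSet\Services\AFD\Parameters'
$Tcp = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$Recommended = @(
    @{ Path = $Afd; Name = 'DynamicBacklogGrowthDelta'; Value = 0xA },
    @{ Path = $Afd; Name = 'EnableDynamicBacklog';      Value = 0x1 },
    @{ Path = $Afd; Name = 'MaximumDynamicBacklog';     Value = 0x4E20 },
    @{ Path = $Afd; Name = 'MinimumDynamicBacklog';     Value = 0x14 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\DnsCache\Parameters'; Name = 'QueryIPMatching'; Value = 0x1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb\Parameter'; Name = 'RefuseReset'; Value = 0x1 },  # path as posted
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netbt\Parameters'; Name = 'NoNameReleaseOnDemand'; Value = 0x1 },
    @{ Path = $Tcp; Name = 'ArpAlwaysSourceRoute';   Value = 0x0 },
    @{ Path = $Tcp; Name = 'DisableIPSourceRouting'; Value = 0x2 },
    @{ Path = $Tcp; Name = 'EnableAddrMaskReply';    Value = 0x0 },
    @{ Path = $Tcp; Name = 'EnableBCastArpReply';    Value = 0x0 },
    @{ Path = $Tcp; Name = 'EnableICMPRedirect';     Value = 0x0 },
    @{ Path = $Tcp; Name = 'KeepAliveTime';          Value = 0x493E0 },
    @{ Path = $Tcp; Name = 'MaxUserPort';            Value = 0xFFFE },
    @{ Path = $Tcp; Name = 'SynAttackProtect';       Value = 0x2 },
    @{ Path = $Tcp; Name = 'TcpMaxConnectResponseRetransmissions'; Value = 0x2 },
    @{ Path = $Tcp; Name = 'TcpMaxConnectRetransmissions';         Value = 0x2 },
    @{ Path = $Tcp; Name = 'TcpMaxDataRetransmissions';            Value = 0x3 },
    @{ Path = $Tcp; Name = 'TcpMaxHalfOpenRetried';  Value = 0x190 },
    @{ Path = $Tcp; Name = 'TcpMaxHalfOpen';         Value = 0x1F4 },
    @{ Path = $Tcp; Name = 'TCPMaxPortsExhausted';   Value = 0x5 }
)

foreach ($r in $Recommended) {
    # A missing value means the stack's built-in default applies, which is a
    # different state from "set to a non-recommended value"; report both distinctly.
    $prop = Get-ItemProperty -Path $r.Path -Name $r.Name -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        $current = $null
        $state   = 'NOT SET (driver default)'
    } else {
        $current = $prop.($r.Name)
        $state   = if ($current -eq $r.Value) { 'HARDENED' } else { 'DIFFERS' }
    }
    [pscustomobject]@{
        Setting     = $r.Name
        Recommended = '0x{0:X}' -f $r.Value
        Current     = if ($null -ne $current) { '0x{0:X}' -f $current } else { '-' }
        State       = $state
    }
}
```

Run it elevated, and export the affected keys with `reg export` before changing any of them, so that the kind of rollback the reply describes is a single restore rather than a hunt for which values were touched.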
