RE: FW: TCP/IP Stack Hardening
From: Scott Cleven-Mulcahy (scottcm3_at_hotmail.com)
Date: 12/20/03
- Previous message: Frank Knobbe: "RE: TCP/IP Stack Hardening"
- Maybe in reply to: James Bowman: "TCP/IP Stack Hardening"
- Next in thread: Mike Shaw: "RE: TCP/IP Stack Hardening"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: AHoffmann@cta.net Date: Fri, 19 Dec 2003 17:24:18 -0600
I've not had that problem with those settings. I have seen improperly
configured network devices wreak havoc when various dynamic network
configuration settings are disabled. For example, routing devices that
don't return the MTU size of the next hop when a packet's MTU size is
too large. In those cases, re-enabling a dynamic configuration feature hid
the underlying problem. This is especially true of EnableICMPRedirect,
which I've seen "fix" a multi-homed server's improperly configured routing
table or default gateway.
Most of the settings produce faster responses or terminate a TCP connection
more quickly and result in better responsiveness.
The backlog settings can potentially hurt performance. However, setting
"EnableDynamicBacklog = 0x1" enables the feature which helps performance.
The other ones put constraints on how much memory the backlog can consume,
how quickly it grows, and the step at which it grows. When changing these
settings you need to be careful of how much memory you're letting the
backlog consume and the size of the growth delta. When the growth delta is
set too low, the server will suffer from having to constantly create new
connections.
MaxUserPort set to 65534 gives a server plenty of ports to use when acting
as a client and is about 10x larger than the default. My experience is that
application servers create a large number of client ports as they connect to
middle-tier or backend systems. It also helps mitigate poorly designed apps
that create a massive number of client connections.
Most of the remaining settings address well known DoS attacks, such as
RefuseReset and NoNameReleaseOnDemand and wouldn't have an impact on
performance.
Scott
>-----Original Message-----
>From: Hoffmann, Aran [mailto:AHoffmann@cta.net]
>Sent: Friday, December 19, 2003 2:12 PM
>To: focus-ms@securityfocus.com
>Subject: RE: TCP/IP Stack Hardening
>
>
>I used to work in a data center with high security requirements and we
>applied all the referenced tcp/ip hardening to our Win2k servers. The
>results? Crappy network performance and file transfer timeouts but boy
>were we secure. As soon as we removed the hardening the network
>performance problems went away.
>
>-----Original Message-----
>From: James Bowman [mailto:jim@drexel.edu]
>Sent: Friday, December 19, 2003 9:03 AM
>To: focus-ms@securityfocus.com
>Subject: TCP/IP Stack Hardening
>
>
>
>
>Wondering if anyone has experienced issues after hardening the TCP/IP
>stack under Win2K server?
>
>Specifically, I'm wondering about the potential impact of applying:
>
>(pulled from previous posts - don't recall the original poster, but
>thanks...)
>
>HKLM\System\CurrentControlSet\Services\AFD\Parameters\DynamicBacklogGrowthDelta Dword:A
>HKLM\System\CurrentControlSet\Services\AFD\Parameters\EnableDynamicBacklog Dword:1
>HKLM\System\CurrentControlSet\Services\AFD\Parameters\MaximumDynamicBacklog Dword:4E20
>HKLM\System\CurrentControlSet\Services\AFD\Parameters\MinimumDynamicBacklog Dword:14
>HKLM\SYSTEM\CurrentControlSet\Services\DnsCache\Parameters\QueryIPMatching Dword:1
>HKLM\SYSTEM\CurrentControlSet\Services\MrxSmb\Parameter\RefuseReset Dword:1
>HKLM\SYSTEM\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand Dword:1
>HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ArpAlwaysSourceRoute Dword:0
>HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting Dword:2
>HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableAddrMaskReply Dword:0
>HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableBCastArpReply Dword:0
>HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect Dword:0
>HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime Dword:493E0
>HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\MaxUserPort Dword:FFFE
>HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect Dword:2
>HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxConnectResponseRetransmissions Dword:2
>HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxConnectRetransmissions Dword:2
>HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxDataRetransmissions Dword:3
>HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpenRetried Dword:190
>HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpen Dword:1F4
>HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TCPMaxPortsExhausted Dword:5
>
>Knowledge Base-article - 315669
>http://support.microsoft.com/default.aspx?scid=kb;en-us;315669
>SynAttackProtect = 2
>EnableDeadGWDetect=0
>EnablePMTUDiscovery=0
>KeepAliveTime=300 000 (5 minutes)
>NoNameReleaseOnDemand=1
>
>Knowledge Base-article - 142641
>http://support.microsoft.com/default.aspx?scid=http://support.microsoft...
>com:80/support/kb/articles/q142/6/41.asp&NoWebContent=1&NoWebContent=1
>TcpMaxConnectResponseRetransmissions=2
>BacklogIncrement=3 (NetBT)
>MaxConnBackLog=1000 (NetBT)
>For systems under attack:
>EnableDynamicBacklog=1
>MinimumDynamicBacklog=20
>MaximumDynamicBacklog<5000/32 MB RAM
>DynamicBacklogGrowthDelta=10
>
>
>
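The settings quoted in the thread are a list of raw registry values, and the thread's argument is that some of them (the AFD backlog limits, EnableICMPRedirect, PMTU discovery) need to be checked against the box they land on rather than applied blindly. The following PowerShell script is an added example and is not code from any of the posts above: it audits a host against exactly the values listed in the quoted message (hex DWORDs converted to decimal), prints the thread's caveat next to the settings the posters warned about, and only writes anything when run with -Apply. It assumes a Windows host with PowerShell and the standard HKLM: registry provider; the value names are the Windows 2000-era ones from the posts, and whether a given name is still honored by the running TCP/IP stack is something the script cannot tell you.

```powershell
# Audit (and optionally apply) the TCP/IP hardening values quoted in this thread.
# Added example, not from the original posts. Run from an elevated prompt;
# without -Apply nothing is written. Supports -WhatIf through ShouldProcess.
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Apply)

$svc = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$afd = "$svc\AFD\Parameters"
$tcp = "$svc\Tcpip\Parameters"

# Expected values are the DWORDs from the quoted post, hex converted to decimal.
# Note carries the caveat raised in the thread for settings that can hide a
# problem or cost performance; blank means nobody in the thread flagged it.
$baseline = @(
    @{ Key = $afd; Name = 'EnableDynamicBacklog';      Value = 1;      Note = '' }
    @{ Key = $afd; Name = 'MinimumDynamicBacklog';     Value = 20;     Note = '' }
    @{ Key = $afd; Name = 'MaximumDynamicBacklog';     Value = 20000;  Note = 'bounds backlog memory; KB 142641 quoted as <5000 per 32 MB RAM' }
    @{ Key = $afd; Name = 'DynamicBacklogGrowthDelta'; Value = 10;     Note = 'too small and the backlog grows constantly' }
    @{ Key = "$svc\DnsCache\Parameters"; Name = 'QueryIpMatching';      Value = 1; Note = '' }
    @{ Key = "$svc\MrxSmb\Parameters";   Name = 'RefuseReset';          Value = 1; Note = '' }
    @{ Key = "$svc\Netbt\Parameters";    Name = 'NoNameReleaseOnDemand'; Value = 1; Note = '' }
    @{ Key = $tcp; Name = 'ArpAlwaysSourceRoute';      Value = 0;      Note = '' }
    @{ Key = $tcp; Name = 'DisableIPSourceRouting';    Value = 2;      Note = '' }
    @{ Key = $tcp; Name = 'EnableAddrMaskReply';       Value = 0;      Note = '' }
    @{ Key = $tcp; Name = 'EnableBCastArpReply';       Value = 0;      Note = '' }
    @{ Key = $tcp; Name = 'EnableICMPRedirect';        Value = 0;      Note = 'can expose a bad routing table on multi-homed hosts' }
    @{ Key = $tcp; Name = 'EnableDeadGWDetect';        Value = 0;      Note = '' }
    @{ Key = $tcp; Name = 'EnablePMTUDiscovery';       Value = 0;      Note = 'watch for transfer timeouts after disabling' }
    @{ Key = $tcp; Name = 'KeepAliveTime';             Value = 300000; Note = 'milliseconds (5 minutes)' }
    @{ Key = $tcp; Name = 'MaxUserPort';               Value = 65534;  Note = 'client-side ephemeral port ceiling' }
    @{ Key = $tcp; Name = 'SynAttackProtect';          Value = 2;      Note = '' }
    @{ Key = $tcp; Name = 'TcpMaxConnectResponseRetransmissions'; Value = 2; Note = '' }
    @{ Key = $tcp; Name = 'TcpMaxConnectRetransmissions'; Value = 2;   Note = '' }
    @{ Key = $tcp; Name = 'TcpMaxDataRetransmissions';  Value = 3;     Note = '' }
    @{ Key = $tcp; Name = 'TcpMaxHalfOpenRetried';     Value = 400;    Note = '' }
    @{ Key = $tcp; Name = 'TcpMaxHalfOpen';            Value = 500;    Note = '' }
    @{ Key = $tcp; Name = 'TcpMaxPortsExhausted';      Value = 5;      Note = '' }
)

$report = foreach ($s in $baseline) {
    $current = $null
    if (Test-Path -Path $s.Key) {
        # Get-ItemProperty returns $null (not an error) for a missing value name
        $item = Get-ItemProperty -Path $s.Key -Name $s.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $current = $item.($s.Name) }
    }

    $state = if ($null -eq $current)      { 'MISSING' }
             elseif ($current -eq $s.Value) { 'OK' }
             else                           { 'DIFF' }

    if ($Apply -and $state -ne 'OK' -and
        $PSCmdlet.ShouldProcess("$($s.Key)\$($s.Name)", "set DWORD to $($s.Value)")) {
        if (-not (Test-Path -Path $s.Key)) { New-Item -Path $s.Key -Force | Out-Null }
        # -Force overwrites an existing value of a different type or data
        New-ItemProperty -Path $s.Key -Name $s.Name -PropertyType DWord `
                         -Value $s.Value -Force | Out-Null
        $state = 'SET'
    }

    [pscustomobject]@{
        Setting  = $s.Name
        Expected = $s.Value
        Current  = $current
        State    = $state
        Note     = $s.Note
    }
}

$report | Format-Table -AutoSize
```

Run it once with no arguments to get the DIFF/MISSING list before touching anything, then with -Apply -WhatIf to see what would be written, and only then with -Apply. These values are read when the stack starts, so plan a reboot. The Note column is the part worth reading before applying: the thread's own experience was that a multi-homed host with a wrong default gateway only appeared to work because ICMP redirects were on, and that disabling PMTU discovery behind routers that do not report the next-hop MTU shows up as file transfer timeouts rather than as a clean failure.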