RE: TCP/IP Stack Hardening
dwr3ck_at_hushmail.com
Date: 12/22/03
- Previous message: dave kleiman: "RE: TCP/IP Stack Hardening"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 22 Dec 2003 06:13:23 -0800
To: AHoffmann@cta.net, jim@drexel.edu
I have found one item that seems to affect network performance across
slow WAN links.
PMTU Discovery = 0 (Microsoft security recommendation - disables discovery)
When PMTU discovery is disabled, a default MTU of 576 bytes is used for
all non-local destination IP addresses.
Changing the default MTU size from 576 to 1500 as you harden your servers
may resolve your performance issues for remote sites.
I would recommend against rolling back all settings at the first sign
of trouble. Sniff the traffic first to try to figure out the exact cause.
Also, hardening your dev environments first is a good place to start
but issues that hardening causes may not show up until they're implemented
on a production system with normal usage.
I used to work in a data center with high security requirements and we
applied all the referenced tcp/ip hardening to our Win2k servers. The
results? Crappy network performance and file transfer timeouts but boy
were we secure. As soon as we removed the hardening the network
performance problems went away.
-----Original Message-----
From: James Bowman [mailto:jim@drexel.edu]
Sent: Friday, December 19, 2003 9:03 AM
To: focus-ms@securityfocus.com
Subject: TCP/IP Stack Hardening
Wondering if anyone has experienced issues after hardening the TCP/IP
stack under Win2K server?
Specifically, I'm wondering about the potential impact of applying:
(pulled from previous posts - don't recall the original poster, but
thanks...)
HKLM\System\CurrentControlSet\Services\AFD\Parameters\DynamicBacklogGrowthDelta Dword:A
HKLM\System\CurrentControlSet\Services\AFD\Parameters\EnableDynamicBacklog Dword:1
HKLM\System\CurrentControlSet\Services\AFD\Parameters\MaximumDynamicBacklog Dword:4E20
HKLM\System\CurrentControlSet\Services\AFD\Parameters\MinimumDynamicBacklog Dword:14
HKLM\SYSTEM\CurrentControlSet\Services\DnsCache\Parameters\QueryIPMatching Dword:1
HKLM\SYSTEM\CurrentControlSet\Services\MrxSmb\Parameter\RefuseReset Dword:1
HKLM\SYSTEM\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand Dword:1
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ArpAlwaysSourceRoute Dword:0
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting Dword:2
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableAddrMaskReply Dword:0
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableBCastArpReply Dword:0
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect Dword:0
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime Dword:493E0
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\MaxUserPort Dword:FFFE
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect Dword:2
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxConnectResponseRetransmissions Dword:2
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxConnectRetransmissions Dword:2
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxDataRetransmissions Dword:3
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpenRetried Dword:190
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpen Dword:1F4
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TCPMaxPortsExhausted Dword:5
Knowledge Base-article - 315669
http://support.microsoft.com/default.aspx?scid=kb;en-us;315669
SynAttackProtect = 2
EnableDeadGWDetect=0
EnablePMTUDiscovery=0
KeepAliveTime=300 000 (5 minutes)
NoNameReleaseOnDemand=1
Knowledge Base-article - 142641
http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/q142/6/41.asp&NoWebContent=1&NoWebContent=1
TcpMaxConnectResponseRetransmissions=2
BacklogIncrement=3 (NetBT)
MaxConnBackLog=1000 (NetBT)
For systems under attack:
EnableDynamicBacklog=1
MinimumDynamicBacklog=20
MaximumDynamicBacklog<5000/32 MB RAM
DynamicBacklogGrowthDelta=10
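The thread lists the hardening values as raw registry paths and the reply warns that one of them (EnablePMTUDiscovery=0) forces a 576-byte MTU to every non-local address. The script below is an added example, not code from either poster: it reads the current values of a subset of the keys quoted above from HKLM, reports whether each one matches the thread's baseline, and attaches the reply's performance warning to the PMTU setting when it is found hardened. It assumes Windows PowerShell 5.1 or later with read access to HKLM; the function name, the `$Baseline` table and the `PerfNote` text are this example's own. The keys are the Windows 2000 ones from the thread; the rewritten TCP/IP stack in Windows Vista and later no longer reads several of them (SynAttackProtect and the TcpMaxHalfOpen family among them), so a "NotSet" result on a modern host is not by itself a finding.

```powershell
# Added example (not from the original thread): audit a host's TCP/IP hardening
# values against the baseline quoted in the thread and flag the setting the
# reply identifies as a WAN-performance risk (EnablePMTUDiscovery=0).
# Assumes Windows PowerShell 5.1+ and read access to HKLM. Function and
# variable names are this example's own, not from the thread.

$ServicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Baseline taken from the thread: key relative to $ServicesRoot, value name,
# expected DWORD. PerfNote carries the reply's warning for the risky setting.
$Baseline = @(
    [pscustomobject]@{ Key = 'AFD\Parameters';   Name = 'EnableDynamicBacklog';                 Expected = 0x1;     PerfNote = $null }
    [pscustomobject]@{ Key = 'AFD\Parameters';   Name = 'MinimumDynamicBacklog';                Expected = 0x14;    PerfNote = $null }
    [pscustomobject]@{ Key = 'AFD\Parameters';   Name = 'MaximumDynamicBacklog';                Expected = 0x4E20;  PerfNote = $null }
    [pscustomobject]@{ Key = 'AFD\Parameters';   Name = 'DynamicBacklogGrowthDelta';            Expected = 0xA;     PerfNote = $null }
    [pscustomobject]@{ Key = 'Tcpip\Parameters'; Name = 'SynAttackProtect';                     Expected = 0x2;     PerfNote = $null }
    [pscustomobject]@{ Key = 'Tcpip\Parameters'; Name = 'TcpMaxConnectResponseRetransmissions'; Expected = 0x2;     PerfNote = $null }
    [pscustomobject]@{ Key = 'Tcpip\Parameters'; Name = 'EnableICMPRedirect';                   Expected = 0x0;     PerfNote = $null }
    [pscustomobject]@{ Key = 'Tcpip\Parameters'; Name = 'DisableIPSourceRouting';               Expected = 0x2;     PerfNote = $null }
    [pscustomobject]@{ Key = 'Tcpip\Parameters'; Name = 'EnableDeadGWDetect';                   Expected = 0x0;     PerfNote = $null }
    [pscustomobject]@{ Key = 'Tcpip\Parameters'; Name = 'KeepAliveTime';                        Expected = 0x493E0; PerfNote = $null }
    [pscustomobject]@{ Key = 'Netbt\Parameters'; Name = 'NoNameReleaseOnDemand';                Expected = 0x1;     PerfNote = $null }
    [pscustomobject]@{ Key = 'Tcpip\Parameters'; Name = 'EnablePMTUDiscovery';                  Expected = 0x0;     PerfNote = 'PMTU discovery off: 576-byte MTU (536-byte TCP MSS) to every non-local address; expect slow WAN transfers' }
)

function Get-TcpipHardeningReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]] $Baseline,
        [string] $Root = $ServicesRoot
    )
    foreach ($item in $Baseline) {
        $path    = "$Root\$($item.Key)"
        $current = $null
        if (Test-Path -Path $path) {
            $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
            $prop  = $props.PSObject.Properties[$item.Name]
            # REG_DWORD is returned as a signed Int32; mask to the unsigned value so
            # constants at or above 0x80000000 compare correctly against the baseline.
            if ($null -ne $prop) { $current = [int64]$prop.Value -band 0xFFFFFFFF }
        }

        if ($null -eq $current) {
            $status = 'NotSet'        # value absent, the OS default applies
        } elseif ($current -eq $item.Expected) {
            $status = 'Hardened'
        } else {
            $status = 'Deviates'
        }

        $currentText = '-'
        if ($null -ne $current) { $currentText = '0x{0:X}' -f $current }

        # Only raise the performance note when the risky value is actually in force.
        $perfRisk = ''
        if ($item.PerfNote -and $status -eq 'Hardened') { $perfRisk = $item.PerfNote }

        [pscustomobject]@{
            Setting  = "$($item.Key)\$($item.Name)"
            Current  = $currentText
            Expected = '0x{0:X}' -f $item.Expected
            Status   = $status
            PerfRisk = $perfRisk
        }
    }
}

# Usage: one row per baseline entry; "Deviates" rows are drift from the hardening
# baseline, "PerfRisk" is non-empty only where the WAN-performance caveat applies.
Get-TcpipHardeningReport -Baseline $Baseline | Format-Table -AutoSize -Wrap
```

Run it from an elevated or at least HKLM-readable session before and after applying a hardening template; the before/after diff of the Status column is the record of what changed, which is what you want in hand before deciding, as the reply suggests, to sniff traffic rather than roll everything back at the first slow transfer.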