Re: IP Stack Hardening clarification
From: Steve Clark [MSFT] (bogus_at_microsoft.com)
Date: 04/18/05
- Next message: Leon2005: "Re: Windows 2003 SP1 Firewall on Domain Controller"
- Previous message: Tom Allen: "RE: Microsoft Security Bulletins for April 2005"
- In reply to: Steven L Umbach: "Re: IP Stack Hardening clarification"
- Next in thread: Steven L Umbach: "Re: IP Stack Hardening clarification"
- Reply: Steven L Umbach: "Re: IP Stack Hardening clarification"
- Reply: GeeB: "Re: IP Stack Hardening clarification"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 18 Apr 2005 09:40:58 -0700
Let me say this, about that. :)
We did indeed state in the 2003 "gold" Security guide that PMTU discovery
should be disabled. There will be notes in the upcoming 2003 SP1 update
that explain when *not* to do this. One example that leaps to mind is
using IPsec transport mode. You definitely do not want to disable PMTU
discovery in that case.
As to IP stack hardening in general, you need to understand that some of
those settings are stop-gap at best: no setting in particular will keep you
from getting DDoS'd off the net if someone wants to knock you off. I would
strongly encourage people to think of those as performance and stability
settings rather than providing outright protection from an attack.
"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:uBhyk86QFHA.248@TK2MSFTNGP15.phx.gbl...
> Usually if there is not a recommendation other than default settings, then
> the default setting is considered best choice or good enough at the time
> the article was written. The Windows 2003 Security Guide does recommend a
> setting of 0 for EnablePMTUDiscovery in chapter 3 page 139. Apparently a
> setting of 1 is best if fragmentation is a problem but 1 is the most
> secure. I would refer to documentation specific for SP1 for more
> information on settings for it. The links below may help. --- Steve
>
> http://www.microsoft.com/technet/security/prodtech/windowsserver2003/W2003HG/SGCH00.mspx
> --- W2003 Security guide
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/servicepack/overview.mspx
>
>
> "GeeB" <Geeb@newsgroup.nospam> wrote in message
> news:uwxegx5QFHA.2604@TK2MSFTNGP10.phx.gbl...
>> At these guides for TCP/IP stack hardening, the TCPMaxHalfOpen and
>> TCPMaxHalfOpenRetried don't specify a 'Recommendation' like the
>> remaining settings noted. So, what are the recommendations?
>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#EDAA
>>
>> http://www.microsoft.com/downloads/details.aspx?familyid=06c60bfe-4d37-4f50-8587-8b68d32fa6ee&displaylang=en
>>
>> If you also compare the above documents with KB 324270, they contradict
>> each other for the EnablePMTUDiscovery setting. The KB recommends 0,
>> while the doc recommends 1. Which one is correct?
>>
>> Also, the online guide does not reference the SP1 change for the
>> SynAttackProtect change, whereas the downloadable doc does.
>>
>>
>>
>
>
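An audit helper for the registry values this thread argues over, added here as an example (it is not code from the thread, from Microsoft, or from the Security Guide). It reads the four Tcpip\Parameters values named above, reports whether each is explicitly set or left at the OS default, and flags EnablePMTUDiscovery=0 on a host the caller marks as using IPsec transport mode, which is the case the MSFT reply says must keep PMTU discovery on. The `-UsesIPsecTransport` switch is an assumption supplied by the operator; the script does not detect IPsec policy itself.

```powershell
# Added audit helper, not from the thread. Reads the TCP/IP hardening values
# the thread discusses and surfaces the PMTU-discovery/IPsec caveat.
$TcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

function Get-TcpipHardeningSetting {
    param(
        [string]$Path = $TcpipParams,
        # Assumption: operator states whether this host uses IPsec transport mode.
        # When $true, EnablePMTUDiscovery=0 is reported as a problem per the thread.
        [bool]$UsesIPsecTransport = $false
    )
    # Value names as used in the Windows Server 2003 Security Guide discussion above.
    $names = 'EnablePMTUDiscovery', 'SynAttackProtect',
             'TcpMaxHalfOpen', 'TcpMaxHalfOpenRetried'
    foreach ($name in $names) {
        $item  = Get-ItemProperty -Path $Path -Name $name -ErrorAction SilentlyContinue
        $value = if ($null -ne $item) { $item.$name } else { $null }
        $note  = if ($null -eq $value) { 'not set; OS default applies' } else { 'explicitly set' }
        if ($name -eq 'EnablePMTUDiscovery' -and $value -eq 0 -and $UsesIPsecTransport) {
            # The thread's one concrete "do not do this" case.
            $note = 'WARNING: PMTU discovery disabled on an IPsec transport-mode host; re-enable'
        }
        [pscustomobject]@{ Name = $name; Value = $value; Note = $note }
    }
}

# Example run: treat this host as an IPsec transport-mode peer.
Get-TcpipHardeningSetting -UsesIPsecTransport $true | Format-Table -AutoSize
```

Run it in an elevated session on the host being reviewed; a row showing "not set" means the guide's hardening value was never applied and the stack default is in effect.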