Jump to content

Harden the TCP/IP Stack


streamer_

Recommended Posts

TCP/IP Registry Values That Harden the TCP/IP Stack

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs.

The following list describes the TCP/IP-related registry values that you can configure to harden the TCP/IP stack on computers that are directly connected to the Internet. All of these values are located under the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services NOTE: All values are in hexadecimal unless otherwise noted.

  • Value name: SynAttackProtect
    Key: Tcpip\Parameters
    Value Type: REG_DWORD
    Valid Range: 0,1,2
    Default: 0
    This registry value causes Transmission Control Protocol (TCP) to adjust retransmission of SYN-ACKS. When you configure this value, the connection responses time out more quickly in the event of a SYN attack (a type of denial of service attack).
    The following list describes the parameters that you can use with this registry value:
    • 0 (default value): Set SynAttackProtect to 0 for typical protection against SYN attacks.
    • 1: Set SynAttackProtect to 1 for better protection against SYN attacks. This parameter causes TCP to adjust the retransmission of SYN-ACKS. When you set SynAttackProtect to 1, connection responses time out more quickly if it appears that there is a SYN attack in progress. Windows uses the following values to determine if an attack is in progress:
      • TcpMaxPortsExhausted
      • TCPMaxHalfOpen
      • TCPMaxHalfOpenRetried

      Note The TcpMaxPortsExhausted registry key is obsolete in Windows XP SP2 and in later Windows operating systems. [*]2: Set SynAttackProtect to 2 for the best protection against SYN attacks. This value adds additional delays to connection indications, and TCP connection requests quickly timeout when a SYN attack is in progress. This parameter is the recommended setting.

      NOTE: The following socket options no longer work on any socket when you set the SynAttackProtect value to 2:

      • Scalable windows
      • TCP parameters that are configured on each adapter (including Initial RTT and window size)

    [*]Value name: EnableDeadGWDetect

    Key: Tcpip\Parameters

    Value Type: REG_DWORD

    Valid Range: 0, 1 (False, True)

    Default: 1 (True)

    The following list describes the parameters that you can use with this registry value:

    • 1: When you set EnableDeadGWDetect to 1, TCP is allowed to perform dead-gateway detection. When dead-gateway detection is enabled, TCP may ask the Internet Protocol (IP) to change to a backup gateway if a number of connections are experiencing difficulty. Backup gateways are defined in the Advanced section of the TCP/IP configuration dialog box in Network Control Panel.
    • 0: It is recommended that you set EnableDeadGWDetect to 0. If you do not set this value to 0, an attack could force the server to switch gateways and cause it to switch to an unintended gateway.
  • Value name: EnablePMTUDiscovery
    Key: Tcpip\Parameters
    Value Type: REG_DWORD
    Valid Range: 0, 1 (False, True)
    Default: 1 (True)
    The following list describes the parameters that you can use with this registry value:
    • 1: When you set EnablePMTUDiscovery to 1, TCP attempts to discover either the maximum transmission unit (MTU) or then largest packet size over the path to a remote host. TCP can eliminate fragmentation at routers along the path that connect networks with different MTUs by discovering the path MTU and limiting TCP segments to this size. Fragmentation adversely affects TCP throughput.
    • 0: It is recommended that you set EnablePMTUDiscovery to 0. When you do so, an MTU of 576 bytes is used for all connections that are not hosts on the local subnet. If you do not set this value to 0, an attacker could force the MTU value to a very small value and overwork the stack.
      Important Setting EnablePMTUDiscovery to 0 negatively affects TCP/IP performance and throughput. Even though Microsoft recommends this setting, it should not be used unless you are fully aware of this performance loss.

    [*]Value name: KeepAliveTime

    Key: Tcpip\Parameters

    Value Type: REG_DWORD-Time in milliseconds

    Valid Range: 1-0xFFFFFFFF

    Default: 7,200,000 (two hours)

    This value controls how often TCP attempts to verify that an idle connection is still intact by sending a keep-alive packet. If the remote computer is still reachable, it acknowledges the keep-alive packet. Keep-alive packets are not sent by default. You can use a program to configure this value on a connection. The recommended value setting is 300,000 (5 minutes).[*]Value name: NoNameReleaseOnDemand

    Key: Netbt\Parameters

    Value Type: REG_DWORD

    Valid Range: 0, 1 (False, True)

    Default: 0 (False)

    This value determines whether the computer releases its NetBIOS name when it receives a name-release request. This value was added to allow the administrator to protect the computer against malicious name-release attacks. It is recommended that you set the NoNameReleaseOnDemand value to 1 (the default value).

    Back up the registry

    You must be logged on as an administrator to perform these steps. If you aren't logged in as an administrator, you can only change settings that apply to your user account.

    Before you make changes to a registry key or subkey, we recommend that you export, or make a backup copy, of the key or subkey. You can save the backup copy to a location you specify, such as a folder on your hard disk or a removable storage device. If you make changes that you want to undo, you can import the backup copy.

    1. Open the Registry Editor by clicking the Start button, typing regedit into the search box, and then pressing Enter.‌ If you're prompted for an administrator password or confirmation, type the password or provide confirmation.
    2. Locate and click the key or subkey that you want to back up.
    3. Click the File menu, and then click Export.
    4. In the Save in box, select the location where you want to save the backup copy to, and then type a name for the backup file in the File name box.
    5. Click Save.

Link to comment
Share on other sites


  • Replies 4
  • Views 1.8k
  • Created
  • Last Reply

Nice one. In Microsoft Security Compliance manager have some baselines too (and a more easy way to apply i think).

Link to comment
Share on other sites


Archived

This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...