Improve Network Through Registry

Thursday, 18 July 2013

The DisablePagingExecutive value governs whether Windows will page the NT Executive to disk.
Setting this entry to 1 prevents pageable drivers and system code in the Windows NT Executive from being paged out to disk. This can improve response time on systems with very large amounts of physical memory (RAM), but only if enough RAM is installed; otherwise the server can become unstable, because the kernel loses the ability to reclaim that memory under pressure.
DisablePagingExecutive
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
Value: DisablePagingExecutive
Data Type: REG_DWORD
Range: 0 to 1
Default value: 0
Recommended value: 1
Value exists by default? Yes

The IRPStackSize value specifies the number of stack locations in I/O request packets (IRPs) that are used by Windows 2000 Server, Windows Server 2003, and Windows XP. You may have to increase this number for certain transports, for media access control (MAC) drivers, or for file system drivers; filter drivers such as antivirus products are the usual reason the default runs out, and the symptom is the "Not enough server storage is available to process this command" error on clients. Each stack location uses 36 bytes of memory for each receive buffer.
IRPStackSize
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Value: IRPStackSize
Data Type: REG_DWORD
Range: 11 to 50
Default value: 15
Recommended value: 32
Value exists by default? No, needs to be added.

The SizReqBuf value specifies the size in bytes of the raw receive buffers (work items) that the Server service uses. Small work items use less memory, but large work items can improve performance. The value that works best depends on the environment. For an optimal value, you might try increasing it as high as 0x4410 (17424 decimal); this has been shown to work well in a fairly standard Ethernet environment. However, values above 0x4000 (16384 decimal) have caused other problems on some servers, so 0x4000 is the safer starting point. By default, the value is 4356 bytes on servers with less than 512 MB of memory and 16384 bytes (16 KB) on servers with 512 MB or more. A larger receive buffer can improve performance on directory queries and similar commands, at the price of more memory per work item.
Increasing the SizReqBuf value can improve performance significantly in a high-latency environment. However, it also increases the non-paged pool memory used by the Server service, and non-paged pool cannot be reclaimed under memory pressure. If you increase the SizReqBuf value, monitor non-paged pool memory to make sure that the change does not adversely impact the server.
SizReqBuf
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Value: SizReqBuf
Data Type: REG_DWORD
Range: 1 to 65535
Default value: 16384 bytes on servers with 512 MB or more of physical memory; 4356 bytes on servers with less than 512 MB of physical memory.
Recommended value: 17424 bytes on servers with 512 MB or more of physical memory; 4356 bytes on servers with less than 512 MB of physical memory.
Value exists by default? No, needs to be added.
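The following PowerShell script is an added example, not part of the original page and not Microsoft's script. It applies the two LanmanServer values above the way a practitioner would: it snapshots the current state to a file first (so the change can be reverted), creates the values when they are absent (the page says neither exists by default), picks SizReqBuf from the page's 512 MB rule, and samples non-paged pool before and after the service restart, as the text advises. The key path and value names are the page's; the function names and the backup file location are this example's own choices.

```powershell
# Added example; not from the original page. Run in an elevated PowerShell.
# Applies IRPStackSize and SizReqBuf with a backup and a non-paged pool check.

$LanmanKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$BackupFile = Join-Path $env:TEMP 'lanman-parameters-backup.xml'   # example path

function Backup-RegistryValues {
    param([string]$Key, [string[]]$Names, [string]$OutFile)
    $snapshot = @{}
    foreach ($name in $Names) {
        $item = Get-ItemProperty -Path $Key -Name $name -ErrorAction SilentlyContinue
        # $null records "value was absent", so a restore knows to delete it again
        $snapshot[$name] = if ($item) { $item.$name } else { $null }
    }
    $snapshot | Export-Clixml -Path $OutFile
    return $snapshot
}

function Set-RegistryDword {
    param([string]$Key, [string]$Name, [uint32]$Value)
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    $existing = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $existing) {
        # Neither value exists by default, so create it explicitly as REG_DWORD
        New-ItemProperty -Path $Key -Name $Name -PropertyType DWord -Value $Value | Out-Null
    } else {
        Set-ItemProperty -Path $Key -Name $Name -Value $Value
    }
}

function Get-NonPagedPoolBytes {
    (Get-Counter -Counter '\Memory\Pool Nonpaged Bytes').CounterSamples[0].CookedValue
}

# SizReqBuf follows the RAM rule on the page: 17424 with 512 MB or more, else 4356
$ramBytes  = (Get-WmiObject -Class Win32_ComputerSystem).TotalPhysicalMemory
$sizReqBuf = if ($ramBytes -ge 512MB) { 17424 } else { 4356 }

$poolBefore = Get-NonPagedPoolBytes
Backup-RegistryValues -Key $LanmanKey -Names @('IRPStackSize', 'SizReqBuf') -OutFile $BackupFile | Out-Null
Set-RegistryDword -Key $LanmanKey -Name 'IRPStackSize' -Value 32
Set-RegistryDword -Key $LanmanKey -Name 'SizReqBuf'    -Value $sizReqBuf

# The Server service reads these at start-up. Restarting it drops every open SMB
# session on the box, so do this in a maintenance window (or reboot instead).
Restart-Service -Name LanmanServer -Force
Start-Sleep -Seconds 15
$poolAfter = Get-NonPagedPoolBytes

"Backup written to {0}" -f $BackupFile
"Non-paged pool: {0:N0} bytes before, {1:N0} bytes after" -f $poolBefore, $poolAfter
```

The pool sample taken fifteen seconds after the restart only shows the idle cost; re-run Get-NonPagedPoolBytes under representative client load, because the work items are allocated as sessions arrive.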

Review the following information to configure TCP/IP registry settings for optimal performance:

The DefaultTTL value specifies the default time-to-live (TTL) value set in the header of outgoing IP packets. The TTL determines the maximum amount of time that an IP packet may live in the network without reaching its destination. Because every router decrements it by one, it is effectively a limit on the number of hops an IP packet may traverse before being discarded. The initial TTL is also one of the signals passive OS fingerprinting tools use (128 is the usual Windows value), which is why some hardening guides lower it; 64 still leaves ample room for any realistic Internet path.
DefaultTTL
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Value: DefaultTTL
Data Type: REG_DWORD
Range: 1 to 255 (nominally seconds; in practice hops)
Default value: 128
Recommended value: 64
Value exists by default? No, needs to be added

The EnablePMTUDiscovery value governs whether TCP will attempt to discover the Maximum Transmission Unit (MTU), or largest packet size, for the entire path to a remote host. By discovering the Path MTU (PMTU) and limiting TCP segments to this size, TCP can eliminate packet fragmentation at routers along the path that connect networks with different MTUs. Fragmentation adversely affects TCP throughput and causes network congestion. Setting this parameter to 0 (off) causes an MTU of 576 bytes to be used for all connections to destinations other than the local subnet.
Important: This entry should not be set to 1 if the server is directly exposed to potential attackers, because a remote host can drive the discovered path MTU down with forged ICMP "fragmentation needed" messages and force the stack into fragmenting every segment. The value of 1 recommended here assumes the server sits behind a firewall; the hardening section later on this page recommends 0 for exposed hosts.
EnablePMTUDiscovery
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Value: EnablePMTUDiscovery
Data Type: REG_DWORD
Range: 0 to 1
Default value: 1
Recommended value: 1
Value exists by default? No, needs to be added.

The EnablePMTUBHDetect value governs whether TCP tries to detect black hole routers during Path MTU (maximum transmission unit) discovery. A black hole router silently drops packets that would need fragmenting but carry the Don't-Fragment bit, without returning the ICMP error that PMTU discovery depends on. Enabling black hole detection increases the maximum number of times TCP retransmits a given segment. If the value of this entry is 1, TCP recognizes when it has transmitted the same segment several times without receiving an acknowledgement. It then reduces the maximum segment size (MSS) to 536 bytes (the 576-byte minimum IP MTU less 40 bytes of headers, a size every router must pass) and sets the Don't-Fragment bit. If, as a result, receipt of the segment is acknowledged, TCP continues this practice in all subsequent transmissions on the connection. Note that the extra retransmissions apply to every unacknowledged segment, not only to those a black hole causes, so enabling it slows all loss recovery on the host.
EnablePMTUBHDetect
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Value: EnablePMTUBHDetect
Data Type: REG_DWORD
Range: 0 to 1
Default value: 0
Value exists by default? No, needs to be added.

The TcpMaxDupAcks value determines the number of duplicate ACKs that must be received for the same sequence number of sent data before fast retransmit is triggered to resend the segment that was dropped in transit. If you set the value of this entry to 1, the system retransmits a segment as soon as it receives an ACK for a segment with a sequence number lower than the one currently being sent. When data arrives with a sequence number greater than expected, the receiver assumes that the data with the expected number was dropped, and it immediately sends an ACK with the ACK number set to the expected sequence number. The receiver sends ACKs with the same missing number each time it receives a TCP segment whose sequence number is greater than expected. The sender recognizes the duplicate ACKs and resends the missing segment. The recommended value of 2 is also the default, but Windows Server 2003 does not add this entry to the registry, so it should be added.
TcpMaxDupAcks
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Value: TcpMaxDupAcks
Data Type: REG_DWORD
Range: 1 to 3
Default value: 2
Recommended value: 2
Value exists by default? No, needs to be added.

The Tcp1323Opts value governs whether TCP uses the timestamp and window scaling options described in RFC 1323, TCP Extensions for High Performance. Window scaling permits TCP to negotiate a scaling factor for the TCP receive window size, allowing a receive window of up to 1 GB. The TCP receive window is the amount of data that the sending host can have in flight on a connection before it must wait for an acknowledgment. Timestamps help TCP measure round-trip time (RTT) accurately in order to adjust retransmission timeouts; the option adds two 4-byte timestamp fields to the TCP header, one carrying the sender's clock value and one echoing the value last received from the remote host. This entry is a 2-bit bitmask: bit 0 (value 1) enables window scaling, and bit 1 (value 2) enables timestamps.
Tcp1323Opts
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Value: Tcp1323Opts
Data Type: REG_DWORD
Range: 0 to 3
Default value: (entry not present by default)
Recommended value: 1 (also consider 3 if high packet loss or frequent retransmits are occurring)
Value exists by default? No, needs to be added.

The SackOpts value governs whether the Selective Acknowledgment (SACK) feature of Windows Server 2003 TCP/IP is enabled. SACK is an optimizing feature based upon RFC 2018, TCP Selective Acknowledgement Options. SACK permits receipt acknowledgement of individual blocks of data in a continuous sequence, rather than just the last sequence number. When SACK is enabled, the recipient can tell the sender that one or more data blocks are missing from the middle of a sequence, and the sender can retransmit only the missing data.
SackOpts
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Value: SackOpts
Data Type: REG_DWORD
Range: 0 to 1
Default value: 1
Recommended value: 1
Value exists by default? No, needs to be added.

The MaxFreeTcbs value determines the number of TCP control blocks (TCBs) the system creates to support active connections. Because each connection requires a control block, this value determines how many active connections TCP can support simultaneously. If all control blocks are in use and more connection requests arrive, TCP can prematurely release connections in the TIME_WAIT state in order to free a control block for a new connection.
Note: If the value for this entry is increased, the MaxHashTableSize value should also be increased.
MaxFreeTcbs
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Value: MaxFreeTcbs
Data Type: REG_DWORD
Range: 0 to 4294967295
Default value: Varies with the system and the amount of physical memory on the computer.
Recommended value: 65535
Value exists by default? No, needs to be added.

The MaxHashTableSize value controls how fast the system can find a TCB and should be increased if the MaxFreeTcbs value is increased from its default value.
Note: This value should be set to a power of 2 (for example, 512, 1024, 2048, and so on). If it is not a power of 2, the system rounds the hash table up to the next power of 2 (for example, a setting of 513 is rounded up to 1024).
MaxHashTableSize
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Value: MaxHashTableSize
Data Type: REG_DWORD
Range: 64 to 65536
Default value: 512
Recommended value: 65536
Value exists by default? No, needs to be added.

The MaxUserPort value controls the maximum port number used when an application requests any available user (ephemeral) port from the system. Normally, short-lived ports are allocated in the range from 1024 through 5000. Setting this parameter to a value outside the valid range causes the nearest valid value to be used (5000 or 65534). Raising it is what lets a busy client or proxy hold more than roughly 4000 concurrent outbound connections; port exhaustion shows up as connect() failures such as WSAENOBUFS (10055).
MaxUserPort
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Value: MaxUserPort
Data Type: REG_DWORD
Range: 5000 to 65534
Default value: 5000
Recommended value: 65534
Value exists by default? No, needs to be added.

The TcpTimedWaitDelay value determines the length of time, in seconds, that a connection stays in the TIME_WAIT state when being closed. While a connection is in the TIME_WAIT state, the socket pair cannot be reused. This is also known as the 2MSL state because the value should be twice the maximum segment lifetime on the network. For more information, see Internet RFC 793 (http://go.microsoft.com/fwlink/?LinkId=113719). Lowering it to 30 seconds frees socket pairs faster under heavy connection churn (it pairs naturally with raising MaxUserPort), but it also shortens the window that keeps delayed segments from an old connection out of a new connection on the same pair; 30 is the minimum the stack accepts.
TcpTimedWaitDelay
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Value: TcpTimedWaitDelay
Data Type: REG_DWORD
Range: 30 to 300 (seconds)
Default value: 240
Recommended value: 30
Value exists by default? No, needs to be added.

The GlobalMaxTcpWindowSize value specifies the maximum size of the TCP receive window. The receive window specifies the number of bytes that a sender can transmit without receiving an acknowledgment. In general, larger receive windows improve performance over high-latency, high-bandwidth networks. For greatest efficiency, the receive window should be an even multiple of the TCP Maximum Segment Size. The TCP/IP stack of Windows Server 2003 was designed to tune itself in most environments. Instead of using a fixed size for the receive window, TCP negotiates for and adjusts to an even increment of the maximum segment size. Matching the receive window to even increments of the maximum segment size increases the percentage of full-sized TCP segments used during bulk data transmission.
Note: Setting this entry to a value greater than 64 KB only takes effect when connecting to other systems that support window scaling as described in Internet RFC 1323 (http://go.microsoft.com/fwlink/?LinkId=84406).

GlobalMaxTcpWindowSize
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Value: GlobalMaxTcpWindowSize
Data Type: REG_DWORD
Range: 0 to 1073741823
Default value: This value does not exist by default
Recommended value: 65535
Value exists by default? No, needs to be added.

The NumTCBTablePartitions value controls the number of TCB table partitions. The TCB table can be partitioned to improve scalability on multi-processor systems by reducing contention on the TCB table. This value should not be modified without a careful performance study. A suggested maximum value is (number of CPUs) * 4 (not counting hyper-threaded logical CPUs).
NumTCBTablePartitions
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Value: NumTCBTablePartitions
Data Type: REG_DWORD
Range: 1 to 65535
Default value:
Recommended value: Number of physical CPUs or physical CPU cores * 4 (not counting hyper-threaded CPUs)
Value exists by default? No, needs to be added.
The TcpAckFrequency value specifies the number of ACKs that can be outstanding before the delayed-ACK timer is ignored, that is, how many received segments the stack will accept before it must send an ACK regardless of the timer. Do not change the value of this entry before carefully studying the effect of different values in a test environment. Note that this is a per-interface entry (Microsoft KB 328890), so it lives under the interface GUID subkey, not directly under Tcpip\Parameters.
TcpAckFrequency
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\interfaceGUID
Value: TcpAckFrequency
Data Type: REG_DWORD
Range: 0 to 255
Default value: 2
Recommended value:
 * 5 for 100 Mbps networks
 * 13 for 1 Gbps networks
Value exists by default? No, needs to be added.

The SynAttackProtect value specifies whether the SYN flooding attack protection feature of TCP/IP is enabled. The feature detects symptoms of denial-of-service (DoS) attacks (SYN flooding) and responds by reducing the time that the server spends on connection requests that it cannot acknowledge. For more information about the SynAttackProtect registry entry, see the "Disable Windows Server 2003 Service Pack 1 and Service Pack 2 denial of service checking" section of Optimizing Operating System Performance.
SynAttackProtect
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Value: SynAttackProtect
Data Type: REG_DWORD
Range: 0 to 1 on Windows Server 2003 SP1 and later; 0 to 2 on earlier releases
Default value: 1 (protection on) on Windows Server 2003 SP1 and later, 0 otherwise
Recommended value: 0, and only on systems whose Web exposure is covered by other hardware or software providing denial of service (DoS) attack protection. On any host that accepts SYNs from untrusted networks without such a front end, leave protection enabled; the hardening guidance later on this page recommends exactly that.
Value exists by default? No, needs to be added.

The MTU value specifies the size of the maximum transmission unit (MTU) that TCP/IP uses for the network interface. The value of this entry takes precedence over the MTU that the network adapter detects dynamically. For more information about the MTU value, see Appendix A: TCP/IP Configuration Parameters (http://go.microsoft.com/fwlink/?LinkId=113716).
MTU
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\interfaceGUID
Value: MTU
Data Type: REG_DWORD
Range: 88 to the dynamically determined MTU (in bytes)
Default value: 4294967295 (0xFFFFFFFF, meaning use the MTU the adapter reports)
Recommended value: Determine the optimal MTU value as described in "Find the Optimal MTU" under "Applying registry settings with the network optimization Windows PowerShell script" (that procedure is not reproduced on this page). A value larger than the path actually carries causes fragmentation or, with Don't-Fragment set, silently dropped packets, so measure the path rather than guess.
Value exists by default? No, needs to be added.

The ForwardBufferMemory value specifies the size of the buffer that IP allocates for storing packet data in the router packet queue. Because packet queue data buffers are 256 bytes long, the value of this entry must be a multiple of 256. This entry and the three router-queue entries that follow only take effect when IP routing is enabled (IPEnableRouter = 1); the hardening section later on this page recommends leaving routing off on anything that is not a firewall.
ForwardBufferMemory
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Value: ForwardBufferMemory
Data Type: REG_DWORD
Range: 0 to 4294967295 (bytes, in 256-byte increments)
Default value: 74240
Recommended value: Set to 100 * the optimal MTU value, rounded up to a multiple of 256, as described in "Find the Optimal MTU" under "Applying registry settings with the network optimization Windows PowerShell script" (not reproduced on this page).
Value exists by default? No, needs to be added.

The MaxForwardBufferMemory value limits the total amount of memory that IP can allocate to store packet data in the router packet queue.
MaxForwardBufferMemory
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Value: MaxForwardBufferMemory
Data Type: REG_DWORD
Range: Dynamically determined MTU to 4294967295 (in bytes)
Default value: 2097152 (bytes)
Recommended value: Set to 100 * the optimal MTU value as described in "Find the Optimal MTU" under "Applying registry settings with the network optimization Windows PowerShell script" (not reproduced on this page). This value must be greater than or equal to the value specified for ForwardBufferMemory.
Value exists by default? No, needs to be added.

The NumForwardPackets value determines the number of IP packet headers that are allocated for the router packet queue. When all headers are in use, the system attempts to allocate more, up to the value configured for MaxNumForwardPackets. This value should be at least as large as the ForwardBufferMemory value divided by the maximum IP data size of the networks that are connected to the router. It should be no larger than the ForwardBufferMemory value divided by 256, because at least 256 bytes of forward buffer memory are used for each packet. The optimal number of forward packets for a given ForwardBufferMemory size depends on the type of traffic carried on the network and lies somewhere between these two values. This parameter is ignored, and no headers are allocated, if routing is not enabled.
NumForwardPackets
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Value: NumForwardPackets
Data Type: REG_DWORD
Range: 1 to 4294967295
Default value: 50
Recommended value: Set to 1/256 of the value specified for ForwardBufferMemory
Value exists by default? No, needs to be added.

The MaxNumForwardPackets value limits the total number of IP packet headers that can be allocated for the router packet queue. This value must be greater than or equal to the value of the NumForwardPackets entry.
MaxNumForwardPackets
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Value: MaxNumForwardPackets
Data Type: REG_DWORD
Range: 1 to 4294967295
Default value: 4294967295
Recommended value: Set to 1/256 of the value specified for ForwardBufferMemory
Value exists by default? No, needs to be added.

The TcpWindowSize value specifies the maximum size of the TCP receive window. The receive window specifies the number of bytes that a sender can transmit without receiving an acknowledgment. In general, larger receive windows improve performance over high-latency, high-bandwidth networks. For greatest efficiency, the receive window should be an even multiple of the TCP Maximum Segment Size. The TCP/IP stack of Windows Server 2003 was designed to tune itself in most environments. Instead of using a fixed size for the receive window, TCP negotiates for and adjusts to an even increment of the maximum segment size (MSS).
TcpWindowSize
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Value: TcpWindowSize
Data Type: REG_DWORD
Range: 0 to 4294967295 (bytes, in 256-byte increments)
Default value: The smallest of 65535, the value of the GlobalMaxTcpWindowSize registry entry, and 16384 rounded up to an even multiple of the TCP Maximum Segment Size (MSS).
Recommended value: The value closest to 64420 that is a multiple of the MSS (on standard 1500-byte Ethernet, where the MSS is 1460, that is 64240).
Value exists by default? No, needs to be added.
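The following PowerShell is an added example; it is not Microsoft's "Find the Optimal MTU" script and is not part of the original page. It finds the largest ICMP payload that crosses the path with the Don't-Fragment bit set (the standard ping -f technique), derives the MTU and MSS from it, and then computes the values that the MTU, ForwardBufferMemory, MaxForwardBufferMemory, NumForwardPackets, MaxNumForwardPackets and TcpWindowSize entries above express only as formulas. The function names, the target host name and the search bounds are this example's own assumptions.

```powershell
# Added example; not part of the original page. Run from the host being tuned.
# Binary-searches the largest unfragmented ICMP payload to a target, derives the
# MTU, and computes the dependent registry values described above.

function Find-OptimalMtu {
    param(
        [string]$Target,
        [int]$Low  = 0,      # a payload size known to pass
        [int]$High = 9000    # upper bound; covers jumbo frames, narrow it for speed
    )
    $overhead = 28           # 20-byte IPv4 header + 8-byte ICMP echo header
    while ($High - $Low -gt 1) {
        $mid = [int][math]::Floor(($Low + $High) / 2)
        # -f sets Don't-Fragment, -l is the payload size, -w is the per-reply timeout (ms)
        $out = & ping.exe -f -l $mid -n 1 -w 1000 $Target 2>&1 | Out-String
        if ($out -match 'needs to be fragmented') {
            $High = $mid     # the local stack or a router refused it: too big
        } elseif ($out -match 'TTL=') {
            $Low = $mid      # an echo reply came back: this size fits
        } else {
            # No reply at all: a black-hole hop that drops oversize DF packets silently,
            # or ICMP filtering. Treat it as too big so the search still converges.
            $High = $mid
        }
    }
    return $Low + $overhead
}

function Get-DerivedTcpValues {
    param([int]$Mtu)
    $mss = $Mtu - 40                                    # 20-byte IP + 20-byte TCP header
    # ForwardBufferMemory must be a multiple of 256 (the packet-queue buffer size)
    $forwardBuffer = [int]([math]::Ceiling((100 * $Mtu) / 256) * 256)
    New-Object PSObject -Property @{
        MTU                    = $Mtu
        MSS                    = $mss
        # largest multiple of the MSS that fits a 16-bit window (64240 on 1500-byte Ethernet)
        TcpWindowSize          = [int]([math]::Floor(65535 / $mss) * $mss)
        ForwardBufferMemory    = $forwardBuffer
        MaxForwardBufferMemory = $forwardBuffer         # must be >= ForwardBufferMemory
        NumForwardPackets      = $forwardBuffer / 256   # one 256-byte buffer per queued packet
        MaxNumForwardPackets   = $forwardBuffer / 256   # must be >= NumForwardPackets
    }
}

# 'gateway.example.internal' is a placeholder; use a host on the far side of the path you care about
$mtu = Find-OptimalMtu -Target 'gateway.example.internal'
"Optimal MTU to target: $mtu"
Get-DerivedTcpValues -Mtu $mtu
```

If a firewall drops ICMP entirely the search converges on the lower bound and reports a uselessly small MTU, so compare the result with the adapter's own MTU before writing it to the registry; on plain Ethernet the expected answer is 1500, which yields an MSS of 1460, a TcpWindowSize of 64240 and a ForwardBufferMemory of 150016 (586 packet headers).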

The EnableDynamicBacklog value is a global switch that enables AFD.SYS functionality to withstand large numbers of SYN_RCVD connections efficiently. For more information, see Microsoft Knowledge Base Article 142641, "Internet Server Unavailable Because of Malicious SYN Attacks" (http://go.microsoft.com/fwlink/?LinkId=158218).
EnableDynamicBacklog
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters
Value: EnableDynamicBacklog
Data Type: REG_DWORD
Range: 0 to 1
Default value: 0
Recommended value: 1
Value exists by default? No, needs to be added.

The MinimumDynamicBacklog value specifies the minimum number of free connections allowed on a listening endpoint. If the number of free connections drops below this value, a thread is queued to create additional free connections.
MinimumDynamicBacklog
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters
Value: MinimumDynamicBacklog
Data Type: REG_DWORD
Range: 0 to 4294967295
Default value: This value does not exist by default
Recommended value: 20
Value exists by default? No, needs to be added.

The MaximumDynamicBacklog value controls the maximum number of "quasi-free" connections allowed on a listening endpoint. "Quasi-free" connections include the free connections plus those in a half-connected (SYN_RECEIVED) state. No attempt is made to create additional free connections if doing so would exceed this value. To take advantage of the changes to Afd.sys, Windows Sockets applications must specifically request a backlog greater than the value configured for MinimumDynamicBacklog when they issue a listen() call. Microsoft applications, such as Internet Information Services (IIS), which has a default backlog of 25, are configurable.
MaximumDynamicBacklog
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters
Value: MaximumDynamicBacklog
Data Type: REG_DWORD
Range: 0 to 4294967295
Default value: This value does not exist by default
Recommended value: 20000
Value exists by default? No, needs to be added.

The DynamicBacklogGrowthDelta value controls the number of free connections to create when additional connections are necessary. Be careful with this value: a very large value leads to explosive free-connection allocations, which is itself a memory exhaustion vector under a SYN flood.
DynamicBacklogGrowthDelta
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters
Value: DynamicBacklogGrowthDelta
Data Type: REG_DWORD
Range: 0 to 4294967295
Default value: This value does not exist by default
Recommended value: 10
Value exists by default? No, needs to be added.

How To: Harden the TCP/IP Stack

This How To is divided into sections that address specific types of denial of service protections that apply to the network.
Those sections are:
 * What You Must Know
 * Protect Against SYN Attacks
 * Protect Against ICMP Attacks
 * Protect Against SNMP Attacks
 * AFD.SYS Protections
 * Additional Protections
 * Pitfalls
What You Must Know
TCP/IP is an inherently insecure protocol. However, the Windows 2000 and Windows Server 2003 implementation allows you to configure its operation to counter network denial of service attacks. Some of the keys and values referred to in this How To may not exist by default.
In those cases, create the key, value, and value data.
Protect Against SYN Attacks
A SYN attack exploits the TCP three-way handshake: the server must hold state for every half-open connection until the handshake completes or times out.
To mount a SYN flood attack, an attacker uses a program to send a flood of TCP SYN requests, typically from spoofed source addresses so that the SYN-ACKs are never answered, to fill the pending connection queue on the server.
This prevents other users from establishing network connections.
To protect the network against SYN attacks, follow these generalized steps, explained later in this document:

 * Enable SYN attack protection
 * Set SYN protection thresholds
 * Set additional protections
Enable SYN Attack Protection

The named value to enable SYN attack protection is located beneath the registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Value name: SynAttackProtect
Recommended value: 2
Valid values: 0, 1, 2 (on Windows Server 2003 SP1 and later only 0 and 1 are defined, and 1 is the default)
Description: Causes TCP to adjust retransmission of SYN-ACKs.
When you configure this value, connection responses time out more quickly in the event of a SYN attack.
Protection is triggered when the values of TcpMaxHalfOpen or TcpMaxHalfOpenRetried are exceeded.

Set SYN Protection Thresholds
The following values determine the thresholds at which SYN protection is triggered.
All of the values in this section are under the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
These values are:

Value name: TcpMaxPortsExhausted
Recommended value: 5
Valid values: 0 to 65535
Description: Specifies the number of refused TCP connection requests (SYNs that could not be queued because the listen backlog was full) that must be exceeded before SYN flood protection is triggered.

Value name: TcpMaxHalfOpen
Recommended value data: 500
Valid values: 100 to 65535
Description: When SynAttackProtect is enabled, this value specifies the threshold of TCP connections in the SYN_RCVD state. When this threshold is exceeded, SYN flood protection is triggered.

Value name: TcpMaxHalfOpenRetried
Recommended value data: 400
Valid values: 80 to 65535
Description: When SynAttackProtect is enabled, this value specifies the threshold of TCP connections in the SYN_RCVD state for which at least one retransmission of the SYN-ACK has been sent. When this threshold is exceeded, SYN flood protection is triggered.
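The PowerShell below is an added example, not part of the MSDN How To. It shows what the thresholds above are compared against: it counts half-open (SYN_RECEIVED) connections from netstat, groups them by remote source and local port, and reports whether the page's TcpMaxHalfOpen value would have been crossed. The function names are this example's. netstat does not show which half-open connections have already had a SYN-ACK retransmitted, so TcpMaxHalfOpenRetried cannot be measured this way.

```powershell
# Added example; not from the original How To. Measures the half-open connection
# count that TcpMaxHalfOpen is compared against and shows where the SYNs come from.

function Get-HalfOpenConnections {
    # -n skips reverse DNS (which stalls badly under a flood); -p tcp limits output to IPv4 TCP
    $lines = & netstat.exe -n -p tcp
    foreach ($line in $lines) {
        # Data rows look like: "  TCP    10.0.0.5:80    203.0.113.9:51234    SYN_RECEIVED"
        $cols = $line.Trim() -split '\s+'
        if ($cols.Count -eq 4 -and $cols[0] -eq 'TCP' -and $cols[3] -eq 'SYN_RECEIVED') {
            New-Object PSObject -Property @{
                LocalPort = ($cols[1] -split ':')[-1]
                RemoteIP  = ($cols[2] -split ':')[0]
            }
        }
    }
}

function Test-SynThresholds {
    param(
        [object[]]$HalfOpen,
        [int]$TcpMaxHalfOpen = 500,   # the page's recommended threshold
        [int]$TopN = 10
    )
    $total    = @($HalfOpen).Count
    $bySource = @($HalfOpen | Group-Object -Property RemoteIP  | Sort-Object -Property Count -Descending)
    $byPort   = @($HalfOpen | Group-Object -Property LocalPort | Sort-Object -Property Count -Descending)
    New-Object PSObject -Property @{
        HalfOpenTotal      = $total
        ExceedsMaxHalfOpen = ($total -gt $TcpMaxHalfOpen)
        # Many distinct sources with one or two SYNs each is the signature of spoofed flooding
        DistinctSources    = $bySource.Count
        TopSources         = $bySource | Select-Object -First $TopN -Property Name, Count
        TopLocalPorts      = $byPort   | Select-Object -First $TopN -Property Name, Count
    }
}

$halfOpen = @(Get-HalfOpenConnections)
Test-SynThresholds -HalfOpen $halfOpen | Format-List
```

Run it every few seconds during a realistic load test to learn the host's normal half-open count, then set TcpMaxHalfOpen with margin above that figure; a threshold below the legitimate peak turns the protection itself into a self-inflicted outage, which is the trap the Pitfalls section at the end of this How To warns about.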

Set Additional Protections
All the values in this section are located under the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
These values are:

Value name: TcpMaxConnectResponseRetransmissions
Recommended value data: 2
Valid values: 0 to 255
Description: Controls how many times a SYN-ACK is retransmitted before the attempt is cancelled when responding to a SYN request. Fewer retransmissions mean half-open entries created by spoofed SYNs are discarded sooner.

Value name: TcpMaxDataRetransmissions
Recommended value data: 2
Valid values: 0 to 65535
Description: Specifies the number of times that TCP retransmits an individual data segment (not connection request segments) before aborting the connection. The default is 5; 2 drops connections to lossy or slow clients much sooner, which is the trade-off the Pitfalls section warns about.

Value name: EnablePMTUDiscovery
Recommended value data: 0
Valid values: 0, 1
Description: Setting this value to 1 (the default) makes TCP discover the maximum transmission unit, or largest packet size, over the path to a remote host. An attacker can force packet fragmentation, which overworks the stack. Specifying 0 forces an MTU of 576 bytes for connections to hosts not on the local subnet.

Value name: KeepAliveTime
Recommended value data: 300000
Valid values: 80 to 4294967295 (milliseconds)
Description: Specifies how often TCP attempts to verify that an idle connection is still intact by sending a keep-alive packet. 300000 is 5 minutes; the default is 7200000 (2 hours), so idle connections held by a dead or hostile peer are reclaimed far sooner.

Set NetBIOS Protections
All the values in this section are located under the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
These values are:

Value name: NoNameReleaseOnDemand
Recommended value data: 1
Valid values: 0, 1
Description: Specifies that the computer does not release its NetBIOS name when it receives a name-release request. This blocks the spoofed name-release attack, in which an unauthenticated datagram makes the host give up its name and stop answering as it.

Use the values that are summarized in Table 1 for maximum protection.
Table 1 Recommended Values

Value Name :  Value (REG_DWORD)
SynAttackProtect  2
TcpMaxPortsExhausted  5
TcpMaxHalfOpen  500
TcpMaxHalfOpenRetried  400
TcpMaxConnectResponseRetransmissions  2
TcpMaxDataRetransmissions  2
EnablePMTUDiscovery  0
KeepAliveTime  300000 (5 minutes)
NoNameReleaseOnDemand  1 (under NetBT\Parameters, not Tcpip\Parameters)
Protect Against ICMP Attacks
The named value in this section is under the registry key
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters

Value: EnableICMPRedirect
Recommended value data: 0
Valid values: 0 (disabled), 1 (enabled)
Description: Setting this value to 0 stops the stack from creating host routes when an ICMP redirect packet is received. Besides the cost of those routes, honouring redirects lets an on-link attacker steer the host's traffic for a destination through a machine the attacker controls.

Use the value summarized in Table 2 for maximum protection:
Table 2 Recommended Values

Value Name :  Value (REG_DWORD)
EnableICMPRedirect  0
Protect Against SNMP Attacks
The named value in this section is located under the registry key HKLM\System\CurrentControlSet\Services\Tcpip\Parameters. (Despite the heading, the setting concerns dead gateway detection rather than SNMP.)

Value: EnableDeadGWDetect
Recommended value data: 0
Valid values: 0 (disabled), 1 (enabled)
Description: Prevents an attacker from forcing a switch to a secondary gateway. With detection enabled, enough failed TCP retransmissions make the stack fail over to the next configured default gateway; an attacker who can induce those failures can push the host's traffic onto a gateway of their choosing.

Use the value summarized in Table 3 for maximum protection.
Table 3 Recommended Values

Value Name :  Value (REG_DWORD)
EnableDeadGWDetect  0
AFD.SYS Protections
The following values specify parameters for the kernel mode driver Afd.sys. Afd.sys is used to support Windows Sockets applications. All of the values in this section are located under the registry key HKLM\System\CurrentControlSet\Services\AFD\Parameters.
These values are:

Value: EnableDynamicBacklog
Recommended value data: 1
Valid values: 0 (disabled), 1 (enabled)
Description: Enables AFD.SYS functionality to withstand large numbers of SYN_RCVD connections efficiently. For more information, see "Internet Server Unavailable Because of Malicious SYN Attacks," at http://support.microsoft.com/default.aspx?scid=kb;en-us;142641.

Value name: MinimumDynamicBacklog
Recommended value data: 20
Valid values: 0 to 4294967295
Description: Specifies the minimum number of free connections allowed on a listening endpoint. If the number of free connections drops below this value, a thread is queued to create additional free connections.

Value name: MaximumDynamicBacklog
Recommended value data: 20000
Valid values: 0 to 4294967295
Description: Specifies the maximum total of free connections plus those in the SYN_RCVD state. Note that 0 here would forbid any growth at all; 20000 is the value Knowledge Base article 142641 recommends and the value given for this entry earlier on this page.

Value name: DynamicBacklogGrowthDelta
Recommended value data: 10
Valid values: 0 to 4294967295
Present by default: No
Description: Specifies the number of free connections to create when additional connections are necessary.

Use the values summarized in Table 4 for maximum protection.
Table 4 Recommended Values

Value Name :  Value (REG_DWORD)
EnableDynamicBacklog  1
MinimumDynamicBacklog  20
MaximumDynamicBacklog  20000
DynamicBacklogGrowthDelta  10
Additional Protections
All of the values in this section are located under the registry key HKLM\System\CurrentControlSet\Services\Tcpip\Parameters.
Protect Screened Network Details
Network Address Translation (NAT) is used to screen a network from incoming connections. An attacker can circumvent this screen and map the network topology using IP source routing.

Value: DisableIPSourceRouting
Recommended value data: 1
Valid values: 0 (forward all packets), 1 (do not forward source-routed packets), 2 (drop all incoming source-routed packets).
Description: Disables IP source routing, which lets a sender dictate the route a datagram takes through the network. 1 stops the host from forwarding such packets; 2 also refuses source-routed packets addressed to the host itself and is the stronger choice where nothing legitimately uses source routing.
Do Not Forward Packets Destined for Multiple Hosts
Multicast packets may be responded to by multiple hosts, resulting in responses that can flood a network.

Value: EnableMulticastForwarding
Recommended value data: 0
Valid range: 0 (false), 1 (true)
Description: The routing service uses this parameter to control whether IP multicasts are forwarded. This parameter is created by the Routing and Remote Access Service.
Only Firewalls Forward Packets Between Networks
A multi-homed server must not forward packets between the networks it is connected to. The obvious exception is the firewall.

Value: IPEnableRouter
Recommended value data: 0
Valid range: 0 (false), 1 (true)
Description: Setting this parameter to 1 (true) causes the system to route IP packets between the networks to which it is connected.
Mask Network Topology Details
The subnet mask of a host can be requested using ICMP packets. This disclosure of information is harmless by itself; however, the responses of multiple hosts can be used to build knowledge of the internal network.

Value: EnableAddrMaskReply
Recommended value data: 0
Valid range: 0 (false), 1 (true)
Description: This parameter controls whether the computer responds to an ICMP address mask request.

Use the values summarized in Table 5 for maximum protection
Table 5 Recommended Values

Value Name :  Value (REG_DWORD)
DisableIPSourceRouting  1
EnableMulticastForwarding  0
IPEnableRouter  0
EnableAddrMaskReply  0
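The PowerShell below is an added example, not part of the MSDN How To. It audits a host against Tables 1 through 5 above and reports every value that is missing or differs, which is the check a practitioner wants before and after rolling these settings out. It is read-only. The function name, the $Baseline layout and the non-zero exit code are this example's own choices; the expected values and key paths come from the tables on this page.

```powershell
# Added example; not from the original How To. Audits the registry against the
# hardening tables above and reports MISSING or DRIFT for each entry. Read-only.

$TcpipKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$NetbtKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
$AfdKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\AFD\Parameters'

$Baseline = @(
    @{ Key = $TcpipKey; Name = 'SynAttackProtect';                     Expected = 2 },
    @{ Key = $TcpipKey; Name = 'TcpMaxPortsExhausted';                 Expected = 5 },      # per the entry text above
    @{ Key = $TcpipKey; Name = 'TcpMaxHalfOpen';                       Expected = 500 },
    @{ Key = $TcpipKey; Name = 'TcpMaxHalfOpenRetried';                Expected = 400 },
    @{ Key = $TcpipKey; Name = 'TcpMaxConnectResponseRetransmissions'; Expected = 2 },
    @{ Key = $TcpipKey; Name = 'TcpMaxDataRetransmissions';            Expected = 2 },
    @{ Key = $TcpipKey; Name = 'EnablePMTUDiscovery';                  Expected = 0 },
    @{ Key = $TcpipKey; Name = 'KeepAliveTime';                        Expected = 300000 },
    @{ Key = $NetbtKey; Name = 'NoNameReleaseOnDemand';                Expected = 1 },
    @{ Key = $TcpipKey; Name = 'EnableICMPRedirect';                   Expected = 0 },
    @{ Key = $TcpipKey; Name = 'EnableDeadGWDetect';                   Expected = 0 },
    @{ Key = $AfdKey;   Name = 'EnableDynamicBacklog';                 Expected = 1 },
    @{ Key = $AfdKey;   Name = 'MinimumDynamicBacklog';                Expected = 20 },
    @{ Key = $AfdKey;   Name = 'MaximumDynamicBacklog';                Expected = 20000 },  # KB 142641 value, as given earlier on the page
    @{ Key = $AfdKey;   Name = 'DynamicBacklogGrowthDelta';            Expected = 10 },
    @{ Key = $TcpipKey; Name = 'DisableIPSourceRouting';               Expected = 1 },
    @{ Key = $TcpipKey; Name = 'EnableMulticastForwarding';            Expected = 0 },
    @{ Key = $TcpipKey; Name = 'IPEnableRouter';                       Expected = 0 },
    @{ Key = $TcpipKey; Name = 'EnableAddrMaskReply';                  Expected = 0 }
)

function Test-TcpHardening {
    param([hashtable[]]$Baseline)
    foreach ($entry in $Baseline) {
        $item = Get-ItemProperty -Path $entry.Key -Name $entry.Name -ErrorAction SilentlyContinue
        $actual = $null
        if ($null -ne $item) { $actual = $item.($entry.Name) }
        # A missing value means the stack runs on its built-in default, which for most of
        # these entries is the less protective setting, so it is reported as a finding.
        $state = 'OK'
        if ($null -eq $actual)               { $state = 'MISSING' }
        elseif ($actual -ne $entry.Expected) { $state = 'DRIFT' }
        New-Object PSObject -Property @{
            Key      = $entry.Key -replace '^HKLM:\\SYSTEM\\CurrentControlSet\\Services\\', ''
            Name     = $entry.Name
            Expected = $entry.Expected
            Actual   = $actual
            State    = $state
        }
    }
}

$report   = @(Test-TcpHardening -Baseline $Baseline)
$report | Sort-Object State, Key, Name | Format-Table -Property State, Key, Name, Expected, Actual -AutoSize
$findings = @($report | Where-Object { $_.State -ne 'OK' })
"{0} of {1} values match the tables" -f ($report.Count - $findings.Count), $report.Count
# Non-zero exit code so a scheduled job or a build-time check fails when anything is off
if ($findings.Count -gt 0) { exit 1 }
```

On Windows Server 2003 SP1 and later the stack only defines SynAttackProtect values 0 and 1, so a DRIFT report of Actual = 1 against the table's 2 is the expected result there rather than a misconfiguration; adjust the baseline for those hosts.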

Pitfalls
When testing these changes, test against the network volumes you expect in production. These settings move the thresholds of what the stack considers normal away from the tested defaults. Some may be too tight to support clients reliably if connection speed and loss vary greatly between clients (TcpMaxDataRetransmissions = 2 is the usual offender), so measure before and after, keep a backup of the previous values, and roll the changes out in stages.
 
