Focus on Microsoft
RE: TCP/IP Stack Hardening Dec 19 2003 08:12PM
Hoffmann, Aran (AHoffmann cta net) (3 replies)
I used to work in a data center with high security requirements and we
applied all the referenced tcp/ip hardening to our Win2k servers. The
results? Crappy network performance and file transfer timeouts but boy
were we secure. As soon as we removed the hardening the network
performance problems went away.

-----Original Message-----
From: James Bowman [mailto:jim (at) drexel (dot) edu [email concealed]]
Sent: Friday, December 19, 2003 9:03 AM
To: focus-ms (at) securityfocus (dot) com [email concealed]
Subject: TCP/IP Stack Hardening

Wondering if anyone has experienced issues after hardening the TCP/IP
stack under Win2K server?

Specifically, I'm wondering about the potential impact of applying:

(pulled from previous posts - don't recall the original poster, but
thanks...)

HKLM\System\CurrentControlSet\Services\AFD\Parameters\DynamicBacklogGrowthDelta Dword:A
HKLM\System\CurrentControlSet\Services\AFD\Parameters\EnableDynamicBacklog Dword:1
HKLM\System\CurrentControlSet\Services\AFD\Parameters\MaximumDynamicBacklog Dword:4E20
HKLM\System\CurrentControlSet\Services\AFD\Parameters\MinimumDynamicBacklog Dword:14
HKLM\SYSTEM\CurrentControlSet\Services\DnsCache\Parameters\QueryIPMatching Dword:1
HKLM\SYSTEM\CurrentControlSet\Services\MrxSmb\Parameter\RefuseReset Dword:1
HKLM\SYSTEM\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand Dword:1
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ArpAlwaysSourceRoute Dword:0
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting Dword:2
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableAddrMaskReply Dword:0
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableBCastArpReply Dword:0
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect Dword:0
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime Dword:493E0
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\MaxUserPort Dword:FFFE
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect Dword:2
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxConnectResponseRetransmissions Dword:2
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxConnectRetransmissions Dword:2
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxDataRetransmissions Dword:3
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpenRetried Dword:190
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpen Dword:1F4
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TCPMaxPortsExhausted Dword:5

Knowledge Base-article - 315669
http://support.microsoft.com/default.aspx?scid=kb;en-us;315669
SynAttackProtect = 2
EnableDeadGWDetect=0
EnablePMTUDiscovery=0
KeepAliveTime=300 000 (5 minutes)
NoNameReleaseOnDemand=1

Knowledge Base-article - 142641
http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/q142/6/41.asp&NoWebContent=1&NoWebContent=1
TcpMaxConnectResponseRetransmissions=2
BacklogIncrement=3 (NetBT)
MaxConnBackLog=1000 (NetBT)
For systems under attack:
EnableDynamicBacklog=1
MinimumDynamicBacklog=20
MaximumDynamicBacklog<5000/32 MB RAM
DynamicBacklogGrowthDelta=10
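
Added example, not part of either post: the registry list above gives hex DWORDs while the Knowledge Base lines give decimal values, so this Python sketch decodes both and reports which settings agree and which appear in only one list. The sample text is a constructed subset of the values quoted in the thread; the function names are hypothetical.

```python
import re

# Constructed sample: a subset of the registry lines quoted in the thread (hex).
POSTED = r"""
HKLM\System\CurrentControlSet\Services\AFD\Parameters\DynamicBacklogGrowthDelta Dword:A
HKLM\System\CurrentControlSet\Services\AFD\Parameters\MaximumDynamicBacklog Dword:4E20
HKLM\System\CurrentControlSet\Services\AFD\Parameters\MinimumDynamicBacklog Dword:14
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime Dword:493E0
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect Dword:2
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\MaxUserPort Dword:FFFE
"""

# Constructed sample: Knowledge Base lines as quoted in the same post (decimal).
KB = """
SynAttackProtect = 2
EnableDeadGWDetect=0
EnablePMTUDiscovery=0
KeepAliveTime=300 000 (5 minutes)
MinimumDynamicBacklog=20
DynamicBacklogGrowthDelta=10
"""

def parse_posted(text):
    """Map value name -> int, decoding the hex DWORD that follows 'Dword:'."""
    pairs = re.findall(r"\\([A-Za-z]+)\s+Dword:([0-9A-Fa-f]+)", text)
    return {name: int(hexval, 16) for name, hexval in pairs}

def parse_kb(text):
    """Map value name -> int from 'Name=value' lines; digit groups may be spaced."""
    pairs = re.findall(r"^(\w+)\s*=\s*([\d ]+)", text, re.M)
    return {name: int(val.replace(" ", "")) for name, val in pairs}

def compare(posted, kb):
    """Return {name: (posted, kb, status)} for every name seen in either list."""
    report = {}
    for name in sorted(set(posted) | set(kb)):
        p, k = posted.get(name), kb.get(name)
        if p is None:
            status = "kb-only"
        elif k is None:
            status = "posted-only"
        else:
            status = "match" if p == k else "differs"
        report[name] = (p, k, status)
    return report

if __name__ == "__main__":
    for name, (p, k, status) in compare(parse_posted(POSTED), parse_kb(KB)).items():
        print(f"{name:28} posted={p!s:>7} kb={k!s:>7} {status}")
```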

Copyright 2010, SecurityFocus