Full Version: Mitigate DOS attacks on Win servers
The Planet Forums > Operating Systems > Microsoft Windows > Windows HOWTOs
Vinnie Pasetta
HOW TO: Harden the TCP/IP Stack Against Denial of Service Attacks in Windows Server 2003

http://support.microsoft.com/default.aspx?...kb;en-us;324270
Vinnie Pasetta
I am making the registry keys available to save some time typing for everyone. Please review the read me file carefully.

Microsoft Disclaimer:

IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs.

*************************************************

These are the keys for import into the Registry. The values are set exactly as Microsoft has suggested in Microsoft Knowledge Base Article - 324270 titled "HOW TO: Harden the TCP/IP Stack Against Denial of Service Attacks in Windows Server 2003."

Reference: http://support.microsoft.com/default.aspx?...kb;en-us;324270

The information in this article applies to:

*Microsoft Windows Server 2003, Datacenter Edition
*Microsoft Windows Server 2003, Enterprise Edition
*Microsoft Windows Server 2003, Standard Edition
*Microsoft Windows Server 2003, Web Edition
*Microsoft Windows Server 2003, 64-Bit Datacenter Edition
*Microsoft Windows Server 2003, 64-Bit Enterprise Edition

*************************************************

This information is provided as-is. There is no implied warranty of any kind.

READ THE ENTIRE MICROSOFT ARTICLE HERE BEFORE IMPORTING THESE KEYS.

Reference: http://support.microsoft.com/default.aspx?...kb;en-us;324270

*************************************************

Usage:

1.) Extract both keys and the read me file to your Windows Server 2003 Desktop.
2.) Review the Read Me file.
3.) Double-click each registry key once to import and confirm as needed.

NOTICE: The key values are set exactly as described in the referenced link. Make sure they are correct for your situation.
devo-x
QUOTE
The following list explains the TCP/IP-related registry values that you can configure to harden the TCP/IP stack on computers that are directly connected to the Internet. All of these values should be created under the following registry key, unless otherwise noted:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
NOTE: All values are in hexadecimal unless otherwise noted.  


Value name: SynAttackProtect
Key: Tcpip\Parameters
Value Type: REG_DWORD
Valid Range: 0,1
Default: 0

This registry value causes Transmission Control Protocol (TCP) to adjust retransmission of SYN-ACKS. When you configure this value, the connection responses time out more quickly during a SYN attack (a type of denial of service attack). The following parameters can be used with this registry value:

0 (default value): Set SynAttackProtect to 0 for typical protection against SYN attacks.
1: Set SynAttackProtect to 1 for better protection against SYN attacks. This parameter causes TCP to adjust the retransmission of SYN-ACKS. When you set SynAttackProtect to 1, connection responses time out more quickly if the system detects that a SYN attack is in progress. Windows uses the following values to determine whether an attack is in progress:
TcpMaxPortsExhausted
TCPMaxHalfOpen
TCPMaxHalfOpenRetried

Value name: EnableDeadGWDetect
Key: Tcpip\Parameters
Value Type: REG_DWORD
Valid Range: 0, 1 (False, True)
Default: 0 (False)

The following list explains the parameters that you can use with this registry value:
1: When you set EnableDeadGWDetect to 1, TCP is permitted to perform dead-gateway detection. When dead-gateway detection is enabled, TCP may ask the Internet Protocol (IP) to change to a backup gateway if a number of connections are experiencing difficulty. Backup gateways are defined in the Advanced section of the TCP/IP configuration dialog box in the Network tool in Control Panel.
0: Microsoft recommends that you set the EnableDeadGWDetect value to 0. If you do not set this value to 0, an attack may force the server to switch gateways and cause it to switch to an unintended gateway.

Value name: EnablePMTUDiscovery
Key: Tcpip\Parameters
Value Type: REG_DWORD
Valid Range: 0, 1 (False, True)
Default: 1 (True)

The following list explains the parameters that you can use with this registry value:
1: When you set EnablePMTUDiscovery to 1, TCP tries to discover either the maximum transmission unit (MTU) or the largest packet size over the path to a remote host. TCP can remove fragmentation at routers along the path that connect networks with different MTUs by discovering the path MTU and limiting TCP segments to this size. Fragmentation adversely affects TCP throughput.
0: Microsoft recommends that you set EnablePMTUDiscovery to 0. When you do so, an MTU of 576 bytes is used for all connections that are not hosts on the local subnet. If you do not set this value to 0, an attacker may force the MTU value to a very small value and overwork the stack.

Value name: KeepAliveTime
Key: Tcpip\Parameters
Value Type: REG_DWORD (time in milliseconds)
Valid Range: 1-0xFFFFFFFF
Default: 7,200,000 (two hours)

This value controls how frequently TCP tries to verify that an idle connection is still intact by sending a keep-alive packet. If the remote computer is still reachable, it acknowledges the keep-alive packet. Keep-alive packets are not sent by default. You can use a program to configure this value on a connection. The recommended value setting is 300,000 (5 minutes).

Value name: NoNameReleaseOnDemand
Key: Netbt\Parameters
Value Type: REG_DWORD
Valid Range: 0, 1 (False, True)
Default: 0 (False)

This value determines whether the computer releases its NetBIOS name when it receives a name-release request. This value was added to permit the administrator to protect the computer against malicious name-release attacks. Microsoft recommends that you set the NoNameReleaseOnDemand value to 1 (the default value).

Here are the manual registry values typed out.
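Added example, not part of devo-x's post or of KB 324270: a PowerShell script that audits the five registry values quoted above against the recommended settings and, when asked, backs the two keys up with reg.exe and applies them, which follows the back-up / review / import steps in the readme Vinnie posted. The paths and values are the ones quoted from the KB; the function names (Get-TcpipHardeningState, Set-TcpipHardening), the backup directory and the -WhatIf flow are my own choices. It needs an elevated PowerShell 2.0 or later on the server.

```powershell
# Added example (not from the forum post or KB 324270): audit and, on request,
# apply the TCP/IP hardening values quoted from the KB. Function names and
# the backup location are assumptions of this example, not anything from the KB.

$Tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$Netbt = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'

# Recommended values as quoted from the KB. KeepAliveTime is in milliseconds.
$Desired = @(
    @{ Path = $Tcpip; Name = 'SynAttackProtect';      Value = 1 },
    @{ Path = $Tcpip; Name = 'EnableDeadGWDetect';    Value = 0 },
    @{ Path = $Tcpip; Name = 'EnablePMTUDiscovery';   Value = 0 },
    @{ Path = $Tcpip; Name = 'KeepAliveTime';         Value = 300000 },
    @{ Path = $Netbt; Name = 'NoNameReleaseOnDemand'; Value = 1 }
)

function Get-TcpipHardeningState {
    # One object per value: what is in the registry now ($null if the value
    # does not exist yet), what the KB recommends, and whether they match.
    foreach ($d in $Desired) {
        $item = Get-ItemProperty -Path $d.Path -Name $d.Name -ErrorAction SilentlyContinue
        $current = if ($item) { $item.($d.Name) } else { $null }
        New-Object PSObject -Property @{
            Path      = $d.Path
            Name      = $d.Name
            Current   = $current
            Desired   = $d.Value
            Compliant = ($current -eq $d.Value)
        }
    }
}

function Set-TcpipHardening {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$BackupDir = "$env:SystemRoot\Temp")   # assumed location

    # Export both keys first so the change can be rolled back with a
    # double-click on the .reg file, as the KB's registry warning asks.
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' "$BackupDir\Tcpip-$stamp.reg" | Out-Null
    & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters' "$BackupDir\NetBT-$stamp.reg" | Out-Null

    foreach ($s in Get-TcpipHardeningState) {
        if ($s.Compliant) { continue }
        if ($PSCmdlet.ShouldProcess("$($s.Path)\$($s.Name)", "set REG_DWORD to $($s.Desired)")) {
            if ($null -eq $s.Current) {
                # Value absent: create it as REG_DWORD (the type the KB specifies).
                New-ItemProperty -Path $s.Path -Name $s.Name -PropertyType DWord -Value $s.Desired | Out-Null
            } else {
                Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Desired
            }
        }
    }
    Write-Warning 'Tcpip/NetBT parameters are read when the stack starts; reboot for the change to take effect.'
}

# Audit only. Run "Set-TcpipHardening -WhatIf" to preview, "Set-TcpipHardening" to apply.
Get-TcpipHardeningState | Format-Table Name, Current, Desired, Compliant -AutoSize
```

Run the audit first and keep the output with the backup; on a box where a value has never been created, Current shows blank, which is the KB default rather than an error. Note that SynAttackProtect=1 only changes behaviour once the thresholds the quote names (TcpMaxPortsExhausted, TCPMaxHalfOpen, TCPMaxHalfOpenRetried) are crossed; the script leaves those at their defaults because the post does not give values for them.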
Shannara
(Removed, as response was given.)
dynamicnet
Greetings:

I did check the Microsoft support area prior to posting this question, but are there similar steps to take if the server is Windows 2000?

If so, where can I find the documentation / steps?

Thank you.
Vinnie Pasetta
QUOTE
Originally posted by dynamicnet
Greetings:

I did check the Microsoft support area prior to posting this question, but are there similar steps to take if the server is Windows 2000?

If so, where can I find the documentation / steps?

Thank you.


http://support.microsoft.com/?kbid=315669

I think it is the same...
dynamicnet
Greetings:

Thank you.
RBohm
This page will let you create the correct registry values for help in protecting against DOS attacks. If you haven't tweaked your box yet, take a look here for more information:

http://www.tcpiq.com/tcpIQ/DenialOfServiceAttack/
Invision Power Board © 2001-2009 Invision Power Services, Inc.