Howto: System Security Hardening w/ Admin Tools

[dirtyepic]

(sorry bout the formatting)

edit: forgot to mention, this info applies to XP and Server 2003. i don't know

what the results would be for other versions of Windows, so use at your own risk.

Here's an easy way to manage a bunch of useful networking and security settings

without having to go digging through your registry whenever you want to adjust

something.

This information comes via Microsoft's Threats and Countermeasures security guide:

[ http://www.microsoft.com/technet/Security/...cg/tcgch10.mspx ]

This method gives you easy access to the following keys:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\

EnableICMPRedirect

SynAttackProtect

EnableDeadGWDetect

EnablePMTUDiscovery

KeepAliveTime

DisableIPSourceRouting

TcpMaxConnectResponseRetransmissions

TcpMaxDataRetransmissions

PerformRouterDiscovery

TCPMaxPortsExhausted

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AFD\Parameters\

DynamicBacklogGrowthDelta

EnableDynamicBacklog

MinimumDynamicBacklog

MaximumDynamicBacklog

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netbt\Parameters\

NoNameReleaseOnDemand

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\FileSystem\

NtfsDisable8dot3NameCreation

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

NoDriveTypeAutoRun

HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\

ScreenSaverGracePeriod

HKEY_LOCAL_MACHINE\ SYSTEM\CurrentControlSet\Services\Eventlog\Security\

WarningLevel

HKEY_LOCAL_MACHINE\ SYSTEM\CurrentControlSet\Control\Session Manager\

SafeDllSearchMode

Instructions

1. Navigate to your %systemroot%\inf folder (eg. c:\windows\inf)

2. Open sceregvl.inf in notepad.

3. Navigate to the bottom of the [Register Registry Values] section and copy the following text into the file:

;================================ MSS Values ================================
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect,4,%EnableICMPRedirect%,0
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect,4,%SynAttackProtect%,3,0|%SynAttackProtect0%,1|%SynAttackProtect1%
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnableDeadGWDetect,4,%EnableDeadGWDetect%,0
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery,4,%EnablePMTUDiscovery%,0
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime,4,%KeepAliveTime%,3,150000|%KeepAliveTime0%,300000|%KeepAliveTime1%,600000|%KeepAliveTime2%,1200000|%KeepAliveTime3%,2400000|%KeepAliveTime4%,3600000|%KeepAliveTime5%,7200000|%KeepAliveTime6%
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting,4,%DisableIPSourceRouting%,3,0|%DisableIPSourceRouting0%,1|%DisableIPSourceRouting1%,2|%DisableIPSourceRouting2%
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxConnectResponseRetransmissions,4,%TcpMaxConnectResponseRetransmissions%,3,0|%TcpMaxConnectResponseRetransmissions0%,1|%TcpMaxConnectResponseRetransmissions1%,2|%TcpMaxConnectResponseRetransmissions2%,3|%TcpMaxConnectResponseRetransmissions3%
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxDataRetransmissions,4,%TcpMaxDataRetransmissions%,1
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\PerformRouterDiscovery,4,%PerformRouterDiscovery%,0
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TCPMaxPortsExhausted,4,%TCPMaxPortsExhausted%,1
MACHINE\System\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand,4,%NoNameReleaseOnDemand%,0
MACHINE\System\CurrentControlSet\Control\FileSystem\NtfsDisable8dot3NameCreation,4,%NtfsDisable8dot3NameCreation%,0
MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun,4,%NoDriveTypeAutoRun%,3,0|%NoDriveTypeAutoRun0%,255|%NoDriveTypeAutoRun1%
MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security\WarningLevel,4,%WarningLevel%,3,50|%WarningLevel0%,60|%WarningLevel1%,70|%WarningLevel2%,80|%WarningLevel3%,90|%WarningLevel4%
MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScreenSaverGracePeriod,4,%ScreenSaverGracePeriod%,1
MACHINE\System\CurrentControlSet\Services\AFD\Parameters\DynamicBacklogGrowthDelta,4,%DynamicBacklogGrowthDelta%,1
MACHINE\System\CurrentControlSet\Services\AFD\Parameters\EnableDynamicBacklog,4,%EnableDynamicBacklog%,0
MACHINE\System\CurrentControlSet\Services\AFD\Parameters\MinimumDynamicBacklog,4,%MinimumDynamicBacklog%,1
MACHINE\System\CurrentControlSet\Services\AFD\Parameters\MaximumDynamicBacklog,4,%MaximumDynamicBacklog%,3,10000|%MaximumDynamicBacklog0%,15000|%MaximumDynamicBacklog1%,20000|%MaximumDynamicBacklog2%,40000|%MaximumDynamicBacklog3%,80000|%MaximumDynamicBacklog4%,160000|%MaximumDynamicBacklog5%
MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDllSearchMode,4,%SafeDllSearchMode%,0

(note that every line above should start w/ MACHINE. if the text gets wrapped,

make sure you fix it after pasting it.)

4. Navigate to the bottom of the [strings] section and copy the following text into the file:

;================================ MSS Settings ================================
EnableICMPRedirect = "MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes"
SynAttackProtect = "MSS: (SynAttackProtect) Syn attack protection level (protects against DoS)"
SynAttackProtect0 = "No additional protection, use default settings"
SynAttackProtect1 = "Connections time out sooner if a SYN attack is detected"
EnableDeadGWDetect = "MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)"
EnablePMTUDiscovery = "MSS: (EnablePMTUDiscovery ) Allow automatic detection of MTU size (possible DoS by an attacker using a small MTU)"
KeepAliveTime = "MSS: How often keep-alive packets are sent in milliseconds"
KeepAliveTime0 ="150000 or 2.5 minutes"
KeepAliveTime1 ="300000 or 5 minutes (recommended)"
KeepAliveTime2 ="600000 or 10 minutes"
KeepAliveTime3 ="1200000 or 20 minutes"
KeepAliveTime4 ="2400000 or 40 minutes"
KeepAliveTime5 ="3600000 or 1 hour"
KeepAliveTime6 ="7200000 or 2 hours (default value)"
DisableIPSourceRouting = "MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)"
DisableIPSourceRouting0 = "No additional protection, source routed packets are allowed"
DisableIPSourceRouting1 = "Medium, source routed packets ignored when IP forwarding is enabled"
DisableIPSourceRouting2 = "Highest protection, source routing is completely disabled"
TcpMaxConnectResponseRetransmissions = "MSS: (TcpMaxConnectResponseRetransmissions) SYN-ACK retransmissions when a connection request is not acknowledged"
TcpMaxConnectResponseRetransmissions0 = "No retransmission, half-open connections dropped after 3 seconds"
TcpMaxConnectResponseRetransmissions1 = "3 seconds, half-open connections dropped after 9 seconds"
TcpMaxConnectResponseRetransmissions2 = "3 & 6 seconds, half-open connections dropped after 21 seconds"
TcpMaxConnectResponseRetransmissions3 = "3, 6, & 9 seconds, half-open connections dropped after 45 seconds"
TcpMaxDataRetransmissions = "MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)"
PerformRouterDiscovery = "MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)"
TCPMaxPortsExhausted = "MSS: (TCPMaxPortsExhausted) How many dropped connect requests to initiate SYN attack protection (5 is recommended)"
NoNameReleaseOnDemand = "MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers"
NtfsDisable8dot3NameCreation = "MSS: Enable the computer to stop generating 8.3 style filenames"
NoDriveTypeAutoRun = "MSS: Disable Autorun for all drives"
NoDriveTypeAutoRun0 = "Null, allow Autorun"
NoDriveTypeAutoRun1 = "255, disable Autorun for all drives"
WarningLevel = "MSS: Percentage threshold for the security event log at which the system will generate a warning"
WarningLevel0 = "50%"
WarningLevel1 = "60%"
WarningLevel2 = "70%"
WarningLevel3 = "80%"
WarningLevel4 = "90%"
ScreenSaverGracePeriod = "MSS: The time in seconds before the screen saver grace period expires (0 recommended)"
DynamicBacklogGrowthDelta = "MSS: (AFD DynamicBacklogGrowthDelta) Number of connections to create when additional connections are necessary for Winsock applications (10 recommended)"
EnableDynamicBacklog = "MSS: (AFD EnableDynamicBacklog) Enable dynamic backlog for Winsock applications (recommended)"
MinimumDynamicBacklog = "MSS: (AFD MinimumDynamicBacklog) Minimum number of free connections for Winsock applications (20 recommended for systems under attack, 10 otherwise)"
MaximumDynamicBacklog = "MSS: (AFD MaximumDynamicBacklog) Maximum number of 'quasi-free' connections for Winsock applications"
MaximumDynamicBacklog0 = "10000"
MaximumDynamicBacklog1 = "15000"
MaximumDynamicBacklog2 = "20000 (recommended)"
MaximumDynamicBacklog3 = "40000"
MaximumDynamicBacklog4 = "80000"
MaximumDynamicBacklog5 = "160000"
SafeDllSearchMode = "MSS: Enable Safe DLL search mode (recommended)"

(ditto.)

5. Save sceregvl.inf and close notepad.

6. Start -> cmd. Type regsvr32 scecli.dll.

7. Open the Local Security Policy console in Administrative Tools. Browse to Local

Policies -> Security Options. You'll now see a selection of "MSS" policies you can set.

B)

For more information on each setting, the recommended values, and detailed info on

the vulnerabilities and countermeasures for each key, check out

[ http://www.microsoft.com/technet/Security/...cg/tcgch10.mspx ]. It's written for the

Enterprise IT tech or network administrator in mind, but you can still use a lot of the info provided.