Monday, April 5, 2010

Hardening the TCP/IP Stack

I had to spend some time today writing a registry file that would harden the TCP/IP stack. I did not want to manually update all the servers, so I figured I would just set up a registry file to do it for me. Below are the settings you can put in a .reg file to harden the stack. REMINDER: this comes with no warranty, and you should always back up your registry before you make any changes.

Windows Registry Editor Version 5.00

; Root keys must be spelled out in full: regedit does not accept the HKLM
; abbreviation in a .reg file, so sections written as [HKLM\...] are not imported.
; The Tcpip\Parameters values below were originally spread over several
; sections of the same key; they are merged here into one.

; SYN flood protection, half-open connection limits and retransmission counts
; (TcpMaxHalfOpen = 500, TcpMaxHalfOpenRetried = 400, KeepAliveTime = 300000 ms)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"SynAttackProtect"=dword:00000002
"TcpMaxPortsExhausted"=dword:00000001
"TcpMaxHalfOpen"=dword:000001f4
"TcpMaxHalfOpenRetried"=dword:00000190
"TcpMaxConnectResponseRetransmissions"=dword:00000002
"TcpMaxDataRetransmissions"=dword:00000002
"EnablePMTUDiscovery"=dword:00000000
"KeepAliveTime"=dword:000493e0
; Routing and ICMP behaviour: no redirects, no dead-gateway switching,
; no source routing, no forwarding, no address-mask replies
"EnableICMPRedirect"=dword:00000000
"EnableDeadGWDetect"=dword:00000000
"DisableIPSourceRouting"=dword:00000001
"EnableMulticastForwarding"=dword:00000000
"IPEnableRouter"=dword:00000000
"EnableAddrMaskReply"=dword:00000000

; NetBIOS over TCP/IP: ignore name-release requests from the network
; (the key is "Parameters", not "Parameter")
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]
"NoNameReleaseOnDemand"=dword:00000001

; Winsock (AFD) dynamic backlog: minimum 20, maximum 20000, grow by 10
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters]
"EnableDynamicBacklog"=dword:00000001
"MinimumDynamicBacklog"=dword:00000014
"MaximumDynamicBacklog"=dword:00004e20
"DynamicBacklogGrowthDelta"=dword:0000000a
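Pushing the .reg file to every server is only half the job; a section that regedit rejects (for example one using an abbreviated root key) fails quietly, so the other half is checking that each value actually landed. The script below is an added example, not part of the original post: it parses the .reg file into key/name/expected-value triples and compares them with the live registry on the machine it runs on, reporting OK, DRIFT or MISSING for each value. The file path C:\hardening\tcpip.reg is a placeholder assumption, and the script assumes the file contains only HKEY_LOCAL_MACHINE keys with dword values, as the one above does.

```powershell
# Added example (not from the original post): audit this server against the
# TCP/IP hardening baseline held in a .reg file. Run from an elevated prompt.
param(
    # Placeholder path; point it at wherever the .reg file was deployed.
    [string]$RegFile = 'C:\hardening\tcpip.reg'
)

# Parse the .reg file into (Key, Name, Expected) triples. Only dword values are
# handled because that is all the hardening file contains; ';' comments and
# blank lines are skipped by the regular expressions.
function Get-RegBaseline {
    param([string]$Path)
    $baseline = @()
    $currentKey = $null
    foreach ($line in Get-Content -Path $Path) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') {
            # Translate the .reg root key into the registry provider path.
            $currentKey = $Matches[1] -replace '^HKEY_LOCAL_MACHINE\\', 'HKLM:\'
        }
        elseif ($currentKey -and $line -match '^"([^"]+)"=dword:([0-9a-fA-F]{8})$') {
            $baseline += [pscustomobject]@{
                Key      = $currentKey
                Name     = $Matches[1]
                Expected = [Convert]::ToInt64($Matches[2], 16)   # hex dword -> decimal
            }
        }
    }
    return $baseline
}

# Compare each baseline entry with the live registry value.
function Test-RegBaseline {
    param([object[]]$Baseline)
    foreach ($entry in $Baseline) {
        $actual = $null
        if (Test-Path -Path $entry.Key) {
            $prop = Get-ItemProperty -Path $entry.Key -Name $entry.Name -ErrorAction SilentlyContinue
            if ($null -ne $prop) {
                # REG_DWORD comes back as a signed Int32; mask to the unsigned
                # 32-bit range so values >= 0x80000000 compare correctly.
                $actual = ([int64]$prop.($entry.Name)) -band 0xFFFFFFFF
            }
        }
        $status = if ($null -eq $actual) { 'MISSING' }
                  elseif ($actual -eq $entry.Expected) { 'OK' }
                  else { 'DRIFT' }
        [pscustomobject]@{
            Key      = $entry.Key
            Name     = $entry.Name
            Expected = $entry.Expected
            Actual   = $actual
            Status   = $status
        }
    }
}

$results = Test-RegBaseline -Baseline (Get-RegBaseline -Path $RegFile)
$results | Format-Table -AutoSize

# Non-zero exit code lets a deployment job or scheduled task flag the server.
$bad = @($results | Where-Object { $_.Status -ne 'OK' })
if ($bad.Count -gt 0) { exit 1 } else { exit 0 }
```

Because the audit reads the same .reg file that was imported, the expected values live in one place; a later change to the baseline is picked up by the check without editing the script. The exit code is what a remote-execution tool or scheduled task would use to report servers where the import did not take effect.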
