registry tweaks related to network

Upload: hamami-inkazo

Post on 06-Mar-2015

Page 1: Registry Tweaks Related to Network

I haven't seen much on Registry Security, so I took the time out to put something together: Important! Learn the registry settings before enabling/disabling them. These registry tweaks are for Windows NT4, Windows 2000 and Windows XP.

disabling IP Forwarding

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS]
"IPENABLEROUTER"=DWORD:00000000

disallow fragmented IP

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\IPFILTERDRIVER\PARAMETERS]
"ENABLEFRAGMENTCHECKING"=DWORD:00000001

disabling ICMP-Redirect

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS]
"ENABLEICMPREDIRECTS"=DWORD:00000000

enabling TCP/IP-Filtering

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS]
"ENABLESECURITYFILTERS"=DWORD:00000001

disallow forwarding of fragmented IP packets

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\IPFILTERDRIVER\PARAMETERS]
"DEFAULTFORWARDFRAGMENTS"=DWORD:00000000

restart if Eventlog fails

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA]
"CRASHONAUDITFAIL"=DWORD:00000001

Winsock Protection

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\AFD\PARAMETERS]
"ENABLEDYNAMICBACKLOG"=DWORD:00000020
"MAXIMUMDYNAMICBACKLOG"=DWORD:00020000
"DYNAMICBACKLOGGROWTHDELTA"=DWORD:00000010

Denial-of-Service Protection

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS]
"SYNATTACKPROTECT"=DWORD:00000002
"TCPMAXDATARETRANSMISSIONS"=DWORD:00000003
"TCPMAXHALFOPEN"=DWORD:00000064
"TCPMAXHALFOPENRETRIED"=DWORD:00000050
"TCPMAXPORTSEXHAUSTED"=DWORD:00000001
"TCPMAXCONNECTRESPONSERETRANSMISSIONS"=DWORD:00000002
"ENABLEDEADGWDETECT"=DWORD:00000000
"ENABLEPMTUDISCOVERY"=DWORD:00000000
"KEEPALIVETIME"=DWORD:00300000
"ALLOWUNQUALIFIEDQUERY"=DWORD:00000000
"DISABLEDYNAMICUPDATE"=DWORD:00000001

Disable Router-Discovery

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\INTERFACES]
"PERFORMROUTERDISCOVERY"=DWORD:00000000

Disabling DomainMaster

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\BROWSER\PARAMETERS]
"MAINTAINSERVERLIST"="No"
"ISDOMAINMASTER"="False"

Disable NetBIOS name exposing

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\NETBT\PARAMETERS]
"NONAMERELEASEONDEMAND"=DWORD:00000001

Fix for MS DNS compatibility with BIND versions earlier than 4.9.4

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\DNS\PARAMETERS]
"BINDSECONDARIES"=DWORD:00000001

disabling caching of logon credentials (also possible with USRMGR.EXE)

[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON]
"CACHEDLOGONCOUNT"=DWORD:00000001

disabling IP source routing

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS]
"DISABLEIPSOURCEROUTING"=DWORD:00000001

allow only MS CHAP v2.0 for VPN connections

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\RASMAN\PPP]
"SECUREVPN"=DWORD:00000001

disabling caching of RAS passwords

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\RASMAN\PARAMETERS]
"DISABLESAVEPASSWORD"=DWORD:00000001

Printer installation only by Admins/Print Operators

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\PRINT\PROVIDERS\LANMAN PRINT SERVICES\SERVERS]
"ADDPRINTDRIVERS"=DWORD:00000001

disabling Administrative Shares NT4.0 Server ($c, $d, $e etc)

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\LANMANSERVER\PARAMETERS]
"AUTOSHARESERVER"=DWORD:00000000

disabling Administrative Shares NT4.0 Workstation ($c, $d, $e etc)

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\LANMANSERVER\PARAMETERS]
"AUTOSHAREWKS"=DWORD:00000000

allow only authenticated PPP clients

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\RASMAN\PPP]
"FORCEENCRYPTEDPASSWORD"=DWORD:00000002

enabling RAS logging

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\RASMAN\PARAMETERS]
"LOGGING"=DWORD:00000001

disabling NTFS 8.3 name generation

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\FILESYSTEM]
"NTFSDISABLE8DOT3NAMEGENERATION"=DWORD:00000001

disallow anonymous IPC connections

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA]
"RESTRICTANONYMOUS"=DWORD:00000001

enabling SMB Signatures (Server)

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\LANMANSERVER\PARAMETERS]
"REQUIRESECURITYSIGNATURE"=DWORD:00000001

enabling SMB Signatures (Client)

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\RDR\PARAMETERS]
"REQUIRESECURITYSIGNATURE"=DWORD:00000001

NT LSA DoS (Phantom) Vulnerability

[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\AEDEBUG]
"AUTO"="0"

MDAC runs in secured [1] / unsecured [0] Mode

[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\DATAFACTORY\HANDLERINFO]
"HANDLERREQUIRED"=DWORD:00000001

disable Lan Manager authentication

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA]
"LMCOMPATIBILITYLEVEL"=DWORD:00000002

Level 0 - Send LM response and NTLM response; never use NTLMv2
Level 1 - Use NTLMv2 session security if negotiated
Level 2 - Send NTLM response only
Level 3 - Send NTLMv2 response only
Level 4 - DC refuses LM responses
Level 5 - DC refuses LM and NTLM responses (accepts only NTLMv2)

disabling DCOM (also possible with DCOMCNFG.EXE)

[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\OLE]
"ENABLEDCOM"="N"

restrict Null-User/Guest access to the Eventlog

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\APPLICATION]
"RESTRICTGUESTACCESS"=DWORD:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\SECURITY]
"RESTRICTGUESTACCESS"=DWORD:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\SYSTEM]
"RESTRICTGUESTACCESS"=DWORD:00000001

disable displaying the last logged-in user

[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON]
"DONTDISPLAYLASTUSERNAME"="1"

restrict floppy/CD-ROM access to the currently logged-on user

[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON]
"ALLOCATEFLOPPIES"="1"
"ALLOCATECDROMS"="1"

no Autorun for CD-ROM (1=enabled 0=disabled)

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\CDROM]
"AUTORUN"=DWORD:00000000

clear pagefile on shutdown

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\SESSION MANAGER\MEMORY MANAGEMENT]
"CLEARPAGEFILEATSHUTDOWN"=DWORD:00000001

enabling Screensaver Lockout

[HKEY_USERS\.DEFAULT\CONTROL PANEL\DESKTOP]
"SCREENSAVEACTIVE"="1"

disabling OS/2 Subsystem (if not needed)

; delete the value named OS2 under this key
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\SESSION MANAGER\SUBSYSTEMS]
"OS2"=-

disabling POSIX Subsystem (if not needed)

; delete the value named POSIX under this key
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\SESSION MANAGER\SUBSYSTEMS]
"POSIX"=-

run IIS CGI in the context of "IUSR_computername"

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\W3SVC\PARAMETERS]
"CreateProcessAsUser"=dword:00000001

Security Message (Logon)

[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON]
"Welcome"="   Unauthorized Access is prohibited "

Policies (1=enabled 0=disabled)

[HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS NT\PROGRAM MANAGER\RESTRICTIONS]
[HKEY_USERS\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS NT\PROGRAM MANAGER\RESTRICTIONS]
[HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM]

enable logging of successful HTTP requests

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\W3SVC\PARAMETERS]
"LogSuccessfulRequests"=dword:00000001

disable IIS FTP bounce attack (IIS 2/3)

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\MSFTPSVC\PARAMETERS]
"EnablePortAttack"=dword:00000000

enable logging of bad HTTP requests

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\W3SVC\PARAMETERS]
"LogErrorRequests"=dword:00000001

After you make your registry tweaks, do Start/Run, regedt32, Security/Permissions. Go to the hives where you made the changes and set permissions on each key so they can't be changed.

I took the time out to individually make these 43 registry tweaks separately, with their titles, into one zip file... Enjoy..

Feel free to add to this thread if you have others not listed here.
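As an added example (not part of the original post or its zip file), the PowerShell script below does the two things a defender wants after applying a list like this: it audits a subset of the values above against the post's expected settings and reports OK / DRIFT / NOT SET / KEY MISSING for each, and then, in the spirit of the closing advice about regedt32 permissions, lists which principals hold write rights on those keys so anything beyond SYSTEM, Administrators and TrustedInstaller stands out. It assumes PowerShell 5.1 or later on a current Windows host, run from an elevated prompt; the key paths, value names and expected values are copied from the post (NT4-era keys such as Services\Rdr will simply report KEY MISSING on newer Windows), the baseline subset is constructed, and the function names Test-RegistryBaseline and Get-RegistryKeyWriters are mine.

```powershell
# Added example, not part of the original post: audit a subset of the listed
# tweaks and show who can write to the keys they live in.
# Assumes PowerShell 5.1+ on Windows, run elevated so every key is readable.
# Key paths, value names and expected values are copied from the post; they are
# the post's recommendations, not a statement of current best practice.

# Constructed baseline: a representative subset of the post's entries.
$Baseline = @(
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';        Name = 'IPEnableRouter';           Expected = 0 }
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';        Name = 'DisableIPSourceRouting';   Expected = 1 }
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';        Name = 'SynAttackProtect';         Expected = 2 }
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Name = 'RequireSecuritySignature'; Expected = 1 }
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Name = 'AutoShareServer';          Expected = 0 }
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Rdr\Parameters';          Name = 'RequireSecuritySignature'; Expected = 1 }
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                      Name = 'RestrictAnonymous';        Expected = 1 }
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                      Name = 'LmCompatibilityLevel';     Expected = 2 }
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                      Name = 'CrashOnAuditFail';         Expected = 1 }
)

# Compare each baseline entry with what the registry actually holds.
function Test-RegistryBaseline {
    param([Parameter(Mandatory)][array]$Baseline)

    foreach ($item in $Baseline) {
        $keyExists = Test-Path -Path $item.Key
        $actual = $null
        if ($keyExists) {
            $props = Get-ItemProperty -Path $item.Key -ErrorAction SilentlyContinue
            if ($props -and ($props.PSObject.Properties.Name -contains $item.Name)) {
                $actual = $props.($item.Name)
            }
        }
        $status = if (-not $keyExists) { 'KEY MISSING' } elseif ($null -eq $actual) { 'NOT SET' } elseif ($actual -eq $item.Expected) { 'OK' } else { 'DRIFT' }

        [pscustomobject]@{
            Status   = $status
            Name     = $item.Name
            Expected = $item.Expected
            Actual   = $actual
            Key      = $item.Key
        }
    }
}

# List every Allow ACE on a key that carries a right which lets the holder
# change the key (set values, create subkeys, delete, change permissions, take ownership).
function Get-RegistryKeyWriters {
    param([Parameter(Mandatory)][string]$Path)

    $writeBits = [System.Security.AccessControl.RegistryRights]::SetValue -bor
                 [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
                 [System.Security.AccessControl.RegistryRights]::Delete -bor
                 [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
                 [System.Security.AccessControl.RegistryRights]::TakeOwnership

    try { $acl = Get-Acl -Path $Path } catch { Write-Warning "Cannot read ACL of ${Path}: $_"; return }

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and (($ace.RegistryRights -band $writeBits) -ne 0)) {
            [pscustomobject]@{
                Key       = $Path
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# 1. Value audit.
$report = Test-RegistryBaseline -Baseline $Baseline
$report | Format-Table Status, Name, Expected, Actual, Key -AutoSize

# 2. Permission audit: who, other than the expected system principals, can change these keys?
$trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')
$Baseline | ForEach-Object { $_.Key } | Sort-Object -Unique | Where-Object { Test-Path -Path $_ } |
    ForEach-Object { Get-RegistryKeyWriters -Path $_ } |
    Where-Object { $trusted -notcontains $_.Identity } |
    Format-Table Key, Identity, Rights, Inherited -AutoSize
```

The value audit is deliberately read-only: it reports drift rather than rewriting the registry, so it can be scheduled on a fleet and its output compared over time. The permission audit reports rather than changes ACLs for the same reason; CREATOR OWNER showing up with an inherited entry is normal on most keys, whereas an explicit entry for Users or Authenticated Users on one of these keys is the kind of thing the post's "set permissions so they can't be changed" advice is meant to catch.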