registry tweaks related to network
DESCRIPTION
Registry Tweaks Related to Network
TRANSCRIPT
I haven't seen much on Registry Security, so I took the time out to put something together:
Important! Learn the registry settings before enabling/disabling them. These registry tweaks are for Windows NT4, Windows 2000 and Windows XP.
disabling IP Forwarding
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS]"IPENABLEROUTER"=DWORD:00000000
disallow fragmented IP
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\IPFILTERDRIVER\PARAMETERS]"ENABLEFRAGMENTCHECKING"=DWORD:00000001
disabling ICMP-Redirect
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS]"ENABLEICMPREDIRECTS"=DWORD:00000000
; Windows 2000 and XP read this value under the singular name ENABLEICMPREDIRECT
enabling TCP/IP-Filtering
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS]"ENABLESECURITYFILTERS"=DWORD:00000001
disallow forwarding of fragmented IP packets
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\IPFILTERDRIVER\PARAMETERS]"DEFAULTFORWARDFRAGMENTS"=DWORD:00000000
restart if Eventlog fails
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA]"CRASHONAUDITFAIL"=DWORD:00000001
; halts the system (STOP 0xC0000244) when the Security log is full; after the crash the value becomes 2 and only Administrators can log on until the log is cleared and the value set back to 1
Winsock Protection
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\AFD\PARAMETERS]
; ENABLEDYNAMICBACKLOG is a boolean (1); the sizes below are hex, i.e. 20 / 20000 / 10 decimal as documented for NT4 SP3+ and Windows 2000
"ENABLEDYNAMICBACKLOG"=DWORD:00000001
"MINIMUMDYNAMICBACKLOG"=DWORD:00000014
"MAXIMUMDYNAMICBACKLOG"=DWORD:00004e20
"DYNAMICBACKLOGGROWTHDELTA"=DWORD:0000000a
Denial-of-Service Protection
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS]
"SYNATTACKPROTECT"=DWORD:00000002
"TCPMAXDATARETRANSMISSIONS"=DWORD:00000003
"TCPMAXHALFOPEN"=DWORD:00000064
"TCPMAXHALFOPENRETRIED"=DWORD:00000050
"TCPMAXPORTSEXHAUSTED"=DWORD:00000001
"TCPMAXCONNECTRESPONSERETRANSMISSIONS"=DWORD:00000002
"ENABLEDEADGWDETECT"=DWORD:00000000
; with PMTU discovery off, traffic to non-local destinations is sent with a 576-byte MTU
"ENABLEPMTUDISCOVERY"=DWORD:00000000
; KEEPALIVETIME is in milliseconds and DWORD values are hex: 0x493e0 = 300000 ms = 5 minutes (0x300000 would be about 52 minutes)
"KEEPALIVETIME"=DWORD:000493e0
"ALLOWUNQUALIFIEDQUERY"=DWORD:00000000
"DISABLEDYNAMICUPDATE"=DWORD:00000001
Disable Router-Discovery
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\INTERFACES\<interface GUID>]"PERFORMROUTERDISCOVERY"=DWORD:00000000
; on Windows 2000/XP this is set under each interface's subkey; the INTERFACES key itself holds no values
Disabling DomainMaster
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\BROWSER\PARAMETERS]
"MAINTAINSERVERLIST"="No"
"ISDOMAINMASTER"="False"
Disable Netbios-Name exposing
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\NETBT\PARAMETERS]"NONAMERELEASEONDEMAND"=DWORD:00000001
; the host ignores NetBIOS name-release requests from the network instead of giving up its name (name-release denial of service)
Fix for MS DNS Compatibility with BIND versions earlier than 4.9.4
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\DNS\PARAMETERS]"BINDSECONDARIES"=DWORD:00000001
disabling Caching of Logon-Credentials (possible also with USRMGR.EXE)
[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON]"CACHEDLOGONSCOUNT"="0"
; CACHEDLOGONSCOUNT is a REG_SZ; "0" disables caching ("1" still caches one logon). A domain member with "0" cannot log on while no DC is reachable
disabling IP-Source-Routing
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS]"DISABLEIPSOURCEROUTING"=DWORD:00000001
; 1 stops forwarding source-routed packets; 2 drops all incoming source-routed packets
allow only MS CHAP v2.0 for VPN connections
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\RASMAN\PPP]"SECUREVPN"=DWORD:00000001
disabling caching of RAS-Passwords
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\RASMAN\PARAMETERS]"DISABLESAVEPASSWORD"=DWORD:00000001
Printer installation only by Admins/Print Operators
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\PRINT\PROVIDERS\LANMAN PRINT SERVICES\SERVERS]"ADDPRINTERDRIVERS"=DWORD:00000001
disabling Administrative Shares NT4.0 Server (C$, D$, E$ etc)
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\LANMANSERVER\PARAMETERS]"AUTOSHARESERVER"=DWORD:00000000
disabling Administrative Shares NT4.0 Workstation (C$, D$, E$ etc)
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\LANMANSERVER\PARAMETERS]"AUTOSHAREWKS"=DWORD:00000000
allow only authenticated PPP Clients
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\RASMAN\PPP]"FORCEENCRYPTEDPASSWORD"=DWORD:00000002
enabling RAS-Logging
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\RASMAN\PARAMETERS]"LOGGING"=DWORD:00000001
disabling NTFS 8.3 name generation
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\FILESYSTEM]"NTFSDISABLE8DOT3NAMEGENERATION"=DWORD:00000001
disallow anonymous IPC-Connections
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA]"RESTRICTANONYMOUS"=DWORD:00000001
; NT4 (SP3 and later) knows only 1; Windows 2000 also accepts 2, which blocks anonymous access entirely and can break trusts and down-level browsing
enabling SMB Signatures (Server)
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\LANMANSERVER\PARAMETERS]"REQUIRESECURITYSIGNATURE"=DWORD:00000001
enabling SMB Signatures (Client)
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\RDR\PARAMETERS]"REQUIRESECURITYSIGNATURE"=DWORD:00000001
; RDR\PARAMETERS is the NT4 location; on Windows 2000/XP the client value is under SERVICES\LANMANWORKSTATION\PARAMETERS. Requiring signing on both sides breaks sessions with peers that cannot sign
NT LSA DoS (Phantom) Vulnerability
[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\AEDEBUG]"AUTO"="0"
MDAC runs in secured [1] / unsecured [0] Mode
[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\DATAFACTORY\HANDLERINFO]"HANDLERREQUIRED"=DWORD:00000001
disable Lan Manager authentication
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA]"LMCOMPATIBILITYLEVEL"=DWORD:00000002
Level 0 - Send LM response and NTLM response; never use NTLMv2
Level 1 - Use NTLMv2 session security if negotiated
Level 2 - Send NTLM response only
Level 3 - Send NTLMv2 response only
Level 4 - DC refuses LM responses
Level 5 - DC refuses LM and NTLM responses (accepts only NTLMv2)
disabling DCOM (possible also with DCOMCNFG.EXE)
[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\OLE]"ENABLEDCOM"="N"
restrict Null-User-/Guest-Access to Eventlog
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\APPLICATION]"RESTRICTGUESTACCESS"=DWORD:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\SECURITY]"RESTRICTGUESTACCESS"=DWORD:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\SYSTEM]"RESTRICTGUESTACCESS"=DWORD:00000001
disable displaying last logged in user
[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON]"DONTDISPLAYLASTUSERNAME"="1"
; "1" hides the last user name; "0" displays it
restrict Floppy-/CD-ROM-access to the current logged on user
[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON]
"ALLOCATEFLOPPIES"="1"
"ALLOCATECDROMS"="1"
no Autorun for CD-Rom (1=enabled 0=disabled)
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\CDROM]"AUTORUN"=DWORD:00000000
clear pagefile on shutdown
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\SESSION MANAGER\MEMORY MANAGEMENT]"CLEARPAGEFILEATSHUTDOWN"=DWORD:00000001
enabling Screensaver Lockout
[HKEY_USERS\.DEFAULT\CONTROL PANEL\DESKTOP]
"SCREENSAVEACTIVE"="1"
; SCREENSAVEACTIVE only turns the saver on; the lockout itself needs SCREENSAVERISSECURE="1" (and SCREENSAVETIMEOUT, in seconds)
"SCREENSAVERISSECURE"="1"
disabling OS/2 Subsystem (if not needed)
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\SESSION MANAGER\SUBSYSTEMS]"OS2"=-
; delete the value named OS2 and remove "Os2" from the REG_MULTI_SZ value OPTIONAL
disabling POSIX Subsystem (if not needed)
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\SESSION MANAGER\SUBSYSTEMS]"POSIX"=-
; delete the value named POSIX and remove "Posix" from OPTIONAL
run IIS CGI with context of "IUSR_computername"
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\W3SVC\PARAMETERS]"CreateProcessAsUser"=dword:00000001
Security Message (Logon)
[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON]"Welcome"=" Unauthorized Access is prohibited "
; "Welcome" only changes the caption of the logon dialog; a notice the user must acknowledge before logging on uses these two REG_SZ values:
"LEGALNOTICECAPTION"="Warning"
"LEGALNOTICETEXT"="Unauthorized Access is prohibited"
Policies (1=enabled 0=disabled)
[HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS NT\PROGRAM MANAGER\RESTRICTIONS]
[HKEY_USERS\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS NT\PROGRAM MANAGER\RESTRICTIONS]
[HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM]
enable logging of successful http requests
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\W3SVC\PARAMETERS]"LogSuccessfulRequests"=dword:00000001
disable IIS FTP bounce attack (IIS 2/3)
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\MSFTPSVC\PARAMETERS]"EnablePortAttack"=dword:00000000
enable logging of bad http requests
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\W3SVC\PARAMETERS]"LogErrorRequests"=dword:00000001
After you make your registry tweaks, do Start/Run, regedt32, Security/Permissions. Go to the hives where you made the changes and set permissions on each key so they can't be changed.
I took the time out to individually make these 43 registry tweaks separately, with their titles, into one zip file... Enjoy..
Feel free to add to this thread if you have others not listed here.
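As an added example (not part of the thread or its zip file), the following Python script audits a regedit export against a subset of the values listed above. You export the hives on the target with `regedit /e`, parse the file, and the script reports which baseline values are missing or differ and whether the OS/2 and POSIX subsystems are still listed in the "Optional" value. The baseline is the example's own selection from the thread (with DisableIPSourceRouting set to 2, drop all source-routed packets, rather than the thread's 1), the SAMPLE_EXPORT is constructed for the demonstration, and the REG_MULTI_SZ decoding assumes a Version 5.00 export (UTF-16LE), since REGEDIT4 exports from NT4 write string data as ANSI.

```python
"""Audit a regedit export (.reg) against a registry hardening baseline (added example).
Parses what "regedit /e" writes (REGEDIT4 on NT4, Version 5.00 on 2000/XP); SAMPLE_EXPORT is constructed."""
import re
from typing import Dict, List, Set, Tuple

Hive = Dict[str, Dict[str, Tuple[str, object]]]  # lowercased key -> lowercased name -> (type, data)
TCPIP = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
SRV = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SUBSYS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems"

# Subset of the thread's values as (key, name) -> expected (type, data).
# DisableIPSourceRouting is 2 here (drop all source-routed packets), not the thread's 1.
BASELINE: Dict[Tuple[str, str], Tuple[str, object]] = {
    (TCPIP, "SynAttackProtect"): ("dword", 2),
    (TCPIP, "DisableIPSourceRouting"): ("dword", 2),
    (LSA, "RestrictAnonymous"): ("dword", 1),
    (SRV, "RequireSecuritySignature"): ("dword", 1),
    (WINLOGON, "DontDisplayLastUserName"): ("sz", "1"),
}
# REG_MULTI_SZ "Optional" must no longer list the OS/2 and POSIX subsystems.
FORBIDDEN: Dict[Tuple[str, str], Set[str]] = {(SUBSYS, "Optional"): {"os2", "posix"}}
_KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
_VAL_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s)  # \\ -> \  and  \" -> "


def _decode(raw: str) -> Tuple[str, object]:
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':   # REG_SZ
        return ("sz", _unescape(raw[1:-1]))
    if raw.lower().startswith("dword:"):             # REG_DWORD, written in hex
        return ("dword", int(raw[6:], 16))
    m = re.match(r"hex(?:\((\w+)\))?:(.*)$", raw, re.I)
    if not m:
        raise ValueError(f"unsupported value syntax: {raw!r}")
    data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
    if (m.group(1) or "").lower() == "7":            # REG_MULTI_SZ, UTF-16LE in 5.00 exports
        return ("multi_sz", [s for s in data.decode("utf-16-le").split("\0") if s])
    return ("hex", data)                             # REG_BINARY and other hex(n) types


def parse_reg(text: str) -> Hive:
    hive: Hive = {}
    current = None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line[0] == ";" or line.startswith(("REGEDIT4", "Windows Registry Editor")):
            continue
        m = _KEY_RE.match(line)
        if m:                                        # [key] opens a key, [-key] deletes one
            current = None if m.group(1) else m.group(2).lower()
            if current is not None:
                hive.setdefault(current, {})
            continue
        while line.endswith("\\") and i < len(lines):   # hex data continued on the next line
            line = line[:-1] + lines[i].strip()
            i += 1
        m = _VAL_RE.match(line)
        if m is None or current is None:
            raise ValueError(f"unparseable or misplaced line: {line!r}")
        name = "" if m.group(1) is None else _unescape(m.group(1))  # @ is the default value
        hive[current][name.lower()] = _decode(m.group(2))
    return hive


def audit(hive: Hive) -> List[str]:
    """One finding per deviation from BASELINE/FORBIDDEN; an empty list means compliant."""
    findings: List[str] = []
    for (key, name), exp in BASELINE.items():
        got = hive.get(key.lower(), {}).get(name.lower())
        if got is None:
            findings.append(f"MISSING {key}\\{name}: expected {exp[0]} {exp[1]!r}")
        elif got != exp:
            findings.append(f"DRIFT {key}\\{name}: got {got[0]} {got[1]!r}, expected {exp[0]} {exp[1]!r}")
    for (key, name), banned in FORBIDDEN.items():
        got = hive.get(key.lower(), {}).get(name.lower())
        if got is not None and got[0] == "multi_sz":
            left = sorted(s for s in got[1] if s.lower() in banned)
            if left:
                findings.append(f"LEFTOVER {key}\\{name}: {', '.join(left)}")
    return findings


# Constructed export (not from a real host): three drifts, one missing value, OS/2 and POSIX still optional.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"SynAttackProtect"=dword:00000000
"DisableIPSourceRouting"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems]
"Optional"=hex(7):4f,00,73,00,32,00,00,00,50,00,6f,00,73,00,69,00,78,00,00,00,\
  00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DontDisplayLastUserName"="0"
"LegalNoticeText"="Unauthorized access is \"prohibited\""
"""
```

To audit a real host, run `regedit /e hklm.reg HKEY_LOCAL_MACHINE` there and call `audit(parse_reg(open("hklm.reg", encoding="utf-16").read()))`; Version 5.00 exports are UTF-16 text with a byte-order mark, while REGEDIT4 exports from NT4 are ANSI and should be opened with the system code page. Findings are returned as strings so the script can be wired into whatever reporting you already have, and an empty list means every baseline value matched.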