| 87 |
| Tweak your registry on the server to help prevent DoS attacks |
| One of the most common attacks today is the Denial of Service (DoS) attack. With this kind of |
| attack, malicious users don't gain access to your private data or break your network security; |
| instead, they try to make the server unavailable to other network users. |
| Windows 2000 Professional and Server ship with registry settings you can tune to harden the |
| TCP/IP stack against DoS attacks. Before you apply these changes, evaluate them closely. (Note: |
| You should only make these changes on servers that are exposed to the outside world.) |
| All four of these registry changes are located under: |
| HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters |
| SynAttackProtection of type REG_DWORD. You can harden the TCP/IP stack against SYN attacks |
| by changing the value to 1 or 2. For best protection change it to 2. |
| EnableDeadGWDetect of type REG_DWORD. Setting this to 0 will prevent an attacker from |
| switching the gateway. Note that if your default gateway experiences some difficulties, Windows |
| 2000 won't switch to a backup gateway when this setting is 0. |
| EnablePMTUDiscovery of type REG_DWORD. Setting this value to 0 will prevent an attacker from |
| changing the MTU and thus overwhelming the TCP/IP stack. The MTU is set to 567 bytes. |
| KeepAliveTime of type REG_DWORD. The recommended setting for this value is 300.000. This |
| will cause the system to send keep-alive packets every 5 minutes. |
| You'll make this last change under: |
| HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt\Parameters |
| NoNameRelease with the type REG_DWORD. Microsoft recommends that you set the value to 1, |
| which will prevent the computer from releasing its NetBIOS name when a name-release request is |
| Reminder: Editing the registry can be risky, so be sure you have a verified backup before making |
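To check a server against the five values listed above, this added example (not part of the original tip) audits a text export of the two registry keys and reports every value that differs or is absent. The function names and the sample export are constructed for illustration, and the export is assumed to be decoded to text already.

```python
import re

TCPIP = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
NETBT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt\Parameters"
# Values recommended in the tip above (all REG_DWORD).
RECOMMENDED = {
    (TCPIP, "SynAttackProtection"): 2,
    (TCPIP, "EnableDeadGWDetect"): 0,
    (TCPIP, "EnablePMTUDiscovery"): 0,
    (TCPIP, "KeepAliveTime"): 300000,
    (NETBT, "NoNameRelease"): 1,
}
# Constructed sample export, already decoded to text (regedit writes UTF-16).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"SynAttackProtection"=dword:00000001
"EnableDeadGWDetect"=dword:00000000
"KeepAliveTime"=dword:006ddd00
"Hostname"="WEB01"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt\Parameters]
"NoNameRelease"=dword:00000001
'''

def parse_dwords(export_text):
    """Return {(key, value_name): int} for each REG_DWORD; names lowercased."""
    values, key = {}, None
    for line in map(str.strip, export_text.splitlines()):
        section = re.fullmatch(r"\[(.+)\]", line)
        m = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)
        if section:
            key = section.group(1).lower()  # registry key names are case-insensitive
        elif m and key:
            values[(key, m.group(1).lower())] = int(m.group(2), 16)
    return values

def audit(export_text):
    """List (name, found, recommended) for every value that differs or is absent."""
    found = parse_dwords(export_text)
    findings = []
    for (key, name), want in RECOMMENDED.items():
        have = found.get((key.lower(), name.lower()), "missing")
        if have != want:
            findings.append((name, have, want))
    return findings

for name, have, want in audit(SAMPLE_EXPORT):
    print(f"{name}: found {have}, recommended {want}")
```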