© 1995-2002 Symantec Corporation.
All rights reserved.

security response
December 14, 2001
Intruder Alert 3.6 Windows OS Hardening Policy

Several user-configured registry keys are recommended for hardening the Windows NT and Windows 2000 operating systems. This policy monitors those registry keys. It is a "Configure to Detect" policy: it only produces alerts once the registry keys have actually been configured on the monitored system.

Download Intruder Alert policy

Affected Platforms

Windows 2000, Windows NT Agents

Description

This policy detects tampering with user-configured registry keys. The registry keys listed are not pre-configured on a default Windows installation. Adding the keys listed below tightens the security of the Windows operating system from a network perspective.

Policy rules include:

  • Enable ICMP Redirect-Changed/Filter
    Detects a change to the registry value controlling whether Windows will alter its route table in response to an ICMP redirect message. It is a REG_DWORD, with a value of 0 or 1 (False or True). The default value is 1. The recommended value is 0.

    To add or modify this registry key, ensure the following settings are made to the system:

    Key: [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters]
    Value Name: EnableICMPRedirect
    Data Type: REG_DWORD (DWORD Value)
    Value Data: Default value is 1, recommended value is 0.

  • Keep Alive Time-Changed/Filter
    Detects a change to the registry value that controls how often TCP attempts to verify that an idle connection is still intact by sending a keep-alive packet. If a remote system is still reachable and functioning, it acknowledges the keep-alive transmission. This is a REG_DWORD value that is set to two hours by default. The recommended setting is five minutes.

    To add or modify this registry key, ensure the following settings are made to the system:

    Key: [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters]
    Value Name: KeepAliveTime
    Data Type: REG_DWORD (DWORD Value)
    Value Data: Default is 7,200,000 (two hours), recommended is 300,000 (5 minutes).

  • Perform Router Discovery-Changed/Filter
    Detects a change to the registry value controlling whether Windows will try to perform router discovery (RFC 1256). This key is a per-interface key. It is a REG_DWORD key with three possible values, 0 (disabled), 1 (enabled), or 2 (DHCP control). 1 is enabled by default.

    To add or modify this registry key, ensure the following settings are made to the system:

    Key: [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\]
    Value Name: PerformRouterDiscovery
    Data Type: REG_DWORD (DWORD Value)
    Value Data: Default is 2, recommended is 0.

  • TcpMaxHalfOpenRetried-Changed/Filter
    Detects a change to the registry value that determines the number of connections in the SYN-RCVD state for which there has been at least one retransmission of the SYN sent before SYN-ATTACK protection begins to operate.

    To add or modify this registry key, ensure the following settings are made to the system:

    Key: [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters]
    Value Name: TcpMaxHalfOpenRetried
    Data Type: REG_DWORD (DWORD Value)
    Value Data: 80 for W2K Professional and Server, 400 for Advanced Server.

  • TcpMaxHalfOpen-Changed/Filter
    Detects a change to the registry value that determines the number of connections allowed in the SYN-RCVD state before SYN-ATTACK protection begins to operate.

    To add or modify this registry key, ensure the following settings are made to the system:

    Key: [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters]
    Value Name: TcpMaxHalfOpen
    Data Type: REG_DWORD (DWORD Value)
    Value Data: Default value is 100 for W2K Professional and Server, 500 for Advanced Server.

  • SynAttackProtect-Changed/Filter
    Detects a change to the registry value that is configured to reduce the amount of time the system will wait for SYN-ACKs, thus protecting itself from a SYN attack. It is a REG_DWORD value with three possible values: 0 - no protection, 1 - reduces transmission retries and delays route cache entry creation, and 2 - the protections of 1 plus a delay indication to Winsock. 0 is the default.

    To add or modify this registry key, ensure the following settings are made to the system:

    Key: [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters]
    Value Name: SynAttackProtect
    Data Type: REG_DWORD (DWORD Value)
    Value Data: Default value is 0, recommended is 2.
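Because this is a "Configure to Detect" policy, an administrator needs a way to confirm that every monitored value is actually present and set as recommended before relying on the alerts. The following PowerShell audit script is an added example, not part of the Intruder Alert policy or of Symantec's code; it assumes a host with PowerShell and the registry paths unchanged from those listed above, enumerates every interface subkey under Interfaces\ for the per-interface PerformRouterDiscovery value, and reports each value as absent, matching the page's recommended setting, or mismatched. For TcpMaxHalfOpen and TcpMaxHalfOpenRetried the page gives only defaults, so those are reported rather than judged.

```powershell
# Added audit script (not part of the Intruder Alert policy). Run in an elevated prompt.
$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# Values under the global Tcpip\Parameters key. Recommended/default numbers are the ones
# stated on this page; Recommended = $null means the page only gives a default (report only).
$checks = @(
    @{ Name = 'EnableICMPRedirect';    Recommended = 0;      Default = 1 }
    @{ Name = 'KeepAliveTime';         Recommended = 300000; Default = 7200000 }
    @{ Name = 'SynAttackProtect';      Recommended = 2;      Default = 0 }
    @{ Name = 'TcpMaxHalfOpenRetried'; Recommended = $null;  Default = 80 }   # 400 on Advanced Server
    @{ Name = 'TcpMaxHalfOpen';        Recommended = $null;  Default = 100 }  # 500 on Advanced Server
)

function Test-HardeningValue {
    param([string]$Path, [string]$Name, $Recommended, $Default)
    # Absent values do not raise an error; Get-ItemProperty just returns $null.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $current = $null
        $state   = 'ABSENT (Windows uses built-in default {0}; policy cannot detect changes)' -f $Default
    } else {
        $current = $item.$Name
        if ($null -eq $Recommended)        { $state = 'PRESENT (page gives no recommended value)' }
        elseif ($current -eq $Recommended) { $state = 'OK' }
        else                               { $state = 'MISMATCH (recommended {0})' -f $Recommended }
    }
    [pscustomobject]@{ Path = $Path; Name = $Name; Current = $current; State = $state }
}

# Global values first.
$results = @(foreach ($c in $checks) {
    Test-HardeningValue -Path $tcpip -Name $c.Name -Recommended $c.Recommended -Default $c.Default
})

# PerformRouterDiscovery lives under each interface's own subkey, so check every one
# (the page lists the Interfaces\ parent; the per-interface subkey names are assumed here).
$results += @(Get-ChildItem -Path "$tcpip\Interfaces" | ForEach-Object {
    Test-HardeningValue -Path "Registry::$($_.Name)" -Name 'PerformRouterDiscovery' -Recommended 0 -Default 2
})

$results | Format-Table -AutoSize
```

Any row reported as ABSENT is a value the policy will never alert on until it is created; create it at the recommended setting and re-run the audit.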


Last modified on: Friday, 14-Dec-01 16:56:50