Equivalent registry entries related to TCP IP stack in Windows 2003
Hi,
I am hardening OS: Windows 2003 SP 2 and want to check the impact on my application. I want to implement the following "Harden the TCP/IP stack against denial of service attacks"
Reference "http://technet.microsoft.com/hi-in/library/dd277307(en-us).aspx". The reference based on Windows 2000
Can you please let me know equivalent registry in Windows 2003?
Key: Parameters Value Name: DisableIPSourceRouting
REG_DWORD
2
Key: Parameters Value Name: KeepAliveTime
REG_DWORD
300,000
Key: Parameters Value Name: PerformRouterDiscovery
REG_DWORD
0
Key: Parameters Value Name: SynAttackProtect
REG_DWORD
2
Key: Parameters Value Name: TcpMaxConnectResponseRetransmissions
REG_DWORD
2
Key: Parameters Value Name: TcpMaxConnectRetransmissions
REG_DWORD
3
Key: Parameters Value Name: TcpMaxDataRetransmissions
REG_DWORD
3
Key: Parameters Value Name: TCPMaxPortsExhausted
REG_DWORD
5
September 20th, 2010 6:08am
I think this is what you are looking for:
How to harden the TCP/IP stack against denial of service attacks in Windows Server 2003
http://support.microsoft.com/kb/324270
Free Windows Admin Tool Kit Click here and download it now
September 20th, 2010 6:18am
Hi ,
Thanks for the reply. I am using Windows 2003 Standard Edition SP2. I have found "EnableDeadGWDetect " in my registry entry.
Do we need to add these entries manually or will come up with some windows patch?
September 20th, 2010 9:30am
When I checked my Win Server 2003 SP2 machine, in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters section I found "DeadGWDetectDefault". This should perform the same function as the "EnableDeadGWDetect"
entry.
According to Microsoft, you should set this to '0'.
Free Windows Admin Tool Kit Click here and download it now
September 20th, 2010 10:46am
Yes, you are correct. What I mean to say that I have found only EnableDeadGWDetect registry
Are you able to trace the other entries in your Windows 2003 say SynAttackProtect, EnablePMTUDiscovery, KeepAliveTime
and NoNameReleaseOnDemand
September 21st, 2010 2:48am
I checked my server and it is the same as yours, the values in the article are not there by default.
My suggestion would be to create a backup of your registry, add the values listed in the article, and perform testing to confirm your application is working correctly with the new changes. If you have problems, you can always rollback to your original configuration.
Free Windows Admin Tool Kit Click here and download it now
September 21st, 2010 9:45am
Hi,
Can you please let me know the exact path where I should place the remaining registry entries(As EnableDeadGWDetect is
present in 6 nodes of "Interfaces" TCPIP\Parameters\Interfaces)?
October 12th, 2010 10:31am