Networking / Beginners

TCP Hardening

The TCP stack in Windows 2000 and higher is quite solid actually. However, you should consider making at least one tweak on servers. SynAttackProtect makes the system considerably more resilient to TCP SYN-flood attacksan attack where the attacker simply attempts to make many concurrent connections to a system to exhaust its capability to service legitimate users. SynAttackProtect is a REG_DWORD under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters. Note that it may not be there by default, in which case you have to add it. It can take three values: 0, 1, and 2. 0, the default, is appropriate for clients and servers on slow links. We recommend that servers on the Internet or otherwise subject to SYN-floods have SynAttackProtect set to 2. Systems on slow links cannot have this value set because it would cause legitimate connections to be timed out. The Windows 2000 Hardening Guide will add this value to the Group Policy UI. The Windows Server 2003 guide contains information on how to manually add it.

There are several other TCP hardening settings, but the majority of them have a relatively low or specialized impact.

[Previous] [Contents] [Next]

In this tutorial:

  1. Protecting Hosts
  2. Security Configuration Myths
  3. Myth 1: Security Guides Make Your System Secure
  4. Myth 2: If We Hide It, they Not Find It
  5. Myth 3: The More Tweaks, the Better
  6. Myth 4: Tweaks Are Necessary
  7. Myth 5: All Environments Should At Least Use <Insert Favorite Guide Here>
  8. Myth 6: "High Security" Is an End Goal for All Environments
  9. Myth 7: Start Securing Your Environment by Applying a Security Guide
  10. Myth 8: Security Tweaks Can Fix Physical Security Problems
  11. Myth 9: Security Tweaks Will Stop Worms/Viruses
  12. Myth 10: An Expert Recommended This Tweak as Defense in Depth
  13. Server Security Tweaks
  14. Software Restriction Policies
  15. Do Not Store LAN Manager Hash Value
  16. Anonymous Restrictions
  17. Security Identifiers (SIDs)
  18. Password Policies
  19. SMB Message Signing
  20. Networking LAN Manager Authentication Level
  21. TCP Hardening
  22. Restricted Groups
  23. Audit Settings
  24. Client Security Tweaks
  25. Firewalls
  26. IPsec Filters
  27. SafeDllSearchMode
  28. Local Administrator Account Control
  29. Limit Local Account Use of Blank Passwords to Console Logon Only
  30. Logon Events
  31. Allowed to Format and Eject Removable Media
  32. The Caution ListChanges You Should Not Make
  33. Crash on Audit Failure
  34. Clear Virtual Memory Page File
  35. Security Configuration Tools