Customizing a Network Using the Registry, Part 1
It's impossible to provide a complete reference for all of Windows NT, Windows 2000, Windows XP, and Windows Server 2003 networking in a single chapter (for example, the Resource Kits usually include a comprehensive volume entitled Windows NT Networking). This topic certainly deserves a separate book. However, I hope that this chapter helps you to understand how network settings are stored in the registry, and how these settings are related to the data displayed by Control Panel applets. This topic is one of the most interesting ones, and if you explore it, you'll make many discoveries and invent many new ways of customizing network settings.

The remaining sections of this chapter will describe various methods of customizing network settings using the registry.

Securing DNS Servers against DoS Attacks

During the last few years, Denial of Service (DoS) and, especially, Distributed Denial of Service (DDoS) attacks have become the most serious threats to corporate networks. The number of such attacks is growing steadily with time, and currently no one can feel safe and absolutely secure from encountering this threat. Of course, the tips provided here also won't guarantee absolute security against attacks on DNS servers. However, they will serve as good add-ons to your security policy.

Note: Before introducing the registry modifications described below into the configuration of your production servers, it is recommended that you test them in your lab environment.

All registry settings described in this section are located under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters registry key (Fig. 8.28). Notice that if specific parameters are missing from your registry, this means that the system considers them to be set to default values.

Figure 8.28: The HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters registry key

Brief descriptions of these parameters and their recommended values are provided below:

- EnableDeadGWDetect (REG_DWORD data type). The default value (1) enables TCP/IP to switch to a secondary gateway if many connections experience problems. However, when you are under a DoS attack, such behavior is undesirable, since all traffic can be redirected to a gateway that is not constantly monitored. For this reason, set this parameter to 0.
- EnablePMTUDiscovery (REG_DWORD data type). The default value of this parameter enables TCP/IP to determine the Maximum Transmission Unit (MTU) that can be transmitted to the system. This feature is potentially dangerous, since it enables the attacker to bypass your security system or cause it to fail by means of transmitting fragmented traffic. For example, many Intrusion Detection Systems (IDS) are still unable to correctly assemble fragmented IP packets. If you set this parameter to 0, the MTU value will always be equal to 576 bytes.
- KeepAlive (REG_DWORD data type). This parameter specifies how frequently an idle connection on a remote system should be verified. Set the value to 300000.
- SynAttackProtect (REG_DWORD data type). Creating this value will enable you to provide minimum protection against a specific type of DoS attack known as SYN Flood. SYN Flood attacks interfere with the normal acknowledgement handshake between a client and a server. Under normal conditions, this process comprises three stages:

  1. The client sends the request to establish a connection to the server (SYN message).
  2. The server responds by sending an acknowledgement (SYN-ACK message).
  3. The client confirms the reception of the SYN-ACK message by sending an acknowledgement (ACK message).

  If your server becomes a target for a SYN Flood attack, it will receive a flood of connection requests, which will gradually prevent it from receiving acknowledgements from clients. Thus, legitimate users will be unable to establish connections. The recommended value for this parameter is 2 (you can also set this value to 1, but this configuration is less efficient).

Securing Terminal Services Connections

Materials provided in this section will certainly prove useful for those who want to improve security when using Remote Desktop for Administration in Windows Server 2003. As was already mentioned earlier in this chapter, this facility is automatically installed on all servers running Windows Server 2003. However, remote administration with this tool is not enabled by default. After it is enabled (see Fig. 8.22), you can use Group Policy or the Terminal Services Configuration tool to further configure Terminal Services. By default, only members of the Administrators group have permission to connect in administrative mode (but they can only connect two at a time). This default security setting is useful. However, there are several additional settings and tools that can be used to improve security, including Group Policy, the local Terminal Server configuration tool, local client settings and, of course, registry editing.

Note: In addition to the advice and tips provided here, don't forget about regular system hardening practices and security policies adopted by your company. More detailed information on this topic will be provided in Chapter 9. Furthermore, carefully weigh the benefits provided by enabling remote access for administrative purposes against the potential dangers of exposing the system to additional risks.

To modify the default settings for Remote Desktop, proceed as follows:

1. Open the Control Panel, start Administrative Tools, then select the Terminal Services Configuration option. The Terminal Services Configuration console will open (Fig. 8.29).

Figure ...
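The following added example, which is not part of the original chapter, checks a `reg export` dump of the Tcpip\Parameters key against the four recommended values listed under "Securing DNS Servers against DoS Attacks" and reports an absent value as falling back to the system default. The sample export, the status labels and the function names are constructed for illustration; KeepAliveTime is accepted as an alias because that is the value name used in Microsoft's TCP/IP documentation.

```python
import re

# Key path and recommended data come from the section above.
TCPIP_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
RECOMMENDED = {"EnableDeadGWDetect": 0, "EnablePMTUDiscovery": 0,
               "KeepAlive": 300000, "SynAttackProtect": 2}
WEAKER = {"SynAttackProtect": {1}}  # allowed by the text, but less efficient
# The section says KeepAlive; Microsoft documents the value name as KeepAliveTime.
ALIASES = {"keepalivetime": "keepalive"}
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

# Constructed sample in `reg export` format (not from the page).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"Hostname"="dns01"
"EnableDeadGWDetect"=dword:00000001
"KeepAliveTime"=dword:000493e0
"SynAttackProtect"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces]
"EnablePMTUDiscovery"=dword:00000000
'''

def parse_dwords(text, key=TCPIP_KEY):
    """Return {lower-cased value name: int} for REG_DWORD values directly under key."""
    values, in_key = {}, False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):  # a new key header; subkeys do not match
            in_key = line[1:-1].lower() == key.lower()
        elif in_key and (m := DWORD_RE.match(line)):
            name = m.group(1).lower()
            values[ALIASES.get(name, name)] = int(m.group(2), 16)
    return values

def audit(text):
    """Return {name: (status, current, recommended)}; current is None if absent."""
    found, report = parse_dwords(text), {}
    for name, want in RECOMMENDED.items():
        have = found.get(name.lower())
        status = ("missing, system default applies" if have is None
                  else "ok" if have == want
                  else "weaker" if have in WEAKER.get(name, ()) else "differs")
        report[name] = (status, have, want)
    return report

if __name__ == "__main__":
    for name, (status, have, want) in audit(SAMPLE_EXPORT).items():
        print(f"{name}: {status} (current={have}, recommended={want})")
```

To audit a real server, run `reg export HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters tcpip.reg` and pass the file's text to `audit()`; version 5.00 exports are UTF-16, so open the file with `encoding="utf-16"`.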