Windows Server 2003 Recommended Baseline Security
Unclassified ITSG for Windows Server 2003
4.7 Additional Security Settings
The following settings are in the policy file and are organized similarly to the Windows Server 2003 Security Guide. While the settings affect the Registry, they do not appear in the Registry section of the Policy GUI.
4.7.1 Security Consideration for Network Attacks
4.7.1.1 EnableICMPRedirect
machine\system\currentcontrolset\services\tcpip\parameters\enableicmpredirect=4, 0
The ‘enableicmpredirect’ registry value controls whether TCP/IP creates host routes in response to ICMP redirect messages. Such host routes override OSPF-generated routes. The setting ‘0’ disables this capability. If it is enabled, a redirected host route can leave the system unavailable to the network until a ten-minute timeout expires. Disabling it causes the system to rely on OSPF routing.
4.7.1.2 SynAttackProtect
machine\system\currentcontrolset\services\tcpip\parameters\synattackprotect=4, 1
The ‘synattackprotect’ registry value adjusts the retransmission of SYN-ACKs. The setting ‘1’ causes connections to time out faster when a SYN attack is detected, which reduces the effort expended on unresponsive half-open connections.
4.7.1.3 EnableDeadGWDetect
machine\system\currentcontrolset\services\tcpip\parameters\enabledeadgwdetect=4, 0
The ‘enabledeadgwdetect’ value allows TCP to redirect traffic to a backup gateway. The setting ‘0’ disables this capability. If it is enabled and the system detects difficulties on a network, it will automatically switch to a different gateway, which may cause undesirable packet traversal over untrusted networks.
4.7.1.4 EnablePMTUDiscovery
machine\system\currentcontrolset\services\tcpip\parameters\enablepmtudiscovery=4, 0
The ‘enablepmtudiscovery’ registry value determines whether TCP automatically discovers the path maximum transmission unit (MTU), that is, the largest packet size that can reach a remote host. The setting ‘0’ causes a fixed packet size to be used for all connections to remote hosts. If it is enabled, an attacker could force a very small packet size, which significantly increases network workload and may lead to a DoS condition.
4.7.1.5 KeepAliveTime
machine\system\currentcontrolset\services\tcpip\parameters\keepalivetime=4, 300000
The ‘keepalivetime’ registry value determines how often TCP verifies that an idle connection is still intact. The setting ‘300,000’ (300,000 ms, or 5 minutes) is short enough to provide some defense against DoS conditions, because it lets the system recover resources from unresponsive connections.
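As an added example (not part of the ITSG or of the policy files it describes), the following PowerShell audits a host's live TCP/IP parameters against the five baseline values above and can apply any that differ. It assumes the `HKLM:` registry provider path for the Tcpip\Parameters key; the `4` in each `=4, value` template line above is the REG_DWORD type code, so every value is written as a DWORD. The function names are this example's own.

```powershell
# Added example: audit (and optionally apply) the section 4.7.1 TCP/IP baseline values.
# Key and value names come from the guide; this script itself is not part of it.
$TcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# Expected values from the policy file. Each template line reads "...\name=4, value";
# the leading 4 is the REG_DWORD type code, so all five are DWORDs.
$Baseline = [ordered]@{
    EnableICMPRedirect  = 0        # do not create host routes from ICMP redirects
    SynAttackProtect    = 1        # faster SYN-ACK retransmission cut-off under SYN attack
    EnableDeadGWDetect  = 0        # never fail over to a backup gateway automatically
    EnablePMTUDiscovery = 0        # fixed packet size; no attacker-forced tiny MTU
    KeepAliveTime       = 300000   # 5 minutes, in milliseconds
}

function Test-TcpipBaseline {
    # Returns one object per baseline value with the live value and a Compliant flag.
    # An absent value leaves the stack on its built-in default and is reported as
    # non-compliant, because the baseline requires each value to be set explicitly.
    $live = Get-ItemProperty -Path $TcpipParams -ErrorAction Stop
    foreach ($name in $Baseline.Keys) {
        $actual = $live.PSObject.Properties[$name].Value
        [pscustomobject]@{
            Name      = $name
            Expected  = $Baseline[$name]
            Actual    = $actual
            Compliant = ($null -ne $actual) -and ([int64]$actual -eq $Baseline[$name])
        }
    }
}

function Set-TcpipBaseline {
    # Writes every non-compliant value as REG_DWORD. TCP/IP parameter changes are read
    # at stack initialization, so a restart is normally needed for them to take effect.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($r in (Test-TcpipBaseline | Where-Object { -not $_.Compliant })) {
        if ($PSCmdlet.ShouldProcess("$TcpipParams\$($r.Name)", "Set DWORD to $($r.Expected)")) {
            Set-ItemProperty -Path $TcpipParams -Name $r.Name -Value $r.Expected -Type DWord
        }
    }
}

# Audit only. Run "Set-TcpipBaseline -WhatIf" to preview remediation before applying it.
Test-TcpipBaseline | Format-Table -AutoSize
```

Run the audit from an elevated session; the Set function supports -WhatIf and -Confirm so the change list can be reviewed before anything is written.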
98 March 2004 Server Policy Files