Windows Server 2003 Recommended Baseline Security
Unclassified ITSG for Windows Server 2003
4.7.1.12 TCPMaxHalfOpenRetired
machine\system\currentcontrolset\services\tcpip\parameters\tcpmaxhalfopenretired=4, 80
The ‘tcpmaxhalfopenretired’ value determines how many connections the server can maintain in the half-open state. The setting ‘80’ initiates SYN attack protection when the state table reaches eighty connections.

4.7.1.13 NoNameReleaseOnDemand (TCP/IP)
machine\system\currentcontrolset\services\tcpip\parameters\nonamereleaseondemand=4, 1
The ‘nonamereleaseondemand’ registry value determines whether a system will release its NetBIOS name to another computer on request. The setting ‘1’ prevents disclosure of NetBIOS information.

4.7.2 AFD.SYS Settings

4.7.2.1 DynamicBacklogGrowthDelta
machine\system\currentcontrolset\services\afd\parameters\dynamicbackloggrowthdelta=4, 10
The ‘dynamicbackloggrowthdelta’ value defines the number of free connections to create when the system deems it necessary. The setting ‘10’ creates ten additional free connections. This setting ensures additional resources are not allocated too quickly, avoiding a potential DoS condition.

4.7.2.2 EnableDynamicBacklog
machine\system\currentcontrolset\services\afd\parameters\enabledynamicbacklog=4, 1
The ‘enabledynamicbacklog’ value enables the dynamic backlog. The setting ‘1’ enables it. This ensures the system manages port resources in a manner that mitigates DoS attacks.

4.7.2.3 MinimumDynamicBacklog
machine\system\currentcontrolset\services\afd\parameters\minimumdynamicbacklog=4, 20
The ‘minimumdynamicbacklog’ value controls the minimum number of free ports on a listening end point. The setting ‘20’ allows a system to create more if fewer than twenty are available. The setting is intended to ensure resources are available and limit the threat of DoS conditions.

4.7.2.4 MaximumDynamicBacklog
machine\system\currentcontrolset\services\afd\parameters\maximumdynamicbacklog=4, 20000
The ‘maximumdynamicbacklog’ value controls the number of ‘quasi-free’ connections allowed on a listening end point. The setting ‘20,000’ is recommended to mitigate a DoS attack. The setting limits the resources allocated to incomplete connections. If creating additional free ports would exceed the value, a system will not be able to maintain additional sessions.
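As an added example (not part of the ITSG document), the following Python script parses the security-template lines listed in 4.7.1.12 through 4.7.2.4, where the ‘4’ after ‘=’ is the REG_DWORD type code and the number after the comma is the data, and reports every value that deviates from the baseline. The host snapshot, its two deliberate deviations and the helper names are assumptions made for the example.

```python
import re

# Security-template ([Registry Values]) lines copied from this section; the
# "4" after "=" is the REG_DWORD type code, the number after the comma the data.
BASELINE_INF = r"""
machine\system\currentcontrolset\services\tcpip\parameters\tcpmaxhalfopenretired=4, 80
machine\system\currentcontrolset\services\tcpip\parameters\nonamereleaseondemand=4, 1
machine\system\currentcontrolset\services\afd\parameters\dynamicbackloggrowthdelta=4, 10
machine\system\currentcontrolset\services\afd\parameters\enabledynamicbacklog=4, 1
machine\system\currentcontrolset\services\afd\parameters\minimumdynamicbacklog=4, 20
machine\system\currentcontrolset\services\afd\parameters\maximumdynamicbacklog=4, 20000
"""

REG_TYPES = {1: "REG_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}
LINE_RE = re.compile(r"^(.*)\\([^\\=]+)=(\d+),(.*)$", re.M)  # key\name=type,data

def parse_template(text):
    """Map (key path, value name) -> (type name, data) for each template line."""
    entries = {}
    for key, name, rtype, data in LINE_RE.findall(text):
        rtype, data = int(rtype), data.strip()
        if rtype == 4:
            data = int(data)              # DWORD data is written in decimal
        entries[(key.lower(), name.lower())] = (REG_TYPES.get(rtype, str(rtype)), data)
    return entries

def check_compliance(baseline, current):
    """Return (value name, expected, actual) per deviation; actual None = not set."""
    findings = []
    for (key, name), (_, expected) in baseline.items():
        actual = current.get((key, name))
        if actual != expected:
            findings.append((name, expected, actual))
    return findings

# Constructed snapshot of one host's current values (hypothetical), with two
# deviations: NoNameReleaseOnDemand is not set and MaximumDynamicBacklog is 1000.
TCPIP = r"machine\system\currentcontrolset\services\tcpip\parameters"
AFD = r"machine\system\currentcontrolset\services\afd\parameters"
CURRENT_HOST = {
    (TCPIP, "tcpmaxhalfopenretired"): 80,
    (AFD, "dynamicbackloggrowthdelta"): 10,
    (AFD, "enabledynamicbacklog"): 1,
    (AFD, "minimumdynamicbacklog"): 20,
    (AFD, "maximumdynamicbacklog"): 1000,
}

def audit_host():
    return check_compliance(parse_template(BASELINE_INF), CURRENT_HOST)
```

On a real host the snapshot would be filled from the registry (for instance from `reg query` output) before calling `check_compliance`.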
100 March 2004 Server Policy Files