Professional Documents
Culture Documents
Learn the registry-settings, before enabling/disabling them. These registry tweaks are for Windows NT4, Windows 2000 and Windows XP. disabling IP Forwarding
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS] "IPENABLEROUTER"=DWORD:00000000
disallow fragmented IP
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\IPFILTERDRIVER\PARAMETERS] "ENABLEFRAGMENTCHECKING"=DWORD:00000001
disabling ICMP-Redirect
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS] "ENABLEICMPREDIRECTS"=DWORD:00000000
enabling TCP/IP-Filtering
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS] "ENABLESECURITYFILTERS"=DWORD:00000001
Winsock Protection
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\AFD\PARAMETERS] "ENABLEDYNAMICBACKLOG"=DWORD:00000020 "MAXIMUMDYNAMICBACKLOG"=DWORD:00020000 "DYNAMICBACKLOGGROWTHDELTA"=DWORD:00000010
Denial-of-Service Protection
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS]
"SYNATTACKPROTECT"=DWORD:00000002 "TCPMAXDATARETRANSMISSIONS"=DWORD:00000003 "TCPMAXHALFOPEN"=DWORD:00000064 "TCPMAXHALFOPENRETRIED"=DWORD:00000050 "TCPMAXPORTSEXHAUSTED"=DWORD:00000001 "TCPMAXCONNECTRESPONERETRANSMISSIONS"=DWORD:00000002 "ENABLEDEADGWDETECT"=DWORD:00000000 "ENABLEPMTUDISCOVERY"=DWORD:00000000 "KEEPALIVETIME"=DWORD:00300000 "ALLOWUNQUALIFIEDQUERY"=DWORD:00000000 "DISABLEDYNAMICUPDATE"=DWORD:00000001
Disable Router-Discovery
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\INTERF ACES] "PERFORMROUTERDISCOVERY"=DWORD:00000000
Disabling DomainMaster
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\BROWSER\PARAMETERS] "MAINTAINSERVERLIST"="No" "ISDOMAINMASTER"="False"
Fix for MS DNS Compatibility with BIND versions earlier than 4.9.4
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\DNS\PARAMETERS] "BINDSECONDARIES"=DWORD:00000001
disabling IP-Source-Routing
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS] "DISABLEIPSOURCEROUTING"=DWORD:0000001
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\RASMAN\PPP] "SECUREVPN"=DWORD:00000001
Printerinstallation only by Admins/Print Operators [HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\PRINT\PROV IDERS\LANMAN PRINT SERVICES\SERVERS] "ADDPRINTDRIVERS"=DWORD:00000001 disabling Administrative Shares NT4.0 Server ($c, $d, $e etc)
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\LANMANSERVER\PARAMETERS ] "AUTOSHARESERVER"=DWORD:00000000
enabling RAS-Logging
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\RASMAN\PARAMETERS] "LOGGING"=DWORD:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA] "RESTRICTANONYMOUS"=DWORD:00000001
After you make your registry tweaks do a Start/Run regedt32/Security/Permissions. Go to the hives you made the changes and set permissions to each key so they can't be changed. I took the time out to individually make these 43 registry tweaks seperatly with there titles into one zip file...Enjoy.. Feel free to add to this thread if you have others not listed here.