
I haven't seen much on Registry Security, so I took the time out to put something together. Important!

Learn the registry settings before enabling/disabling them. These registry tweaks are for Windows NT4, Windows 2000 and Windows XP.

disabling IP Forwarding
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS] "IPENABLEROUTER"=DWORD:00000000

disallow fragmented IP
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\IPFILTERDRIVER\PARAMETERS] "ENABLEFRAGMENTCHECKING"=DWORD:00000001

disabling ICMP-Redirect
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS] "ENABLEICMPREDIRECT"=DWORD:00000000

enabling TCP/IP-Filtering
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS] "ENABLESECURITYFILTERS"=DWORD:00000001

disallow forwarding of fragmented IP-Packets
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\IPFILTERDRIVER\PARAMETERS] "DEFAULTFORWARDFRAGMENTS"=DWORD:00000000

restart if Eventlog fails
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA] "CRASHONAUDITFAIL"=DWORD:00000001

Winsock Protection
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\AFD\PARAMETERS] "ENABLEDYNAMICBACKLOG"=DWORD:00000020 "MAXIMUMDYNAMICBACKLOG"=DWORD:00020000 "DYNAMICBACKLOGGROWTHDELTA"=DWORD:00000010

Denial-of-Service Protection
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS]
"SYNATTACKPROTECT"=DWORD:00000002
"TCPMAXDATARETRANSMISSIONS"=DWORD:00000003
"TCPMAXHALFOPEN"=DWORD:00000064
"TCPMAXHALFOPENRETRIED"=DWORD:00000050
"TCPMAXPORTSEXHAUSTED"=DWORD:00000001
"TCPMAXCONNECTRESPONSERETRANSMISSIONS"=DWORD:00000002
"ENABLEDEADGWDETECT"=DWORD:00000000
"ENABLEPMTUDISCOVERY"=DWORD:00000000
"KEEPALIVETIME"=DWORD:00300000
"ALLOWUNQUALIFIEDQUERY"=DWORD:00000000
"DISABLEDYNAMICUPDATE"=DWORD:00000001

Disable Router-Discovery
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\INTERFACES] "PERFORMROUTERDISCOVERY"=DWORD:00000000

Disabling DomainMaster
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\BROWSER\PARAMETERS] "MAINTAINSERVERLIST"="No" "ISDOMAINMASTER"="False"

Disable Netbios-Name exposing
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\NETBT\PARAMETERS] "NONAMERELEASEONDEMAND"=DWORD:00000001

Fix for MS DNS Compatibility with BIND versions earlier than 4.9.4
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\DNS\PARAMETERS] "BINDSECONDARIES"=DWORD:00000001

disabling Caching of Logon-Credentials (possible also with USRMGR.EXE)
[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON] "CACHEDLOGONSCOUNT"="1"

disabling IP-Source-Routing
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS] "DISABLEIPSOURCEROUTING"=DWORD:00000001

allow only MS CHAP v2.0 for VPN connections
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\RASMAN\PPP] "SECUREVPN"=DWORD:00000001

disabling caching of RAS-Passwords
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\RASMAN\PARAMETERS] "DISABLESAVEPASSWORD"=DWORD:00000001

Printer installation only by Admins/Print Operators
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\PRINT\PROVIDERS\LANMAN PRINT SERVICES\SERVERS] "ADDPRINTERDRIVERS"=DWORD:00000001

disabling Administrative Shares NT4.0 Server ($c, $d, $e etc)
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\LANMANSERVER\PARAMETERS] "AUTOSHARESERVER"=DWORD:00000000

disabling Administrative Shares NT4.0 Workstation ($c, $d, $e etc)
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\LANMANSERVER\PARAMETERS] "AUTOSHAREWKS"=DWORD:00000000

allow only authenticated PPP Clients
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\RASMAN\PPP] "FORCEENCRYPTEDPASSWORD"=DWORD:00000002

enabling RAS-Logging
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\RASMAN\PARAMETERS] "LOGGING"=DWORD:00000001

disabling NTFS 8.3 Namegeneration
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\FILESYSTEM] "NTFSDISABLE8DOT3NAMEGENERATION"=DWORD:00000001

disallow anonymous IPC-Connections
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA] "RESTRICTANONYMOUS"=DWORD:00000001

enabling SMB Signatures (Server)
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\LANMANSERVER\PARAMETERS] "REQUIRESECURITYSIGNATURE"=DWORD:00000001

enabling SMB Signatures (Client)
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\RDR\PARAMETERS] "REQUIRESECURITYSIGNATURE"=DWORD:00000001

NT LSA DoS (Phantom) Vulnerability
[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\AEDEBUG] "AUTO"="0"

MDAC runs in secured [1] / unsecured [0] Mode
[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\DATAFACTORY\HANDLERINFO] "HANDLERREQUIRED"=DWORD:00000001

disable Lan Manager authentication
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA] "LMCOMPATIBILITYLEVEL"=DWORD:00000002
Level 0 - Send LM response and NTLM response; never use NTLMv2
Level 1 - Use NTLMv2 session security if negotiated
Level 2 - Send NTLM response only
Level 3 - Send NTLMv2 response only
Level 4 - DC refuses LM responses
Level 5 - DC refuses LM and NTLM responses (accepts only NTLMv2)

disabling DCOM (possible also with DCOMCNFG.EXE)
[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\OLE] "ENABLEDCOM"="N"

restrict Null-User-/Guest-Access to Eventlog
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\APPLICATION] "RESTRICTGUESTACCESS"=DWORD:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\SECURITY] "RESTRICTGUESTACCESS"=DWORD:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\SYSTEM] "RESTRICTGUESTACCESS"=DWORD:00000001

disable displaying last logged in user
[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON] "DONTDISPLAYLASTUSERNAME"="1"

restrict Floppy-/CD-ROM-access to the currently logged on user
[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON] "ALLOCATEFLOPPIES"="1" "ALLOCATECDROMS"="1"

no Autorun for CD-Rom (1=enabled 0=disabled)
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\CDROM] "AUTORUN"=DWORD:00000000

clear pagefile on shutdown
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\SESSION MANAGER\MEMORY MANAGEMENT] "CLEARPAGEFILEATSHUTDOWN"=DWORD:00000001

enabling Screensaver Lockout
[HKEY_USERS\.DEFAULT\CONTROL PANEL\DESKTOP] "SCREENSAVEACTIVE"="1"

disabling OS/2 Subsystem (if not needed)
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\SESSION MANAGER\SUBSYSTEMS] NAME: OS2

disabling POSIX Subsystem (if not needed)
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\SESSION MANAGER\SUBSYSTEMS] NAME: POSIX

run IIS CGI in the context of "IUSR_computername"
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\W3SVC\PARAMETERS] "CreateProcessAsUser"=dword:00000001

Security Message (Logon)
[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON] "Welcome"=" Unauthorized Access is prohibited "

Policies (1=enabled 0=disabled)
[HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS NT\PROGRAM MANAGER\RESTRICTIONS]
[HKEY_USERS\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS NT\PROGRAM MANAGER\RESTRICTIONS]
[HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM]

enable logging of successful http requests
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\W3SVC\PARAMETERS] "LogSuccessfulRequests"=dword:00000001

disable IIS FTP bounce attack (IIS 2/3)
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\MSFTPSVC\PARAMETERS] "EnablePortAttack"=dword:00000000

enable logging of bad http requests
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\W3SVC\PARAMETERS] "LogErrorRequests"=dword:00000001

After you make your registry tweaks, do a Start/Run regedt32/Security/Permissions. Go to the hives where you made the changes and set permissions on each key so they can't be changed. I took the time out to individually make these 43 registry tweaks separately with their titles into one zip file... Enjoy. Feel free to add to this thread if you have others not listed here.
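An added example, not part of the original post: a PowerShell audit that reads a subset of the values listed above from the local registry and reports each one as OK, DIFFERS or MISSING, so a defender can verify the tweaks actually took effect (and stayed in place) rather than trusting the .reg import. Value names are written in their documented mixed case; the choice of which entries to check, and the MISSING/DIFFERS labels, are mine, and on current Windows some of these keys may be absent or superseded, so MISSING is informational.

```powershell
# Added audit example (not from the original post). Compares a handful of the
# hardening values from the thread against what the local registry holds.
# Assumes a Windows host running PowerShell; run elevated to read HKLM reliably.

$Baseline = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';        Name = 'IPEnableRouter';                 Expected = 0 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';        Name = 'EnableICMPRedirect';             Expected = 0 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';        Name = 'DisableIPSourceRouting';         Expected = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';        Name = 'SynAttackProtect';               Expected = 2 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters';        Name = 'NoNameReleaseOnDemand';          Expected = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                      Name = 'RestrictAnonymous';              Expected = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                      Name = 'LmCompatibilityLevel';           Expected = 2 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Name = 'RequireSecuritySignature';       Expected = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Name = 'AutoShareServer';                Expected = 0 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'; Name = 'ClearPageFileAtShutdown'; Expected = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem';               Name = 'NtfsDisable8dot3NameGeneration'; Expected = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Ole';                                    Name = 'EnableDCOM';                     Expected = 'N' }
)

function Test-RegistryBaseline {
    param([array]$Entries)
    foreach ($e in $Entries) {
        # A missing key or missing value both come back as $null here.
        $item = Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            $status = 'MISSING'
            $actual = $null
        } else {
            $actual = $item.($e.Name)
            # Compare as strings so DWORD 1 and REG_SZ "1" are both handled.
            $status = if ("$actual" -eq "$($e.Expected)") { 'OK' } else { 'DIFFERS' }
        }
        [pscustomobject]@{
            Status   = $status
            Key      = $e.Path
            Value    = $e.Name
            Expected = $e.Expected
            Actual   = $actual
        }
    }
}

Test-RegistryBaseline -Entries $Baseline | Sort-Object Status | Format-Table -AutoSize
```

Pipe the output to `Export-Csv` instead of `Format-Table` when you want to keep a record per host, and re-run it after the regedt32 permission step to confirm nothing drifted.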
