
Customizing a Network Using the Registry, Part 1


DOCUMENT INFORMATION

Basic information

Title: Customizing a network using the registry
School: University of Information Technology
Major: Computer Science
Type: Article
City: Ho Chi Minh City
Pages: 6
Size: 29.29 KB


Customizing a Network Using the Registry

It's impossible to provide a complete reference for all of Windows NT, Windows 2000, Windows XP, and Windows Server 2003 networking in a single chapter (for example, the Resource Kits usually include a comprehensive volume entitled "Windows NT Networking"). This topic certainly deserves a separate book. However, I hope that this chapter helps you to understand how network settings are stored in the registry, and how these settings are related to the data displayed by Control Panel applets. This topic is one of the most interesting ones, and if you explore it, you'll make many discoveries and invent many new ways of customizing network settings.

The remaining sections of this chapter will describe various methods of customizing network settings using the registry.

Securing DNS Servers against DoS Attacks

During the last few years, Denial of Service (DoS) and, especially, Distributed Denial of Service (DDoS) attacks have become the most serious threats to corporate networks. The number of such attacks is growing steadily with time, and currently no one can feel safe and absolutely secure from encountering this threat. Of course, the tips provided here also won't guarantee absolute security against attacks on DNS servers. However, they will serve as good add-ons to your security policy.

Note: Before introducing the registry modifications described below into the configuration of your production servers, it is recommended that you test them in your lab environment.

All registry settings described in this section are located under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters registry key (Fig. 8.28). Notice that if specific parameters are missing from your registry, this means that the system considers them to be set to default values.


Figure 8.28: The HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters registry key

Brief descriptions of these parameters and their recommended values are provided below:

• EnableDeadGWDetect (REG_DWORD data type). The default value (1) enables TCP/IP to switch to a secondary gateway if many connections experience problems. However, when you are under a DoS attack, such behavior is undesirable, since all traffic can be redirected to a gateway that is not constantly monitored. For this reason, set this parameter to 0.

• EnablePMTUDiscovery (REG_DWORD data type). The default value of this parameter enables TCP/IP to determine the Maximum Transmission Unit (MTU) that can be transmitted to the system. This feature is potentially dangerous, since it enables the attacker to bypass your security system or cause it to fail by means of transmitting fragmented traffic. For example, many Intrusion Detection Systems (IDS) are still unable to correctly assemble fragmented IP packets. If you set this parameter to 0, the MTU value will always be equal to 576 bytes.

• KeepAlive (REG_DWORD data type). This parameter specifies how frequently an idle connection on a remote system should be verified. Set the value to 300000.

• SynAttackProtect (REG_DWORD data type). Creating this value will enable you to provide minimum protection against a specific type of DoS attack known as SYN Flood. SYN Flood attacks interfere with the normal acknowledgement handshake between a client and a server. Under normal conditions, this process comprises three stages:

    • The client sends the request to establish a connection to the server (SYN message).

    • The server responds by sending an acknowledgement (SYN-ACK message).

    • The client confirms the reception of the SYN-ACK message by sending an acknowledgement (ACK message).

If your server becomes a target for a SYN Flood attack, it will receive a flood of connection requests, which will gradually prevent it from receiving acknowledgements from clients. Thus, legitimate users will be unable to establish connections. The recommended value for this parameter is 2 (you can also set this value to 1, but this configuration is less efficient).

Securing Terminal Services Connections

Materials provided in this section will certainly prove useful for those who want to improve security when using Remote Desktop for Administration in Windows Server 2003. As was already mentioned earlier in this chapter, this facility is automatically installed on all servers running Windows Server 2003. However, remote administration with this tool is not enabled by default. After it is enabled (see Fig. 8.22), you can use Group Policy or the Terminal Services Configuration tool to further configure Terminal Services. By default, only members of the Administrators group have permission to connect in administrative mode (but they can only connect two at a time). This default security setting is useful. However, there are several additional settings and tools that can be used to improve security, including Group Policy, the local Terminal Server configuration tool, local client settings and, of course, registry editing.

Note: In addition to advice and tips provided here, don't forget about regular system hardening practices and security policies adopted by your company. More detailed information on this topic will be provided in Chapter 9. Furthermore, carefully weigh the benefits provided by enabling remote access for administrative purposes against the potential dangers of exposing the system to additional risks.

To modify the default settings for Remote Desktop, proceed as follows:

1. Open the Control Panel, start Administrative Tools, then select the Terminal Services Configuration option. The Terminal Services Configuration console will open (Fig. 8.29).

Figure 8.29: Configuring an RDP-Tcp connection

2. Right-click the RDP-Tcp connection, then choose the Properties command from the right-click menu.

3. The RDP-Tcp Properties window will open. On the General tab (Fig. 8.30), change the default encryption level to High (the default value is Client compatible). All data that transfers between the client and server will be at the server's highest encryption level. Currently, that is set to 128 bits. The client must be able to use 128 bits or it will not be able to connect.

Figure 8.30: The General tab of the RDP-Tcp Properties window

4. Next, go to the Logon Settings tab (Fig. 8.31) and select the Always prompt for password checkbox. The Remote Desktop connection has a setting that allows the user to save his or her password for the connection. This setting would allow anyone who was able to log on to the local computer to access the remote system through the console. This feature is potentially dangerous, since it might provide an attacker with easy access to remote systems. Setting the Always prompt for password option ensures that the user logs on each time, regardless of the client setting.

Figure 8.31: The Logon Settings tab of the RDP-Tcp Properties window

5. On the Sessions tab (Fig. 8.32), note that by default, user accounts are set to Disconnect from session if a session limit is reached or a connection is broken (the option is grayed out in the figure). This setting is a good idea if system administration tasks are running and a connection is broken as a result of network problems. The task will continue to run while the session is in a disconnected state, and the administrator can reconnect. The alternative, End session, would stop the running process with unpredictable results. Choose the values for the Active session limit and Idle session limit parameters according to the usage of these sessions. Limiting active sessions is probably not a good idea, as it will prevent some administrative chores from getting done. Limiting an idle session is useful. If you are engaged in a session and leave your computer, anyone could use the open session to the server, a session open with administrative privileges. Setting an idle time-out may prevent such an occurrence; at least it will limit exposure. This setting will also help in situations where multiple administrators want to connect. If two administrators are connected yet not using the session, the third administrator cannot connect.

Figure 8.32: The Sessions tab of the RDP-Tcp Properties window

Remote Desktop Port Settings

In contrast to the steps described above, the tweak described in this section can only be accomplished by direct editing of the system registry. In order to allow Remote Desktop to be used over the Internet, TCP port 3389 must be open on the firewall or an alternative port must be assigned to the service. If possible, configure the firewall to allow the 3389 port connection only to an authenticated user. If you will be limiting the number of computers in use, limit the connections to the port on those specific computers. To block connections to that port on sensitive systems, use IPSec.

To change the port used by Remote Desktop, do the following:

1. Open the registry and locate the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp key.

2. Under this key, find the PortNumber value entry, which by default is set to 3389 (Fig. 8.33). Change this value as appropriate (for example, to 8098).
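The following is an added example, not code from the original chapter. It audits a registry export against the Tcpip\Parameters values recommended in the DNS section above and reports the Remote Desktop port from the RDP-Tcp key, so firewall rules can be checked against it. The function names and the sample export are assumptions made for illustration, and the chapter's "KeepAlive" is looked up under the value name KeepAliveTime used in Microsoft's TCP/IP documentation.

```python
import re

TCPIP = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
RDP = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
# Recommended values from the text. The page calls the third one "KeepAlive";
# Microsoft's TCP/IP documentation names the value KeepAliveTime.
RECOMMENDED = {"EnableDeadGWDetect": 0, "EnablePMTUDiscovery": 0,
               "KeepAliveTime": 300000, "SynAttackProtect": 2}

def parse_reg(text):
    """Parse .reg export text into {KEY PATH: {value name: int}}, REG_DWORD values only."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        section = re.fullmatch(r"\[(.+)\]", line)
        value = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{1,8})', line)
        if section:  # key and value names are case-insensitive in the registry
            current = keys.setdefault(section.group(1).upper(), {})
        elif value and current is not None:
            current[value.group(1).lower()] = int(value.group(2), 16)
    return keys

def audit_tcpip(keys):
    """Return {name: finding} for every value that is absent or not at the recommended setting."""
    present, findings = keys.get(TCPIP.upper(), {}), {}
    for name, want in RECOMMENDED.items():
        have = present.get(name.lower())
        if have is None:  # absent value: the system default is in effect
            findings[name] = f"missing, recommended {want}"
        elif have != want:
            findings[name] = f"set to {have}, recommended {want}"
    return findings

def rdp_port(keys):
    """Remote Desktop listening port; 3389 when PortNumber is absent."""
    return keys.get(RDP.upper(), {}).get("portnumber", 3389)

# Constructed sample export, not taken from a real server.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"EnableDeadGWDetect"=dword:00000001
"EnablePMTUDiscovery"=dword:00000000
"SynAttackProtect"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"PortNumber"=dword:00001fa2
'''

if __name__ == "__main__":
    print(audit_tcpip(parse_reg(SAMPLE)), rdp_port(parse_reg(SAMPLE)))
```

Files written by `reg export` are UTF-16, so read them with `open(path, encoding="utf-16")` before passing the text to `parse_reg`.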

Date posted: 07/11/2013, 08:15
