Customizing a Network Using the Registry It's impossible to provide a complete reference for all of Windows NT, Windows 2000, Windows XP, and Windows Server 2003 networking in a single chapter (for example, the Resource Kits usually include a comprehensive volume entitled "Windows NT Networking"). This topic certainly deserves a separate book. However, I hope that this chapter helps you to understand how network settings are stored in the registry, and how these settings are related to the data displayed by Control Panel applets. This topic is one of the most interesting ones, and if you explore it, you'll make many discoveries and invent many new ways of customizing network settings. The remaining sections of this chapter will describe various methods of customizing network settings using the registry. Securing DNS Servers against DoS Attacks During the last few years, Denial of Service (DoS) and, especially, Distributed Denial of Service (DDoS) attacks have become the most serious threats to corporate networks. The number of such attacks is growing steadily with time, and currently no one can feel safe and absolutely secure from encountering this threat. Of course, the tips provided here also won't guarantee absolute security against attacks on DNS servers. However, they will serve as good add-ons to your security policy. Note Before introducing the registry modifications described below into the configuration of your production servers, it is recommended that you test them in your lab environment. All registry settings described in this section are located under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters registry key (Fig. 8.28 ). Notice that if specific parameters are missing from your registry, this means that the system considers them to be set to default values. Figure 8.28: The HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters registry key Brief descriptions of these parameters and their recommended values are provided below:  EnableDeadGWDetect (REG_DWORD data type). The default value (1) enables TCP/IP to switch to a secondary gateway if many connections experience problems. However, in cases when you are under a DoS attack, such behavior is undesirable, since all traffic can be redirected to a gateway that is not constantly monitored. Because of this reason, set this parameter to 0.  EnablePMTUDiscovery (REG_DWORD data type). The default value of this parameter enables TCP/IP to determine Maximum Transmission Unit (MTU) that can be transmitted to the system. This feature is potentially dangerous, since it enables the attacker to bypass your security system or cause it to fail by means of transmitting fragmented traffic. For example, many Intrusion Detection Systems (IDS) are still unable to correctly assemble fragmented IP packets. If you set this parameter to 0, the MTU value will always be equal to 576 bytes.  KeepAlive (REG_DWORD data type). This parameter specifies how frequently an idle connection on a remote system should be verified. Set the value for 300000.  SynAttackProtect (REG_DWORD data type). Creating this value will enable you to provide minimum protection against a specific type of DoS attack known as SYN Flood. SYN Flood attacks interfere with the normal acknowledgement handshake between a client and a server. Under normal conditions, this process comprises three stages:  The client sends the request to establish a connection to the server (SYN message).  The server responds by sending an acknowledgement (SYN-ACK message).  The client confirms the reception of the SYN-ACK message by sending an acknowledgement (ACK message). If your server became a target for a SYN Flood attack, it will receive a flood of connection requests, which will gradually prevent it from receiving acknowledgements from clients. Thus, legitimate users will be unable to establish connections. The recommended value for this parameter is 2 (you can also set this value to 1, but this configuration is less efficient). Securing Terminal Services Connections Materials provided in this section will certainly prove useful for those who want to improve security when using Remote Desktop for Administration in Windows Server 2003. As was already mentioned earlier in this chapter, this facility is automatically installed on all servers running Windows Server 2003. However, remote administration with this tool is not enabled by default. After it is enabled (see Fig. 8.22 ), you can use Group Policy or the Terminal Services Configuration tool to further configure Terminal Services. By default, only members of the Administrators group have permission to connect in administrative mode (but they can only connect two at a time). This default security setting is useful. However, there are several additional settings and tools that can be used to improve security, including Group Policy, the local Terminal Server configuration tool, local client settings and, of course, registry editing. Note In addition to advice and tips provided here, don't forget about regular system hardening practices and security policies adopted by your company. More detailed information on this topic will be provided in Chapter 9 . Furthermore, carefully weigh the benefits provided by enabling remote access for administrative purposes to potential dangers of exposing the system to additional risks. To modify the default settings for Remote Desktop, proceed as follows: 1. Open the Control Panel, start Administrative Tools, then select the Terminal Services Configuration option. The Terminal Services Configuration console will open (Fig. 8.29 ). Figure 8.29: Configuring a RDP-Tcp connection 2. Right-click the RDP-Tcp connection, then choose the Properties command from the right-click menu. 3. The RDP-Tcp Properties window will open. On the General tab (Fig. 8.30 ), change the default encryption level to High (the default value is Client compatible). All data that transfers between the client and server will be at the server's highest encryption level. Currently, that is set to 128 bits. The client must be able to use 128 bits or it will not be able to connect. Figure 8.30: The General tab of the RDP-Tcp Properties window 4. Next, go to the Logon Settings tab (Fig. 8.31 ) and set the Always prompt for password checkbox. The Remote Desktop connection has a setting that allows the user to save his or her password for the connection. This setting would allow anyone who was able to log on to the local computer to access the remote system through the console. This feature is potentially dangerous, since it might provide an attacker with easy access to remote systems. Setting the Always prompt for password option ensures that the user logs on each time, regardless of the client setting. Figure 8.31: The Logon Settings tab of the RDP-Tcp Properties window 5. On the Sessions tab (Fig. 8.32 ), note that by default, user accounts are set to Disconnect from session if a session limit is reached or a connection is broken (the option is grayed out in the figure). This setting is a good idea if system administration tasks are running and a connection is broken as a result of network problems. The task will continue to run while the session is in a disconnected state, and the administrator can reconnect. The alternative, End session, would stop the running process with unpredictable results. Figure the values for Active session limit and Idle session limit parameters according to the usage of these sessions. Limiting active sessions is probably not a good idea, as it will prevent some administrative chores from getting done. Limiting an idle session is useful. If you are engaged in a session and leave your computer, anyone could use the open session to the server — a session open with administrative privileges. Setting an idle time-out may prevent such an occurrence; at least it will limit exposure. This setting will also help in situations where multiple administrators want to connect. If two administrators are connected yet not using the session, the third administrator cannot connect. Figure 8.32: The Sessions tab of the RDP-Tcp Properties window Remote Desktop Port Settings In contrast to the steps described above, the tweak described in this section can only be accomplished by direct editing of the system registry. In order to allow the Remote Desktop use over the Internet, TCP port 3389 must be open on the firewall or an alternative port must be assigned to the service. If possible, configure the firewall to allow the 3389 port connection only to an authenticated user. If you will be limiting the number of computers in use, limit the connections to the port on those specific computers. To block connections to that port on sensitive systems, use IPSec. To change the port used by Remote Desktop, do the following: 1. Open the registry and locate the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TerminalServe r\WinStations\RDP-Tcp key. 2. Under this key, find the PortNumber value entry, which by default is set to 3389 (Fig. 8.33 ). Change this value as appropriate (for example, to 8098). . change the default encryption level to High (the default value is Client compatible). All data that transfers between the client and server will be at the. as a result of network problems. The task will continue to run while the session is in a disconnected state, and the administrator can reconnect. The alternative,