TCP/IP Settings:
1. TCP/IP security policy (TCP/IP filtering)
Features: simple and convenient; integrated into the system; can be configured per network card.
Disadvantages: not flexible; it is an allow-list only (ports can be permitted, not explicitly denied).
Its allow/deny semantics also differ from those of a firewall or IDS:
if a port is not in the permitted list, a service cannot listen (bind) on that port,
but outbound communication is still possible, which a firewall or IDS would not permit.
Example (consult the ports used by each service/application):
TCP allow: 2433, 5631 (pcAnywhere);
UDP allow: 5632 (pcAnywhere);
IP protocols: 6 (TCP), 17 (UDP).
2. Remove unnecessary network services
3. Do not bind NetBIOS to TCP/IP
4. Disable IP forwarding
5. TCP/IP registry settings (the Location lines below are relative to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services)
SynAttackProtect
Location: Tcpip\Parameters
Type: REG_DWORD
Value Range: 0, 1, 2
0: no protection.
1: once the TcpMaxHalfOpen and TcpMaxHalfOpenRetried thresholds are exceeded, SYN-ACK retransmissions are reduced and creation of the route cache entry (RCE) is delayed.
2: as for 1, and in addition the connection indication to Winsock is delayed until the three-way handshake completes.
Note: while the system considers itself under attack, the following socket options cannot be honoured: scalable windows (RFC 1323)
and the per-interface TCP parameters (initial RTT, window size). This is because, with protection active,
the route cache entry is not queried and the Winsock options are not available before the SYN-ACK is sent.
Default Value: 0 (False)
Recommended Value: 2
(SYN-attack protection reduces the number of SYN-ACK retransmissions so that the resources held by half-open connections are released sooner,
and route cache entry creation is delayed until the connection is established. With SynAttackProtect set to 2, the indication to AFD is also delayed
until the three-way handshake is complete. Note that this protection only engages once the TcpMaxHalfOpen and TcpMaxHalfOpenRetried
values are exceeded.)
TcpMaxHalfOpen
Location: Tcpip\Parameters
Type: REG_DWORD
Range: 100-0xFFFF
Default Value: 100 (Professional, Server), 500 (Advanced Server)
Recommended Value: default setting
(This parameter controls how many connections may sit in the SYN-RCVD state before SYN-attack protection engages.
If SynAttackProtect is set to 1, make sure this value is smaller than the AFD Backlog parameter (see the AFD Backlog parameters).)
TcpMaxHalfOpenRetried
Location: Tcpip\Parameters
Type: REG_DWORD
Value Range: 80-0xFFFF
Default Value: 80 (Professional, Server), 400 (Advanced Server)
Recommended Value: default setting
(This parameter controls how many connections may sit in the SYN-RCVD state with at least one SYN-ACK retransmission already attempted
before SYN-attack protection engages.)
EnablePMTUDiscovery
Location: Tcpip\Parameters
Type: REG_DWORD (Boolean)
Value Range: 0, 1 (False, True)
Default Value: 1 (True)
Recommended Value: 0
Note: when set to 1, the system tries to discover the maximum MTU along the path to each destination. When set to 0, the system
uses a fixed MTU of 576 bytes for destinations that are not on the local network (an attacker can no longer force a tiny MTU through forged ICMP messages).
NoNameReleaseOnDemand
Location: NetBT\Parameters
Type: REG_DWORD
Value Range: 0, 1 (False, True)
Default Value: 0 (False)
Recommended Value: 1
Note: this parameter determines whether the system releases its NetBIOS name when it receives a name-release request from the network.
Setting it to 1 prevents a malicious user from forcing the host to give up its name (a NetBIOS name-release denial of service).
EnableDeadGWDetect
Location: Tcpip\Parameters
Type: REG_DWORD
Value Range: 0, 1 (False, True)
Default Value: 1 (True)
Recommended Value: 0
Note: when set to 1, TCP performs dead-gateway detection; if the default gateway is judged dead, the backup gateway takes its place.
Backup gateways are configured under "Advanced" in the TCP/IP protocol properties. Disabling this prevents an attacker from forcing a switch to a different gateway.
KeepAliveTime
Location: Tcpip\Parameters
Type: REG_DWORD (milliseconds)
Range: 1-0xFFFFFFFF
Default: 7,200,000 (two hours)
Recommended Value: 300,000
Note: this parameter controls how often TCP sends a keep-alive packet on an idle connection to verify that the connection
is still alive. If the remote system is still up, it acknowledges the keep-alive. Keep-alive packets are not sent by default;
an application must request them on its socket for this setting to apply.
PerformRouterDiscovery
Location: Tcpip\Parameters\Interfaces\<interface> (one value per network interface)
Type: REG_DWORD
Value Range: 0, 1, 2
0: disabled
1: enabled
2: enabled only if DHCP sends the router discovery option
Default Value: 2
Recommended Value: 0
Description: determines whether ICMP router discovery (RFC 1256) is performed, which would let an attacker inject a rogue default gateway.
EnableICMPRedirects
Location: Tcpip\Parameters
Type: REG_DWORD
Value Range: 0, 1 (False, True)
Default Value: 1 (True)
Recommended Value: 0 (False)
Note: controls whether the system modifies its routing table when it receives an ICMP redirect message from a network device.
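The following script is an added example, not part of the original guide: it applies the recommended values from item 5 above (SynAttackProtect, EnablePMTUDiscovery, EnableDeadGWDetect, KeepAliveTime, EnableICMPRedirects, NoNameReleaseOnDemand, and PerformRouterDiscovery on every interface) and reports what changed. TcpMaxHalfOpen and TcpMaxHalfOpenRetried are left at their defaults, as the guide recommends. It assumes a Windows host with the Tcpip and NetBT parameter keys present and must be run from an elevated PowerShell prompt; the `-WhatIf` switch previews the changes without writing anything.

```powershell
# Added example: apply the TCP/IP hardening values listed in item 5.
# Assumes: Windows host, elevated prompt. A reboot is needed for the
# TCP/IP driver to pick the new values up.
#Requires -RunAsAdministrator

$TcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$NetbtParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'

# Recommended values exactly as stated in the guide (all REG_DWORD).
$Baseline = @(
    @{ Path = $TcpipParams; Name = 'SynAttackProtect';      Value = 2 }
    @{ Path = $TcpipParams; Name = 'EnablePMTUDiscovery';   Value = 0 }
    @{ Path = $TcpipParams; Name = 'EnableDeadGWDetect';    Value = 0 }
    @{ Path = $TcpipParams; Name = 'KeepAliveTime';         Value = 300000 }
    @{ Path = $TcpipParams; Name = 'EnableICMPRedirects';   Value = 0 }
    @{ Path = $NetbtParams; Name = 'NoNameReleaseOnDemand'; Value = 1 }
)

# PerformRouterDiscovery is per interface: add one entry for every
# subkey under Parameters\Interfaces.
Get-ChildItem -Path "$TcpipParams\Interfaces" | ForEach-Object {
    $Baseline += @{ Path = $_.PSPath; Name = 'PerformRouterDiscovery'; Value = 0 }
}

function Set-TcpipHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [hashtable[]] $Settings)

    foreach ($s in $Settings) {
        # Read the current value; $null if the value does not exist yet.
        $current = (Get-ItemProperty -Path $s.Path -Name $s.Name `
                        -ErrorAction SilentlyContinue).($s.Name)

        $changed = $false
        if ($current -ne $s.Value) {
            if ($PSCmdlet.ShouldProcess("$($s.Path)\$($s.Name)",
                                        "Set REG_DWORD to $($s.Value)")) {
                # -Force creates the value if missing or overwrites it,
                # and guarantees the DWORD type the driver expects.
                New-ItemProperty -Path $s.Path -Name $s.Name `
                    -PropertyType DWord -Value $s.Value -Force | Out-Null
            }
            $changed = $true
        }

        [pscustomobject]@{
            Name    = $s.Name
            Path    = $s.Path -replace '^.*::', ''
            Was     = $current
            Now     = $s.Value
            Changed = $changed
        }
    }
}

# Preview with -WhatIf first; drop it to apply.
Set-TcpipHardening -Settings $Baseline -WhatIf |
    Format-Table Name, Was, Now, Changed -AutoSize
```

Two practical caveats: the guide targets the Windows NT 4.0 / 2000 TCP/IP stack, and the rewritten stack shipped with Windows Vista and Server 2008 ignores SynAttackProtect, TcpMaxHalfOpen and TcpMaxHalfOpenRetried (SYN-flood protection is always on there), so on newer hosts the script writes those values harmlessly but they have no effect. KeepAliveTime only matters for sockets that request keep-alives, so lowering it does not by itself add traffic.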
System settings
1. Use the NTFS file system
Use the CONVERT command to convert a volume to NTFS:
CONVERT volume /FS:NTFS [/V]
2. Disable NTFS 8.3 (short) file name creation
NtfsDisable8dot3NameCreation
Location: HKEY_LOCAL_MACHINE\SYSTEM
Key: CurrentControlSet\Control\FileSystem
Type: REG_DWORD
Value Range: 0, 1 (False, True)
Default Value: 0 (False)
Recommended Value: 1 (True)
3. Remove the OS/2 and POSIX subsystems
Location: HKEY_LOCAL_MACHINE\SOFTWARE
Key: Microsoft\OS/2 Subsystem for NT
Operation: delete all subkeys
Location: HKEY_LOCAL_MACHINE\SYSTEM
Key: CurrentControlSet\Control\Session Manager\Environment
Name: Os2LibPath
Operation: delete the Os2LibPath value
Location: HKEY_LOCAL_MACHINE\SYSTEM
Key: CurrentControlSet\Control\Session Manager\SubSystems
Operation: delete the Optional, Posix and Os2 values
4. Disable LanManager authentication
Windows NT Server with Service Pack 4 and later supports three different authentication methods:
- LanManager (LM) authentication;
- Windows NT (also called NTLM) authentication;
- Windows NT version 2.0 (also called NTLMv2) authentication.
By default, a client connecting to a server sends both the LM and the NTLM response, so a server that supports both
can accept the weak LM response. For security reasons, we recommend disabling LM authentication:
1. Open the Registry Editor;
2. Locate HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa;
3. Select "Edit" and then "Add Value" from the menu;
4. Enter LMCompatibilityLevel as the value name with type DWORD, then click OK;
5. Double-click the new value and set it as needed:
0 - Send LM and NTLM responses;
1 - Send LM and NTLM responses, using NTLMv2 session security if negotiated;
2 - Send only the NTLM response;
3 - Send only the NTLMv2 response; (Windows 2000)
4 - Send only the NTLMv2 response; the domain controller refuses LM; (Windows 2000)
5 - Send only the NTLMv2 response; the domain controller refuses LM and NTLM; (Windows 2000)
6. Close the Registry Editor;
7. Restart the machine.
For more information, see: http://support.microsoft.com/support/kb/articles/q147/7/06.asp
5. Deny Guest access to the event logs
Event logs may contain sensitive information. By default, Guests and anonymous users can
view the event logs, so Guest and anonymous access to the event logs must be disabled:
1. Open the Registry Editor;
2. Locate HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog;
3. Select the Application subkey;
4. Select "Edit" and then "Add Value" from the menu;
5. Enter RestrictGuestAccess as the value name with type DWORD, then click OK;
6. Double-click the new value and set it to 1;
7. Repeat steps 4-6 for the Security and System subkeys.
6. Remove the default administrative shares
Location: HKEY_LOCAL_MACHINE\SYSTEM
Key: CurrentControlSet\Services\LanmanServer\Parameters
Name: AutoShareServer
Type: REG_DWORD
Value: 0
7. Do not display the last logged-on user name
Location: HKEY_LOCAL_MACHINE\SOFTWARE
Key: Microsoft\Windows NT\CurrentVersion\Winlogon
Name: DontDisplayLastUserName
Type: REG_SZ
Value: 1
8. Set a minimum password length.
9. Password complexity requirements
Windows NT 4.0 Service Pack 2 and later include a password filter DLL (Passfilt.dll) that enforces stronger
passwords. Passfilt.dll raises the bar against password guessing and dictionary attacks by requiring that:
- the password is at least 6 characters long (a larger value set in the domain "Password Policy" further raises the minimum length);
- the password contains characters from at least three of the following four classes:
  - English upper-case letters A-Z
  - English lower-case letters a-z
  - Arabic numerals 0-9
  - non-alphanumeric characters ("special characters"), such as punctuation marks
- the password does not contain any part of the user name or full name.
To use Passfilt.dll, the administrator must register the password filter DLL in the registry of every domain controller:
1. Open the Registry Editor (regedt32.exe, not regedit.exe);
2. Locate HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa;
3. Double-click "Notification Packages";
4. Add PASSFILT on a new line (the value may already contain other entries such as FPNWCLNT; keep them), then click OK;
5. Close the Registry Editor;
6. Restart the machine.
Passwords set by an administrator in User Manager for Domains are not checked by this filter.
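The script below is an added example, not part of the original guide. It audits the registry-based items 2, 4, 5, 6 and 7 of this section against the recommended values (and can write them with `-Fix`), and it shows the one step that is easy to get wrong in item 9: appending PASSFILT to the REG_MULTI_SZ "Notification Packages" value without overwriting entries such as FPNWCLNT that are already present. It assumes an elevated PowerShell prompt on an NT-family host; the LMCompatibilityLevel check treats level 2 or higher as compliant, since from level 2 upward the client no longer sends an LM response, and the `$Checks` table and function names are this example's own.

```powershell
# Added example: audit (and optionally fix) the registry items from
# "System settings" and register Passfilt.dll safely.
# Assumes: NT-family Windows host, elevated prompt. Nothing is written
# unless -Fix is supplied.
#Requires -RunAsAdministrator

$Lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$EventLog = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog'
$Lanman   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$FileSys  = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'

# Expected values as stated in the guide. LMCompatibilityLevel is checked
# with ">=": 2 is the lowest level that never sends an LM response.
$Checks = @(
    @{ Path = $FileSys;  Name = 'NtfsDisable8dot3NameCreation'; Expect = 1;   Type = 'DWord'  }
    @{ Path = $Lsa;      Name = 'LMCompatibilityLevel';         Expect = 2;   Type = 'DWord'  }
    @{ Path = $Lanman;   Name = 'AutoShareServer';              Expect = 0;   Type = 'DWord'  }
    @{ Path = $Winlogon; Name = 'DontDisplayLastUserName';      Expect = '1'; Type = 'String' }
)
foreach ($log in 'Application', 'Security', 'System') {
    $Checks += @{ Path = "$EventLog\$log"; Name = 'RestrictGuestAccess'; Expect = 1; Type = 'DWord' }
}

function Test-SystemHardening {
    param([Parameter(Mandatory)] [hashtable[]] $Checks, [switch] $Fix)

    foreach ($c in $Checks) {
        $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name `
                       -ErrorAction SilentlyContinue).($c.Name)

        $ok = if ($c.Name -eq 'LMCompatibilityLevel') {
            [int]$actual -ge $c.Expect          # $null casts to 0 -> fails
        } else {
            "$actual" -eq "$($c.Expect)"        # compare as strings: REG_SZ "1" vs DWORD 1
        }

        if (-not $ok -and $Fix) {
            New-ItemProperty -Path $c.Path -Name $c.Name -PropertyType $c.Type `
                -Value $c.Expect -Force | Out-Null
        }

        [pscustomobject]@{
            Name      = $c.Name
            Path      = $c.Path
            Actual    = $actual
            Expected  = $c.Expect
            Compliant = $ok
        }
    }
}

function Add-NotificationPackage {
    # Item 9 step 4: append a package to Lsa\"Notification Packages"
    # (REG_MULTI_SZ) while preserving existing entries such as FPNWCLNT.
    param([string] $Package = 'PASSFILT', [switch] $Fix)

    $existing = @((Get-ItemProperty -Path $Lsa -Name 'Notification Packages' `
                       -ErrorAction SilentlyContinue).'Notification Packages' |
                  Where-Object { $_ })          # drop $null when the value is absent

    if ($existing -contains $Package) {
        return "$Package already registered: $($existing -join ', ')"
    }
    $merged = [string[]]($existing + $Package)
    if ($Fix) {
        Set-ItemProperty -Path $Lsa -Name 'Notification Packages' `
            -Value $merged -Type MultiString
    }
    return "Notification Packages -> $($merged -join ', ')"
}

Test-SystemHardening -Checks $Checks |
    Format-Table Name, Actual, Expected, Compliant -AutoSize
Add-NotificationPackage -Package 'PASSFILT'
```

Run it without `-Fix` first and review the drift, then re-run with `-Fix` and reboot so LSA reloads the notification packages. On Windows 2000 and later, Passfilt.dll is superseded by the built-in "Passwords must meet complexity requirements" policy, and raising LMCompatibilityLevel on a server will lock out any remaining clients that can only produce LM responses, so check the client population before going above level 2.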
10. Run the SYSKEY tool to enable strong encryption of the account database (SAM).
Run the command: syskey
11. Rename the Administrator account
12. Enable network lockout of the Administrator account
passprop /complex /adminlockout
13. Deny unauthorized (anonymous) users remote access to the registry
Location: HKEY_LOCAL_MACHINE\SYSTEM
Key: CurrentControlSet\Control\SecurePipeServers
Name: winreg (the permissions on this key determine who may connect to the registry remotely)
14. Deny access to the Anonymous account (null session)
Prevents user and share names from being enumerated anonymously. This setting is available from Service Pack 3 onward.
Location: HKEY_LOCAL_MACHINE\SYSTEM
Key Value: CurrentCon