Server Security Settings (4)

2. Do not Display the Don't Display Last User Name string in the HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsNTCurrentVersionwinlogon item to 1, so that the system will not automatically Display the Last User Name. Set the server registry HKEY_LOCAL _ MACHINESOFTWAREMicrosoft
Change the Dont Display Last User Name string in the WindowsNTCurrentVersionWinlogon item to 1 to hide the User Name of the Last logon console. This option also exists in the 2000 Local Security Policy.
Modify the Registry in Winnt4.0:
Add DontDisplayLastUserName to HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrent VersionWinlogon and set the value to 1.

2. DoS prevention:

Modify the following values in the Registry HKLMSYSTEMCurrentControlSetServicesTcpipParameters to help you defend against DoS attacks of a certain intensity: SynAttackProtect REG_DWORD 2
EnablePMTUDiscovery REG_DWORD 0 NoNameReleaseOnDemand REG_DWORD 1
EnableDeadGWDetect REG_DWORD 0 KeepAliveTime REG_DWORD 300,000
Invalid mrouterdiscovery REG_DWORD 0 EnableICMPRedirects REG_DWORD 0

How To Disable ICMP (Ping) in Win2000)

3. ICMP attacks
The full name of ICMP is Internet Control and Message Protocal, that is, Internet Control Message/error Message protocol. This protocol is mainly used to transmit error information and Control information, for example, the well-known Ping and Tracert tools use the ECHO request packet in ICMP protocol (the icmp echo type 8 code 0 and the icmp echoreply Type 0 code 0 ).

The ICMP protocol has a characteristic that it is connectionless. That is to say, as long as the sender completes the encapsulation of the ICMP packet and passes it to the router, the packet will look for the destination address like a package, this feature makes the ICMP protocol flexible and fast, but it also brings a fatal defect-it is easy to forge (the mail address on the package can be written at will ), anyone can forge an ICMP packet and send it out. The spoofer can use SOCK_RAW programming to directly rewrite the ICMP and IP headers of the packet. The source address carried by such a packet is forged, it cannot be traced at the target end. (If attackers are not afraid of being caught, is there no fear ?) According to this principle, a lot of ICMP-based attack software appeared outside, and ICMP storms were caused by network architecture defects, and extremely large packets were used to block the network, some attacks use ICMP fragments to consume the server's CPU. If the ICMP protocol is used for communication, you can create a trojan that does not require any TCP/UDP ports. (For more information, see section 3. Unveil the secrets of a Trojan )...... since the ICMP protocol is so dangerous, why don't we turn it off?

We all know that Win2000 has a TCP/IP filter in the network attribute. Let's see if we can turn the ICMP protocol off here, right-click network neighbor on the desktop-> properties-> right-click the network adapter you want to configure-> properties-> TCP/IP-> advanced-> options-> TCP/IP filtering, here there are three filters: TCP port, UDP port, and IP protocol. We first allow TCP/IP filtering, and then configure them one by one. First, we start with TCP port, and click "only allow ", add the port you need to open below. Generally, the WEB server only needs to open 80 (www), the FTP server needs to open 20 (FTP Data), and 21 (FTP Control ), the email server may need to open 25 (SMTP), 110 (POP3), and so on ...... the next step is UDP. UDP and ICMP are based on no links and are also prone to forgery. Therefore, if it is not necessary (for example, to provide DNS services from UDP), you should choose not to allow all of them, avoid flooding or Fragment attacks. The rightmost editing box defines IP protocol filtering. We choose to allow only the TCP protocol to pass and add a 6 (6 is the TCP code in the IP protocol, IPPROTO_TCP = 6 ), in principle, UDP or ICMP cannot pass the TCP protocol only. Unfortunately, the IP protocol filtering here refers to the narrow IP protocol, in terms of architecture, although the ICMP protocol and IGMP protocol are both affiliated to the IP protocol, the ICMP/IGMP protocol and the IP Protocol share the same layer from the layer-7 structure, therefore, Microsoft's IP protocol filtering does not include ICMP. That is to say, even if you set "only allow TCP protocol to pass", ICMP packets can still pass normally, therefore, if we want to filter the ICMP protocol, we need to find another method.

When we were filtering TCP/IP, there was another option: IP Security. Our idea of filtering ICMP was about to fall into it.

Open the Local Security Policy and select the IP Security Policy. Here we can define our own IP Security Policy. An IP Security filter consists of two parts: the filter policy and the filter operation. The filter policy determines which packets should be concerned by the filter, the filtering operation determines whether the filter is "Allowed" or "REJECTED. To create an IP Security filter, you must create your own filter policy and filter operation: Right-click the local IP Security Policy and choose manage IP Filter, create a new filter rule in the IP Filter management list: ICMP_ANY_IN. Select any IP address from the source address, select the local IP address, and switch to the management filter when the protocol type is ICMP, add an operation named Deny. The operation type is Block ). In this way, we have a filtering policy that follows all incoming ICMP packets and discards all packets. Note that there is an image selection in the address option. If you select an image, a symmetric Filtering Policy will be created, that is, when you follow any IP-> my IP, because of the role of the image, you actually pay attention to my IP-> any IP at the same time, you can choose or discard the image as needed. Right-click the IP security policy of the Local Machine, select new IP Filter policy, and create a Filter named ICMP Filter. In the Add Filter rule wizard, we specify the ICMP_ANY_IN Filter policy that we just defined to ICMP Filter, select the Deny operation we just defined in the Operation box, exit the wizard window, right-click ICMP Filter, and enable it, the ICMP packets entered by any address are discarded.

Although IP sec can be used to filter ICMP packets, the operation is too troublesome. If you only need to filter specific ICMP packets, some common packets (such as inaccessible hosts and inaccessible networks) must be retained, so the IP sec policy cannot cope with the problem, we can use another powerful tool Routing and Remote Access Control (Routing & Remote Access) of Win2000 to complete these complex filtering operations.

Routing and Remote Access control is a tool used by Win2000 to manage route tables, configure VPN, control remote access, and filter IP packets. It is not installed by default, so you must first enable it, open "Administrative Tools"-> "Routing and Remote Access", right-click the server (if not, add the Local Machine), and select "configure and enable Routing and Remote Access ", in this case, the Configuration Wizard will let you select the type of server. Generally, if you do not need to configure the VPN Server, select "manual configuration". After the configuration is complete, an IP Route Option will appear under the host. In "General", select the NIC you want to configure (if you have multiple NICs, you can choose to disable an ICMP Nic ), click "input filter" in the NIC attribute to add a filter policy "from: ANY to: ANY Protocol: ICMP Type: 8: encoding discard (Type 8 encoding 0 is the ICMP_ECHO packet used by Ping. to filter all ICMP packets, you only need to set the type and encoding to 255)

A careful friend may have just discovered that there is a "fragment check" function under the input and output filters. This function is used to cope with IP Fragment attacks, this is beyond the scope discussed in this article. I will continue to discuss it with you in the following article about denial of service attacks. Win2000 Routing and Remote Access is a powerful tool set.

4. change some default values of windows (for example, TTL value of data packets). Different systems have different values, experienced users can determine the operating system used by the other party based on different TTL values (for example, the default value of windows 2000 is 128). I will change it to see how it works)

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesTcpipParameters

DefaultTTL REG_DWORD 0-0xff (0-255 decimal, default value: 128)

Description: Specifies the default TTL value set in outgoing IP packets. TTL determines the arrival of IP packets.
The maximum time for the target to survive in the network. It actually limits the routes that allow IP packets to pass before they are discarded.
Number of machines. This value is sometimes used to detect remote host operating systems.

5. Prevent ICMP redirection packet attacks
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesTcpipParameters

EnableICMPRedirects REG_DWORD 0x0 (default value: 0x1)

Note: This parameter controls whether Windows 2000 will change its route table to respond to ICMP redirection messages sent to a network device (such as a vro), which is sometimes exploited to do bad things. in Win2000, the default value is 1, indicating that the ICMP redirection packet is returned.

6. Disable response to ICMP route notification packets
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesTcpipParametersInterfacesinterface
Invalid mrouterdiscovery REG_DWORD 0x0 (default value: 0x2)

Note: The "ICMP route announcement" function can cause network connection exceptions, data eavesdropping, and traffic attacks on other computers. this problem has led to some large area networks on the campus network, resulting in a long network exception. therefore, we recommend that you disable the ICMP route notification message. the default value of Win2000 is 2, indicating that it is enabled when DHCP sends the router discovery option.

7. Prevent SYN flood attacks
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesTcpipParameters

SynAttackProtect REG_DWORD 0x2 (default value: 0x0)

(SYN Attack Protection includes reducing the number of SYN-ACK re-transmission, to reduce the allocation of resources reserved when)
. Route cache item Resource Allocation delay until connection is established. If synattackprotect = 2,
The AFD connection indication is delayed until the three-way handshake is completed. Note that only
When the TcpMaxHalfOpenRetried setting is out of the range, the protection mechanism takes measures.

8. Disable default sharing for category C $ and D $.
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServiceslanmanserverparameters

AutoShareServer, REG_DWORD, 0x0

9. Disable ADMIN $ default sharing
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServiceslanmanserverparameters
Autoscaling wks, REG_DWORD, 0x0
10. Restrict IPC $ default sharing
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlLsa

Restrictanonymous REG_DWORD 0x0 default
0x1 anonymous users cannot list local users
0x2 anonymous users cannot connect to the local IPC $ share
Note: 2 is not recommended; otherwise, some of your services may fail to start, such as SQL Server.

11. IGMP protocol not supported
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesTc