Windows 2000/3 Registry Hacks - Security
A security hack may be a contradiction in terms! However, several
clients asked me to research
registry changes so that they can tighten up network security.
Sometimes you want to make Windows 2000/3 more secure but there is no icon
to configure the feature you want. So you need to go to the registry
and change the setting. The two built-in registry editors are Regedit
and Regedt32. The main difference is that Regedt32 has a Security tab so
that you can set permissions.
The purpose of this tip is to stop machines saving the weak NTLM hash in
their registry, where it could then be attacked. You may ask, 'How will logon
work if you disable this feature?' The answer is that XP, .NET and Windows
2000 use a separate Kerberos security system; this NTLM hash is only there for
backwards compatibility with SAM databases in NT. Its purpose is to
enable users on Windows 2000 to log on to NT domains.
For Windows 2000, locate and click the following key in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
From the Edit menu, click Add Key, and then add the following registry key:
NoLMHash. Set NoLMHash = 1.
In XP: Value name: NoLMHash, Data type: REG_DWORD, Radix: Decimal, Value data: 1
Denial of Service attacks are difficult to defend against. One approach
is to harden the TCP/IP stack on a Windows 2000 server or workstation so that
it is better able to withstand DoS attacks.
By default, the TCP/IP stack is configured to handle normal traffic and to be
robust under normal working conditions. If a Windows 2000 server or workstation
is going to be exposed to the Internet, the TCP/IP stack should be reconfigured
to handle the various TCP/IP protocol attacks.
All of the TCP/IP parameters are located under the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
SynAttackProtect
Key: Tcpip\Parameters
Value Type: REG_DWORD—Boolean
Valid Range: 0, 1, 2
Default: 0
When enabled, this parameter causes TCP to adjust the retransmission of
SYN-ACKs so that connection responses time out more quickly if it appears
that a SYN attack is in progress. This determination is based on the
TcpMaxPortsExhausted parameter.
Parameters:
0: Default value - normal protection against SYN attacks.
1: Better protection - causes TCP to adjust the retransmission of
SYN-ACKs so that connection responses time out more quickly if it appears
that a SYN attack is in progress. This determination is based on
TcpMaxPortsExhausted, TCPMaxHalfOpen and TCPMaxHalfOpenRetried.
2: Best protection - adds additional delays to connection indications so that
TCP connection requests time out quickly when a SYN attack is in progress. This
is the recommended setting. Note: when using this setting, the following socket
options will no longer work: scalable windows (RFC 1323) and per-adapter
configured TCP parameters (initial RTT, window size).
To enable the Security tab to appear in Exchange 2000, you need to add this to
the registry:
HKey_Current_User\Software\Microsoft\Exchange\ExAdmin\ShowSecurityPage=dword:00000001
Note: Unusually, ShowSecurityPage is a DWORD not a string value.
Note for newcomers: the values are not case sensitive.
HKey_Current_User is often abbreviated to HKCU.
- Use the REGISTRY Export setting as a precaution before you make changes.
- If you are following advice, check whether it says ADD or Change.
- If you have to ADD a value, double-check what type is expected, e.g. REG_SZ
or DWORD.
- Practice remote registry editing to prepare for an emergency.
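Since the checklist recommends exporting the registry before you change it, an export is also a convenient thing to audit afterwards. The following script is an added example (not from the original article) that parses the text of a Regedit export (REGEDIT4 or "Windows Registry Editor Version 5.00" format) and checks the two hardening settings described above: NoLMHash (accepting either the Windows 2000 subkey form or the XP REG_DWORD value form) and SynAttackProtect at the recommended value of 2. The key paths and value names come from the article; the sample export embedded in the script is constructed for the demonstration, and the script assumes the export has already been decoded to text (version 5.00 exports are UTF-16).

```python
"""Audit a Regedit export for the NoLMHash and SynAttackProtect settings.

Added example, not part of the original article. Key paths and value names
are taken from the article; the sample export below is constructed.
"""
import re

# Constructed sample export: the two keys the tips above modify, with
# SynAttackProtect deliberately left at 1 so the audit has something to report.
SAMPLE_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa]
"NoLMHash"=dword:00000001
"Bounds"=hex:00,30,00,00,00,20,00,00

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters]
"SynAttackProtect"=dword:00000001
"DataBasePath"="%SystemRoot%\\\\System32\\\\drivers\\\\etc"
"""

LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
TCPIP = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"

_KEY_RE = re.compile(r"^\[(-?)(.+)\]$")                       # [path] or [-path]
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{1,8})$')  # "name"=dword:hex
_STRING_RE = re.compile(r'^"([^"]+)"="(.*)"$')                 # "name"="text"
_ANY_RE = re.compile(r'^"([^"]+)"=')                           # any other "name"=


def parse_reg_export(text):
    """Return {key_path_lowercased: {value_name_lowercased: value}}.

    DWORD values become ints, plain strings stay strings, and every other
    value type (hex:, multi-string, ...) is recorded as None so the caller
    can still tell the value exists. Names are lowercased because, as the
    note above says, registry names are not case sensitive. Default values
    ("@=") and comment lines (";") are skipped.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(2).lower()
            keys.setdefault(current, {})
            continue
        if current is None:
            continue  # header line before the first [key]
        m = _DWORD_RE.match(line)
        if m:
            keys[current][m.group(1).lower()] = int(m.group(2), 16)
            continue
        m = _STRING_RE.match(line)
        if m:
            keys[current][m.group(1).lower()] = m.group(2)
            continue
        m = _ANY_RE.match(line)
        if m:
            keys[current][m.group(1).lower()] = None
    return keys


def audit(keys):
    """Check the article's two hardening settings; return a list of findings."""
    findings = []
    lsa = keys.get(LSA.lower(), {})
    # Windows 2000 adds NoLMHash as a subkey of Lsa; XP adds it as a REG_DWORD
    # value under Lsa. Either form counts as configured.
    key_form = (LSA + r"\NoLMHash").lower() in keys
    value_form = lsa.get("nolmhash") == 1
    if not (key_form or value_form):
        findings.append("NoLMHash is not set (see the first tip)")

    tcp = keys.get(TCPIP.lower(), {})
    sap = tcp.get("synattackprotect", 0)  # absent means the default of 0
    if sap != 2:
        findings.append(f"SynAttackProtect is {sap}; the article recommends 2")
    return findings


if __name__ == "__main__":
    # For a real file: open(path, encoding="utf-16") for version 5.00 exports,
    # or the default encoding for REGEDIT4 exports, then pass .read() here.
    for finding in audit(parse_reg_export(SAMPLE_EXPORT)) or ["No findings"]:
        print(finding)
```

Run as written, the script reports only that SynAttackProtect is 1 rather than 2; swap in a text export of your own machine to check the settings after applying the tips.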