Full Version: Registry Security
RELiC
I haven't seen much on Registry Security, so I took the time out to put something together:
Important! Learn the registry-settings, before enabling/disabling them.
These registry tweaks are for Windows NT4, Windows 2000 and Windows XP.

disabling IP Forwarding

CODE
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS]
"IPENABLEROUTER"=DWORD:00000000


disallow fragmented IP

CODE
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\IPFILTERDRIVER\PARAMETERS]
"ENABLEFRAGMENTCHECKING"=DWORD:00000001


disabling ICMP-Redirect

CODE
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS]
"ENABLEICMPREDIRECTS"=DWORD:00000000


enabling TCP/IP-Filtering

CODE
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS]
"ENABLESECURITYFILTERS"=DWORD:00000001


disallow forwarding of fragmented IP packets

CODE
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\IPFILTERDRIVER\PARAMETERS]
"DEFAULTFORWARDFRAGMENTS"=DWORD:00000000


crash the system (STOP error) if the Eventlog cannot record audits

CODE
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA]
"CRASHONAUDITFAIL"=DWORD:00000001


Winsock Protection

CODE
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\AFD\PARAMETERS]
"ENABLEDYNAMICBACKLOG"=DWORD:00000001
"MAXIMUMDYNAMICBACKLOG"=DWORD:00020000
"DYNAMICBACKLOGGROWTHDELTA"=DWORD:00000010


Denial-of-Service Protection

CODE
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS]
"SYNATTACKPROTECT"=DWORD:00000002
"TCPMAXDATARETRANSMISSIONS"=DWORD:00000003
"TCPMAXHALFOPEN"=DWORD:00000064
"TCPMAXHALFOPENRETRIED"=DWORD:00000050
"TCPMAXPORTSEXHAUSTED"=DWORD:00000001
"TCPMAXCONNECTRESPONSERETRANSMISSIONS"=DWORD:00000002
"ENABLEDEADGWDETECT"=DWORD:00000000
"ENABLEPMTUDISCOVERY"=DWORD:00000000
"KEEPALIVETIME"=DWORD:00300000
"ALLOWUNQUALIFIEDQUERY"=DWORD:00000000
"DISABLEDYNAMICUPDATE"=DWORD:00000001


Disable Router-Discovery

CODE
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\INTERFACES\<interface GUID>]
"PERFORMROUTERDISCOVERY"=DWORD:00000000


Disabling DomainMaster

CODE
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\BROWSER\PARAMETERS]
"MAINTAINSERVERLIST"="No"
"ISDOMAINMASTER"="False"


Prevent NetBIOS name release on demand (name-hijack protection)

CODE
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\NETBT\PARAMETERS]
"NONAMERELEASEONDEMAND"=DWORD:00000001


Fix for MS DNS Compatibility with BIND versions earlier than 4.9.4

CODE
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\DNS\PARAMETERS]
"BINDSECONDARIES"=DWORD:00000001


disabling Caching of Logon-Credentials (possible also with USRMGR.EXE)

CODE
[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON]
"CACHEDLOGONSCOUNT"="0"


disabling IP-Source-Routing

CODE
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS]
"DISABLEIPSOURCEROUTING"=DWORD:00000001


allow only MS CHAP v2.0 for VPN connections

CODE
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\RASMAN\PPP]
"SECUREVPN"=DWORD:00000001


disabling caching of RAS-Passwords

CODE
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\RASMAN\PARAMETERS]
"DISABLESAVEPASSWORD"=DWORD:00000001


Printer driver installation only by Admins/Print Operators

CODE
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\PRINT\PROVIDERS\LANMAN PRINT SERVICES\SERVERS]
"ADDPRINTDRIVERS"=DWORD:00000001

disabling Administrative Shares NT4.0 Server (C$, D$, E$ etc)

CODE
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\LANMANSERVER\PARAMETERS]
"AUTOSHARESERVER"=DWORD:00000000


disabling Administrative Shares NT4.0 Workstation (C$, D$, E$ etc)

CODE
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\LANMANSERVER\PARAMETERS]
"AUTOSHAREWKS"=DWORD:00000000


allow only authenticated PPP Clients

CODE
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\RASMAN\PPP]
"FORCEENCRYPTEDPASSWORD"=DWORD:00000002


enabling RAS-Logging

CODE
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\RASMAN\PARAMETERS]
"LOGGING"=DWORD:00000001


disabling NTFS 8.3 name generation

CODE
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\FILESYSTEM]
"NTFSDISABLE8DOT3NAMEGENERATION"=DWORD:00000001


disallow anonymous IPC-Connections

CODE
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA]
"RESTRICTANONYMOUS"=DWORD:00000001


enabling SMB Signatures (Server)

CODE
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\LANMANSERVER\PARAMETERS]
"REQUIRESECURITYSIGNATURE"=DWORD:00000001


enabling SMB Signatures (Client)

CODE
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\RDR\PARAMETERS]
"REQUIRESECURITYSIGNATURE"=DWORD:00000001


NT LSA DoS (Phantom) Vulnerability

CODE
[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\AEDEBUG]
"AUTO"="0"


MDAC runs in secured [1] / unsecured [0] Mode

CODE
[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\DATAFACTORY\HANDLERINFO]
"HANDLERREQUIRED"=DWORD:00000001


disable Lan Manager authentication

CODE
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA]
"LMCOMPATIBILITYLEVEL"=DWORD:00000002
Level 0 - Send LM response and NTLM response; never use NTLMv2
Level 1 - Use NTLMv2 session security if negotiated
Level 2 - Send NTLM response only
Level 3 - Send NTLMv2 response only
Level 4 - DC refuses LM responses
Level 5 - DC refuses LM and NTLM responses (accepts only NTLMv2)


disabling DCOM (possible also with DCOMCNFG.EXE)

CODE
[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\OLE]
"ENABLEDCOM"="N"


restrict Null-User-/Guest-Access to Eventlog

CODE
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\APPLICATION]
"RESTRICTGUESTACCESS"=DWORD:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\SECURITY]
"RESTRICTGUESTACCESS"=DWORD:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\SYSTEM]
"RESTRICTGUESTACCESS"=DWORD:00000001


disable displaying last logged in user

CODE
[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON]
"DONTDISPLAYLASTUSERNAME"="1"


restrict Floppy-/CD-ROM-access to the current logged on user

CODE
[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON]
"ALLOCATEFLOPPIES"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON]
"ALLOCATECDROMS"="1"


no Autorun for CD-Rom (1=enabled 0=disabled)

CODE
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\CDROM]
"AUTORUN"=DWORD:00000000


clear pagefile on shutdown

CODE
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\SESSION MANAGER\MEMORY MANAGEMENT]
"CLEARPAGEFILEATSHUTDOWN"=DWORD:00000001


enabling Screensaver Lockout

CODE
[HKEY_USERS\.DEFAULT\CONTROL PANEL\DESKTOP]
"SCREENSAVEACTIVE"="1"


disabling OS/2 Subsystem (if not needed)

CODE
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\SESSION MANAGER\SUBSYSTEMS]
delete value: OS2


disabling POSIX Subsystem (if not needed)

CODE
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\SESSION MANAGER\SUBSYSTEMS]
delete value: POSIX


run IIS CGI with context of "IUSR_computername"

CODE
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\W3SVC\PARAMETERS]
"CreateProcessAsUser"=dword:00000001


Security Message (Logon)

CODE
[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON]
"Welcome"="   Unauthorized Access is prohibited "


Policies (1=enabled 0=disabled)

CODE
[HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS NT\PROGRAM MANAGER\RESTRICTIONS]
[HKEY_USERS\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS NT\PROGRAM MANAGER\RESTRICTIONS]
[HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM]


enable logging of successful http requests

CODE
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\W3SVC\PARAMETERS]
"LogSuccessfulRequests"=dword:00000001


disable IIS FTP bounce attack (IIS 2/3)

CODE
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\MSFTPSVC\PARAMETERS]
"EnablePortAttack"=dword:00000000


enable logging of bad http requests

CODE
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\W3SVC\PARAMETERS]
"LogErrorRequests"=dword:00000001


After you make your registry tweaks, do a Start/Run regedt32, then Security/Permissions.
Go to the keys you changed and set permissions on each key so they can't be changed.

I took the time out to individually make these 43 registry tweaks separately, with their titles, into one zip file... Enjoy.

Feel free to add to this thread if you have others not listed here.
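As an added example (not from the original post), a small Python lint for .reg-style fragments like the ones in this list: it parses the [KEY] and "Name"=type:value lines and flags two defects that are easy to make when hand-typing such lists, a DWORD written with fewer than 8 hex digits and a value name missing its closing quote, so they are caught before anyone imports them. The sample input is constructed for the example.

```python
import re

# One value line: "Name"=dword:00000001  or  "Name"="text" (the two forms used in the list)
_VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"='
    r'(?:(?P<type>dword):(?P<raw>[0-9a-fA-F]+)|"(?P<str>[^"]*)")$',
    re.IGNORECASE,
)
_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")


def parse_reg_fragment(text):
    """Return (entries, errors): entries are (key, name, type, value), errors are (lineno, msg)."""
    entries, errors, key = [], [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith(";") or line.upper() == "CODE":
            continue  # blank line, .reg comment, or the forum's CODE marker
        m = _KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        if key is None:
            errors.append((lineno, "value line before any [KEY] header"))
            continue
        m = _VALUE_RE.match(line)
        if not m:
            errors.append((lineno, "malformed value line (unbalanced quote or missing '=')"))
            continue
        if m.group("type"):  # REG_DWORD must be written as exactly 8 hex digits
            raw = m.group("raw")
            if len(raw) != 8:
                errors.append((lineno, f"dword needs 8 hex digits, got {len(raw)}"))
                continue
            entries.append((key, m.group("name"), "dword", int(raw, 16)))
        else:
            entries.append((key, m.group("name"), "string", m.group("str")))
    return entries, errors


# Constructed sample input: lines 2 and 5 carry the two defect types described above.
SAMPLE = """\
[HKEY_LOCAL_MACHINE\\SYSTEM\\CURRENTCONTROLSET\\SERVICES\\TCPIP\\PARAMETERS]
"DISABLEIPSOURCEROUTING"=DWORD:0000001
"SYNATTACKPROTECT"=DWORD:00000002
[HKEY_LOCAL_MACHINE\\SYSTEM\\CURRENTCONTROLSET\\SERVICES\\EVENTLOG\\SECURITY]
"RESTRICTGUESTACCESS=DWORD:00000001
[HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\OLE]
"ENABLEDCOM"="N"
"""
```

Running parse_reg_fragment over a whole .reg file before importing it gives a list of line numbers to fix; the entries list can then be compared against what the host actually has.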

nmcog
Great!
barty32
great job man,

I searched for such registry commands, thank you
oYost
Wow is the word, great
ST.
yep, very nice.
It'd be good to see descriptions of many of the options, because some changes may affect the network connection.
Dr00py
Great job
COM
Lol, interesting reg strings
Thx
basthen
I really appreciate the info about the reg changes, not only the .reg.

saved!

tekhead
UnDeRTaKeR
Fu***** Great!!! 10x a lot man!!! Some of them are really useful!!!
GhostCow
Great sh*t! Thanks relic, you helped me understand Windows much better!
Ash
Great job cheers!
MrRobot
very nice!
bli4
nice job thx man
Acid-Burn
Nice info
Grt Job
bitwild
check out John Jenkinson's GCWN practical
( giac.org - practical/John_Jenkinson_GCWN.doc )

Appendix B - security template
gunhighsecdc.inf

simply owns :)
pdf
tnx man

I wonder if there's a registry code that allows setting the IP address as sticky

It will help so much
x303
this really helped, Tnx!
cecrex
nice man
thanks
Joc00
Very helpful. Been looking for something like this for quite a while.
Silent Bob
sweet dude, very nice... will save me a lot of time
Blade
it looks nice, I will test it
TRi
Indeed very useful. Will try some of them
godhack3r
Hello Man!
I wonder if I can find some registry methods to enable Terminal Services (Remote Desktop Connection)
SickO
txs, 2 bad that most of them aren't in w2k3.
tweakz20
NICE LIST!!! going in my favorites folder (the great honor!)
usch
Very useful sounding things there, great job. But the only thing is that I don't understand most of the functions. Grr, gotta learn more.

so long
hellraiza
thx a lot mate!
SyN/AcK
Don't know if anyone mentioned it already, but the NSA has some great papers put together on how to secure Windows, including things that will make changes to the registry.
[R]
Great
Thx
virus
Very nice ... May I ask if this is your own research?
guinn3ss
oulalala Thx man
Great and beautiful work, I'll take it to my useful doc.

Good job

haven't seen the download attachment file
that rocks, mate, thanks
marco_maison@hotmail.com
Good job

very thx