[RELiC]

I havn't seen much on Registry Security so i took the time out to put something together:
Important! Learn the registry-settings, before enabling/disabling them.
These registry tweaks are for Windows NT4, Windows 2000 and Windows XP.

disabling IP Forwarding

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS]
"IPENABLEROUTER"=DWORD:00000000

disallow fragmented IP

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\IPFILTERDRIVER\PARAMETERS]
"ENABLEFRAGMENTCHECKING"=DWORD:00000001

disabling ICMP-Redirect

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS]
"ENABLEICMPREDIRECTS"=DWORD:00000000

enabling TCP/IP-Filtering

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS]
"ENABLESECURITYFILTERS"=DWORD:00000001

disallow forward of fragmented IP-Pakets

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\IPFILTERDRIVER\PARAMETERS]
"DEFAULTFORWARDFRAGMENTS"=DWORD:00000000

restart if Evenlog fails

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA]
"CRASHONAUDITFAIL"=DWORD:00000001

Winsock Protection

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\AFD\PARAMETERS]
"ENABLEDYNAMICBACKLOG"=DWORD:00000020
"MAXIMUMDYNAMICBACKLOG"=DWORD:00020000
"DYNAMICBACKLOGGROWTHDELTA"=DWORD:00000010

Denial-of-Service Protection

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS]
"SYNATTACKPROTECT"=DWORD:00000002
"TCPMAXDATARETRANSMISSIONS"=DWORD:00000003
"TCPMAXHALFOPEN"=DWORD:00000064
"TCPMAXHALFOPENRETRIED"=DWORD:00000050
"TCPMAXPORTSEXHAUSTED"=DWORD:00000001
"TCPMAXCONNECTRESPONERETRANSMISSIONS"=DWORD:00000002
"ENABLEDEADGWDETECT"=DWORD:00000000
"ENABLEPMTUDISCOVERY"=DWORD:00000000
"KEEPALIVETIME"=DWORD:00300000
"ALLOWUNQUALIFIEDQUERY"=DWORD:00000000
"DISABLEDYNAMICUPDATE"=DWORD:00000001

Disable Router-Discovery

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\INTERFACES]
"PERFORMROUTERDISCOVERY"=DWORD:00000000

Disabling DomainMaster

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\BROWSER\PARAMETERS]
"MAINTAINSERVERLIST"="No"
"ISDOMAINMASTER"="False"

Disable Netbios-Name exposing

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\NETBT\PARAMETERS]
"NONAMERELEASEONDEMAND"=DWORD:00000001

Fix for MS DNS Compatibility with BIND versions earlier than 4.9.4

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\DNS\PARAMETERS]
"BINDSECONDARIES"=DWORD:00000001

disabling Caching of Logon-Credentials (possible also with USRMGR.EXE)

[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON]
"CACHEDLOGONCOUNT"=DWORD:00000001

disabling IP-Source-Routing

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS]
"DISABLEIPSOURCEROUTING"=DWORD:0000001

allow only MS CHAP v2.0 for VPN connections

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\RASMAN\PPP]
"SECUREVPN"=DWORD:00000001

disabling caching of RAS-Passwords

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\RASMAN\PARAMETERS]
"DISABLESAVEPASSWORD"=DWORD:00000001

Printerinstallation only by Admins/Print Operators

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\PRINT\PROVIDERS\LANMAN
PRINT SERVICES\SERVERS]
"ADDPRINTDRIVERS"=DWORD:00000001

disabling Administrative Shares NT4.0 Server ($c, $d, $e etc)

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\LANMANSERVER\PARAMETERS]
"AUTOSHARESERVER"=DWORD:00000000

disabling Administrative Shares NT4.0 Workstation ($c, $d, $e etc)

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\LANMANSERVER\PARAMETERS]
"AUTOSHAREWKS"=DWORD:00000000

allow only authenicated PPP Clients

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\RASMAN\PPP]
"FORCEENCRYPTEDPASSWORD"=DWORD:00000002

enabling RAS-Logging

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\RASMAN\PARAMETERS]
"LOGGING"=DWORD:00000001

disabling NTFS 8.3 Namegeneration

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\FILESYSTEM]
"NTFSDISABLE8DOT3NAMEGENERATION"=DWORD:00000001

disallow anonymous IPC-Connections

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA]
"RESTRICTANONYMOUS"=DWORD:00000001

enabling SMB Signatures (Server)

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\LANMANSERVER\PARAMETERS]
"REQUIRESECURITYSIGNATURE"=DWORD:00000001

enabling SMB Signatures (Client)

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\RDR\PARAMETERS]
"REQUIRESECURITYSIGNATURE"=DWORD:00000001

NT LSA DoS (Phantom) Vulnerability

[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\AEDEBUG]
"AUTO"="0"

MDAC runs in secured [1] / unsecured [0] Mode

[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\DATAFACTORY\HANDLERINFO]
"HANDLERREQUIRED"=DWORD:00000001

disable Lan Manager authentication

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA]
"LMCOMPATIBILITYLEVEL"=DWORD:00000002
Level 0 - Send LM response and NTLM response; never use NTLMv2
Level 1 - Use NTLMv2 session security if negotiated
Level 2 - Send NTLM response only
Level 3 - Send NTLMv2 response only
Level 4 - DC refuses LM responses
Level 5 - DC refuses LM and NTLM responses (accepts only NTLMv2)

disabling DCOM (possible also with DCOMCNFG.EXE)

[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\OLE]
"ENABLEDCOM"="N"

restrict Null-User-/Guest-Access to Eventlog

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\APPLICATION]
"RESTRICTGUESTACCESS=DWORD:00000001
 [HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\SECURITY]
"RESTRICTGUESTACCESS=DWORD:00000001
 [HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\SYSTEM]
"RESTRICTGUESTACCESS=DWORD:00000001

disable displaying last logged in user

[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON]
"DONTDISPLAYLASTUERNAME"="0"

restrict Floppy-/CD-ROM-access to the current logged on user

[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON]
"ALLOCATEFLOPPIES"="1"
 [HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON]
"ALLOCATECDROMS"="1"

no Autorun for CD-Rom (1=enabled 0=disabled)

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\CDROM]
"AUTORUN"=DWORD:00000000

clear pagefile on shutdown

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\SESSION MANAGER\MEMORY
 MANAGEMENT]
"CLEARPAGEFILEATSHUTDOWN"=DWORD:00000001

enabling Screensaver Lockout

[HKEY_USERS\.DEFAULT\CONTROLPANNEL\DESKTOP]
"SCREENSAVEACTIVE"="1"

disabling OS/2 Subsystem (if not needed)

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\SESSION MANAGER\SUBSYSTEMS]
NAME: OS2

disabling POSIX Subsystem (if not needed)

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\SESSION MANAGER\SUBSYSTEMS]
NAME: POSIX

run IIS CGI with context of "IUSR_computername"

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\W3SVC\PARAMETERS]
"CreateProcessAsUser"=dword:00000001

Security Message (Logon)

[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON]
"Welcome"="   Unauthorized Access is prohibited "

Policies (1=enabled 0=disabled)

[HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS NT\PROGRAM MANAGER\RESTRICTIONS]
[HKEY_USERS\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS NT\PROGRAM MANAGER\RESTRICTIONS]
[HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM]

enable logging of successful http requests

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\W3SVC\PARAMETERS]
"LogSuccessfulRequests"=dword:00000001

disable IIS FTP bounce attack (IIS 2/3)

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\MSFTPSVC\PARAMETERS]
"EnablePortAttack"=dword:00000000

enable logging of bad http requests

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\W3SVC\PARAMETERS]
"LogErrorRequests"=dword:00000001

After you make your registry tweaks do a Start/Run regedt32/Security/Permissions.
Go to the hives you made the changes and set permissions to each key so they can't be changed.

I took the time out to individually make these 43 registry tweaks seperatly with there titles into one zip file...Enjoy..

Feel free to add to this thread if you have others not listed here.

../

Attached File(s)

•  Registry.Security.zip (12.56K)
  Number of downloads: 571

[barty32]

great job man,

i searched such registry commands, thank you ;)

[oYost]

Woww is the word, great :)

[ST.]

yep, very nice.
it'd good to see a descriptions to many of options, because of some changes may affect the network connection

[Dr00py]

Great job

[COM]

Lol, interesting reg strings ;)
Thx

[basthen]

i really appreciate the infos about the reg change. not only the .reg

saved! ;)

tekhead

[UnDeRTaKeR]

Fu***** Great !!! 10x a lot man!!! some of them are realy usefull!!! :P

[GhostCow]

great sh*t! thanks relic you helped me understand windows much better!

[bli4]

nice job thx man :)

[Acid-Burn]

Nice info
Grt Job

[bitwild]

checkout John Jenkinson's GCWN pratical
( giac.org - practical/John_Jenkinson_GCWN.doc )

Appendix B - security template
gunhighsecdc.inf

simply owns :)