Government Security
Network Security Resources

Registry Security

32 replies to this topic

#1 RELiC

RELiC

    Corporal

  • Members
  • 163 posts

Posted 12 February 2004 - 12:06 AM

I haven't seen much on Registry Security so I took the time out to put something together:
Important! Learn the registry-settings, before enabling/disabling them.
These registry tweaks are for Windows NT4, Windows 2000 and Windows XP.

disabling IP Forwarding

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS]
"IPENABLEROUTER"=DWORD:00000000

disallow fragmented IP

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\IPFILTERDRIVER\PARAMETERS]
"ENABLEFRAGMENTCHECKING"=DWORD:00000001

disabling ICMP-Redirect

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS]
"ENABLEICMPREDIRECTS"=DWORD:00000000

enabling TCP/IP-Filtering

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS]
"ENABLESECURITYFILTERS"=DWORD:00000001

disallow forwarding of fragmented IP packets

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\IPFILTERDRIVER\PARAMETERS]
"DEFAULTFORWARDFRAGMENTS"=DWORD:00000000

restart if Eventlog fails

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA]
"CRASHONAUDITFAIL"=DWORD:00000001

Winsock Protection

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\AFD\PARAMETERS]
"ENABLEDYNAMICBACKLOG"=DWORD:00000020
"MAXIMUMDYNAMICBACKLOG"=DWORD:00020000
"DYNAMICBACKLOGGROWTHDELTA"=DWORD:00000010

Denial-of-Service Protection

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS]
"SYNATTACKPROTECT"=DWORD:00000002
"TCPMAXDATARETRANSMISSIONS"=DWORD:00000003
"TCPMAXHALFOPEN"=DWORD:00000064
"TCPMAXHALFOPENRETRIED"=DWORD:00000050
"TCPMAXPORTSEXHAUSTED"=DWORD:00000001
"TCPMAXCONNECTRESPONSERETRANSMISSIONS"=DWORD:00000002
"ENABLEDEADGWDETECT"=DWORD:00000000
"ENABLEPMTUDISCOVERY"=DWORD:00000000
"KEEPALIVETIME"=DWORD:00300000
"ALLOWUNQUALIFIEDQUERY"=DWORD:00000000
"DISABLEDYNAMICUPDATE"=DWORD:00000001

Disable Router-Discovery

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\INTERFACES]
"PERFORMROUTERDISCOVERY"=DWORD:00000000

Disabling DomainMaster

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\BROWSER\PARAMETERS]
"MAINTAINSERVERLIST"="No"
"ISDOMAINMASTER"="False"

Disable Netbios-Name exposing

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\NETBT\PARAMETERS]
"NONAMERELEASEONDEMAND"=DWORD:00000001

Fix for MS DNS Compatibility with BIND versions earlier than 4.9.4

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\DNS\PARAMETERS]
"BINDSECONDARIES"=DWORD:00000001

disabling Caching of Logon-Credentials (possible also with USRMGR.EXE)

[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON]
"CACHEDLOGONCOUNT"=DWORD:00000001

disabling IP-Source-Routing

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS]
"DISABLEIPSOURCEROUTING"=DWORD:00000001

allow only MS CHAP v2.0 for VPN connections

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\RASMAN\PPP]
"SECUREVPN"=DWORD:00000001

disabling caching of RAS-Passwords

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\RASMAN\PARAMETERS]
"DISABLESAVEPASSWORD"=DWORD:00000001

Printer installation only by Admins/Print Operators

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\PRINT\PROVIDERS\LANMAN PRINT SERVICES\SERVERS]
"ADDPRINTDRIVERS"=DWORD:00000001

disabling Administrative Shares NT4.0 Server (C$, D$, E$ etc)

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\LANMANSERVER\PARAMETERS]
"AUTOSHARESERVER"=DWORD:00000000

disabling Administrative Shares NT4.0 Workstation (C$, D$, E$ etc)

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\LANMANSERVER\PARAMETERS]
"AUTOSHAREWKS"=DWORD:00000000

allow only authenticated PPP Clients

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\RASMAN\PPP]
"FORCEENCRYPTEDPASSWORD"=DWORD:00000002

enabling RAS-Logging

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\RASMAN\PARAMETERS]
"LOGGING"=DWORD:00000001

disabling NTFS 8.3 name generation

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\FILESYSTEM]
"NTFSDISABLE8DOT3NAMEGENERATION"=DWORD:00000001

disallow anonymous IPC-Connections

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA]
"RESTRICTANONYMOUS"=DWORD:00000001

enabling SMB Signatures (Server)

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\LANMANSERVER\PARAMETERS]
"REQUIRESECURITYSIGNATURE"=DWORD:00000001

enabling SMB Signatures (Client)

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\RDR\PARAMETERS]
"REQUIRESECURITYSIGNATURE"=DWORD:00000001

NT LSA DoS (Phantom) Vulnerability

[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\AEDEBUG]
"AUTO"="0"

MDAC runs in secured [1] / unsecured [0] Mode

[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\DATAFACTORY\HANDLERINFO]
"HANDLERREQUIRED"=DWORD:00000001

disable Lan Manager authentication

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA]
"LMCOMPATIBILITYLEVEL"=DWORD:00000002
Level 0 - Send LM response and NTLM response; never use NTLMv2
Level 1 - Use NTLMv2 session security if negotiated
Level 2 - Send NTLM response only
Level 3 - Send NTLMv2 response only
Level 4 - DC refuses LM responses
Level 5 - DC refuses LM and NTLM responses (accepts only NTLMv2)

disabling DCOM (possible also with DCOMCNFG.EXE)

[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\OLE]
"ENABLEDCOM"="N"

restrict Null-User-/Guest-Access to Eventlog

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\APPLICATION]
"RESTRICTGUESTACCESS"=DWORD:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\SECURITY]
"RESTRICTGUESTACCESS"=DWORD:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\SYSTEM]
"RESTRICTGUESTACCESS"=DWORD:00000001

disable displaying last logged in user

[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON]
"DONTDISPLAYLASTUSERNAME"="1"

restrict Floppy-/CD-ROM-access to the current logged on user

[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON]
"ALLOCATEFLOPPIES"="1"
"ALLOCATECDROMS"="1"

no Autorun for CD-Rom (1=enabled 0=disabled)

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\CDROM]
"AUTORUN"=DWORD:00000000

clear pagefile on shutdown

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\SESSION MANAGER\MEMORY MANAGEMENT]
"CLEARPAGEFILEATSHUTDOWN"=DWORD:00000001

enabling Screensaver Lockout

[HKEY_USERS\.DEFAULT\CONTROL PANEL\DESKTOP]
"SCREENSAVEACTIVE"="1"

disabling OS/2 Subsystem (if not needed)

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\SESSION MANAGER\SUBSYSTEMS]
NAME: OS2

disabling POSIX Subsystem (if not needed)

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\SESSION MANAGER\SUBSYSTEMS]
NAME: POSIX

run IIS CGI with context of "IUSR_computername"

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\W3SVC\PARAMETERS]
"CreateProcessAsUser"=dword:00000001

Security Message (Logon)

[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON]
"Welcome"="   Unauthorized Access is prohibited "

Policies (1=enabled 0=disabled)

[HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS NT\PROGRAM MANAGER\RESTRICTIONS]
[HKEY_USERS\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS NT\PROGRAM MANAGER\RESTRICTIONS]
[HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM]

enable logging of successful http requests

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\W3SVC\PARAMETERS]
"LogSuccessfulRequests"=dword:00000001

disable IIS FTP bounce attack (IIS 2/3)

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\MSFTPSVC\PARAMETERS]
"EnablePortAttack"=dword:00000000

enable logging of bad http requests

[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\W3SVC\PARAMETERS]
"LogErrorRequests"=dword:00000001

After you make your registry tweaks, do a Start/Run regedt32/Security/Permissions.
Go to the hives where you made the changes and set permissions on each key so they can't be changed.

I took the time out to individually make these 43 registry tweaks separately with their titles into one zip file... Enjoy.

Feel free to add to this thread if you have others not listed here.
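As an added example (not part of the original post or its attached zip), here is a small Python checker for .reg-style listings like the ones above: it flags lines regedit would reject (a DWORD that is not 8 hex digits, a value name missing its closing quote) and reports values that differ from the expected hardened setting. The baseline and the sample listing are constructed here from four of the post's entries; the `CCS` prefix is just a shorthand for the hive path.

```python
import re

# Hive prefix shared by the keys below; BASELINE holds the post's expected
# hardened values for four of its settings (constructed subset).
CCS = r'HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET'
BASELINE = {
    (CCS + r'\SERVICES\TCPIP\PARAMETERS', 'SYNATTACKPROTECT'): 2,
    (CCS + r'\SERVICES\TCPIP\PARAMETERS', 'DISABLEIPSOURCEROUTING'): 1,
    (CCS + r'\SERVICES\EVENTLOG\SECURITY', 'RESTRICTGUESTACCESS'): 1,
    (CCS + r'\CONTROL\LSA', 'RESTRICTANONYMOUS'): 1,
}

# Constructed sample in the post's style: one compliant value, a 7-digit DWORD,
# a value name missing its closing quote, and one value left at its weak setting.
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS]
"SYNATTACKPROTECT"=DWORD:00000002
"DISABLEIPSOURCEROUTING"=DWORD:0000001
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\SECURITY]
"RESTRICTGUESTACCESS=DWORD:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA]
"RESTRICTANONYMOUS"=DWORD:00000000'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-f]+)|"(.*)")$', re.I)

def parse_reg(text):
    """Parse a .reg-style listing into ({(key, name): value}, [syntax errors])."""
    settings, errors, key = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).upper()          # registry paths are case-insensitive
            continue
        m = VALUE_RE.match(line)
        if m is None or key is None:
            errors.append(f'line {lineno}: malformed value line: {line}')
            continue
        name, dword, string = m.groups()
        if dword is not None and len(dword) != 8:   # regedit wants 8 hex digits
            errors.append(f'line {lineno}: DWORD {name} is not 8 hex digits')
            continue
        settings[(key, name.upper())] = int(dword, 16) if dword else string
    return settings, errors

def audit(text, baseline=BASELINE):
    # Returns ({(key, name): (found, expected)} for missing or drifted values, errors)
    settings, errors = parse_reg(text)
    drift = {k: (settings.get(k), want) for k, want in baseline.items() if settings.get(k) != want}
    return drift, errors
```

Run `audit(open('export.reg').read())` against a `reg export` of the same keys to see which of the post's settings are still at their defaults.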


#2 Guest_nmcog_*

Guest_nmcog_*
  • Guests

Posted 12 February 2004 - 12:09 AM

Great!

#3 barty32

barty32

    Private First Class

  • Members
  • 59 posts

Posted 12 February 2004 - 04:16 AM

great job man,

i searched such registry commands, thank you ;)

#4 oYost

oYost

    Private First Class

  • Members
  • 59 posts

Posted 12 February 2004 - 09:03 AM

Woww is the word, great :)

#5 ST.

ST.

    Private First Class

  • Members
  • 94 posts

Posted 12 February 2004 - 09:18 AM

yep, very nice.
it'd be good to see descriptions of many of the options, because some changes may affect the network connection

#6 Dr00py

Dr00py

    Private First Class

  • Members
  • 24 posts

Posted 12 February 2004 - 09:24 AM

Great job

#7 COM

COM

    Private First Class

  • Members
  • 78 posts

Posted 12 February 2004 - 09:46 AM

Lol, interesting reg strings ;)
Thx

#8 basthen

basthen

    Private First Class

  • Members
  • 44 posts

Posted 12 February 2004 - 10:06 AM

I really appreciate the info about the reg changes, not only the .reg

saved! ;)

tekhead

#9 UnDeRTaKeR

UnDeRTaKeR

    Specialist

  • Members
  • 143 posts

Posted 12 February 2004 - 11:41 AM

Fu***** Great !!! 10x a lot man!!! some of them are really useful!!! :P

#10 GhostCow

GhostCow

    Staff Sergeant

  • Members
  • 345 posts

Posted 12 February 2004 - 11:44 AM

great sh*t! thanks relic you helped me understand windows much better!

#11 Guest_Ash_*

Guest_Ash_*
  • Guests

Posted 14 February 2004 - 01:46 PM

Great job cheers!

#12 Guest_MrRobot_*

Guest_MrRobot_*
  • Guests

Posted 14 February 2004 - 08:32 PM

very nice!

#13 bli4

bli4

    Private

  • Members
  • 19 posts

Posted 15 February 2004 - 06:03 AM

nice job thx man :)

#14 Acid-Burn

Acid-Burn

    Private

  • Members
  • 12 posts

Posted 16 February 2004 - 10:32 AM

Nice info
Grt Job

#15 bitwild

bitwild

    Private First Class

  • Members
  • 55 posts

Posted 18 February 2004 - 12:29 PM

check out John Jenkinson's GCWN practical
( giac.org - practical/John_Jenkinson_GCWN.doc )

Appendix B - security template
gunhighsecdc.inf

simply owns :)