Additional Protections


All of the keys and values in this section are located under the registry key HKLM\System\CurrentControlSet\Services\Tcpip\Parameters.

Protect Screened Network Details

Network Address Translation (NAT) is used to screen a network from incoming connections. An attacker can circumvent this screen to determine the network topology using IP source routing.

Value: DisableIPSourceRouting

Recommended value data: 1

Valid values: 0 (forward all packets), 1 (do not forward source routed packets), 2 (drop all incoming source routed packets).

Description: Disables IP source routing, which allows a sender to determine the route a datagram should take through the network.

Avoid Accepting Fragmented Packets

Processing fragmented packets can be expensive. Although it is rare for a denial of service to originate from within the perimeter network, this setting prevents the processing of fragmented packets.

Value: EnableFragmentChecking

Recommended value data: 1

Valid values: 0 (disabled), 1 (enabled)

Description: Prevents the IP stack from accepting fragmented packets.

Do Not Forward Packets Destined for Multiple Hosts

Multicast packets may be responded to by multiple hosts, resulting in responses that can flood a network.

Value: EnableMulticastForwarding

Recommended value data:

Valid range: 0 (false), 1 (true)

Description: The routing service uses this parameter to control whether or not IP multicasts are forwarded. This parameter is created by the Routing and Remote Access Service.

Only Firewalls Forward Packets Between Networks

A multi-homed server must not forward packets between the networks it is connected to. The obvious exception is the firewall.

Value: IPEnableRouter

Recommended value data:

Valid range: 0 (false), 1 (true)

Description: Setting this parameter to 1 (true) causes the system to route IP packets between the networks to which it is connected.

Mask Network Topology Details

The subnet mask of a host can be requested using ICMP packets. This disclosure of information by itself is harmless; however, the responses of multiple hosts can be used to build knowledge of the internal network.

Value: EnableAddrMaskReply

Recommended value data:

Valid range: 0 (false), 1 (true)

Description: This parameter controls whether the computer responds to an ICMP address mask request.

Use the values summarized in Table 5 for maximum protection.

Table 5: Recommended Values

Value Name                   Value (REG_DWORD)
DisableIPSourceRouting       1
EnableFragmentChecking       1
EnableMulticastForwarding
IPEnableRouter
EnableAddrMaskReply
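As an added audit example (not code from the book), the following PowerShell compares the current values under this key with the settings discussed above and reports any that are missing or differ. The expected value 1 for DisableIPSourceRouting and EnableFragmentChecking comes from Table 5; the expected 0 for the other three is an assumption drawn from the section headings, since the table leaves those cells blank. It assumes an elevated session and writes nothing unless -Apply is given.

```powershell
# Added audit script (not from the book): report drift of the Tcpip\Parameters
# values covered in this section and, optionally, set them to the hardened values.
param([switch]$Apply)

$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# Expected values. 1 for the first two is from Table 5. 0 for the remaining
# three is an ASSUMPTION taken from the section headings (the page's table
# leaves those cells blank). On a firewall host IPEnableRouter is legitimately 1.
$Expected = [ordered]@{
    DisableIPSourceRouting    = 1   # Table 5
    EnableFragmentChecking    = 1   # Table 5
    EnableMulticastForwarding = 0   # assumed: "Do Not Forward Packets Destined for Multiple Hosts"
    IPEnableRouter            = 0   # assumed: "Only Firewalls Forward Packets Between Networks"
    EnableAddrMaskReply       = 0   # assumed: "Mask Network Topology Details"
}

$results = foreach ($name in $Expected.Keys) {
    # A value that has never been created is absent from the key; SilentlyContinue
    # turns that into $null instead of an error so it can be reported as MISSING.
    $item    = Get-ItemProperty -Path $KeyPath -Name $name -ErrorAction SilentlyContinue
    $current = if ($null -ne $item) { $item.$name } else { $null }
    $status  = if ($null -eq $current)                { 'MISSING' }
               elseif ($current -eq $Expected[$name]) { 'OK' }
               else                                   { 'DRIFT' }
    [pscustomobject]@{
        Name     = $name
        Expected = $Expected[$name]
        Current  = $current
        Status   = $status
    }
}

$results | Format-Table -AutoSize

if ($Apply) {
    foreach ($r in ($results | Where-Object { $_.Status -ne 'OK' })) {
        # -Type DWord creates the REG_DWORD value when it does not yet exist.
        Set-ItemProperty -Path $KeyPath -Name $r.Name -Value $r.Expected -Type DWord
        Write-Host ("Set {0} = {1} (was {2})" -f $r.Name, $r.Expected, $r.Current)
    }
}
```

Run it once without -Apply to see the current state; a MISSING entry means the value has never been set and the stack is using its built-in default.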




Improving Web Application Security: Threats and Countermeasures
ISBN: 0735618429
Year: 2003
Pages: 613
