All of the keys and values in this section are located under the registry key HKLM\System\CurrentControlSet\Services\Tcpip\Parameters .
Network Address Translation (NAT) is used to screen a network from incoming connections. An attacker can circumvent this screen to determine the network topology using IP source routing.
Value: DisableIPSourceRouting
Recommended value data: 1
Valid values: 0 (forward all packets), 1 (do not forward Source Routed packets), 2 (drop all incoming source routed packets).
Description: Disables IP source routing, which allows a sender to determine the route a datagram should take through the network.
Processing fragmented packets can be expensive. Although it is rare for a denial of service to originate from within the perimeter network, this setting prevents the processing of fragmented packets.
Value: EnableFragmentChecking
Recommended value data: 1
Valid values: 0 (disabled), 1 (enabled)
Description: Prevents the IP stack from accepting fragmented packets.
Multicast packets may be responded to by multiple hosts, resulting in responses that can flood a network.
Value: EnableMulticastForwarding
Recommended value data:
Valid range: 0 (false), 1 (true)
Description: The routing service uses this parameter to control whether or not IP multicasts are forwarded. This parameter is created by the Routing and Remote Access Service.
A multi-homed server must not forward packets between the networks it is connected to. The obvious exception is the firewall.
Value: IPEnableRouter
Recommended value data:
Valid range: 0 (false), 1 (true)
Description: Setting this parameter to 1 (true) causes the system to route IP packets between the networks to which it is connected.
The subnet mask of a host can be requested using ICMP packets. This disclosure of information by itself is harmless; however, the responses of multiple hosts can be used to build knowledge of the internal network.
Value: EnableAddrMaskReply
Recommended value data:
Valid range: 0 (false), 1 (true)
Description: This parameter controls whether the computer responds to an ICMP address mask request.
Use the values summarized in Table 5 for maximum protection.
Value Name | Value (REG_DWORD) |
---|---|
DisableIPSourceRouting | 1 |
EnableFragmentChecking | 1 |
EnableMulticastForwarding | |
IPEnableRouter | |
EnableAddrMaskReply | |
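The five values above are easiest to keep honest with a script that reads the live key and reports drift from Table 5. The following PowerShell is an added example, not part of the original guide: it assumes the registry path named at the top of this section, encodes the two recommended values the table shows (1 and 1), and leaves the other three as `$null` because their value data is not printed on this page, so they are reported but not judged until you fill them in from Table 5. Run it in an elevated session; the `Set-` function supports `-WhatIf` so you can preview before writing.

```powershell
# Added example (not from the original guide): audit and optionally enforce the
# Tcpip\Parameters values from Table 5. Requires an elevated PowerShell session.

$Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# Value name -> expected REG_DWORD data. $null means the recommended value data
# is not shown on this page; fill it in from Table 5 before enforcing.
$Baseline = [ordered]@{
    DisableIPSourceRouting    = 1      # 1 = do not forward source routed packets
    EnableFragmentChecking    = 1      # 1 = do not accept fragmented packets
    EnableMulticastForwarding = $null  # fill in from Table 5 (valid: 0 or 1)
    IPEnableRouter            = $null  # fill in from Table 5 (valid: 0 or 1)
    EnableAddrMaskReply       = $null  # fill in from Table 5 (valid: 0 or 1)
}

function Get-TcpipHardeningState {
    param(
        [string]$RegPath = $Path,
        [System.Collections.IDictionary]$Expected = $Baseline
    )

    if (-not (Test-Path $RegPath)) {
        throw "Registry path not found: $RegPath"
    }
    $item = Get-ItemProperty -Path $RegPath -ErrorAction Stop

    foreach ($name in $Expected.Keys) {
        # A value that was never created is absent from the property bag; the
        # stack then runs with its built-in default, which is worth flagging.
        $prop    = $item.PSObject.Properties[$name]
        $current = if ($prop) { [int]$prop.Value } else { $null }
        $want    = $Expected[$name]

        $status = if ($null -eq $want)         { 'NotAssessed' }
                  elseif ($null -eq $current)  { 'Missing' }
                  elseif ($current -eq $want)  { 'Compliant' }
                  else                         { 'Drift' }

        [pscustomobject]@{
            Name     = $name
            Current  = $current
            Expected = $want
            Status   = $status
        }
    }
}

function Set-TcpipHardeningState {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$RegPath = $Path,
        [System.Collections.IDictionary]$Expected = $Baseline
    )

    foreach ($entry in (Get-TcpipHardeningState -RegPath $RegPath -Expected $Expected)) {
        # Only touch values that are absent or differ from the baseline;
        # NotAssessed entries are skipped until a value is supplied.
        if ($entry.Status -notin @('Missing', 'Drift')) { continue }

        $target = "$RegPath\$($entry.Name)"
        if ($PSCmdlet.ShouldProcess($target, "Set REG_DWORD to $($entry.Expected)")) {
            # -Type DWord creates the value if it does not exist yet.
            Set-ItemProperty -Path $RegPath -Name $entry.Name `
                             -Value $entry.Expected -Type DWord
        }
    }
}

# Report current state; then preview or apply changes.
Get-TcpipHardeningState | Format-Table -AutoSize
Set-TcpipHardeningState -WhatIf    # drop -WhatIf to write the values
```

The TCP/IP stack reads these parameters when it starts, so expect a reboot before a `Compliant` result reflects live behaviour. Treat `Missing` as a finding in its own right: the absence of a value means the host is running on whatever default the stack ships with, not on the hardened setting.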