Customizing a Network Using the Registry

It's impossible to provide a complete reference for all of Windows NT, Windows 2000, Windows XP, and Windows Server 2003 networking in a single chapter (for example, the Resource Kits usually include a comprehensive volume entitled "Windows NT Networking"). This topic certainly deserves a separate book. However, I hope that this chapter helps you to understand how network settings are stored in the registry, and how these settings are related to the data displayed by Control Panel applets. This topic is one of the most interesting ones, and if you explore it, you'll make many discoveries and invent many new ways of customizing network settings.

The remaining sections of this chapter will describe various methods of customizing network settings using the registry.

Securing DNS Servers against DoS Attacks

During the last few years, Denial of Service (DoS) and, especially, Distributed Denial of Service (DDoS) attacks have become the most serious threats to corporate networks. The number of such attacks is growing steadily with time, and currently no one can feel safe and absolutely secure from encountering this threat. Of course, the tips provided here also won't guarantee absolute security against attacks on DNS servers. However, they will serve as good add-ons to your security policy.

Note 

Before introducing the registry modifications described below into the configuration of your production servers, it is recommended that you test them in your lab environment.

All registry settings described in this section are located under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters registry key (Fig. 8.28). Notice that if a parameter is missing from your registry, the system treats it as set to its default value.

Figure 8.28: The HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters registry key

Brief descriptions of these parameters and their recommended values are provided below:

  • EnableDeadGWDetect (REG_DWORD data type). The default value (1) enables TCP/IP to switch to a secondary gateway if many connections experience problems. However, when you are under a DoS attack, such behavior is undesirable, since all traffic can be redirected to a gateway that is not constantly monitored. For this reason, set this parameter to 0.

  • EnablePMTUDiscovery (REG_DWORD data type). The default value of this parameter enables TCP/IP to determine the Maximum Transmission Unit (MTU) that can be transmitted to a remote system. This feature is potentially dangerous, since it enables an attacker to bypass your security system or cause it to fail by transmitting fragmented traffic. For example, many Intrusion Detection Systems (IDS) are still unable to correctly reassemble fragmented IP packets. If you set this parameter to 0, the MTU value will always be equal to 576 bytes.

  • KeepAliveTime (REG_DWORD data type). This parameter specifies how often TCP verifies that an idle connection to a remote system is still intact by sending a keep-alive packet. Set this value to 300000 (milliseconds).

  • SynAttackProtect (REG_DWORD data type). Creating this value provides a minimum level of protection against a specific type of DoS attack known as SYN Flood. SYN Flood attacks interfere with the normal acknowledgement handshake between a client and a server. Under normal conditions, this process comprises three stages:

    • The client sends the request to establish a connection to the server (SYN message).

    • The server responds by sending an acknowledgement (SYN-ACK message).

    • The client confirms the reception of the SYN-ACK message by sending an acknowledgement (ACK message).

If your server becomes the target of a SYN Flood attack, it receives a flood of connection requests, which gradually prevents it from processing acknowledgements from clients. Thus, legitimate users will be unable to establish connections. The recommended value for this parameter is 2 (you can also set this value to 1, but this configuration is less effective).

Securing Terminal Services Connections

Materials provided in this section will certainly prove useful for those who want to improve security when using Remote Desktop for Administration in Windows Server 2003. As was already mentioned earlier in this chapter, this facility is automatically installed on all servers running Windows Server 2003. However, remote administration with this tool is not enabled by default. After it is enabled (see Fig. 8.22), you can use Group Policy or the Terminal Services Configuration tool to further configure Terminal Services. By default, only members of the Administrators group have permission to connect in administrative mode (but they can only connect two at a time). This default security setting is useful. However, there are several additional settings and tools that can be used to improve security, including Group Policy, the local Terminal Server configuration tool, local client settings and, of course, registry editing.

Note 

In addition to the advice and tips provided here, don't forget about the regular system hardening practices and security policies adopted by your company. More detailed information on this topic will be provided in Chapter 9. Furthermore, carefully weigh the benefits of enabling remote access for administrative purposes against the potential danger of exposing the system to additional risks.

To modify the default settings for Remote Desktop, proceed as follows:

  1. Open the Control Panel, start Administrative Tools, then select the Terminal Services Configuration option. The Terminal Services Configuration console will open (Fig. 8.29).

    Figure 8.29: Configuring a RDP-Tcp connection

  2. Right-click the RDP-Tcp connection, then choose the Properties command from the right-click menu.

  3. The RDP-Tcp Properties window will open. On the General tab (Fig. 8.30), change the default encryption level to High (the default value is Client compatible). All data that transfers between the client and server will be at the server's highest encryption level. Currently, that is set to 128 bits. The client must be able to use 128 bits or it will not be able to connect.

    Figure 8.30: The General tab of the RDP-Tcp Properties window

  4. Next, go to the Logon Settings tab (Fig. 8.31) and set the Always prompt for password checkbox. The Remote Desktop connection has a setting that allows the user to save his or her password for the connection. This setting would allow anyone who was able to log on to the local computer to access the remote system through the console. This feature is potentially dangerous, since it might provide an attacker with easy access to remote systems. Setting the Always prompt for password option ensures that the user logs on each time, regardless of the client setting.

    Figure 8.31: The Logon Settings tab of the RDP-Tcp Properties window

  5. On the Sessions tab (Fig. 8.32), note that by default, user accounts are set to Disconnect from session if a session limit is reached or a connection is broken (the option is grayed out in the figure). This setting is a good idea if system administration tasks are running and a connection is broken as a result of network problems. The task will continue to run while the session is in a disconnected state, and the administrator can reconnect. The alternative, End session, would stop the running process with unpredictable results. Set the values of the Active session limit and Idle session limit parameters according to the usage of these sessions. Limiting active sessions is probably not a good idea, as it will prevent some administrative chores from getting done. Limiting an idle session is useful. If you are engaged in a session and leave your computer, anyone could use the open session to the server, a session that is open with administrative privileges. Setting an idle time-out may prevent such an occurrence; at least it will limit exposure. This setting will also help in situations where multiple administrators want to connect. If two administrators are connected yet not using their sessions, a third administrator cannot connect.

    Figure 8.32: The Sessions tab of the RDP-Tcp Properties window

Remote Desktop Port Settings

In contrast to the steps described above, the tweak described in this section can only be accomplished by direct editing of the system registry. To allow Remote Desktop to be used over the Internet, TCP port 3389 must be open on the firewall, or an alternative port must be assigned to the service. If possible, configure the firewall to allow connections to port 3389 only from authenticated users. If you will be limiting the number of computers in use, limit the connections to the port to those specific computers. To block connections to that port on sensitive systems, use IPSec.

To change the port used by Remote Desktop, do the following:

  1. Open the registry and locate the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp key.

  2. Under this key, find the PortNumber value entry, which by default is set to 3389 (Fig. 8.33). Change this value as appropriate (for example, to 8098).

    Figure 8.33: The PortNumber value entry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

  3. Now, to access the server using the new setting, type the new port number after the IP address of the computer to which you want to connect. If the new port is 8098, and the IP address of the server is 192.168.1.8, the new IP address and port combination will be 192.168.1.8:8098.

Client Settings

To configure client settings for Remote Desktop, you need to open the Properties window for specific user accounts. To do so, proceed as follows:

  1. Open Control Panel, select the Administrative tools option, and then start Users and Computers or Active Directory Users and Computers MMC snap-ins (depending on the role of your computer and whether it participates in a domain).

  2. Right-click the user account that will be used for administrative access, and select the Properties command from the context menu to open the properties window. Go to the Sessions tab (Fig. 8.34). Notice that the settings on the Sessions tab are similar to those found in Terminal Services Configuration. However, the settings specified using the Terminal Services Configuration tool override those set for the individual user.

    Figure 8.34: The Sessions tab of the user account properties window

  3. The settings on the Remote control tab (Fig. 8.35) establish whether or not this account can be remotely controlled. Administrative accounts and user accounts that are used by administrators for Remote Desktop should not be configured to allow remote control. Therefore, in order to strengthen security, it is recommended that you clear the Enable remote control checkbox, as shown in this illustration.

    Figure 8.35: The Remote control tab of the user account properties window

Note 

In addition to settings that enhance security, strong policies and procedures will increase security as well. More detailed information on this topic will be provided in Chapter 9.

Registry Entries for the W32Time Service

One of the most confusing elements in Windows 2000 and Windows Server 2003 domains is the W32Time service, which is integrated into the operating system in order to ensure that date and time are properly synchronized throughout your organization.

Unfortunately, the installation instructions don't explain that user authentication relies on synchronized time, and, therefore, many organizations run into logon problems.

The W32Time service settings are stored in the registry under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters key (Fig. 8.36).

Figure 8.36: The W32Time service settings in the system registry

The value entries that you can specify here to tune the W32Time service are outlined in Table 8.3.

Table 8.3: W32Time Service Registry Values

Value name: AvoidTimeSyncOnWan
Data type: REG_DWORD
Description: Whether to synchronize with a computer that is at a different site.
Values:
  0 = Site is ignored [default].
  1 = Do not synchronize with a time source that is at a different site.

Value name: GetDcBackoffMaxTimes
Data type: REG_DWORD
Description: The maximum number of times to double the back-off interval when successive attempts to find a domain controller fail. An event is logged every time a full wait occurs.
Values:
  0 = The wait between attempts is at a minimum and no event is logged.
  7 = [default]

Value name: GetDcBackoffMinutes
Data type: REG_DWORD
Description: The starting number of minutes to wait before looking for a domain controller, if the last attempt failed.
Values:
  15 = [default]

Value name: LocalNTP
Data type: REG_DWORD
Description: Start the SNTP server.
Values:
  0 = Don't start the SNTP server, unless this computer is a domain controller [default].
  1 = Always start the SNTP server.

Value name: NtpServer
Data type: REG_SZ
Description: Stores the value set by NET TIME /SETSNTP.
Values: Blank by default. Sample data value: 192.4.41.40

Value name: Period
Data type: REG_DWORD
Description: Controls how often the time service synchronizes.
Values:
  0 = once a day
  65535 = every 2 days
  65534 = every 3 days
  65533 = every week (7 days)
  65532 = every 45 minutes until 3 good synchronizations occur, then once every 8 hours (3 per day) [default]
  65531 = every 45 minutes until 1 good synchronization occurs, then once every day

Value name: ReliableTimeSource
Data type: REG_DWORD
Description: Does this computer have a reliable time source?
Values:
  0 = No [default]
  1 = This computer has a reliable time source (this is only useful on a domain controller).

Value name: Type
Data type: REG_SZ
Description: How this computer synchronizes.
Values:
  NT5DS = synchronize to domain hierarchy or manually configured source [default]
  NTP = synchronize to manually configured source
  NoSync = do not synchronize time

Value name: Adj
Data type: REG_DWORD
Description: Maintains computer clock information between reboots.
Values: Change not recommended.

Value name: msSkewPerDay
Data type: REG_DWORD
Description: Maintains computer clock information between reboots.
Values: Change not recommended.


Note 

Period can be a type REG_SZ with special values: Bidaily, every 2 days; Tridaily, every 3 days; Weekly, every week (7 days); SpecialSkew, every 45 minutes until 3 good synchronizations occur, then once every 8 hours (3 per day) [default]; DailySpecialSkew, every 45 minutes until 1 good synchronization occurs, then once every day.

Disabling Dynamic DNS Registration

By default, all computers running Windows 2000, Windows XP, or Windows Server 2003 attempt to dynamically register on the DNS servers specified on the General tab of the TCP/IP properties window. To disable this feature, click the Advanced button on the General tab of the Internet Protocol (TCP/IP) Properties window. The Advanced TCP/IP Settings window will open. Go to the DNS tab and clear the Register this connection's addresses in DNS checkbox.

In case you want to perform the same operation using the registry, open the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces key, and set the DisableDynamicUpdate value (of REG_DWORD data type) to 1.

Disabling Persistent Network Connections

To disable the option for restoring persistent network connections, start the registry editor, open the HKEY_USERS\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Network\Persistent Connections key, and locate the SaveConnections setting. The default value for this setting is yes (Fig. 8.37). To disable persistent network connections, set this value to no.

Figure 8.37: The HKEY_USERS\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Network\Persistent Connections registry key

Note 

To disable persistent network connections for existing users, set the SaveConnections value to no in all existing user profiles. This information is stored in the registry under the following keys: HKEY_USERS\<User_SID>\Software\Microsoft\Windows NT\CurrentVersion\Network\Persistent Connections.
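As an added example (editor's code, not from the book or from Microsoft), the following Python script audits an exported .reg file against the settings recommended in this chapter: the Tcpip DoS parameters, the Remote Desktop PortNumber, and the SaveConnections value in every profile under HKEY_USERS. It parses only the dword and string value forms of the Windows Registry Editor 5.00 export format; the sample export is constructed; the function names are the example's own; and the defaults assumed for absent Tcpip values (EnableDeadGWDetect 1, EnablePMTUDiscovery 1, KeepAliveTime 7200000, SynAttackProtect 0) are the editor's assumptions, recorded in the code so that a missing value is reported at the value the stack actually uses rather than silently passed.

```python
"""Audit a Windows registry export (.reg) against the hardening values
recommended in this chapter.  Editor-added example; not code from the book.
Only the dword:... and "string" value forms of the .reg format are parsed."""
import re
from typing import Dict, List, Optional, Tuple, Union

RegValue = Union[int, str]
Registry = Dict[str, Dict[str, RegValue]]   # key path -> {value name (lowercase) -> data}

TCPIP_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
RDP_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
PERSISTENT_SUBKEY = r"Software\Microsoft\Windows NT\CurrentVersion\Network\Persistent Connections"

# value name -> (default assumed when the value is absent, chapter's recommendation).
# The defaults are the editor's assumptions for Windows 2000/2003, not from the book.
TCPIP_HARDENING: Dict[str, Tuple[int, int]] = {
    "EnableDeadGWDetect": (1, 0),
    "EnablePMTUDiscovery": (1, 0),
    "KeepAliveTime": (7_200_000, 300_000),
    "SynAttackProtect": (0, 2),
}

# Constructed sample export: two Tcpip values present, two absent, the RDP port
# moved to 8098, and one user profile still saving persistent connections.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"EnableDeadGWDetect"=dword:00000001
"EnablePMTUDiscovery"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"PortNumber"=dword:00001fa2

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Network\Persistent Connections]
"SaveConnections"="no"

[HKEY_USERS\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows NT\CurrentVersion\Network\Persistent Connections]
"SaveConnections"="yes"
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(.+)$')


def parse_reg(text: str) -> Registry:
    """Parse the subset of .reg syntax used above into nested dictionaries."""
    registry: Registry = {}
    current: Optional[Dict[str, RegValue]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        key_match = _KEY_RE.match(line)
        if key_match:
            current = registry.setdefault(key_match.group(1), {})
            continue
        value_match = _VALUE_RE.match(line)
        if value_match and current is not None:
            name, data = value_match.group(1).lower(), value_match.group(2)
            if data.lower().startswith("dword:"):
                current[name] = int(data[6:], 16)          # dword data is hexadecimal
            elif len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                current[name] = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            # hex:, hex(2):, hex(7): and other forms are not needed here and are skipped
    return registry


def get_value(registry: Registry, key: str, name: str) -> Optional[RegValue]:
    """Case-insensitive lookup, as the registry itself is case-insensitive."""
    wanted = key.lower()
    for path, values in registry.items():
        if path.lower() == wanted:
            return values.get(name.lower())
    return None


def audit_tcpip(registry: Registry) -> List[Tuple[str, int, int, bool]]:
    """Return (name, effective value, recommended value, present?) for each
    Tcpip parameter not at the recommended value.  An absent value is judged
    at its assumed default, because that is what the stack actually uses."""
    findings = []
    for name, (default, recommended) in TCPIP_HARDENING.items():
        value = get_value(registry, TCPIP_KEY, name)
        effective = value if isinstance(value, int) else default
        if effective != recommended:
            findings.append((name, effective, recommended, value is not None))
    return findings


def rdp_port(registry: Registry) -> int:
    """Effective Remote Desktop listening port (3389 when PortNumber is absent)."""
    value = get_value(registry, RDP_KEY, "PortNumber")
    return value if isinstance(value, int) else 3389


def profiles_saving_connections(registry: Registry) -> List[str]:
    """Profiles under HKEY_USERS (SIDs or .DEFAULT) whose SaveConnections is not 'no'."""
    hits = []
    suffix = "\\" + PERSISTENT_SUBKEY.lower()
    for path, values in registry.items():
        lowered = path.lower()
        if lowered.startswith("hkey_users\\") and lowered.endswith(suffix):
            profile = path[len("HKEY_USERS\\"):-len(suffix)]
            if str(values.get("saveconnections", "yes")).lower() != "no":
                hits.append(profile)
    return hits


if __name__ == "__main__":
    reg = parse_reg(SAMPLE_REG)
    for name, effective, recommended, present in audit_tcpip(reg):
        origin = "set" if present else "absent, default applies"
        print(f"{name}: {effective} ({origin}); recommended {recommended}")
    print(f"Remote Desktop port: {rdp_port(reg)}")
    print("Profiles still restoring persistent connections:", profiles_saving_connections(reg))
```

To audit a real server, export the keys with reg.exe (for example, reg export "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" tcpip.reg) and pass the file contents to parse_reg instead of SAMPLE_REG. Bear in mind that HKEY_USERS only contains the hives of profiles that are currently loaded, so a profile that is not logged on will not appear in the export and must be checked separately.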
