Three Easy Registry Hacks Armor Windows

Dampen SYN floods, crack down on anonymous connections and keep your data from wandering off with three simple hacks.

By Sonny Discini | Posted Jun 2, 2006

Many people view the Windows registry as a place that is better left untouched. However, with the proper information, and a careful hand, registry hacks can significantly improve the security stance of your host.

Before making any of the registry changes below, be sure to back up your registry in case something goes terribly wrong. To back up the registry, click the "Start" menu, choose "Run", then enter the program name "regedit.exe". When the registry opens, highlight the "My Computer" field in the left-side pane, select "File" from the pull-down menu, then choose "Export". Save it to a floppy.

Denying denial of service

One of the hardest attacks to defend against is the denial of service (DoS) attack. One such attack is the SYN flood attack, which sends TCP connection requests faster than a machine can process them.

The most important parameter in Windows 2000 and also in Windows Server 2003 to combat this attack is SynAttackProtect. Enabling this parameter allows the operating system to handle incoming connections more efficiently. Protection can be set by adding a SynAttackProtect DWORD value to the following registry key:

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

In general, when a SYN attack is detected the SynAttackProtect parameter changes the behavior of the TCP/IP stack. This allows the operating system to handle more SYN requests. It works by disabling some socket options, adding additional delays to connection indications and changing the timeout for connection requests.

When the value of SynAttackProtect is set to 1, the number of retransmissions is reduced and, according to Microsoft, the creation of a route cache entry is delayed until a connection is made.

The recommended value of SynAttackProtect is 2, which additionally delays the indication of a connection to the Windows Socket until the three-way handshake is completed.

With SynAttackProtect enabled, the TCP/IP stack behavior does not change until the host is under a SYN attack. Even then, once SynAttackProtect starts to operate, the operating system can still handle legitimate incoming connections.

Removing data mobility from removable media

Everyone faces the risk of data loss through removable media such as flash drives. We've all heard stories of people disabling USB ports, sealing them with glue and resorting to other extreme measures to prevent data from walking out the door.

While these methods may be effective, they're certainly not practical. With some simple registry hacks, you can disable the use of USB flash drives while allowing USB devices like CD-ROMs, keyboards and mice to operate without issue.

If a USB storage device is not already installed on the computer, assign the user or the group Deny permissions to the following files:

  • %SystemRoot%\Inf\Usbstor.pnf
  • %SystemRoot%\Inf\Usbstor.inf

When you do so, users cannot install a USB storage device on the computer. To assign a user or group Deny permissions to the Usbstor.pnf and Usbstor.inf files, follow these steps:

  1. Start Windows Explorer, and then locate the %SystemRoot%\Inf folder.
  2. Right-click the Usbstor.pnf file, and then click Properties.
  3. Click the Security tab.
  4. In the Group or user names list, click the user or group that you want to set Deny permissions for.
  5. In the Permissions for UserName or GroupName list, click to select the Deny check box next to Full Control, and then click OK. Note: In addition, add the System account to the Deny list.
  6. Right-click the Usbstor.inf file, and then click Properties.
  7. Click the Security tab.
  8. In the Group or user names list, click the user or group that you want to set Deny permissions for.
  9. In the Permissions for UserName or GroupName list, click to select the Deny check box next to Full Control, and then click OK.

If a USB storage device is already installed on the computer, set the Start value in the following registry key to 4:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor

When you do so, the USB storage device does not work when the user connects the device to the computer. To set the Start value, follow these steps:

  1. Click Start, and then click Run.
  2. In the Open box, type regedit, and then click OK.
  3. Locate, and then click the following registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor
  4. In the right pane, double-click Start.
  5. In the Value data box, type 4, click Hexadecimal (if it is not already selected), and then click OK.
  6. Quit Registry Editor.

Again, when you complete this hack, the only things that will not work are flash drives. More specifically, this hack stops the USB storage drivers from loading when the OS boots up. If you return the value to its default of 3, the drivers will once again load during boot up. It's also important to note that this registry hack is done under local machine, which means that it will impact every user, not just the user currently logged in.

Anonymous connections no more

By design, the Null user can enumerate account names and shares on domain controllers, member servers, and workstations alike. Therefore this Null user, a user with no credentials, can be used to glean a tremendous amount of information from your network without raising any eyebrows. Needless to say, this is especially helpful to attackers.

To prevent this from happening, we perform the following registry hack:

  1. Run Registry Editor (Regedit.exe).
  2. Go to the following key in the registry:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA
  3. On the Edit menu, click Add Value and use the following entry:

    Value Name: RestrictAnonymous
    Data Type: REG_DWORD
    Value: 1
  4. Exit the Registry Editor and restart the computer for the change to take effect.

There are three values you can set for this. They are:

0 - Allow anonymous users
1 - Restrict anonymous users
2 - Allow users with explicit anonymous permissions

The setting of "RestrictAnonymous" has since become standard practice for administrators. It is recommended for securing Web servers. It is also a common setting on sensitive domain controllers. It is even a required setting if you want your systems to meet the requirements of what used to be the highest government rating for business computing products known as "C2."

NOTE: For more information on DoD rating systems such as TCSEC, see this site: http://www.radium.ncsc.mil/tpep/library/rainbow/5200.28-STD

Many people will tell you to set this value to 1 and life will be swell. Unfortunately not.

While that will restrict some actions, it will not restrict them all. Since null user functionality is required for core NT domain functions, the decision was made to limit some of the things this guy could do when "RestrictAnonymous" was set rather than completely killing him off. So while certain API calls had some ACLs assigned to prevent them from being called by the null user, some were left alone.

Enumeration tool writers also know this and hence many of them, along with legitimate vulnerability assessment tools, can still get information using the null user account.

I will just set it to the highest level and that's that, right?

While setting "RestrictAnonymous" to 2 will indeed keep a null user from talking to your server, it will also keep any NT 4.0 box from doing so as well. So, before you rush out and set your Domain Controller Policy to use "No access without explicit anonymous permissions" (RestrictAnonymous=2), make sure that you understand that doing so will keep all of your NT member servers and workstations from finding any domain controller using this setting.

It will also keep down-level servers in trusted domains from talking to you, and any browser service out there that tries to get a domain or server list from a RestrictAnonymous=2 box will fail miserably. Due to these different "results", you are not advised to utilize this setting in mixed-mode environments unless you have done more testing than any of us ever has the time to do.

These are just three of many registry hacks out there that can significantly improve security on your hosts. As with any registry hack, be extremely careful when applying them, be sure you fully understand the implications, test your configs and always make a backup of the registry before you make changes.
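As a check on the three changes above, the following added example (not part of the original article) parses the text of a regedit export, such as the backup the article recommends, and compares the three DWORD values with the ones given here. The function names and the sample export are constructed for illustration; key and value names are matched case-insensitively, as the registry treats them.

```python
import re

# Values given in the article: (key path, value name) -> expected DWORD.
EXPECTED = {
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters", "SynAttackProtect"): 2,
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor", "Start"): 4,
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA", "RestrictAnonymous"): 1,
}

KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')

def parse_dwords(reg_text):
    """Return {(key_lower, name_lower): int} for every DWORD value in a .reg export."""
    values, key = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key").lower()
            continue
        m = DWORD_RE.match(line)
        if m and key:
            values[(key, m.group("name").lower())] = int(m.group("hex"), 16)
    return values

def audit(reg_text):
    """Compare an export against EXPECTED; return {value name: (status, found)}."""
    found = parse_dwords(reg_text)
    report = {}
    for (key, name), want in EXPECTED.items():
        got = found.get((key.lower(), name.lower()))
        status = "missing" if got is None else ("ok" if got == want else "mismatch")
        report[name] = (status, got)
    return report

# Constructed sample export (not taken from a real host).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"SynAttackProtect"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000001
'''

if __name__ == "__main__":
    for name, (status, got) in audit(SAMPLE).items():
        print(f"{name}: {status} (found {got})")
```

A real "Version 5.00" export from regedit is UTF-16, so read it with `open(path, encoding="utf-16").read()` before passing the text to `audit`.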

Resources:

How to harden the TCP/IP stack against denial of service attacks in Win 2000

How to harden the TCP/IP stack against denial of service attacks in W2K3 Server

Hardening the TCP/IP stack to SYN attacks

Restrict Anonymous: Enumeration and the Null User

How to disable the use of USB storage devices

Restricting information available to anonymous logon users

Article courtesy of Enterprise IT Planet
