From: Rafi babler (RbablerEXENT.COM)
Date: Mon Feb 26 2001 - 01:18:50 CST

    Does this concern IIS 4.0 or 5?

    -----Original Message-----
    From: Focus on Microsoft Mailing List
    [mailto:FOCUS-MSSECURITYFOCUS.COM]On Behalf Of Lars Tønnesen
    Sent: Saturday, February 24, 2001 1:57 PM
    To: FOCUS-MSSECURITYFOCUS.COM
    Subject: TO WHOM IT MAY CONCERN Registry entries regarding Denial of
    Service Attacks

    Hi

    I have been following the discussion regarding securing of IIS servers. To
    tightly secure a server you do need to edit registry settings, but don't
    accept anything you read. Use the registry configuration from the IIS hardening
    guide and the SecurityFocus article on hardening NT server.
    I have for some time tried to use registry entries from an article at
    SecurityFocus with registry settings for Withstanding Denial Of Service
    attacks written by Mark Burnett.
    The problem I noticed is that under heavy loads the server reboots without any
    warning. This has been kind of confusing; first I thought it had to do with
    multiple IP addresses, but it has shown that the registry settings are the
    problem. I have tested these registry settings with one and multiple IP
    addresses and after some time with heavy loads it reboots.
    The following keys are taboo in my opinion:

    HKLM/CurrentControlSet\Services\TCPIP\Parameters\SynAttackProtect TYPE regdword VALUE 2
    HKLM/CurrentControlSet\Services\TCPIP\Parameters\EnablePMTUDiscovery TYPE regdword VALUE 0
    HKLM/CurrentControlSet\Services\TCPIP\Parameters\NoNameReleaseOnDemant TYPE regdword VALUE 1
    HKLM/CurrentControlSet\Services\TCPIP\Parameters\EnableDeadGWDetect TYPE regdword VALUE 0
    HKLM/CurrentControlSet\Services\TCPIP\Parameters\KeepAliveTime TYPE regdword VALUE 300,000
    HKLM/CurrentControlSet\Services\TCPIP\Parameters\PerformRouterDiscovery TYPE regdword VALUE 0
    HKLM/CurrentControlSet\Services\TCPIP\Parameters\EnableICMPRedirects TYPE regdword VALUE 0

    This is just my opinion based on experience. I will try to contact Mark
    Burnett and see what experience he has with these settings.
    If anyone else has some experience with these settings I would be happy to
    hear from you.

    Best regards

    Lars G Tønnesen
    Overworked consultant
    Dir: +47 66769394
    Fax: +47 66769393
    Norway
    larsastrofarm.com
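
An added example, not part of the original messages: a PowerShell check that reports which of the seven values listed in the post are present on a host and whether their data matches what was posted, so the settings can be reviewed or backed out individually. It assumes the post's abbreviated path means `HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters`; the function name `Get-PostedTcpipSettingState` is hypothetical.

```powershell
# Added example (not from the original thread).
# Assumption: the abbreviated path in the post refers to this key.
$TcpipParameters = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# Value names and data as listed in the post.
# KeepAliveTime "300,000" is written as the DWORD 300000 (milliseconds).
# NoNameReleaseOnDemand uses the documented spelling; the post writes "NoNameReleaseOnDemant".
$PostedSettings = [ordered]@{
    SynAttackProtect       = 2
    EnablePMTUDiscovery    = 0
    NoNameReleaseOnDemand  = 1
    EnableDeadGWDetect     = 0
    KeepAliveTime          = 300000
    PerformRouterDiscovery = 0
    EnableICMPRedirects    = 0
}

function Get-PostedTcpipSettingState {
    param(
        [string]$KeyPath = $TcpipParameters,
        [System.Collections.IDictionary]$Expected = $PostedSettings
    )

    # Read every value under the key once; fail loudly if the key is unreadable.
    $key = Get-ItemProperty -Path $KeyPath -ErrorAction Stop

    foreach ($name in $Expected.Keys) {
        $prop = $key.PSObject.Properties[$name]
        if ($null -eq $prop) {
            # Value absent: the operating system default is in effect.
            $current = $null
            $state   = 'NotSet'
        } elseif ([int64]$prop.Value -eq [int64]$Expected[$name]) {
            $current = $prop.Value
            $state   = 'MatchesPost'
        } else {
            $current = $prop.Value
            $state   = 'Differs'
        }
        [pscustomobject]@{
            Name    = $name
            Posted  = $Expected[$name]
            Current = $current
            State   = $state
        }
    }
}

Get-PostedTcpipSettingState | Format-Table -AutoSize
```

Rows reported as `MatchesPost` are the values to record before changing anything, so each one can be reverted separately while watching for the reboots described in the post.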