
Tech Tip: Guard against DoS attacks/Protect offline SAM

Windows 2000 Professional: Guard against DoS attacks

Denial of service (DoS) attacks are one of the most common methods attackers use to disable a system or, at the very least, to severely degrade its performance. Computers that sit behind a firewall are generally shielded from most network-level DoS attacks, but computers connected directly to the Internet are far more exposed to them.

There are a handful of registry settings you can apply to a Windows 2000 computer in order to harden it against DoS attacks, including these:

  • SynAttackProtect: This setting protects against a SYN flood attack. Set it to 0, 1, or 2 for increasing levels of protection. At 1 and 2 the protection engages only once Windows detects that its half-open connection limits have been exceeded; the higher the value, the more Windows reduces retransmissions and delays connection notifications, so half-open (and some legitimate) TCP connections time out faster. Use 2 on hosts exposed directly to the Internet.
  • EnableDeadGWDetect: Set to 0 to prevent the computer from switching to a different gateway, which could otherwise happen while a DoS attack is in progress and be abused to redirect traffic. A value of 1 allows the gateway switch.
  • EnablePMTUDiscovery: Set to 0 to prevent an attacker from forcing the MTU down to a small value and bogging down the TCP/IP stack with undersized segments. With this setting at 0, Windows uses an MTU of 576 bytes for all nonlocal connections. Set to 1 to allow MTU discovery.
  • KeepAliveTime: This value (in milliseconds) is how long Windows lets an idle connection sit before it sends a keep-alive packet to the remote computer to check that the connection is still valid. Set it to a relatively low number so that dead or abandoned connections are detected and torn down sooner; the default is 7,200,000 (two hours), and Microsoft recommends 300,000, or five minutes.

All of these are DWORD values under the registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

Also, set the following DWORD value to 1 to prevent the computer from releasing its NetBIOS name when it receives a name-release request (an attacker can otherwise spoof such a request and knock the machine off the NetBIOS name space):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand

Most of these parameters are read when the TCP/IP driver starts, so plan on a reboot for the change to take effect.

Note: Editing the registry can be risky, so be sure you have a verified backup before making any changes.
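The following script is an added example, not part of the original tip, that applies the five values above as one baseline and audits a host for drift from it. It assumes an elevated PowerShell session on the target host (Windows 2000 itself has no PowerShell, so in practice it is run on a later Windows that still carries these registry paths, or adapted to a remote registry session) and that reg.exe is available for the backup step; the function names and the backup location under %TEMP% are the example's own choices.

```powershell
# Added example: apply and audit the DoS-hardening registry values from the tip.
# Assumptions (not from the original page): elevated session on the target host,
# reg.exe on the path, and the registry paths exactly as the tip lists them.
$Baseline = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'; Name = 'SynAttackProtect';      Value = 2 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'; Name = 'EnableDeadGWDetect';    Value = 0 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'; Name = 'EnablePMTUDiscovery';   Value = 0 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'; Name = 'KeepAliveTime';         Value = 300000 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netbt\Parameters'; Name = 'NoNameReleaseOnDemand'; Value = 1 }
)

function Get-DosHardeningState {
    # One record per setting: expected value, current value ($null if absent), and compliance.
    foreach ($s in $Baseline) {
        $current = $null
        $item = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
        if ($item) { $current = $item.($s.Name) }
        [pscustomobject]@{
            Path      = $s.Path
            Name      = $s.Name
            Expected  = $s.Value
            Current   = $current
            Compliant = ($current -eq $s.Value)
        }
    }
}

function Set-DosHardening {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    # Export both keys first so the change can be rolled back (the tip insists on a backup).
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' "$env:TEMP\tcpip-$stamp.reg" /y | Out-Null
    & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\Netbt\Parameters' "$env:TEMP\netbt-$stamp.reg" /y | Out-Null

    foreach ($s in (Get-DosHardeningState | Where-Object { -not $_.Compliant })) {
        if ($PSCmdlet.ShouldProcess("$($s.Path)\$($s.Name)", "set DWORD to $($s.Expected)")) {
            # -Force creates the value if missing and overwrites it (and its type) if present
            New-ItemProperty -Path $s.Path -Name $s.Name -PropertyType DWord -Value $s.Expected -Force | Out-Null
        }
    }
}

# Audit, preview the changes, then apply for real by dropping -WhatIf.
Get-DosHardeningState | Format-Table Name, Expected, Current, Compliant -AutoSize
Set-DosHardening -WhatIf
```

Run Get-DosHardeningState on its own as a periodic check; a value that is absent shows as Current = $null and non-compliant, which is the usual state of a fresh install since none of these values exist until you create them. Because the TCP/IP driver reads these parameters at start-up, schedule a reboot after Set-DosHardening.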

Windows 2000 Server: Protect offline SAM

Every Windows 2000 computer stores local users and their passwords in a special part of the registry commonly referred to as the Security Accounts Manager (SAM). When you promote a Windows 2000 server to a domain controller, the SAM is no longer used for domain accounts; those are stored in Active Directory instead.

Domain controllers keep a separate offline SAM that stores the Administrator account used in Directory Services Restore Mode (DSRM), the boot mode used to recover Windows 2000 domain controllers. Because this account has full control of the machine and its directory database while Active Directory is offline, you must protect it. Here are some tips for protecting this account:

  • Use a different password for the offline SAM Administrator account and the Active Directory Administrator account, so that a compromise of one does not hand over the other.
  • Use a strong password and change it regularly, in accordance with your password policy.
  • Enable auditing on the SAM file located in %systemroot%\System32\Config so that attempts to read or copy it are logged.
  • Physically secure the computer. Since the account is only usable when the domain controller is booted into Directory Services Restore Mode, anyone who can reboot the machine at the console is the main threat, so physical security is important.
  • Protect backups and don't let them get into the wrong hands; a backup of the system state contains the offline SAM.
  • If you want to change the offline Administrator password but don't want to restart the domain controller into Directory Services Restore Mode, use the Setpwd.exe utility from Windows 2000 Service Pack 2.

If you used the Configure Your Server Wizard to set up your domain controller, make sure you read Microsoft Knowledge Base article Q271641, which discusses security issues with the password the wizard sets for this account.
