This tip was originally published in TechRepublic's Windows 2000 e-newsletter.
Denial of service (DoS) attacks are one of the most common methods hackers use to disable a system or, at the very least, severely impact its performance. Computers that sit behind a firewall are generally protected from most DoS attacks, but computers connected directly to the Internet are much more susceptible to these attacks.
There are a handful of registry settings you can apply to a Windows 2000 computer in order to harden it against DoS attacks. The options listed below are all DWORD values that reside in the following registry key:
- SynAttackProtect: This setting protects against a SYN flood attack. Set to a value of 0, 1, or 2 for increasing levels of protection. The higher the value, the more delay Windows adds to connection attempts, causing TCP connection timeouts.
- EnableDeadGWDetect: Set to 0 to prevent the computer from switching to a different gateway, which could otherwise occur if a DoS attack is in progress. A value of 1 allows the gateway switch.
- EnablePMTUDiscovery: Set to 0 to prevent a hacker from forcing an MTU change to a small value and bogging down the TCP/IP protocol stack. Windows uses an MTU value of 576 bytes for all non-local connections with this setting at 0. Set to 1 to allow MTU discovery.
- KeepAliveTime: Set this value (in milliseconds) to a relatively low number to decrease the length of time Windows sends a keep-alive packet to a remote computer to determine if the connection is still valid. Microsoft recommends a value of 300,000, or five minutes.
Also, set the following registry key to a value of 1 to prevent the computer from releasing its NetBIOS name when it receives a name-release request:
Editing the registry can be risky, so be sure you have a verified backup before making any changes.