Harden the TCP/IP Stack for Denial of Service Attacks (Windows 2000/XP)
Denial of service attacks are network attacks that are aimed at making a computer or a particular service unavailable to network users. These settings can be used to increase the ability for Windows to defend against these attacks when connected directly to the Internet.
Protect Against SYN Flood Attacks (Windows NT/2000/XP)
Windows includes protection that allows it to detect and adjust when the system is being targeted with a SYN flood attack (a type of denial of service attack). When enabled the connection responses time out more quickly in the event of an attack.
Disable Web Printing (Windows 2000/XP)
This restriction enables and disables server support for Internet printing. Internet printing lets you display printers on Web pages so they can be viewed, managed, and used across the Internet or an intranet.
Offload IP Security Task Processing (Windows 2000/XP)
This setting is used to control whether IP Security (IPSEC) tasks should be offloaded to a network card with IP security capabilities.
Hide the Active Directory Folder in My Network Places (Windows 2000)
This restriction is used to remove the Active Directory folder from My Network Places. This still allows users to search but not browse the Active Directory.
Network Connection Restrictions (Windows 2000/XP)
These restrictions control access to the features and properties of LAN, RAS and other network connections.
Disable Recent Shares in Network Places (Windows 2000/XP)
This restriction stops remote shared folders from being added to Network Places whenever you open a document in the shared folder.
Specify Users to Receive Administrative Alerts (Windows NT/2000/XP)
This setting is used to specify a list of users and/or computers that should receive administrative alerts.
Disable the Ability to Remotely Shutdown the Computer Browser Service (Windows NT/2000/XP)
It is possible for a malicious user to shut down a computer browser, or all computer browsers, on the same subnet. If all of the computers on the same subnet are shut down, they can then declare their own computer the new master browser.
Disables DHCP Router Discovery (All Windows)
The ICMP Router Discovery Protocol (IRDP) comes enabled by default for Windows clients using DHCP. This can be a security issue because by spoofing IRDP Router Advertisements, an attacker can remotely add default route entries on a remote system.
Hide Computers Near Me in Network Places (Windows 2000/Me/XP)
This setting allows you to show or hide the computers listed Near Me in My Network Places.
Disable the Automatic Creation of a Default Network Route (Windows NT)
This tweak controls the default behavior of Windows to add a network route to 0.0.0.0 on multi-homed machines (e.g. proxy or firewall).
Disable TCP/IP Source Routing (Windows NT 4.0)
Normally, on a computer running Windows NT 4.0, you cannot disable the source routing feature for the TCP/IP protocol. By using this tweak it is possible to disable it.
Changing LAN Manager Authentication on Windows NT (Windows NT)
Windows NT supports two kinds of challenge/response authentication: LanManager (LM) and Windows NT (NTLM). LM authentication is not as strong as Windows NT authentication so some customers may want to disable its use, because an attacker sniffing the network traffic could possibly attack the weaker protocol.
Changing the Password Expiry Warning Period (Windows NT/2000/XP)
This entry specifies the number of days before a user's password expires that a warning message is displayed.
Hide Share Passwords with Asterisks (All Windows)
This setting controls whether the password typed when accessing a file share is shown in clear text or as asterisks.
Require Validation by Network for Windows Access (Windows 95/98/Me)
By default Windows 9x doesn't require a valid network username and password combination for a user to bypass the logon and gain access to the local machine. This functionality can be changed to require validation by the network before allowing access.
Disable File and Printer Sharing (Windows 95/98/Me)
When file and printer sharing is installed it allows users to make services available to other users on a network, this functionality can be disabled by changing this setting.
Disable Caching of Domain Password (Windows 95/98/Me)
Enabling this setting disables the caching of the domain passwords, and therefore passwords are required to be re-entered to access any additional domain resources.
Remove the Map and Disconnect Network Drive Options (Windows NT/2000/XP)
Prevents users from making additional network connections by removing the Map Network Drive and Disconnect Network Drive buttons from the toolbar in Explorer and also removing them from the Context menu of My Computer and the Tools menu of Explorer.
Hide Entire Network in Network Neighborhood (All Windows)
Entire Network is an option under Network Neighborhood that allows users to see all the Workgroups and Domains on the network. Entire Network can be disabled, so users are confined to their own Workgroup or Domain.
Hide Workgroup Content from Network Neighborhood (All Windows)
Enabling this option hides all Workgroup contents from being displayed in Network Neighborhood.
Restrict Anonymous User Access (Windows NT/2000/XP)
Windows has a feature where anonymous users can list domain user names and enumerate share names. Users who want enhanced security may optionally restrict this functionality.
Send Plain Text Passwords (All Windows)
When connecting to some SMB servers, such as Samba and LAN Manager for UNIX, you may be required to send unencypted password. This setting enables that functionality.
Hide Computer from the Browser List (Windows NT/2000/XP)
If you have a secure server or workstation you wish to hide from the general browser list, then enable this setting.
Automatic Hidden Shares (Windows NT/2000/XP)
When networking has been installed on a Windows machine, it will automatically create hidden shares to the local disk drives. It is possible to disable the sharing at run-time, but this tweak will stop the automatic sharing altogether.
Remove Log Off from the Start Menu (All Windows)
This tweak allows you to remove the Log Off [Username] option from the Start menu.
Disable Save Password Option in Dial-Up Networking (Windows NT/2000)
When you dial a phonebook entry in Dial-Up Networking (DUN), you can use the 'Save Password' option so that your DUN password is cached and you will not need to enter it on successive dial attempts. This key disables that option.
|More Guides »||Security Guide||Support Forums||Software Guide||Scripting Guide||Search|