Microsoft has developed a list of custom registry entries that dramatically extends the set of available security policy settings. The list, reproduced here for your convenience, can be implemented quickly by adding the following entries to your Sceregvl.inf file and then registering the Scecli.dll file, as described earlier.
MACHINESystemCurrentControlSetServicesTcpipParameters EnableICMPRedirect,4,%EnableICMPRedirect%,0 MACHINESystemCurrentControlSetServicesTcpipParameters SynAttackProtect,4,%SynAttackProtect%,3,0|%SynAttackProtect0%,1| %SynAttackProtect1% MACHINESystemCurrentControlSetServicesTcpipParameters EnableDeadGWDetect,4,%EnableDeadGWDetect%,0 MACHINESystemCurrentControlSetServicesTcpipParameters EnablePMTUDiscovery,4,%EnablePMTUDiscovery%,0 MACHINESystemCurrentControlSetServicesTcpipParameters KeepAliveTime,4,%KeepAliveTime%,3,150000|%KeepAliveTime0%,300000| %KeepAliveTime1%,600000|%KeepAliveTime2%,1200000|%KeepAliveTime3%, 2400000|%KeepAliveTime4%,3600000|%KeepAliveTime5%,7200000| %KeepAliveTime6% MACHINESystemCurrentControlSetServicesTcpipParameters DisableIPSourceRouting,4,%DisableIPSourceRouting%,3,0| %DisableIPSourceRouting0%,1|%DisableIPSourceRouting1%,2| %DisableIPSourceRouting2% MACHINESystemCurrentControlSetServicesTcpipParameters TcpMaxConnectResponseRetransmissions,4, %TcpMaxConnectResponseRetransmissions%,3,0| %TcpMaxConnectResponseRetransmissions0%,1| %TcpMaxConnectResponseRetransmissions1%,2| %TcpMaxConnectResponseRetransmissions2%,3| %TcpMaxConnectResponseRetransmissions3% MACHINESystemCurrentControlSetServicesTcpipParameters TcpMaxDataRetransmissions,4,%TcpMaxDataRetransmissions%,1 MACHINESystemCurrentControlSetServicesTcpipParameters PerformRouterDiscovery,4,%PerformRouterDiscovery%,0 MACHINESystemCurrentControlSetServicesTcpipParameters TCPMaxPortsExhausted,4,%TCPMaxPortsExhausted%,1 MACHINESystemCurrentControlSetServicesNetbtParameters NoNameReleaseOnDemand,4,%NoNameReleaseOnDemand%,0 MACHINESystemCurrentControlSetControlFileSystem NtfsDisable8dot3NameCreation,4,%NtfsDisable8dot3NameCreation%,0 MACHINESOFTWAREMicrosoftWindowsCurrentVersionPolicies ExplorerNoDriveTypeAutoRun,4,%NoDriveTypeAutoRun%,3,0| %NoDriveTypeAutoRun0%,255|%NoDriveTypeAutoRun1% MACHINESYSTEMCurrentControlSetServicesEventlogSecurity WarningLevel,4,%WarningLevel%,3,50|%WarningLevel0%,60| 
%WarningLevel1%,70|%WarningLevel2%,80|%WarningLevel3%,90| %WarningLevel4% MACHINESYSTEMSoftwareMicrosoftWindows NTCurrentVersionWinlogon ScreenSaverGracePeriod,4,%ScreenSaverGracePeriod%,1 MACHINESystemCurrentControlSetServicesAFDParameters DynamicBacklogGrowthDelta,4,%DynamicBacklogGrowthDelta%,1 MACHINESystemCurrentControlSetServicesAFDParameters EnableDynamicBacklog,4,%EnableDynamicBacklog%,0 MACHINESystemCurrentControlSetServicesAFDParameters MinimumDynamicBacklog,4,%MinimumDynamicBacklog%,1 MACHINESystemCurrentControlSetServicesAFDParameters MaximumDynamicBacklog,4,%MaximumDynamicBacklog%,3,10000| %MaximumDynamicBacklog0%,15000|%MaximumDynamicBacklog1%,20000| %MaximumDynamicBacklog2%,40000|%MaximumDynamicBacklog3%,80000| %MaximumDynamicBacklog4%,160000|%MaximumDynamicBacklog5% MACHINESYSTEMCurrentControlSetControl Session ManagerSafeDllSearchMode,4,%SafeDllSearchMode%,0 [Strings} section EnableICMPRedirect = "MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes" SynAttackProtect = "MSS: (SynAttackProtect) Syn attack protection level (protects against DoS)" SynAttackProtect0 = "No additional protection, use default settings" SynAttackProtect1 = "Connections time out sooner if a SYN attack is detected" EnableDeadGWDetect = "MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)" EnablePMTUDiscovery = "MSS: (EnablePMTUDiscovery ) Allow automatic detection of MTU size (possible DoS by an attacker using a small MTU)" KeepAliveTime = "MSS: How often keep-alive packets are sent in milliseconds" KeepAliveTime0 ="150000 or 2.5 minutes" KeepAliveTime1 ="300000 or 5 minutes (recommended)" KeepAliveTime2 ="600000 or 10 minutes" KeepAliveTime3 ="1200000 or 20 minutes" KeepAliveTime4 ="2400000 or 40 minutes" KeepAliveTime5 ="3600000 or 1 hour" KeepAliveTime6 ="7200000 or 2 hours (default value)" DisableIPSourceRouting = "MSS: (DisableIPSourceRouting) IP source routing protection level (protects against 
packet spoofing)" DisableIPSourceRouting0 = "No additional protection, source routed packets are allowed" DisableIPSourceRouting1 = "Medium, source routed packets ignored when IP forwarding is enabled" DisableIPSourceRouting2 = "Highest protection, source routing is completely disabled" TcpMaxConnectResponseRetransmissions = "MSS: (TcpMaxConnectResponseRetransmissions) SYN-ACK retransmissions when a connection request is not acknowledged" TcpMaxConnectResponseRetransmissions0 = "No retransmission, half-open connections dropped after 3 seconds" TcpMaxConnectResponseRetransmissions1 = "3 seconds, half-open connections dropped after 9 seconds" TcpMaxConnectResponseRetransmissions2 = "3 & 6 seconds, half-open connections dropped after 21 seconds" TcpMaxConnectResponseRetransmissions3 = "3, 6, & 9 seconds, half-open connections dropped after 45 seconds" TcpMaxDataRetransmissions = "MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)" PerformRouterDiscovery = "MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)" TCPMaxPortsExhausted = "MSS: (TCPMaxPortsExhausted) How many dropped connect requests to initiate SYN attack protection (5 is recommended)" NoNameReleaseOnDemand = "MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers" NtfsDisable8dot3NameCreation = "MSS: Enable the computer to stop generating 8.3 style filenames" NoDriveTypeAutoRun = "MSS: Disable Autorun for all drives" NoDriveTypeAutoRun0 = "Null, allow Autorun" NoDriveTypeAutoRun1 = "255, disable Autorun for all drives" WarningLevel = "MSS: Percentage threshold for the security event log at which the system will generate a warning" WarningLevel0 = "50%" WarningLevel1 = "60%" WarningLevel2 = "70%" WarningLevel3 = "80%" WarningLevel4 = "90%" ScreenSaverGracePeriod = "MSS: The time in seconds before the screen saver grace period 
expires (0 recommended)" DynamicBacklogGrowthDelta = "MSS: (AFD DynamicBacklogGrowthDelta) Number of connections to create when additional connections are necessary for Winsock applications (10 recommended)" EnableDynamicBacklog = "MSS: (AFD EnableDynamicBacklog) Enable dynamic backlog for Winsock applications (recommended)" MinimumDynamicBacklog = "MSS: (AFD MinimumDynamicBacklog) Minimum number of free connections for Winsock applications (20 recommended for systems under attack, 10 otherwise)" MaximumDynamicBacklog = "MSS: (AFD MaximumDynamicBacklog) Maximum number of 'quasi-free' connections for Winsock applications" MaximumDynamicBacklog0 = "10000" MaximumDynamicBacklog1 = "15000" MaximumDynamicBacklog2 = "20000 (recommended)" MaximumDynamicBacklog3 = "40000" MaximumDynamicBacklog4 = "80000" MaximumDynamicBacklog5 = "160000" SafeDllSearchMode = "MSS: Enable Safe DLL search mode (recommended)"
You can copy and paste this code from the file into your Sceregvl.inf file. Note that in the listing as printed here the backslash separators in the registry paths have been lost (for example, between MACHINE, System, and CurrentControlSet) and the [Strings] section header appears with a mismatched bracket; restore them so that each entry names the intended registry key before you paste the entries. To access the Microsoft document that this code originated from, go to http://www.microsoft.com/technet/security/guidance/secmod57.mspx.
After you have added the custom entries from the list above to your Sceregvl.inf file and registered Scecli.dll, a large list of new policy settings will appear in the security templates, as shown in Figure 15-19.