.reg files from XP

Started by Kirce, June 21, 2012, 02:51:38 PM


Kirce

Hey there!

Here's the thing, long ago I got two .reg files from a friend, they have to do with tcp/ip and winsock thingies (I'm awful with this kind of stuff) and when I double clicked on them the changes were all automatically applied.

But... now I'm in Windows 7 and the files refuse to work! So... is it possible to convert these two files so that they work in Windows 7 the same way the did in the past with XP?

Help!

Vekseid

They almost certainly aren't necessary in Windows 7/Vista, if they are what I think they are. A lot of XP's silly defaults were corrected in Vista, and I think some things aren't even possible to set anymore because some values are handled dynamically by your system.

Kirce

Aw.. a pity, I asked my friend and (I'm writing now what she told me, which I don't understand) "Those were a number of measures that reinforced the tcp/ip and winsock protocols for increased security against DoS (?) and DDoS (?) attacks".

So that's what they were for! Unfortunately she had no idea on if they worked or not in Windows 7 so, meh!

Vekseid

Quote from: Kirce on June 29, 2012, 05:38:23 AM
Aw.. a pity, I asked my friend and (I'm writing now what she told me, which I don't understand) "Those were a number of measures that reinforced the tcp/ip and winsock protocols for increased security against DoS (?) and DDoS (?) attacks".

So that's what they were for! Unfortunately she had no idea on if they worked or not in Windows 7 so, meh!

*blinks*

No, they weren't. -_-

Some people passed around RWIN (receive window) tweaks as .reg files, and this could slightly increase your download speeds in Windows XP, however, it is not needed as of Vista (And thus 7). There were also a few other minor tweaks, but none of these were necessary as of Vista.

Attacks against the network stack itself were generally not valid after Windows 2000 came out, and a registry patch isn't going to be sufficient to take care of the vulnerabilities that did exist - that took an actual firewall, or more frequently, a fix from Microsoft. And unless you are running a server of some sort, just having a router is about as good as you are generally going to get against denial-of-service attacks. If you are running a server, your best solution is an actual firewall and good server code/configuration.

Regardless, they're text files - open them up in Notepad and post them here if you want, and we can see what they are actually doing. : )

Kirce

Sure! But I need translation! :)


' VBScript source code
' Created with Visual Studio.Net
' Ben Smith - Microsoft Corporation
' Microsoft Windows Security Resource Kit
' Registry script - TCP/IP Security Options for Windows 2000/Windows XP
' Version 1.1

'require variable declaration

option explicit

' declare variables

dim oShell

' main

set oShell = createobject("Wscript.shell")

'set TCP/IP security registry entries

oShell.RegWrite "HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect",0,"REG_DWORD"
oShell.RegWrite "HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect",2,"REG_DWORD"
oShell.RegWrite "HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxConnectResponseRetransmissions",2,"REG_DWORD"
oShell.RegWrite "HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\TCPMaxHalfOpen",500,"REG_DWORD"
' Microsoft documents this value as TcpMaxHalfOpenRetried; the original script spelled it "Retired", which writes a value the stack never reads
oShell.RegWrite "HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpenRetried",400,"REG_DWORD"
oShell.RegWrite "HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\TCPMaxPortsExhausted",5,"REG_DWORD"
oShell.RegWrite "HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxDataRetransmissions",3,"REG_DWORD"
oShell.RegWrite "HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnableDeadGWDetect",0,"REG_DWORD"
oShell.RegWrite "HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery",0,"REG_DWORD"
oShell.RegWrite "HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime",300000,"REG_DWORD"
oShell.RegWrite "HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting",2,"REG_DWORD"
oShell.RegWrite "HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\NoNameReleaseOnDemand",1,"REG_DWORD"
oShell.RegWrite "HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\PerformRouterDiscovery",0,"REG_DWORD"

wscript.echo ("TCP/IP Security Options Set")

set oShell = nothing



' VBScript source code
' Created with Visual Studio.Net
' Ben Smith - Microsoft Corporation
' Microsoft Windows Security Resource Kit
' Registry script - Winsock Security Options for Windows 2000/Windows XP
' Version 1.1

'require variable declaration

option explicit

' declare variables

dim oShell

' main

set oShell = createobject("Wscript.shell")

'set winsock security registry entries

oShell.RegWrite "HKLM\System\CurrentControlSet\Services\AFD\Parameters\EnableDynamicBacklog",1,"REG_DWORD"
oShell.RegWrite "HKLM\System\CurrentControlSet\Services\AFD\Parameters\DynamicBacklogGrowthDelta",10,"REG_DWORD"
oShell.RegWrite "HKLM\System\CurrentControlSet\Services\AFD\Parameters\MinimumDynamicBacklog",20,"REG_DWORD"
oShell.RegWrite "HKLM\System\CurrentControlSet\Services\AFD\Parameters\MaximumDynamicBacklog",20000,"REG_DWORD"


wscript.echo ("Winsock Security Options Set")

set oShell = nothing

Vekseid

Ahh, I guess some of these were valid for some versions of Windows XP.

All of these require that you have exposed incoming ports. If you don't (i.e. you're a typical person with a router) then

oShell.RegWrite "HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect",0,"REG_DWORD"

This disables ICMP redirects. Apparently already defaulted to disabled in Windows XP.

oShell.RegWrite "HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect",2,"REG_DWORD"

This attempts to correct for a common form of DoS attack known as 'SYN flooding'. A value of 2 isn't even valid for Windows XP, and 1 was the default eventually.

oShell.RegWrite "HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxConnectResponseRetransmissions",2,"REG_DWORD"

Number of attempts to retry an unanswered SYN-ACK response, for preventing SYN flooding. 2 has been the default for some time.

oShell.RegWrite "HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\TCPMaxHalfOpen",500,"REG_DWORD"

How many half open connections to allow before SYN flood protection is turned on.

oShell.RegWrite "HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\TCPMaxHalfOpenRetired",400,"REG_DWORD"

How many retired """""

According to Microsoft:
Quote
The SynAttackProtect, TcpMaxHalfOpen, and TcpMaxHalfOpenRetried registry entries are no longer used with Windows Vista and Windows Server 2008. The TCP/IP protocol suite implementation in Windows Vista and Windows Server 2008 was redesigned to provide improved performance and does not require manual modification of these registry entries.


oShell.RegWrite "HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\TCPMaxPortsExhausted",5,"REG_DWORD"

If the system is somehow forced to refuse connection requests, how many before it turns on Syn attack protection. This should probably be included in the above as 'no longer applying at all'.

oShell.RegWrite "HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxDataRetransmissions",3,"REG_DWORD"

This just makes your computer more aggressively terminate connections that might be dead. 3 is okay. But again, assuming you're behind a router and you probably are, lowering this hurts you more than it helps you.

oShell.RegWrite "HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnableDeadGWDetect",0,"REG_DWORD"

This is only relevant if you have multiple gateways configured. Turning it off as you are trying to do here would mean that if one of your networks failed, it wouldn't automatically try to switch to another. I'm not sure why disabling this explicitly is supposed to be a 'good idea'.

oShell.RegWrite "HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery",0,"REG_DWORD"

Whether or not Windows should attempt to discover the maximum packet size along a given path. It's no longer possible to trick Windows into setting this below 576 so this is pointless.

oShell.RegWrite "HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime",300000,"REG_DWORD"

By default, TCP connections have a rather ridiculous time-to-live, roughly five days according to spec, or three hours by MS's default - this sets it to five minutes (300,000 milliseconds). I actually set this lower for E's server, but again, it's my server - it's directly accessible by the rest of the world and it has to be. For most people, who are behind a hardware router of some sort, this hurts more than it helps, as it may drop potentially good connections.

oShell.RegWrite "HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting",2,"REG_DWORD"

Disables tolerating packet source spoofing... apparently this is still actually relevant in Windows 7. WTF. No harm in adding this manually, but again, your router will generally intercept this, not your PC.

oShell.RegWrite "HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\NoNameReleaseOnDemand",1,"REG_DWORD"

Only relevant if you're using WINS and NetBIOS, and running a network as such where you'd fear to be subjected to such attacks. I don't think I've seen WINS in over a decade, even in Microsoft shops. Microsoft itself suggests against this.

oShell.RegWrite "HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\PerformRouterDiscovery",0,"REG_DWORD"

If you're really this paranoid, rather than ganking an important function of DHCP you should really just set your own static IP address.




oShell.RegWrite "HKLM\System\CurrentControlSet\Services\AFD\Parameters\EnableDynamicBacklog",1,"REG_DWORD"
oShell.RegWrite "HKLM\System\CurrentControlSet\Services\AFD\Parameters\DynamicBacklogGrowthDelta",10,"REG_DWORD"
oShell.RegWrite "HKLM\System\CurrentControlSet\Services\AFD\Parameters\MinimumDynamicBacklog",20,"REG_DWORD"
oShell.RegWrite "HKLM\System\CurrentControlSet\Services\AFD\Parameters\MaximumDynamicBacklog",20000,"REG_DWORD"

Dynamic SYN backlog settings for dealing with SYN flood attacks. Again, as of Vista, this gets managed automagically, these settings no longer do anything.
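
For anyone who wants to check what these two scripts actually left behind on a Vista/7 box, here is an added PowerShell audit script. It is not code from the thread, from the Resource Kit, or from either poster: it reads each value the scripts write, shows the current value next to the value the XP-era script would set, and tags each one with a summary of the verdicts given above (Obsolete = named in the Microsoft note as no longer used, or dynamic backlog handled automatically; DefaultAlready = the script's value is already the default; Tradeoff = a choice that mostly hurts a home user behind a router; StillRelevant = DisableIPSourceRouting). Those status labels and the -ApplySourceRouting switch are my own naming, not Microsoft's. It is read-only unless the switch is given, and needs an elevated prompt.

```powershell
# Added example: audit the TCP/IP and AFD registry values written by the two
# Resource Kit scripts quoted in this thread. Read-only unless -ApplySourceRouting.
[CmdletBinding()]
param(
    # Hypothetical switch (my naming): when set, write only DisableIPSourceRouting=2,
    # the single value the thread identifies as still meaningful on Windows 7.
    [switch]$ApplySourceRouting
)

$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$afd   = 'HKLM:\SYSTEM\CurrentControlSet\Services\AFD\Parameters'

# Name, key, value the XP-era script sets, and a status summarising the thread's verdict.
$settings = @(
    @{ Name='EnableICMPRedirect';                   Path=$tcpip; Intended=0;      Status='DefaultAlready' },
    @{ Name='SynAttackProtect';                     Path=$tcpip; Intended=2;      Status='Obsolete' },
    @{ Name='TcpMaxConnectResponseRetransmissions'; Path=$tcpip; Intended=2;      Status='DefaultAlready' },
    @{ Name='TcpMaxHalfOpen';                       Path=$tcpip; Intended=500;    Status='Obsolete' },
    @{ Name='TcpMaxHalfOpenRetried';                Path=$tcpip; Intended=400;    Status='Obsolete' },
    @{ Name='TcpMaxPortsExhausted';                 Path=$tcpip; Intended=5;      Status='Obsolete' },
    @{ Name='TcpMaxDataRetransmissions';            Path=$tcpip; Intended=3;      Status='Tradeoff' },
    @{ Name='EnableDeadGWDetect';                   Path=$tcpip; Intended=0;      Status='Tradeoff' },
    @{ Name='EnablePMTUDiscovery';                  Path=$tcpip; Intended=0;      Status='Pointless' },
    @{ Name='KeepAliveTime';                        Path=$tcpip; Intended=300000; Status='Tradeoff' },
    @{ Name='DisableIPSourceRouting';               Path=$tcpip; Intended=2;      Status='StillRelevant' },
    @{ Name='NoNameReleaseOnDemand';                Path=$tcpip; Intended=1;      Status='NetBIOS-only' },
    @{ Name='PerformRouterDiscovery';               Path=$tcpip; Intended=0;      Status='Tradeoff' },
    @{ Name='EnableDynamicBacklog';                 Path=$afd;   Intended=1;      Status='Obsolete' },
    @{ Name='DynamicBacklogGrowthDelta';            Path=$afd;   Intended=10;     Status='Obsolete' },
    @{ Name='MinimumDynamicBacklog';                Path=$afd;   Intended=20;     Status='Obsolete' },
    @{ Name='MaximumDynamicBacklog';                Path=$afd;   Intended=20000;  Status='Obsolete' }
)

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Return $null when the value is absent, so the report can tell
    # "not set, stack default applies" apart from an explicit 0.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

$report = foreach ($s in $settings) {
    $current = Get-RegDword -Path $s.Path -Name $s.Name
    [pscustomobject]@{
        Name     = $s.Name
        Current  = if ($null -eq $current) { '(not set)' } else { $current }
        Intended = $s.Intended
        Matches  = ($current -eq $s.Intended)
        Status   = $s.Status
    }
}

$report | Format-Table -AutoSize

if ($ApplySourceRouting) {
    # 2 = drop all incoming source-routed packets (1 only stops forwarding them).
    Set-ItemProperty -Path $tcpip -Name 'DisableIPSourceRouting' -Value 2 -Type DWord
    Write-Host 'DisableIPSourceRouting set to 2; the TCP/IP stack reads it at the next reboot.'
}
```

On a stock Windows 7 install most rows should show "(not set)", which is the point of the thread: the stack's own defaults apply and the XP-era values would either be ignored or make things slightly worse. If the old scripts were ever run on the machine, the audit shows exactly which values are still sitting in the registry so they can be removed with Remove-ItemProperty if wanted.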

Kirce

I'm sorry for the delayed reply but real life is keeping me too busy. Anyway, Vekseid I'm afraid that I'm barely understanding anything, it looks like it's too outdated in general? I'm using Windows 7 so as far as I understand by all that you explained... it's either fixed, outdated or irrelevant because it's done automagically in Windows 7, right? Well except for the one where you say... um... this one!

Quote
oShell.RegWrite "HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting",2,"REG_DWORD"

Disables tolerating packet source spoofing... apparently this is still actually relevant in Windows 7. WTF. No harm in adding this manually, but again, your router will generally intercept this, not your PC.

And that's it? Although again, I have no idea on what it really means, I'm sorry!

Psi

Quote from: Kirce on July 12, 2012, 09:25:09 AM
I'm sorry for the delayed reply but real life is keeping me too busy. Anyway, Vekseid I'm afraid that I'm barely understanding anything, it looks like it's too outdated in general? I'm using Windows 7 so as far as I understand by all that you explained... it's either fixed, outdated or irrelevant because it's done automagically in Windows 7, right? Well except for the one where you say... um... this one!

And that's it? Although again, I have no idea on what it really means, I'm sorry!

Do you connect with an ADSL or cable modem? Or do you connect via a dial-up modem? If you connect via a modem, then this is still relevant. If you connect via the first two, then it doesn't matter :)

Kirce

Usually through my phone or laptop if I'm at home, but yeah, I think that it's ADSL in most, if not all, cases. But thanks! I guess that I can forget about those files now; I might just keep them around for the memories anyway, you never know! ;)