WINDOWS 2000 PROFESSIONAL

PROTECT AGAINST DoS ATTACKS

Denial of service (DoS) attacks are one of the most common methods hackers use to disable a system or, at the very least, to severely impact its performance. Computers that sit behind a firewall are generally safe from most DoS attacks, but computers connected directly to the Internet are much more susceptible to these attacks.

There are a handful of registry settings you can apply to a Windows 2000 computer in order to harden it against DoS attacks. These include:

* SynAttackProtect: This setting protects against a SYN flood attack. Set to a value of 0, 1, or 2 for increasing levels of protection. The higher the value, the more delay Windows adds to connection attempts, causing TCP connection timeouts.

* EnableDeadGWDetect: Set to 0 to prevent the computer from switching to a different gateway, which could otherwise occur if a DoS attack is in progress. A value of 1 allows the gateway switch.

* EnablePMTUDiscovery: Set to 0 to prevent a hacker from forcing an MTU change to a small value and bogging down the TCP/IP protocol stack. Windows uses an MTU value of 576 bytes for all nonlocal connections with this setting at 0. Set to 1 to allow MTU discovery.

* KeepAliveTime: Set this value (in milliseconds) to a relatively low number to decrease the length of time Windows sends a keep-alive packet to a remote computer to determine if the connection is still valid. Microsoft recommends a value of 300,000 (five minutes).

All of these DWORD values reside in this registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

Also, set the following registry key to a value of 1 to prevent the computer from releasing its NetBIOS name when it receives a name-release request:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt\Parameters\ NoNameReleaseOnDemand

NOTE: Editing the registry can be risky, so be sure you have a verified backup before making any changes.