NT Compatible
Completely documented Tcp/IP, AFD, NetBT, DNS, and more for security + speed
Alec§taar
Account Disabled


Posts: 207
From: A discrete point in the Space-Time Continuum...
Joined: 2001-04-17
Member No.: 5614
2005-01-27 15:16:59

Starting with the Tcp/IP one I said I would have done for you all a week or 2 ago, because it IS the longest of them all, I will post each as I go thru this thread for your reference for tuning/tweaking your systems for BOTH added security and speed in various registry sections.

All entries are FULLY documented per specs for ONLINE control & tuning @ Microsoft for each area I tweaked:

Tcp/IP
AFD
NetBT
DNSCache
LanManServer
LanManWorkstation
LSA
RpcSs
MUP
DCom
Ole
NetTrans
MrXSmb
RDR
MTU/MaxMTU - MaxMSS/MSS - RWIN

* Each setting in each section of the .reg files tuned is listed on these pages @ Microsoft for each area of the registry covered, used here, & documented in the .reg file templates I am putting out here in this thread:

=================================================================
USEFUL GENERIC URLS LIST FROM MICROSOFT FOR SECURITY PURPOSES USED IN THIS PREBUILT .REG FILE DOCUMENT SET (this varies by document .reg file for section of registry tuned, but this was the BULK of the ones I used):

Microsoft Windows Server 2003 TCP/IP Implementation Details MAIN PAGE:


http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx

Microsoft Windows Server 2003 TCP/IP Implementation Details Parameters:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA

SECURITY CONSIDERATIONS FOR NETWORK ATTACKS:

http://www.microsoft.com/technet/archive/security/prodtech/windows/iis/dosrv.mspx

TCP Transport Entries (all esoteric/unusual settings found here):

http://support.microsoft.com/kb/q102973/

TCP/IP Exploits and Countermeasures for Windows 2000 Server:

http://www.microsoft.com/technet/security/guidance/secmod150.mspx

Network Hardening and Security - Packet filtering Udp/Tcp - PortsAllowed + EnableSecurityFilters:

http://www.microsoft.com/technet/security/guidance/legsgch3.mspx

Prevent Session Hijacking

http://www.microsoft.com/technet/technetmag/issues/2005/01/sessionhijacking/default.aspx

ADDITIONAL REGISTRY SETTINGS - FOR AFD SETTINGS (ESPECIALLY):

http://www.microsoft.com/technet/security/guidance/secmod57.mspx

FOR TUNING PARAMETERS FOR SPEED FOR CABLEMODEM/DSL vs. 57.6k/33.6k/28.8k/14.4k DIALUP MODEMS:

http://www.speedguide.net

APK Security & Online Speed Tuning Guide:

http://www.avatar.demon.nl/APK.html

APK Local System Performance Tuning Guide:

http://www.avatar.demon.nl/APKTuneup.html

Winsock 2 parameters explanations:

http://www.sockets.com/winsock.htm

Documentation for WinSock2 by Microsoft (i.e.-> API for Microsoft reimplementation of the FreeBSD IP Stack):

ftp://ftp.microsoft.com/bussys/winsock/winsock2/

=================================================================



(Took me A LOT longer than I thought it would, but here they are... I told you it would take me a few days, but turned out to be a week or so when I could find time for it!)

APK

P.S.=> ANY that are tweaked (vs. those I left @ their defaults) are noted in each .reg file template!

(As each section uses a std. method of documentation for each entry listed in each .reg file pretty much)...

So, that all said? Well, here we go below next, enjoy & hope you find them useful! apk

Post #156110
Alec§taar
Account Disabled


Posts: 207
From: A discrete point in the Space-Time Continuum...
Joined: 2001-04-17
Member No.: 5614
2005-01-27 15:23:15

TCP/IP PARAMETERS TUNED and DOCUMENTED, Part #1 of 3 total:

(Again, copy between the FIRST & LAST ASTERISKED ( " * " ) LINES AND PASTE INTO NOTEPAD.EXE, AND USE FILE MENU, SAVE AS SUBMENU, TYPE ALL FILES & name like APKAFD.reg (vs. .txt) TO CREATE THIS AFD TEMPLATE & THEN DOUBLECLICK THE FILENAME IN EXPLORER.EXE TO MERGE IT INTO YOUR REGISTRY & REBOOT FOR IT TO BE EFFECTIVE! )

NOTE -> This Tcp/IP one? Takes up 3 posts or so, so pay attention to when I switch to AFD, NetBT, etc., so here goes ->

*****************************************************************

Windows Registry Editor Version 5.00

;Header and key path regedit needs to merge this template; the values below live under the Tcpip\Parameters key named in the comments.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]

;BRAND NEW SETTINGS FOR WINDOWS SERVER 2003...apk
;============================================================================================================
"UdpNumConnections"=dword:00000040
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;
;Specifies the maximum number of UDP endpoints.
;
;DEFAULT 64
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: 00000040 hex value (64 decimal) above - default
;
;============================================================================================================
"BroadcastType"=dword:00000000
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;
;Determines whether broadcast packets contain all 0's or all 1's as the broadcast address. The most common
;broadcast type is all 1's. The all-0's setting is provided for compatibility with BSD 4.2 systems.
;
;DEFAULT 0
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: default
;
;============================================================================================================
"RouterMTU"=dword:00000000
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;
;Specifies the maximum transmission unit size that should be used when the destination IP address is on a
;different subnet. Each interface used by TCP/IP may have a different RouterMTU value specified.
;In many implementations, the value of RouterMTU is set to 576 octets. This is the minimum size that must
;be supported by any IP node. Because modern routers can usually handle MTUs larger than 576 octets, the
;default value for this parameter is the same value as that used by MTU.
;
;DEFAULT 0
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: default
;
;============================================================================================================
"Trailers"=dword:00000000
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;
;Specifies whether the trailer format is used. This feature provides compatibility with BSD 4.2 systems.
;When this feature is enabled, TCP/IP header information follows the data area of IP packets.
;
;DEFAULT 0
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: default
;
;============================================================================================================
;************************************************************************************************************
;START NORMAL ENTRIES SECTION PER MICROSOFT WINDOWS SERVER 2003 STANDARD TCP/IP PARAMETERS ENTRIES...apk
;************************************************************************************************************
;============================================================================================================
"DeadGWDetectDefault"=dword:00000001
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/techref/en-us/Default.asp?url=/resources/documentation/windowsserv/2003/all/techref/en-us/w2k3tr_r_ms_tcpipparameters.asp
;
;Specifies whether the computer detects nonfunctional gateways.
;
;DEFAULT 1 (on/true) on Windows 2003 Server
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING:
;
;============================================================================================================
"DontAddDefaultGatewayDefault"=dword:00000000
;-----------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;
;Specifies whether the computer uses the default gateway.
;
;DEFAULT 0 (off/false) on Windows 2003 Server
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING:
;
;============================================================================================================
"EnableDeadGWDetect"=dword:00000000
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;
;When this parameter is set to 1, TCP is allowed to perform dead-gateway detection. With this feature enabled
;TCP may ask IP to change to a backup gateway if a number of connections are experiencing difficulty.
;Backup gateways may be defined in the advanced properties of the TCP/IP protocol. See the
;“Dead Gateway Detection” section in this paper for details.
;
;DEFAULT = 0 (off/false boolean switch)
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING:
;
;============================================================================================================
"EnableICMPRedirect"=dword:00000000
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/deployguide/en-us/242667.asp
;http://www.microsoft.com/technet/security/guidance/secmod57.mspx
;http://www.microsoft.com/technet/security/guidance/secmod150.mspx
;
;This parameter controls whether Windows Server 2003 alters its routing table in response to Internet
;Control Message Protocol (ICMP) messages that instruct it to direct datagrams for the recipient along a
;different route
;
;ICMP provides a means by which a host sending IP datagrams can be informed about delivery
;issues. ICMP does not guarantee delivery of IP datagrams (that kind of error correction is left to
;higher level protocols, like TCP), but rather, it allows network devices, like a router, to tell a
;sending computer about delivery errors, to suggest shorter routes to a destination, and to assist
;in probing the network. For more information about ICMP, see RFC 792 Internet Control Message
;Protocol, and RFC 1122 Requirements for Internet Hosts—Communication Layers.
;
;Windows Server 2003 accepts redirection messages from any host in the route between this
;computer and the destination computer, and not just first-hop routers. Accepting redirection from
;only first-hop routers causes problems in some scenarios involving Routing & Remote Access Server (RAS)
;
;DEFAULT = 0 (off/false) on Windows 2003 Server
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Turn off for security against routed packets... apk
;
;============================================================================================================
"EnablePMTUDiscovery"=dword:00000000
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/windows/2000/server/reskit/en-us/regentry/58752.asp
;
;MTU Tuning reference(s) see below comments section for description:
;
;http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/windows/2000/server/reskit/en-us/regentry/58792.asp
;
;EnablePMTUDiscovery Determines whether TCP uses a fixed, default maximum transmission unit (MTU) or
;attempts to detect the actual MTU.
;
;By discovering the Path MTU and limiting TCP segments to this size, TCP can eliminate fragmentation
;at routers connecting networks with different MTUs. Fragmentation reduces TCP throughput and
;increases network congestion.
;
;By default, this entry applies to all interfaces. However, the MTU can be reduced for any particular
;interface by changing the default value of the MTU entry in the subkey for that interface.
;
;When this parameter is set to 1 (true) TCP attempts to discover the Maximum Transmission Unit (MTU), or
;largest packet size, over the path to a remote host. By discovering the Path MTU (PMTU) and limiting TCP
;segments to this size, TCP can eliminate fragmentation at routers along the path that connect networks
;with different MTUs. Fragmentation adversely affects TCP throughput and network congestion. Setting this
;parameter to 0 (not recommended) causes an MTU of 576 bytes to be used for all connections that are not
;to destinations on a locally attached subnet.
;
;EXPLANATIONS & EXAMPLES
;
;AUTOMATED CHANGE METHODS VIA GUI IN OPERATING SYSTEM TIPS
;
;DEFAULT = 1 (on/true) Windows 2000 does not add this entry to the registry. You can add it by editing the registry or by
;using a program that edits the registry.
;No visible value present in registry @ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
;
;0 = TCP uses an MTU of 576 bytes for all connections to computers outside the local subnet.
;1 = TCP attempts to discover the MTU of the path to a remote host.
;
;MTU explained:
;
;Reduces the size of the maximum transmission unit (MTU) that TCP/IP uses for the network interface
;The value of this entry takes precedence over the MTU that the network adapter detects dynamically.
;The MTU is the size of the largest packet that can be transmitted over the underlying network,
;including the size of the transport header. The MTU is configured separately for each interface.
;To prevent fragmentation, the MTU should be large enough to hold any IP datagram in a single frame.
;IP datagrams larger than the MTU are divided into fragments whose size is a multiple of eight octets.
;The fragments travel separately to the destination computer, where they are reassembled before the
;datagram is processed.
;
;MTU detection is determined for all interfaces by the value of the EnablePMTUDiscovery entry. By
;default, the network adapter for each interface detects the largest MTU that the interface can transmit,
;and it uses that MTU for its transmissions. However, if MTU detection is disabled (that is, the value of
;EnablePMTUDiscovery is 0), the system uses a fixed MTU of 576 bytes. If you change the default
;value of the MTU entry, you override either setting as it pertains to the interface represented by this
;subkey.
;
;0x44 (68 bytes) - dynamically determined MTU. Specifies the MTU used for the network interface.
;This value overrides the MTU that the network adapter dynamically determines.
;
;0xFFFFFFFF (or any value greater than the dynamically-determined MTU) - Use the dynamically-determined MTU.
;
;If you enter a value greater than the dynamically-determined MTU, the system uses the value of the
;dynamically-determined MTU instead. You can use this entry to reduce, but not to increase, the size
;of the MTU.
;
;In general, replacing a dynamically-determined value with a fixed value degrades the performance of
;the operating system. Do not change the value of this entry unless the detected MTU is not
;compatible with the network media.
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Left it dynamic & might remove interface MaxMTU,
; MTU, & RWIN calculated for 56k dialup modems even
;AGAIN PER MICROSOFT RECOMMENDATIONS: Setting this parameter to 0 (not recommended) causes an MTU of 576
;bytes to be used for all connections that are not to destinations on a locally attached subnet.
;
;E.G.-> They look like this in the registry FOR ADDING ACTUAL MaxMTU, MTU, MSS, & RWIN #'s manually:
;
;[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\
;{09EC4F91-EABC-419C-BEF4-433971144FE5}]
;
;Under each of them, add in the MTU as a DWORD value with your best non-fragmented packet size after doing
;the ping test I showed above!
;
; (And in the above tip I wrote on the Parameters section? Make that equal to your EXACT
;TcpRecvSegmentSize & TcpSendSegmentSize so you take in the BIGGEST chunks per packet you
;can at once & do not fragment!)
;
;Then, get your RWIN:
;
;On cablemodems, the generic network MTU/MaxMTU is usually 1472 (largest non fragmented value) a.k.a
;1500. -40 would be 1460 MSS.
;
;56K modems use 576 MTU and 536MSS.
;
;The generic PPPoE (dsl) mtu is 1492. -48 (40bytes for the default TCP OPTIONS + 8 bytes for the PPPoE
;header involved) 1444 MSS.
;
;The -40 amount is TCP HEADER size. Which can be affected by certain RFC options like Timestampings from
;Tcp1323Opts setting in this file.
;
;The RWIN amount needs to be an even multiple of MSS x an even number; the formula I use is:
;
;Download Rate in Kb (kilobits) x 1024 = n
;n * .5 (.5 is the latency of the line or 500ms) = n
;n / 8 = n
;
;1472 is my MTU/MaxMTU derived from ping -l 1472 -f to my ISP gateway & website also...
;largest I could be before fragmenting packets!
;
;1472 - 48 = 1424 + 12 packets gained by using Tcp1323Opts TimeStamps removed on packet headers = 1436
;
;Now you've got a number you can utilize for the next step!
;
;Use this calculation, using the average TTL in ms you had in your pings (mine was 29.55 so 30 by
;rounding), follow the algebraic order of operations in this equation:
;
; (((30 x 1.5) x 1436)/8) = my RWIN FINAL VALUE FOR ALL INTERFACES & ADAPTERS UNDER TCP parameters
;area = 8078
;
;This RWIN value is added right alongside MTU in your registry interface keys, add it as a DECIMAL
;VALUE, NOT HEXADECIMAL TYPE!
;
;My MaxMTU = 1492 (per ping -l -f test), MTU = 576 per dialup connection, MSS = 536 (576-40), & RWIN = 8190
;
;************************************************************************************************************
;EXTRA-SETTINGS LIKE MSS, MTU, MAXMTU, & RWIN... apk
;From ->
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
; (for tuning, refer to APK Speedguide in URL @ top of this page &/or www.speedguide.net ... apk
;************************************************************************************************************
;============================================================================================================
;MTU
;
;Key: Tcpip\Parameters\Interfaces\interfaceGUID
;
;Value Type: REG_DWORD—number
;
;ValidRange: 88–the MTU of the underlying network
;
;Default: 0xFFFFFFFF
;Description: This parameter overrides the default Maximum Transmission Unit (MTU) for a network interface.
;The MTU is the maximum IP packet size, in bytes, that can be transmitted over the underlying network.
;For values larger than the default for the underlying network, the network default MTU is used.
;For values smaller than 88, the MTU of 88 is used.
;Note: Windows Server 2003 TCP/IP uses PMTU detection by default and queries the NIC driver to find out
;what local MTU is supported. Altering the MTU parameter is generally not necessary and may result in
;reduced performance. See the "Path Maximum Transmission Unit (PMTU) Discovery" section of this paper
;for more details.
;============================================================================================================
;************************************************************************************************************
;============================================================================================================
"TcpWindowSize"=dword:0000FFFF
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;
;Determines the largest TCP receive window that the system offers. The receive window is the number
;of bytes a sender can transmit without receiving an acknowledgment.
;In general, larger receive windows improve performance over high-delay, high-bandwidth networks.
;For greatest efficiency, the receive window should be an even multiple of the TCP Maximum Segment Size (MSS)
;This parameter is both a per-interface parameter and a global parameter, depending upon where the registry
;key is located.
;
;If there is a value for a specific interface, that value overrides the system-wide value.
;See also GlobalMaxTcpWindowSize.
;
;This entry overrides TCP's negotiated maximum receive window size and replaces it with the value of this entry.
;
;TCP uses a receive window that is four times the size of the maximum TCP segment size (MSS)
;negotiated during connection setup, up to a maximum size of 64 KB. TCP for Windows 2000 also
;supports windows scaling, as detailed in RFC 1323, TCP Extensions for High Performance. Scaling
;enables TCP to provide a receive window of up to 1 GB.
;
;0–0x3FFFFFFF (1073741823 decimal). In practice the TCP/IP stack will round the number set to
;the nearest multiple of maximum segment size (MSS). Values greater than 64 KB can be achieved
;only when connecting to other systems that support RFC 1323 Window Scaling, which is discussed
;in the “Transmission Control Protocol (TCP)” section of this document.
;
;Default: The smaller of the following values:
; 0xFFFF
; GlobalMaxTcpWindowSize (another registry parameter)
; The larger of four times the MSS
; 16384 rounded up to an even multiple of the MSS
;
;The stack also tunes itself based on the media speed:
; Below 1 Mbps: 8 KB
; 1 Mbps – 100 Mbps: 17 KB
; Greater than 100 Mbps: 64 KB
;
;The default can start at 17520 for Ethernet, but may shrink slightly when the connection is established
;to another computer that supports extended TCP header options, such as Selective Acknowledgements (SACK)
;and TCP Timestamps, because these options increase the size of the TCP header beyond the usual 20 bytes,
;leaving slightly less room for data.
;
;For Ethernet networks, the default value of this entry is 0x4470 (17,520, or 12 segments of 1,460 bytes
;each). For other networks, the default value is 0xFFFF (65,535) unless 0xFFFF is larger than:
;
; Four times the maximum TCP data size on the network; and
; 0x2000 (8,192) rounded up to an even multiple of the network TCP data size.
;
;This entry determines the maximum receive window size for this interface. When configuring this
;interface, this entry takes precedence over the GlobalMaxTcpWindowSize entry, which establishes
;a maximum window size for all interfaces.
;
;Windows 2000 automatically uses windows scaling if the value of this entry is greater than 64 KB.
;To disable windows scaling, set the value of the Tcp1323Opts entry to 0 or 2.
;
;DEFAULT = no value present in registry @ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
;but 0xFFFF is for dialup default & Ethernet = 0x4470 even if not visible
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Went with 56k default since I use dialup... apk
;
;============================================================================================================
"GlobalMaxTcpWindowSize"=dword:0000FFFF
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/windows/2000/server/reskit/en-us/regentry/58760.asp
;
;DESCRIPTION
;
;Determines the largest TCP receive window that the system offers. The receive window is the number
;of bytes a sender can transmit without receiving an acknowledgment. This entry takes precedence over
;TCP's negotiated maximum receive window size.
;
;TCP uses a receive window that is four times the size of the maximum TCP segment size (MSS)
;negotiated during connection setup, up to a maximum size of 64 KB. TCP for Windows 2000 also
;supports windows scaling, as detailed in RFC 1323, TCP Extensions for High Performance. Scaling
;enables TCP to provide a receive window of up to 1 GB.
;
;For Ethernet networks, the default value of this entry is 0x4470 (17,520, or 12 segments of 1,460 bytes
;each). For other networks, the default value is 0xFFFF (65,535), unless 0xFFFF is larger than each of
;the following:
;
; Four times the maximum TCP data size on the network.
; 0x2000 (8,192), rounded up to an even multiple of the network TCP data size.
;
;This entry determines the default maximum receive window size for all interfaces. When configuring
;any particular interface, the value of the TcpWindowSize entry for that interface takes precedence
;over the value of this entry.
;
;Range = 0x0–0x3FFFFFFF (1073741823 decimal; however, values greater than 64 KB can only be achieved
; when connecting to other systems that support RFC 1323 window scaling, which
; is discussed in the TCP section of this document.)
;
;DEFAULT = NONE really see description above in conjunction w/ TcpWindowSize & Tcp1323Opts
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Went with 56k default since I use dialup... apk
;
;============================================================================================================
"TcpSendDownMax"=dword:00004000
;------------------------------------------------------------------------------------------------------------
;
;http://support.microsoft.com/kb/q102973/
;
;Specifies the maximum number of bytes queued by TCP/IP.
;
;DEFAULT = 16384
;Windows 2000 does not add this entry to the registry. You can add it by editing the registry
;Is used, but no visible value present @ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Left default for dialup connection...
;00008000 hex is double that, 32768 decimal... apk
;
;============================================================================================================
"TcpSendSegmentSize"=dword:000005d4
;------------------------------------------------------------------------------------------------------------
;
;http://support.microsoft.com/kb/q102973/
;
;Specifies the maximum send segment size.
;
;DEFAULT = 1460
;Windows 2000 does not add this entry to the registry. You can add it by editing the registry
;Is used, but no visible value present @ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: 1492 per my ping -l -f tests to ISP gateway on dialup
;
;============================================================================================================
"TcpRecvSegmentSize"=dword:000005d4
;------------------------------------------------------------------------------------------------------------
;
;http://support.microsoft.com/kb/q102973/
;
;Specifies the maximum receive segment size.
;
;DEFAULT = 1460
;Windows 2000 does not add this entry to the registry. You can add it by editing the registry
;Is used, but no visible value present @ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: 1492 per my ping -l -f tests to ISP gateway on dialup
;
;============================================================================================================
"EnablePMTUBHDetect"=dword:00000000
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/regentry/58751.asp
;
;Setting this parameter to 1 (true) causes TCP to try to detect PMTU black hole routers while doing Path MTU
;Discovery. A PMTU black hole router does not return ICMP Destination Unreachable messages when it needs to
;fragment an IP datagram with the Don’t Fragment bit set. TCP depends on receiving these messages to perform
;Path MTU Discovery. With this feature enabled, TCP tries to send segments without the Don’t Fragment bit set
;if several retransmissions of a segment go unacknowledged. If the segment is acknowledged as a result, the
;MSS is decreased and the Don’t Fragment bit is set in future packets on the connection. Enabling PMTU black
;hole detection increases the maximum number of retransmissions that are performed for a given segment.
;
;Enabling black hole detection increases the maximum number of times TCP retransmits a given segment.
;
;Windows 2000 does not add this entry to the registry. You can add it by editing the registry
;Is used, but no visible value present
;@ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
;
;DEFAULT = 0 (off/false boolean switch)
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: 1 slows you down if some go unanswered... apk
;
;============================================================================================================
"EnableSecurityFilters"=dword:00000000
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;
;Determines whether TCP/IP filters datagrams and TCP sync characters (SYNs).
;
;If the value of this entry is 1, TCP/IP filters all incoming User Datagram Protocol (UDP)
;datagrams, raw IP datagrams, and TCP SYNs. You can customize the filtering for each interface
;by using the UdpAllowedPorts, TcpAllowedPorts, and RawIpAllowedProtocols entries.
;
;UdpAllowedPorts, TcpAllowedPorts, & RawIPAllowedProtocols only appear IF this is turned on via GUI &
;default 0 (off)
;
;To change the value of this entry, use Network and Dial-up Connections. Right-click Local Area
;Connection, click Properties, click Internet Protocol (TCP/IP), and then click the Properties
;button. On the Internet Protocol (TCP/IP) Properties page, click the Advanced button, click
;the Options tab, click TCP/IP filtering, and then click Properties. This entry is associated with
;the Enable TCP/IP Filtering (All adapters) check box.
;
;BUT IS VISIBLE BY DEFAULT @ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
;but its working parameters of TcpAllowedPorts and UdpAllowedPorts are what make it actually work specific
;to ports you allow in on for:
;UDPAllowedPorts (IP port 17, default 0/off/false all Udp Datagrams accepted)
;or
;TCPAllowedPorts (IP port 6, default 0/off/false accepts ALL Syn for Ack by local system (ack)
;acknowledge receipt).
;
; (See each below next because I put them next to this, to understand better what is meant!... apk)
;
;DEFAULT = 0 (off/false) on Windows 2003 Server
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Great for packet filtering @ IPStack level, & works
; w/ hardware NAT "firewalling" routers & also software
; based firewalls as well as a 3 layer defense system.
;
;============================================================================================================
;UdpAllowedPorts (multi_sz/multi-string value table edited by regedit.exe or regedt32.exe)
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/windows/2000/server/reskit/en-us/regentry/58849.asp
;
;Specifies the UDP ports on which incoming IP datagrams are accepted on this interface when
;security filtering is enabled. Security filtering is enabled when the value of the
;EnableSecurityFilters entry is 1 (see above)
;
;Blank, but present = no multi-string (multi_sz) data present
;0 (DEFAULT false/off (or not in the registry)) = ALL UDP datagrams accepted
;Specific UDP port numbers (a multi-string table edited with regedit.exe/regedt32.exe) = only those ports allowed
;
;To change the value of this entry, use Network and Dial-up Connections. Right-click Local Area
;Connection, click Properties, click Internet Protocol (TCP/IP), and then click the Properties
;button. On the Internet Protocol (TCP/IP) Properties page, click the Advanced button, click
;the Options tab, click TCP/IP filtering, click Properties and then, just above the UDP Ports
;box, click Permit Only. This entry is associated with the values added to the UDP Ports list on
;this page.
;
;IP PROTOCOL VALUE = 17
;
;There is no defined or predictable response when the value of this entry includes a zero
;together with IP protocol numbers. Do not combine these values in this entry.
;
;NOT PRESENT FOR DIALUP NETWORK CONNECTIONS EITHER UNLESS "HACKED IN" via regedit OR regedt32 Multi_SZ capable editor... apk
;
;MAY AFFECT SOME GAMES IF THIS IS TURNED OFF AS MANY GAMES UTILIZE IT FOR ONLINE PLAY SINCE IT DOES NOT VALIDATE PACKETS
;FOR SPEED WHEREAS TCP/IP DOES AND IS NOT NECESSARY FOR GAMES AND IS A "SLOWER" BUT MORE SECURE/RELIABLE PROTOCOL... apk
;
;DEFAULT = 0 (off/false) & not typically present unless EnableSecurityFilters present 1st on Windows 2003 Server
;& not typically visible by default @ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
;& EnableSecurityFilters which turns this on is typically 0, off by default as well
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING:
;ADD PORTS AS NEEDED HERE TO BLOCKOUT/FILTER TO SUPPLEMENT NAT "firewalling" routers (before IP stack)
;and SOFTWARE FIREWALL PROGRAMS (after IP stack) & this sits right @ the IP Stack level... apk
;============================================================================================================
;TcpAllowedPorts (multi_sz/multi-string value table edited by regedit.exe or regedt32.exe)
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/windows/2000/server/reskit/en-us/regentry/58849.asp
;
;Specifies the TCP ports on which incoming connection requests (SYNs) are accepted on this interface when
;security filtering is enabled. Security filtering is enabled when the value of the
;EnableSecurityFilters entry is 1 (see above)
;
;Blank, but present = no multi-string (multi_sz) data present; no SYNs are accepted
;0 (DEFAULT false/off (or not in the registry)) = all SYNs are accepted
;Specific TCP port numbers (a multi-string table edited with regedit.exe/regedt32.exe) = only SYNs
; arriving on the ports in that table are accepted
;
;To change the value of this entry, use Network and Dial-up Connections. Right-click Local Area
;Connection, click Properties, click Internet Protocol (TCP/IP), and then click the Properties
;button. On the Internet Protocol (TCP/IP) Properties page, click the Advanced button, click
;the Options tab, click TCP/IP filtering, click Properties and then, just above the TCP Ports
;box, click Permit Only. This entry is associated with the values added to the TCP Ports list on
;this page.
;
;IP PROTOCOL VALUE = 6
;
;There is no defined or predictable response when the value of this entry includes a zero
;together with IP protocol numbers. Do not combine these values in this entry.
;
;NOT PRESENT FOR DIALUP NETWORK CONNECTIONS EITHER UNLESS "HACKED IN" via regedit OR regedt32 Multi_SZ capable editor... apk
;
;DEFAULT = 0 (off/false) & not typically present unless EnableSecurityFilters present 1st on Windows 2003 Server
;not typically visible by default @ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
;& EnableSecurityFilters which turns this on is typically 0, off by default as well
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING:
;ADD PORTS AS NEEDED HERE TO BLOCKOUT/FILTER TO SUPPLEMENT NAT "firewalling" routers (before IP stack)
;and SOFTWARE FIREWALL PROGRAMS (after IP stack) & this sits right @ the IP Stack level... apk
;
;============================================================================================================
"IPEnableRouter"=dword:00000000
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/windows/2000/server/reskit/en-us/regentry/33571.asp
;
;When the value of this entry is 1, the system routes IP packets to all networks to which it is connected.... apk
;
;THIS ENABLES IP FORWARDING... apk
;
;DEFAULT = 0 (off/false) on Windows Server 2003
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Always off, no need for forwarding packets! Routed
; ones especially here since standalone, non-LAN setup
; here @ home with single system only on dialup... apk
;
;============================================================================================================
"UseDomainNameDevolution"=dword:00000001
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/windowsserv/2003/all/deployguide/en-us/264151.asp
;
;Stores configuration data for the policy setting Primary DNS Suffix Devolution
;
;Determines whether the DNS client performs name devolution.
;
;By default, when a query fails for a name to which a primary DNS suffix has been attached,
;the DNS client drops the left-most label of the primary DNS suffix on each successive attempt,
;making the query more general. This is known as name devolution.
;
;For example, if the primary DNS suffix ooo.aaa.reskit.com is attached to the name reskituser
;and if the query for reskituser.ooo.aaa.reskit.com fails, the DNS client devolves
; (drops the left-most label) the primary DNS suffix and submits a query for reskituser.aaa.reskit.com.
;The DNS client devolves the primary DNS suffix on each attempt until the name is successfully
;resolved or the name to be submitted has fewer than two labels.
;
;To change the value of this entry, use the Group Policy Object Editor (Gpedit.msc). The corresponding
;policy is located in Administrative Templates\Network\DNS Client.
;
; (Same as Tcp/IP Properties, Advanced, DNS Tab, Clearing of Append parent suffixes of the primary DNS suffix)
;
;DEFAULT = 1 (on/true) on Windows Server 2003
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Left default... apk
;
;============================================================================================================
"KeepAliveTime"=dword:00023280
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/windows/2000/server/reskit/en-us/regentry/58768.asp
;
;The parameter controls how often TCP attempts to verify that an idle connection is still intact by sending
;a keep-alive packet. If the remote system is still reachable and functioning, it acknowledges the keep-alive
;transmission. Keep-alive packets are not sent by default. This feature may be enabled on a connection by
;an application.
;
;This entry is used when the remote system is responding to TCP. Otherwise, the interval between
;transmissions is determined by the value of the KeepAliveInterval entry.
;
;By default, keep-alive transmissions are not sent. The TCP keep-alive feature must be enabled by a program
;such as Telnet, or by an Internet browser, such as Internet Explorer.
;
;DEFAULT = 7,200,000 milliseconds (two hours)
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: 300,000 hours per Microsoft URL above...apk
;
;============================================================================================================
"PerformRouterDiscovery"=dword:00000002
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/windows/2000/server/reskit/en-us/regentry/33574.asp
;
;This parameter controls whether Windows Server 2003 attempts to perform router discovery per RFC 1256 on
;a per-interface basis. See also SolicitationAddressBcast.
;
;Router discovery solicits router information from the network. The system adds the information retrieved to
;the route table.
;The router discovery method is specified in RFC 1256, ICMP Router Discovery Messages.
;
;Acceptable Ranges -> 0, 1, 2
;
;0 (disabled)
;1 (enabled)
;2 (enable only if DHCP sends the router discover option)
;
;DEFAULT = 2, DHCP-controlled but off by default. (for Windows 2000 it is 1 default & does not visibly add
;it, but it is in use... apk)
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: 2 because only uses it IF DHCP sends this option
;
;============================================================================================================
"TcpMaxDataRetransmissions"=dword:00000003
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/regentry/58805.asp
;
;Determines how many times TCP retransmits an unacknowledged data segment on an existing
;connection. TCP retransmits data segments until they are acknowledged or until this value expires.
;
;TCP/IP adjusts the frequency of retransmissions over time. TCP establishes an initial retransmission
;interval by measuring the round trip time on the connection. The interval doubles with each successive
;retransmission on a connection, and it is reset to the initial value when responses resume.
;
;This entry is also used in the Windows algorithm for defining non-operational (dead) gateways.
;A given connection defines a gateway as dead (and switches to the next gateway in the list stored
;in the value of the DefaultGateway or DhcpDefaultGateway entries) when a packet sent to the
;gateway must be retransmitted more than half of the number of times specified in the value of this
;entry. The system defines a gateway as dead when more than 25 percent of its connections have
;switched to the next default gateway in the list.
;
;This entry determines how many times TCP retransmits data segments. The maximum number of
;retransmissions of requests for new connections is determined by the value of the
;TcpMaxConnectRetransmissions entry.
;
;Windows 2000 does not add this entry to the registry. You can add it by editing the registry or by
;using a program that edits the registry.
;
;Range 0x0–0xFFFFFFFF
;
;DEFAULT = 5
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Cut it down to 3 (1/2 approx.) so less is done on
; SYN-ACK (DOS/DDOS) attacks on my systems... apk
;
;============================================================================================================
"SynAttackProtect"=dword:00000001
;------------------------------------------------------------------------------------------------------------
;
;NOTE: the value name the TCP/IP stack reads is SynAttackProtect (the name also used in the entries below);
;a value named "SynAckProtect" is not a recognized Tcpip parameter and has no effect.
;
;DOS/DDOS protection method
;A value of 2 will disable Windows Scaling(Tcp1323Opts=3) and it is not supported by WinXP/2003
;
;DEFAULT = 0 (off/False boolean switch) Recommend 1 or 2
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Would do 2, but Tcp1323Opts is harmed by it & that
; gets you 12 extra bytes per-packet send/recv by not
; timestamping each packet sent/received... apk
;
;============================================================================================================
"TCPMaxPortsExhausted"=dword:00000005
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/regentry/58804.asp
;
;Determines how many connection requests the system can refuse before TCP/IP initiates SYN flooding attack
;protection. The system must refuse all connection requests when its reserve of open connection ports
;runs out.
;
;This entry is used only when SYN flooding attack protection is enabled on this server, that is, when the
;value of the SynAttackProtect entry is 1 and the value of the TcpMaxConnectResponseRetransmissions entry is
;at least 2.
;
;This entry establishes one of three configurable thresholds that, if exceeded, trigger TCP's SYN attack
;flooding protection feature. Because SYN flooding often consumes all reserved connection ports, TCP
;interprets an elevated number of connection refusals and a depleted port reserve as a symptom of SYN flooding.
;
;The other two thresholds are:
;
; 1.) The total number of connections in the half-open (SYN-RCVD) state exceeds the value of the
; TcpMaxHalfOpen entry.
;
; 2.) The number of connections that remain in the half-open (SYN-RCVD) state even after a connection
; request has been retransmitted exceeds the value of the TcpMaxHalfOpenRetried entry.
;
;Note - If the value of this entry is 0, SYN flooding protection is triggered as soon as the backlog of
;connection ports is consumed.
;
;RELATED ENTRIES - SynAttackProtect (above & default), TcpMaxConnectResponseRetransmissions
; (next one below), TCPMaxHalfOpen, & TCPMaxHalfOpenRetried ( below, non-std. )
;
;Acceptable Ranges -> 0x0–0xFFFF
;
;DEFAULT = 0x5
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Went with defaults for now, this is TOO new... apk
;
;============================================================================================================
"TcpMaxConnectResponseRetransmissions"=dword:00000002
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/windows/2000/server/reskit/en-us/regentry/58803.asp
;
;This parameter controls the number of times that a SYN-ACK is retransmitted in response to a connection
;request if the SYN is not acknowledged. If this value is greater than or equal to 2, the stack employs
;SYN attack protection internally. If this value is less than 2, the stack does not read the registry
;values at all for SYN attack protection.
;
;TCP/IP adjusts the frequency of retransmissions over time. The delay between the first and second
;retransmission is three seconds. This delay doubles after each attempt. After the final attempt,
;TCP/IP waits for an interval equal to double the last delay, and then it closes the connection request.
;
;See also SynAttackProtect, TCPMaxPortsExhausted (above), TCPMaxHalfOpen, + TCPMaxHalfOpenRetried
;(below, non-std.)
;
;Acceptable Ranges -> 0-255
;
;DEFAULT = at least 2 is required for SynAttackProtect, and for TcpMaxPortsExhausted above
;@ TOP, to work right & defend the system against DOS/DDOS attacks...apk
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Lessened this to minimum
; (to help against SYN/DOS/DDOS attacks... apk)
;
;============================================================================================================
"DisableIPSourceRouting"=dword:00000002
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/windows/2000/server/reskit/en-us/regentry/94174.asp
;
;IP source routing is a mechanism allowing the sender to determine the IP route that a datagram should take
;through the network, used primarily by tools such as tracert.exe and ping.exe. IP source routing is
;disabled by default.
;
;Valid Range: 0, 1, 2
;
;0 - forward all packets
;1 - do not forward Source Routed packets
;2 - drop all incoming Source Routed packets
;
;DEFAULT = 1 (on/true boolean switch), 2 recommended
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Set 2 to stall routed packets attacks thru NAT
; "firewalling" type hardware routers... apk
;
;============================================================================================================
"ReservedPorts"=hex(7):33,00,33,00,34,00,33,00,2d,00,33,00,33,00,34,00,33,00,\
00,00,00,00
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/regentry/58804.asp
;
;Allows ports to be reserved so that they are not used as part of the 1024 or greater range. This is useful
;for applications that want a specific port range (like ephemerals, the short-lived ports usage in apps over
;ports 5000-65535).
;
;Acceptable Ranges -> xxxx-yyyy (a port range; the string uses the format xxxx-yyyy)
;
;DEFAULT = 3343-3343 (decimal)
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: TOO NEW & UNIQUE TO WINDOWS 2003... apk
;
;I can see using this to set ephemeral ports usage ranges WAY UP HIGH, nearer to 65535 than usual
;5,000-9,000 range iirc, that I have seen scanning ports used local ones via netstat -ano tests! apk
;
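As an added example (not part of the original post or any Microsoft tool), a small Python parser and audit for the entries above: it decodes dword and hex(7) multi_sz values such as ReservedPorts, flags value names the stack will not recognize, and checks the SYN-protection, source-routing and forwarding settings against the values recommended here. The .reg excerpt inside it is constructed for the example.

```python
"""Added example, not part of the original post: a small parser and audit for the
Tcpip\\Parameters entries documented above. It reads .reg text, decodes dword and
hex(7) (REG_MULTI_SZ) values such as ReservedPorts, flags value names the stack
will not recognize, and checks the security-relevant settings against the values
the post recommends. SAMPLE_REG below is a constructed excerpt, not the post's file."""
import re

TCPIP_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"

# Constructed excerpt in the same layout as the post's .reg file. It deliberately
# carries the misspelled "SynAckProtect" so the audit has something to flag.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
;comment lines are skipped by the parser
"EnableSecurityFilters"=dword:00000000
"IPEnableRouter"=dword:00000000
"SynAckProtect"=dword:00000001
"TcpMaxConnectResponseRetransmissions"=dword:00000002
"DisableIPSourceRouting"=dword:00000002
"Tcp1323Opts"=dword:00000003
"ReservedPorts"=hex(7):33,00,33,00,34,00,33,00,2d,00,33,00,33,00,34,00,33,00,\
  00,00,00,00
"""

# Value names documented in the post (registry names are case-insensitive).
KNOWN_NAMES = {n.lower() for n in (
    "EnableSecurityFilters", "UdpAllowedPorts", "TcpAllowedPorts", "IPEnableRouter",
    "UseDomainNameDevolution", "KeepAliveTime", "PerformRouterDiscovery",
    "TcpMaxDataRetransmissions", "SynAttackProtect", "TcpMaxPortsExhausted",
    "TcpMaxConnectResponseRetransmissions", "DisableIPSourceRouting", "ReservedPorts",
    "AllowUnqualifiedQuery", "PrioritizeRecordData", "Tcp1323Opts", "TcpMaxDupAcks",
    "TcpInitialRtt", "EnableFastRouteLookup", "FFPControlFlags", "FFPFastForwardingCacheSize")}

# (value name, predicate on the decoded value, what the post recommends and why)
CHECKS = [
    ("SynAttackProtect", lambda v: v == 1, "1 (SYN flood protection on)"),
    ("TcpMaxConnectResponseRetransmissions", lambda v: v >= 2,
     ">= 2 (below 2 the stack never consults the SYN protection values)"),
    ("DisableIPSourceRouting", lambda v: v == 2, "2 (drop all incoming source-routed packets)"),
    ("IPEnableRouter", lambda v: v == 0, "0 (no IP forwarding on a standalone host)"),
]


def decode_value(raw):
    """Decode the right-hand side of a .reg value line."""
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if raw.startswith("hex(7):"):
        data = bytes(int(b, 16) for b in raw[len("hex(7):"):].split(",") if b)
        # REG_MULTI_SZ is UTF-16LE, one NUL after each string and one more at the end
        return [s for s in data.decode("utf-16-le").split("\0") if s]
    return raw  # "string" values are returned as written


def parse_reg(text):
    """Return {key_path: {value_name: decoded_value}}; comments and blanks are skipped
    and hex continuation lines (trailing backslash) are joined before decoding."""
    keys, current = {}, None
    lines = iter(text.splitlines())
    for line in lines:
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if not m or current is None:
            continue
        name, raw = m.group(1), m.group(2)
        while raw.endswith("\\"):
            raw = raw[:-1] + next(lines, "").strip()
        keys[current][name] = decode_value(raw)
    return keys


def decode_tcp1323opts(value):
    """Bit 0 = window scaling, bit 1 = timestamps (RFC 1323), as documented in the post."""
    return {"window_scaling": bool(value & 1), "timestamps": bool(value & 2)}


def audit(keys):
    """Return a list of findings for the Tcpip\\Parameters key; empty means all checks passed."""
    params = keys.get(TCPIP_KEY, {})
    by_lower = {n.lower(): v for n, v in params.items()}
    findings = []
    for name in params:
        if name.lower() not in KNOWN_NAMES:
            findings.append(f"UNKNOWN value name '{name}': not a documented Tcpip parameter, the stack ignores it")
    for name, ok, want in CHECKS:
        got = by_lower.get(name.lower())
        if got is None:
            findings.append(f"MISSING {name}: want {want}")
        elif not ok(got):
            findings.append(f"WEAK {name}={got}: want {want}")
    for rng in by_lower.get("reservedports", []):
        lo, _, hi = rng.partition("-")
        if not (lo.isdigit() and hi.isdigit() and 0 < int(lo) <= int(hi) <= 65535):
            findings.append(f"BAD ReservedPorts entry '{rng}': expected xxxx-yyyy with xxxx <= yyyy")
    return findings


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    print("Tcp1323Opts:", decode_tcp1323opts(parsed[TCPIP_KEY]["Tcp1323Opts"]))
    for finding in audit(parsed):
        print(finding)
```

Run against a real exported .reg file, the same audit will show whether the SYN-protection value is spelled so that the stack actually reads it.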
;============================================================================================================
;************************************************************************************************************
;START NON-STD. ENTRIES SECTION WINDOWS SERVER 2003 TCP/IP PARAMETERS ENTRIES YOU MUST ADD IN YOURSELF...apk
;************************************************************************************************************
;============================================================================================================
"AllowUnqualifiedQuery"=dword:00000000
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/windows/2000/server/reskit/en-us/regentry/33564.asp
;
;Determines whether the Domain Name System (DNS) permits unqualified queries.
;
;This parameter controls whether or not the Domain Name Resolver queries the Domain Name Server(s) with
;the host name followed by a dot (.) only (an unqualified query). For example, if your computer is in
;mydomain.com and you ping 'target' (no suffix such as .org/.com/.gov/.pl/.ca etc., the country, business,
;government, or organization domain names), by default the DNS is queried for target.mydomain.com only.
;
;When this parameter is set to 1, target. (the unqualified name) is also queried.
;
;DEFAULT = 0 (off/false) DO NOT PERMIT UNQUALIFIED QUERIES vs. 1 (on/true) PERMIT THEM
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Left default
;
;============================================================================================================
"PrioritizeRecordData"=dword:00000001
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/windows/xp/all/reskit/en-us/prjj_ipa_vitx.asp
;http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/windows/2000/server/reskit/en-us/cnet/cncf_imp_tibv.asp
;http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/windows/2000/server/reskit/en-us/prork/prcc_tcp_dacz.asp
;http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/windows/2000/server/reskit/en-us/cnet/cnbc_imp_fuzn.asp
;http://www.microsoft.com/technet/itsolutions/network/deploy/depovg/tcpip2k.mspx
;http://www.microsoft.com/resources/documentation/windows/2000/professional/reskit/en-us/part4/proch22.mspx
;
;This parameter controls whether or not the Domain Name Resolver sorts the addresses that are returned in
;response to a query for a multihomed host. By default, the DNR sorts addresses that are on the same subnet
;as one of the interfaces in the querying computer to the top of the list.
;
;This is done to give preference to a common-subnet (non-routed) IP address, when possible.
;
;DEFAULT = 1 (on/true) BUT, not typically visible by default @ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Set default so it sorts the list to aid seeks thru it
;
;============================================================================================================
"Tcp1323Opts"=dword:00000003
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/windows/2000/server/reskit/en-us/regentry/58800.asp
;
;This parameter controls the use of RFC 1323 Timestamp and Window Scale TCP options. Explicit settings for timestamps
;and window scaling are manipulated with flag bits. Bit 0 controls window scaling, and bit 1 controls timestamps.
;
;The default behavior is as follows: do not use the Timestamp and Window Scale options when initiating TCP connections but
;use them if the TCP peer that is initiating communication includes them in the SYN segment.
;
;Window scaling permits TCP to negotiate a scaling factor for the TCP receive window size, allowing for
;a very large TCP receive window of up to 1 GB. The TCP receive window is the amount of data the
;sending host can send at one time on a connection.
;
;Timestamps help TCP measure round trip time (RTT) accurately in order to adjust retransmission
;timeouts. The Timestamps option provides two timestamp fields of 4 bytes each in the TCP header:
;one to record the time the initial transmission is sent and one to record the time on the remote host.
;
;This entry is a 2-bit bitmask. The lower bit determines whether scaling is enabled; the higher bit
;determines whether timestamps are enabled. To enable a feature, set the bit representing the feature
;to 1. To disable a feature, set its bit to 0.
;
;Valid ranges = 0, 1, 2, 3
;
;0 (disable RFC 1323 options/Timestamps and window scaling are disabled.)
;1 (window scaling enabled only)
;2 (timestamps enabled only)
;3 (both options enabled)
;
;DEFAULT = no value present in registry @ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
;but 3 is the default even if not visible
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Gains extra 12 bytes per packets sent/received... apk
;
;============================================================================================================
"TcpMaxDupAcks"=dword:00000002
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/regentry/58806.asp
;
;Specifies how many duplicate ACKs (ACKs for the same sequence numbers) constitute a signal to
;retransmit a segment. If you set the value of this entry to 1, the system retransmits a segment when
;it receives an ACK for a segment with a sequence number that is less than the number of the segment
;currently being sent.
;
;This parameter determines the number of duplicate ACKs that must be received for the same sequence number
;of sent data before fast retransmit is triggered to resend the segment that has been dropped in transit.
;
;This mechanism is described in more detail in the “Transmission Control Protocol (TCP)” section.
;
;When data arrives with a sequence number that is greater than expected, the receiver assumes that
;data with the expected number was dropped, and it immediately sends an ACK with the ACK number
;set to the expected sequence number. The receiver sends ACKs set to the same missing number each
;time it receives a TCP segment that has a sequence number greater than expected. The sender
;recognizes the duplicate ACKs and sends the missing segment.
;
;This entry is used only when the receiver supports the fast retransmit feature. Fast retransmit lets
;TCP retransmit data before the retransmission timer (as set by the value of the TcpInitialRtt entry)
;expires.
;
;Range 1-3
;
;DEFAULT = 2 but no visible value present in registry
;@ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Left default (for now)... apk
;
;============================================================================================================
"TcpInitialRTT"=dword:00000003
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/regentry/58802.asp
;
;Determines how long TCP waits to retransmit a connection request if it does not receive a response to
;the original request for a new connection.
;
;This value initializes the retransmission timer. It specifies the time that must elapse between the
;original transmission and the first retransmission. On each subsequent retransmission, the previous
;interval is doubled. This strategy assumes that the response is delayed because the connection is slow.
;
;By default, the retransmission timer is initialized to three seconds, and the request (SYN) is sent
;twice, as specified in the value of the TcpMaxConnectRetransmissions entry.
;
;Because the delay between retransmissions grows exponentially, the initial value stored in the value
;of this entry should be very small. A value greater than 3 (seconds) prevents the server from
;expeditiously disposing of unacknowledgeable connection requests.
;
;DEFAULT = 3
;no visible value present in registry @ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Left default (for now)... apk
;
;============================================================================================================
"EnableFastRouteLookup"=dword:00000000
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/windows/2000/server/reskit/en-us/regentry/58749.asp
;
;Determines whether the fast route lookup feature is enabled. Fast route lookups make route searches
;faster, but they use a significant amount of non-pageable memory.
;
;Fast route look-up is enabled if this flag is set. This can make route lookups faster at the expense of
;non-paged pool memory.
;
;This flag is used only if the computer runs Windows Server 2003 and falls into the medium or large class
; (in other words, contains at least 64 MB of memory).
;
;This parameter is created by the Routing and Remote Access service.
;
;DEFAULT = 0 & Windows 2000 does not add this entry to the registry.
;Default NO visible value present in registry
;@ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
;
;This entry is used only on Windows 2000 Server computers that have at least 64 MB of physical memory.
;This entry applies only when Routing and Remote Access Service is enabled on the system.
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Turned on for speed gain, no security loss... apk
;
;============================================================================================================
"FFPControlFlags"=dword:00000001
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/windows/2000/server/reskit/en-us/regentry/58850.asp
;
;Determines whether Fast Forwarding Path for Offload (FFP) is enabled.
;
;If this parameter is set to 1, Fast Forwarding Path (FFP) is enabled.
;
;If it is set to 0, TCP/IP instructs all FFP-capable adapters not to do any fast forwarding on this computer.
;
;FFP-capable network adapters can receive routing information from the stack and forward subsequent packets
;in hardware without passing them up to the stack.
;
;FFP parameters are located in the TCP/IP registry key, but are actually placed there by the Routing and
;Remote Access service.
;
;DEFAULT = 1 (on/true)
;0 = Determines whether Fast Forwarding Path for Offload (FFP) is enabled.
;1 = FFP is enabled. TCP/IP provides for fast forwarding on this system.
;
;Windows 2000 does not add this entry to the registry.
;
;This entry is used only when Routing and Remote Access Service is enabled on this system.
;Is used, but no visible value present
;@ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: I have it "ON" but not using RAS/RRAS currently
;
;============================================================================================================
"FFPFastForwardingCacheSize"=dword:00019000
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/windows/2000/server/reskit/en-us/regentry/58755.asp
;
;Specifies the maximum amount of system memory that a device driver can allocate to its fast
;forwarding cache. The fast forwarding cache is a section of reserved memory used to support TCP/IP
;fast forwarding.
;
;This entry is used only when fast forwarding is enabled (that is, when the value of the
;FFPControlFlags entry is 1) and the driver uses system memory for its cache. This value does not
;apply when the driver uses memory on the device for its cache.
;
;This is the maximum amount of memory that a driver that supports fast forwarding path (FFP) can allocate
;for its fast-forwarding cache if it uses system memory for its cache.
;
;If the device has its own memory for fast-forwarding cache, this value is ignored.
;
;Acceptable parameter range 0x0–0xFFFFFFFF (bytes)
;
;DEFAULT = 0x19000 (102,400)
;Windows 2000 does not add this entry to the registry.
;
;Is used by default, but no visible value present
;@ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Upped it to DOUBLE the default... apk
;
;============================================================================================================
"MaxNumForwardPackets"=dword:00002440
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;
;This parameter limits the total number of IP packet headers that can be allocated for the router packet
;queue.
;
;NOTE - This value must be greater than or equal to the value of the NumForwardPackets parameter. See the
;description of NumForwardPackets for more details below next... apk
;
;Acceptable Parameter Ranges -> 1–0xFFFFFFFF
;
;DEFAULT = 0xFFFFFFFF
;Windows 2000 does not add this entry to the registry.
;
;Is used by default, but no visible value present
;@ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Left Default per ForwardBufferMemory value... apk
;

**************
[Edited by Alec§taar on 2005-01-27 16:42:53]

Post #156111
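The .reg format writes a dword as exactly eight hex digits, and the per-parameter comments in the file above also tie several entries to one another (ForwardBufferMemory a multiple of 256, MaxForwardBufferMemory >= ForwardBufferMemory, MaxNumForwardPackets >= NumForwardPackets, NumForwardPackets no larger than ForwardBufferMemory/256, MaxHashTableSize a power of two, plus the documented value ranges). Before importing a hand-edited template like this one it is worth linting it against those rules. The Python below is an added example, not code from the post or from Microsoft; it parses a constructed .reg fragment built from the dword entries quoted in the post (three of them copied with the seven- and nine-digit literals the post shows), flags literals that are not eight digits instead of guessing how an importer would read them, and then applies the cross-parameter checks. The function names and the RANGES table are this example's own; the ranges themselves are the ones stated in the post's comments.

```python
import re

# Constructed sample: the dword entries quoted in the post above, in .reg syntax.
# Three literals are copied with the digit counts the post shows (9, 7 and 7 hex digits).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
;============================================================================================================
"MaxNumForwardPackets"=dword:00002440
"NumForwardPackets"=dword:00002440
"ForwardBufferMemory"=dword:000244000
"MaxForwardBufferMemory"=dword:00595B0
"TcpTimedWaitDelay"=dword:0000001e
"MaxUserPorts"=dword:00002710
"MaxFreeTcbs"=dword:000007d0
"MaxFreeTWTcbs"=dword:000003E8
"MaxHashTableSize"=dword:00000200
"SynAttackProtect"=dword:00000002
"TcpMaxHalfOpen"=dword:00000064
"TcpMaxHalfOpenRetried"=dword:00000050
"TcpMaxConnectRetransmissions"=dword:00000002
"SmallBufferSize"=dword:0000080
"""

# Same fragment with the three literals written as the eight-digit values the post's own
# reasoning gives (double the 0x12200 default for ForwardBufferMemory, 0x595B0, 0x80).
FIXED_REG = (SAMPLE_REG
             .replace("dword:000244000", "dword:00024400")
             .replace("dword:00595B0", "dword:000595B0")
             .replace("dword:0000080", "dword:00000080"))

# Documented value ranges, taken from the per-parameter comments in the post.
RANGES = {
    "TcpMaxHalfOpen": (100, 0xFFFF),
    "TcpMaxHalfOpenRetried": (80, 0xFFFF),
    "MaxFreeTWTcbs": (1, 0xFFFF),
    "MaxHashTableSize": (64, 65536),
    "TcpMaxConnectRetransmissions": (0, 255),
    "SynAttackProtect": (0, 1),
    "PriorityBoost": (0, 16),
}

DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]+)\s*$')


def parse_reg(text):
    """Collect "name"=dword:XXXXXXXX lines into {name: int}.

    Literals that are not exactly eight hex digits are reported and left out
    rather than guessed at.
    """
    values, findings = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in ";[":      # blank, comment or key header
            continue
        m = DWORD_RE.match(line)
        if not m:
            continue                         # strings/binary values are out of scope here
        name, digits = m.groups()
        if len(digits) != 8:
            findings.append(f"line {lineno}: {name} dword literal has {len(digits)} hex digits, not 8")
            continue
        values[name] = int(digits, 16)
    return values, findings


def check_constraints(values):
    """Apply the single-value ranges and the cross-parameter rules documented in the post."""
    findings = []
    for name, (lo, hi) in RANGES.items():
        if name in values and not lo <= values[name] <= hi:
            findings.append(f"{name}=0x{values[name]:X} outside documented range {lo}-{hi}")
    v = values.get
    fbm, mfbm = v("ForwardBufferMemory"), v("MaxForwardBufferMemory")
    nfp, mnfp = v("NumForwardPackets"), v("MaxNumForwardPackets")
    if fbm is not None and fbm % 256:
        findings.append("ForwardBufferMemory must be a multiple of 256 (queue buffers are 256 bytes)")
    if fbm is not None and mfbm is not None and mfbm < fbm:
        findings.append("MaxForwardBufferMemory must be >= ForwardBufferMemory")
    if nfp is not None and mnfp is not None and mnfp < nfp:
        findings.append("MaxNumForwardPackets must be >= NumForwardPackets")
    if nfp is not None and fbm is not None and nfp > fbm // 256:
        findings.append(f"NumForwardPackets={nfp} exceeds ForwardBufferMemory/256={fbm // 256} "
                        "(each queued packet uses at least 256 bytes of forward buffer)")
    mhts = v("MaxHashTableSize")
    if mhts is not None and mhts & (mhts - 1):
        findings.append(f"MaxHashTableSize={mhts} is not a power of two; the stack rounds it up")
    twd = v("TcpTimedWaitDelay")
    if twd is not None and twd < 30:
        findings.append("TcpTimedWaitDelay below the 30-second minimum the stack accepts")
    return findings


def audit(text):
    """Parse a .reg fragment and return (parsed dword values, all findings)."""
    values, findings = parse_reg(text)
    return values, findings + check_constraints(values)


if __name__ == "__main__":
    for label, reg in (("as posted", SAMPLE_REG), ("literals fixed", FIXED_REG)):
        _, found = audit(reg)
        print(f"--- {label}: {len(found)} finding(s)")
        for f in found:
            print("  " + f)
```

Run on the fragment as posted it reports the three malformed literals plus SynAttackProtect outside the 0-1 range the comments document; with the literals corrected it still reports that NumForwardPackets (0x2440 = 9280) is above ForwardBufferMemory/256 (0x24400/256 = 580), the upper bound the NumForwardPackets comment itself gives. Only the rules written in the file are checked; the MTU-dependent lower bound on NumForwardPackets is left out because it needs the link MTU.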
Alec§taar
2005-01-27 15:28:15

(Tcp/IP tuned & documented parameters lists continued part #2 of 3 total for APKTcpIP.reg file)

*****************************************************************
;============================================================================================================
"NumForwardPackets"=dword:00002440
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;
;This parameter determines the number of IP packet headers that are allocated for the router packet queue.
;When all headers are in use, the system attempts to allocate more, up to the value configured for
;MaxNumForwardPackets (above).
;
;This value should be at least as large as the ForwardBufferMemory value divided by the maximum IP data size
;of the networks that are connected to the router.
;
;It should be no larger than the ForwardBufferMemory value divided by 256 because at least 256 bytes of
;forward buffer memory is used for each packet.
;
;The optimal number of forward packets for a given ForwardBufferMemory size depends on the type of traffic
;that is carried on the network and is somewhere between these two values.
;
;This parameter is ignored and no headers are allocated if routing is not enabled.
;
;Determines how many IP packet headers TCP allocates to the router packet queue when the system starts.
;The value of this entry is used only when routing is enabled and headers are allocated.
;
;When all of the IP packet headers allocated at startup are in use, the router begins to randomly
;discard packets from the queue.
;
;DEFAULT = see description next and ForwardBufferMemory setting next below also... apk
;
;This value should be at least as large as the ForwardBufferMemory value divided by the maximum IP data size
;of the networks that are connected to the router.
;
;Windows 2000 does not add this entry to the registry.
;
;Is used by default, but no visible value present
;@ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Left Default per ForwardBufferMemory value... apk
;
;============================================================================================================
"ForwardBufferMemory"=dword:00024400
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/windows/2000/server/reskit/en-us/regentry/58759.asp
;
;Determines the size of the buffer that IP allocates for storing packet data in the router packet queue.
;Because packet queue data buffers are 256 bytes long, the value of this entry must be a multiple of 256
;
;The default value of 74,240 bytes is enough for 50 packets of 1480 bytes each, rounded to a multiple of 256.
;
;When the buffer space is full, the router begins discarding packets at random from its queue. If packets
;are too large for the buffer, multiple buffers are chained together. If no buffers are allocated or if the
;IP router is not enabled, this entry is ignored.
;
;Because packet headers are stored separately, buffer size is not affected by the IP header for a packet.
;
;Acceptable Ranges - 0x0–0xFFFFFFFF (bytes, in 256-byte increments)
;
;DEFAULT = 0x12200 (74,240 bytes)
;Windows 2000 does not add this entry to the registry. You can add it by editing the registry
;Is used by default, but no visible value present
;@ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Doubled default amount... apk
;
;============================================================================================================
"MaxForwardBufferMemory"=dword:000595B0
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/windows/2000/server/reskit/en-us/regentry/58787.asp
;
;Establishes the maximum amount of memory that IP can allocate to store packet data in the router
;packet queue. The value of this entry must be greater than or equal to the value of the
;ForwardBufferMemory entry.
;
;This parameter limits the total amount of memory that IP can allocate to store packet data in the router
;packet queue.
;
;This value MUST BE GREATER THAN or EQUAL TO the value of the ForwardBufferMemory parameter.
;
; (See the description of ForwardBufferMemory above for more details.)
;
;Acceptable Ranges - Network MTU–0xFFFFFFFF
;
;DEFAULT = 0x200000 (2 MB) 2097152 decimal
;Windows 2000 does not add this entry to the registry.
;
;Is used by default, but no visible value present
;@ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: 1.5 times the ForwardBufferMemory Value above... apk
;
;============================================================================================================
"TcpTimedWaitDelay"=dword:0000001e
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;
;When a TCP connection is closed, the socket-pair is placed into a state known as TIME-WAIT. This is done so
;that a new connection does not use the same protocol, source IP address, destination IP address, source port
;and destination port until enough time has passed to ensure that any segments that may have been misrouted
;or delayed are not delivered unexpectedly.
;
;RFC 793 specifies the length of time that the socket-pair should not be reused as two maximum segment
;lifetimes (2 MSL), or four minutes.
;
;This is the default setting for Windows Server 2003 TCP/IP. However, with this default setting, some
;network applications that perform many outbound connections in a short time may use up all available ports
;before the ports can be recycled.
;
;Windows Server 2003 TCP/IP offers two methods of controlling this behavior.
;
;First, the TcpTimedWaitDelay registry parameter (this one) can be used to alter this value.
;
;Windows Server 2003 TCP/IP allows it to be set as low as 30 seconds, which should not cause problems in
;most environments.
;
;Second, the number of user-accessible ephemeral ports that can be used to source outbound connections is
;configurable using the MaxUserPorts (next below for your reference) registry parameter.
;
;By default, when an application requests any socket from the system to use for an outbound call, a port
;between the values of 1024 and 5000 is supplied.
;
;The MaxUserPorts parameter can be used to set the value of the uppermost port that the administrator
;chooses to allow for outbound connections.
;
;For instance, setting this value to 10,000 (decimal) would make approximately 9000 user ports available
;for outbound connections.
;
;For more details on this concept, see RFC 793.
;
;See also the MaxFreeTcbs (below next) and MaxHashTableSize (next one after) registry
;parameters in Appendix A.
;
;DEFAULT = 30 second default based on MaxUserPorts ephemeral ports
; (short-lived ports (dynamics that change a lot per netstat -ano I have seen)
; usually WAY high up in the IP range 5000-65535 etc. in my experience)
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Left default
;
;============================================================================================================
"MaxUserPorts"=dword:00002710
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;
;DESCRIPTION - SEE ABOVE ENTRY! apk
;
;Acceptable Parameter Ranges-> See above... apk
;
;DEFAULT = 10,000 decimal per above advice/example... apk
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Set per previous parameters entry advisement... apk
;
;============================================================================================================
"MaxFreeTcbs"=dword:000007d0
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/windows/2000/server/reskit/en-us/regentry/58770.asp
;
;Determines the number of TCP control blocks (TCBs) the system creates to support active connections
;Because each connection requires a control block, this value determines how many active connections
;TCP can support simultaneously.
;
;If all control blocks are used and more connection requests arrive, TCP can prematurely release
;connections in the TIME_WAIT state in order to free a control block for a new connection.
;
;Normally, TCP does not release a connection or reuse its resources until the connection has remained
;closed for a period specified by the value of the TcpTimedWaitDelay (see next entry below) entry.
;
;This interval is known as the TIME_WAIT or 2MSL (2 x maximum segment lifetime) state.
;
;However, if the system is supporting an unusually large number of connections and is running short
;of connection resources, TCP releases the connection before the value stored in the TcpTimedWaitDelay entry
;has expired.
;
;The default value for this entry is determined both by the amount of physical memory on the computer
;when TCP/IP starts and by the version of Windows running on the computer, as shown in the following table
;
;SMALL SYSTEM (Less than 19 MB RAM) - Server = 500, Pro/Workstation = 250
;MEDIUM SYSTEM (19–63 MB RAM) - Server = 1000 , Pro/Workstation = 500
;LARGE SYSTEM (64 MB or more RAM) - Server = 2,000 , Pro/Workstation = 1,000
;
;Acceptable Ranges - 0x0–0xFFFFFFFF (connections)
;
;DEFAULT = see table above!
; (Varies with the system and amount of physical memory on the computer. See description.)
;Windows 2000 does not add this entry to the registry. You can add it by editing the registry
;Is used by default, but no visible value present
;@ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Doubled to 2000 (2x workstation value) Server default
;
;============================================================================================================
"MaxFreeTWTcbs"=dword:000003E8
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/windows/2000/server/reskit/en-us/regentry/94179.asp
;
;Determines the number of partitions in the Transport Control Block (TCB) table.
;
;Partitioning the TCB table minimizes contention for table access. This is especially useful on SMP/HT
;systems.
;
;This parameter controls the number of Transport Control Blocks (TCBs) in the TIME-WAIT state that are
;allowed on the TIME-WAIT state list.
;
;Once this number is exceeded, the oldest TCB will be scavenged from the list.
;
;In order to maintain connections in the TIME-WAIT state for at least 60 seconds, this value should be
;greater than OR equal to (>= 60 * (the rate of graceful connection closures per second)) for the computer.
;
;The default value is adequate for most cases!
;
;Acceptable ranges - 0x1–0xFFFF
;
;DEFAULT = 0x3E8 (1000 decimal)
;Windows 2000 does not add this entry to the registry.
;
;Is used by default, but no visible value present
;@ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
;
;Do not change the value of this entry before carefully studying the effect of different
;values in a test environment.
;
;When testing, do not enter a value greater than two times the number of processors on the computer.
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Left default per description advice... apk
;
;============================================================================================================
"MaxHashTableSize"=dword:00000200
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/windows/2000/server/reskit/en-us/regentry/58769.asp
;
;Determines the size of the hash table in which TCP control blocks (TCBs) are stored.
;TCP stores control blocks in a hash table so it can find them very quickly. If you adjust the number of
;TCBs the system creates (as specified by the value of the MaxFreeTcbs entry), you should also adjust
;the value of this entry proportionately.
;This value should be set to a power of 2 (for example, 512, 1024, 2048, and so on.) If this value is not a
;power of 2, the system configures the hash table to the next power of 2 value!
;
; (E.G.=> A setting of 513 is rounded up to 1024.)
;
;This value controls how fast the system can find a TCB and should be increased if MaxFreeTcbs is increased
;from the default.
;
;The value of this entry must be a power of two. If you change the value, the system rounds the
;value you enter to the next higher power of two.
;
;Acceptable Ranges - 64–65,536 (table entries) 0x40–0x10000 (64-65536 decimal)
;
;DEFAULT = 512
;Windows 2000 does not add this entry to the registry.
;
;Is used by default, but no visible value present
;@ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Left default to match MaxFreeTcbs default... apk
;
;============================================================================================================
"MaxNormLookupMemory"=dword:00500000
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/windows/2000/server/reskit/en-us/regentry/58786.asp
;
;Determines the maximum amount of system memory that TCP can allocate for the routing table and its data.
;
;This parameter controls the maximum amount of memory that the system allows for the route table data and
;the routes themselves.
;
;It is designed to prevent memory exhaustion on the computer caused by adding large numbers of routes.
;
;Acceptable Ranges - 0x0 | 0x1–0xFFFFFFFE (bytes) | 0xFFFFFFFF
;Values Table:
;
;0x0 = There is no TCP routing table.
;0x1–0xFFFFFFFE = Specifies the max amount of system memory that can be allocated to the TCP routing table.
;0xFFFFFFFF = No limit on the amount of system memory that TCP can allocate to the TCP routing table.
;
;The default value for this entry is determined both by the amount of physical memory on the computer
;when TCP/IP starts and by the version of Windows running on the computer, as shown in the following table:
;
;The following default values are used:
;
;Small is defined as a computer with less than 19 MB of RAM,
;Medium is 19–63 MB of RAM,
;and Large is 64 MB or more of RAM.
;
;Less than 19 MB -> Server = 0x25800 (150 KB=1,000 routes), Pro/Workstation = 0x25800 (150 KB=1,000 routes)
;19–63 MB -> Server ONLY = 0x180000 (1.5 MB=10,000 routes)
;64mb or more -> Server ONLY = 0x500000 (5 MB=40,000 routes)
;
;For Windows Server 2003:
;
;Small system—150,000 bytes, which accommodates 1000 routes
;Medium system—1,500,000 bytes, which accommodates 10,000 routes
;Large system—5,000,000 bytes, which accommodates 40,000 routes
;
;DEFAULT = (Varies with the system and amount of physical memory on the computer. See description.)
;Windows 2000 does not add this entry to the registry.
;
;Is used by default, but no visible value present
;@ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Left server default for midrange type box... apk
;
;************************************************************************************************************
;BEGIN AFD registry subsection [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters] related
;************************************************************************************************************
;============================================================================================================
"DefaultReceiveWindow"=dword:00002000
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;
;The number of receive bytes that AFD buffers on a connection before imposing flow control.
;For some applications, a larger value here gives slightly better performance at the expense of
;increased resource utilization. Applications can modify this value on a per-socket basis with
;the SO_RCVBUF socket option.
;
;DEFAULT = 4096/8192/8192
;Windows 2000 does not add this entry to the registry. You can add it by editing the registry
;Is used, but no visible value present
;@ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Set 8192 max as mine
;
;============================================================================================================
"DefaultSendWindow"=dword:00002000
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;
;This is similar to DefaultReceiveWindow, but for the send side of connections. (See setting above this one)
;
;DEFAULT = 4096/8192/8192
;Windows 2000 does not add this entry to the registry. You can add it by editing the registry
;Is used, but no visible value present
;@ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Set 8192 max as mine
;
;============================================================================================================
"SynAttackProtect"=dword:00000002
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/windows/2000/server/reskit/en-us/regentry/58799.asp
;
;DOS/DDOS protection method
;SYN attack protection involves reducing the amount of retransmissions for the SYN-ACKS, which will reduce
;the time for which resources have to remain allocated. The allocation of route cache entry resources is
;delayed until a connection is made and the connection indication to AFD is delayed until the three-way
;handshake is completed. Note that the actions taken by the protection mechanism only occur if
;TcpMaxHalfOpen and TcpMaxHalfOpenRetried settings are exceeded.
;
;Determines whether the SYN flooding attack protection feature of TCP/IP is enabled. SYN flooding attack
;protection is enabled when the value of this entry is 1 and the value of the
;TcpMaxConnectResponseRetransmissions entry is at least 2 (see note below).
;
;NOTE - This value is used only when the number of SYN-ACK retransmissions is likely to impair the server,
;that is, when the value of the TcpMaxConnectResponseRetransmissions entry is at least 2.
;
;The SYN flooding attack protection feature of TCP detects symptoms of denial-of-service attacks
; (also known as SYN flooding), and it responds by reducing the time the server spends on connection
;requests that it cannot acknowledge.
;
;Acceptable Ranges -> 0, 1
;
;0 (no SYN attack protection) SYN flooding attack protection is not enabled.
;1 (reduced retransmission retries and delayed RCE [route cache entry] creation if the TcpMaxHalfOpen and
; TcpMaxHalfOpenRetried settings are satisfied and a delayed indication to Winsock is made.)
; SYN flooding attack protection is enabled.
;
;DEFAULT = 0 (off/false boolean switch) Recommend 1 (older 2 was for more protection, but affects below note)
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Would do 2, but Tcp1323Opts is harmed by it & that
; gets you 12 extra bytes per-packet send/recv by not
; timestamping each packet sent/received... apk
;
;============================================================================================================
"PriorityBoost"=dword:00000002
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;
;The priority boost that AFD gives to a thread when it completes I/O for that thread. If a multithreaded
;application experiences starvation of some threads, the problem may be remedied by reducing this value.
;
;Acceptable Ranges -> 0–16
;
;DEFAULT = 2
;Windows 2000 does not add this entry to the registry. You can add it by editing the registry
;Is used, but no visible value present
;@ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Reduced by 1 for multithreaded apps (which is 90%
; of what I run here, internet apps included)... apk
;
;============================================================================================================
"TcpMaxHalfOpen"=dword:00000064
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;
;This parameter controls the number of connections in the SYN-RCVD state allowed before SYN-ATTACK protection
;begins to operate. If SynAttackProtect is set to 1, ensure that this value is lower than the AFD listen
;backlog on the port that you want to protect (see backlog parameters in Appendix C for more information).
;See the SynAttackProtect parameter for more details.
;
;Acceptable Ranges -> 100–0xFFFF
;
;DEFAULT = 100 decimal (Professional, Server) hex 64 above, 500 decimal (Advanced Server) 1F4 hex
;Windows 2000 does not add this entry to the registry. You can add it by editing the registry
;Is used, but no visible value present
;@ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Kept workstation low, since I use Windows Server 2003
; as workstation rig, & to reduce SYN-ACK/DDOS-DOS
;
;============================================================================================================
"TcpMaxHalfOpenRetried"=dword:00000050
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;
;This parameter controls the number of connections in the SYN-RCVD state for which there has been at least
;one retransmission of the SYN sent, before SYN-ATTACK attack protection begins to operate.
;See the SynAttackProtect parameter for more details.
;
;Acceptable Ranges -> 80–0xFFFF
;
;DEFAULT = 80 decimal (Professional, Server) 50hex, 400 decimal (Advanced Server) 190 hex
;Windows 2000 does not add this entry to the registry. You can add it by editing the registry
;Is used, but no visible value present @ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Kept workstation low, since I use Windows Server 2003
; as workstation rig, & to reduce SYN-ACK/DDOS-DOS
;
;============================================================================================================
"TcpMaxRetransmissionAttempts"=dword:00000050
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;
;This parameter controls the number of connections in the SYN-RCVD state for which there has been at least
;one retransmission of the SYN sent, before SYN-ATTACK attack protection begins to operate. See the
;SynAttackProtect parameter for more details.
;
;Acceptable Ranges -> 80–0xFFFF
;
;DEFAULT = 80 (Pro/Server), 400 (AdvancedServer/Enterprise)
;Windows 2000 does not add this entry to the registry. You can add it by editing the registry
;Is used, but no visible value present @ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Kept workstation min, since I use Windows Server 2003
; as workstation rig, & to reduce SYN-ACK/DDOS-DOS
;
;============================================================================================================
"TcpMaxConnectRetransmissions"=dword:00000002
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/regentry/58804.asp
;
;Determines how many times TCP retransmits an unanswered request for a new connection. TCP
;retransmits new connection requests until they are answered or until this value expires.
;
;TCP/IP adjusts the frequency of retransmissions over time. The delay between the original transmission
;and the first retransmission for each interface is determined by the value of the TcpInitialRTT entry
;By default, it is three seconds. This delay doubles after each attempt. After the final attempt, TCP/IP
;waits for an interval equal to double the last delay, and then it abandons the connection request.
;
;This entry determines how many times TCP retransmits requests for new connections. When sending
;data on existing connections, the maximum number of retransmissions is determined by the value of
;the TcpMaxDataRetransmissions entry.
;
;DEFAULT = 2 (Range 0-255)
;default is no visible value present in registry
;@ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Lowered by 1 second for Syn-Ack/DDOS-DOS protection
;
;============================================================================================================
"IgnorePushBitOnReceives"=dword:00000000
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;
;Setting this parameter to a 1 causes Afd.sys to treat all incoming packets as though the push bit was set.
;This should only be done when necessary to work around client TCP/IP implementations that are not properly
;pushing data.
;
;If a client program is run on a computer with a TCP/IP implementation that does not set the PUSH bit
;on sends, response delays may result.
;
;It's best to correct this on the client side
;
;However, a configuration parameter (IgnorePushBitOnReceives) is added to Afd.sys to force it to treat
;all arriving packets as though the PUSH bit were set.
;
;Normally, Windows Server 2003 completes a Windows Sockets Receive when one of the following occurs:
;
;Data arrives with the push bit set.
;
;The user recv buffer is full.
;
;0.5 seconds have elapsed since any data arrived.
;
;DEFAULT = 0 (off/false boolean switch)
;Windows 2000 does not add this entry to the registry.
;
;Is used by default, but no visible value present
;@ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Default left... apk
;
;============================================================================================================
"SmallBufferSize"=dword:00000080
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;
;The size in bytes of small buffers used by AFD.
;
;DEFAULT = 128
;Windows 2000 does not add this entry to the registry.
;
;Is used by default, but no visible value present
;@ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Left default but I have doubled to 256 before... apk
;
;============================================================================================================
"MediumBufferSize"=dword:000005e0
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;
;The size, in bytes, of medium buffers used by AFD.
;
;DEFAULT = 1504
;Windows 2000 does not add this entry to the registry.
;
;Is used by default, but no visible value present
;@ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Left default but I have doubled to 3008 before... apk
;
;============================================================================================================
"LargeBufferSize"=dword:00001000
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;
;The size, in bytes, of large buffers used by AFD. Smaller values use less memory and larger values
;can improve performance.
;
;LargeBufferSize is in Megabytes (MB) and needs to be adjusted according to the configuration of your server.
;The buffers are allocated from physical memory, so set the sizes accordingly.
;
;DEFAULT = PAGE_SIZE (4096 bytes on i386, 8192 bytes on Alpha)
;Windows 2000 does not add this entry to the registry.
;
;Is used by default, but no visible value present
;@ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Left default 4096 bytes
;
;************************************************************************************************************
;END AFD registry subsection [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters] related
;************************************************************************************************************
;============================================================================================================
"CacheTimeout"=dword:000927c0
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;
;This value determines the time interval that names are cached in the remote name table.
;The nbtstat -c command can be used to view the remaining time for each name in the cache.
;
;Acceptable Ranges - 0xEA60–0xFFFFFFFF
;
;DEFAULT = 0x927c0 (600000 milliseconds = 10 minutes)
;Windows 2000 does not add this entry to the registry.
;
;Is used by default, but no visible value present
;@ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Left default
;
;============================================================================================================
"AllowUserRawAccess"=dword:00000001
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/windows/2000/server/reskit/en-us/regentry/94009.asp
;For information about raw sockets, see the Windows Sockets Specification link on the Web Resources page:
;http://www.sockets.com/winsock.htm
;http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winsock/winsock/tcp_ip_raw_sockets_2.asp
;
;Determines whether users who are not administrators can use raw sockets. By default, only users in
;the Administrators group can use them.
;This parameter controls access to raw sockets. If true, non-administrative users have access to raw sockets.
;
;By default, only administrators have access to raw sockets.
;
;For more information on raw sockets, see the Windows Sockets Specifications
;available from ftp://ftp.microsoft.com/bussys/winsock/winsock2/.
;
;When an application sends a datagram it may or may not include the IP header at the front of the
;outgoing datagrams depending on the IP_HDRINCL option set for the socket.
;An application always gets the IP header at the front of each received datagram regardless of the
;IP_HDRINCL option.
;
;If a foreign address is defined for the socket, it should correspond to the source address as
;specified in the IP header of the received datagram.
;
;IMPORTANT: OPENS THE DOOR FOR SPOOFING UDP HEADERS OR NOT SENDING ANY INFORMATION AT ALL IN PACKETS
;FOR SOURCE vs. DESTINATION:
;
;"The Microsoft implementation of TCP/IP on Windows is capable of opening a raw UDP socket:
;
;An application may specify the foreign IP address by calling connect functions. If no foreign IP address
;is specified for the socket, the datagrams are copied into the socket regardless of the source IP address
;in the IP header of the received datagram. (In other words you DON'T KNOW where they came from!)
;
;It is important to understand that SOCK_RAW sockets may get many unexpected datagrams. For
;example, a PING program may use SOCK_RAW sockets to send ICMP echo requests. While the
;application is expecting ICMP echo responses, all other ICMP messages (such as ICMP
;HOST_UNREACHABLE) may be delivered to this application also. Moreover, if several SOCK_RAW
;sockets are open on a machine at the same time, the same datagrams may be delivered to all the
;open sockets. An application must have a mechanism to recognize its datagram and to ignore all
;others. Such a mechanism may include inspecting the received IP header, using unique identifiers in the
;ICMP header (ProcessID, for example), and so forth."
;
; * i.e.-> Now, was Mr. Steve Gibson wrong worrying about this? I think not & agree with him... apk
;
;DEFAULT = 0 (off/false) Only administrators can use raw sockets & 1 (on/true) All users can use raw sockets.
;Windows 2000 does not add this entry to the registry.
;
;Is used by default, but no visible value present
;@ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: I turn this on for myself... apk
;I would only leave this to admin. users... apk
;============================================================================================================
"ArpCacheLife"=dword:00000258
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/windows/2000/server/reskit/en-us/regentry/58735.asp
;
;Determines how long an unreferenced entry can remain in the Address Resolution Protocol (ARP) cache
;table. Entries cannot remain in the table longer than specified by the value of this entry. However,
;entries can be removed sooner if the table space they occupy is needed to store a new entry.
;By default, this entry applies to unreferenced entries, and the ArpCacheMinReferencedLife entry
;applies to referenced entries, which defaults to a duration of 10 minutes. However, referenced entries
;must remain in the table at least as long as unreferenced entries. Therefore, if the value of this entry
;is greater than or equal to the value of the ArpCacheMinReferencedLife entry, the
;ArpCacheMinReferencedLife entry is ignored, and the ArpCacheLife entry applies to both referenced
;and unreferenced entries.
;
;ArpCacheMinReferencedLife (see next entry) controls the minimum time until a referenced ARP cache entry expires.
;This parameter can be used in combination with the ArpCacheLife parameter, as follows:
;
;In absence of an ArpCacheLife parameter, the defaults for ARP cache time-outs are a two-minute time-out on
;unused entries and a ten-minute time-out on used entries.
;
;If ArpCacheLife is greater than or equal to ArpCacheMinReferencedLife, referenced and unreferenced ARP cache
;entries expire in ArpCacheLife seconds.
;
;If ArpCacheLife is less than ArpCacheMinReferencedLife, unreferenced entries expire in ArpCacheLife seconds,
;and referenced entries expire in ArpCacheMinReferencedLife seconds.
;
;Entries in the ARP cache are referenced each time that an outbound packet is sent to the IP address in the entry.
;
;Acceptable Ranges -> 0–0xFFFFFFFF / 0x0–0xFFFFFFFF (seconds)
;
;DEFAULT = 10 minutes (600 seconds) on USED entries & 0x78 (120 seconds = 2 minutes) on unused entries for
;its aging algorithm...
;Windows 2000 does not add this entry to the registry.
;
;Is used by default, but no visible value present
;@ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
;
;In absence of an ArpCacheLife parameter, the defaults for ARP cache time-outs are a two-minute time-out on unused entries and a ten-minute
;time-out on used entries.
;
;This value does not affect ARP cache table entries that are added manually. TCP/IP does not remove manual entries.
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Left default
;
;============================================================================================================
"ArpCacheMinReferencedLife"=dword:00000258
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;
;ArpCacheMinReferencedLife controls the minimum time until a referenced ARP cache entry expires.
;
;This parameter can be used in combination with the ArpCacheLife parameter, as follows:
;
;If ArpCacheLife is greater than or equal to ArpCacheMinReferencedLife, referenced and unreferenced ARP
;cache entries expire in ArpCacheLife seconds.
;
;If ArpCacheLife is less than ArpCacheMinReferencedLife, unreferenced entries expire in ArpCacheLife seconds,
;and referenced entries expire in ArpCacheMinReferencedLife seconds.
;
;Entries in the ARP cache are referenced each time that an outbound packet is sent to the IP address
;in the entry.
;
;DEFAULT = 600 seconds (10 minutes)
;Windows 2000 does not add this entry to the registry.
;
;Is used by default, but no visible value present
;@ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
;
;In absence of an ArpCacheLife parameter, the defaults for ARP cache time-outs are a two-minute time-out
;on unused entries and a ten-minute time-out on used entries.
;
;Entries in the ARP cache are referenced each time that an outbound packet is sent to the IP address in the entry.
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Left default
;
;============================================================================================================
"DefaultRegistrationTTL"=dword:000004B0
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;
;This parameter can be used to control the TTL value sent with dynamic DNS registrations.
;
;Acceptable Ranges - 0–0xFFFFFFFF
;
;DEFAULT = 0x4B0 (1200 decimal, or 20 minutes)
;Windows 2000 does not add this entry to the registry.
;
;Is used by default, but no visible value present
;@ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Left default
;
;============================================================================================================
"DefaultTTL"=dword:00000080
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;
;Specifies the default time-to-live (TTL) value set in the header of outgoing IP packets. The TTL determines
;the maximum amount of time that an IP packet may live in the network without reaching its destination.
;
;It is effectively a limit on the number of links on which an IP packet is allowed to travel before
;being discarded.
;
;Acceptable Ranges -> 0–0xff (0–255 decimal)
;
;DEFAULT = 128
;Windows 2000 does not add this entry to the registry.
;
;Is used by default, but no visible value present
;@ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Left default
;
;============================================================================================================
"DisableAddressSharing"=dword:00000001
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;
;This parameter is used to prevent address sharing (SO_REUSEADDR) between processes so that if a process
;opens a socket, no other process can steal data from it.
;
;A similar effect can be achieved if an application uses the new socket option SO_EXCLUSIVEADDRUSE.
;
;This setting allows administrators to secure older applications that are not aware of this option.
;
;DEFAULT = 0 (off/false)
;Windows 2000 does not add this entry to the registry.
;
;Is used by default, but no visible value present
;@ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Turned on for security and stability's sake... apk
;
;============================================================================================================
"DisableReplaceAddressesInConflicts"=dword:00000000
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;
;This parameter is used to turn off the address registration conflict rule that the last writer wins.
;By default, a computer does not replace any current records on the DNS server that do not appear to
;have been owned by it at one time.
;
;DEFAULT = 0 (off/false)
;Windows 2000 does not add this entry to the registry.
;
;Is used by default, but no visible value present
;@ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Left default
;
;============================================================================================================
"DisableReverseAddressRegistrations"=dword:00000000
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/windows/2000/server/reskit/en-us/regentry/94186.asp
;
;This parameter can be used to turn off DNS dynamic update reverse address (PTR) record registration.
;
;If the DHCP server that configures this computer is running Windows Server 2003, then it is capable of
;registering the PTR record with the DNS dynamic update protocol.
;
;However, if the DHCP server is not capable of performing DNS dynamic update PTR registrations and you
;do not want to register PTR records with the DNS dynamic update protocol, set this parameter to 1.
;
;Disables the Domain Name System (DNS) dynamic update registration of PTR (pointer) records by this DNS
;client. PTR (pointer) records associate an IP address with a computer name.
;
;This entry is designed for enterprises in which the primary DNS server that is authoritative for the
;reverse lookup zone cannot or is configured not to perform dynamic updates. It reduces unnecessary
;network traffic and eliminates event log errors that record failed attempts to register PTR records.
;
;Acceptable parameters -> 0 = Register PTR records, 1 = Do not register PTR records.
;
;DEFAULT = 0 (off/false boolean switch)
;Windows 2000 does not add this entry to the registry.
;
;Is used by default, but no visible value present
;@ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Left default
;
;============================================================================================================
"DisjointNameSpace"=dword:00000001
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;
;This parameter instructs the DNR to treat each interface as a disjoint name space.
;
;On a multihomed computer, a query to the DNS server(s) that is/are configured for one interface may result
;in a name error.
;
;This parameter is used to instruct the resolver to try the query against the possible DNS servers that are
;configured for other interfaces before returning results.
;
;DEFAULT = 1 (Off/False boolean switch)
;Windows 2000 does not add this entry to the registry.
;
;Is used by default, but no visible value present
;@ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Left default, not multihomed here... apk
;
;============================================================================================================
"IPReassemblyTimeOut"=dword:0000003C
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;
;Determines how long IP accepts fragments when attempting to reassemble a previously fragmented packet.
;
;That is, if a packet is fragmented, all of the fragments must make it to the destination within this time
;limit - otherwise, the fragments will be discarded and the packet will be lost.
;
;DEFAULT = 60 seconds
;Windows 2000 does not add this entry to the registry.
;
;Is used by default, but no visible value present
;@ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Left default
;
;============================================================================================================
"NoNameReleaseOnDemand"=dword:00000001
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;
;This parameter determines whether the computer releases its NetBIOS name when it receives a name-release
;request from the network. It was added to allow the administrator to protect the machine against malicious
;name-release attacks.
;
;DEFAULT = 0 (off/false boolean switch)
;Windows 2000 does not add this entry to the registry.
;
;Is used by default, but no visible value present
;@ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Recommended 1 for security purposes... apk
;
;============================================================================================================
"QueryIpMatching"=dword:00000001
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/cnet/cncf_imp_sykl.asp
;http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prjj_ipa_vitx.asp
;
;This parameter controls whether or not the IP address of the DNS server queried is matched to the IP address
;of the server that sent the DNS response.
;
;This can be used as a primitive security feature to ensure that the resolver is not being fooled by a
;random query response from some computer other than the intended DNS server.
;
;By default, the resolver accepts responses from the servers that it did not query.
;
;This feature speeds performance but can be a security risk!
;
;Especially effective in the DnsCache parms area of the registry as well... apk (per 2nd URL above).
;
;THIS ALSO CAN BE ADDED TO -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DnsCache\Parameters
;
;DEFAULT = 0 (off/false boolean switch) Depending on if you want "positive dns caching"
;or "negative dns caching"
;
;Windows 2000 does not add this entry to the registry.
;
;Is used by default, but no visible value present
;@ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
;
;ipconfig.exe /flushdns typed in @ DOS prompt console window tty terminal clears the DNS cache
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: 0 is faster network performance, 1 is more secure
;
;============================================================================================================
"SackOpts"=dword:00000001
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/regentry/58797.asp
;
;This parameter controls whether or not Selective Acknowledgment (SACK) support, as specified in RFC 2018,
;is enabled. SACK is described in more detail in the “Transmission Control Protocol (TCP)” section.
;
;Enables and disables the Selective Acknowledgment (SACK) feature of Windows 2000 TCP/IP. SACK is specified
;in RFC 2018, TCP Selective Acknowledgement Options.
;
;SACK is an optimizing feature that lets you acknowledge receipt of individual blocks of data in a continuous
;sequence, rather than just the last sequence number. The recipient can tell the sender that one or more data
;blocks are missing from the middle of a sequence, and the sender can retransmit only the missing data.
;
;DEFAULT = 1 (on-off boolean switches)
;Windows 2000 does not add this entry to the registry.
;
;Is used by default, but no visible value present
;@ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Left default as it is a GOOD thing... apk
;
;============================================================================================================
"TcpNumConnections"=dword:00FFFFFE
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;
;This parameter limits the maximum number of connections that TCP can have open simultaneously.
;
;If the value of this entry is 0, you cannot establish any connections.
;
;NOTE by APK - Be one heck of a registry hack for a virus! apk
;
;Acceptable Ranges -> 0–0xFFFFFE
;
;DEFAULT = 0xFFFFFE
;Windows 2000 does not add this entry to the registry.
;
;Is used by default, but no visible value present
;@ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: SET TO MAX AMOUNT...
;
; (The default value of 16 million is probably a good value as it limits max concurrent connections,
;though it seems that the value only has importance in early versions of NT4)
;
;============================================================================================================
"UpdateSecurityLevel"=dword:00000100
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/regentry/94187.asp
;
;This parameter can be used to control the security that is used for DNS dynamic updates. It defaults to 0,
;to try nonsecure update, and if refused, to send Windows Server 2003 secure dynamic updates. Valid values
;are listed below:
;
;0x00000000—default, nonsecure updates
;
;0x00000010—security OFF (16 decimal)
;
;0x00000100—secure ONLY ON (256 decimal)
;
;Acceptable Ranges -> 0,0x00000010, 0x00000020, 0x00000100
;
;DEFAULT = 0 (off/false boolean switch)
;Windows 2000 does not add this entry to the registry.
;
;Is used by default, but no visible value present
;@ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Set to SECURE ONLY... apk
;
;============================================================================================================
"TcpUseRFC1122UrgentPointer"=dword:00000001
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;
;This parameter determines whether TCP uses the RFC 1122 or RFC 793 specification for urgent data
;(used by BSD-derived systems).
;
;There are two ways to interpret the value of the Urgent Pointer field in the
;TCP header: RFC 793 defines the value as indicating the first byte of normal data,
;RFC 1122 defines the value as indicating the last byte of urgent data.
;
;These two interpretations are not interoperable. Windows Server
;2003 TCP/IP defaults to the RFC 793 interpretation (BSD mode).
;
;DEFAULT = 1/0 (on-off boolean switches)
;Windows 2000 does not add this entry to the registry.
;
;Is used by default, but no visible value present
;@ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Left default for Windows Server 2003 RFC 793 type
;
;============================================================================================================
"TransmitWorker"=dword:00000400
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;
;Datagrams smaller than the value of this parameter go through the fast I/O path or are buffered on send.
;Larger ones are held until the datagram is actually sent.
;
;The default value was found by testing to be the best overall value for performance.
;
;Fast I/O means copying data and bypassing the I/O subsystem, instead of mapping memory and going through
;the I/O subsystem.
;
;This is advantageous for small amounts of data. Changing this value is not generally recommended.
;
;DEFAULT = 1024
;Windows 2000 does not add this entry to the registry.
;
;Is used by default, but no visible value present
;@ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Left default per advice above in description... apk
;
;============================================================================================================
"FastSendDatagramThreshold"=dword:00000400
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;
;Datagrams smaller than the value of this parameter go through the fast I/O path or are buffered on send.
;Larger ones are held until the datagram is actually sent.
;
;The default value was found by testing to be the best overall value for performance.
;
;Fast I/O means copying data and bypassing the I/O subsystem, instead of mapping memory and going through
;the I/O subsystem. This is advantageous for small amounts of data.
;
;Changing this value is not generally recommended.
;
;DEFAULT = 1024
;Windows 2000 does not add this entry to the registry.
;
;Is used by default, but no visible value present
;@ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: DON'T! Leave default per advice above from MS... apk
;
;============================================================================================================
"MaxFastTransmit"=dword:00000040
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;
;This parameter controls the maximum amount of data that is transferred in a TransmitFile request on the fast
;path. Fast I/O is essentially copying data and bypassing the I/O subsystem, instead of mapping memory and
;going through the I/O subsystem. This is advantageous for small amounts of data.
;
;Changing this value is not generally recommended.
;
;Acceptable Ranges -> 0–0xffffffff
;
;DEFAULT = 64 KB
;Windows 2000 does not add this entry to the registry.
;
;Is used by default, but no visible value present
;@ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Left default per above description... apk
;
;============================================================================================================
"IGMPLevel"=dword:00000002
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;
;This parameter determines to what extent the system supports IP multicasting and participates in the Internet
;Group Management Protocol. At level 0, the system provides no multicast support. At level 1, the system can
;send IP multicast packets but cannot receive them. At level 2, the system can send IP multicast packets and
;fully participate in IGMP to receive multicast packets.
;
;Acceptable Ranges -> 0,1,2
;
;DEFAULT = 2
;Windows 2000 does not add this entry to the registry.
;
;Is used by default, but no visible value present
;@ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Left default, I am not messing with IGMP stuff... apk
;
;============================================================================================================
"BCastNameQueryCount"=dword:00000002
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;
;Determines the number of times NetBT broadcasts a query for a specific name w/out receiving a response.
;
;Acceptable Ranges -> 1–0xFFFF
;
;DEFAULT = 3
;Windows 2000 does not add this entry to the registry.
;
;Is used by default, but no visible value present
;@ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Cut by one for more speed... apk
;
;============================================================================================================
"BcastQueryTimeout"=dword:000002ee
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;
;This value determines the time interval between successive broadcast name queries for the same name.
;
;Acceptable Ranges -> 100–0xFFFFFFFF
;
;DEFAULT = 0x2ee (750 decimal)
;Windows 2000 does not add this entry to the registry.
;
;Is used by default, but no visible value present
;@ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Left default
;
;============================================================================================================
"KeepAliveInterval"=dword:000003e8
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;
;This parameter determines the interval between TCP keep-alive retransmissions until a response is received.
;Once a response is received, the delay until the next keep-alive transmission is again controlled by the
;value of KeepAliveTime. The connection is aborted after the number of retransmissions specified by
;TcpMaxDataRetransmissions have gone unanswered.
;
;Acceptable Parameter Ranges -> 1–0xFFFFFFFF
;
;DEFAULT = 1000 (one second)
;Windows 2000 does not add this entry to the registry.
;
;Is used by default, but no visible value present
;@ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Left default
;

*****************************************************************



(Tcp/IP continued next, last one for APKTcpIP.reg #3 of 3 total)

Post #156113
Alec§taar
2005-01-27 15:29:35

(Part #3 of 3 APK Tcp/IP parameters entries tuned + documentation from Microsoft)

;============================================================================================================
"NameSrvQueryTimeout"=dword:000005DC
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;
;This value determines the time interval between successive name queries to WINS for a specified name
;
;Acceptable Parameter Ranges -> 100–0xFFFFFFFF
;
;DEFAULT = 1500 (1.5 seconds)
;Windows 2000 does not add this entry to the registry.
;
;Is used by default, but no visible value present
;@ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Left default
;
;============================================================================================================
"SessionKeepAlive"=dword:001B7740
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;
;This value determines the time interval between keep-alive transmissions on a session. Setting the value
;to 0xFFFFFFF disables keep-alives.
;
;Acceptable Parameter Ranges -> 60,000–0xFFFFFFFF
;
;DEFAULT = 3,600,000 (1 hour)
;Windows 2000 does not add this entry to the registry.
;
;Is used by default, but no visible value present
;@ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Cut in 1/2 for more "keep alives" on 56k dialup
;
;============================================================================================================
"DisableUserTOSSetting"=dword:00000001
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;
;This parameter can be used to allow programs to manipulate the Type Of Service (TOS) bits in the header of
;outgoing IP packets. In Windows Server 2003, this defaults to True. In general, individual applications
;should not be allowed to manipulate TOS bits.
;
;DEFAULT = 1 (on/true boolean switch)
;Windows 2000 does not add this entry to the registry.
;
;Is used by default, but no visible value present
;@ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Left default
;
;============================================================================================================
"Size/Small/Medium/Large"=dword:00000003
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;
;This value determines the size of the name tables that are used to store local and remote names.
;In general, a setting of 1 (small) is adequate. If the system is acting as a proxy name server,
;the value is automatically set to 3 (large) to increase the size of the name cache hash table.
;
;Hash table buckets are sized as follows:
;Acceptable Parameter Ranges -> 1, 2, 3 (small 16, medium 128, large 256)
;
;DEFAULT = 1 (small)
;Windows 2000 does not add this entry to the registry.
;
;Is used by default, but no visible value present
;@ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: set to max largest size... apk
;
;============================================================================================================
;************************************************************************************************************
;START FOUND @ SECTION OF MICROSOFT REGARDING TCP TRANSPORTS (odd entries not found anyplace else)... apk
;************************************************************************************************************
;============================================================================================================
"ArpCacheSize"=dword:0000003E
;------------------------------------------------------------------------------------------------------------
;
;http://support.microsoft.com/kb/q102973/
;
;Determines the maximum number of entries that the ARP cache table can hold.
;
;The ARP cache is allowed to grow dynamically until this size is reached.
;
;After the table reaches this size new entries can only be added by replacing the oldest entries that exist.
;
;DEFAULT = 62
;Windows 2000 does not add this entry to the registry.
;
;Is used by default, but no visible value present
;@ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Left default
;
;============================================================================================================
"TCPDisableReceiveChecksum"=dword:00000001
;------------------------------------------------------------------------------------------------------------
;
;http://support.microsoft.com/kb/q102973/
;
;Specifies whether Checksums is disabled on receive.
;
;DEFAULT = 1 (on/true boolean switch)
;Windows 2000 does not add this entry to the registry.
;
;Is used by default, but no visible value present
;@ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING:
;Set to 1 so no checksum is generated on received packets for speed
;
;============================================================================================================
"TCPDisableSendChecksum"=dword:00000001
;------------------------------------------------------------------------------------------------------------
;
;http://support.microsoft.com/kb/q102973/
;
;Specifies whether Checksums is disabled on send.
;
;DEFAULT = 1 (on/true boolean switch)
;Windows 2000 does not add this entry to the registry.
;
;Is used by default, but no visible value present
;@ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING:
;Set to 1 so no checksum is generated on sent packets for speed
;
;============================================================================================================
"UDPDisableSendChecksum"=dword:00000001
;------------------------------------------------------------------------------------------------------------
;
;http://support.microsoft.com/kb/q102973/
;
;Specifies whether Checksums is disabled on send of udp datagrams.
;
;DEFAULT = 0 (off/false boolean switch)
;Windows 2000 does not add this entry to the registry.
;
;Is used by default, but no visible value present
;@ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING:
;Set to 1 so no checksum is generated on sent packets for speed
;
;============================================================================================================
"UDPDisableReceiveChecksum"=dword:00000001
;------------------------------------------------------------------------------------------------------------
;
;http://support.microsoft.com/kb/q102973/
;
;Specifies whether Checksums is disabled on Receive of udp datagrams.
;
;DEFAULT = 0 (off/false boolean switch)
;Windows 2000 does not add this entry to the registry.
;
;Is used by default, but no visible value present
;@ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING:
;Set to 1 so no checksum is generated on sent packets for speed
;
;============================================================================================================
"TcpKeepCnt"=dword:0000003C
;------------------------------------------------------------------------------------------------------------
;
;http://support.microsoft.com/kb/q102973/
;
;Specifies how often TCP/IP will generate keep-alive traffic. When TCP/IP determines that no activity has
;occurred on the connection within the specified time, it generates keep-alive traffic to probe the
;connection. After trying TcpKeepTries number of times to deliver the keep-alive traffic without success,
;it marks the connection as down.
;
;DEFAULT = 120
;Windows 2000 does not add this entry to the registry.
;
;Is used by default, but no visible value present
;@ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Cut in 1/2 so more "keep alives" used on 56k... apk
;
;============================================================================================================
"TcpKeepTries"=dword:0000000A
;------------------------------------------------------------------------------------------------------------
;
;http://support.microsoft.com/kb/q102973/
;
;Specifies the maximum number of times that TCP/IP will attempt to deliver keep-alive traffic before
;marking a connection as down.
;
;DEFAULT = 20
;Windows 2000 does not add this entry to the registry.
;
;Is used by default, but no visible value present
;@ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Cut down to 5, so DDOS/DOS & Syn-Ack (same) are less
;
;============================================================================================================
"TcpLogLevel"=dword:00000010
;------------------------------------------------------------------------------------------------------------
;
;http://support.microsoft.com/kb/q102973/
;
;Specifies how verbose TCP/IP should be about logging events in the event log. The highest level of
;verbosity is 16, and 1 is the lowest level. The following shows general information about these levels.
;
;DEFAULT = 16 (log everything)
;Windows 2000 does not add this entry to the registry.
;
;Is used by default, but no visible value present
;@ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Log EVERYTHING default left... apk
;
;============================================================================================================
"TcpMaxConnectAttempts"=dword:00000002
;------------------------------------------------------------------------------------------------------------
;
;http://support.microsoft.com/kb/q102973/
;
;Specifies the maximum number of times TCP/IP attempts to establish a connection before reporting failure.
;The initial delay between connection attempts is 3 seconds. This delay is doubled after each attempt.
;
;DEFAULT = 3
;Windows 2000 does not add this entry to the registry.
;
;Is used by default, but no visible value present
;@ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Lessened by 1 to aid in Syn-Ack/DDOS-DOS attack
; protection... apk
;
;============================================================================================================
;************************************************************************************************************
;START DEPRECATED/OBSOLETE ENTRIES SECTION PER MICROSOFT WINDOWS 9x TCP/IP PARAMETERS ENTRIES...apk
;************************************************************************************************************
;============================================================================================================
;"ForwardBroadcasts"=dword:00000000 (Deprecated - 2000 onwards don't use this: commented off with a semicolon @ start)
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx#ECAA
;http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/windows/2000/server/reskit/en-us/regentry/33569.asp
;
;Do not delete this entry from the registry or change its value, can cause damage! apk
;2000 onwards does not use the above period to ForwardBroadCasts to other machines on networks... apk
;
;DEFAULT = 0 (off/false) on Windows Server 2003
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING:
;
;============================================================================================================

(END Tcp/IP parameters documented tweaks for .reg file template)



APK

P.S.=> AFD is next below... apk

Post #156114
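The templates in this thread are meant to be merged straight into the registry, and the layout (value line, then a comment block stating the documented DEFAULT and the REASONING) makes them easy to check mechanically first. The script below is an added example written for this page; it is not the poster's code and not anything from Microsoft. It parses a .reg file in that layout, decodes each dword, and reports four things a reviewer would want to know before merging: dword literals that are not the eight hex digits the format expects; values whose decoded number disagrees with the number the REASONING line commits to (including the classic slip of typing a decimal such as 1000 into the hex field, which regedit merges as 4096); value names that the Windows Server 2003 TCP/IP implementation-details document lists under NetBT\Parameters but which sit under Tcpip\Parameters, where the NetBT driver never reads them (that name-to-key mapping is my reading of the document, and is marked as an assumption in the code); and the TCP/UDP checksum-disable switches, which remove the only integrity check on the data as received for a computational saving that is small. SAMPLE_REG is a constructed excerpt in the same format with values chosen to trip each check; the value names are real, the comment text is mine.

```python
"""Audit a Windows .reg tuning template laid out like the ones in this thread.
Added example for this page, not the poster's or Microsoft's code; runs offline on SAMPLE_REG."""
import re
from typing import Optional

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]+)\s*$')
DEFAULT_RE = re.compile(r'^;\s*DEFAULT\s*[=:]?\s*(0x[0-9A-Fa-f]+|\d[\d,]*)\s*(kb)?', re.I)
REASON_RE = re.compile(r'REASONING:\s*(.*)$', re.I)
# The number a reasoning line commits to: a leading "16384 ..." or "... to 5" / "... to max of 32".
STATED_RE = re.compile(r'(?:^|\b(?:to|at)\s+(?:max(?:imum)?\s+(?:of\s+)?)?)(\d[\d,]*)\b', re.I)
CHECKSUM_RE = re.compile(r'^(TCP|UDP)Disable(Send|Receive)Checksum$', re.I)
# Names the Windows Server 2003 TCP/IP implementation-details document lists under NetBT\Parameters
# (assumption: my reading of that document); compared lower-cased.
NETBT_NAMES = {'bcastnamequerycount', 'bcastquerytimeout', 'namesrvquerytimeout',
               'sessionkeepalive', 'size/small/medium/large'}


def _num(text: str, unit: Optional[str] = None) -> int:
    """Decode '1000', '3,600,000', '0x2ee', or '8' with unit 'kb' into an integer."""
    n = int(text, 16) if text.lower().startswith('0x') else int(text.replace(',', ''))
    return n * 1024 if unit and unit.lower() == 'kb' else n


def parse_reg(text: str) -> list:
    """Return (key, name, raw_hex, comments) per value line; the comment block after a value belongs to it."""
    entries, key, cur = [], '', None
    for line in text.splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            key, cur = m.group(1), None
        elif m := VALUE_RE.match(line):
            cur = (key, m.group(1), m.group(2), [])   # raw_hex kept verbatim for the digit-count check
            entries.append(cur)
        elif line.startswith(';') and cur:
            cur[3].append(line)
    return entries


def audit(text: str) -> list:
    """Return (name, code, detail) findings; an empty list means nothing looked off."""
    findings = []
    for key, name, raw_hex, comments in parse_reg(text):
        value = int(raw_hex, 16)               # regedit always reads the dword field as hex
        if len(raw_hex) != 8:
            findings.append((name, 'BAD_DWORD', f'{len(raw_hex)} hex digits, expected 8'))
        default = reason = None
        want_next = False
        for c in comments:
            body = c.lstrip(';').strip()
            if want_next and body:             # reasoning continued on the next comment line
                reason, want_next = body, False
            if m := DEFAULT_RE.match(c):
                default = _num(m.group(1), m.group(2))
            if m := REASON_RE.search(c):
                reason = m.group(1).strip()
                want_next = reason == ''
        stated = None
        if reason is not None and 'left default' in reason.lower():
            stated = default
        elif reason is not None and (m := STATED_RE.search(reason)):
            stated = _num(m.group(1))
        if stated is not None and value != stated:
            hint = (' (decimal typed into the hex field?)'
                    if raw_hex.isdigit() and int(raw_hex, 10) == stated else '')
            findings.append((name, 'VALUE_MISMATCH',
                             f'comment says {stated}, dword decodes to {value}{hint}'))
        if name.lower() in NETBT_NAMES and 'netbt' not in key.lower():
            findings.append((name, 'WRONG_KEY',
                             'NetBT reads this from ...\\Services\\NetBT\\Parameters, not this key'))
        if CHECKSUM_RE.match(name) and value == 1:
            findings.append((name, 'INTEGRITY_CHECK_OFF',
                             'checksum processing disabled: corrupted data is no longer rejected'))
    return findings


# Constructed excerpt in the thread's layout; values chosen to trip each check.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"KeepAliveInterval"=dword:00001000
;DEFAULT = 1000 (one second)
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Left default
"TCPDisableReceiveChecksum"=dword:00000001
;DEFAULT = 1 (on/true boolean switch)
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING:
;Set to 1 so no checksum is generated on received packets for speed
"TcpKeepTries"=dword:0000000A
;DEFAULT = 20
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Cut down to 5, so dead peers drop sooner
"BcastNameQueryCount"=dword:00000002
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Cut by one for more speed
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters]
"DefaultReceiveWindow"=dword:00004000
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: 16384 per MS page above
"DisableAddressSharing"=dword:00000000
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: 1
"EnableDynamicBacklog"=dword:000000001
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Good against network attacks
'''
```

Call audit() on the text of a saved template (or import the module and run it over SAMPLE_REG) and read the findings before merging; an empty list means the file is at least self-consistent. The script only knows what is in the file and the short NETBT_NAMES list, so a clean result is not a statement that every value is sensible, only that the hex literal, the comment beside it and the key it lives under agree.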
Alec§taar
2005-01-27 15:43:35

AFD PARAMETERS TUNED and DOCUMENTED:

(Again, copy between the FIRST & LAST ASTERISKED ( " * " ) LINES AND PASTE INTO NOTEPAD.EXE, AND USE FILE MENU, SAVE AS SUBMENU, TYPE ALL FILES (vs. .txt) TO CREATE THIS AFD TEMPLATE & THEN DOUBLECLICK THE FILENAME IN EXPLORER.EXE TO MERGE IT INTO YOUR REGISTRY & REBOOT FOR IT TO BE EFFECTIVE! )

*****************************************************************

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters]
;************************************************************************************************************
;APK FORMAT FOR DOCUMENTING EACH POSSIBLE Tcp/IP stack entry for performance & security tuning generic header
;************************************************************************************************************
;"ENTRY NAME"=dword:00000000 (on) or 00000001(off) OR String Values (varies by param type)
;URL to description by Microsoft
;Description
;DEFAULT SETTINGS PER OEM/MICROSOFT
;Tweaked/Tuned OR Untweaked/Default Parameter Status
;************************************************************************************************************
;============================================================================================================
;USEFUL GENERIC URLS LIST FROM MICROSOFT FOR SECURITY PURPOSES USED IN THIS PREBUILT .REG FILE DOCUMENT
;============================================================================================================
;------------------------------------------------------------------------------------------------------------
;Microsoft Windows Server 2003 AFD Implementation Details MAIN PAGE:
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx
;------------------------------------------------------------------------------------------------------------
;============================================================================================================
;============================================================================================================
"DefaultReceiveWindow"=dword:00004000
;------------------------------------------------------------------------------------------------------------
;
;http://support.microsoft.com/default.aspx?scid=kb;en-us;246984
;
;The Windows NT socket driver (Afd.sys) has a default receive buffer size of 8 KB. When a program receives
;more data than this buffer is configured to hold, all data received up to this count must be transferred
;to the program before receiving continues. When this happens, RPC sends an acknowledgement to the computer
;that is sending the RPC data. In some cases, the program's receive function may experience a time-out
;during this period.
;
;The number of receive bytes that AFD buffers on a connection before imposing flow control. For some
;applications, a larger value here gives slightly better performance at the expense of increased resource
;utilization. Applications can modify this value on a per-socket basis with the SO_RCVBUF socket option.
;
;DEFAULT 8kb -> 4096/8192/16384
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: 16384 per Ms page above
;
;============================================================================================================
"DefaultSendWindow"=dword:00004000
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx
;
;This is similar to DefaultReceiveWindow, but for the send side of connections
;
;DEFAULT 8kb -> 4096/8192/16384
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: 16384 per Ms page above
;
;============================================================================================================
"DisableAddressSharing"=dword:00000001
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx
;
;This parameter is used to prevent address sharing (SO_REUSEADDR) between processes so that if a process
;opens a socket, no other process can steal data from it. A similar effect can be achieved if an application
;uses the new socket option SO_EXCLUSIVEADDRUSE. This setting allows administrators to secure older
;applications that are not aware of this option
;
;Acceptable Ranges = 0,1
;
;DEFAULT 0
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: 1
;
;============================================================================================================
"FastCopyReceiveThreshold"=dword:00000800
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx
;
;When an application posts a receive with a buffer that is smaller than the current packet being buffered by
;Winsock, AFD can either make an additional copy of the packet and then copy data to the application buffers
;directly (which is a two-stage copy because application buffers cannot be accessed directly under the lock),
;or it can lock and map application buffers and copy data once. This value represents a compromise between
;extra code execution for data copying, and extra code execution in the I/O subsystem and memory manager.
;
;The default value was found, by testing, to be the best overall value for performance. Changing this value
;is not generally recommended.
;
;DEFAULT 1024
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: 1024
;
;============================================================================================================
"FastSendDatagramThreshold"=dword:00000800
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx
;
;Datagrams smaller than the value of this parameter go through the fast I/O path or are buffered on send.
;Larger ones are held until the datagram is actually sent. The default value was found by testing to be the
;best overall value for performance. Fast I/O means copying data and bypassing the I/O subsystem, instead of
;mapping memory and going through the I/O subsystem. This is advantageous for small amounts of data. Changing
;this value is not generally recommended.
;
;DEFAULT 1024
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING:
;
;============================================================================================================
"IgnorePushBitOnReceives"=dword:00000000
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx
;
;Setting this parameter to a 1 causes Afd.sys to treat all incoming packets as though the push bit was set.
;This should only be done when necessary to work around client TCP/IP implementations that are not properly
;pushing data. This only usually happens if the push bit is set or recv buffer for current user is full, or
;1/2 (.5) seconds have elapsed since any data arrived.
;
;Normally, Windows Server 2003 completes a Windows Sockets Receive when one of the following occurs:
;A.) Data arrives with the push bit set.
;
;B.) The user recv buffer is full.
;
;C.) 0.5 seconds have elapsed since any data arrived.
;
;Acceptable Ranges -> 0/1
;
;DEFAULT 0
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: 0
;
;============================================================================================================
"LargeBufferSize"=dword:00002000
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx
;
;The size, in bytes, of large buffers used by AFD. Smaller values use less memory and larger values can
;improve performance.
;
;Default: PAGE_SIZE (4096 bytes on i386, 8192 bytes on Alpha)
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Doubled to 8192... apk
;
;============================================================================================================
"LargeBufferListDepth"=dword:0000000a
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx
;
;Depth of large buffer look-aside list
;
;DEFAULT 0/2/10
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING:
;
;============================================================================================================
"MaxFastTransmit"=dword:00000040
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx
;
;This parameter controls the maximum amount of data that is transferred in a TransmitFile request on the
;fast path. Fast I/O is essentially copying data and bypassing the I/O subsystem, instead of mapping memory
;and going through the I/O subsystem.
;
;This is advantageous for small amounts of data. Changing this value is not generally recommended.
;
;Acceptable Parameter Ranges -> Valid Range: 0-0xffffffff
;
;Default: 64 KB
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: 64kb default, but moving up to 128kb wouldn't hurt
;
;============================================================================================================
"MaxFastCopyTransmit"=dword:00000080
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx
;
;This parameter controls the maximum size of data that uses copy instead of cached memory on the fast-path.
;Fast I/O is essentially copying data and bypassing the I/O subsystem, instead of mapping memory and going
;through the I/O subsystem. This is advantageous for small amounts of data.
;
;Changing this value is not generally recommended.
;
;Acceptable Parameter Ranges -> Valid Range: 0-0xFFFFFFFF
;
;DEFAULT 128
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING:
;
;============================================================================================================
"MediumBufferSize"=dword:00000800
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx
;
;The size, in bytes, of medium buffers used by AFD.
;
;DEFAULT 1504 decimal
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: set to 2048 decimal per tweak... apk
;
;============================================================================================================
"MediumBufferListDepth"=dword:00000018
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx
;
;Depth of medium buffer look-aside list.
;
;DEFAULT: 4/8/24
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Maxed to 24 per tweak... apk
;
;============================================================================================================
"OverheadChargeGranularity"=dword:00000001
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx
;
;This parameter determines in what increments overhead is actually charged. The default is one page,
;and the intention is to properly charge and contain attacker type applications that try to run the
;system out of memory.
;
;Acceptable Parameter Ranges: A power of 2
;
;DEFAULT 1 page
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: GOOD FOR SECURITY! apk
;
;============================================================================================================
"PriorityBoost"=dword:00000004
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx
;
;The priority boost that AFD gives to a thread when it completes I/O for that thread. If a multithreaded
;application experiences starvation of some threads, the problem may be remedied by reducing this value.
;
;Acceptable Parameter Ranges: 0-16
;
;DEFAULT 2
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Upped to 4 (hex/dec is same as are 0,1,2,3)
;
;============================================================================================================
"SmallBufferSize"=dword:00000100
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx
;
;The size in bytes of small buffers used by AFD.
;
;DEFAULT 128
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Upped to 256 per tweak... apk
;
;============================================================================================================
"SmallBufferListDepth"=dword:00000020
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx
;
;Depth of the small buffer look-aside list.
;
;DEFAULT: 8/16/32
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Put to MAX of 32 per tweak... apk
;
;============================================================================================================
"StandardAddressLength"=dword:00000018
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx
;
;The length of TDI addresses that are typically used for the computer. When using an alternate transport
;protocol, such as TP4, which uses very long addresses, increasing this value results in a slight
;performance improvement.
;
;DEFAULT 22
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Upped to 24 decimal (hex 18 above) per tweak... apk
;
;============================================================================================================
"TransmitWorker"=dword:00000020
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx
;
;This parameter controls how Afd.sys uses system threads. Setting it to 0x10 causes AFD to use system
;threads to perform IO that results from a long (more than 2 SendPacketLength worth of data) TransmitFile
;request.
;
;Setting it to 0x20 causes AFD to use kernel-mode APC for IO and to execute everything in the context
;of the same thread.
;
;This is new in Windows Server 2003 and can improve performance by reducing the number of context switches
;in long TransmitFile requests.
;
;DEFAULT: 0x10
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Set per hex 0x20 (32 decimal) for better performance
;
;============================================================================================================
"TransmitIoLength"=dword:0000FFFF
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx
;
;The default size for I/O (reads and sends) performed by TransmitFile().
;
;For Windows XP Professional, the default I/O size is exactly one page.
;
;Default: I/O size is exactly one page - PAGE_SIZE/PAGE_SIZE*2/65536
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Set to Max 65535 dec/0xFFFF hex... apk
;
;============================================================================================================
"EnableDynamicBacklog"=dword:00000001
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx
;
;Enabled to help security against SYN and DDOS/DOS attacks... apk
;
;DEFAULT
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Good against network attacks
;
;============================================================================================================
"MinimumDynamicBacklog"=dword:00000020
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx
;
;Enabled to help security against SYN and DDOS/DOS attacks... apk
;
;DEFAULT none unless setting above of EnableDynamicBacklog = 1/true/on
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Good against network attacks
;
;============================================================================================================
"MaximumDynamicBacklog"=dword:00000020
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx
;
;Enabled to help security against SYN and DDOS/DOS attacks... apk
;
;DEFAULT none unless setting above of EnableDynamicBacklog = 1/true/on
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Good against network attacks
;
;============================================================================================================
"DynamicBacklogGrowthDelta"=dword:00000032
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx
;
;Enabled to help security against SYN and DDOS/DOS attacks... apk
;
;DEFAULT none unless setting above of EnableDynamicBacklog = 1/true/on
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Good against network attacks
;
;============================================================================================================
; STILL TO BE FOUND AND DOCUMENTED LIST BELOW... apk
;============================================================================================================
"MaxActiveTransmitFileCount"=dword:00000002
;------------------------------------------------------------------------------------------------------------
;
;URL @ Microsoft
;
;Description
;
;DEFAULT
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING:
;
;============================================================================================================
"DisableRawSecurity"=dword:00000000
;------------------------------------------------------------------------------------------------------------
;
;URL @ Microsoft
;
;Description
;
;DEFAULT
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING:
;
;============================================================================================================
"BufferMultiplier"=dword:00000400
;------------------------------------------------------------------------------------------------------------
;
;URL @ Microsoft
;
;Description
;
;DEFAULT
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING:
;
;============================================================================================================

*****************************************************************



APK

P.S.=> LSA is next below... apk

Post #156119
Alec§taar
Account Disabled


Posts: 207
From: A discrete point in the Space-Time Continuum...
Joined: 2001-04-17
Member No.: 5614
2005-01-27 15:58:27

LSA PARAMETERS TUNED and DOCUMENTED:

(Again, copy between the FIRST & LAST ASTERISKED ( " * " ) LINES AND PASTE INTO NOTEPAD.EXE, AND USE FILE MENU, SAVE AS SUBMENU, TYPE ALL FILES (vs. .txt) TO CREATE THIS AFD TEMPLATE & THEN DOUBLECLICK THE FILENAME IN EXPLORER.EXE TO MERGE IT INTO YOUR REGISTRY & REBOOT FOR IT TO BE EFFECTIVE! )

*****************************************************************

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
;************************************************************************************************************
;APK FORMAT FOR DOCUMENTING EACH POSSIBLE Tcp/IP stack entry for performance & security tuning generic header
;************************************************************************************************************
;"ENTRY NAME"=dword:00000000 (on) or 00000001(off) OR String Values (varies by param type)
;URL to description by Microsoft
;Description
;DEFAULT SETTINGS PER OEM/MICROSOFT
;Tweaked/Tuned OR Untweaked/Default Parameter Status
;************************************************************************************************************
;============================================================================================================
;USEFUL GENERIC URLS LIST FROM MICROSOFT FOR SECURITY PURPOSES USED IN THIS PREBUILT .REG FILE DOCUMENT
;============================================================================================================
;------------------------------------------------------------------------------------------------------------
;Microsoft Windows Server 2003 AFD Implementation Details MAIN PAGE:
;http://www.microsoft.com
;------------------------------------------------------------------------------------------------------------
;============================================================================================================
;============================================================================================================
"restrictanonymous"=dword:00000002
;------------------------------------------------------------------------------------------------------------
;
;http://support.microsoft.com/default.aspx?scid=kb;en-us;246261
;
;When the RestrictAnonymous registry value is set to 2, the access token built for non-authenticated users
;does not include the Everyone group, and because of this, the access token no longer has access to those
;resources which grant permissions to the Everyone group. This could cause undesired behavior because many
;Windows 2000 services, as well as third-party programs, rely on anonymous access capabilities to perform
;legitimate tasks.
;
;For example, when an administrator in a trusting domain wants to grant local access to a user in a trusted
;domain, there may be a need to enumerate the users in the trusted domain. Because the trusted domain cannot
;authenticate the administrator in the trusting domain, an anonymous enumeration may be used.
;The benefits of restricting the capabilities of anonymous users from a security perspective should be
;weighed against the corresponding requirements of services and programs that rely on anonymous access
;for complete functionality.
;
;The following tasks are restricted when the RestrictAnonymous registry value is set to 2 on a Windows
;2000-based domain controller:
;
;Down-level member workstations or servers are not able to set up a netlogon secure channel.
;
;Down-level domain controllers in trusting domains are not able to set up a netlogon secure channel.
;
;Microsoft Windows NT users are not able to change their passwords after they expire.
;Also, Macintosh users are not able to change their passwords at all.
;
;The Browser service is not able to retrieve domain lists or server lists from backup browsers, master
;browsers or domain master browsers that are running on computers with the RestrictAnonymous registry
;value set to 2.
;
;Because of this, any program that relies on the Browser service does not function
;properly.
;
;Because of these results, it is not recommended that you set the RestrictAnonymous registry value to
;2 in mixed-mode environments that include down-level clients.
;
;Setting the RestrictAnonymous registry value to 2 should only be considered in Windows 2000
;environments, and after sufficient quality assurance tests have verified that appropriate
;service levels and program functionality are maintained.
;
;NOTE: Pre-defined "High Secure" security templates set the RestrictAnonymous registry value to 2,
;and because of this, caution should be used when using these templates.
;
;For additional information about the RestrictAnonymous registry value, click the article number
;below to view the article in the Microsoft Knowledge Base:
;
;KB article 178640 "Could Not Find Domain Controller When Establishing a Trust"
;
;RestrictAnonymous is set by changing the registry key to 0 or 1 for Windows NT 4.0 or to
;0, 1, or 2 for Windows 2000. These numbers correspond to the following settings:
;
;Acceptable Ranges ->
;0 = None
;1 Do not allow enumeration of SAM accounts or names
;2 = No access w/out explicit permission
;
;DEFAULT 0
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: 2 for security... apk
;
;============================================================================================================
"RestrictAnonymousSAM"=dword:00000001
;------------------------------------------------------------------------------------------------------------
;
;http://support.microsoft.com/default.aspx?scid=kb;en-us;246261&sd=tech
;
;This configures the following registry value:
;
;HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM
;
;It will prevent the 9x clients from connecting.
;
;If you disable the lmhash listed above, also use the following setting from the following article:
;
;KB246261 "How to Use the RestrictAnonymous Registry Value in Windows 2000"
;
;DEFAULT 0
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Set for security so remote users cannot list
;shares, folder/files/printers, or registry access permissions... apk
;
;============================================================================================================
"SecureBoot"=dword:00000001
;------------------------------------------------------------------------------------------------------------
;
;Couldn't find it online @ Microsoft... apk
;
;Check GOOGLE ON THIS... apk
;
;DEFAULT
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING:
;
;============================================================================================================

*****************************************************************

END AFD PARAMETERS TUNED and DOCUMENTED:



APK

P.S.=> NetBT (netbios transport layer) is next... apk

Post #156121
Alec§taar
Account Disabled


Posts: 207
From: A discrete point in the Space-Time Continuum...
Joined: 2001-04-17
Member No.: 5614
2005-01-27 16:04:35

RpcSs PARAMETERS TUNED and DOCUMENTED:

(Again, copy between the FIRST & LAST ASTERISKED ( " * " ) LINES AND PASTE INTO NOTEPAD.EXE, AND USE FILE MENU, SAVE AS SUBMENU, TYPE ALL FILES (vs. .txt) TO CREATE THIS AFD TEMPLATE & THEN DOUBLECLICK THE FILENAME IN EXPLORER.EXE TO MERGE IT INTO YOUR REGISTRY & REBOOT FOR IT TO BE EFFECTIVE! )

*****************************************************************

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs\Parameters]
;************************************************************************************************************
;APK FORMAT FOR DOCUMENTING EACH POSSIBLE Tcp/IP stack entry for performance & security tuning generic header
;************************************************************************************************************
;"ENTRY NAME"=dword:00000000 (on) or 00000001(off) OR String Values (varies by param type)
;URL to description by Microsoft
;Description
;DEFAULT SETTINGS PER OEM/MICROSOFT
;Tweaked/Tuned OR Untweaked/Default Parameter Status
;************************************************************************************************************
;============================================================================================================
;USEFUL GENERIC URLS LIST FROM MICROSOFT FOR SECURITY PURPOSES USED IN THIS PREBUILT .REG FILE DOCUMENT
;============================================================================================================
;Microsoft Windows Server 2003 RpcSs Implementation Details MAIN PAGE:
;http://support.microsoft.com/default.aspx?scid=kb;en-us;229702
;------------------------------------------------------------------------------------------------------------
;============================================================================================================
;============================================================================================================
"ListenOnInternet"="N"
;------------------------------------------------------------------------------------------------------------
;
;http://support.microsoft.com/default.aspx?scid=kb;en-us;229702
;
;By default, the RPC Endpoint Mapper binds to all interfaces on a computer running Windows NT.
;To prevent the RPC Endpoint Mapper from binding to all interfaces, you must apply the following
;hotfix and create the registry entry below.
;
;Acceptable Parameter Ranges -> Y or N (string data)
;
;DEFAULT = Y
;
;If this value is set to "Y", the RPCSS listens on all ports.
;
;If the value is set to "N", RPCSS listens based on the current policy.
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: I turn it off... apk
;
;============================================================================================================

*****************************************************************

END RpcSs PARAMETERS TUNED and DOCUMENTED:



APK

P.S. => LanManServer is next... apk

Post #156122
Alec§taar
Account Disabled


Posts: 207
From: A discrete point in the Space-Time Continuum...
Joined: 2001-04-17
Member No.: 5614
2005-01-27 16:06:14

LanManServer PARAMETERS TUNED and DOCUMENTED:

(Again, copy between the FIRST & LAST ASTERISKED ( " * " ) LINES AND PASTE INTO NOTEPAD.EXE, AND USE FILE MENU, SAVE AS SUBMENU, TYPE ALL FILES (vs. .txt) TO CREATE THIS AFD TEMPLATE & THEN DOUBLECLICK THE FILENAME IN EXPLORER.EXE TO MERGE IT INTO YOUR REGISTRY & REBOOT FOR IT TO BE EFFECTIVE! )

*****************************************************************

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters]
;************************************************************************************************************
;APK FORMAT FOR DOCUMENTING EACH POSSIBLE Tcp/IP stack entry for performance & security tuning generic header
;************************************************************************************************************
;"ENTRY NAME"=dword:00000000 (on) or 00000001(off) OR String Values (varies by param type)
;URL to description by Microsoft
;Description
;DEFAULT SETTINGS PER OEM/MICROSOFT
;Tweaked/Tuned OR Untweaked/Default Parameter Status
;************************************************************************************************************
;============================================================================================================
;USEFUL GENERIC URLS LIST FROM MICROSOFT FOR SECURITY PURPOSES USED IN THIS PREBUILT .REG FILE DOCUMENT
;============================================================================================================
;------------------------------------------------------------------------------------------------------------
;Microsoft Windows Server 2003 AFD Implementation Details MAIN PAGE:
;http://www.microsoft.com
;------------------------------------------------------------------------------------------------------------
;============================================================================================================
;============================================================================================================
;"autodisconnect"=dword:0000000a
;------------------------------------------------------------------------------------------------------------
;
;URL @ Microsoft
;
;Description - Unsure so left it commented off... apk
;
;DEFAULT unsure, lookup @ Microsoft again or GOOGLE... apk
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: unsure, note it is ; commented off... apk
;
;============================================================================================================
"enableforcedlogoff"=dword:00000001
;------------------------------------------------------------------------------------------------------------
;
;URL @ Microsoft
;
;Description - Unsure so left it commented off... apk
;
;DEFAULT unsure, lookup @ Microsoft again or GOOGLE... apk
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: unsure, note it is ; commented off... apk
;
;============================================================================================================
;FOR NEXT 2 BELOW, READ THIS:
;
;Besides disabling netbios over tcp/ip, what else can be done to get rid of lm/ win9x clients from accessing
;win2k3 server?
;
;If you disable the lmhash listed above, also use the following setting from the following article:
;
;KB246261 "How to Use the RestrictAnonymous Registry Value in Windows 2000"
;
;http://support.microsoft.com/default.aspx?scid=kb;en-us;246261&sd=tech
;
;Also you can use the following as well.
;
;The policy is configurable via Security Settings\Local Policies\Security Options\Network access:
;Do not allow anonymous enumeration of SAM accounts.
;
;This configures the following registry value:
;
;HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM
;
;It will prevent the 9x clients from connecting.
;
;You can also use smbsigning [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters]
;"enablesecuritysignature"=dword:00000001
;"requiresecuritysignature"=dword:00000001
;
;Likewise, for the server the settings are as below (Windows Registry Editor Version 5.00). Every client
;and server that needs to communicate with each other will have to have this set on them, and the
;overhead is roughly a 15 - 20% performance hit because every packet has to be signed,
;and every packet has to be decrypted.
;
;============================================================================================================
"enablesecuritysignature"=dword:00000001
;------------------------------------------------------------------------------------------------------------
;
;http://support.microsoft.com/default.aspx?scid=kb;en-us;246261&sd=tech
;
;Description - See above... apk
;
;DEFAULT 0
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: set for security, even though 20% speed hit... apk
;
;============================================================================================================
"requiresecuritysignature"=dword:00000001
;------------------------------------------------------------------------------------------------------------
;
;http://support.microsoft.com/default.aspx?scid=kb;en-us;246261&sd=tech
;
;Description - See above... apk
;
;DEFAULT 0
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: set for security, even though 20% speed hit... apk
;
;============================================================================================================
"Lmannounce"=dword:00000000
;------------------------------------------------------------------------------------------------------------
;
;http://support.microsoft.com/default.aspx?scid=kb;en-us;125477
;
;Therefore, you cannot use Control Panel Network to select
;"Make Browser Broadcasts to LAN Manager 2.x Clients."
;
;If you need your Windows NT Workstation's computer name to show up in LAN Manager 2.x client
;browse lists, modify the Lmannounce value in the Registry.
;
;DEFAULT 0 (1 turns it on)
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: set for security, even though 20% speed hit... apk
;
;============================================================================================================
"CachedOpenLimit"=dword:00000000
;------------------------------------------------------------------------------------------------------------
;
;http://support.microsoft.com/default.aspx?scid=kb;en-us;126026
;
;The Server service now caches the file handles (RFCBs) associated with files it has opened on behalf
;of a client request. Although write requests proceed normally, close requests are acknowledged by the
;server, but are buffered from the file system. This is intended to optimize response time to repeated
;open/close operations performed by clients. In regards to Opportunistic Locking (oplock), this optimization
;is a logical extension of the way a client caches its own file close request and relies on the server
;to arbitrate future requests for file access by other clients.
;
;In rare situations, Oplock must be disabled for compatibility purposes. RFCB caching also includes
;a configurable parameter in the registry to modify the server's behavior.
;
;MORE INFORMATION - An obvious sign that a file is being held open is the reported size may be zero.
;In Control Panel, the Server option displays open files, when in fact, they are only open by the Server
;service in a cached mode. Other signs may include sharing violations. Local file operations are not
;serviced by the server and are not subject to RFCB caching. If you experience problems accessing files
;opened via a UNC name or from a different computer, you can diagnose the issue as follows:
;
;DEFAULT 0 (but the actual default used when the value does not appear = 5)
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Increasing this can help MS-DOS database
;clients or other apps that mess with RFCB (file control blocks) respond if frozen.
;
;============================================================================================================
"IRPStackSize"=dword:00000014
;------------------------------------------------------------------------------------------------------------
;
;http://support.microsoft.com/default.aspx?scid=kb;en-us;285089
;
;IRPStackSize specifies the number of stack locations in I/O request packets (IRPs) used by Windows
;2000 Server. You may have to increase this number for certain transports, MAC drivers, or file system
;drivers. Each stack uses 36 bytes of memory for each receive buffer.
;
;DEFAULT In Windows 2000, the default value of IRPStackSize is 15, and the range is from 11 to 50.
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: tweaked up to 20... apk
;
;============================================================================================================
"AutoShareServer"=dword:00000000
;------------------------------------------------------------------------------------------------------------
;
;http://support.microsoft.com/default.aspx?scid=kb;en-us;245117
;
;When you attempt to view the administrative shares (for example, c$, d$, admin$, and IPC$) from a computer
;running Microsoft Windows NT Server 4.0 or Microsoft Windows 2000, the shares may not be displayed.
;
;When you restart the computer, you may still not be able to view the shares.
;
;DEFAULT 1
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: set off so any shared disks/files/folders/printers
;are not visible via NetBIOS over Tcp/IP & the internet by default... apk
;
;============================================================================================================
"AutoShareWks"=dword:00000000
;------------------------------------------------------------------------------------------------------------
;
;http://support.microsoft.com/default.aspx?scid=kb;en-us;245117
;
;Administrative shares (for example, c$, d$, admin$, and IPC$) on a computer running Microsoft Windows
;NT Server 4.0 or Microsoft Windows 2000 may not be displayed.
;
;When you restart the computer, you may still not be able to view the shares.
;
;If these are set to 0, it causes this and even hides those default shares.
;If set to 1, they will be visible again.
;
;DEFAULT 1
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: set off so any shared disks/files/folders/printers
;are not visible via NetBIOS over Tcp/IP & the internet by default... apk
;
;============================================================================================================
"Hidden"=dword:00000001
;------------------------------------------------------------------------------------------------------------
;
;http://support.microsoft.com/default.aspx?scid=kb;en-us;320829
;
;Sets server hidden on network and its shares (file/print, + default admin$, C$, etc.)
;
;DEFAULT 0
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: hidden for internet security
;
;============================================================================================================
"SizReqBuf"=dword:00004410
;------------------------------------------------------------------------------------------------------------
;
;Specifies the size of the request buffers that the Server service uses.
;Small buffers use less memory, but large buffers can improve performance
;
;In File and Printer Sharing for Microsoft Networks, the SizReqBuf value determines how much data is
;buffered at one time to send to a client. The default values in Windows 2000 provide acceptable
;levels of performance in typical scenarios. However, on a high-latency connection, you may want to
;use an increased SizReqBuf value.
;
;
;Increasing the SizReqBuf value can increase performance significantly in a high-latency environment.
;However, note that increasing the SizReqBuf value also increases the non-paged pool memory that is
;used by the LanManServer service. If you increase the SizReqBuf value, monitor non-paged pool to
;make sure that the change does not affect the performance of the file server. Increasing the SizReqBuf
;value also proportionately increases the risk that a malicious user might exhaust non-paged pool on
;the file server.
;
;By default, all Windows 2000 installations use a SizReqBuf value of 16,644 bytes if the server
;has more than 512 megabytes (MB) of memory.
;
;Note In Windows 2000, the minimum setting is 1024. Small buffers use less memory, and large buffers
;can improve performance. The exact value that works best in a particular environment depends on the
;specific configuration of that environment. For an optional value, try 4410 (hexadecimal); this has
;been shown to work well in a fairly standard Ethernet environment.
;
;By default, this setting is 4356 bytes on computers. On servers that have more than 512 MB of memory
;this value is increased to 16 KB. A receive buffer that is larger can improve performance on query
;directory and similar commands, but at the price of more memory per work item.
;
;Acceptable Parameter Ranges -:
;512-65,536 (bytes), 512 - 65535 (bytes in decimal, or 200 - FFFF hexadecimal)
;
;DEFAULT 4356 Specifies the size of request buffers that the server uses.
;
;For computers running Windows Server 2003 and with 512 MB or more of physical memory,
;the default size of the request buffers is 16,644 bytes
;
;For servers with less physical memory, the default size is 4,356 bytes.
;
;If this entry is present in the registry, its value overrides the default value.
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: 4096 decimal (1000 hex) to quadruple this amt.
;for better network performance per description above... apk
;
;============================================================================================================

*****************************************************************

END LanManServer Tuned & Documented parameters lists



APK

P.S.=> LanManWorkstation is next... apk

Post #156124
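The entries in this LanManServer template, together with the dynamic-backlog entries of the AFD template and the RestrictAnonymous entries of the LSA template earlier in the thread, document ranges and relationships that are easy to get wrong when hand-editing a .reg file: a dword literal must be exactly eight hex digits, MinimumDynamicBacklog has to sit below MaximumDynamicBacklog for the backlog to grow, IRPStackSize is documented as 11 to 50, SizReqBuf as 512 to 65535, and requiresecuritysignature=1 only makes sense with enablesecuritysignature=1. The script below is an added example, not part of the thread and not a Microsoft tool: it parses a .reg template and reports syntax errors and out-of-range or inconsistent values before the file is merged. The sample .reg text inside it is constructed for the example (it mirrors the value names from the templates and includes one deliberately malformed dword), and the AFD key path HKLM\SYSTEM\CurrentControlSet\Services\AFD\Parameters is assumed rather than taken from this post.

```python
import re

# Constructed sample .reg text for this example (not the thread's template verbatim).
# Line 3 carries a nine-digit dword, the kind of slip regedit will not import cleanly.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters]
"EnableDynamicBacklog"=dword:000000001
"MinimumDynamicBacklog"=dword:00000020
"MaximumDynamicBacklog"=dword:00000020
"DynamicBacklogGrowthDelta"=dword:00000032

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000002
"RestrictAnonymousSAM"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters]
"enablesecuritysignature"=dword:00000001
"requiresecuritysignature"=dword:00000001
"IRPStackSize"=dword:00000014
"SizReqBuf"=dword:00004410
"AutoShareServer"=dword:00000000
"""

# Key paths checked; the AFD path is assumed for this example.
AFD = r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters'
LSA = r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'
SRV = r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
DWORD_RE = re.compile(r'^dword:([0-9A-Fa-f]{8})$')   # exactly eight hex digits


def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: value}} plus a list of syntax errors.
    dword data becomes an int, quoted strings stay str. Value names are lower-cased
    because registry value names are case-insensitive. ';' comment lines are skipped."""
    keys, errors, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(';') or line.startswith('Windows Registry Editor'):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if not m or current is None:
            errors.append(f'line {lineno}: unrecognised line {line!r}')
            continue
        name, data = m.group(1), m.group(2)
        if data.startswith('dword:'):
            d = DWORD_RE.match(data)
            if not d:
                errors.append(f'line {lineno}: {name} has malformed dword {data!r} '
                              '(exactly 8 hex digits required)')
                continue
            keys[current][name.lower()] = int(d.group(1), 16)
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            keys[current][name.lower()] = data[1:-1]
        else:
            errors.append(f'line {lineno}: unsupported data {data!r}')
    return keys, errors


def check_settings(keys):
    """Apply the ranges and relationships documented in the templates; return findings."""
    findings = []
    afd = keys.get(AFD, {})
    lo, hi = afd.get('minimumdynamicbacklog'), afd.get('maximumdynamicbacklog')
    if afd.get('enabledynamicbacklog') != 1 and (lo is not None or hi is not None):
        findings.append('AFD: dynamic backlog values set but EnableDynamicBacklog is not 1 '
                        '(missing or malformed), so they have no effect')
    if lo is not None and hi is not None and lo >= hi:
        findings.append(f'AFD: MinimumDynamicBacklog ({lo}) must be below '
                        f'MaximumDynamicBacklog ({hi}) for the backlog to grow')
    delta = afd.get('dynamicbackloggrowthdelta')
    if delta is not None and delta <= 0:
        findings.append('AFD: DynamicBacklogGrowthDelta must be positive')
    ra = keys.get(LSA, {}).get('restrictanonymous')
    if ra is not None and ra not in (0, 1, 2):
        findings.append(f'LSA: restrictanonymous={ra} outside documented range 0-2')
    srv = keys.get(SRV, {})
    if srv.get('requiresecuritysignature') == 1 and srv.get('enablesecuritysignature') != 1:
        findings.append('LanManServer: requiresecuritysignature=1 needs enablesecuritysignature=1')
    irp = srv.get('irpstacksize')
    if irp is not None and not 11 <= irp <= 50:
        findings.append(f'LanManServer: IRPStackSize={irp} outside documented range 11-50')
    buf = srv.get('sizreqbuf')
    if buf is not None and not 512 <= buf <= 65535:
        findings.append(f'LanManServer: SizReqBuf={buf} outside documented range 512-65535')
    return findings


def audit(text):
    """Syntax errors first, then semantic findings; an empty list means the file is clean."""
    keys, errors = parse_reg(text)
    return errors + check_settings(keys)


if __name__ == '__main__':
    for finding in audit(SAMPLE_REG) or ['no findings']:
        print(finding)
```

On the constructed sample the script reports three findings: the malformed EnableDynamicBacklog dword, the fact that the remaining backlog values therefore have no effect, and MinimumDynamicBacklog equal to MaximumDynamicBacklog. Running the same check over a template before merging it is cheaper than discovering after a reboot that a SYN-flood mitigation was silently never enabled.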
Alec§taar
Account Disabled


Posts: 207
From: A discrete point in the Space-Time Continuum...
Joined: 2001-04-17
Member No.: 5614
2005-01-27 16:14:14

LanManWorkStation PARAMETERS TUNED and DOCUMENTED:

(Again, copy between the FIRST & LAST ASTERISKED ( " * " ) LINES AND PASTE INTO NOTEPAD.EXE, AND USE FILE MENU, SAVE AS SUBMENU, TYPE ALL FILES (vs. .txt) TO CREATE THIS AFD TEMPLATE & THEN DOUBLECLICK THE FILENAME IN EXPLORER.EXE TO MERGE IT INTO YOUR REGISTRY & REBOOT FOR IT TO BE EFFECTIVE! )

*****************************************************************

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters]
;************************************************************************************************************
;APK FORMAT FOR DOCUMENTING EACH POSSIBLE Tcp/IP stack entry for performance & security tuning generic header
;************************************************************************************************************
;"ENTRY NAME"=dword:00000000 (on) or 00000001(off) OR String Values (varies by param type)
;URL to description by Microsoft
;Description
;DEFAULT SETTINGS PER OEM/MICROSOFT
;Tweaked/Tuned OR Untweaked/Default Parameter Status
;************************************************************************************************************
;============================================================================================================
;USEFUL GENERIC URLS LIST FROM MICROSOFT FOR SECURITY PURPOSES USED IN THIS PREBUILT .REG FILE DOCUMENT
;============================================================================================================
;------------------------------------------------------------------------------------------------------------
;Microsoft Windows LanManWorkstation Parameters Details MAIN PAGES:
;http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/deployguide/en-us/58903.asp
;http://support.microsoft.com/default.aspx?scid=kb;en-us;111664
;http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/deployguide/en-us/58904.asp;
;http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/regentry/58894.asp
;http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/regentry/58891.asp
;http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/deployguide/en-us/58911.asp
;------------------------------------------------------------------------------------------------------------
;============================================================================================================
;============================================================================================================
"MaxCmds"=dword:0000003C
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/deployguide/en-us/58903.asp
;
;Specifies the maximum number of network control blocks that the redirector can reserve. The value of this
;entry coincides with the number of execution threads that can be outstanding simultaneously.
;
;Increase this value to improve network throughput, especially if you are running applications that perform
;more than 15 operations simultaneously. However, because this entry also limits the number of outstanding
;execution threads, your network performance might not improve. Each additional execution thread uses a
;margin of 1 KB of nonpaged pool (operating system memory that is never paged to disk; paging is the moving
;of infrequently used parts of a program's working memory from RAM to another storage medium, usually the
;hard disk) when the network is at capacity. However, these resources are not consumed until the user
;references data in the network control block.
;
;Acceptable Parameter Ranges -> 50-65535 (network control blocks)
;
;DEFAULT = 50
;
;TWEAK by APK = 60, up from 20 hex/32 decimal (old NT value I had been using) & 10 over default 50... apk
;
;============================================================================================================
"MaxThreads"=dword:0000003C
;------------------------------------------------------------------------------------------------------------
;
;http://support.microsoft.com/default.aspx?scid=kb;en-us;111664
;
;Increasing the workstation services MaxThreads parameter increases the number of kernel threads that the
;redirector will create, thus allowing more operations to be outstanding at any given time.
;
;Acceptable Parameter Ranges -> The parameter can be set from 0 to 255 (the default is 17).
;
;DEFAULT = Match default 17 to 50 of MaxCmds (old docs I saw said make = to MaxCmds, but do not exceed)
;
;TWEAK by APK = 60 (3C hex), set equal to MaxCmds = 60 per the guidance above... apk
;
;============================================================================================================
"MaxCollectionCount"=dword:00000020
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/deployguide/en-us/58904.asp;
;
;Specifies the amount of data that must be present in the character-mode buffer of a named pipe to trigger
;a write operation. If the amount of data in the buffer meets or exceeds this value, then it is written
;immediately. Otherwise, it is retained in the buffer until either more data is added or the value of the
;CollectionTime entry expires.
;
;Increasing the value of this entry can improve the performance of named-pipe applications, but it does not
;affect applications that do their own buffering, such as SQL Server applications.
;
;Acceptable Parameter Ranges -> 0x0-0xFFFF (0-65,535 bytes)
;
;DEFAULT = 0x10 (16)
;
;TWEAK by APK = 32 (20 hex) decimal to double the default amt. of 16 decimal... apk
;
;This entry does not exist in the registry by default
;
;============================================================================================================
"SizCharBuf"=dword:00000300
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/deployguide/en-us/58911.asp
;
;Specifies the size of the character buffers for a named pipe (a section of shared memory used for
;interprocess communication).
;
;A program can write to a pipe and a program in another process can read the entry and reply. Processes
;that create pipes are commonly known as pipe servers and processes that read from the pipe are known as
;pipe clients.
;
;The redirector maintains a read-ahead buffer and a write-behind buffer for each pipe. This entry
;establishes the size of both buffers.
;
;The buffer size determines the amount of data the redirector reads and writes.
;
;When reading, the redirector attempts to read enough data to fill the read buffer. If the data it is
;reading is smaller than the buffer, then the redirector reads ahead until the buffer is full. If the
;data is larger than the buffer, then the redirector bypasses the character-mode buffer and reads the
;data directly into the user buffer.
;
;When writing, the redirector collects data in the character-mode buffer until it meets or exceeds the
;size specified by the value of the MaxCollectionCount entry, or until the time specified by the value
;of the CollectionTime entry expires.
;
;Increasing the value of this entry can improve the performance of named-pipe applications, but it does
;not affect applications that do their own buffering, such as SQL Server applications.
;
;Acceptable Parameter Ranges -> 64-4,096 (bytes)
;
;DEFAULT = 512
;
;TWEAK by APK = 300 hex (768 decimal) to increase by 50% the default amt. of 512 decimal... apk
;
;This entry does not exist in the registry by default
;
;============================================================================================================
"CacheFileTimeout"=dword:0000000f
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/regentry/58891.asp
;
;Determines how long a file can remain in the cache after it is closed. If the file is not reopened before
;the time indicated by the value of this entry expires, it is flushed from the cache.
;
;Increase the value of this entry if you are performing operations on the server, such as performing a build
;over the network, that regularly reopens files more than 10 seconds after an application has closed them.
;
;Acceptable Parameter Ranges -> 0x0-0xFFFFFFFF (seconds)
;
;DEFAULT = 0xA (10 seconds)
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Up to 15 from default 10 seconds... apk
;Windows 2000 does not add this entry to the registry
;
;============================================================================================================
"DormantFileLimit"=dword:00000032
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/regentry/58894.asp
;
;Determines how many files on each share can remain open in the redirector's cache after an application has
;closed them.
;
;If the number of open, cached files on a share exceeds the value of this entry, the system
;begins to close the cached files.
;
;The Windows redirector keeps files open in the cache after an application has closed the file.
;
;This entry prevents cached files from occupying the limited number of places available for open files.
;
;By default, LAN Manager servers permit only 60 files from remote clients and 50 files from each client
;workstation to remain open.
;
;Acceptable Parameter Ranges -> 0x0-0xFFFFFFFF (files)
;
;DEFAULT = 45
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Up to 50 (max) from default 45... apk
;Windows 2000 does not add this entry to the registry
;
;============================================================================================================
"OtherDomains"=hex(7):00,00
;------------------------------------------------------------------------------------------------------------
;
;URL @ Microsoft
;
;Description
;
;DEFAULT
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING:
;
;============================================================================================================

*****************************************************************

End LanManWorkstation tuned parameters list



APK

P.S.=> DCom/OLE server control for security is next... THIS you may NOT want to turn on, or change to Y entries vs. N with some apps or custom in-house stuff like webservices apps, active documents, OR apps that use OLE/Distributed COM services rather than transports like named pipes... apk

Post #156126
Alec§taar
2005-01-27 16:18:11

DCOM/OLE PARAMETERS TUNED and DOCUMENTED:

(Again, copy between the FIRST & LAST ASTERISKED ( " * " ) LINES AND PASTE INTO NOTEPAD.EXE, AND USE FILE MENU, SAVE AS SUBMENU, TYPE ALL FILES (vs. .txt) TO CREATE THIS AFD TEMPLATE & THEN DOUBLECLICK THE FILENAME IN EXPLORER.EXE TO MERGE IT INTO YOUR REGISTRY & REBOOT FOR IT TO BE EFFECTIVE! )

*****************************************************************

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
;************************************************************************************************************
;APK FORMAT FOR DOCUMENTING EACH POSSIBLE Tcp/IP stack entry for performance & security tuning generic header
;************************************************************************************************************
;"ENTRY NAME"=dword:00000000 (on) or 00000001(off) OR String Values (varies by param type)
;URL to description by Microsoft
;Description
;DEFAULT SETTINGS PER OEM/MICROSOFT
;Tweaked/Tuned OR Untweaked/Default Parameter Status
;************************************************************************************************************
;============================================================================================================
;USEFUL GENERIC URLS LIST FROM MICROSOFT FOR SECURITY PURPOSES USED IN THIS PREBUILT .REG FILE DOCUMENT
;============================================================================================================
;------------------------------------------------------------------------------------------------------------
;Microsoft COM/DCOM registry entries (EnableDCOM) Details MAIN PAGE:
;http://msdn.microsoft.com/library/default.asp?url=/library/en-us/com/htm/reg_0w8d.asp
;------------------------------------------------------------------------------------------------------------
;============================================================================================================
"EnableDCOM"="N"
"EnableRemoteConnect"="N"
;------------------------------------------------------------------------------------------------------------
;
;http://msdn.microsoft.com/library/default.asp?url=/library/en-us/com/htm/reg_0w8d.asp
;
;The EnableDCOM value controls the global activation and call policies of the machine. Only machine administrators
;and the system have full access to this portion of the registry. All other users have read-only access.
;
;Acceptable Parameter Ranges -> Y or N (string data)
;
;N (or n) = No remote clients may launch servers or connect to objects on this machine.
; Local launching of class code and connecting to objects are allowed on a per-class
; basis according to the value and access permissions of the class's AppID\{...}\LaunchPermission
; key and the global DefaultLaunchPermission key.
;
;Y (or y) = Launching of servers and connecting to objects by remote clients is allowed on a per-class
; basis according to the value and access permissions of the class's LaunchPermission named value
; and the global DefaultLaunchPermission named value
;
;DEFAULT = Y
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: N, I turn this off for security purposes... apk
;
;============================================================================================================

*****************************************************************

End Dcom/OLE parameters for security tweaking list



APK

P.S.=> MUP is next... &this also, like DCOM/OLE, you may wish to NOT turn off if you use Distributed File System (DFS) virtual disks/directories setups... apk

Post #156127
Alec§taar
2005-01-27 16:21:41

MUP (dfs control) PARAMETERS TUNED and DOCUMENTED:

(Again, copy between the FIRST & LAST ASTERISKED ( " * " ) LINES AND PASTE INTO NOTEPAD.EXE, AND USE FILE MENU, SAVE AS SUBMENU, TYPE ALL FILES (vs. .txt) TO CREATE THIS AFD TEMPLATE & THEN DOUBLECLICK THE FILENAME IN EXPLORER.EXE TO MERGE IT INTO YOUR REGISTRY & REBOOT FOR IT TO BE EFFECTIVE! )

*****************************************************************

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mup]
;************************************************************************************************************
;APK FORMAT FOR DOCUMENTING EACH POSSIBLE Tcp/IP stack entry for performance & security tuning generic header
;************************************************************************************************************
;"ENTRY NAME"=dword:00000000 (on) or 00000001(off) OR String Values (varies by param type)
;URL to description by Microsoft
;Description
;DEFAULT SETTINGS PER OEM/MICROSOFT
;Tweaked/Tuned OR Untweaked/Default Parameter Status
;************************************************************************************************************
;============================================================================================================
;USEFUL GENERIC URLS LIST FROM MICROSOFT FOR SECURITY PURPOSES USED IN THIS PREBUILT .REG FILE DOCUMENT
;============================================================================================================
;------------------------------------------------------------------------------------------------------------
;Microsoft Windows Server 2003 Distributed File System Hack Security Implementation Details MAIN PAGE:
;http://support.microsoft.com/default.aspx?scid=kb;en-us;824288
;------------------------------------------------------------------------------------------------------------
;============================================================================================================
;============================================================================================================
"DisableDFS"=dword:00000001
;------------------------------------------------------------------------------------------------------------
;
;http://support.microsoft.com/default.aspx?scid=kb;en-us;824288
;
;1 = DFS Client is turned off. (By default, DFS Client is turned on in Windows 2000.)
;
;Acceptable Parameter Ranges -> 0/1
;
;DEFAULT = 0
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Turned off, I don't need Distributed File System
;
;============================================================================================================

*****************************************************************

End MUP (dfs control) Tuned parameters lists template



APK

P.S.=> DNSCaching parameters are next... apk


Post #156129
Alec§taar
2005-01-27 16:24:12

DNSCache PARAMETERS TUNED and DOCUMENTED:

(Again, copy between the FIRST & LAST ASTERISKED ( " * " ) LINES AND PASTE INTO NOTEPAD.EXE, AND USE FILE MENU, SAVE AS SUBMENU, TYPE ALL FILES (vs. .txt) TO CREATE THIS AFD TEMPLATE & THEN DOUBLECLICK THE FILENAME IN EXPLORER.EXE TO MERGE IT INTO YOUR REGISTRY & REBOOT FOR IT TO BE EFFECTIVE! )

*****************************************************************

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters]
;************************************************************************************************************
;APK FORMAT FOR DOCUMENTING EACH POSSIBLE Tcp/IP stack entry for performance & security tuning generic header
;************************************************************************************************************
;"ENTRY NAME"=dword:00000000 (on) or 00000001(off) OR String Values (varies by param type)
;URL to description by Microsoft
;Description
;DEFAULT SETTINGS PER OEM/MICROSOFT
;Tweaked/Tuned OR Untweaked/Default Parameter Status
;************************************************************************************************************
;============================================================================================================
;USEFUL GENERIC URLS LIST FROM MICROSOFT FOR SECURITY PURPOSES USED IN THIS PREBUILT .REG FILE DOCUMENT
;============================================================================================================
;------------------------------------------------------------------------------------------------------------
;Microsoft Windows Server 2003 TCP/IP Implementation Details MAIN PAGE:
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx
;------------------------------------------------------------------------------------------------------------
;============================================================================================================
;============================================================================================================
;BELOW = Special Case - IF 1/on, more secure. If 0/off, faster performance...
;============================================================================================================
"QueryIPMatching"=dword:00000001
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/windows/2000/server/reskit/en-us/cnet/cncf_imp_sykl.asp
;
;By default, the resolver accepts responses from the servers that it did not query. This feature speeds
;performance but can be a security risk. If you want to disable this feature, add the registry entry
;QueryIpMatching with the value 1 of datatype DWORD in this .reg file's regedit.exe pathway…
;
;Acceptable Ranges-> 0/1 on-off/true-false
;
;DEFAULT 0
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: 0 for speed, 1 for security (I took security)
;
;============================================================================================================
"CacheHashTableSize"=dword:000000D3
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/windows/2000/server/reskit/en-us/cnet/cncf_imp_sykl.asp
;
;This parameter can be used to control the maximum number of rows in the hash table used by the DNS caching
;resolver service. It should not be necessary to adjust this parameter.
;
;Acceptable Parameter Ranges -> Any prime number greater than 0
;
;DEFAULT: 0xD3 (211 decimal)
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: left default
;
;============================================================================================================
"CacheHashTableBucketSize"=dword:0000000A
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/windows/2000/server/reskit/en-us/cnet/cncf_imp_sykl.asp
;
;This parameter can be used to control the maximum number of columns in the hash table used by the DNS
;caching resolver service. It should not be necessary to adjust this parameter.
;
;Acceptable Parameter Ranges -> 0-0x32 (50 decimal)
;
;DEFAULT = 0xa (10 decimal)
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Left default... apk
;
;============================================================================================================
"MaxCacheEntryTtlLimit"=dword:00015180
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/windows/2000/server/reskit/en-us/cnet/cncf_imp_sykl.asp
;
;This parameter can be used to control the maximum cache entry time-to-live (TTL) value. It overrides
;any value that may have been set on a specific record that is larger.
;
;DEFAULT (in seconds) = 0x15180 (86400 decimal)
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Left default... apk
;
;============================================================================================================
"MaxSOACacheEntryTtlLimit"=dword:00000078
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/windows/2000/server/reskit/en-us/cnet/cncf_imp_sykl.asp
;
;The maximum number of seconds that the resolver cache caches any SOA records. This value overrides any
;TTL value greater than itself for a specific SOA record that is returned from a DNS query.
;
;SOA records are essential for dynamic updates; therefore, they are not cached for long, to ensure that
;the most up-to-date record data is available for the DNS start of authority.
;
;Acceptable Parameter Ranges -> 0-0xFFFFFFFF
;
;DEFAULT = 120 (2 minutes) & this is in seconds... apk
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Left default... apk
;
;============================================================================================================
"NegativeSOACacheTime"=dword:00000078
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/windows/2000/server/reskit/en-us/cnet/cncf_imp_sykl.asp
;
;This parameter can be used to control the cache time for negative Start of Authority (SOA) records.
;DNS registrations that fail are retried at five and ten minutes, so if this value is set to five minutes
;or more, retries are answered negatively from cache, instead of from the server, which could be available.
;
;Acceptable Parameter Ranges: 0-0xFFFFFFFF (the suggested value is less than five minutes)
;
;Default: 0x78 (120 decimal, or 2 minutes) in seconds... apk
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: default left... apk
;
;============================================================================================================
"NegativeCacheTime"=dword:0000012c
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/windows/2000/server/reskit/en-us/cnet/cncf_imp_sykl.asp
;
;This parameter can be used to control the cache time for negative records.
;
;Acceptable Parameter Ranges -> 0-0xFFFFFFFF
; (the suggested value is less than one day, to prevent very stale records)
;
;DEFAULT = 0x12c (300 decimal, or 5 minutes) & this is done in seconds... apk
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: default left... apk
;
;============================================================================================================
"AdapterTimeoutCacheTime"=dword:0000012C
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/windows/2000/server/reskit/en-us/cnet/cncf_imp_sykl.asp
;
;The amount of time that a particular adapter on a multihomed machine is disabled when a DNS query attempt
;fails (times out) for all of the given adapter's DNS servers. For instance, if you have two adapters and
;the DNS servers on one of the networks are unreachable, mark the adapter as unusable for this time period.
;
; (A Plug and Play event or cache time-out forces the resolver to retry this interface and mark it as
;disabled, if needed.)
;
;Acceptable Parameter Ranges -> 0-0xFFFFFFFF
;
;DEFAULT = 300 (5 minutes) done in seconds... apk
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: default left... apk
;
;============================================================================================================
"DefaultRegistrationRefreshInterval"=dword:00015180
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/windows/2000/server/reskit/en-us/cnet/cncf_imp_sykl.asp
;
;This parameter can be used to control the dynamic DNS registration refresh interval.
;
;Acceptable Parameter Ranges -> 0-0xFFFFFFFF
;
;DEFAULT = 0x15180 (86400 decimal, or 24 hours) done in seconds... apk
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: default left... apk
;
;============================================================================================================
"NetFailureErrorPopupLimit"=dword:00000000
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/windows/2000/server/reskit/en-us/cnet/cncf_imp_sykl.asp
;
;This parameter enables the UI popup to indicate that the DNS resolver was unable to query (reach) the
;configured DNS servers for a repeated number of query attempts.
;
;Acceptable Parameter Ranges -> 0, 1 (false, true)
;
;DEFAULT = 0 (false)
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: default left... apk
;
;============================================================================================================
"NetFailureCacheTime"=dword:0000001E
;------------------------------------------------------------------------------------------------------------
;
;http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/windows/2000/server/reskit/en-us/cnet/cncf_imp_sykl.asp
;
;This parameter is used to control the general network failure cache time. It prevents the resolver from
;querying for a period of time when it has been detected that a time-out error is occurring for queries
;against all known DNS servers. This avoids slowness (caused by time-outs) when the network does not respond.
;
;Acceptable Parameter Ranges -> 0-0xFFFFFFFF (suggested value is less than five minutes)
;
;DEFAULT = 0x1e (30 decimal) done in seconds... apk
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: default left... apk
;
;============================================================================================================

*****************************************************************

End DNSCache tuned parameter lists



APK

P.S.=> NetTrans is next... apk

Post #156131
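Before merging templates like the LanManWorkstation and DNSCache ones above, it is worth checking them mechanically: a dword that is not exactly eight hex digits, a stray trailing character, or a value name with surrounding whitespace will either be refused by regedit or create a different value than intended, and a number outside the documented range buys nothing. The following lint is an added example (not code from the original post): it parses the regedit 5.00 subset used in these templates, reports such syntax defects, compares dwords against the acceptable ranges quoted in the comments above, checks CacheHashTableSize for primality, and flags QueryIpMatching left at 0. The sample .reg text is constructed, and the LanmanWorkstation key path is the standard one rather than a line quoted in this section.

```python
"""Lint a regedit 5.00 tuning template against the ranges its own comments document.
Added example, not code from the original post. Only the .reg subset used in the
templates is understood: [key] headers, ;comments, dword, "string" and hex(N) values."""
import re

# Ranges quoted in the template comments (decimal, inclusive), matched by value name
# only, case-insensitively; the names are unique across the keys tuned here.
DOCUMENTED_RANGES = {
    "maxcmds": (50, 65535),
    "maxthreads": (0, 255),
    "maxcollectioncount": (0, 0xFFFF),
    "sizcharbuf": (64, 4096),
    "cachehashtablebucketsize": (0, 0x32),
    "queryipmatching": (0, 1),
    "disabledfs": (0, 1),
}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
# Capture any hex run plus whatever trails it, so a 7-digit value or a stray ';'
# is reported instead of silently skipped.
DWORD_RE = re.compile(r'^"(?P<name>[^"]*)"=dword:(?P<hex>[0-9A-Fa-f]*)(?P<rest>.*)$')
STRING_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<val>[^"]*)"\s*$')
BINARY_RE = re.compile(r'^"(?P<name>[^"]*)"=hex(\(\d+\))?:(?P<data>.*)$')


def is_prime(n):
    """CacheHashTableSize is documented as 'any prime number greater than 0'."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return False
        f += 2
    return True


def parse_reg(text):
    """Return (entries, problems): entries are (key, name, value) triples,
    problems are syntax findings for lines that would not merge as written."""
    entries, problems, key = [], [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = DWORD_RE.match(line)
        if m:
            name, hexval, rest = m.group("name"), m.group("hex"), m.group("rest")
            if len(hexval) != 8:
                problems.append(f"line {lineno}: dword for {name!r} has {len(hexval)} hex digits, expected 8")
            if rest.strip():
                problems.append(f"line {lineno}: trailing characters {rest.strip()!r} after dword for {name!r}")
            if hexval:
                entries.append((key, name, int(hexval, 16)))
            continue
        m = STRING_RE.match(line)
        if m:
            entries.append((key, m.group("name"), m.group("val")))
            continue
        m = BINARY_RE.match(line)
        if m:
            entries.append((key, m.group("name"), m.group("data")))
            continue
        problems.append(f"line {lineno}: unrecognised line {line!r}")
    return entries, problems


def check_entries(entries):
    """Semantic findings on parsed entries (dword values only are range-checked)."""
    findings = []
    for _key, name, value in entries:
        if name != name.strip():
            findings.append(f"{name!r}: value name has surrounding whitespace; regedit would create a different value")
        lname = name.strip().lower()
        if not isinstance(value, int):
            continue
        rng = DOCUMENTED_RANGES.get(lname)
        if rng and not rng[0] <= value <= rng[1]:
            findings.append(f"{name}: {value} is outside the documented range {rng[0]}-{rng[1]}")
        if lname == "cachehashtablesize" and not is_prime(value):
            findings.append(f"{name}: {value} is not prime; the documented range is any prime > 0")
        if lname == "queryipmatching" and value == 0:
            findings.append(f"{name}: 0 leaves the resolver accepting responses from servers it did not query; 1 is the secure setting")
    return findings


def lint_reg(text):
    entries, problems = parse_reg(text)
    return problems + check_entries(entries)


# Constructed excerpt mixing the templates' good lines with the defective ones discussed above.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters]
"MaxCmds"=dword:0000003C
"MaxThreads"=dword:0000003C
"SizCharBuf"=dword:00000300
"OtherDomains"=hex(7):00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters]
;BELOW = Special Case - IF 1/on, more secure. If 0/off, faster performance...
"QueryIPMatching"=dword:0000000;
"CacheHashTableSize"=dword:000000D3
"MaxCacheEntryTtlLimit "=dword:00015180
"CacheHashTableBucketSize"=dword:0000000A
"""

if __name__ == "__main__":
    for finding in lint_reg(SAMPLE_REG):
        print(finding)
```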
Alec§taar
2005-01-27 16:30:49

NetTrans PARAMETERS TUNED and DOCUMENTED:

(Again, copy between the FIRST & LAST ASTERISKED ( " * " ) LINES AND PASTE INTO NOTEPAD.EXE, AND USE FILE MENU, SAVE AS SUBMENU, TYPE ALL FILES (vs. .txt) TO CREATE THIS AFD TEMPLATE & THEN DOUBLECLICK THE FILENAME IN EXPLORER.EXE TO MERGE IT INTO YOUR REGISTRY & REBOOT FOR IT TO BE EFFECTIVE! )

*****************************************************************

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Class\NetTrans]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Class\NetTrans\0000]
"PerformRouterDiscovery"=dword:00000000
"MaxMTU"=dword:000005dc
"MTU"=dword:000005b0
"MaxMSS"=dword:000005b4
"MSS"=dword:000005b4
"RWIN"=dword:00001f8e

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Class\NetTrans\0001]
"PerformRouterDiscovery"=dword:00000000
"MaxMTU"=dword:000005dc
"MTU"=dword:000005b0
"RWIN"=dword:00001f8e
"MSS"=dword:000005b4
"MaxMSS"=dword:000005b4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Class\NetTrans\0002]
"PerformRouterDiscovery"=dword:00000000
"MaxMTU"=dword:000005dc
"MTU"=dword:000005b0
"MaxMSS"=dword:000005b4
"MSS"=dword:000005b4
"RWIN"=dword:00001f8e

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Class\NetTrans\0003]
"PerformRouterDiscovery"=dword:00000000
"MaxMTU"=dword:000005dc
"MTU"=dword:000005b0
"MaxMSS"=dword:000005b4
"MSS"=dword:000005b4
"RWIN"=dword:00001f8e

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Class\NetTrans\0004]
"PerformRouterDiscovery"=dword:00000000
"MaxMTU"=dword:000005dc
"MTU"=dword:000005b0
"MaxMSS"=dword:000005b4
"MSS"=dword:000005b4
"RWIN"=dword:00001f8e

*****************************************************************

END NetTrans tuning parameters list




* MaxMTU, MTU, MaxMSS, MSS, & RWIN are covered in the Tcp/IP parameters document - PAY ATTENTION, as these VARY from Cablemodem/DSL to dialup accounts sizes for best performance & efficiencies possible & also can conflict with other Tcp/IP settings!

(However, above, for the ones they possibly CAN fight with one another instead of WORKING TOGETHER? Well, those are ALL put RIGHT NEXT to each other in the APKTcpIP.reg file's documentation so you can instantly reference each since they work with or against one another easily for tuning for speed)

APK

P.S.=> Additionally? The MaxMTU, MTU, MaxMSS, MSS, & RWIN can also be put into tcp/ip parameters interfaces entries (interfaces are basically just datastructures with pointers to functions via GUIDS so the system can initialize itself properly)...

MrXSMB is next & LAST one!

apk

Post #156132
Alec§taar
2005-01-27 16:37:34

MrXSmb PARAMETERS TUNED and DOCUMENTED:

(Again, copy between the FIRST & LAST ASTERISKED ( " * " ) LINES AND PASTE INTO NOTEPAD.EXE, AND USE FILE MENU, SAVE AS SUBMENU, TYPE ALL FILES (vs. .txt) TO CREATE THIS AFD TEMPLATE & THEN DOUBLECLICK THE FILENAME IN EXPLORER.EXE TO MERGE IT INTO YOUR REGISTRY & REBOOT FOR IT TO BE EFFECTIVE! )

*****************************************************************

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxSmb\Parameters]
;============================================================================================================
"EnablePlainTextPassword"=dword:00000000
;------------------------------------------------------------------------------------------------------------
;
;Determines whether the SMB redirector can send unencrypted passwords to servers that request them.
;The SMB redirector always sends encrypted passwords unless a server specifically requests an
;unencrypted password. If the value of this entry is 0, the SMB redirector sends only encrypted
;passwords. If a server requests an unencrypted password, the request fails. However, you can
;set the value of this entry to 1 to force the redirector to send an unencrypted password when
;a server requests one. This permits you to connect to SMB servers that do not support password
;encryption, such as Samba, Hewlett-Packard (HP) LM/X, or LAN Manager for UNIX. Microsoft SMB
;servers never request unencrypted passwords.
;
;HKLM\SYSTEM\CurrentControlSet\Services\MRxSmb\Parameters
;
;Acceptable Parameter Ranges -> 0 | 1
;
;0 = The SMB redirector sends encrypted passwords only. Requests for unencrypted passwords fail.
;1 = The SMB redirector can send unencrypted passwords to servers that request them.
;
;DEFAULT = 0 (Use this, you always want non-plain text that is encrypted for security purposes... apk)
;
;Windows 2000 does not add this entry to the registry.
;This entry is supported only by Windows NT 4.0 with Service Pack 3 and later.
;
;============================================================================================================

*****************************************************************

End MrXSmb tuned parameters list

THAT'S IT FOLKS! Enjoy...

Hope you find having "prebuilt/prefab" & FULLY documented .reg file templates USEFUL for speeding up tweaking & tuning your systems setups into very fast & yet VERY secure online setups!

(I made these fully documented & tuned (whether I did or not is in EACH one & noted as such per MS documentation) to save time tweaking & tuning @ home for my systems, now you can also using these... )

apk

Post #156133
Alec§taar
Account Disabled


Posts: 207
From: A discrete point in the Space-Time Continuum...
Joined: 2001-04-17
Member No.: 5614
2005-01-27 18:01:45

WHOOPS! One more...

RDR Parameters tuning documented entries per MS .reg file template:

*****************************************************************

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rdr\Parameters]
;============================================================================================================
"enablesecuritysignature"=dword:00000001
"requiresecuritysignature"=dword:00000001
;------------------------------------------------------------------------------------------------------------
;
;http://support.microsoft.com/kb/161372/EN-US/
;
;These parameters configure SMB signing on a workstation for added security... apk
;
;DEFAULT = 0
;
;0 = no security signature generation is performed/off
;
;1 = security signature generation IS performed/on (costs 15% performance hit, but worth security)
;
;This is "tweaked" for greater security while passing packets/cells/datagrams around networks... apk
;
;============================================================================================================

*****************************************************************

End RDR tweak/tune .reg file template entries data



APK

P.S.=> That's ALL of them, finally... ugh, lotta work + research! apk

Post #156141
Alec§taar
Account Disabled


Posts: 207
From: A discrete point in the Space-Time Continuum...
Joined: 2001-04-17
Member No.: 5614
2005-01-27 18:15:59

For anyone looking these prebuilt .reg files over? Two things:

1.) IF you see ANY you question? Correct me here...

Put in another post here in this thread regarding WHICH .reg file & which entry in it might need correction!

----------------------------------------------------------------------------------------------------------------------------------

(And, since I see you here RIGHT NOW SNAKEFOOT, & yes, this means YOU man... I could use a bit of feedback if you are into this stuff & I KNOW you are in particular! )

* Snakefoot, I say that because since I know you've mentioned in the past that my older tuning articles have some "deprecated" (older/outta date for Windows NT-based Os' past NT 4.0 etc. &/or 9x entries) stuff in them & that happens over time, things change in the MS implementation of the Tcp/IP stack, especially between OS types/families (9x vs. NT type for instance).

However: This set of these for prebuilt .reg file templates truly SHOULD be free of those & 'up-to-date' for Windows 2000/XP/2003!

----------------------------------------------------------------------------------------------------------------------------------

ALSO, SnakeFoot (or others):

2.) IF you can find the 5-6 entries for various ones definitions & parameters above & beyond the defaults that I left as default noting I could not find GOOD SOLID definitions for them in some categories/.reg file templates?



That would be VERY cool!

APK

P.S.=> There were a few I could not find defs for online thru them above so they were left default... & I am not TOTALLY 110% sure NetTrans or RDR is still useable & valid, BUT it (NetTrans) is there in Windows Server 2003, so odds are? It is... apk

Post #156144
Lotus
Senior Member


Posts: 286
From: East Coast
Joined: 2001-07-17
Member No.: 6444
2005-01-28 08:32:39

Wow, this thread is an "above and beyond" type post Alec. I imagine you put in many hours to research this and get it all posted. I give you props man. Hell, it took me a long time just to read through it hehe.

Anyway, great post! Very informative.

- Lotus

Post #156190
Alec§taar
Account Disabled


Posts: 207
From: A discrete point in the Space-Time Continuum...
Joined: 2001-04-17
Member No.: 5614
2005-01-28 12:28:31

Originally posted by Lotus:
"Wow, this thread is an "above and beyond" type post Alec. I imagine you put in many hours to research this and get it all posted. I give you props man. Hell, it took me a long time just to read through it hehe.

Anyway, great post! Very informative.

- Lotus"


The read is long, but I intended it for "home tweaking use" right as you install your OS, saving time for tweaking by having settings you tune to your connection & hardware thru this prebuilt setup, which is largely default + some security & speed tunes in each .reg file section of the registry.

(And, it's really for my own records of this online as well since creating the prebuilt .reg files (with all settings FULLY documented for tuning for speed or security) only takes minutes of "cut-N-paste" work with notepad.exe & then merging them into your registry via Explorer.exe double-clicks.)

I tell you - Here? This saves me massive time having prebuilt ones I have tuned already, & if the documentation for the settings is inside the .reg file as this one is?? You have INSTA-REFERENCE (as to how far & why you would tune things with their legal/valid parameters for each setting from the "horses' mouth" Microsoft!)



* Enjoy for anyone into tuning IP settings (& all things networking for speed & security really in a Windows based Os for networking + online) using these as your prebuilt, every time you do a system instant tweaks for them saving you the same time it saves me!

APK

P.S.=> If you want to read it? Go for it, & you have all the references right there, but the main idea?? A template system for anyone that might do this as I do in "1 fell swoop" @ system installation time... apk

Post #156204
Alec§taar
Account Disabled


Posts: 207
From: A discrete point in the Space-Time Continuum...
Joined: 2001-04-17
Member No.: 5614
2005-01-29 09:06:08

Found definitions for the 3 missing them above for AFD entries:

****************************************************************************************************

AFD MaxActiveTransmitFileCount, DisableRawSecurity, & BufferMultiplier entries definitions & defaults

;============================================================================================================

"MaxActiveTransmitFileCount"=dword:00000004
;------------------------------------------------------------------------------------------------------------
;
;http://www.winntmag.com/Windows/Articles/ArticleID/2816/pg/4/4.html
;
;Per Dr. Mark Russinovich: AFD.sys modifies a variable according to the product type. This change occurs
;where this driver sets the limit on simultaneous network file transfers to 2 if it is running on Workstation.
;
;But afd.sys checks the Registry entry:
;\hkey_local_machine\system\current controlset\control\services\afd\parameters\maxactivetransmitfilecount
;
;for the limit, if afd.sys is running on Server.
;
;This variation exists purely to limit the functionality of Workstation, rather than to optimize performance.
;
;DEFAULT = 2 on workstation, but you can raise it for server-class Os like Windows Server 2003... apk
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: upped it to 4 here... apk
;
;============================================================================================================
"DisableRawSecurity"=dword:00000000
;------------------------------------------------------------------------------------------------------------
;
;http://support.microsoft.com/kb/q195445/
;
;In Windows 2000, there is no way to disable this security check. Access to Raw Sockets is granted on a
;per-transport basis. For the address family AF_INET, only administrators have the access necessary to
;create Raw Sockets.
;
;DEFAULT = To work around this problem in Windows NT 4.0, you can disable the security check on RAW sockets
; by creating the above DisableRawSecurity registry variable and setting its value to DWORD 1:
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: 0 default, no reason to disable this security feature
;
;============================================================================================================
"BufferMultiplier"=dword:00000200
;------------------------------------------------------------------------------------------------------------
;
;http://archives.neohapsis.com/archives/ntbugtraq/1998-1999/msg00157.html
;
;DefaultReceiveWindow and DefaultSendWindow (from above) get divided by this value to determine how many
;messages can be sent/received before flow control is imposed.
;
;DEFAULT = 512 decimal/200 hex
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: left default
;
;============================================================================================================

****************************************************************************************************

LanManServer AutoDisconnect & EnableForcedLogoff missing ones

;============================================================================================================
;============================================================================================================
;"autodisconnect"=dword:ffffffff
;------------------------------------------------------------------------------------------------------------
;
;http://support.microsoft.com/default.aspx?scid=kb;EN-US;q138365
;
;Windows NT and Windows 2000 use two different Autodisconnect parameters; one for disconnecting Remote
;Access Service (RAS) connections and another for disconnecting LAN connections.
;
;The RAS Autodisconnect parameter is documented in the Microsoft Knowledge Base article Q153944, but the
;LAN version is undocumented.
;
;The only published reference to this Autodisconnect is in the Windows NT Resource Kit NT Registry Entries
;help file, in an overview of entries for the LanmanServer Parameters section.
;
;The purpose is to disconnect idle sessions after a set number of minutes.
;
;The number of minutes can be set at a command prompt using the net config server command.
;
;For example, to set the Autodisconnect value to 30 minutes, you would run the following command line:
;
;net config server /autodisconnect:30
;
;The valid value range is -1 to 65535 minutes at the command line.
;
;To disable Autodisconnect set it to -1.
;
;Setting Autodisconnect to 0 does not turn it off and results in very fast disconnects, within a few seconds
;of idle time. (However, the RAS Autodisconnect parameter is turned off if you set it to a value of 0.)
;
;DEFAULT: Uncertain, read above (sounds like -1 is a GOOD idea though OR upper limit 4294967295/ffff ffff)
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: -1 due to above statements & URL... apk
;
;============================================================================================================
"enableforcedlogoff"=dword:00000001
;------------------------------------------------------------------------------------------------------------
;
;Turns on the above parameter it seems like
;
;Description - Unsure so left it commented off... apk
;
;DEFAULT unsure, lookup @ Microsoft again or GOOGLE... apk
;
;TWEAK PARAMETERS GUIDE FOR ACTUAL SETTING + REASONING: Unsure, but sounds like 1 is a good idea... apk
;
;============================================================================================================



* LOOKS COMPLETE NOW WITH THOSE 5 entries being found & accounted for as to their definitions...

(So, if you do this type of thing? Well, have @ it! You now have a COMPLETELY DOCUMENTED REGISTRY .reg FILE INSERT SET YOU CAN TUNE TO YOUR SETUP & PREFAB INTO .reg FILES for instant tuning of any setup you do in the future using Windows 2000/XP/2003... )

Saves time!

APK

Post #156272
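Before merging .reg templates like the MrXSmb, RDR and AFD ones in the posts above, it is worth checking mechanically that nothing in the file has undone the security settings those posts document (plaintext SMB passwords off, SMB signing on and required, the raw-socket security check left enabled). The following is an added example, not the thread author's code: a small Python auditor that parses .reg text, skips `;` comment lines (so a disabled `;"autodisconnect"=...` entry is correctly ignored), and compares the dword entries under each key against a policy table. The POLICY table and the sample .reg text are constructed for this example from the values documented in the thread; the `HKLM\SYSTEM\CurrentControlSet\Services\AFD\Parameters` key path is the standard AFD parameters key and is assumed here rather than copied from the thread.

```python
"""Audit a Windows .reg template for the security-relevant entries documented in this thread.

Added example (not the thread author's code). Parses .reg text, ignores ';' comment
lines, collects "name"=dword:... entries under their [HKEY...] key, and compares a few
entries against the values the thread documents as secure. POLICY and the sample
templates below are constructed for this example.
"""
import re
from typing import Dict, List, Tuple

# Key path -> {entry name (lowercased) -> (expected value, reason)}.
# Values are the ones the thread's templates document; the table itself is this example's.
POLICY = {
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxSmb\Parameters": {
        "enableplaintextpassword": (0, "redirector must never send plaintext passwords"),
    },
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rdr\Parameters": {
        "enablesecuritysignature": (1, "SMB signing should be enabled"),
        "requiresecuritysignature": (1, "SMB signing should be required"),
    },
    # Assumed standard AFD parameters key (the thread quotes a garbled path).
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters": {
        "disablerawsecurity": (0, "raw-socket security check must stay enabled"),
    },
}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{1,8})$')


def parse_reg(text: str) -> Dict[str, Dict[str, int]]:
    """Return {key path: {entry name lowercased: int value}} for dword entries.

    Lines beginning with ';' are comments; regedit ignores them, and a leading ';'
    is how the thread disables an entry, so they are skipped here too.
    """
    result: Dict[str, Dict[str, int]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("Windows Registry Editor") or line.startswith("REGEDIT4"):
            continue  # file header, not an entry
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, {})
            continue
        m = _DWORD_RE.match(line)
        if m and current is not None:
            result[current][m.group(1).lower()] = int(m.group(2), 16)
    return result


def audit(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, entry, finding) for each policy entry that is missing or wrong."""
    parsed = parse_reg(text)
    by_lower = {k.lower(): v for k, v in parsed.items()}  # key paths are case-insensitive
    findings: List[Tuple[str, str, str]] = []
    for key, entries in POLICY.items():
        present = by_lower.get(key.lower())
        for name, (expected, reason) in entries.items():
            if present is None or name not in present:
                findings.append((key, name, f"missing (expected {expected}: {reason})"))
            elif present[name] != expected:
                findings.append((key, name, f"is {present[name]}, expected {expected}: {reason}"))
    return findings


# Constructed sample: the thread's secure settings merged into one template.
SECURE_TEMPLATE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxSmb\Parameters]
;============================================================
"EnablePlainTextPassword"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rdr\Parameters]
"enablesecuritysignature"=dword:00000001
"requiresecuritysignature"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters]
"DisableRawSecurity"=dword:00000000
;"DisableRawSecurity"=dword:00000001
"""

# Constructed sample: the same file with two settings weakened.
WEAKENED_TEMPLATE = SECURE_TEMPLATE.replace(
    '"EnablePlainTextPassword"=dword:00000000', '"EnablePlainTextPassword"=dword:00000001'
).replace(
    '"requiresecuritysignature"=dword:00000001', '"requiresecuritysignature"=dword:00000000'
)

if __name__ == "__main__":
    for key, name, finding in audit(WEAKENED_TEMPLATE):
        print(f"{key}\\{name}: {finding}")
```

Run it against a template before double-clicking it into the registry; an empty result from `audit()` means every policy entry is present under its key with the documented value, while a commented-out entry is reported as missing rather than silently accepted.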
Alec§taar
Account Disabled


Posts: 207
From: A discrete point in the Space-Time Continuum...
Joined: 2001-04-17
Member No.: 5614
2005-01-30 07:36:30

Found out some NEAT things last night, while hauling in NERO "burning ROM" updates 6.6.0.3 & Nero InCD updates 4.3.11.1 (fairly large files that weigh in @ 37mb & 11mb each):

When you set the AFD "DefaultReceiveWindow" + "DefaultSendWindow", they seem to perform best (here @ least) @ the 8192 setting along with making RWIN equal to that SAME 8192 helps a lot!

AFD settings (in decimal values):
----------------------------------------------------------------

DefaultReceiveWindow = 8192
DefaultSendWindow = 8192

Tcp/IP Parameters Interfaces & NetTrans (in decimal values):
----------------------------------------------------------------

RWIN = 8192


Matching AFD's DefaultReceiveWindow & DefaultSendWindow WITH the RWIN setting with all of them @ 8192 seems to aid in stability bigtime!

=================================================================

It doesn't end there!

More of what I found related to MTU/MaxMTU, & MSS/MaxMSS settings for Tcp/IP parameters interfaces & NetTrans where they exist as well!

ALSO, matching MTU with TcpRecvSegmentSize + TcpSendSegmentSize @ 1460 (after making your calculations for MTU that is what I came up with doing ping -l -f tests to my default gateway from my ISP) seems to help as well.

Tcp/IP interfaces & NetTrans (in decimal values):
-----------------------------------------------------------------

MTU = 1460
MaxMTU = 1500
MSS = 1460
MaxMSS = 1460


SO, how did I find here that doing ALL that helps here? Simple, & in a BIG way:

STABILITY over a larger download! I was able to haul them in on 56k dialup @ a steady 4.8kbps over their course/size w/out it breaking down & having to resume the download!



* Keep this in mind, it works!

APK

P.S.=> It also seemed that "upping" DefaultTTL to 256 (in decimal values) helps as well for dialup connection stability also... apk

Post #156361
fugly
Junior Member


Posts: 3
Joined: 2006-01-31
Member No.: 77696
2006-01-31 20:34:47

? wth is the rest of the post at?

Post #170324
Wilhelmus
Senior Member


Posts: 836
From: Finland / Suomi
Joined: 2004-12-21
Member No.: 51792
2006-02-01 08:33:02

Member who posted that guide, got deleted.

Post #170339
fugly
Junior Member


Posts: 3
Joined: 2006-01-31
Member No.: 77696
2006-02-01 17:33:35

ah that sucks is it archived somewhere?

Post #170356
Sampson
Senior Member


Posts: 1352
Joined: 2001-12-18
Member No.: 8092
2006-02-01 18:46:07

It has been a long time since I looked at those files (it was not just one post but several). As I recall it was an extended hosts file that was primarily set up for a computer with a phone modem. It was enormous. Perhaps, if you could detail what you are looking for (I suppose in the way of better security), there are some very knowledgeable people here who could point you in a particular direction.

Post #170358
snakefoot
Member


Posts: 79
Joined: 2001-11-09
Member No.: 7686
2006-02-01 21:10:38

Originally posted by Wilhelmus:
"Member who posted that guide, got deleted."

Sure looks funny with all those threads, where half the contents now have been removed. Can you point me to a post explaining the cause of this? (*Update* Found a Thread, seems to be a touchy subject)

Most of the network stuff described was taken from these pages:

TCP/IP and NBT Configuration Parameters for Windows XP (Q314053)
HOW TO: Harden the TCP/IP Stack Against Denial of Service Attacks in Windows Server 2003 (Q324270)
Microsoft Windows Server 2003 TCP/IP Implementation Details

The AlecStar/APK Homepage is still up.

Post #170360

© 1998-2009 Esselbach Internet Solutions - All Rights Reserved. Terms and privacy policy