Disable Recent Shares in Network Places

This restriction stops remote shared folders from being added to Network Places whenever you open a document in the shared folder.

Open your registry and find the key below.

Create a new DWORD value, or modify the existing value called 'NoRecentDocsNetHood' using the settings below.

Exit your registry; you may need to restart or log out of Windows for the change to take effect.


Settings:
User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Name: NoRecentDocsNetHood
Type: REG_DWORD (DWORD Value)
Value: (0 = track shares, 1 = disable tracking)

Protect Against SYN Flood Attacks

Windows includes protection that allows it to detect and adjust when the system is being targeted with a SYN flood attack (a type of denial of service attack). When enabled the connection responses time out more quickly in the event of an attack.

Open your registry and find the key below.

Create a new DWORD value called "SynAttackProtect" and set it to either 0, 1 or 2 based on the table below.

This value causes Transmission Control Protocol (TCP) to adjust the retransmission of SYN-ACKs. When you configure this value, the connection responses time out more quickly in the event of a SYN attack (a type of denial of service attack).

0 (default) - typical protection against SYN attacks.
1 - better protection against SYN attacks; uses the advanced values below.
2 (recommended) - best protection against SYN attacks. This value adds additional delays to connection indications, and TCP connection requests time out quickly when a SYN attack is in progress.

Optional Advanced Values
For extra control you can create these additional DWORD values in the same key for each of the items below. They are not required for SynAttackProtect to be effective.

TcpMaxHalfOpen - default value is "100"
TcpMaxHalfOpenRetried - default value is "80"
TcpMaxPortsExhausted - default value is "5"
TcpMaxConnectResponseRetransmissions - default value is "3"

Restart Windows for the changes to take effect.

Note: When SynAttackProtect is set to the best protection option (2), scalable windows and the TCP parameters configured on each adapter (including initial RTT and window size) are no longer available.


Settings:
System Key: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
Name: SynAttackProtect
Type: REG_DWORD (DWORD Value)
Value: (0 = typical protection, 1 = better protection, 2 = best protection)

Disable DHCP Router Discovery

The ICMP Router Discovery Protocol (IRDP) comes enabled by default for Windows clients using DHCP. This can be a security issue because by spoofing IRDP Router Advertisements, an attacker can remotely add default route entries on a remote system.

Open your registry and find the key below for your operating system.

Windows 95, 98 and Me
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Class\NetTrans\####]

Where #### is the protocol binding for TCP/IP. More than one TCP/IP binding may exist.

Windows NT, 2000 and XP
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]

Create a new DWORD value called "PerformRouterDiscovery" and set the value to equal "0" to disable router discovery.

Restart Windows for the change to take effect.

Note: It is recommended that you disable this value as it is a possible security flaw in the DHCP service.


Settings:
System Key: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
Name: PerformRouterDiscovery
Type: REG_DWORD (DWORD Value)
Value: (0 = disabled, 1 = enabled)

Harden the TCP/IP Stack for Denial of Service Attacks

Denial of service attacks are network attacks that are aimed at making a computer or a particular service unavailable to network users. These settings can be used to increase the ability for Windows to defend against these attacks when connected directly to the Internet.

Open your registry and find the key below.

Create the following DWORD values and set them according to the table below.

EnableDeadGWDetect = "0" (default = 1)
Disables dead-gateway detection, as an attack could force the server to switch gateways.

EnableICMPRedirect = "0" (default = 1)
Stops Windows from altering its route table in response to ICMP redirect messages. Some documentation lists this value as "EnableICMPRedirects", but according to Microsoft it should be "EnableICMPRedirect" with no trailing "s".

EnablePMTUDiscovery = "0" (default = 1)
Disables path maximum transmission unit (MTU) discovery, as an attacker could force the MTU down to a very small value and overwork the stack.

KeepAliveTime = "300,000" (default = 7,200,000)
Reduces the time (in milliseconds) that TCP waits before verifying that an idle connection is still intact by sending a keep-alive packet.

NoNameReleaseOnDemand = "1" (default = 0)
Protects the computer against malicious NetBIOS name-release attacks.

PerformRouterDiscovery = "0" (default = 1)
Disables the ICMP Router Discovery Protocol (IRDP), through which an attacker could remotely add default route entries on a remote system.

SynAttackProtect = "2" (default = 0)
Automatically adds additional delays to connection indications, and TCP connection requests time out quickly when a SYN attack is in progress.

Restart Windows for the changes to take effect.

Note: These values will not give the best performance due to additional checking and less optimization, but they will provide greater protection against attacks.


Settings:
System Key: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
Name: EnableDeadGWDetect, EnableICMPRedirect, EnablePMTUDiscovery, KeepAliveTime, NoNameReleaseOnDemand, PerformRouterDiscovery, SynAttackProtect
Type: REG_DWORD (DWORD Value)
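The following PowerShell script is an added example, not part of the original page: it audits the Tcpip\Parameters key against the values recommended in this section (which also cover the SYN flood and router discovery sections above), reports any drift from the recommended settings, and can apply them. It assumes an elevated session and that the values and defaults are the ones listed on this page; note that on Windows Vista/Server 2008 and later the rewritten TCP/IP stack no longer honours SynAttackProtect, so this is aimed at the Windows 2000/XP/2003-era systems the page describes.

```powershell
# Added example (not from the original page). Audit and optionally apply the
# TCP/IP hardening values described above. Run in an elevated PowerShell session.
$tcpipKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# Recommended values from the page; defaults listed for reference.
# KeepAliveTime is in milliseconds.
$baseline = @{
    EnableDeadGWDetect     = @{ Recommended = 0;      Default = 1 }
    EnableICMPRedirect     = @{ Recommended = 0;      Default = 1 }   # no trailing "s"
    EnablePMTUDiscovery    = @{ Recommended = 0;      Default = 1 }
    KeepAliveTime          = @{ Recommended = 300000; Default = 7200000 }
    NoNameReleaseOnDemand  = @{ Recommended = 1;      Default = 0 }
    PerformRouterDiscovery = @{ Recommended = 0;      Default = 1 }
    SynAttackProtect       = @{ Recommended = 2;      Default = 0 }
}

function Get-TcpipHardeningStatus {
    # One row per value: what is set now (or the documented default if the
    # value is absent), what the page recommends, and whether they match.
    foreach ($name in ($baseline.Keys | Sort-Object)) {
        $spec    = $baseline[$name]
        $current = (Get-ItemProperty -Path $tcpipKey -Name $name -ErrorAction SilentlyContinue).$name
        $shown   = $current
        if ($null -eq $current) { $shown = "(absent, default $($spec.Default))" }
        New-Object PSObject -Property @{
            Name        = $name
            Current     = $shown
            Recommended = $spec.Recommended
            Compliant   = ($current -eq $spec.Recommended)
        }
    }
}

function Set-TcpipHardening {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($name in $baseline.Keys) {
        $value = $baseline[$name].Recommended
        if ($PSCmdlet.ShouldProcess("$tcpipKey\$name", "Set REG_DWORD to $value")) {
            # Creates the value if it is absent, overwrites it if present.
            Set-ItemProperty -Path $tcpipKey -Name $name -Value $value -Type DWord
        }
    }
    Write-Warning 'Restart Windows for the changes to take effect.'
}

# Report drift; preview changes with "Set-TcpipHardening -WhatIf", apply with "Set-TcpipHardening".
Get-TcpipHardeningStatus | Format-Table Name, Current, Recommended, Compliant -AutoSize
```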

Remove Log Off from the Start Menu

This tweak allows you to remove the Log Off [Username] option from the Start menu.

Open your registry and find the key below.

Create a new DWORD value, or modify the existing value called 'NoLogOff' using the settings below.

Exit your registry; you may need to restart or log out of Windows for the change to take effect.


Note: In older versions of Windows this value may be REG_BINARY.

Note: This setting relies on Internet Explorer 4.0 or greater being installed.


Settings:
User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Name: NoLogOff
Type: REG_DWORD (DWORD Value)
Value: (1 = no log off, 0 = show log off)