Thursday, December 31, 2015

Networking Restrictions to improve security

Networking Restrictions
http://hardenwindows8forsecurity.com/Harden%20Windows%208.1%2064bit%20Home.html

Updated 1/31/00

There are general restrictions you can make in Networking:

Start Regedit
Go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
Create a new key under Policies called Network
You can then add DWORD values set to 1 in the appropriate keys
To re-enable them, either delete the key or set the value to 0

DisablePwdCaching = Password Caching
HideSharePwds [hex] = Shared Passwords
NoEntireNetwork = Entire Network
NoNetSetup = Network applet
NoNetSetupIDPage = Network Identification tab
NoNetSetupSecurityPage = Network Access tab
NoFileSharing = Network File Sharing button
MinPwdLen = set Minimum Password Length (integer number: 0 - 99)
NoPrintSharing = Network Print Sharing button
NoWorkgroupContents = Network Workgroup

Tuesday, November 17, 2015

Disabled Windows services (blue) for best performance of the internet connection






Completely disable IPv4, IPv6 only for SYSTEM:
- Click Start –> run –> regedit
- Locate the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters
- In the details pane click New and then click DWORD (32-bit) Value.
- Type DisabledComponents, and then press ENTER.
- Double-click DisabledComponents, and then type 0xffffffff in Hexadecimal or 4294967295 in Decimal.
Note: The 0xffffffff value or the 4294967295 value disables all IPv6 components except for the IPv6 loopback interface.
http://support.microsoft.com/kb/929852
http://rmlinar.net/blog/2012/01/03/disable-ipv6-in-windows-server-2008-r2-all-editions/
http://www.ehow.com/how_8110801_disable-tcpip-properties-regedit.html
+ disable DNS in services.msc
Write the DNS IP manually in the properties of the adapter

regedit: ...services cryptsvc: set Start to 4 and change the rights of this key to admin only
Rename cryptsvc.dll to cryptsvc.dll.old

service netprofm start 4 (and others from logs windows\system32\winevt)

Thursday, October 22, 2015

ACKs in Windows

To configure the max outstanding ACKs in Windows XP/2003/Vista/2008/7:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{Adapter-id}]
TcpAckFrequency = 2 (Default=2, 1=Disables delayed ACK, 2-n = If n outstanding ACKs before timed interval, send ACK)

More Info MS KB328890
More Info MS KB815230 (XP/2003 needs hotfix or SP2 for it to work)
More Info MS KB935458 (Vista/2008 needs hotfix or SP1 for it to work)
More Info MS KB2020559 (Applies also to Win7/Win2008 R2)
To configure the interval timeout in Windows 2000/XP/2003:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{Adapter-id}]
TcpDelAckTicks = 1 (Default=2, 0=Disables delayed ACK, 1-6 = 100-600 ms)

More Info MS KB311833 (Win2000 requires SP3)
More Info MS KB321098
More Info MS KB321169
To configure the interval timeout in WinNT SP4 (Go to the Services-key and do a search for "TCPIP" to find the different adapters using TCPIP):
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{Adapter-Name}\Parameters\Tcpip]
TcpDelAckTicks = 1 (Default=2, 0=Disables nagling, 1-6 = 100-600 ms)


http://smallvoid.com/article/winnt-nagle-algorithm.html

Saturday, October 10, 2015

disable Chrome’s AppID

  • HKLM\Software\Classes\Chrome
  • HKLM\Software\Classes\ChromeHTML\open\command\DelegateExecute
When you delete the registry keys that enable DelegateExecute, you disable Chrome’s AppID. The problem is that when Chrome updates itself again, you may find that these keys have been re-created. In that case, you may have to delete these keys again.
Restart your Windows PC.
If this does not work, delete the start screen or start menu Chrome shortcut and navigate to the following folder:
C:\Users\username\AppData\Local\Google\Chrome\Application
Check if clicking on chrome.exe works. It should. If so, pin its shortcut to the start screen. It will now work correctly.

http://www.thewindowsclub.com/class-not-registered-chrome-exe-windows



remove harmful auto programs (and google chrome id)
http://greatis.com/unhackme/ru/download.htm

Sunday, September 20, 2015

IGMPVersion and IGMPLevel registry value

Hi,

We could try to add the IGMPVersion and IGMPLevel registry values in Windows 7. Please note: back up your registry settings before any modification.

1. Type “regedit”, then navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\

2. In the right pane, right-click and select New – DWORD (32-bit value), set its name as “IGMPVersion”, and set it to the value 4.

Version values:

2 – Support IGMP version 1

3 – Support IGMP version 2

4 – Support IGMP version 3 (default)

3. In the right pane, right-click and select New – DWORD (32-bit value), set its name as “IGMPLevel”, and set it to 2.

Level values:

0 – Disable Multicast support

1 – Support only sending IPv4 Multicast packets (do not receive)

2 – Fully participate in IGMP. Support sending and receiving Multicast packets (default)

Here is the reference download link for the IGMP values:


changes to TCP/IP registry values


http://www.microsoft.com/en-us/download/details.aspx?id=9152


Best regards

autorun tweak keys

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
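
An added example, not part of the original notes: it parses the text of a registry export and reports where the autorun keys above and the DisabledComponents value from the IPv6 note differ from the settings on this page, and decodes which drive types a NoDriveTypeAutoRun mask still leaves AutoRun enabled for. The sample export is constructed, the function names are hypothetical, and checking DisabledComponents only under Tcpip6\Parameters is an assumption of this example.

```python
import re

# Baseline from this page. Key: (registry key, value name); "@" is the default value.
BASELINE = {
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer",
     "NoDriveTypeAutoRun"): 0xFF,
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
     r"\IniFileMapping\Autorun.inf", "@"): "@SYS:DoesNotExist",
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters",
     "DisabledComponents"): 0xFFFFFFFF,  # assumption: checked under Tcpip6 only
}
# NoDriveTypeAutoRun is a bitmask: a set bit turns AutoRun off for that drive type.
DRIVE_BITS = {0x01: "unknown", 0x02: "no root dir", 0x04: "removable", 0x08: "fixed",
              0x10: "network", 0x20: "cd-rom", 0x40: "ram disk", 0x80: "reserved"}
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def parse_reg(text):
    """Parse .reg text into {key: {name: value}}; handles dword and string values only."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})  # names are case-insensitive
        elif current is not None and (m := VALUE_RE.match(line)):
            name, raw = m.group(1).strip('"').lower(), m.group(2)
            if raw.lower().startswith("dword:"):
                current[name] = int(raw[6:], 16)
            elif raw.startswith('"') and raw.endswith('"'):
                current[name] = raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return keys

def audit(text):
    """Return (key leaf, value name, found value) for baseline entries missing or different."""
    found = parse_reg(text)
    return [(key.rsplit("\\", 1)[-1], name, got)
            for (key, name), want in BASELINE.items()
            if (got := found.get(key.lower(), {}).get(name.lower())) != want]

def autorun_still_allowed(mask):
    return [label for bit, label in DRIVE_BITS.items() if not mask & bit]

# Constructed sample export: Explorer policy left at 0x91, Tcpip6 key absent.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
'''
print(audit(SAMPLE), autorun_still_allowed(0x91))
```

With the sample, the audit flags the Explorer policy (0x91 leaves AutoRun on for removable, fixed, CD-ROM and RAM-disk drives) and the missing DisabledComponents value.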

Saturday, September 5, 2015

Dnscache Parameters

If you find after a period of time that your browser seems sluggish with the DNS Client service enabled, you can manually flush the DNS cache.
Close all browser windows, then open a "Command Prompt" from the Start Menu > All Programs > Accessories > Command Prompt.
Type ipconfig /flushdns and press Enter, then close the Command Prompt.

A better Win7/Vista/XP workaround would be to add two Registry entries to control the amount of time the DNS cache is saved. (KB318803)
  • Flush the existing DNS cache (see above)
  • Start > Run (type) regedit
  • Navigate to the following location:
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters
  • Click Edit > New > DWORD Value (type) MaxCacheTtl
  • Click Edit > New > DWORD Value (type) MaxNegativeCacheTtl
  • Next right-click on the MaxCacheTtl entry (right pane) and select: Modify and change the value to 1
  • The MaxNegativeCacheTtl entry should already have a value of 0 (leave it that way - see screenshot)
  • Close Regedit and reboot ...
  • As usual, you should always back up your Registry before editing ... see Regedit Help under "Exporting Registry files"

Friday, September 4, 2015

arp network tweak

To keep from having to repeatedly perform ARP resolutions, Windows 2000 stores ARP bindings in a local cache on each networked computer. The lifetime of the entries in this cache is by default a mere two minutes. If you have systems in a local network that perform a great deal of peer-to-peer communication, and their IP addresses tend to remain static for a long time (for instance, if they aren't shut down often), it makes sense to increase the lifetime of entries in the cache. Otherwise, they expire unnecessarily.

Open the Registry and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters. Add a new DWORD entry named ArpCacheLife and set it to the total lifetime of each unreferenced cache entry in seconds. The default value is 120 seconds. The cache holds fifty entries by default, but will expand if needed.

Add another DWORD entry named ArpCacheMinReferencedLife. This governs how long an entry remains in the cache even if it has been referenced. The default value is 600 (for 600 seconds, or 10 minutes).

Another Windows 2000 ARP behavior that can be modified is the gratuitous ARP broadcast. When a Windows 2000 machine is first booted, it broadcasts an ARP packet containing that machine's TCP/IP address to make sure no other machine on the network is using the same IP address. If you are using DHCP, this is almost never needed, and can be disabled. Add or edit a DWORD entry in the same key listed above with the name ArpRetryCount and set it to 0. Be sure to reboot after making any of these changes.

By turning off gratuitous ARP broadcasts and changing the ARP cache lifetime, it's possible to significantly cut down on the amount of ARP "chatter" on a local network, and increase network performance by reducing the need for constant ARP re-resolutions.