102
Countermeasure:
The suggested value for a system under heavy attack is memory dependent. This
value should not exceed 5000 for each 32 MB of RAM installed in the server, in order to prevent
exhaustion of non-paged pool when under attack. As a starting point, evaluate system performance
after configuring MSS: (AFD MaximumDynamicBacklog) Maximum number of ’quasi-free’ connections
for Winsock applications to a value of 20000. The possible values for this Registry value are:
•
1
to
0xFFFFFFFF
; default is
0
In the SCE UI, the following list of options appears:
•
10000
•
15000
•
20000 (recommended)
•
40000
•
80000
•
160000
•
Not Defined
Potential Impact:
Setting this value to too large a number could cause a large amount of system
resources to be assigned to allocating additional free connections that may not actually be needed.
This could lead to poor performance or a DoS condition.
2.8.6.3
NetBIOS Settings
Configure NetBIOS Name Release Security: (NoNameReleaseOnDemand)
Allow the computer to ignore NetBIOS name release requests except
from WINS servers
This entry appears as
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name
release requests except from WINS servers
in the SCE-network basic input/output system (NetBIOS)
over TCP/IP is a networking protocol that, among other things, provides a means of easily resolving
NetBIOS names registered on Windows-based systems to the IP addresses configured on those
systems. This value determines whether the computer releases its NetBIOS name when it receives a
name-release request. The following registry value entry was added to the template file to the
following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netbt\Parameters\
Subkey Registry Value Entry
Format
Recommended Value (Decimal)
NoNameReleaseOnDemand DWORD
1
Vulnerability:
The NetBIOS over TCP/IP (NetBT) protocol is designed not to use authentication,
and is therefore vulnerable to spoofing. Spoofing is the practice of making a transmission appear to
come from a user other than the user who performed the action. A malicious user could exploit the
unauthenticated nature of the protocol to send a name-conflict datagram to a target computer,
causing it to relinquish its name and stop responding to queries. The result of such an attack could be
to cause intermittent connectivity issues on the target system, or even to prevent the use of Network
Neighborhood, domain logons, the net send command, or further NetBIOS name resolution. For
more information, see Knowledge Base article Q269239, "MS00-047: NetBIOS Vulnerability May
Cause Duplicate Name on the Network Conflicts."
