First,..it is just not possible to protect against DoS Attacks,..at least
not all of them. All I have to do is overload the line's bandwidth with
nonsense traffic and I have DoS'ed you. The server can't do anything about
that, it just listens on the line, it doesn't control the line.
Second,...the things in that article only make the box itself *slightly*
less susceptible to a DoS Attack of certain types that are directed at the
box itself. So I just wouldn't direct them at the box itself. These things
would not stop me from bombing your router that sits between the server and
the Internet which would stop everything on that whole connection beyond
just that one server.
Anyway...
Go into the Properties of the NIC and uncheck the boxes for:
    Client for Microsoft Networks
    File & Print sharing
    QoS
In other words,...everything except TCP/IP
Now,...what is the server actually going to "serve"?
Shut off, or just don't install, anything that provides a network service
that isn't required for the job it is supposed to do.
Then on the things it is supposed to do,..securely configure that service
and application. For example, if it is a web server then securely configure
the Web Service (IIS) and then,...most important of all,...the web site's
code itself needs to be securely written. The code of the site itself is
often the "softest" spot of the whole works. It is the same for
Applications using an SQL Server backend,...and sometimes that Application
is also a Web Site as well, such as the case of database driven web sites.
Now I don't consider myself a security expert,..and I don't personally know
how to carry out those types of attacks I mentioned. I just try to
build/follow a common sense design and I try to not overcomplicate things.
The more you complicate things, the greater the chance you will "miss"
something important.
MS makes several "Best Practices Analyzers" designed for different products
and situations. They can be useful in finding flaws in your setup. Do a
search on MS's site for that and you should find more than one type.
--
Phillip Windell
www.wandtv.com
The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
"David Morgan" <(E-Mail Removed)> wrote in
message news:uYtjt3$(E-Mail Removed)...
> Hello
>
> I am trying to protect our Windows 2003 Servers, (some R2 and all up to
> date with patches), from DoS attacks. I have recently read this in a KB
> (http://support.microsoft.com/kb/324270).
>
> "The default TCP/IP stack configuration is tuned to handle standard
> intranet traffic. If you connect a computer directly to the Internet,
> Microsoft recommends that you harden the TCP/IP stack against denial of
> service attacks."
>
> However this article then goes on to say that various parameters should be
> set and that one, "SynAttackProtect", should automatically be set by SP1.
> Well none of my SP2 machines have this parameter present.
>
> It is mentioned again here
> http://technet2.microsoft.com/window....mspx?mfr=true.
>
> Do any of you guys have this parameter or have you added it manually,
> despite what the above links suggest should already be present?
>
> Thanks a lot
>
> David
>
>
>
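
One way to run the check asked about in the quoted question across several servers, as an added example that is not part of the original thread: it reports whether SynAttackProtect exists under the Tcpip\Parameters key and whether it is stored as a DWORD. The server names are placeholders, and the script assumes the Remote Registry service is reachable with administrative rights.

```powershell
# Added example: report whether SynAttackProtect exists on each server and how it is stored.
# Server names below are placeholders (assumption); replace them with your own.
$Servers   = @($env:COMPUTERNAME, 'SERVER-PLACEHOLDER-01')
$SubKey    = 'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$ValueName = 'SynAttackProtect'

function Get-SynAttackProtectState {
    param([string]$Computer)

    $hklm = $null; $key = $null
    $state = New-Object PSObject -Property @{
        Computer = $Computer; Status = ''; Kind = ''; Data = ''
    }
    try {
        # Remote reads need the Remote Registry service and admin rights on the target.
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                    [Microsoft.Win32.RegistryHive]::LocalMachine, $Computer)
        $key  = $hklm.OpenSubKey($SubKey)   # opened read-only
        if ($key -eq $null) {
            $state.Status = 'Tcpip\Parameters key not found'
        }
        elseif ($key.GetValueNames() -notcontains $ValueName) {
            # Absent value: the stack falls back to its built-in default for that
            # OS and service pack. This script does not assume what that default is.
            $state.Status = 'Value absent (built-in default applies)'
        }
        else {
            $kind = $key.GetValueKind($ValueName)
            $state.Kind = "$kind"
            $state.Data = "$($key.GetValue($ValueName))"
            # Flag a value that was created by hand with a type other than REG_DWORD.
            if ($kind -eq [Microsoft.Win32.RegistryValueKind]::DWord) {
                $state.Status = 'Value present'
            } else {
                $state.Status = 'Value present but not REG_DWORD'
            }
        }
    }
    catch {
        $state.Status = "Could not read registry: $($_.Exception.Message)"
    }
    finally {
        if ($key)  { $key.Close() }
        if ($hklm) { $hklm.Close() }
    }
    $state
}

$Servers | ForEach-Object { Get-SynAttackProtectState $_ } |
    Format-Table Computer, Status, Kind, Data -AutoSize
```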