SNRT Security Settings

Overview

The Stanford Network Registration Tool (SNRT) ensures that your computer is up-to-date and secure before you can be assigned a Stanford network address.

Version

The Windows configuration set version number is: 1.2.

The Macintosh configuration set version number is: N/A.

Microsoft Windows settings details

1. File system settings

1.1 Disable ADODB.Stream (Min OS: Windows 2000)

An ADO stream represents a file in memory. The stream object contains several methods for reading and writing binary files and text files. When this by-design functionality is combined with known security vulnerabilities in Microsoft Internet Explorer, an Internet Web site could possibly execute scripts from the Local Machine zone. Using the ADODB Stream is not safe and shall be disabled.

Setting properties:

Registry change

Registry Hive: HKEY_LOCAL_MACHINE

Registry Key: SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000566-0000-0010-8000-00AA006D2EA4}

Registry Item: Compatibility Flags

Compliant Values: 1024

1.2 Disable ADODB.Stream (Min OS: Windows 2000) (x64)

An ADO stream represents a file in memory. The stream object contains several methods for reading and writing binary files and text files. When this by-design functionality is combined with known security vulnerabilities in Microsoft Internet Explorer, an Internet Web site could possibly execute scripts from the Local Machine zone. Using the ADODB Stream is not safe and shall be disabled.

Setting properties:

Registry change

Registry Hive: HKEY_LOCAL_MACHINE

Registry Key: SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000566-0000-0010-8000-00AA006D2EA4}

Registry Item: Compatibility Flags

Compliant Values: 1024

2. Network security settings

2.1 Alternate gateway detection disabled (Min OS: Windows 2000)

This setting specifies whether Windows shall automatically detect and switch to an alternate gateway after a segment has been transmitted several times without receiving a response. Leaving this detection enabled creates a denial of service attack vulnerability. For more info

Setting properties:

Registry change

Registry Hive: HKEY_LOCAL_MACHINE

Registry Key: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

Registry Item: EnableDeadGWDetect

Compliant Values: 0

2.2 Blank passwords allowed for console logon only (Min OS: Windows 2000)

This setting controls whether or not local accounts with blank passwords can log on from the network. After this setting is applied, local accounts with blank passwords cannot be used to connect to the machine from across the network, via Windows Networking or Terminal Services.

Setting properties:

Registry change

Registry Hive: HKEY_LOCAL_MACHINE

Registry Key: SYSTEM\CurrentControlSet\Control\Lsa

Registry Item: limitblankpassworduse

Compliant Values: 1

2.3 DoS attack settings (Min OS: Windows 2000)

Denial of Service attacks are network attacks aimed at making a computer or a particular network-based service unavailable to users. These configuration settings can be used to improve Windows' ability to defend against such attacks. 

Setting properties:

Registry change

Registry Hive: HKEY_LOCAL_MACHINE

Registry Key: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

Registry Item: EnableICMPRedirect

Compliant Values: 0

Registry change

Registry Hive: HKEY_LOCAL_MACHINE

Registry Key: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

Registry Item: KeepAliveTime

Compliant Values: 300000

Registry change

Registry Hive: HKEY_LOCAL_MACHINE

Registry Key: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

Registry Item: PerformRouterDiscovery

Compliant Values: 0

2.4 IP source routing disabled (Min OS: Windows 2000)

The IP stack on any host (router or not) will drop packets with the source route option set if DisableIPSourceRouting is turned on. In most cases you do not want a source-routed packet to hit your computer.

Setting properties:

Registry change

Registry Hive: HKEY_LOCAL_MACHINE

Registry Key: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

Registry Item: DisableIPSourceRouting

Compliant Values: 2

2.5 No name release on demand (Min OS: Windows 2000)

The NetBIOS over TCP/IP (NBT) protocols are, by design, unauthenticated and therefore vulnerable to spoofing. A malicious user could possibly misuse the unauthenticated nature of the protocol to send a name-conflict datagram to a target computer to cause it to relinquish its name and stop responding to queries. 

Setting properties:

Registry change

Registry Hive: HKEY_LOCAL_MACHINE

Registry Key: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

Registry Item: NoNameReleaseOnDemand

Compliant Values: 1

2.6 Path MTU discovery enabled (Min OS: Windows 2000)

Enabling the setting causes TCP to attempt to discover the Maximum Transmission Unit (MTU or largest packet size) over the path to a remote host. By discovering the path MTU and limiting TCP segments to this size, TCP can eliminate fragmentation at routers along the path that connect networks with different MTUs. This setting can improve network connectivity performance. 

Setting properties:

Registry change

Registry Hive: HKEY_LOCAL_MACHINE

Registry Key: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

Registry Item: EnablePMTUDiscovery

Compliant Values: 1

2.7 Protect against SYN flood attacks (Min OS: Windows 2000)

Windows includes protection that allows it to detect and adjust when the system is being targeted with a SYN flood attack (a type of denial of service attack that takes advantage of incomplete TCP handshake requests).

Setting properties:

Registry change

Registry Hive: HKEY_LOCAL_MACHINE

Registry Key: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

Registry Item: SynAttackProtect

Compliant Values: 1

2.8 TcpMaxHalfOpen configured (Min OS: Windows 2000)

SYN attack protection involves reducing the number of retransmissions for the SYN-ACKs, which reduces the amount of time that resources have to remain allocated. The allocation of route cache entry resources is delayed until a connection is made. If synattackprotect = 1, then the connection indication to AFD is delayed until the three-way handshake is completed. Also note that the actions taken by the protection mechanism only occur if TcpMaxHalfOpen and TcpMaxHalfOpenRetried settings are exceeded. 

Setting properties:

Registry change

Registry Hive: HKEY_LOCAL_MACHINE

Registry Key: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

Registry Item: TcpMaxHalfOpen

Compliant Values: 100

2.9 TcpMaxHalfOpenRetried configured (Min OS: Windows 2000)

SYN attack protection involves reducing the number of re-transmissions for the SYN-ACKs, which reduces the amount of time that resources have to remain allocated. The allocation of route cache entry resources is delayed until a connection is made. If synattackprotect = 1, then the connection indication to AFD is delayed until the three-way handshake is completed. Also note that the actions taken by the protection mechanism only occur if TcpMaxHalfOpen and TcpMaxHalfOpenRetried settings are exceeded. 

Setting properties:

Registry change

Registry Hive: HKEY_LOCAL_MACHINE

Registry Key: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

Registry Item: TcpMaxHalfOpenRetried

Compliant Values: 80

3. System settings

3.1 AEDebug disabled (Min OS: Windows 2000)

This setting is intended to allow an administrator to specify a remote debugger that will be invoked in the event of a system crash. The debugger runs in a highly privileged state and, unless specifically required by the user, shall be disabled.

Setting properties:

Registry change

Registry Hive: HKEY_LOCAL_MACHINE

Registry Key: SOFTWARE\Microsoft\Windows NT\CurrentVersion\AEDebug

Registry Item: Auto

Compliant Values: 0

3.2 AEDebug disabled (Min OS: Windows 2000) (x64)

This setting is intended to allow an administrator to specify a remote debugger that will be invoked in the event of a system crash. The debugger runs in a highly privileged state and, unless specifically required by the user, shall be disabled.

Setting properties:

Registry change

Registry Hive: HKEY_LOCAL_MACHINE

Registry Key: SOFTWARE\Microsoft\Windows NT\CurrentVersion\AEDebug

Registry Item: Auto

Compliant Values: 0

3.3 Automatic Update enabled and run daily (Min OS: Windows 2000) (x64)

Enables Windows Automatic Update, so that critical security patches may be automatically acquired from the Windows Update service.

Setting properties:

Registry change

Registry Hive: HKEY_LOCAL_MACHINE

Registry Key: SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU

Registry Item: NoAutoUpdate

Compliant Values: 0

3.4 Automatic Update enabled and run daily (Min OS: Windows 2000)

Enables Windows Automatic Update, so that critical security patches may be automatically acquired from the Windows Update service.

Setting properties:

Registry change

Registry Hive: HKEY_LOCAL_MACHINE

Registry Key: SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU

Registry Item: NoAutoUpdate

Compliant Values: 0

Registry change

Registry Hive: HKEY_LOCAL_MACHINE

Registry Key: Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update

Registry Item: ScheduledInstallDay

Compliant Values: 0

Registry change

Registry Hive: HKEY_LOCAL_MACHINE

Registry Key: Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update

Registry Item: AUOptions

Compliant Values: 4

3.5 DLL search order optimized (Min OS: Windows 2000)

This setting controls the order in which directories are searched for DLL (Dynamic Link Library) files. It ensures that a local DLL is used when a program is being run over the network, and it resolves issues where incompatible system DLL files are being loaded first.

Setting properties:

Registry change

Registry Hive: HKEY_LOCAL_MACHINE

Registry Key: SYSTEM\CurrentControlSet\Control\Session Manager

Registry Item: SafeDllSearchMode

Compliant Values: 1
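The following audit script is an added example and is not part of SNRT or any Stanford tool. It reads every registry value listed in sections 1 to 3 above, compares it with the compliant value, and reports COMPLIANT, NONCOMPLIANT or MISSING per setting; with the assumed `-Remediate` switch it also writes the compliant value. It assumes an elevated PowerShell session on the host being checked, and that every value is a REG_DWORD (the page gives the numbers but not the value types). The entries for 1.2, 3.2 and 3.3 name the same keys as their non-x64 counterparts, so the table lists each key once.

```powershell
# Added example, not SNRT code. Assumes: run as Administrator, PowerShell 3.0+,
# all listed values are REG_DWORD (assumption; the page does not state types).
param([switch]$Remediate)

$Tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# Baseline taken from the "Compliant Values" entries above, one row per value.
$Baseline = @(
    [pscustomobject]@{ Id = '1.1'; Key = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000566-0000-0010-8000-00AA006D2EA4}'; Name = 'Compatibility Flags'; Expected = 1024 }
    [pscustomobject]@{ Id = '2.1'; Key = $Tcpip; Name = 'EnableDeadGWDetect';     Expected = 0 }
    [pscustomobject]@{ Id = '2.2'; Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'LimitBlankPasswordUse'; Expected = 1 }
    [pscustomobject]@{ Id = '2.3'; Key = $Tcpip; Name = 'EnableICMPRedirect';     Expected = 0 }
    [pscustomobject]@{ Id = '2.3'; Key = $Tcpip; Name = 'KeepAliveTime';          Expected = 300000 }
    [pscustomobject]@{ Id = '2.3'; Key = $Tcpip; Name = 'PerformRouterDiscovery'; Expected = 0 }
    [pscustomobject]@{ Id = '2.4'; Key = $Tcpip; Name = 'DisableIPSourceRouting'; Expected = 2 }
    [pscustomobject]@{ Id = '2.5'; Key = $Tcpip; Name = 'NoNameReleaseOnDemand';  Expected = 1 }
    [pscustomobject]@{ Id = '2.6'; Key = $Tcpip; Name = 'EnablePMTUDiscovery';    Expected = 1 }
    [pscustomobject]@{ Id = '2.7'; Key = $Tcpip; Name = 'SynAttackProtect';       Expected = 1 }
    [pscustomobject]@{ Id = '2.8'; Key = $Tcpip; Name = 'TcpMaxHalfOpen';         Expected = 100 }
    [pscustomobject]@{ Id = '2.9'; Key = $Tcpip; Name = 'TcpMaxHalfOpenRetried';  Expected = 80 }
    [pscustomobject]@{ Id = '3.1'; Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AEDebug'; Name = 'Auto'; Expected = 0 }
    [pscustomobject]@{ Id = '3.4'; Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'; Name = 'NoAutoUpdate'; Expected = 0 }
    [pscustomobject]@{ Id = '3.4'; Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'; Name = 'ScheduledInstallDay'; Expected = 0 }
    [pscustomobject]@{ Id = '3.4'; Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'; Name = 'AUOptions'; Expected = 4 }
    [pscustomobject]@{ Id = '3.5'; Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'; Name = 'SafeDllSearchMode'; Expected = 1 }
)

# Read one value and classify it. A value that is absent is reported as MISSING
# rather than compliant, because the OS default for a missing value is not
# necessarily the compliant one.
function Test-SnrtSetting {
    param([Parameter(Mandatory)] $Setting)

    $actual = $null
    if (Test-Path -LiteralPath $Setting.Key) {
        $item = Get-ItemProperty -LiteralPath $Setting.Key -Name $Setting.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $actual = $item.$($Setting.Name) }
    }

    $status = if ($null -eq $actual) { 'MISSING' }
              elseif ([int64]$actual -eq $Setting.Expected) { 'COMPLIANT' }
              else { 'NONCOMPLIANT' }

    [pscustomobject]@{
        Id       = $Setting.Id
        Name     = $Setting.Name
        Expected = $Setting.Expected
        Actual   = $actual
        Status   = $status
    }
}

# Write the compliant value, creating the key if it does not exist yet.
function Set-SnrtSetting {
    param([Parameter(Mandatory)] $Setting)
    if (-not (Test-Path -LiteralPath $Setting.Key)) {
        New-Item -Path $Setting.Key -Force | Out-Null
    }
    Set-ItemProperty -LiteralPath $Setting.Key -Name $Setting.Name -Value $Setting.Expected -Type DWord
}

$results = foreach ($s in $Baseline) {
    $r = Test-SnrtSetting $s
    if ($Remediate -and $r.Status -ne 'COMPLIANT') {
        Set-SnrtSetting $s
        $r = Test-SnrtSetting $s   # re-read so the report shows the new state
    }
    $r
}

$results | Format-Table -AutoSize

# Non-zero exit code lets a deployment or login script act on the result.
if ($results.Status -contains 'NONCOMPLIANT' -or $results.Status -contains 'MISSING') { exit 1 }
```

Two caveats for anyone adapting this. First, the page lists identical keys for the (x64) entries; on 64-bit Windows the 32-bit view of HKLM\SOFTWARE lives under Wow6432Node, so a 32-bit Internet Explorer would read the ActiveX Compatibility key from there, and an audit that must cover both views should add those paths to the table. Second, most values under Tcpip\Parameters are read when the TCP/IP driver starts, so a remediated host should be re-audited after a reboot before it is treated as compliant.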

Last modified February 1, 2018