Creating an ADM file to add registry keys

Guest

Hello,

I want to use group policy to add certain registry keys automatically. I'd prefer to use an ADM file rather than a logon script.

I've been playing with it but I am not having any luck. The registry keys that I want added are for DoS protection that MS recommends. These will be applied to a web hosting environment.

I am not sure what I am missing but here is what I have in my ADM file:

;#if version <= 2
;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;CLASS MACHINE ;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;
;CATEGORY !!GPOnly
; POLICY !!GPOnlyPolicy
; KEYNAME "Software\Policies"
;
; PART !!GPOnly_Tip1 TEXT
; END PART
;
; PART !!GPOnly_Tip2 TEXT
; END PART
;
; PART !!GPOnly_Tip3 TEXT
; END PART
;
; PART !!GPOnly_Tip4 TEXT
; END PART
;
; PART !!GPOnly_Tip5 TEXT
; END PART
; END POLICY
;END CATEGORY
;
;#endif

#if version >= 3

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
CLASS MACHINE ;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

CATEGORY !!WindowsComponents
CATEGORY !!DoSProtection

POLICY !!Set_SynAttackProtect
KEYNAME "SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
EXPLAIN !!SynAttackProtect_Help
PART !!SynAttackProtect NUMERIC
MIN 0 MAX 2 DEFAULT 2
VALUENAME "NoSynAttackProtect"
END PART
END POLICY

POLICY !!Set_EnableDeadGWDetect
KEYNAME "SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
EXPLAIN !!EnableDeadGWDetect_Help
PART !!EnableDeadGWDetect NUMERIC
MIN 0 MAX 1 DEFAULT 0
VALUENAME "NoEnableDeadGWDetect"
END PART
END POLICY

POLICY !!Set_EnablePMTUDiscovery
KEYNAME "SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
EXPLAIN !!EnablePMTUDiscovery_Help
PART !!EnablePMTUDiscovery NUMERIC
MIN 0 MAX 1 DEFAULT 0
VALUENAME "NoEnablePMTUDiscovery"
END PART
END POLICY

POLICY !!Set_KeepAliveTime
KEYNAME "SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
EXPLAIN !!KeepAliveTime_Help
PART !!KeepAliveTime NUMERIC
MIN 1 MAX 7200000 DEFAULT 300000
VALUENAME "NoKeepAliveTime"
END PART
END POLICY

POLICY !!Set_TcpMaxHalfOpen
EXPLAIN !!TcpMaxHalfOpen_Help
KEYNAME "SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
; PART !!TcpMaxHalfOpen NUMERIC
; MIN 0 MAX 65535 DEFAULT 100
VALUENAME "NoTcpMaxHalfOpen"
VALUEON NUMERIC 100
VALUEOFF NUMERIC 0
; END PART
END POLICY

POLICY !!Set_TcpMaxHalfOpenRetried
KEYNAME "SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
EXPLAIN !!TcpMaxHalfOpenRetried_Help
PART !!TcpMaxHalfOpenRetried NUMERIC
MIN 0 MAX 65535 DEFAULT 80
VALUENAME "NoTcpMaxHalfOpenRetried"
END PART
END POLICY

POLICY !!Set_NoNameReleasedOnDemand
KEYNAME "SYSTEM\CurrentControlSet\Services\Netbt\Parameters"
EXPLAIN !!NoNameReleasedOnDemand_Help
PART !!NoNameReleasedOnDemand NUMERIC
MIN 0 MAX 1 DEFAULT 1
VALUENAME "NoNoNameReleasedOnDemand"
END PART
END POLICY

END CATEGORY ; DoSProtection
END CATEGORY ; WindowsComponents

#endif

[strings]

;GPOnly_Tip1="The DoS_Protection1.adm file you have loaded requires Group Policy"
;GPOnly_Tip2="in Windows 2000. You cannot use the System Policy Editor"
;GPOnly_Tip3="to display Windows 2000 Group Policy settings."
;GPOnly_Tip4=" "
;GPOnly_Tip5="Enabling or disabling this policy has no effect."
;GPOnly="Unsupported Administrative Templates"
;GPOnlyPolicy="DoS_Protecion1.adm"

WindowsComponents="Windows Components"
DoSProtection="DoS Protection"


Set_SynAttackProtect="Enable SynAttackProtect"
SynAttackProtect_Help="Set SynAttackProtect to 0 for typical protection against SYN attacks.\n\nSet SynAttackProtect to 1 for better protection against SYN attacks.\n\nThis parameter causes TCP to adjust the retransmission of SYN-ACKS.\n\nWhen you set SynAttackProtect to 1, connection responses time out more quickly if it appears that there is a SYN attack in progress.\n\nSet SynAttackProtect to 2 for the best protection against SYN attacks. This value adds additional delays to connection indications, and TCP connection requests quickly timeout when a SYN attack is in progress. This parameter is the recommended setting."
SynAttackProtect="Enable SynAttackProtect Value:"

Set_EnableDeadGWDetect="EnableDeadGWDetect"
EnableDeadGWDetect_Help="When you set EnableDeadGWDetect to 1, TCP is allowed to perform dead-gateway detection. When dead-gateway detection is enabled, TCP may ask the Internet Protocol (IP) to change to a backup gateway if a number of connections are experiencing difficulty. Backup gateways are defined in the Advanced section of the TCP/IP configuration dialog box in Network Control Panel.\n\nIt is recommended that you set EnableDeadGWDetect to 0. If you do not set this value to 0, an attack could force the server to switch gateways and cause it to switch to an unintended gateway."
EnableDeadGWDetect="EnableDeadGWDetect Value:"

Set_EnablePMTUDiscovery="EnablePMTUDiscovery"
EnablePMTUDiscovery_Help="When you set EnablePMTUDiscovery to 1, TCP attempts to discover either the maximum transmission unit (MTU) or the largest packet size over the path to a remote host. TCP can eliminate fragmentation at routers along the path that connect networks with different MTUs by discovering the path MTU and limiting TCP segments to this size. Fragmentation adversely affects TCP throughput.\n\nIt is recommended that you set EnablePMTUDiscovery to 0. When you do so, an MTU of 576 bytes is used for all connections that are not hosts on the local subnet. If you do not set this value to 0, an attacker could force the MTU value to a very small value and overwork the stack."
EnablePMTUDiscovery="EnablePMTUDiscovery Value:"

Set_KeepAliveTime="KeepAliveTime"
KeepAliveTime_Help="This value controls how often TCP attempts to verify that an idle connection is still intact by sending a keep-alive packet. If the remote computer is still reachable, it acknowledges the keep-alive packet. Keep-alive packets are not sent by default. You can use a program to configure this value on a connection. The recommended value setting is 300,000 (5 minutes)."
KeepAliveTime="KeepAliveTime Value:"

Set_TcpMaxHalfOpen="TcpMaxHalfOpen"
TcpMaxHalfOpen_Help="This parameter controls the number of connections in the SYN-RCVD state allowed before SYN-ATTACK protection begins to operate. Recommended value of 100 on Windows 2000 Server and Professional."
TcpMaxHalfOpen="TcpMaxHalfOpen Value:"

Set_TcpMaxHalfOpenRetried="TcpMaxHalfOpenRetried"
TcpMaxHalfOpenRetried_Help="This parameter controls the number of connections in the SYN-RCVD state for which there has been at least one retransmission of the SYN sent, before SYN-ATTACK attack protection begins to operate. Recommended value of 80 on Windows 2000 Server and Professional."
TcpMaxHalfOpenRetried="TcpMaxHalfOpenRetried Value:"

Set_NoNameReleasedOnDemand="NoNameReleasedOnDemand"
NoNameReleasedOnDemand_Help="This value determines whether the computer releases its NetBIOS name when it receives a name-release request. This value was added to allow the administrator to protect the computer against malicious name-release attacks. It is recommended that you set the NoNameReleaseOnDemand value to 1 (the default value)."
NoNameReleasedOnDemand="NoNameReleasedOnDemand Value:"
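
Added example, not part of the original post: a small linter for ADM text that flags a VALUENAME differing from the registry value names the help strings describe, a KEYNAME outside the policy roots (such settings are preferences, which the Group Policy editor hides by default), unterminated [strings] entries, and !! references with no definition. The names lint_adm, EXPECTED and POLICY_ROOTS are hypothetical, and SAMPLE is a constructed excerpt modelled on one policy from the post.

```python
import re

# Registry value names as the post's help strings spell them; roots of managed policy keys.
EXPECTED = {"SynAttackProtect", "EnableDeadGWDetect", "EnablePMTUDiscovery", "KeepAliveTime",
            "TcpMaxHalfOpen", "TcpMaxHalfOpenRetried", "NoNameReleaseOnDemand"}
POLICY_ROOTS = ("software\\policies", "software\\microsoft\\windows\\currentversion\\policies")

def lint_adm(text):
    """Return sorted (line_no, code, detail) findings for the text of an ADM template."""
    findings, refs, defined, in_strings = [], {}, set(), False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                                  # blank line or ADM comment
        if line.lower() == "[strings]":
            in_strings = True
            continue
        if in_strings:                                # name="value" definitions
            name, _, value = line.partition("=")
            defined.add(name.strip())
            if not re.fullmatch(r'"[^"]*"', value.strip()):
                findings.append((no, "UNTERMINATED_STRING", name.strip()))
            continue
        for token in re.findall(r"!!(\w+)", line):    # !!name references
            refs.setdefault(token, no)
        m = re.match(r'(KEYNAME|VALUENAME)\s+"([^"]*)"', line, re.I)
        if m and m.group(1).upper() == "KEYNAME":
            if not m.group(2).lower().startswith(POLICY_ROOTS):
                findings.append((no, "PREFERENCE_KEY", m.group(2)))
        elif m and m.group(2) not in EXPECTED:
            findings.append((no, "UNEXPECTED_VALUENAME", m.group(2)))
    findings += [(n, "MISSING_STRING", t) for t, n in refs.items() if t not in defined]
    return sorted(findings)

# Constructed sample modelled on one policy from the post (not the full file).
SAMPLE = r'''POLICY !!Set_SynAttackProtect
KEYNAME "SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
EXPLAIN !!SynAttackProtect_Help
PART !!SynAttackProtect NUMERIC
VALUENAME "NoSynAttackProtect"
END PART
END POLICY
[strings]
Set_SynAttackProtect="Enable SynAttackProtect"
SynAttackProtect="Enable SynAttackProtect Value:
'''
if __name__ == "__main__":
    for finding in lint_adm(SAMPLE):
        print(*finding)
```

PREFERENCE_KEY is informational rather than an error: the template still loads, but the setting only appears once the editor's policies-only view filter is turned off, and the written value stays in the registry after the GPO stops applying.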
 
