Version 1.2.0
This text file is part of Windows 2000/XP/2003 High Performance TCP/IP Package
(HPTP) [13 KB, free GPL]:
http://www.mdgx.com/files/HPTP.ZIP
HPTP consists of 4 text files:
- HPTPREAD.TXT: ReadMe = MUST read first!
- CALCULAT.TXT: Calculations + formulas for TCP/IP registry settings.
- HPTCPIP.TXT: TCP/IP performance, security documentation + how-tos. (this
file)
- NONREG.TXT: Non-registry Internet + online gaming performance procedures.
______________________________________________________________________________
The Windows 2000 family of operating systems was designed for complete and
fast networking from the ground up. For the most part, Microsoft did a good
job, much better than the sad attempts in the 9x days. However, Windows is not
a hacker's OS and has plenty of room for performance improvement in the TCP
stack. :)
My own experimentation, discovery and the gracious help of those frequenting
DSLnuts.com and SIESystems.com have made this documentation possible.
I have developed what I believe are the ultimate TCP/IP registry settings for
Win2000 systems with a *CABLE* Internet connection.
These settings might not work optimally for DSL users or WinXP users.
These settings work for me, but I cannot guarantee they will work for you.
You may need to do a little experimentation to find the parameters that work
best for you.
In addition to the performance/throughput hacks, here are a few good security
hacks which will make you sleep a bit better at night.
PERFORMANCE/THROUGHPUT SETTINGS
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters]
1. DefaultTTL: dword=0x40
Defines the maximum Time-to-Live of an IP packet. This is the maximum
number of hops that a packet may travel before it is dropped. While its
direct effect on TCP/IP performance is a myth, it can save you the trouble
of having to wait for packets that might come *extremely* slowly or not at
all. Values can be between 32 and 128 (decimal), but a good value is
probably 48 or 64.
2. EnableFastRouteLookup: dword=0x1
When routing, allows Windows to use "fast route lookup" mode. This can help
when acting as a router, but won't help a lot on single adaptor client
systems. The important point is that enabling it can't hurt. :)
3. EnablePMTUBHDetect: dword=0x0
Controls whether black hole routers are detected. Unless you run into
problems, black hole detection should be disabled as it must be performed
for every new connection and just slows things down.
4. EnablePMTUDiscovery: dword=0x1
Enables path MTU discovery. This means that the TCP stack is able to
dynamically determine the lowest Maximum Transfer Unit (MTU) along a given
data path, enabling data to be sent as quickly and efficiently as possible
due to a reduction in packet segmentation.
5. ForwardBufferMemory: dword=0x24400
Defines how many bytes of memory are used for sending data by default.
6. MaxForwardBufferMemory: dword=0x400000
Sets the maximum memory in bytes that can be used for packet transmission.
7. GlobalMaxTcpWindowSize: dword=0x12890 + TcpWindowSize: dword=0x12890
Sets the global and standard maximum TCP window size. This setting is very
tricky, and you will need to experiment to find your own optimal setting.
As a hint, increasing your TCP window size can speed up connections a
*lot*, but making the window too large will make your connection as slow or
even slower than it is by default. The setting here works for me, but try
it yourself and go from there.
THIS VALUE IS AN EXAMPLE, SEE CALCULAT.TXT ABOUT HOW TO CALCULATE THE
CORRECT MAX TcpWindowSize FOR YOUR INDIVIDUAL CONNECTION!
NOTE: For best performance, my testing has shown that every max TCP window
size registry setting should be set to the same optimal value. Different
settings seem to confuse and slow down the TCP stack.
8. KeepAliveTime: dword=0x927c0
Sets the connection keep alive time in seconds. The value shown here is 600
seconds (10 minutes). This is a good general value, but it may need to be
higher (such as the default of 7200 seconds) for large servers that serve
distant high latency clients worldwide.
9. PerformRouterDiscovery: dword=0x0
Determines whether the TCP/IP stack should try to "discover" routers.
This should be disabled. If the router works, it works, but if it doesn't,
discovering it won't help matters at all. :D
10. PrioritizeRecordData: dword=0x1
When enabled, this setting will force the DNS cache service to sort its
data, resulting in quicker DNS lookups.
11. SackOpts: dword=0x1
Enables "selective acknowledgements". This means that acknowledgement
packets are only transmitted when needed, rather than at an interval.
In some cases this could lead to data corruption over *VERY* damaged
lines, but this is very rare.
12. Tcp1323Opts: dword=0x1
Defines the nature of window scaling and time stamping. A value of 1 is
window scaling only (recommended for best performance), 2 is time stamps
only, and a value of 3 enables both.
Window scaling is required for large TCP receive windows, so it should be
enabled.
Time stamping on the other hand will slow the connection a bit and is very
rarely required, except in certain circumstances. If you don't know what
these circumstances are, then assume that you don't need time stamping.
13. TcpMaxDupAcks: dword=0x3
Controls the number of ACKs (handshake acknowledgements) that must be
initiated before a retransmit of lost data is requested. The value can be
from 1-3, 2 being the default. Setting this parameter to 3 reduces the
number of retransmits required, but can lead to periodic data corruption
over poor quality lines.
14. TcpRecvSegmentSize: dword=0x5b4 + TcpSentSegmentSize: dword=0x5b4
Defines the Maximum Segment Size (MSS) of data packets. Cable and DSL
connections have a Maximum Transfer Unit (MTU) of 1500 bytes, but 40 bytes
are reserved for the header space in every packet, leaving a maximum of
1460 bytes for usable data.
15. FastSendDatagramThreshold: dword=0x1000
Datagrams smaller than this value are allowed to pass through "fast I/O"
and are sometimes buffered. This is beneficial for small amounts of data
in transit.
16. TcpLogLevel: dword=0x1
Determines the logging level of the TCP stack. The default of 16 logs all
"unusual events". This is good if you use the Windows log files, but if
you're lazy like me and don't, because they only seem to catch application
errors and the like, you can safely set logging to its lowest value of 1.
This will log only the most critical errors and won't bother with useless
information that you don't need.
17. TcpTimedWaitDelay: dword=0x1e
Determines the timeout length for TCP connections. After this period the
connection will be dropped, freeing up resources for other connections.
Due to the way the TCP/IP protocol works, the effective timeout value is
actually 2x the TimedWaitDelay value [in this case 60 seconds (1 minute)].
If problems occur, increase this value: the default is 240 seconds.
18. MaxFreeTcbs: dword=0x2000
Sets the maximum number of free TCP Control Blocks (TCBs) reserved for
connections. Each connection requires 1 block, so this also defines the
maximum number of simultaneous connections to the system. The default is
1000 for Win2000 Pro and 2000 for Win2000 Server. This should be more than
sufficient for normal use, but this reduces the possibility of dropped
connections due to memory requirements, especially in a server environment
where many concurrent connections are expected.
19. MaxHashTableSize: dword=0x4000
Controls the memory mapping of TCBs. It should be increased if the number
of free TCBs is increased.
20. MaxNormLookupMemory: dword=0x2525a0
Specifies the maximum amount of memory the TCP stack uses for routing
tables. Increasing it can enable the storing of more routes in memory.
21. DisableTaskOffload: dword=0x0
Setting this parameter to 0 (disabled) enables the use of task offloading.
This means that network tasks will be first processed on a task offloading
compatible NIC, freeing up the CPU for other tasks.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AFD\Parameters]
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Dnscache\Parameters]
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\ServiceProvider]
SECURITY SETTINGS
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Dnscache\Parameters]
1. QueryIpMatching: dword=0x1
Controls whether the DNS server used by the DNS Resolver Cache Service is
compared to the DNS response for a given address. This is a simple way to
detect and reject DNS server spoofs.
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters]
2. SynAttackProtect: dword=0x2
Helps prevent TCP_SYN "denial of service" (DoS) attacks by reducing the
retransmissions of the TCP stack and suspending the connection until a 3
way handshake is performed.
TcpMaxHalfOpen: dword=0x64 (2x value for Win2000 Server)
This controls the number of connections in the SYN-RCVD state allowed
before SYN-ATTACK protection begins to operate.
TcpMaxHalfOpenRetried: dword=0x32 (2x val for Win2000 Server)
Defines how many connection retries are allowed before SYN-ATTACK
protection kicks in.
3. EnableDeadGWDetect: dword=0x0
When disabled prevents Windows from looking for a secondary gateway if the
first fails. In home networks or business networks with only 1 gateway,
this prevents a malicious user from redirecting connections from your
gateway to another system on the LAN or Internet.
4. EnableICMPRedirect: dword=0x1
Defines whether ICMP_REDIRECT is enabled. In rare cases this can be
exploited in a DoS attack, but is required for most LAN networking. Only
disable this function if you own a home computer connected directly to the
Internet with no other networking going on.
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanserver\parameters]
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA]
6. RestrictAnonymous: dword=0x1
Defines the restrictions imposed on "anonymous" or "guest" users of the
system. The default of 0 imposes no restriction, 1 imposes the denial of
SAM (Security Account Manager) info and a value of 2 denies access without
explicit permission. Unless you know what you are doing, a value of 1 is
recommended.
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AFD\Parameters]
7. DisableAddressSharing: dword=0x1
Prevents processes from sharing addresses, ensuring that sockets opened by
an application cannot be stolen by another process. This could be exploited
by data gathering or trojan horse programs. If you run into problems,
especially with older applications, disable this feature:
DisableAddressSharing=0
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Memory
Management]
1. ClearPageFileAtShutdown: dword=0x1
Forces a cleaning of the swap file at shut down. This eliminates the
possibility that the swap file contents can be read by a malicious user.
It may also have the (unconfirmed) benefit of keeping your swap file
contiguous at each boot.
NOTE: your shut down/restart time might be increased by a few seconds with
pagefile clearing enabled.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\]
2. RestrictGuestAccess: dword=0x1
Prevents access to the system logs by guest users. Malicious users could
use your log file info to find vulnerabilities.
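A defender-side check for the settings in this section, added here as example
code (it is not part of the HPTP package): it parses a Windows "reg export"
file and reports every recommended security value that is absent (so the
Windows default applies) or differs, and also applies the consistency rule from
performance item 12 (a receive window above 65535 bytes needs window scaling).
The sample export is constructed, with SynAttackProtect deliberately left at 0
and several values missing; parse_reg, audit and RECOMMENDED are names chosen
for this example.

```python
import re

# Constructed sample in Windows "reg export" format (not from the original package).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters]
"SynAttackProtect"=dword:00000000
"TcpMaxHalfOpen"=dword:00000064
"EnableDeadGWDetect"=dword:00000000
"TcpWindowSize"=dword:00012890
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA]
"RestrictAnonymous"=dword:00000001
"""

TCPIP = r"System\CurrentControlSet\Services\Tcpip\Parameters"
# Security values recommended in this document, keyed by (subkey under HKLM, value name).
RECOMMENDED = {
    (TCPIP, "SynAttackProtect"): 2,
    (TCPIP, "TcpMaxHalfOpen"): 0x64,
    (TCPIP, "TcpMaxHalfOpenRetried"): 0x32,
    (TCPIP, "EnableDeadGWDetect"): 0,
    (r"System\CurrentControlSet\Control\LSA", "RestrictAnonymous"): 1,
    (r"System\CurrentControlSet\Services\AFD\Parameters", "DisableAddressSharing"): 1,
}

def parse_reg(text):
    """Map (lower-cased subkey, lower-cased value name) -> int for every dword in a .reg export."""
    values, subkey = {}, None
    for line in map(str.strip, text.splitlines()):
        if key := re.match(r"^\[HKEY_LOCAL_MACHINE\\(.+)\]$", line):
            subkey = key.group(1).lower()          # registry paths are case-insensitive
        elif (val := re.match(r'^"([^"]+)"=dword:([0-9a-fA-F]{1,8})$', line)) and subkey is not None:
            values[(subkey, val.group(1).lower())] = int(val.group(2), 16)
    return values

def audit(values):
    """Return one finding per recommended value that is absent or differs; empty list = compliant."""
    findings = []
    for (subkey, name), want in RECOMMENDED.items():
        got = values.get((subkey.lower(), name.lower()))
        if got is None:
            findings.append(f"{name}: not set, Windows default applies (recommended {want})")
        elif got != want:
            findings.append(f"{name}: is {got}, recommended {want}")
    # A window above 65535 bytes needs Tcp1323Opts bit 0 (window scaling); absent value treated as 0.
    win = values.get((TCPIP.lower(), "tcpwindowsize"))
    if win is not None and win > 0xFFFF and not values.get((TCPIP.lower(), "tcp1323opts"), 0) & 1:
        findings.append(f"TcpWindowSize {win} exceeds 65535 but window scaling (Tcp1323Opts bit 0) is not enabled")
    return findings
```

Run it against the output of "reg export HKLM\System\CurrentControlSet ..." from the machine being checked; an empty result means every value in RECOMMENDED matches this document.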
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\]
(WinNT4/2000)
The settings and parameters in this section do not fall directly under the
performance or security categories above: they may relate to both security
AND performance, or to neither.
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Ipsec]
1. EnabledOffload: dword=0x1
Enables IPSEC task offloading for ethernet cards which support this feature.
Task offloading forces a feature (in this case IPSec or "IP Security") to
the device responsible for it directly, leaving the CPU to perform other
tasks. If you use IPSec and have a compatible card, this can speed things
up a bit, but do not attempt to enable this if you do not use IPSec.
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\RemoteComputer\NameSpace]