Windows Server 2022 / Windows Server 2025 系统优化:用于防护 SYN 攻击和 DDoS 攻击的注册表优化项目:
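Windows Registry Editor Version 5.00

; Hardening / tuning values for Windows Server 2022 and 2025, one directive per line.
; Comments sit on their own lines; trailing comments after a value are not a
; documented part of the .reg format.
; Every key is written under CurrentControlSet. The original mixed it with
; ControlSet001, which is not guaranteed to be the control set the system boots from.
; Export the affected keys before importing. Most values are read only at service
; start or boot, so plan a restart.

; ---------------------------------------------------------------------------
; SMB / NetBIOS
; ---------------------------------------------------------------------------

; SMBDeviceEnabled=0 turns off direct-hosted SMB over TCP 445.
; NoNameReleaseOnDemand=1 ignores NetBIOS name-release requests that do not come
; from WINS servers. The original wrote it under Tcpip\Parameters and
; Tcpip6\Parameters; NetBT\Parameters is the documented location.
; The stray export residue value "New Value #1" (a zero REG_QWORD with a
; non-ASCII name) has been dropped from this key.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]
"SMBDeviceEnabled"=dword:00000000
"NoNameReleaseOnDemand"=dword:00000001

; Disable SMBv1 on the server side. This is a direct registry setting, not Group Policy.
; NOTE(review): "SMB1" is the documented value name. "SMBv1" is kept from the
; original but is presumably ignored; confirm before relying on it.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"SMB1"=dword:00000000
"SMBv1"=dword:00000000

; Disable the SMBv1 client driver (Start=4 means disabled).
; If LanmanWorkstation still lists MRxSmb10 in DependOnService, remove that
; dependency as well, otherwise the Workstation service can fail to start.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10]
"Start"=dword:00000004

; Block inbound TCP/UDP 445 in Windows Firewall (active policy and the defaults
; used by "Restore defaults").
; This stops ALL inbound SMB, not only SMBv1. Do not import it on file servers,
; domain controllers (SYSVOL/NETLOGON) or hosts administered over SMB.
; Rules written straight into the registry take effect only after the firewall
; service reloads its policy. New-NetFirewallRule or netsh advfirewall is the
; supported way to add them.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{EC190356-C52F-4DE4-980F-4D0800F565A6}"="v2.28|Action=Block|Active=TRUE|Dir=In|Protocol=6|LPort=445|Name=445-tcp|"
"{9D830D0C-3B75-4EF7-9F23-88C367272884}"="v2.28|Action=Block|Active=TRUE|Dir=In|Protocol=17|LPort=445|Name=445-udp|"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Defaults\FirewallPolicy\FirewallRules]
"{EC190356-C52F-4DE4-980F-4D0800F565A6}"="v2.28|Action=Block|Active=TRUE|Dir=In|Protocol=6|LPort=445|Name=445-tcp|"
"{9D830D0C-3B75-4EF7-9F23-88C367272884}"="v2.28|Action=Block|Active=TRUE|Dir=In|Protocol=17|LPort=445|Name=445-udp|"

; ---------------------------------------------------------------------------
; TCP/IP stack, IPv4
; ---------------------------------------------------------------------------
; NOTE(review): Starting with Windows Vista / Server 2008, SYN-flood protection is
; built into the TCP/IP stack, is always on and cannot be configured through the
; registry. SynAttackProtect, TcpMaxPortsExhausted, TcpMaxHalfOpen and
; TcpMaxHalfOpenRetried are documented as no longer used there. TcpWindowSize and
; GlobalMaxTcpWindowSize are likewise superseded by receive-window auto-tuning.
; On Server 2022/2025, treat those values as inert and do not count them as a
; mitigation. Volumetric DDoS has to be handled upstream (provider scrubbing,
; load balancer, firewall rate limits), not in the host registry.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
; Receive window: 64400 bytes, and global maximum 1030400 bytes.
"TcpWindowSize"=dword:0000fb90
"GlobalMaxTcpWindowSize"=dword:000fb900
; Upper bound of the dynamic (ephemeral) port range; the original advises at
; least 32768 to improve throughput.
; NOTE(review): on current Windows the supported control is
; "netsh int ipv4 set dynamicport tcp"; confirm this value is still honoured.
"MaxUserPort"=dword:00008000
; Legacy SYN attack protection switches (see the note above).
"SynAttackProtect"=dword:00000002
"TcpMaxPortsExhausted"=dword:00000005
; Number of half-open connections allowed at once: 500. A half-open connection is
; one where the client has sent SYN but the server has not yet received the ACK.
"TcpMaxHalfOpen"=dword:000001f4
; Threshold at which an attack is assumed: 400.
"TcpMaxHalfOpenRetried"=dword:00000190
; IP source routing: 0 forwards all source-routed packets, 1 does not forward
; them (default), 2 drops every incoming source-routed packet.
; The original value was written with seven hex digits; normalized to eight.
"DisableIPSourceRouting"=dword:00000002
; Maximum retransmissions of a TCP data segment.
"TcpMaxDataRetransmissions"=dword:00000003
; Maximum SYN-ACK retransmissions; when no ACK arrives in time the entry is
; removed from the backlog queue.
"TcpMaxConnectResponseRetransmissions"=dword:00000002
; Disable unneeded protocol features:
; ICMP redirects
"EnableICMPRedirect"=dword:00000000
; address mask replies
"EnableAddrMaskReply"=dword:00000000
; replies to broadcast ARP
"EnableBcastArpReply"=dword:00000000
; The original describes this as disabling LLMNR and NBT-NS.
; NOTE(review): this value name could not be confirmed. LLMNR is normally turned
; off with the DNS client policy "Turn off multicast name resolution", and
; NBT-NS per adapter through the NetBIOS-over-TCP/IP setting.
"DisableDynamicDiscovery"=dword:00000001
; DNS domain name devolution off
"UseDomainNameDevolution"=dword:00000000
; Dead gateway detection off. The original says this defends against SNMP
; attacks; the usual hardening rationale is that an attacker could otherwise
; force a switch to an unintended gateway.
"EnableDeadGWDetect"=dword:00000000
; IGMP. Windows 7 and 10 default to IGMPv3, while much equipment only speaks
; IGMPv2, which can break multicast video.
; IGMPLevel: 0 = no multicast, 1 = send IPv4 multicast only, 2 = full IGMP (default).
; IGMPVersion: 2 = IGMPv1, 3 = IGMPv2, 4 = IGMPv3 (default).
; NOTE(review): IGMPLevel=0 disables multicast altogether, so the IGMPVersion
; choice has nothing left to act on. Use IGMPLevel=2 if multicast must work.
"IGMPLevel"=dword:00000000
"IGMPVersion"=dword:00000003

; ---------------------------------------------------------------------------
; TCP/IP stack, IPv6 (values mirrored from the IPv4 key, as in the original)
; ---------------------------------------------------------------------------
; NOTE(review): most of these names belong to the IPv4 stack (ARP, address mask
; and IGMP do not exist in IPv6) and are presumably ignored under Tcpip6.
; DisableIPSourceRouting is the one value commonly documented for this key.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters]
"TcpWindowSize"=dword:0000fb90
"GlobalMaxTcpWindowSize"=dword:000fb900
"MaxUserPort"=dword:00008000
"SynAttackProtect"=dword:00000002
"TcpMaxPortsExhausted"=dword:00000005
"TcpMaxHalfOpen"=dword:000001f4
"TcpMaxHalfOpenRetried"=dword:00000190
"DisableIPSourceRouting"=dword:00000002
"TcpMaxDataRetransmissions"=dword:00000003
"TcpMaxConnectResponseRetransmissions"=dword:00000002
"EnableICMPRedirect"=dword:00000000
"EnableAddrMaskReply"=dword:00000000
"EnableBcastArpReply"=dword:00000000
"DisableDynamicDiscovery"=dword:00000001
"UseDomainNameDevolution"=dword:00000000
"EnableDeadGWDetect"=dword:00000000
"IGMPLevel"=dword:00000000
"IGMPVersion"=dword:00000003

; ---------------------------------------------------------------------------
; Winsock (AFD) dynamic backlog
; ---------------------------------------------------------------------------
; NOTE(review): these values come from Windows 2000/2003-era guidance; confirm
; that AFD on Server 2022/2025 still reads them.
; The original advises keeping MaximumDynamicBacklog at or below 2000.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters]
; 1 enables the dynamic backlog so the maximum number of half-open connections
; can be adjusted.
"EnableDynamicBacklog"=dword:00000001
; Minimum number of free connections kept for a single TCP port's half-open queue.
"MinimumDynamicBacklog"=dword:00000014
; Ceiling for active half-open plus free connections.
"MaximumDynamicBacklog"=dword:00000400
; Free connections added per growth step; not counted toward MaximumDynamicBacklog.
"DynamicBacklogGrowthDelta"=dword:0000000a

; ---------------------------------------------------------------------------
; Anonymous access
; ---------------------------------------------------------------------------
; RestrictAnonymous: 1 = anonymous users cannot enumerate local accounts,
; 2 = anonymous users cannot connect to the IPC$ share.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000001

; 1 = require valid authentication and restrict anonymous access. This improves
; security but may affect legacy applications.
; NOTE(review): confirm that the LanmanWorkstation and LanmanServer services read
; a value with this name; the documented anonymous-access control is the Lsa
; value above.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters]
"RestrictAnonymous"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"RestrictAnonymous"=dword:00000001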
文章来源:
网络小编D
