
Windows 7, Vista, 2008 Tweaks

Check the TCP/IP state

To check the current status of the Vista TCP/IP tweakable parameters, in an elevated command prompt type the following command:

netsh int tcp show global

You will be presented with something like the following:

The settings, as well as their default and recommended state, are explained below. The two most important tweakable parameters are “Auto-Tuning Level” and “Congestion Control Provider”.

When checking the TCP state with the “netsh int tcp show global” command, it is also possible to see the following message below all those parameters:

** The above autotuninglevel setting is the result of Windows Scaling heuristics overriding any local/policy configuration on at least one profile.

It is displayed when the “Receive Window Auto-Tuning Level” is not explicitly set, or if the system deemed it necessary to make a change, for example because of a user-prompted “repair” of your network connection.

Disable Windows Scaling heuristics

Windows Vista/7 has the ability to automatically change its own TCP Window auto-tuning behavior to a more conservative state regardless of any user settings. It is possible for Windows to override the autotuninglevel even after a user sets their custom TCP auto-tuning level. When that behavior occurs, the “netsh int tcp show global” command displays the following message:

** The above autotuninglevel setting is the result of Windows Scaling heuristics overriding any local/policy configuration on at least one profile.

To prevent that behavior and enforce any user-set TCP Window auto-tuning level, you should execute the following command:

netsh int tcp set heuristics disabled

Possible settings are: disabled, enabled, default (sets to the Windows default state).
Recommended: disabled (to retain the user-set auto-tuning level).

Note this should be executed in an elevated command prompt (with admin privileges) before setting the autotuninglevel in the next section. If the command is accepted by the OS you will see an “Ok.” on a new line.

TCP Auto-Tuning

To turn off the default RWIN auto tuning behavior, (in elevated command prompt) type:
netsh int tcp set global autotuninglevel=disabled
The default auto-tuning level is “normal”, and the possible settings for the above command are:
disabled: uses a fixed value for the tcp receive window. Limits it to 64KB (limited at 65535).
highlyrestricted: allows the receive window to grow beyond its default value, very conservatively
restricted: somewhat restricted growth of the tcp receive window beyond its default value
normal: default value, allows the receive window to grow to accommodate most conditions
experimental: allows the receive window to grow to accommodate extreme scenarios (not recommended, it can degrade performance in common scenarios, only intended for research purposes. It enables RWIN values of over 16 MB)
Our recommendation: normal (unless you’re experiencing problems).

If you’re experiencing problems with your NAT router or SPI firewall, try the “restricted”, “highlyrestricted”, or even “disabled” state.
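The check-then-set procedure of the last two sections, wrapped into PowerShell functions so that the heuristics override is detected and the two netsh commands are always run in the right order. This is an added example, not code from the original guide; it assumes the Vista/7/2008 output format of “netsh int tcp show global” (a “Receive Window Auto-Tuning Level : …” line plus the “**” override note quoted above).

```powershell
# Added example, not part of the original guide. Run in an elevated PowerShell on Vista/7/2008.
# Assumes "netsh int tcp show global" prints "Receive Window Auto-Tuning Level : <level>"
# and, when heuristics have taken over, the "** ... Windows Scaling heuristics ..." note.

function Get-TcpAutoTuningState {
    $text = (netsh int tcp show global) -join "`n"
    $level = 'unknown'
    if ($text -match 'Receive Window Auto-Tuning Level\s*:\s*(\w+)') { $level = $Matches[1] }
    [pscustomobject]@{
        AutoTuningLevel    = $level
        # True when Windows has silently replaced the configured level (the "**" note)
        HeuristicsOverride = [bool]($text -match 'Windows Scaling heuristics')
    }
}

function Set-TcpAutoTuningLevel {
    param(
        [ValidateSet('disabled','highlyrestricted','restricted','normal','experimental')]
        [string]$Level = 'normal'
    )
    # Step 1: disable the heuristics first; otherwise the level set in step 2 can be overridden later.
    $reply = (netsh int tcp set heuristics disabled) -join ' '
    if ($reply -notmatch 'Ok') { throw "netsh refused 'set heuristics disabled' ('$reply'); is this prompt elevated?" }
    # Step 2: apply the requested auto-tuning level.
    $reply = (netsh int tcp set global "autotuninglevel=$Level") -join ' '
    if ($reply -notmatch 'Ok') { throw "netsh refused autotuninglevel=$Level ('$reply')" }
    # Step 3: read the state back and confirm the override note is gone.
    $state = Get-TcpAutoTuningState
    if ($state.HeuristicsOverride -or $state.AutoTuningLevel -ne $Level) {
        Write-Warning "Level reads back as '$($state.AutoTuningLevel)' (override=$($state.HeuristicsOverride))"
    }
    $state
}

# Usage: show the current state, then pin the level the guide recommends.
Get-TcpAutoTuningState
Set-TcpAutoTuningLevel -Level normal
```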

QoS Reserved Bandwidth

As with Windows XP, network adapters have a “QoS Packet Scheduler” enabled by default, which reserves 20% of bandwidth by default for QoS applications that request priority traffic. Note this only has effect in the presence of running QoS applications that request priority traffic. The registry value is undocumented for the Vista version of Windows. To customize this setting, in the Windows Registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Psched
NonBestEffortLimit=0
(DWORD, not present in the registry by default. Recommended: 0, possible values between 0 and 100) – indicates the percentage value of reserved bandwidth for QoS applications. Set to 0 to disable.

Notes: This tweak applies only to Windows versions that have the QoS Packet Scheduler enabled. It will ONLY have effect in the presence of running QoS applications.

Gaming Tweak – Disable Nagle’s algorithm

The tweak below allows for tweaking or disabling Nagle’s algorithm. Disabling “nagling” allows very small packets to be transferred immediately without delay. Note that disabling Nagle’s algorithm is only recommended for some games, and it may have a negative impact on file transfers/throughput. The default state (Nagling enabled) improves performance by allowing several small packets to be combined into a single, larger packet for more efficient transmission. While this improves overall performance and reduces TCP/IP overhead, it may briefly delay transmission of smaller packets. Keep in mind that disabling Nagle’s algorithm may have some negative effect on file transfers, and can only help reduce delay in some games. To implement this tweak, in the registry editor (Start>Run>regedit) find:

This setting configures the maximum number of outstanding ACKs in Windows XP/2003/Vista/2008:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\
Interfaces\{NIC-id}

There will be multiple NIC interfaces listed there, for example: {1660430C-B14A-4AC2-8F83-B653E83E8297}. Find the correct one with your IP address listed. Under this {NIC-id} key, create a new DWORD value:
TcpAckFrequency=1 (DWORD value, 1=disable, 2=default, 2-n=send ACKs if outstanding ACKs before timed interval. Setting not present by default).

For gaming performance, the recommended value is 1 (disable). For pure throughput and data streaming, you can experiment with values over 2. If you try larger values, just make sure TcpAckFrequency*MTU is less than RWIN, since the sender may stop sending data if RWIN fills without acknowledgement.

Also, find the following key (if present):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSMQ\Parameters
Add a new DWORD value:
TCPNoDelay=1 (DWORD value, 0 to enable Nagle’s algorithm, 1 to disable, not present by default)

To configure the ACK interval timeout (only has effect if nagling is enabled), find the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\
Interfaces\{NIC-id}
TcpDelAckTicks=0 (DWORD value, default=2, 0=disable nagling, 1-6=100-600 ms). Note you can also set this to 1 to reduce the nagle effect from the default of 200ms without disabling it.

Notes:
Reportedly, the above gaming tweak (disabling Nagle’s algorithm) can reduce WoW (World of Warcraft) latency by almost half!
XP/2003 needs hotfix or SP2 for it to work (MS KB 815230)
Vista needs hotfix or SP1 for it to work (MS KB 935458)
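The per-interface registry part of the gaming tweak as an added PowerShell example (not from the original guide): it locates the {NIC-id} key by the adapter’s IP address the way the text tells you to do by hand, applies the TcpAckFrequency*MTU < RWIN sanity check before writing anything, and records the previous values so the change can be reverted. The DhcpIPAddress/IPAddress value names used to match the adapter, the MTU of 1500, the RWIN of 65535 and the sample address are assumptions.

```powershell
# Added example, not part of the original guide. Run in an elevated PowerShell; reboot afterwards.
# Assumes each {NIC-id} subkey carries a DhcpIPAddress (REG_SZ) or IPAddress (REG_MULTI_SZ) value
# holding the adapter's address, which is how the key for "your IP address" is matched below.
$IfRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'

function Find-TcpInterfaceKey {
    param([Parameter(Mandatory)][string]$IPAddress)
    # Walk every {NIC-id} subkey and return the one that lists the given address.
    foreach ($key in Get-ChildItem $IfRoot) {
        $p = Get-ItemProperty $key.PSPath
        if ($p.DhcpIPAddress -eq $IPAddress -or ($p.IPAddress -contains $IPAddress)) { return $key.PSPath }
    }
    throw "No interface key under $IfRoot lists $IPAddress"
}

function Set-NagleTweak {
    param(
        [Parameter(Mandatory)][string]$IPAddress,
        [int]$TcpAckFrequency = 1,   # 1 = ACK every segment (the guide's gaming value)
        [int]$TcpDelAckTicks  = 0,   # 0 = no delayed-ACK timer
        [int]$Mtu  = 1500,           # assumed; use your adapter's MTU if it differs
        [int]$Rwin = 65535           # fixed window when autotuning is 'disabled' (from the guide)
    )
    # Sanity check from the guide: the sender can stall if TcpAckFrequency*MTU reaches RWIN.
    if ($TcpAckFrequency * $Mtu -ge $Rwin) {
        throw "TcpAckFrequency ($TcpAckFrequency) * MTU ($Mtu) must stay below RWIN ($Rwin)"
    }
    $key = Find-TcpInterfaceKey -IPAddress $IPAddress
    # Keep the previous values (null when the value was absent) so the tweak can be undone.
    $before = Get-ItemProperty $key | Select-Object TcpAckFrequency, TcpDelAckTicks
    Set-ItemProperty -Path $key -Name TcpAckFrequency -Value $TcpAckFrequency -Type DWord
    Set-ItemProperty -Path $key -Name TcpDelAckTicks  -Value $TcpDelAckTicks  -Type DWord
    [pscustomobject]@{
        Key    = $key
        Before = $before
        After  = Get-ItemProperty $key | Select-Object TcpAckFrequency, TcpDelAckTicks
    }
}

# Usage (constructed sample address; replace it with the one ipconfig shows for your adapter).
Set-NagleTweak -IPAddress '192.168.1.20'
```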

SG Vista TCP/IP Patch – automatic optimization

For user convenience, we also provide a quick way to apply all optimal values as recommended above using our SG Vista TCP/IP Patch. It allows for tweaking all the above netsh settings and registry values in one simple step (with the exception of the “gaming tweak” section). The patch also provides for easily reverting the settings to their Windows default values. To apply, save to your desktop and run as administrator (right-click -> run as administrator). Click Y when prompted to apply settings.

See Also

Windows Vista tcpip.sys connection limit patch for Event ID 4226 – removing the limit on half-open TCP connections.

References

Windows Server 2008 Network Shell (Netsh) Technical Reference
RFC 2581
Wikipedia: Nagle’s algorithm
Technet: TCPNoDelay
MS KB 311833
MS KB 328890
MS KB 321098
MS KB 321169
MS KB 951037 – TCP Chimney Offload, Receive Side Scaling, and Network DMA in Windows Server 2008


Install and Enable SNMP Service in Windows XP, 7 and 2008

SNMP (Simple Network Management Protocol) is an Internet protocol used in network management systems to monitor network-attached devices such as computers, servers, routers, switches, gateways, wireless access points, VoIP phones, etc. for conditions that warrant administrative attention. SNMP provides management data in the form of variables on the managed systems, which describe the system configuration parameters or current status values.

How to Install and Enable the SNMP Service

  1. In Windows XP and Windows 2008, click the Start button, then go to Control Panel and run the Add or Remove Programs applet. In the Add or Remove Programs dialog, click Add/Remove Windows Components to open the Windows Components wizard. In Windows Vista, click the Start button, then go to Control Panel. Click on the Programs link and then click on Turn Windows features on or off. If you’re prompted with a User Account Control dialog, click “Continue”.
  2. In Components of Windows XP and 2008, click on Management and Monitoring Tools (make sure that you do not tick or untick its check box, which would change the existing selection), and then click Details. In Windows Features of 7, locate the SNMP feature.
  3. Select and tick the check box of the Simple Network Management Protocol or SNMP feature.
  4. Click OK. Also click Next if you’re in Windows XP or 2008. The SNMP service will be installed on the system. You may be required to insert the Windows setup CD/DVD disc into the optical drive. Two new services will be created:
    • SNMP Service, which is the main engine with agents that monitor the activity in the network devices and report the information to the monitoring console workstation.
    • SNMP Trap Service, which receives trap messages generated by local or remote SNMP agents and forwards the messages to SNMP management programs running on this computer.
  5. SNMP will start automatically after installation. But it’s recommended to verify the service status from Services in Control Panel, and if it’s stopped, you can start the SNMP service from there.

Windows doesn’t assign any community string to the SNMP service by default, and also only allows access from localhost or local devices. Further configuration is needed to add the desired community string, which acts as the password that grants a reply to any SNMP request from a remote system.

How to Configure SNMP Service (Add “public” community string)

  1. Click on Start button, then go to Control Panel.
  2. In Windows Vista, click on System and Maintenance link.
  3. Open Administrative Tools.
  4. Run Services applet.
  5. Locate and right click on SNMP Service, then select Properties.
  6. In SNMP Service Properties window, click on Traps tab.
  7. In the “Community name” text box, enter public or any other case-sensitive SNMP community name to which this computer will send trap messages.
  8. Click on Add to list button.

How to Configure Security for SNMP Service for a Community

  1. Continuing from the steps above, click on the Security tab. If you have already closed the SNMP Service Properties window, re-open it.
  2. Under “Accepted community names” section, click Add button.
  3. Select the appropriate permission level for the community string in the “Community Rights” drop-down list to specify how the host processes SNMP requests from the selected community. Normally READ ONLY is recommended.
  4. In the “Community Name” box, type public or any case-sensitive community name that you want.
  5. Click on Add button.

In order for the SNMP service to accept and receive SNMP request packets from any host on the network, including external remote hosts regardless of identity, click Accept SNMP packets from any host.

To limit the acceptance of SNMP packets, click Accept SNMP packets from these hosts, then click Add, and then type the appropriate host name, IP or IPX address in the Host name, IP or IPX address box. You can restrict access to the local host or a limited set of servers only by using this setting. Finish off by clicking the Add button again.

Click OK when done. Note that you may need to reboot for the settings to take effect.

Source: My Digital Life
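An added audit script (not from the original article) that reads the Security-tab settings of the SNMP service back through the registry and flags the weak states the configuration steps above warn about: a “public” community name, rights above READ ONLY, and “Accept SNMP packets from any host”. The registry locations under the SNMP service key and the numeric rights values are assumptions about where the service stores these settings, not something the article states.

```powershell
# Added example, not from the original article. Run in PowerShell as an administrator.
# Assumed storage (not stated by the article):
#   ValidCommunities  : one DWORD value per community; 1=NONE 2=NOTIFY 4=READ ONLY 8=READ WRITE 16=READ CREATE
#   PermittedManagers : string values "1","2",... naming the allowed hosts; no values = any host accepted
$SnmpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters'
$Rights = @{ 1 = 'NONE'; 2 = 'NOTIFY'; 4 = 'READ ONLY'; 8 = 'READ WRITE'; 16 = 'READ CREATE' }

function Get-SnmpSecurityAudit {
    $findings = @()
    $communities = @{}
    $key = Get-Item "$SnmpParams\ValidCommunities" -ErrorAction SilentlyContinue
    if ($key) {
        foreach ($name in $key.GetValueNames()) {
            $level = [int]$key.GetValue($name)
            $communities[$name] = if ($Rights.ContainsKey($level)) { $Rights[$level] } else { "unknown($level)" }
            if ($name -eq 'public') { $findings += "community 'public' is accepted; use a non-default name" }
            if ($level -gt 4) { $findings += "community '$name' has $($communities[$name]) rights; READ ONLY is recommended" }
        }
    } else {
        $findings += "no community names configured; the service will not answer any request"
    }

    # "Accept SNMP packets from these hosts" is reflected by entries here; an empty key means any host.
    $hosts = @()
    $key = Get-Item "$SnmpParams\PermittedManagers" -ErrorAction SilentlyContinue
    if ($key) { $hosts = @($key.GetValueNames() | ForEach-Object { $key.GetValue($_) }) }
    if ($hosts.Count -eq 0) { $findings += "'Accept SNMP packets from any host' is in effect; restrict it to your management hosts" }

    [pscustomobject]@{
        Communities       = $communities
        PermittedManagers = $hosts
        Findings          = $findings
    }
}

Get-SnmpSecurityAudit | Format-List
```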


Crackers break GSM encryption, carriers consider new algorithms


Encrypted data on GSM-supported cell phones may not be as secure as previously thought after a widely known encryption expert presented research showing how hackers can poke holes in the algorithm to eavesdrop on calls.
Karsten Nohl, chief research scientist at H4RDW4RE, who asked hackers last summer to focus on cracking the widely used GSM encryption algorithm, presented research this week showing how an earnest hacker can find tools on hacking forums to intercept calls protected by the GSM A5/1 algorithm, a 64-bit binary code.
In an interview with SearchSecurity, Nohl said a newer A5/3 encryption algorithm exists, but operators have been slow to deploy it.
“We’re urging operators to think of security as something that should be a moving part rather than something that’s created and used for 20 years,” Nohl said. “With research picking up, A5/3 will be broken at some point too.”
The older A5/1 encryption algorithm is used in 80% of cell phones worldwide. It was first introduced in 1987 and Nohl points out that it became publicly available in 1994. A technique cracking the algorithm has been widely used in government intelligence gathering and law enforcement investigations, but until now, technology hasn’t been available to make it practical for hackers to crack it. The GSM hacking technique has been too expensive and too complicated to pull off.
Nohl’s GSM research presented this week at the Chaos Communications Congress in Berlin, shows that the technology has finally caught up to make it easier for hackers. Nohl said he is being pressured by the GSM Association (GSMA), an organization of licensed GSM mobile network operators, to cancel or scale back a demonstration planned Wednesday at the conference. A GSMA spokesperson did not return a request for comment.
It takes a mixture of hardware and computational software to pull off an attack, he said.

“The equipment used is getting cheaper and cheaper,” Nohl said. “This will not be a vulnerability as widespread as Internet spam; it will always stay a targeted attack.”

Nohl urged security professionals at enterprises to be aware of the potential threat and use additional security mechanisms to protect sensitive calls. For now, breaking the algorithm means a hacker can intercept text messages, conversations and data only on rare occasions. Data on GSM networks is routed through faster networks, which protects the information, but banking applications designed to work on GSM enabled phones may also be under an increased risk.
“They should treat the Internet as an untrusted network and [should] take precautions by adding their own encryption on top of it,” Nohl said of enterprises concerned about secure communications.
In his presentation, Nohl describes both an active technique, in which cell phone calls are routed through a base station and a more challenging passive technique that involves more heavy computation. While it takes a savvy hacker to make the attack work, all of the parts making up the radio receiver system and signal processing software are open source and can be found on file swapping services and hacking websites, he said.
Nohl said he found an India-based equipment manufacturer advertising GSM cracking machines for as little as $US200,000. Using the same techniques a hacker can build a machine from scratch much cheaper, he said.

“As the attack becomes cheaper, more people will be interested in listening in to steal information on phone calls,” Nohl said. “It’s only a matter of time.”

source: SearchSecurity.com