Firewall Wizards mailing list archives

Re: How to Secure Windows? was How to Save the World


From: Mark <firewalladmin () bellsouth net>
Date: Sat, 25 Dec 2004 12:26:58 -0500

On Tue, 2004-12-21 at 16:25, Paul D. Robertson wrote:

> Any idea if you can make Windows *not* dynamically accept ARP entries and
> rely only on static entries in the table?
>
> Paul

Would it be enough to simply add a static ARP entry on all your hosts
for the default gateway and any important hosts/servers on the local
subnet? Once you have a static entry, it won't broadcast for a MAC
address to my knowledge. Something like this:
arp -s 10.0.0.1 aa-bb-cc-dd-11-22

It should be fairly simple to add the entries needed via login script or
whatnot. What about a script that deletes all cached entries first (arp
-d *) followed by the needed static entries? Not sure on the effects of
running that on a semi-continuous basis. There are registry entries
controlling the default TTL of cached ARP entries (default is 2 minutes;
wonder what setting it to 0 would do).

As far as NOT accepting dynamic arp entries... Disable TCP/IP. DOH!

Mark

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
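The flush-then-pin procedure Mark sketches above, written out as a login script that can be verified, as an added example that is not part of the original post. It uses only the arp.exe commands the post mentions (arp -d * and arp -s) and then parses arp -a to confirm each entry is listed as "static", which is the check a practitioner would want before trusting the pinning. The 10.0.0.x addresses and MACs are made up; substitute your own gateway and server values. On Vista and later arp -s needs an elevated prompt.

```powershell
# Added example (not code from the original post or thread).
# Flush the ARP cache, pin the gateway and important servers as static
# entries, then verify that the OS really lists them as static.
# All addresses and MACs below are assumed/made-up placeholders.

$StaticEntries = @{
    '10.0.0.1'  = 'aa-bb-cc-dd-11-22'   # default gateway (assumed)
    '10.0.0.10' = 'aa-bb-cc-dd-11-33'   # file server (assumed)
}

function Set-StaticArp {
    param([hashtable]$Entries)

    # Step 1 from the post: drop every cached (dynamic) entry first.
    & arp.exe -d *

    # Step 2: add one static entry per important host.
    foreach ($ip in $Entries.Keys) {
        & arp.exe -s $ip $Entries[$ip]
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "arp -s failed for $ip ($($Entries[$ip]))"
        }
    }
}

function Test-StaticArp {
    param([hashtable]$Entries)

    # arp -a prints one line per entry on English Windows, e.g.
    #   10.0.0.1      aa-bb-cc-dd-11-22     static
    # Anything that shows up as "dynamic" (or is missing) was not pinned.
    $table = & arp.exe -a
    $allPinned = $true
    foreach ($ip in $Entries.Keys) {
        $mac  = $Entries[$ip]
        $line = $table | Where-Object { $_ -match "^\s*$([regex]::Escape($ip))\s+" }
        if (-not $line -or $line -notmatch "$([regex]::Escape($mac))\s+static") {
            Write-Warning "$ip is NOT pinned as static: '$line'"
            $allPinned = $false
        }
    }
    return $allPinned
}

Set-StaticArp -Entries $StaticEntries
if (Test-StaticArp -Entries $StaticEntries) {
    'All static ARP entries in place'
} else {
    'One or more entries are missing or still dynamic'
}
```

Run it from the login script as the post proposes, since the arp -s entries are tied to the running interface and should be re-applied at each logon; the Test-StaticArp check is what tells you whether the re-application actually took, rather than assuming it did.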

