Disabling Windows Server 2003 SP1 and SP2 Denial of Service Checking

You should disable the Windows Server 2003 Service Pack 1 and Service Pack 2 denial of service checking. This is because under certain high-load scenarios, Windows Server 2003 SP1 and SP2 denial of service checking may incorrectly identify valid TCP/IP connections as a denial of service attack.

How Denial of Service Can Affect TCP/IP Connections

Windows Server 2003 SP1 and SP2 implement a security feature that reduces the size of the queue for concurrent TCP/IP connections to the server. This feature helps prevent denial of service attacks. Under heavy load conditions, the TCP/IP protocol in Windows Server 2003 SP1 or later may incorrectly identify valid TCP/IP connections as a denial of service attack. This may occur when BizTalk Server is under heavy load.

Modifying the Registry Entry

Create the SynAttackProtect registry entry on computers running SQL Server that host BizTalk Server databases and on any computers running BizTalk Server that are running Windows Server 2003 SP1 or later.

Tuning Registry Settings that Govern the Level of Denial of Service Attack Protection

In certain scenarios you may want to maintain denial of service protection but reduce how aggressively the denial of service functionality is applied. It is possible to tune the default behavior of the denial of service protection feature by following these steps:

1. Ensure that the SynAttackProtect registry entry is set to a REG_DWORD value of 1 as described at SynAttackProtect.

2. Configure the TcpMaxHalfOpen registry entry as described at TcpMaxHalfOpen.

3. Configure the TcpMaxHalfOpenRetried registry entry as described at TcpMaxHalfOpenRetried.

See Also

Operational Readiness Checklists