Tenaka

Feb 13, 2020

Disable LLMNR, IPv6 and Other Network Services

The following tweaks are for disabling network features that are either legacy but still enabled or not required.

Each setting can be applied by running an elevated PowerShell directly or deployed from MDT or ConfigMgr.

<#
.Synopsis
Disable IPv6

.Description
If IPv6 isn't deployed on the network, it should be disabled correctly via the registry and not by unchecking the IPv6 component in Network Connections.

.Version
#>

#Disable IPv6 by setting 0xff; do not set 0xffffffff as it slows down bootup. A restart is required for the change to take effect.
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters' -Name DisabledComponents -PropertyType DWORD -Value 0xff -Force

<#
.Synopsis
Disable LLMNR

.Description
LLMNR (or the Responder driver) should be actively disabled, as it exposes the account name and password hash of the user or service account to anyone on the local network. Open Run and type '\\server\share'; as this name is very unlikely to exist, the client falls back to multicasting the query on port 5355, and a host running Responder (for example on Kali) will answer it, capture the account name and password hash, and feed it into John the Ripper.

Block ports TCP/UDP 5355, both inbound and outbound.

Or set 'Turn on Responder (RSPNDR) Driver' to 'Disabled' in GPO 'Computer > Policies > Administrative Templates > Network > Link-Layer Topology Discovery'.

.Version
#>

#Disable LLMNR: create the DNSClient policy key, then turn off multicast name resolution
New-Item "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT" -Name DNSClient -Force
New-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" -Name EnableMultiCast -Value 0 -PropertyType DWORD -Force

<#
.Synopsis
Disable both LMHOSTS and NetBIOS

.Description
LMHOSTS is the legacy file used for name resolution.

NetBIOS is often enabled by default on Windows systems but is a legacy transport for SMB and printer traffic; it can be abused, leading to the system being exploited.

Port 139 is used by Nbtstat to query for Windows devices.

Block ports UDP 137-138, both inbound and outbound.

Block port TCP 139, both inbound and outbound.

.Version
#>

#Disable LMHOSTS lookup (and DNS for WINS resolution) in Network Settings
#EnableWINS is a static method of Win32_NetworkAdapterConfiguration, so it is invoked on the class rather than on an instance
$lmhost = @{
    DNSEnabledForWINSResolution = $false
    WINSEnableLMHostsLookup     = $false
}

Invoke-CimMethod -ClassName Win32_NetworkAdapterConfiguration -MethodName EnableWINS -Arguments $lmhost


 

#Disable NetBIOS over TCP/IP on every interface (NetbiosOptions: 0 = use DHCP setting, 1 = enabled, 2 = disabled)
$netbios = Get-ChildItem -Recurse "HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces" |
    Where-Object { $_.Property -contains "NetbiosOptions" }

foreach ($op in $netbios)
{
    Set-ItemProperty -Path $op.PSPath -Name NetbiosOptions -Value 2 -Force
}
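The LLMNR and NetBIOS sections above say to block TCP/UDP 5355, UDP 137-138 and TCP 139 in both directions but give no commands for it. The following is an added example, not code from the original post: it creates Windows Defender Firewall block rules for those ports using the NetSecurity cmdlets (Windows 8 / Server 2012 and later, elevated shell). The rule display names are my own choice.

```powershell
# Added example (not from the original post): firewall block rules for the LLMNR and
# NetBIOS ports listed on this page. Rule names are my own; run from an elevated PowerShell.

$blockRules = @(
    @{ Name = 'Block LLMNR TCP 5355';      Protocol = 'TCP'; Port = '5355'    }
    @{ Name = 'Block LLMNR UDP 5355';      Protocol = 'UDP'; Port = '5355'    }
    @{ Name = 'Block NetBIOS UDP 137-138'; Protocol = 'UDP'; Port = '137-138' }
    @{ Name = 'Block NetBIOS TCP 139';     Protocol = 'TCP'; Port = '139'     }
)

foreach ($rule in $blockRules) {
    foreach ($direction in 'Inbound', 'Outbound') {
        $displayName = "$($rule.Name) ($direction)"

        # Skip rules that already exist so a redeploy from MDT/ConfigMgr does not create duplicates
        if (Get-NetFirewallRule -DisplayName $displayName -ErrorAction SilentlyContinue) {
            Write-Verbose "Rule '$displayName' already exists, skipping"
            continue
        }

        $params = @{
            DisplayName = $displayName
            Direction   = $direction
            Action      = 'Block'
            Protocol    = $rule.Protocol
            Profile     = 'Any'
        }

        # Inbound traffic arrives on the local port. An outbound LLMNR or NetBIOS query leaves
        # from an ephemeral local port towards the remote port, so the outbound rule must
        # match on RemotePort; an outbound rule on LocalPort 5355 would block nothing.
        if ($direction -eq 'Inbound') { $params.LocalPort  = $rule.Port }
        else                          { $params.RemotePort = $rule.Port }

        New-NetFirewallRule @params | Out-Null
    }
}

# Read back the port filters behind the new rules to confirm what was created
Get-NetFirewallRule -DisplayName 'Block LLMNR*', 'Block NetBIOS*' |
    Get-NetFirewallPortFilter |
    Select-Object InstanceID, Protocol, LocalPort, RemotePort
```

The script is safe to re-run: existing rules are skipped by display name, and the final read-back shows whether each rule carries a local or remote port filter.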

<#
.Synopsis
Disable Universal Plug and Play for network devices

.Description
uPnP allows devices to discover and share data with other network devices. There is a small but real risk of this service being abused; more importantly, it is a service that isn't needed, so it is disabled.

Block port TCP 5000 inbound.

Block port UDP 1901 inbound.

Stop the 'UPnP Device Host' Windows service.

.Version
#>

#Disable uPnP / Network Discovery: turn off the LLTD Mapper I/O and Responder drivers via policy
#The LLTD policy key does not exist until a policy has been applied, so create it first or Set-ItemProperty fails
$lltd = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\LLTD"
if (-not (Test-Path $lltd)) { New-Item -Path $lltd -Force | Out-Null }

$lltdValues = @{
    AllowLLTDIOOnDomain        = 0
    AllowLLTDIOOnPublicNet     = 0
    AllowRspndrOnDomain        = 0
    AllowRspndrOnPublicNet     = 0
    EnableLLTDIO               = 0
    EnableRspndr               = 0
    ProhibitLLTDIOOnPrivateNet = 1
    ProhibitRspndrOnPrivateNet = 1
}

foreach ($name in $lltdValues.Keys)
{
    Set-ItemProperty -Path $lltd -Name $name -Value $lltdValues[$name] -Type DWORD -Force
}
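Once these settings have been pushed out from MDT or ConfigMgr it is worth reading them back rather than assuming the task sequence applied them. The following is an added example, not code from the original post: it checks each value the post sets (IPv6 DisabledComponents, LLMNR EnableMultiCast, the LLTD policies, NetbiosOptions on every interface, the per-adapter LMHOSTS lookup flag and the state of the 'UPnP Device Host' service) against the hardened value and reports anything out of line. The expected values are the ones used above; 'upnphost' is the service name behind 'UPnP Device Host', and the function names are my own.

```powershell
# Added example (not from the original post): audit the settings changed on this page.
# Expected values are taken from the commands above. Run from an elevated PowerShell.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is missing rather than throwing
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-NetworkHardeningState {
    [CmdletBinding()]
    param ()

    $checks = @()

    $checks += @{ Setting = 'IPv6 DisabledComponents'; Expected = 0xff
                  Actual  = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters' 'DisabledComponents' }
    $checks += @{ Setting = 'LLMNR EnableMultiCast'; Expected = 0
                  Actual  = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableMultiCast' }

    # LLTD Mapper I/O and Responder policies: six values should be 0, two should be 1
    $lltd = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LLTD'
    foreach ($name in 'AllowLLTDIOOnDomain', 'AllowLLTDIOOnPublicNet', 'AllowRspndrOnDomain',
                      'AllowRspndrOnPublicNet', 'EnableLLTDIO', 'EnableRspndr') {
        $checks += @{ Setting = "LLTD $name"; Expected = 0; Actual = Get-RegValue $lltd $name }
    }
    foreach ($name in 'ProhibitLLTDIOOnPrivateNet', 'ProhibitRspndrOnPrivateNet') {
        $checks += @{ Setting = "LLTD $name"; Expected = 1; Actual = Get-RegValue $lltd $name }
    }

    # NetBIOS over TCP/IP must be disabled (2) on every interface, not just the one in use
    $ifaces = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
    foreach ($iface in $ifaces) {
        $checks += @{ Setting = "NetbiosOptions $($iface.PSChildName)"; Expected = 2
                      Actual  = Get-RegValue $iface.PSPath 'NetbiosOptions' }
    }

    # LMHOSTS lookup is a per-adapter setting exposed through WMI rather than one registry value
    $adapters = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    foreach ($adapter in $adapters) {
        $checks += @{ Setting = "WINSEnableLMHostsLookup $($adapter.Description)"; Expected = $false
                      Actual  = $adapter.WINSEnableLMHostsLookup }
    }

    # UPnP Device Host should be stopped and not set to start again (StartType needs PowerShell 5+)
    $svc = Get-Service -Name upnphost -ErrorAction SilentlyContinue
    $svcState = $null
    if ($svc) { $svcState = "$($svc.Status)/$($svc.StartType)" }
    $checks += @{ Setting = 'UPnP Device Host (upnphost)'; Expected = 'Stopped/Disabled'; Actual = $svcState }

    # A missing value is never compliant: an absent policy key means the default behaviour is still active
    foreach ($c in $checks) {
        [pscustomobject]@{
            Setting   = $c.Setting
            Expected  = $c.Expected
            Actual    = $c.Actual
            Compliant = ($null -ne $c.Actual) -and ($c.Actual -eq $c.Expected)
        }
    }
}

# Usage: list only the settings still out of line with this page
Get-NetworkHardeningState | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

Drop the Where-Object filter to see the full table, and note that a missing registry value is reported as non-compliant on purpose, since an absent policy leaves Windows on its default (enabled) behaviour.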
