Disable LLMNR, IPv6 and Other Network Services

The following tweaks turn off network features that are either legacy but still enabled, or simply not required.

Each setting can be applied by running it directly in an elevated PowerShell session, or deployed from MDT or ConfigMgr.

<#
.Synopsis

.Description

If IPv6 isn't deployed on the network, it should be disabled correctly via the registry and not by unchecking the IPv6 component in Network Connections.

.Version

#>

#Disable IPv6 by setting DisabledComponents to 0xff; do not use 0xffffffff, as it slows down boot

New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters' -Name DisabledComponents -PropertyType DWORD -Value 0xff -Force

<#
.Synopsis

Disable LLMNR

.Description

LLMNR (or Responder) should be actively disabled, as it broadcasts the password hash and account name of the user or service account. Open Run and type '\\server\share': since that name is very unlikely to exist, the client will query the network by broadcasting on port 5355, and the request carries your account name with the password hash. A Kali host running Responder will pick this up and feed it into John the Ripper.

Block ports TCP\UDP 5355 both InBound and OutBound

Or set 'Turn on Responder (RSPNDR) Driver' to 'Disabled' in the GPO under 'Computer > Policies > Administrative Templates > Network > Link-Layer Topology Discovery'.

.Version

#>

#Disable LLMNR (EnableMultiCast = 0 under the DNSClient policy key)

#Create the policy key first, then the value (the two commands were run together in the original)
New-Item "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT" -Name DNSClient -Force
New-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" -Name EnableMultiCast -Value 0 -PropertyType DWORD -Force

<#
.Synopsis

Disable both LMHosts and NetBios

.Description

LMHOSTS is the legacy file used for name resolution.

NetBIOS is often enabled by default on Windows systems but is legacy for SMB and printer traffic; it can be abused, leading to the system being exploited.


Port 139 is used by nbtstat to query for Windows devices.

Block ports UDP 137-138 both InBound and OutBound

Block ports TCP 139 both InBound and OutBound

.Version

#>

#Disable LMHOSTS lookup in network settings via the static EnableWINS method of Win32_NetworkAdapterConfiguration
$lmhost = @{
    DNSEnabledForWINSResolution = $false
    WINSEnableLMHostsLookup     = $false
}
Invoke-CimMethod -ClassName Win32_NetworkAdapterConfiguration -MethodName EnableWINS -Arguments $lmhost


#Disable NetBIOS over TCP/IP on every interface (NetBiosOptions: 0 = from DHCP, 1 = enabled, 2 = disabled)

$netbios = Get-ChildItem -Recurse "HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces" |
    Where-Object { $_.Property -contains "NetBiosOptions" }

foreach ($op in $netbios) {
    # PSPath is already a provider path, so no 'cd hklm:' or HKEY_LOCAL_MACHINE replacement is needed
    Set-ItemProperty -Path $op.PSPath -Name NetBiosOptions -Value 2 -Force
}

<#
.Synopsis

Disable Universal Plug and Play for network devices

.Description

UPnP allows devices to discover and share data with other network devices. There is a small but real risk of this service being abused; more importantly, it is a service that isn't needed, so it is disabled.

Block port TCP 5000 Inbound

Block port UDP 1901 Inbound

Stop the 'UPnP Device Host' Windows service.

.Version

#>

#Disable UPnP (Network Discovery) by turning off the LLTD Mapper I/O and Responder policies

#Create the LLTD policy key if it does not exist; Set-ItemProperty fails on a missing key
New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\LLTD" -Force | Out-Null

Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\LLTD" -Name AllowLLTDIOOnDomain -Value 0 -Force
Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\LLTD" -Name AllowLLTDIOOnPublicNet -Value 0 -Force
Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\LLTD" -Name AllowRspndrOnDomain -Value 0 -Force
Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\LLTD" -Name AllowRspndrOnPublicNet -Value 0 -Force
Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\LLTD" -Name EnableLLTDIO -Value 0 -Force
Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\LLTD" -Name EnableRspndr -Value 0 -Force
Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\LLTD" -Name ProhibitLLTDIOOnPrivateNet -Value 1 -Force
Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\LLTD" -Name ProhibitRspndrOnPrivateNet -Value 1 -Force
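As an added, read-only audit example (not part of the original post), the following function reports whether each setting applied above is in the state the script sets, so the tweaks can be verified after deployment from MDT or ConfigMgr. The 'UPnP Device Host' service name upnphost is an assumption of this example.

```powershell
# Added audit example: read-only check of the hardening settings applied above
function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value missing -> reported as non-compliant
}
function Test-NetworkHardening {
    $results = New-Object System.Collections.Generic.List[object]
    function Add-Result($Area, $Setting, $Expected, $Actual) {
        $results.Add([pscustomobject]@{
            Area = $Area; Setting = $Setting; Expected = $Expected; Actual = $Actual
            Compliant = ($null -ne $Actual -and "$Actual" -eq "$Expected")
        })
    }

    # IPv6: DisabledComponents = 0xff (255)
    Add-Result 'IPv6' 'DisabledComponents' 255 `
        (Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters' 'DisabledComponents')

    # LLMNR: EnableMultiCast = 0
    Add-Result 'LLMNR' 'EnableMultiCast' 0 `
        (Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableMultiCast')

    # NetBIOS over TCP/IP: NetBiosOptions = 2 on every interface
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces' | ForEach-Object {
        Add-Result 'NetBIOS' "NetBiosOptions ($($_.PSChildName))" 2 (Get-RegValue $_.PSPath 'NetBiosOptions')
    }

    # LMHOSTS lookup: no IP-enabled adapter should still have it on
    $cfg = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    Add-Result 'LMHOSTS' 'WINSEnableLMHostsLookup (any adapter)' $false ([bool]($cfg.WINSEnableLMHostsLookup -contains $true))

    # LLTD Mapper I/O and Responder policies
    $lltd = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LLTD'
    foreach ($n in 'AllowLLTDIOOnDomain','AllowLLTDIOOnPublicNet','AllowRspndrOnDomain',
                   'AllowRspndrOnPublicNet','EnableLLTDIO','EnableRspndr') {
        Add-Result 'LLTD' $n 0 (Get-RegValue $lltd $n)
    }
    foreach ($n in 'ProhibitLLTDIOOnPrivateNet','ProhibitRspndrOnPrivateNet') {
        Add-Result 'LLTD' $n 1 (Get-RegValue $lltd $n)
    }

    # UPnP Device Host service should be disabled (assumed service name: upnphost)
    $svc = Get-Service -Name upnphost -ErrorAction SilentlyContinue
    Add-Result 'UPnP' 'upnphost StartType' 'Disabled' $(if ($svc) { "$($svc.StartType)" } else { 'NotInstalled' })
    return $results
}
Test-NetworkHardening | Format-Table -AutoSize
```

Any row with Compliant = False points at a setting that was not applied or has since been reverted; the function changes nothing, so it is safe to run as a scheduled compliance check.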