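function Set-NetworkHardening {
    <#
    .SYNOPSIS
        Hardens the network stack by disabling legacy and insecure protocols and services.

    .DESCRIPTION
        Applies a set of hardening actions through the registry and Windows optional
        features. Each action is opt-in via its own switch, or all of them via -All:

        - IPv6
        - LLMNR (Link-Local Multicast Name Resolution)
        - NBNS (NetBIOS over TCP/IP)
        - mDNS (Multicast DNS)
        - SMB 1.0 (server and client)
        - SMB 2.0 (which also disables SMB 3.0)

        LLMNR, NBNS and mDNS are the broadcast/multicast name-resolution fallbacks
        that name-poisoning tools abuse on a local network; disabling them removes
        that attack surface. Disabling SMB 2/3 turns off the SMB server entirely and
        is therefore refused when any non-default share exists (see -DisableSMB2).

        Every write goes to HKLM, so the function must run elevated and throws if it
        is not (a -WhatIf run is allowed unelevated). -WhatIf and -Confirm are
        supported for each action. Use -Reset to undo the registry changes.

    .PARAMETER DisableIPv6
        Sets Tcpip6\Parameters\DisabledComponents = 0xFF (the value Microsoft documents
        for disabling IPv6; do not use 0xFFFFFFFF). Microsoft advises against disabling
        IPv6 wholesale because some components assume it is available. Requires a reboot.

    .PARAMETER DisableLLMNR
        Sets the DNSClient policy value EnableMulticast = 0. Because this lives under
        HKLM\SOFTWARE\Policies, a domain GPO that manages the same setting may overwrite it.

    .PARAMETER DisableNBNS
        Sets NetbiosOptions = 2 on every interface currently listed under
        NetBT\Parameters\Interfaces. Adapters added later are not covered; re-run after
        adding one.

    .PARAMETER DisableMDNS
        Sets Dnscache\Parameters\EnableMDNS = 0.

    .PARAMETER DisableSMB1
        Removes the SMB1Protocol optional feature (falling back to
        LanmanServer\Parameters\SMB1 = 0, server side only, when the feature is not
        available), disables the mrxsmb10 client driver and removes MRxSmb10 from the
        Workstation service's dependency list so LanmanWorkstation can still start.

    .PARAMETER DisableSMB2
        Sets LanmanServer\Parameters\SMB2 = 0, which disables SMB 2.0 and 3.0 on the
        server side. Skipped when any share other than the default ADMIN$, IPC$ and
        <drive>$ shares exists, since that means the SMB server is in use.

    .PARAMETER All
        Turns on every Disable* switch that was not set explicitly
        (-All -DisableIPv6:$false leaves IPv6 alone).

    .PARAMETER Reset
        Removes the registry values written by the Disable* switches, sets
        NetbiosOptions = 0 (DHCP-controlled default) on every interface, re-enables the
        mrxsmb10 driver (Start = 3) and restores its Workstation dependency when the
        driver is still installed. The SMB1Protocol optional feature is NOT re-installed;
        re-enable it deliberately with Enable-WindowsOptionalFeature if it is really needed.

    .EXAMPLE
        Set-NetworkHardening -All

    .EXAMPLE
        Set-NetworkHardening -DisableLLMNR -DisableSMB1

    .EXAMPLE
        Set-NetworkHardening -All -WhatIf

    .EXAMPLE
        Set-NetworkHardening -Reset

    .NOTES
        Author: SVSMSP Toolkit
        Some changes may require a reboot to take full effect.
    #>

    [CmdletBinding(SupportsShouldProcess)]
    param (
        [switch]$DisableIPv6,
        [switch]$DisableLLMNR,
        [switch]$DisableNBNS,
        [switch]$DisableMDNS,
        [switch]$DisableSMB1,
        [switch]$DisableSMB2,
        [switch]$All,
        [switch]$Reset
    )

    # Every action writes under HKLM. Without elevation the registry cmdlets only emit
    # non-terminating "access denied" errors and the old code reported success anyway,
    # so fail early instead. -WhatIf performs no writes and may run unelevated.
    if (-not $WhatIfPreference) {
        $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
        $principal = New-Object Security.Principal.WindowsPrincipal($identity)
        if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
            throw 'Set-NetworkHardening must be run from an elevated (Administrator) PowerShell session.'
        }
    }

    # Registry locations shared by the Disable-* and Reset paths so both sides stay in sync.
    $tcpip6Params      = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
    $dnsClientPolicy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    $dnscacheParams    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'
    $lanmanServer      = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $lanmanWorkstation = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation'
    $netbtInterfaces   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
    $mrxsmb10          = 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10'

    # Writes a REG_DWORD (creating the key if needed) and reports it. All errors are
    # terminating so a caller's try/catch actually sees a failed write.
    function Set-RegistryDword {
        param([string]$Path, [string]$Name, [int]$Value)
        if (-not (Test-Path $Path)) {
            New-Item -Path $Path -Force -ErrorAction Stop | Out-Null
        }
        New-ItemProperty -Path $Path -Name $Name -PropertyType DWORD -Value $Value -Force -ErrorAction Stop | Out-Null
        Write-Host " → Set $Path\$Name = $Value"
    }

    # Drops MRxSmb10 from the Workstation service's dependency list. The Service Control
    # Manager refuses to start a service whose dependency is disabled, so this has to
    # accompany setting mrxsmb10 Start = 4 (the procedure Microsoft documents for
    # disabling the SMB1 client).
    function Remove-Smb1WorkstationDependency {
        $deps = @((Get-ItemProperty -Path $lanmanWorkstation -Name DependOnService -ErrorAction Stop).DependOnService)
        $kept = @($deps | Where-Object { $_ -ne 'MRxSmb10' })
        if ($kept.Count -ne $deps.Count) {
            Set-ItemProperty -Path $lanmanWorkstation -Name DependOnService -Value ([string[]]$kept) -Type MultiString -ErrorAction Stop
            Write-Host " → Removed MRxSmb10 from $lanmanWorkstation\DependOnService"
        }
    }

    # Inverse of Remove-Smb1WorkstationDependency, used by -Reset.
    function Restore-Smb1WorkstationDependency {
        $deps = @((Get-ItemProperty -Path $lanmanWorkstation -Name DependOnService -ErrorAction Stop).DependOnService)
        if ($deps -notcontains 'MRxSmb10') {
            Set-ItemProperty -Path $lanmanWorkstation -Name DependOnService -Value ([string[]]($deps + 'MRxSmb10')) -Type MultiString -ErrorAction Stop
            Write-Host " → Added MRxSmb10 back to $lanmanWorkstation\DependOnService"
        }
    }

    function Reset-NetworkHardening {
        Write-Host "`n[RESET] Reverting all settings to default..." -ForegroundColor Yellow

        # Values written by the Disable-* paths; removing them restores the OS default.
        # SMB1 (the registry fallback of -DisableSMB1) was previously left behind.
        $valuesToRemove = @(
            @{ Path = $tcpip6Params;    Name = 'DisabledComponents' },
            @{ Path = $dnsClientPolicy; Name = 'EnableMulticast' },
            @{ Path = $dnscacheParams;  Name = 'EnableMDNS' },
            @{ Path = $lanmanServer;    Name = 'SMB1' },
            @{ Path = $lanmanServer;    Name = 'SMB2' }
        )

        foreach ($entry in $valuesToRemove) {
            if (-not (Test-Path $entry.Path)) { continue }
            # Only report "Removed" for a value that actually existed and was removed.
            $existing = Get-ItemProperty -Path $entry.Path -Name $entry.Name -ErrorAction SilentlyContinue
            if ($null -eq $existing) { continue }
            try {
                Remove-ItemProperty -Path $entry.Path -Name $entry.Name -ErrorAction Stop
                Write-Host " → Removed $($entry.Path)\$($entry.Name)"
            } catch {
                Write-Warning "Failed to remove $($entry.Path)\$($entry.Name): $_"
            }
        }

        # 0 = default (NetBIOS setting taken from DHCP), applied to every interface
        # regardless of what it was before hardening.
        Get-ChildItem -Path $netbtInterfaces -ErrorAction SilentlyContinue | ForEach-Object {
            try {
                Set-ItemProperty -Path $_.PsPath -Name NetbiosOptions -Value 0 -ErrorAction Stop
                Write-Host " → Set $($_.PsPath)\NetbiosOptions = 0"
            } catch {
                Write-Warning "Failed to reset NetbiosOptions for $($_.PsPath): $_"
            }
        }

        # Re-enable the SMB1 client driver only when it is still installed; the
        # dependency is put back only if the driver binary is present, otherwise
        # LanmanWorkstation would depend on something that cannot start.
        if (Test-Path $mrxsmb10) {
            try {
                Set-ItemProperty -Path $mrxsmb10 -Name Start -Value 3 -ErrorAction Stop
                Write-Host " → Set $mrxsmb10\Start = 3"
                if (Test-Path (Join-Path $env:SystemRoot 'System32\drivers\mrxsmb10.sys')) {
                    Restore-Smb1WorkstationDependency
                }
            } catch {
                Write-Warning "Failed to re-enable the SMB1 client driver: $_"
            }
        }

        Write-Host "`n✅ Reset complete. Reboot may be required." -ForegroundColor Green
    }

    function Disable-IPv6 {
        Write-Host "`n[IPv6] Disabling via registry..." -ForegroundColor Cyan
        try {
            # 0xFF disables all IPv6 components except the loopback interface.
            Set-RegistryDword -Path $tcpip6Params -Name 'DisabledComponents' -Value 0xFF
        } catch {
            Write-Warning "Failed to set $tcpip6Params\DisabledComponents: $_"
        }
    }

    function Disable-LLMNR {
        Write-Host "`n[LLMNR] Disabling via registry..." -ForegroundColor Cyan
        try {
            Set-RegistryDword -Path $dnsClientPolicy -Name 'EnableMulticast' -Value 0
        } catch {
            Write-Warning "Failed to set $dnsClientPolicy\EnableMulticast: $_"
        }
    }

    function Disable-NBNS {
        Write-Host "`n[NBNS] Disabling NetBIOS over TCP/IP on all adapters..." -ForegroundColor Cyan
        # 2 = disable NetBIOS over TCP/IP on that interface.
        Get-ChildItem -Path $netbtInterfaces -ErrorAction SilentlyContinue | ForEach-Object {
            try {
                Set-ItemProperty -Path $_.PsPath -Name NetbiosOptions -Value 2 -ErrorAction Stop
                Write-Host " → Set $($_.PsPath)\NetbiosOptions = 2"
            } catch {
                Write-Warning "Failed to set NetbiosOptions for $($_.PsPath): $_"
            }
        }
    }

    function Disable-mDNS {
        Write-Host "`n[mDNS] Disabling via registry..." -ForegroundColor Cyan
        try {
            Set-RegistryDword -Path $dnscacheParams -Name 'EnableMDNS' -Value 0
        } catch {
            Write-Warning "Failed to set $dnscacheParams\EnableMDNS: $_"
        }
    }

    function Disable-SMB1 {
        Write-Host "`n[SMB1] Disabling SMB 1.0..." -ForegroundColor Cyan
        try {
            # Preferred route: remove the feature (server and client). Capture the DISM
            # result so it does not leak into the pipeline, and surface RestartNeeded.
            $result = Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction Stop
            Write-Host " → Disabled via Windows Optional Features (restart needed: $($result.RestartNeeded))"
        } catch {
            # Builds that do not expose the SMB1Protocol feature: fall back to the
            # documented LanmanServer value, which disables the SMB1 *server* only.
            Write-Warning "SMB1 disable via feature failed ($_). Falling back to registry."
            try {
                Set-RegistryDword -Path $lanmanServer -Name 'SMB1' -Value 0
            } catch {
                Write-Warning "Failed to set $lanmanServer\SMB1: $_"
            }
        }

        # Client side: drop the driver from the Workstation dependencies first, then
        # disable it, so LanmanWorkstation never depends on a disabled service.
        if (Test-Path $mrxsmb10) {
            try {
                Remove-Smb1WorkstationDependency
                Set-ItemProperty -Path $mrxsmb10 -Name Start -Value 4 -ErrorAction Stop
                Write-Host " → Set $mrxsmb10\Start = 4 (Disabled)"
            } catch {
                Write-Warning "Failed to disable the SMB1 client driver: $_"
            }
        }
    }

    function Disable-SMB2And3 {
        Write-Host "`n[SMB2/3] Checking for custom SMB shares..." -ForegroundColor Cyan

        try {
            # Default shares are ADMIN$, IPC$ and the per-drive <letter>$ shares. Anything
            # else (file shares, print$, SYSVOL/NETLOGON on a DC) means the SMB server is
            # in use and turning it off would break things. Regex is anchored at both ends
            # so a share such as C$backup is not mistaken for a drive share.
            $customShares = @(Get-SmbShare -ErrorAction Stop | Where-Object {
                $_.Name -notin @('ADMIN$', 'IPC$') -and $_.Name -notmatch '^[A-Z]\$$'
            })
        } catch {
            Write-Warning "Failed to query SMB shares: $_"
            return
        }

        if ($customShares.Count -gt 0) {
            Write-Warning "Custom SMB shares detected. SMB 2/3 will NOT be disabled."
            foreach ($share in $customShares) {
                Write-Host " → $($share.Name) [$($share.Path)]"
            }
            return
        }

        Write-Host "No custom SMB shares found. Disabling SMB 2.0 and 3.0..." -ForegroundColor Cyan
        try {
            Set-RegistryDword -Path $lanmanServer -Name 'SMB2' -Value 0
        } catch {
            Write-Warning "Failed to set $lanmanServer\SMB2: $_"
        }
    }

    if ($Reset) {
        if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Revert network hardening settings')) {
            Reset-NetworkHardening
        }
        return
    }

    if ($All) {
        # Turn on every Disable* switch the caller did not bind explicitly, so
        # -All -DisableIPv6:$false still leaves IPv6 alone.
        foreach ($switchName in 'DisableIPv6', 'DisableLLMNR', 'DisableNBNS', 'DisableMDNS', 'DisableSMB1', 'DisableSMB2') {
            if (-not $PSBoundParameters.ContainsKey($switchName)) {
                Set-Variable -Name $switchName -Value $true
            }
        }
    }

    if (-not ($DisableIPv6 -or $DisableLLMNR -or $DisableNBNS -or $DisableMDNS -or $DisableSMB1 -or $DisableSMB2)) {
        Write-Warning 'No hardening option selected. Use -All or one or more -Disable* switches.'
        return
    }

    if ($DisableIPv6 -and $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable IPv6'))         { Disable-IPv6 }
    if ($DisableLLMNR -and $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable LLMNR'))       { Disable-LLMNR }
    if ($DisableNBNS -and $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable NetBIOS over TCP/IP')) { Disable-NBNS }
    if ($DisableMDNS -and $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable mDNS'))         { Disable-mDNS }
    if ($DisableSMB1 -and $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMB 1.0'))      { Disable-SMB1 }
    if ($DisableSMB2 -and $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMB 2.0/3.0'))  { Disable-SMB2And3 }

    Write-Host "`n✅ Network hardening complete. Reboot may be required for changes to apply." -ForegroundColor Green
}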