Add test.ps1

2025-06-18 20:39:04 -04:00
parent d76a5d3929
commit 05cee909e9
1 changed files with 129 additions and 0 deletions
--- a/test.ps1
+++ b/test.ps1
@@ -0,0 +1,129 @@
+function Set-NetworkHardening {
+    <#
+    .SYNOPSIS
+    Disables legacy or insecure network protocols and services.
+
+    .DESCRIPTION
+    Applies registry and system settings to harden network configuration:
+    - IPv6
+    - LLMNR
+    - NBNS
+    - mDNS
+    - SMB 1.0
+    - SMB 2.0 (also disables SMB 3.0)
+
+    .PARAMETER DisableIPv6
+    .PARAMETER DisableLLMNR
+    .PARAMETER DisableNBNS
+    .PARAMETER DisableMDNS
+    .PARAMETER DisableSMB1
+    .PARAMETER DisableSMB2
+
+    .EXAMPLE
+    Set-NetworkHardening -DisableIPv6 -DisableLLMNR -DisableNBNS -DisableMDNS -DisableSMB1 -DisableSMB2
+
+    .NOTES
+    Some settings may require a reboot.
+    #>
+
+    [CmdletBinding()]
+    param (
+        [switch]$DisableIPv6,
+        [switch]$DisableLLMNR,
+        [switch]$DisableNBNS,
+        [switch]$DisableMDNS,
+        [switch]$DisableSMB1,
+        [switch]$DisableSMB2
+    )
+
+    function Disable-IPv6 {
+        $regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters"
+        $name = "DisabledComponents"
+        $value = 0xFF
+
+        Write-Host "`n[IPv6] Disabling via registry..." -ForegroundColor Cyan
+        New-ItemProperty -Path $regPath -Name $name -PropertyType DWORD -Value $value -Force | Out-Null
+        Write-Host " → Set $regPath\$name = $value"
+    }
+
+    function Disable-LLMNR {
+        $regPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient"
+        $name = "EnableMulticast"
+        $value = 0
+
+        Write-Host "`n[LLMNR] Disabling via registry..." -ForegroundColor Cyan
+        if (-not (Test-Path $regPath)) {
+            New-Item -Path $regPath -Force | Out-Null
+        }
+        New-ItemProperty -Path $regPath -Name $name -PropertyType DWORD -Value $value -Force | Out-Null
+        Write-Host " → Set $regPath\$name = $value"
+    }
+
+    function Disable-NBNS {
+        $regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces"
+        Write-Host "`n[NBNS] Disabling NetBIOS over TCP/IP on all adapters..." -ForegroundColor Cyan
+
+        Get-ChildItem -Path $regPath | ForEach-Object {
+            $path = $_.PsPath
+            try {
+                Set-ItemProperty -Path $path -Name NetbiosOptions -Value 2
+                Write-Host " → Set $path\NetbiosOptions = 2"
+            } catch {
+                Write-Warning "Failed to set NetbiosOptions on $path - $_"
+            }
+        }
+    }
+
+    function Disable-mDNS {
+        $regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters"
+        $name = "EnableMDNS"
+        $value = 0
+
+        Write-Host "`n[mDNS] Disabling via registry..." -ForegroundColor Cyan
+        if (-not (Test-Path $regPath)) {
+            New-Item -Path $regPath -Force | Out-Null
+        }
+        New-ItemProperty -Path $regPath -Name $name -PropertyType DWORD -Value $value -Force | Out-Null
+        Write-Host " → Set $regPath\$name = $value"
+    }
+
+    function Disable-SMB1 {
+        Write-Host "`n[SMB1] Disabling SMB 1.0..." -ForegroundColor Cyan
+        try {
+            Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction Stop
+            Write-Host " → Disabled via Windows Optional Features"
+        } catch {
+            Write-Warning "SMB1 disable via feature failed. Falling back to registry."
+            $reg = "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
+            $name = "SMB1"
+            $value = 0
+            New-ItemProperty -Path $reg -Name $name -PropertyType DWORD -Value $value -Force | Out-Null
+            Write-Host " → Set $reg\$name = $value"
+        }
+
+        $clientReg = "HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10"
+        if (Test-Path $clientReg) {
+            Set-ItemProperty -Path $clientReg -Name Start -Value 4
+            Write-Host " → Set $clientReg\Start = 4 (Disabled)"
+        }
+    }
+
+    function Disable-SMB2And3 {
+        Write-Host "`n[SMB2/3] Disabling SMB 2.0 and 3.0..." -ForegroundColor Cyan
+        $reg = "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
+        $name = "SMB2"
+        $value = 0
+        New-ItemProperty -Path $reg -Name $name -PropertyType DWORD -Value $value -Force | Out-Null
+        Write-Host " → Set $reg\$name = $value"
+    }
+
+    # --- Execute requested settings ---
+    if ($DisableIPv6)  { Disable-IPv6 }
+    if ($DisableLLMNR) { Disable-LLMNR }
+    if ($DisableNBNS)  { Disable-NBNS }
+    if ($DisableMDNS)  { Disable-mDNS }
+    if ($DisableSMB1)  { Disable-SMB1 }
+    if ($DisableSMB2)  { Disable-SMB2And3 }
+
+    Write-Host "`n✅ Network hardening complete. Reboot may be required for changes to apply." -ForegroundColor Green
+}