diff --git a/Set-NetworkHardening.ps1 b/Set-NetworkHardening.ps1 deleted file mode 100644 index 0d0a2e3..0000000 --- a/Set-NetworkHardening.ps1 +++ /dev/null @@ -1,226 +0,0 @@ -function Set-NetworkHardening { - <# - .SYNOPSIS - Hardens the network stack by disabling legacy and insecure protocols and services. - - .DESCRIPTION - This cmdlet applies a set of hardening actions via registry and Windows feature settings. - It allows selectively disabling: - - - IPv6 - - LLMNR (Link-Local Multicast Name Resolution) - - NBNS (NetBIOS over TCP/IP) - - mDNS (Multicast DNS) - - SMB 1.0 - - SMB 2.0 (also disables SMB 3.0) - - You can use individual parameters or apply all changes using `-All`. Use `-Reset` to undo all changes. - - .PARAMETER DisableIPv6 - Disables IPv6 networking support by modifying the Tcpip6 registry key. - - .PARAMETER DisableLLMNR - Disables LLMNR name resolution via DNSClient group policy registry. - - .PARAMETER DisableNBNS - Disables NetBIOS over TCP/IP on all network adapters. - - .PARAMETER DisableMDNS - Disables mDNS multicast resolution support via dnscache registry key. - - .PARAMETER DisableSMB1 - Disables SMB 1.0 via Windows Features or registry fallback. - - .PARAMETER DisableSMB2 - Disables SMB 2.0 and SMB 3.0 by setting SMB2 = 0 in the LanmanServer registry key (only if no custom shares exist). - - .PARAMETER All - Enables all above parameters unless explicitly overridden. - - .PARAMETER Reset - Reverts all applied changes to their default state. - - .EXAMPLE - Set-NetworkHardening -All - - .EXAMPLE - Set-NetworkHardening -DisableLLMNR -DisableSMB1 - - .EXAMPLE - Set-NetworkHardening -Reset - - .NOTES - Author: SVSMSP Toolkit - Some changes may require a reboot to take full effect. - #> - - [CmdletBinding()] - param ( - [switch]$DisableIPv6, - [switch]$DisableLLMNR, - [switch]$DisableNBNS, - [switch]$DisableMDNS, - [switch]$DisableSMB1, - [switch]$DisableSMB2, - [switch]$All, - [switch]$Reset - ) - - function Reset-NetworkHardening { - Write-Host "`n[RESET] Reverting all settings to default..." -ForegroundColor Yellow - - $keysToRemove = @( - @{ Path = "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters"; Name = "DisabledComponents" }, - @{ Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient"; Name = "EnableMulticast" }, - @{ Path = "HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters"; Name = "EnableMDNS" }, - @{ Path = "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"; Name = "SMB2" } - ) - - foreach ($key in $keysToRemove) { - if (Test-Path $key.Path) { - Remove-ItemProperty -Path $key.Path -Name $key.Name -ErrorAction SilentlyContinue - Write-Host " → Removed $($key.Path)\$($key.Name)" - } - } - - $nbnsPath = "HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces" - Get-ChildItem -Path $nbnsPath | ForEach-Object { - try { - Set-ItemProperty -Path $_.PsPath -Name NetbiosOptions -Value 0 - Write-Host " → Set $($_.PsPath)\NetbiosOptions = 0" - } catch { - Write-Warning "Failed to reset NetbiosOptions for $($_.PsPath)" - } - } - - $smb1reg = "HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10" - if (Test-Path $smb1reg) { - Set-ItemProperty -Path $smb1reg -Name Start -Value 3 - Write-Host " → Set $smb1reg\Start = 3" - } - - Write-Host "`n✅ Reset complete. Reboot may be required." -ForegroundColor Green - } - - if ($Reset) { - Reset-NetworkHardening - return - } - - if ($All) { - if (-not ($DisableIPv6.IsPresent)) { $DisableIPv6 = $true } - if (-not ($DisableLLMNR.IsPresent)) { $DisableLLMNR = $true } - if (-not ($DisableNBNS.IsPresent)) { $DisableNBNS = $true } - if (-not ($DisableMDNS.IsPresent)) { $DisableMDNS = $true } - if (-not ($DisableSMB1.IsPresent)) { $DisableSMB1 = $true } - if (-not ($DisableSMB2.IsPresent)) { $DisableSMB2 = $true } - } - - function Disable-IPv6 { - $regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" - $name = "DisabledComponents" - $value = 0xFF - - Write-Host "`n[IPv6] Disabling via registry..." -ForegroundColor Cyan - New-ItemProperty -Path $regPath -Name $name -PropertyType DWORD -Value $value -Force | Out-Null - Write-Host " → Set $regPath\$name = $value" - } - - function Disable-LLMNR { - $regPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" - $name = "EnableMulticast" - $value = 0 - - Write-Host "`n[LLMNR] Disabling via registry..." -ForegroundColor Cyan - if (-not (Test-Path $regPath)) { - New-Item -Path $regPath -Force | Out-Null - } - New-ItemProperty -Path $regPath -Name $name -PropertyType DWORD -Value $value -Force | Out-Null - Write-Host " → Set $regPath\$name = $value" - } - - function Disable-NBNS { - $regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces" - Write-Host "`n[NBNS] Disabling NetBIOS over TCP/IP on all adapters..." -ForegroundColor Cyan - - Get-ChildItem -Path $regPath | ForEach-Object { - try { - Set-ItemProperty -Path $_.PsPath -Name NetbiosOptions -Value 2 - Write-Host " → Set $($_.PsPath)\NetbiosOptions = 2" - } catch { - Write-Warning "Failed to set NetbiosOptions for $($_.PsPath)" - } - } - } - - function Disable-mDNS { - $regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters" - $name = "EnableMDNS" - $value = 0 - - Write-Host "`n[mDNS] Disabling via registry..." -ForegroundColor Cyan - if (-not (Test-Path $regPath)) { - New-Item -Path $regPath -Force | Out-Null - } - New-ItemProperty -Path $regPath -Name $name -PropertyType DWORD -Value $value -Force | Out-Null - Write-Host " → Set $regPath\$name = $value" - } - - function Disable-SMB1 { - Write-Host "`n[SMB1] Disabling SMB 1.0..." -ForegroundColor Cyan - try { - Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction Stop - Write-Host " → Disabled via Windows Optional Features" - } catch { - Write-Warning "SMB1 disable via feature failed. Falling back to registry." - $reg = "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" - $name = "SMB1" - $value = 0 - New-ItemProperty -Path $reg -Name $name -PropertyType DWORD -Value $value -Force | Out-Null - Write-Host " → Set $reg\$name = $value" - } - - $clientReg = "HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10" - if (Test-Path $clientReg) { - Set-ItemProperty -Path $clientReg -Name Start -Value 4 - Write-Host " → Set $clientReg\Start = 4 (Disabled)" - } - } - - function Disable-SMB2And3 { - Write-Host "`n[SMB2/3] Checking for custom SMB shares..." -ForegroundColor Cyan - - try { - $shares = Get-SmbShare | Where-Object { - $_.Name -notin @('ADMIN$', 'IPC$') -and -not ($_.Name -match '^[A-Z]\$') - } - - if ($shares.Count -gt 0) { - Write-Warning "Custom SMB shares detected. SMB 2/3 will NOT be disabled." - $shares | ForEach-Object { - Write-Host " → $($_.Name) [$($_.Path)]" - } - return - } - } catch { - Write-Warning "Failed to query SMB shares: $_" - return - } - - Write-Host "No custom SMB shares found. Disabling SMB 2.0 and 3.0..." -ForegroundColor Cyan - $reg = "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" - $name = "SMB2" - $value = 0 - New-ItemProperty -Path $reg -Name $name -PropertyType DWORD -Value $value -Force | Out-Null - Write-Host " → Set $reg\$name = $value" - } - - if ($DisableIPv6) { Disable-IPv6 } - if ($DisableLLMNR) { Disable-LLMNR } - if ($DisableNBNS) { Disable-NBNS } - if ($DisableMDNS) { Disable-mDNS } - if ($DisableSMB1) { Disable-SMB1 } - if ($DisableSMB2) { Disable-SMB2And3 } - - Write-Host "`n✅ Network hardening complete. Reboot may be required for changes to apply." -ForegroundColor Green -}