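function Set-NetworkHardening {
    <#
    .SYNOPSIS
        Disables legacy or insecure network protocols and services.

    .DESCRIPTION
        Applies registry and system settings to harden network configuration.
        Each switch is independent; nothing is changed unless its switch is passed:
          - IPv6
          - LLMNR
          - NBNS
          - mDNS
          - SMB 1.0
          - SMB 2.0 (also disables SMB 3.0)

        Every change is written under HKLM or made through the optional-feature
        API, so the function must run in an elevated session. When it is not
        elevated it reports an error and changes nothing, rather than printing
        success messages for writes that were refused.

    .PARAMETER DisableIPv6
        Sets Tcpip6\Parameters\DisabledComponents to 0xFF.

    .PARAMETER DisableLLMNR
        Sets the DNSClient policy value EnableMulticast to 0.

    .PARAMETER DisableNBNS
        Sets NetbiosOptions to 2 on every interface key that exists under
        NetBT\Parameters\Interfaces at the time of the call.

    .PARAMETER DisableMDNS
        Sets Dnscache\Parameters\EnableMDNS to 0.

    .PARAMETER DisableSMB1
        Removes the SMB1Protocol optional feature (registry fallback: LanmanServer
        SMB1 = 0) and disables the mrxsmb10 client driver when it is present.

    .PARAMETER DisableSMB2
        Sets LanmanServer\Parameters\SMB2 to 0. This is the SMB *server* setting
        only and turns off SMB 3.x as well. Used without -DisableSMB1 on a host
        where SMB 1.0 is still enabled, it leaves SMB 1.0 as the only dialect the
        server can negotiate, which weakens the host instead of hardening it.

    .EXAMPLE
        Set-NetworkHardening -DisableIPv6 -DisableLLMNR -DisableNBNS -DisableMDNS -DisableSMB1 -DisableSMB2

    .NOTES
        Some settings may require a reboot.
    #>
    [CmdletBinding()]
    param (
        [switch]$DisableIPv6,
        [switch]$DisableLLMNR,
        [switch]$DisableNBNS,
        [switch]$DisableMDNS,
        [switch]$DisableSMB1,
        [switch]$DisableSMB2
    )

    function Disable-IPv6 {
        # 0xFF disables the IPv6 components on all non-loopback interfaces.
        # NOTE(review): Microsoft's guidance is generally to prefer IPv4 over IPv6
        # rather than disable IPv6 outright; confirm this matches the site baseline.
        $regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters"
        $name = "DisabledComponents"
        $value = 0xFF
        Write-Host "`n[IPv6] Disabling via registry..." -ForegroundColor Cyan
        New-ItemProperty -Path $regPath -Name $name -PropertyType DWORD -Value $value -Force | Out-Null
        Write-Host " → Set $regPath\$name = $value"
    }

    function Disable-LLMNR {
        # Policy key: it may not exist on a machine with no DNS client policy yet.
        $regPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient"
        $name = "EnableMulticast"
        $value = 0
        Write-Host "`n[LLMNR] Disabling via registry..." -ForegroundColor Cyan
        if (-not (Test-Path $regPath)) {
            New-Item -Path $regPath -Force | Out-Null
        }
        New-ItemProperty -Path $regPath -Name $name -PropertyType DWORD -Value $value -Force | Out-Null
        Write-Host " → Set $regPath\$name = $value"
    }

    function Disable-NBNS {
        # Only the interface keys present right now are touched; an adapter added
        # later gets its own key with the default setting and needs a re-run.
        $regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces"
        Write-Host "`n[NBNS] Disabling NetBIOS over TCP/IP on all adapters..." -ForegroundColor Cyan
        Get-ChildItem -Path $regPath | ForEach-Object {
            $path = $_.PsPath
            try {
                # -ErrorAction Stop: registry write failures are non-terminating by
                # default, so without it the catch never runs and the success line
                # is printed for an interface that was not changed.
                Set-ItemProperty -Path $path -Name NetbiosOptions -Value 2 -ErrorAction Stop
                Write-Host " → Set $path\NetbiosOptions = 2"
            } catch {
                Write-Warning "Failed to set NetbiosOptions on $path - $_"
            }
        }
    }

    function Disable-mDNS {
        # Covers the Windows DNS Client service only; software that ships its own
        # mDNS responder is not affected by this value.
        $regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters"
        $name = "EnableMDNS"
        $value = 0
        Write-Host "`n[mDNS] Disabling via registry..." -ForegroundColor Cyan
        if (-not (Test-Path $regPath)) {
            New-Item -Path $regPath -Force | Out-Null
        }
        New-ItemProperty -Path $regPath -Name $name -PropertyType DWORD -Value $value -Force | Out-Null
        Write-Host " → Set $regPath\$name = $value"
    }

    function Disable-SMB1 {
        Write-Host "`n[SMB1] Disabling SMB 1.0..." -ForegroundColor Cyan
        try {
            Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction Stop
            Write-Host " → Disabled via Windows Optional Features"
        } catch {
            # Older builds have no SMB1Protocol feature; the server-side registry
            # switch is the fallback there.
            Write-Warning "SMB1 disable via feature failed. Falling back to registry."
            $reg = "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
            $name = "SMB1"
            $value = 0
            New-ItemProperty -Path $reg -Name $name -PropertyType DWORD -Value $value -Force | Out-Null
            Write-Host " → Set $reg\$name = $value"
        }

        $clientReg = "HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10"
        if (Test-Path $clientReg) {
            # On systems where the Workstation service lists MRxSmb10 as a
            # dependency, disabling the driver alone stops Workstation from
            # starting after reboot. Drop that one entry first and keep the rest.
            $wkstaReg = "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation"
            $wksta = Get-ItemProperty -Path $wkstaReg -Name DependOnService -ErrorAction SilentlyContinue
            $deps = @()
            if ($wksta) {
                $deps = @($wksta.DependOnService | Where-Object { $_ })
            }
            $kept = @($deps | Where-Object { $_ -ne 'MRxSmb10' })
            if ($kept.Count -gt 0 -and $kept.Count -lt $deps.Count) {
                Set-ItemProperty -Path $wkstaReg -Name DependOnService -Value ([string[]]$kept) -Type MultiString
                Write-Host " → Removed MRxSmb10 from $wkstaReg\DependOnService"
            }

            Set-ItemProperty -Path $clientReg -Name Start -Value 4
            Write-Host " → Set $clientReg\Start = 4 (Disabled)"
        }
    }

    function Disable-SMB2And3 {
        # Server side only (LanmanServer); the SMB client is not changed here.
        # SMB2 and SMB3 share this switch, so SMB signing/encryption features
        # that depend on 3.x go with it. Microsoft documents this setting as a
        # temporary troubleshooting measure rather than a hardening step.
        Write-Host "`n[SMB2/3] Disabling SMB 2.0 and 3.0..." -ForegroundColor Cyan
        $reg = "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
        $name = "SMB2"
        $value = 0
        New-ItemProperty -Path $reg -Name $name -PropertyType DWORD -Value $value -Force | Out-Null
        Write-Host " → Set $reg\$name = $value"
    }

    # --- Pre-flight checks ---
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        Write-Error "Set-NetworkHardening must be run from an elevated session; no settings were changed."
        return
    }

    if ($DisableSMB2 -and -not $DisableSMB1) {
        Write-Warning "-DisableSMB2 was given without -DisableSMB1. Unless SMB 1.0 is already disabled on this host, the SMB server will be left able to negotiate SMB 1.0 only."
    }

    # --- Execute requested settings ---
    if ($DisableIPv6) { Disable-IPv6 }
    if ($DisableLLMNR) { Disable-LLMNR }
    if ($DisableNBNS) { Disable-NBNS }
    if ($DisableMDNS) { Disable-mDNS }
    if ($DisableSMB1) { Disable-SMB1 }
    if ($DisableSMB2) { Disable-SMB2And3 }

    Write-Host "`n✅ Network hardening complete. Reboot may be required for changes to apply." -ForegroundColor Green
}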