QA Script

This topic contains 2 replies, has 3 voices, and was last updated by Bob McCoy 1 year, 3 months ago.

  • #30191
    Graham Beer
    Participant

    Hi,

    I've written this script as part of a company security effort to harden the corporate image. I would value your input on areas of improvement and techniques I should use, or if it's perfect!! 🙂

    ##Stage 1
    #Set rarely needed services to Manual start (matched by display name)
    $ServiceNames = @(
        "Distributed Link Tracking Client",
        "Family Safety",
        "Function Discovery Provider Host",
        "Function Discovery Resource Publication",
        "HomeGroup Listener",
        "HomeGroup Provider",
        "Internet Connection Sharing (ICS)",
        "IP Helper",
        "KtmRm for Distributed Transaction Coordinator",
        "Microsoft iSCSI Initiator Service",
        "Microsoft Keyboard Filter",
        "Net.Tcp Port Sharing Service",
        "Offline Files",
        "Peer Name Resolution Protocol",
        "Peer Networking Grouping",
        "Peer Networking Identity Manager",
        "PNRP Machine Name Publication Service",
        "Quality Windows Audio Video Experience",
        "Remote Access Auto Connection Manager",
        "Remote Access Connection Manager",
        "Remote Registry",
        "Routing and Remote Access",
        "Sensor Monitoring Service",
        "Smart Card",
        "SSDP Discovery",
        "Telephony",
        "UPnP Device Host",
        "WebClient",
        "Windows Connect Now - Config Registrar",
        "Windows Media Player Network Sharing Service",
        "WinHTTP Web Proxy Auto-Discovery Service"
    )
    #Set-Service has no -StartMode parameter; the startup type is set with -StartupType
    try {
        $Services = Get-Service -ComputerName $ENV:COMPUTERNAME |
            Where-Object { $_.DisplayName -in $ServiceNames } |
            Set-Service -StartupType Manual -PassThru

        $Services | ForEach-Object {
            Write-Host -ForegroundColor Green "$ENV:COMPUTERNAME : Set startup type of service $($_.Name) to Manual."
        }
    }
    catch {
        Write-Warning $_
    }

    ##Stage 2
    #Disable the "QoS Packet Scheduler" binding on the Ethernet adapter(s)
    try {
        $LANConnection = Get-NetAdapterBinding -Name "Ethernet*" -DisplayName "QoS Packet Scheduler" -ErrorAction SilentlyContinue
        if ($LANConnection) {
            #More than one adapter can match "Ethernet*", so handle each binding
            foreach ($Binding in $LANConnection) {
                if ($Binding.Enabled) {
                    Disable-NetAdapterBinding -Name $Binding.Name -DisplayName $Binding.DisplayName
                    Write-Warning "$($Binding.DisplayName) was set to disabled on Network Adapter $($Binding.Name)"
                }
                else {
                    Write-Warning "$($Binding.DisplayName) is already disabled on Network Adapter $($Binding.Name)"
                }
            }
        }
        else {
            Write-Warning "Cannot find Ethernet Adapter"
        }
    }
    catch {
        Write-Warning -Message $_.Exception.Message
    }

    ##Stage 3
    #Create reg values "DisabledComponents" (IPv6) and "UPnPMode" (DirectPlay NAT helper)
    try {
        $DCPath = "HKLM:\SYSTEM\CurrentControlSet\Services\tcpip6\Parameters"
        $Name = "DisabledComponents"
        $Value = 255
        New-ItemProperty -Path $DCPath -Name $Name -Value $Value -PropertyType DWORD -Force | Out-Null

        $UPnPPath = "HKLM:\SOFTWARE\Microsoft\DirectplayNATHelp\DPNHUPnP"
        $Name2 = "UPnPMode"
        $Value2 = 2
        #New-ItemProperty fails when the key itself does not exist, so create it first
        if (-not (Test-Path -Path $UPnPPath)) {
            New-Item -Path $UPnPPath -Force | Out-Null
        }
        New-ItemProperty -Path $UPnPPath -Name $Name2 -Value $Value2 -PropertyType DWORD -Force | Out-Null
    }
    catch {
        Write-Warning -Message $_.Exception.Message
    }

    ##Stage 4
    #Disable hidden devices with devcon.exe (expected in the script's folder)
    $HiddenDevices = @(
        'Remote Desktop Device Redirector Bus',
        'Microsoft Kernel Debug Network Adapter'
    )
    foreach ($DeviceName in $HiddenDevices) {
        try {
            $DeviceID = (Get-CimInstance Win32_PnPEntity |
                Where-Object Caption -match $DeviceName |
                Select-Object -First 1).PNPDeviceID
            if (-not $DeviceID) {
                Write-Warning "Device '$DeviceName' was not found"
                continue
            }
            #devcon addresses a single device instance by its instance ID prefixed with '@'
            $ppid = "{0}{1}" -f '@', $DeviceID
            $outputstring = (.\devcon.exe status $ppid) | Out-String

            if ($outputstring -match "disabled") {
                Write-Warning "Device '$DeviceName' is already Disabled"
            }
            else {
                $Disable = (.\devcon.exe disable $ppid) | Out-String
                #devcon reports "1 device(s) disabled." on success; check before claiming success
                if ($Disable -match "Disabled") {
                    Write-Warning "Device '$DeviceName' has been disabled via current script"
                }
                else {
                    Write-Warning "Failed to disable device '$DeviceName': $Disable"
                }
            }
        }
        catch {
            Write-Warning -Message $_.Exception.Message
        }
    }

    ##Stage 5
    #Set IGMPLevel to 'None'
    if ((Get-NetIPv4Protocol).IGMPLevel -eq 'None') {
        Write-Host -ForegroundColor Cyan "No action required as IGMPLevel is already set to 'None'"
    }
    else {
        Set-NetIPv4Protocol -IGMPLevel None -PassThru -OutVariable result | Out-Null
        if ($result.IGMPLevel -eq 'None') {
            Write-Host -ForegroundColor Yellow "PROCESSED: IGMPLevel has been set to 'None'"
        }
        else {
            Write-Warning "FAILED: To change IGMPLevel"
        }
    }

    ##Stage 6
    #Disable dump file creation (DebugInfoType 0 = none)
    try {
        $x = Get-CimInstance Win32_OSRecoveryConfiguration -Property DebugInfoType
        if ($x.DebugInfoType -eq 0) {
            Write-Verbose "No Action Required"
        }
        else {
            $x.DebugInfoType = 0
            Write-Warning "Will set the debugging information to $($x.DebugInfoType)"
            Set-CimInstance -CimInstance $x -PassThru -OutVariable NewValue | Out-Null
            #Verify only when a change was attempted; otherwise $NewValue is empty and the
            #check would report a false failure
            if ($NewValue.DebugInfoType -eq 0) {
                Write-Verbose "New value correctly set to $($NewValue.DebugInfoType)"
            }
            else {
                Write-Warning "Value has not been set !! Please check"
            }
        }
    }
    catch {
        Write-Warning -Message $_.Exception.Message
    }
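As an added companion to the hardening script above (this is not code from the original post), here is a read-only audit script that reads back each setting the script touches and reports drift as objects, so the image can be checked after deployment or on a schedule without re-running the changes. It assumes Windows PowerShell 5.1 on the target workstation; the service list is a constructed subset of the post's list and should be extended to match the full one.

```powershell
# Added audit script (not from the original post): reads back the settings the
# hardening script sets and reports drift as objects, without changing anything.
# Assumes Windows PowerShell 5.1; the service list is a constructed subset.
[CmdletBinding()]
param(
    # Services the hardening script sets to Manual (display names, as in the post)
    [string[]]$ServiceDisplayNames = @(
        'Remote Registry', 'Routing and Remote Access', 'SSDP Discovery',
        'UPnP Device Host', 'WebClient', 'Telephony'
    )
)

# Helper: one result row per check, so the output can be filtered or exported
function New-CheckResult {
    param([string]$Check, $Expected, $Actual)
    [pscustomobject]@{
        Check     = $Check
        Expected  = $Expected
        Actual    = $Actual
        Compliant = ("$Actual" -eq "$Expected")
    }
}

function Test-Hardening {
    param([string[]]$Services)
    $results = @()

    # Stage 1: service start types (Win32_Service exposes StartMode on every
    # Windows PowerShell version; Get-Service's StartType only exists from 5.0)
    foreach ($svc in Get-CimInstance Win32_Service | Where-Object { $_.DisplayName -in $Services }) {
        $results += New-CheckResult -Check "Service: $($svc.DisplayName)" -Expected 'Manual' -Actual $svc.StartMode
    }

    # Stage 2: QoS Packet Scheduler binding on Ethernet adapters (expected disabled)
    foreach ($b in Get-NetAdapterBinding -Name 'Ethernet*' -DisplayName 'QoS Packet Scheduler' -ErrorAction SilentlyContinue) {
        $results += New-CheckResult -Check "QoS binding: $($b.Name)" -Expected $false -Actual $b.Enabled
    }

    # Stage 3: registry values; a missing value reads back as $null and is non-compliant
    $reg = @(
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\tcpip6\Parameters'; Name = 'DisabledComponents'; Expected = 255 }
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\DirectplayNATHelp\DPNHUPnP';       Name = 'UPnPMode';           Expected = 2 }
    )
    foreach ($r in $reg) {
        $actual = (Get-ItemProperty -Path $r.Path -Name $r.Name -ErrorAction SilentlyContinue).($r.Name)
        $results += New-CheckResult -Check "Registry: $($r.Path)\$($r.Name)" -Expected $r.Expected -Actual $actual
    }

    # Stage 5: IGMP level
    $results += New-CheckResult -Check 'IGMPLevel' -Expected 'None' -Actual (Get-NetIPv4Protocol).IGMPLevel

    # Stage 6: crash dump type (0 = no dump file)
    $dump = Get-CimInstance Win32_OSRecoveryConfiguration
    $results += New-CheckResult -Check 'DebugInfoType' -Expected 0 -Actual $dump.DebugInfoType

    $results
}

$report = Test-Hardening -Services $ServiceDisplayNames
$report | Format-Table -AutoSize
# A non-zero exit code lets a deployment tool or scheduled task flag drift
if ($report | Where-Object { -not $_.Compliant }) { exit 1 } else { exit 0 }
```

Each row compares the string form of the expected and actual values, so a missing registry value, an enum such as IGMPLevel and a boolean binding state all reduce to a single Compliant flag; pipe `$report` to Export-Csv to keep a baseline per image build.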
    
  • #30205
    Graham Beer
    Participant

    Any tips, guys? Thank you.

  • #30207
    Bob McCoy
    Participant

    I think the first rule I would apply is a general one and not solely PowerShell-related: Abstract the data from the process. Since this is a security-related requirement you are trying to meet, I don't know the greater process and control issues you are facing or how you ultimately intend to run this on systems.

    If it must be atomic for deployment, then OK. Otherwise, I would take the list of services out of the script and make it a separate file that the script reads. That way, if the list needs to be altered in the future (and it will), you're not fiddlin' around with a working (preferably under configuration management) script.
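One way to apply the suggestion above, as an added example that is not part of either post: the Stage 1 service hardening with the list moved out of the script into a CSV file (one row per service with the desired startup type), validated before any change is made, and wrapped in -WhatIf/-Confirm support so a new list can be rehearsed before it is deployed. The CSV layout, the file name services.csv and the embedded fallback rows are all constructed for this example; it assumes Windows PowerShell 5.1 (for Get-Service's StartType property) and local administrator rights.

```powershell
# Added example (not code from the original posts): Stage 1 service hardening
# driven by a CSV policy file kept under configuration management, with
# -WhatIf/-Confirm support. Assumes Windows PowerShell 5.1 and admin rights.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # CSV with columns DisplayName,StartupType (constructed layout for this example)
    [string]$ConfigPath = '.\services.csv'
)

# Constructed sample in the same format as the file; used only when no file
# exists, so the script can be tried with -WhatIf before a real list is written
$sampleCsv = @'
DisplayName,StartupType
Remote Registry,Disabled
SSDP Discovery,Manual
UPnP Device Host,Manual
WebClient,Manual
'@

function Get-ServicePolicy {
    param([string]$Path, [string]$Fallback)
    if (Test-Path -Path $Path) {
        $rows = Import-Csv -Path $Path
    }
    else {
        Write-Warning "No policy file at '$Path'; using the embedded sample list"
        $rows = $Fallback | ConvertFrom-Csv
    }
    # Validate every row up front so a typo in the file fails before any change is made
    $valid = 'Automatic', 'Manual', 'Disabled'
    foreach ($row in $rows) {
        if (-not $row.DisplayName -or $row.StartupType -notin $valid) {
            throw "Invalid policy row: DisplayName='$($row.DisplayName)' StartupType='$($row.StartupType)'"
        }
    }
    $rows
}

function Set-ServicePolicy {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)] [object[]]$Policy)

    foreach ($entry in $Policy) {
        $svc = Get-Service -DisplayName $entry.DisplayName -ErrorAction SilentlyContinue
        if (-not $svc) {
            # Absent on this image (feature not installed): report rather than fail
            [pscustomobject]@{ DisplayName = $entry.DisplayName; Result = 'NotInstalled' }
            continue
        }
        if ("$($svc.StartType)" -eq $entry.StartupType) {
            # Idempotent: nothing to do, and nothing to confirm
            [pscustomobject]@{ DisplayName = $entry.DisplayName; Result = 'AlreadyCompliant' }
            continue
        }
        if ($PSCmdlet.ShouldProcess($svc.Name, "Set startup type to $($entry.StartupType)")) {
            Set-Service -Name $svc.Name -StartupType $entry.StartupType
            [pscustomobject]@{ DisplayName = $entry.DisplayName; Result = "Changed: $($svc.StartType) -> $($entry.StartupType)" }
        }
    }
}

$policy = Get-ServicePolicy -Path $ConfigPath -Fallback $sampleCsv
Set-ServicePolicy -Policy $policy | Format-Table -AutoSize
```

Run it as `.\Set-ServicePolicy.ps1 -ConfigPath .\services.csv -WhatIf` to see which services would change without touching them; because the script and the inner function both declare SupportsShouldProcess, the -WhatIf switch flows through to the Set-Service call. Keeping the CSV in the same repository as the script gives the list its own review history, which is the "abstract the data from the process" point above.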
