
September 28, 2015 at 9:40 am

Hi,

I've written this script as part of company security work to harden the corporate image. I would value your input on areas of improvement and techniques I should use, or if it's perfect!! 🙂

##Stage 1
#Disable services (start mode is set to Manual, so a service still starts if something requests it;
#use -StartupType Disabled to lock it). Matching on DisplayName only works on English installs;
#the service Name is locale-independent and a safer key for a corporate image.
try {
$Services  = (
    Get-Service -ComputerName $ENV:COMPUTERNAME |
    Where { $_.Displayname -in @(

"Distributed Link Tracking Client",
"Family Safety",	
"Function Discovery Provider Host",
"Function Discovery Resource Publication",
"HomeGroup Listener",
"HomeGroup Provider",
"Internet Connection Sharing (ICS)",
"IP Helper",
"KtmRm for Distributed Transaction Coordinator",
"Microsoft iSCSI Initiator Service",
"Microsoft Keyboard Filter",
"Net.Tcp Port Sharing Service",
"Offline Files",
"Peer Name Resolution Protocol",
"Peer Networking Grouping",
"Peer Networking Identity Manager",
"PNRP Machine Name Publication Service",
"Quality Windows Audio Video Experience",
"Remote Access Auto Connection Manager",
"Remote Access Connection Manager",
"Remote Registry",
"Routing and Remote Access",
"Sensor Monitoring Service",
"Smart Card",
"SSDP Discovery",
"Telephony",
"UPnP Device Host",
"WebClient",
"Windows Connect Now - Config Registrar",
"Windows Media Player Network Sharing Service",
"WinHTTP Web Proxy Auto-Discovery Service" 
    ) } |

    # Set-Service's parameter is -StartupType (-StartMode is the WMI property name, which this cmdlet does not accept).
    # -ErrorAction Stop turns a failed change into a terminating error so the catch block below sees it.
    Set-Service -StartupType Manual -PassThru -ErrorAction Stop )

$Services |
ForEach-Object { Write-Host -ForegroundColor Green "$ENV:COMPUTERNAME : Set the start mode of service $($_.Name) to Manual." }
}
catch {
Write-Warning $_ }

##Stage 2
#Disable "QoS Packet Scheduler" on the Ethernet adapter(s)
#ms_pacer is the locale-independent ComponentID of the scheduler; DisplayName is localised.
 try {
  $LANConnection = Get-NetAdapterBinding -Name "Ethernet*" -ComponentID ms_pacer -ErrorAction SilentlyContinue
  if ($LANConnection) {
    # Pipe the binding objects through so every matching adapter is handled, not only the first.
    $LANConnection | Disable-NetAdapterBinding -ErrorAction Stop
    foreach ($b in $LANConnection) {
      Write-Host -ForegroundColor Green "$($b.DisplayName) was set to disabled on network adapter $($b.Name)" }
  }
  Else
  { Write-Warning "Cannot find Ethernet adapter" }
 }
 catch {
 Write-Warning -Message $_.Exception.Message }

 ##Stage 3
 #Create reg values "DisabledComponents" (IPv6) and "UPnPMode" (DirectPlay NAT Helper)
Try {
# 0xFF disables every IPv6 component except the loopback interface. Microsoft's guidance (KB929852)
# prefers 0x20 (prefer IPv4 over IPv6) and notes 0xFF adds a delay at boot, so confirm 0xFF is
# really what the image needs. A reboot is required either way.
$DCPath = "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters"
$Name = "DisabledComponents"
$Value = 0xFF
New-ItemProperty -Path $DCPath -Name $Name -Value $Value -PropertyType DWORD -Force -ErrorAction Stop | Out-Null

# This key does not exist by default, and New-ItemProperty -Force does not create missing
# parent keys, so create it first or the call fails. UPnPMode 2 disables DirectPlay UPnP NAT traversal.
$UPPatch = "HKLM:\SOFTWARE\Microsoft\DirectplayNATHelp\DPNHUPnP"
$Name2 = "UPnPMode"
$Value2 = 2
if (-not (Test-Path $UPPatch)) { New-Item -Path $UPPatch -Force -ErrorAction Stop | Out-Null }
New-ItemProperty -Path $UPPatch -Name $Name2 -Value $Value2 -PropertyType DWORD -Force -ErrorAction Stop | Out-Null
 }
catch {
 Write-Warning -Message $_.Exception.Message }

 ##Stage 4
 #Disable hidden devices with devcon.exe (from the Windows Driver Kit; expected next to the script).
 #On Windows 10 / Server 2016 the built-in PnpDevice module (Get-PnpDevice / Disable-PnpDevice -InstanceId)
 #does the same job without devcon. Both devices are handled by one function instead of two copied blocks.
 function Disable-HiddenDevice {
   param([Parameter(Mandatory)][string]$Caption)
   try {
     if (-not (Test-Path .\devcon.exe)) { throw "devcon.exe not found in $PWD" }
     # -First 1 guards against a caption matching more than one device (formatting an array
     # into the ID string would yield 'System.Object[]'); '@' tells devcon the argument is an instance ID.
     $device = Get-CimInstance Win32_PnPEntity | Where Caption -match $Caption | Select-Object -First 1
     if (-not $device) { Write-Warning "Device '$Caption' not found"; return }
     $devconId = "@$($device.PNPDeviceID)"
     $status = (.\devcon.exe status $devconId) | Out-String
     if ($status -match "disabled") {
       Write-Warning "Device '$Caption' is already disabled" }
     else {
       $result = (.\devcon.exe disable $devconId) | Out-String
       # devcon exit codes: 0 = done, 1 = done but reboot required, 2 = failure, 3 = syntax error
       if ($LASTEXITCODE -gt 1 -or $result -notmatch "disabled") { throw "devcon disable failed: $result" }
       Write-Warning "Device '$Caption' has been disabled via current script" }
   }
   Catch {
     Write-Warning -Message $_.Exception.Message }
 }

 Disable-HiddenDevice -Caption 'Remote Desktop Device Redirector Bus'
 Disable-HiddenDevice -Caption 'Microsoft Kernel Debug Network Adapter'

 ##Stage 5
 #Set IGMPLevel to 'None' (the host stops sending IGMP membership reports; anything relying on multicast breaks)
 try {
  if ( (Get-NetIPv4Protocol).IGMPLevel -eq 'None' ) {
    Write-Host -ForegroundColor Cyan "No action required as IGMPLevel is already set to 'None'" }
  else {
    Set-NetIPv4Protocol -IGMPLevel None -PassThru -OutVariable result -ErrorAction Stop | Out-Null
    if ($result.IGMPLevel -eq 'None') {
    Write-Host -ForegroundColor Yellow "PROCESSED: IGMPLevel has been set to 'None'" }
    else {
    Write-Warning "FAILED: To change IGMPLevel"}
  }
 }
 catch {
 Write-Warning -Message $_.Exception.Message }

##Stage 6
#Disable dump file creation (DebugInfoType 0 = none). Note this also removes the memory dump an
#incident responder would want after a crash; weigh that against the disclosure concern.
Try {
$x = Get-CimInstance Win32_OSRecoveryConfiguration -ErrorAction Stop
if ($x.DebugInfoType -eq 0)
    { Write-Host "No action required: DebugInfoType is already 0" }
else
    {$x.DebugInfoType = [uint32]0
    Write-Warning "Will set the debugging information to $($x.DebugInfoType)"
    Set-CimInstance -CimInstance $x -PassThru -OutVariable NewValue -ErrorAction Stop | Out-Null
    # Verify inside the else branch; otherwise an already-compliant machine leaves $NewValue
    # empty and raises a false "not set" warning.
    if ($NewValue.DebugInfoType -eq 0)
        { Write-Host "New value correctly set to $($NewValue.DebugInfoType)" }
    else
        { Write-Warning "Value has not been set !! Please check" }
    }
}
catch {
Write-Warning -Message $_.Exception.Message }
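A read-only compliance check for the settings the script above changes, added here as an example and not part of the original post. It reads back each setting (service start modes, the ms_pacer binding, the two registry values, the two hidden devices, IGMP level and crash dump type) and reports drift without modifying anything, so it can be run before and after the hardening script and again later from configuration management. The function name, its output shape and the default service-name list are my own assumptions; the registry paths, device captions and expected values are taken from the script.

```powershell
# Added example, not from the original post: report-only check of the hardening state.
function Test-HardeningBaseline {
    [CmdletBinding()]
    param(
        # Service *names* (not display names) that should not be set to Automatic.
        # Assumed mapping of some of the script's display names: RemoteRegistry, SSDPSRV, upnphost,
        # WebClient, TapiSrv (Telephony), WinHttpAutoProxySvc (WinHTTP WPAD).
        [string[]]$ServiceName = @('RemoteRegistry','SSDPSRV','upnphost','WebClient','TapiSrv','WinHttpAutoProxySvc'),
        [string]$AdapterName = 'Ethernet*'
    )
    $results = New-Object System.Collections.Generic.List[object]
    function Add-Result($Check, $Expected, $Actual) {
        $results.Add([pscustomobject]@{
            Check     = $Check
            Expected  = $Expected
            Actual    = $Actual
            Compliant = ($Expected -eq $Actual)
        })
    }

    # Stage 1: service start modes via WMI, which exposes StartMode directly ('Auto','Manual','Disabled').
    foreach ($name in $ServiceName) {
        $svc = Get-CimInstance Win32_Service -Filter "Name='$name'"
        if ($svc) {
            $actual = if ($svc.StartMode -eq 'Auto') { 'Auto' } else { 'Manual/Disabled' }
            Add-Result "Service $name start mode" 'Manual/Disabled' $actual
        }
    }

    # Stage 2: QoS Packet Scheduler binding (ComponentID ms_pacer) should be disabled on the LAN adapter(s).
    foreach ($b in Get-NetAdapterBinding -Name $AdapterName -ComponentID ms_pacer -ErrorAction SilentlyContinue) {
        Add-Result "QoS Packet Scheduler on $($b.Name)" $false $b.Enabled
    }

    # Stage 3: IPv6 DisabledComponents (0xFF) and DirectPlay UPnPMode (2). A missing value reads as $null -> non-compliant.
    $dc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters' -Name DisabledComponents -ErrorAction SilentlyContinue
    Add-Result 'Tcpip6 DisabledComponents' 255 $dc.DisabledComponents
    $up = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\DirectplayNATHelp\DPNHUPnP' -Name UPnPMode -ErrorAction SilentlyContinue
    Add-Result 'DirectPlay UPnPMode' 2 $up.UPnPMode

    # Stage 4: hidden devices should be disabled. ConfigManagerErrorCode 22 is "This device is disabled".
    foreach ($caption in 'Remote Desktop Device Redirector Bus','Microsoft Kernel Debug Network Adapter') {
        $dev = Get-CimInstance Win32_PnPEntity -Filter "Caption LIKE '%$caption%'" | Select-Object -First 1
        if ($dev) { Add-Result "Device '$caption' disabled" 22 $dev.ConfigManagerErrorCode }
    }

    # Stage 5: IGMP level.
    $igmp = (Get-NetIPv4Protocol).IGMPLevel
    Add-Result 'IGMPLevel' 'None' "$igmp"

    # Stage 6: crash dump type (0 = none).
    Add-Result 'DebugInfoType' 0 (Get-CimInstance Win32_OSRecoveryConfiguration).DebugInfoType

    $results
}

# Run before and after the hardening script; each non-compliant row is one item of drift to investigate.
$report = Test-HardeningBaseline
$report | Format-Table -AutoSize
$report | Where-Object { -not $_.Compliant } | ForEach-Object { Write-Warning "Drift: $($_.Check) (expected $($_.Expected), actual $($_.Actual))" }
```

Because the function emits objects rather than coloured text, the same output can be piped to Export-Csv or ConvertTo-Json for an audit trail, which is harder to do with the Write-Host calls in the script itself.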

September 28, 2015 at 9:58 pm

Any tips Guys? Thank you.

September 29, 2015 at 1:28 am

I think the first rule I would apply is a general one and not solely PowerShell-related: Abstract the data from the process. Since this is a security-related requirement you are trying to meet, I don't know the greater process and control issues you are facing or how you ultimately intend to run this on systems.

If it must be atomic for deployment, then OK. Otherwise, I would take the list of services out of the script and make it a separate file that the script reads. That way, if the list needs to be altered in the future (and it will), you're not fiddlin' around with a working (preferably under configuration management) script.
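One way to apply the advice above, as an added example that is not part of the reply or the original script: the service baseline lives in a CSV that the script reads and validates, so changing the list is a data change under configuration management rather than an edit to working code. The CSV content, the column names (Name, StartupType, Reason) and the function name are my own assumptions; the sample is written to a temp file here only so the example runs stand-alone, and it matches on the locale-independent service Name rather than the display name.

```powershell
# Added example, not from the original post: data-driven service baseline.
# Constructed sample baseline (assumed format). In practice this file sits beside the script
# under configuration management; the service names correspond to four entries in the script's list.
$baselineCsv = @'
Name,StartupType,Reason
RemoteRegistry,Disabled,Remote registry access is not needed on workstations
SSDPSRV,Disabled,SSDP discovery (UPnP) is not used
upnphost,Disabled,UPnP device host is not used
WebClient,Disabled,WebDAV redirector is not used
'@
$baselinePath = Join-Path $env:TEMP 'service-baseline.csv'
Set-Content -Path $baselinePath -Value $baselineCsv -Encoding UTF8

function Invoke-ServiceBaseline {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path
    )
    # Validate the whole file before touching anything: a typo in the data should stop the run,
    # not half-apply it.
    $allowed = 'Automatic','Manual','Disabled'
    $rows = Import-Csv -Path $Path
    foreach ($row in $rows) {
        if ([string]::IsNullOrWhiteSpace($row.Name) -or $row.StartupType -notin $allowed) {
            throw "Bad baseline row: Name='$($row.Name)' StartupType='$($row.StartupType)'"
        }
    }

    foreach ($row in $rows) {
        $svc = Get-Service -Name $row.Name -ErrorAction SilentlyContinue
        if (-not $svc) {
            [pscustomobject]@{ Name = $row.Name; Result = 'NotInstalled'; Reason = $row.Reason }
            continue
        }
        # Win32_Service exposes the current start mode; it reports 'Auto' where Set-Service says 'Automatic'.
        $current = (Get-CimInstance Win32_Service -Filter "Name='$($row.Name)'").StartMode
        if ($current -eq 'Auto') { $current = 'Automatic' }
        if ($current -eq $row.StartupType) {
            [pscustomobject]@{ Name = $row.Name; Result = 'AlreadyCompliant'; Reason = $row.Reason }
            continue
        }
        # ShouldProcess gives the script -WhatIf / -Confirm for free, so a dry run shows the planned changes.
        if ($PSCmdlet.ShouldProcess($row.Name, "Set StartupType $current -> $($row.StartupType)")) {
            try {
                Set-Service -Name $row.Name -StartupType $row.StartupType -ErrorAction Stop
                # A service set to Disabled while running keeps running until stopped.
                if ($row.StartupType -eq 'Disabled' -and $svc.Status -eq 'Running') {
                    Stop-Service -Name $row.Name -Force -ErrorAction Stop
                }
                [pscustomobject]@{ Name = $row.Name; Result = "Changed ($current -> $($row.StartupType))"; Reason = $row.Reason }
            } catch {
                [pscustomobject]@{ Name = $row.Name; Result = "Failed: $($_.Exception.Message)"; Reason = $row.Reason }
            }
        }
    }
}

# Dry run first, then apply; both emit objects that can be exported as an audit record.
Invoke-ServiceBaseline -Path $baselinePath -WhatIf
Invoke-ServiceBaseline -Path $baselinePath | Format-Table -AutoSize
```

Keeping a Reason column in the data file is deliberate: when the list is revisited later, the justification for each entry travels with the entry instead of living in someone's memory or a separate ticket.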