Untitled

a guest
May 22nd, 2018
Windows Registry Editor Version 5.00

Create a restore point. Save to a .reg file and import; I've done this on multiple fresh installations with no issues.

TCPIP and AFD settings from: https://msdn.microsoft.com/en-us/library/ff648853.aspx
Before running, be sure to create a system restore point!

Enable EnableWsd if you are having internet connectivity issues. It should be fine though!

Harden the TCPIP stack, max security according to Microsoft's best practices.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters]
"ForwardBroadcasts"=dword:00000000
"EnableIPAutoConfigurationLimits"=dword:00000001
"IPEnableRouter"=dword:00000000
"EnableICMPRedirect"=dword:00000000
"DeadGWDetectDefault"=dword:00000000
"EnableWsd"=dword:00000000
"TcpMaxDupAcks"=dword:00000002
"EnablePMTUDiscovery"=dword:00000000
"EnablePMTUBHDetect"=dword:00000000
"IGMPLevel"=dword:00000000
"QualifyingDestinationThreshold"=dword:00000003
"TcpMaxPortsExhausted"=dword:00000005
"TcpMaxHalfOpen"=dword:00000500
"TcpMaxHalfOpenRetried"=dword:00000400
"EnableMulticastForwarding"=dword:00000000
"EnableAddrMaskReply"=dword:00000000
"Enableconnectionratelimiting"=dword:00000001
"DisableIPSourceRouting"=dword:00000002
"EnableDeadGWDetect"=dword:00000000
"SynAttackProtect"=dword:00000002
"TcpMaxConnectResponseRetransmissions"=dword:00000002
"TcpMaxDataRetransmissions"=dword:00000002

Interface settings have precedence over the Tcpip\Parameters values; make sure duplicate entries have the same dword value.
Check for EnableDeadGWDetect under each adapter; if it exists, set it to zero.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces]
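Because a per-adapter value under Interfaces wins over the global Tcpip\Parameters value, a read-only audit helps catch a stale duplicate. The PowerShell below is an added example, not part of the original paste: it lists every interface value whose name also exists globally, flags those that differ, and reports EnableDeadGWDetect on each adapter even when the global key lacks it.

```powershell
# Added example, not from the original paste. Read-only: it changes nothing.
# Interface values under Tcpip\Parameters\Interfaces\<GUID> take precedence
# over the global Tcpip\Parameters values, so a per-adapter duplicate with a
# different dword silently undoes the global hardening. Run elevated.

$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# Global name -> value table; PowerShell adds PS* bookkeeping properties, skip them.
$globalValues = @{}
foreach ($prop in (Get-ItemProperty -Path $base).PSObject.Properties) {
    if ($prop.Name -notlike 'PS*') { $globalValues[$prop.Name] = $prop.Value }
}

$findings = foreach ($key in Get-ChildItem -Path "$base\Interfaces") {
    $props = (Get-ItemProperty -Path $key.PSPath).PSObject.Properties
    foreach ($p in $props) {
        if ($p.Name -like 'PS*') { continue }
        if ($globalValues.ContainsKey($p.Name)) {
            $want = $globalValues[$p.Name]     # must match the global dword
        } elseif ($p.Name -eq 'EnableDeadGWDetect') {
            $want = 0                          # paste: zero on every adapter
        } else {
            continue                           # interface-only setting, not compared
        }
        $status = if ($p.Value -eq $want) { 'match' } else { 'OVERRIDE' }
        New-Object PSObject -Property @{
            Interface = $key.PSChildName
            Name      = $p.Name
            Expected  = $want
            Actual    = $p.Value
            Status    = $status
        }
    }
}

if ($findings) {
    $findings | Format-Table Interface, Name, Expected, Actual, Status -AutoSize
} else {
    'No interface values duplicate a global Tcpip parameter.'
}
```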

The primary goal of the dynamic backlog scheme in Winsock was to alleviate the impact of SYN attacks at the Winsock layer. With the new NETIO stack on Vista/Windows 2008 and onwards, TCP/IP SYN-attack protection is built in; the Winsock-level dynamic backlog scheme is not needed anymore and has been removed.
AFD is short for Ancillary Function Driver, which dates back to the early days of Windows NT. It provides the "hooks" to make things like the TCP/IP NetBIOS Helper Service and the QoS RSVP Service work. "Ancillary Function Driver provides kernel-mode support for the Winsock transport interface by extending the functionality of TDI."
(There have been known vulnerabilities in AFD in the past, but it is essential for Windows Firewall to function.)

#Harden AFD [unnecessary in Windows 10]
#[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\AFD]
#"start"=dword:00000001
#[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\AFD\Parameters]
#"DynamicBacklogGrowthDelta"=dword:00000010
#"EnableDynamicBacklog"=dword:00000001
#"MaximumDynamicBacklog"=dword:00020000
#"MinimumDynamicBacklog"=dword:00000020

The Peer Collaboration Infrastructure provides a peer network-based framework for collaborative serverless activities, such as network game matchmaking, conferencing, and other interactive multi-participant activities.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-PeopleNearMe/Operational]
"Enabled"=dword:00000000

Disable NetBIOS (disabling NetBIOS over TCP/IP under the adapter settings does not disable the following services)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBIOS]
"start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT]
"start"=dword:00000004

Avoid the security risks of IPv6; limit your protocol use to hardened IPv4 as much as possible.
Disable and harden TCPIP6 and its components.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\TCPIP6]
"start"=dword:00000004

Totally disabling TCPIP6
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters]
"DisabledComponents"=dword:000000ff
"DisableIPSourceRouting"=dword:00000002
"EnableICSIPv6"=dword:00000000

The IPv6 Helper Service offers IPv6 connectivity over an IPv4 network.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\iphlpsvc]
"start"=dword:00000004

Disable DHCPv6
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Dhcpv6-Client/Admin]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Dhcpv6-Client/Operational]
"Enabled"=dword:00000000

Teredo in Windows is a transition technology that allows communication between the two IP protocols, IPv4 and IPv6. Both protocols are present on the internet but sometimes need a transition technology like Teredo to communicate. Unfortunately, Teredo can cause DNS leaks (in a VPN).
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\tunnel]
"start"=dword:00000004

Harden NetBT (SMB1 has vulnerabilities; hence UseNewSmb)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT\Parameters]
"EnableLMHOSTS"=dword:00000000
"NoNameReleaseOnDemand"=dword:00000001
"NbProvider"="_tcp"
"UseNewSmb"=dword:00000001

MRx redirectors (like Intel Management's IDE redirector) came with, or were updated with, the Jan 2018 Windows 7 rollup security package featuring the Spectre and Meltdown patches. Intel ME is much more dangerous than Spectre and Meltdown. Make sure you watch these videos on AMT / Intel ME redirectors: https://www.youtube.com/results?search_query=intel+ide+redirection
LanmanWorkstation depends on the mrxsmb10 and mrxsmb20 redirectors.

MRx Windows NT WebDAV Mini-Redirector
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MRxDAV]
"Start"=dword:00000004

MRx Windows NT SMB Mini-Redirector
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\mrxsmb]
"Start"=dword:00000004

MRx Longhorn SMB Downlevel Sub-Redirector (that's some deep Longhorn going where now)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\mrxsmb10]
"Start"=dword:00000004

MRx Longhorn SMB 2.0 Redirector
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\mrxsmb20]
"Start"=dword:00000004

Microsoft NCSI & Cryptographic Services: CryptoAPI queries Microsoft immediately as the NIC authenticates with the router/server.

"Ever wonder how Microsoft knows whether the computer is connected locally or not, and if it has an Internet connection? Thank Network Awareness, specifically NCSI. It is hard at work providing information on:

Connectivity to an intranet.
Connectivity to the Internet (including the ability to send a DNS query and obtain the correct resolution of a DNS name).
How?

I found out how NCSI works by reading this Super User Community blog. Network Awareness checks the following at the beginning of each network connection:

"NCSI performs a DNS lookup on www.msftncsi.com.
It then requests http://www.msftncsi.com/ncsi.txt.
This file is a plain-text file containing the phrase 'Microsoft NCSI'.
If everything goes well, NCSI receives a 200 OK response header with the proper text.

The above exchange is what Shelley found during her packet sniffing. Actually, that is the only way one could find out it was happening." Source: https://www.techrepublic.com/blog/data-center/what-do-microsoft-and-ncsi-have-in-common/

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-NCSI/Operational

Activates the DNS probe; it even has a dedicated IP in the registry. Via Wireshark, the DNS response comes back pointing to Microsoft web servers. The DNS response includes extra IP routing tables to access MS services via Akamai cloud services (cloud servers are notoriously insecure and a vector for botnet AI or targeted attacks via spoofing/MITM). I then connected to a local Akamai server close to home and exchanged data; it queried, and CryptoAPI downloaded a file called ncsi.txt. Very intrusive and annoying. A prime candidate for spoofing/MITM with fake credentials and exploiting potential vulnerabilities in the API with forged credentials, and a constant call home to big brother 'Microsoft' every few minutes; it happens for each executable file downloaded, for queries to websites for certificates (even in Firefox and Chrome; this was my experience), and when installing and executing signed software. Microsoft will have a record of all of these activities. This is deeply invasive. Disabling NCSI queries via the official registry entry "EnableActiveProbing" does not stop it either. Procmon won't even provide distinct registry changes for the following settings; you have to manually disable the following three settings in Internet Explorer's settings: click Start, type "internet options", click Advanced, scroll to the bottom, and uncheck "Check for publisher's certificate revocation", "Check for server certificate revocation" and "Check for signatures on downloaded programs." Wow, Internet Explorer and the CryptoAPI are a deeply embedded part of the desktop environment and of online browsing, even with third-party web browsers.

After disabling this, your network status indicator may show that you are not connected to the internet when in fact you are.
NCSI example protocol transmission:

GET /ncsi.txt HTTP/1.1
Connection: Close
User-Agent: Microsoft NCSI
Host: www.msftncsi.com

Disable the Microsoft NCSI DNS probe. It can be very persistent, so I disabled it across all control sets (each control set records a copy of a previously successful boot's registry parameters, over 1, 2, 3 or 4 sessions). It is wise to back up these parameters if, for whatever reason, you choose or need to revert to previous settings.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NlaSvc\Parameters\Internet]
"PassivePollPeriod"=dword:00000005
"StaleThreshold"=dword:0000001e
"WebTimeout"=dword:00000023
"EnableActiveProbing"=dword:00000000
"ActiveDnsProbeContent"="0.0.0.0"
"ActiveDnsProbeContentV6"="0.0.0.0"
"ActiveDnsProbeHost"="0.0.0.0"
"ActiveWebProbeHostV6"="0.0.0.0"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NlaSvc\Parameters\Internet]
"PassivePollPeriod"=dword:00000005
"StaleThreshold"=dword:0000001e
"WebTimeout"=dword:00000023
"EnableActiveProbing"=dword:00000000
"ActiveDnsProbeContent"="0.0.0.0"
"ActiveDnsProbeContentV6"="0.0.0.0"
"ActiveDnsProbeHost"="0.0.0.0"
"ActiveWebProbeHostV6"="0.0.0.0"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\NlaSvc\Parameters\Internet]
"PassivePollPeriod"=dword:00000005
"StaleThreshold"=dword:0000001e
"WebTimeout"=dword:00000023
"EnableActiveProbing"=dword:00000000
"ActiveDnsProbeContent"="0.0.0.0"
"ActiveDnsProbeContentV6"="0.0.0.0"
"ActiveDnsProbeHost"="0.0.0.0"
"ActiveWebProbeHostV6"="0.0.0.0"

There is another key here.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-NCSI/Operational]
"Enabled"=dword:00000000
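Since the NCSI change is applied to every control set and the text advises backing the values up first, here is a PowerShell helper for that step. It is an added example, not part of the original paste: it exports the NlaSvc\Parameters\Internet key of each numbered control set to a re-importable .reg file, then reports which control sets still have active probing on and which one CurrentControlSet points at. The backup folder is an assumption.

```powershell
# Added example, not from the original paste. Exports NlaSvc\Parameters\Internet
# from every numbered control set to a .reg file (revert with "reg import" or a
# double-click), then reports where active probing is still enabled.
# Backup folder is an assumption; change it to suit. Run from an elevated PowerShell.

$backupDir = 'C:\RegBackup'   # assumed location
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# HKLM\SYSTEM\Select records which numbered control set CurrentControlSet points to.
$current = (Get-ItemProperty -Path 'HKLM:\SYSTEM\Select').Current

$sets = Get-ChildItem -Path 'HKLM:\SYSTEM' | Where-Object { $_.PSChildName -like 'ControlSet0*' }
foreach ($cs in $sets) {
    $name   = $cs.PSChildName
    $regKey = "HKLM\SYSTEM\$name\services\NlaSvc\Parameters\Internet"
    $file   = Join-Path $backupDir "$name-NlaSvc-Internet.reg"

    # reg.exe export produces a re-importable .reg; /y overwrites an older backup.
    & reg.exe export $regKey $file /y | Out-Null
    $backedUp = if ($LASTEXITCODE -eq 0) { "backup: $file" } else { 'backup FAILED (key missing?)' }

    $p = Get-ItemProperty -Path "HKLM:\SYSTEM\$name\services\NlaSvc\Parameters\Internet" -ErrorAction SilentlyContinue
    if ($null -eq $p) {
        $state = 'key missing'
    } elseif ($p.EnableActiveProbing -eq 0) {
        $state = 'active probing disabled'
    } else {
        $state = 'active probing ENABLED (Windows default)'   # value absent or 1
    }

    # "ControlSet001" -> 1, compared with the Current value from HKLM\SYSTEM\Select.
    $tag = if ([int]$name.Substring(10) -eq $current) { ' <- CurrentControlSet' } else { '' }
    '{0}: {1}; {2}{3}' -f $name, $state, $backedUp, $tag
}
```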

HTTP Server
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\HTTP]
"start"=dword:00000004

ndiswan.sys MS_ndiswan (Remote Access NDIS WAN Driver; read netrast.inf). (LAN = local area network; WAN = wide area network, i.e. the internet: https://www.diffen.com/difference/LAN_vs_WAN) Network Adapters, WAN Miniport (IP). NDIS is a critical component of Windows internet connectivity; disabling the service "ndis" causes a BSOD. Disabling the ndiswan component of NDIS will not cause a BSOD.
#[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ndiswan]
#"Start"=dword:00000004

Kernel Legacy TDI Translation Layer: the TDX component creates several device objects that represent various TDI
client-accessible protocols: \Device\Tcp6, \Device\Tcp, \Device\Udp6, \Device\Udp, \Device\Rawip,
and \Device\Tdx. NECESSARY FOR WINDOWS FIREWALL!
#[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\tdx]
#"Start"=dword:00000001

#Windows Socket 2.0 Non-IFS Service Provider Support Environment (the Windows 7 default is normally disabled; it was enabled due to ComboFix, which is the best free anti-rootkit software available)
#[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ws2ifsl]
#"Start"=dword:00000004

#MS_wanarp (3) (WAN Remote Access IP ARP Driver) (read Netrast.inf)
#[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wanarp]
#"Start"=dword:00000004

MS_wanarpv6 (3) (Remote Access IP ARP Driver) (read Netrast.inf)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wanarpv6]
"Start"=dword:00000004

Server Network Driver
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\srvnet]
"Start"=dword:00000004

SMB 1.0 Server Driver (SMB1, known to be vulnerable)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\srv]
"Start"=dword:00000004

SMB 2.0 Server Driver
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\srv2]
"Start"=dword:00000004
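To verify what the redirector and server entries above actually did after import, the following read-only PowerShell (an added example, not part of the original paste) reads the Start dword of each driver and service named in this file, prints what the value means, and warns when LanmanWorkstation is still enabled while one of the mrxsmb10/mrxsmb20 redirectors it depends on is disabled.

```powershell
# Added example, not from the original paste. Reads the Start dword of the
# drivers and services this paste disables and prints what each value means,
# then warns if LanmanWorkstation is still enabled while an SMB redirector it
# depends on (mrxsmb10 / mrxsmb20) is disabled. Read-only; run elevated.

$startMeaning = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

# Service key names as they appear in the paste.
$services = 'NetBIOS', 'NetBT', 'TCPIP6', 'iphlpsvc', 'tunnel', 'MRxDAV', 'mrxsmb',
            'mrxsmb10', 'mrxsmb20', 'HTTP', 'srvnet', 'srv', 'srv2', 'Wanarpv6', 'LanmanWorkstation'

function Get-StartValue([string]$Name) {
    $item = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$Name" -Name Start -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # key or Start value absent
    return [int]$item.Start
}

foreach ($svc in $services) {
    $v = Get-StartValue $svc
    $meaning = if ($null -eq $v) { 'not present' } else { $startMeaning[$v] }
    '{0,-18} Start={1,-2} {2}' -f $svc, $v, $meaning
}

# Dependency the paste calls out: LanmanWorkstation needs both SMB redirectors.
$ws = Get-StartValue 'LanmanWorkstation'
$redirDisabled = ((Get-StartValue 'mrxsmb10') -eq 4) -or ((Get-StartValue 'mrxsmb20') -eq 4)
if (($null -ne $ws) -and ($ws -ne 4) -and $redirDisabled) {
    'WARNING: LanmanWorkstation is enabled but mrxsmb10/mrxsmb20 is disabled; the Workstation service depends on them and may fail to start.'
}
```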


#Delete the Windows Media Player TCP/IP virtual network interface/adapter
#[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Devices\00-00-00-00-00-00]

The following may be OK to leave running; I don't know entirely. My internet and computer seem to run fine without them. Remove the # mask to disable them as well.

MS_NDIS Usermode I/O Protocol
#[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Ndisuio]
#"start"=dword:00000004

ndistapi.sys WAN Miniport (IP) MS_NDIST Connection Wrapper (I noticed a slight delay in boot time after disabling this). Don't forget to unmask if you wish to disable it.
#[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ndistapi]
#"Start"=dword:00000004

NDIS was developed by Microsoft and 3Com. Novell offers a similar device driver for NetWare called Open Data-Link Interface (ODI).

NDIS, short for Network Driver Interface Specification, is a Windows device driver interface that enables a single network interface card (NIC) to support multiple network protocols via a driver wrapper. For example, with NDIS a single NIC can support both TCP/IP and IPX connections. (IPX: "Internetwork Packet Exchange. A networking protocol used by the Novell NetWare operating systems. Like UDP/IP, IPX (a network layer protocol) is a datagram protocol used for connectionless communications. Higher-level protocols, such as SPX and NCP (transport layer protocols), are used for additional error recovery services.") NDIS can also be used by some ISDN adapters. (ISDN, an abbreviation of Integrated Services Digital Network, is an international communications standard for sending voice, video, and data over digital telephone lines or normal telephone wires. ISDN supports data transfer rates of 64 Kbps (64,000 bits per second).) NDIS includes a protocol manager that accepts requests from the network driver (at the transport layer) and passes these requests to the NIC (at the data link layer), so multiple NDIS-conforming network drivers can co-exist. Also, if a computer contains multiple NICs because it is connected to more than one network, NDIS can route traffic to the correct card.


Disabling ndiswan or wanarp may have caused slower page loading on websites.