- Windows Registry Editor Version 5.00
- Create a restore point. Save to a .reg file and import; I've done this on multiple fresh installations with no issues.
- TCPIP, AFD, Settings from: https://msdn.microsoft.com/en-us/library/ff648853.aspx
- Before running, be sure to create a system restore point!
- Set EnableWsd to 1 if you are having internet connectivity issues. It should be fine though!
- Harden the TCP/IP stack for maximum security according to Microsoft's best practices.
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters]
- "ForwardBroadcasts"=dword:00000000
- "EnableIPAutoConfigurationLimits"=dword:00000001
- "IPEnableRouter"=dword:00000000
- "EnableICMPRedirect"=dword:00000000
- "DeadGWDetectDefault"=dword:00000000
- "EnableWsd"=dword:00000000
- "TcpMaxDupAcks"=dword:00000002
- "EnablePMTUDiscovery"=dword:00000000
- "EnablePMTUBHDetect"=dword:00000000
- "IGMPLevel"=dword:00000000
- "QualifyingDestinationThreshold"=dword:00000003
- "TcpMaxPortsExhausted"=dword:00000005
- "TcpMaxHalfOpen"=dword:00000500
- "TcpMaxHalfOpenRetried"=dword:00000400
- "EnableMulticastForwarding"=dword:00000000
- "EnableAddrMaskReply"=dword:00000000
- "Enableconnectionratelimiting"=dword:00000001
- "DisableIPSourceRouting"=dword:00000002
- "EnableDeadGWDetect"=dword:00000000
- "SynAttackProtect"=dword:00000002
- "TcpMaxConnectResponseRetransmissions"=dword:00000002
- "TcpMaxDataRetransmissions"=dword:00000002
- Interface settings take precedence over the global Tcpip\Parameters values; make sure duplicate entries have the same dword value.
- Check for EnableDeadGWDetect under each adapter subkey; if it exists, set it to zero.
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces]
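- As an added example (not part of the original paste), the following PowerShell script reads the values above from Tcpip\Parameters, reports which ones differ from the paste's hardened values, and then walks every adapter subkey under Interfaces to flag per-interface overrides, since those take precedence. It writes nothing unless run with -Apply, and it exports the key to a .reg backup and attempts a restore point first. The desired values are copied from the .reg lines above; the backup path is an assumption.

```powershell
# Added example (not the original paste's code): audit the Tcpip\Parameters values
# above against the hardened baseline and flag per-interface overrides, which win
# over the global key. Writes nothing unless -Apply is given. Save as a .ps1 and
# run from an elevated PowerShell prompt. $BackupPath is an assumed location.
param(
    [switch]$Apply,
    [string]$BackupPath = "$env:TEMP\Tcpip-Parameters-backup.reg"
)

$paramsPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$ifacePath  = "$paramsPath\Interfaces"

# Desired DWORD values copied from the .reg text (hex, as in the .reg file).
$desired = [ordered]@{
    ForwardBroadcasts                    = 0x0
    EnableIPAutoConfigurationLimits      = 0x1
    IPEnableRouter                       = 0x0
    EnableICMPRedirect                   = 0x0
    DeadGWDetectDefault                  = 0x0
    EnableWsd                            = 0x0    # paste: set to 1 if connectivity suffers
    TcpMaxDupAcks                        = 0x2
    EnablePMTUDiscovery                  = 0x0
    EnablePMTUBHDetect                   = 0x0
    IGMPLevel                            = 0x0
    QualifyingDestinationThreshold       = 0x3
    TcpMaxPortsExhausted                 = 0x5
    TcpMaxHalfOpen                       = 0x500
    TcpMaxHalfOpenRetried                = 0x400
    EnableMulticastForwarding            = 0x0
    EnableAddrMaskReply                  = 0x0
    EnableConnectionRateLimiting         = 0x1
    DisableIPSourceRouting               = 0x2
    EnableDeadGWDetect                   = 0x0
    SynAttackProtect                     = 0x2
    TcpMaxConnectResponseRetransmissions = 0x2
    TcpMaxDataRetransmissions            = 0x2
}

function Get-RegValue([string]$Path, [string]$Name) {
    # $null when the key or value is absent, instead of an error.
    $key = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $null }
    return $key.GetValue($Name, $null)
}

# 1. Global parameters: compare each value with the baseline.
$report = @(foreach ($name in $desired.Keys) {
    $actual = Get-RegValue -Path $paramsPath -Name $name
    if ($null -eq $actual)               { $status = 'MISSING'; $shown = '-' }
    elseif ($actual -eq $desired[$name]) { $status = 'OK';      $shown = '0x{0:x}' -f $actual }
    else                                 { $status = 'DRIFT';   $shown = '0x{0:x}' -f $actual }
    [pscustomobject]@{
        Scope   = 'Parameters'
        Value   = $name
        Desired = '0x{0:x}' -f $desired[$name]
        Actual  = $shown
        Status  = $status
    }
})

# 2. Per-interface overrides: the same names under Interfaces\{GUID} take precedence,
#    so a stray EnableDeadGWDetect=1 on one adapter silently undoes step 1.
$overrides = @(foreach ($ifKey in (Get-ChildItem -Path $ifacePath -ErrorAction SilentlyContinue)) {
    foreach ($name in $desired.Keys) {
        $v = $ifKey.GetValue($name, $null)
        if ($null -ne $v -and $v -ne $desired[$name]) {
            [pscustomobject]@{
                Scope   = $ifKey.PSChildName
                Value   = $name
                Desired = '0x{0:x}' -f $desired[$name]
                Actual  = '0x{0:x}' -f $v
                Status  = 'OVERRIDE'
            }
        }
    }
})

($report + $overrides) | Format-Table -AutoSize

if ($Apply) {
    # Export the key first so the change can be reverted with: reg.exe import <file>
    & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' $BackupPath /y | Out-Null
    try   { Checkpoint-Computer -Description 'Before TCP/IP hardening' -RestorePointType MODIFY_SETTINGS }
    catch { Write-Warning "Restore point not created: $_" }

    foreach ($name in $desired.Keys) {
        Set-ItemProperty -Path $paramsPath -Name $name -Value $desired[$name] -Type DWord
    }
    foreach ($o in $overrides) {
        Set-ItemProperty -Path "$ifacePath\$($o.Scope)" -Name $o.Value -Value $desired[$o.Value] -Type DWord
    }
    Write-Host "Applied $($desired.Count) values; backup written to $BackupPath (reboot to take effect)"
}
```

- Run it once without -Apply to see the drift and override table; an OVERRIDE row is exactly the per-adapter EnableDeadGWDetect case the note above warns about, because the interface value, not the global one, is what the stack uses.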
- The primary goal of the dynamic backlog scheme in Winsock was to alleviate the impact of SYN attacks at the Winsock layer. With the new NETIO stack on Vista/Windows 2008 and onwards, TCP/IP SYN-attack protection is built in, so the Winsock-level dynamic backlog scheme is no longer needed and has been removed.
- AFD is short for Ancillary Function Driver, which dates back to the early days of Windows NT. It provides the "hooks" to make things like the TCP/IP NetBIOS Helper Service and the QOS RSVP Service work. "Ancillary Function Driver provides kernel-mode support for Winsock transport interface by extending the functionality of TDI"
- (There have been known vulnerabilities in AFD in the past, but it is essential for Windows Firewall to function.)
- #Harden AFD [unnecessary in Windows 10]
- #[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\AFD\]
- #"start"=dword:00000001
- #[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\AFD\Parameters]
- #"DynamicBacklogGrowthDelta"=dword:00000010
- #"EnableDynamicBacklog"=dword:00000001
- #"MaximumDynamicBacklog"=dword:00020000
- #"MinimumDynamicBacklog"=dword:00000020
- The Peer Collaboration Infrastructure provides a peer network-based framework for collaborative serverless activities, such as network game matchmaking, conferencing, and other interactive multi-participant activities.
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-PeopleNearMe/Operational]
- "Enabled"=dword:00000000
- Disable NetBIOS (disabling NetBIOS over TCP/IP under the adapter settings does not disable the following services)
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBIOS]
- "start"=dword:00000004
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT]
- "start"=dword:00000004
- Avoid the security risks of IPv6; limit protocol use to hardened IPv4 as much as possible.
- Disable and harden TCPIP6 and its components
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\TCPIP6]
- "start"=dword:00000004
- Totally disabling TCPIP6
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters]
- "DisabledComponents"=dword:000000ff
- "DisableIPSourceRouting"=dword:00000002
- "EnableICSIPv6"=dword:00000000
- The IPv6 Helper Service offers IPv6 connectivity over an IPv4 network
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\iphlpsvc]
- "start"=dword:00000004
- Disable Dhcpv6
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Dhcpv6-Client/Admin]
- "Enabled"=dword:00000000
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Dhcpv6-Client/Operational]
- "Enabled"=dword:00000000
- Teredo in Windows is a transition technology that allows communication between the two IP protocols, IPv4 and IPv6. Both protocols are present on the internet but sometimes need a transition technology like Teredo to communicate. Unfortunately, Teredo can cause DNS leaks (when using a VPN).
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\tunnel]
- "start"=dword:00000004
- Harden NetBT (SMB1 has vulnerabilities; hence UseNewSmb)
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT\Parameters]
- "EnableLMHOSTS"=dword:00000000
- "NoNameReleaseOnDemand"=dword:00000001
- "NbProvider"="_tcp"
- "UseNewSmb"=dword:00000001
- MR.X redirectors (like the Intel Management IDE redirector) came with, or were updated with, the Jan 2018 Windows 7 rollup security package featuring Spectre and Meltdown patches. Intel ME is much more dangerous than Spectre and Meltdown. Make sure you watch these videos on AMT / Intel ME redirectors: https://www.youtube.com/results?search_query=intel+ide+redirection
- LanmanWorkstation depends on the mrxsmb10 and mrxsmb20 redirectors.
- MR. X Windows NT WebDAV Mini Redirector
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MRxDAV]
- "Start"=dword:00000004
- MR. X Windows NT SMB Mini Redirector
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\mrxsmb]
- "Start"=dword:00000004
- MR. X Longhorn SMB Downlevel Sub Redirector (that's some deep Longhorn going where now)
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\mrxsmb10]
- "Start"=dword:00000004
- MR. X Longhorn SMB 2.0 Redirector
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\mrxsmb20]
- "Start"=dword:00000004
- Microsoft NCSI and Cryptographic Services: CryptoAPI queries Microsoft immediately as the NIC authenticates with the router/server.
- "Ever wonder how Microsoft knows whether the computer is connected locally or not, and if it has an Internet connection? Thank Network Awareness, specifically NCSI. It is hard at work providing information on:
- Connectivity to an intranet.
- Connectivity to the Internet (Including the ability to send a DNS query and obtain the correct resolution of a DNS name).
- How?
- I found out how NCSI works by reading this Super User Community blog. Network Awareness checks the following at the beginning of each network connection:
- "NCSI performs a DNS lookup on www.msftncsi.com.
- It then requests http://www.msftncsi.com/ncsi.txt.
- This file is a plain-text file containing the phrase ‘Microsoft NCSI'.
- If everything goes well, NCSI receives a 200 OK response header with the proper text.
- The above exchange is what Shelley found during her packet sniffing. Actually, that is the only way one could find out it was happening." Source https://www.techrepublic.com/blog/data-center/what-do-microsoft-and-ncsi-have-in-common/
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-NCSI/Operational
- Activates the DNS probe; it even has a dedicated IP in the registry. Via Wireshark the DNS response comes back pointing to Microsoft web servers. The DNS response includes extra IP routing tables to access MS services via Akamai cloud services (cloud servers are notoriously insecure and a vector for botnet AI or targeted attacks via spoofing/MITM). I then connected to a local Akamai server close to home and exchanged data; it queried, and CryptoAPI downloaded, a file called ncsi.txt. Very intrusive and annoying.
- A prime candidate for spoofing/MITM with fake credentials and exploiting potential vulnerabilities in the API with forged credentials; and a constant call home to big brother 'Microsoft' every few minutes. It happens for each executable file downloaded, for queries to websites for certificates (even in Firefox and Chrome; this was my experience), and when installing and executing signed software. Microsoft will have a record of all of these activities. This is deeply invasive. Disabling NCSI queries via the official registry entry "EnableActiveProbing" does not stop it either.
- Procmon won't even provide distinct registry changes for the following settings; you have to manually disable the following three settings in Internet Explorer's settings: click Start, type "internet options", click Advanced, scroll to the bottom, and uncheck "Check for publisher's certificate revocation", "Check for server certificate revocation" and "Check for signatures on downloaded programs". Wow, Internet Explorer and the CryptoAPI are a deeply embedded part of the desktop environment and online browsing, even with third-party web browsers.
- After disabling this, your network status indicator may show that you are not connected to the internet when in fact you are.
- NCSI example protocol transmission:
- GET /ncsi.txt HTTP/1.1
- Connection: Close
- User-Agent: Microsoft NCSI
- Host: www.msftncsi.com
- Disable the Microsoft NCSI DNS probe. It can be very persistent, so I disabled it across all control sets (each control set records a copy of the registry parameters from a previously successful boot, over 1, 2, 3 or 4 sessions). It is wise to back up these parameters if, for whatever reason, you choose or need to revert to previous settings.
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NlaSvc\Parameters\Internet]
- "PassivePollPeriod"=dword:00000005
- "StaleThreshold"=dword:0000001e
- "WebTimeout"=dword:00000023
- "EnableActiveProbing"=dword:00000000
- "ActiveDnsProbeContent"="0.0.0.0"
- "ActiveDnsProbeContentV6"="0.0.0.0"
- "ActiveDnsProbeHost"="0.0.0.0"
- "ActiveWebProbeHostV6"="0.0.0.0"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NlaSvc\Parameters\Internet]
- "PassivePollPeriod"=dword:00000005
- "StaleThreshold"=dword:0000001e
- "WebTimeout"=dword:00000023
- "EnableActiveProbing"=dword:00000000
- "ActiveDnsProbeContent"="0.0.0.0"
- "ActiveDnsProbeContentV6"="0.0.0.0"
- "ActiveDnsProbeHost"="0.0.0.0"
- "ActiveWebProbeHostV6"="0.0.0.0"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\NlaSvc\Parameters\Internet]
- "PassivePollPeriod"=dword:00000005
- "StaleThreshold"=dword:0000001e
- "WebTimeout"=dword:00000023
- "EnableActiveProbing"=dword:00000000
- "ActiveDnsProbeContent"="0.0.0.0"
- "ActiveDnsProbeContentV6"="0.0.0.0"
- "ActiveDnsProbeHost"="0.0.0.0"
- "ActiveWebProbeHostV6"="0.0.0.0"
- There is another key here.
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-NCSI/Operational]
- "Enabled"=dword:00000000
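- As an added example (not part of the original paste), this PowerShell script does the control-set sweep described above in one pass: it finds every numbered ControlSet00N key, shows which one is live (from HKLM\SYSTEM\Select), compares the NlaSvc\Parameters\Internet probe values in each against the paste's settings, checks that the NCSI/Operational event channel is off, and exports each key to a .reg backup before you change anything. The desired values are copied from the .reg lines above; the backup directory is an assumption.

```powershell
# Added example (not the original paste's code): check the NlaSvc\Parameters\Internet
# probe settings in every numbered control set, show which set is live, confirm the
# NCSI event channel is off, and export each key to a .reg backup. Read-only apart
# from the backup files. $BackupDir is an assumed location; run elevated.
param([string]$BackupDir = "$env:TEMP\ncsi-backup")

$subKey = 'Services\NlaSvc\Parameters\Internet'

# Values copied from the paste's [NlaSvc\Parameters\Internet] section.
$desired = [ordered]@{
    PassivePollPeriod       = 0x5
    StaleThreshold          = 0x1e
    WebTimeout              = 0x23
    EnableActiveProbing     = 0x0
    ActiveDnsProbeContent   = '0.0.0.0'
    ActiveDnsProbeContentV6 = '0.0.0.0'
    ActiveDnsProbeHost      = '0.0.0.0'
    ActiveWebProbeHostV6    = '0.0.0.0'
}

# HKLM\SYSTEM\Select says which ControlSet00N is live (Current), which is used on the
# next boot (Default) and which is the LastKnownGood copy; CurrentControlSet is only
# a link to Current, which is why a change there can miss the other sets.
$select = Get-ItemProperty -Path 'HKLM:\SYSTEM\Select'
function Get-ControlSetRole([int]$Number) {
    $roles = @(foreach ($r in 'Current', 'Default', 'LastKnownGood') {
        if ([int]$select.$r -eq $Number) { $r }
    })
    if ($roles.Count -gt 0) { return ($roles -join '+') } else { return 'inactive' }
}

if (-not (Test-Path -Path $BackupDir)) { New-Item -ItemType Directory -Path $BackupDir | Out-Null }

$sets = Get-ChildItem -Path 'HKLM:\SYSTEM' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' }

$report = @(foreach ($cs in $sets) {
    $name   = $cs.PSChildName
    $number = [int]$name.Substring(10)                     # 'ControlSet001' -> 1
    # Export before anything is touched; restore later with: reg.exe import <file>
    & reg.exe export "HKLM\SYSTEM\$name\$subKey" "$BackupDir\$name.reg" /y 2>$null | Out-Null
    $key = Get-Item -Path "HKLM:\SYSTEM\$name\$subKey" -ErrorAction SilentlyContinue
    foreach ($valueName in $desired.Keys) {
        $actual = $null
        if ($null -ne $key) { $actual = $key.GetValue($valueName, $null) }
        # String comparison covers both the DWORD and the REG_SZ values.
        if ($null -eq $actual)                                  { $status = 'MISSING' }
        elseif ("$actual" -eq "$($desired[$valueName])")        { $status = 'OK' }
        else                                                    { $status = 'DRIFT' }
        [pscustomobject]@{
            ControlSet = $name
            Role       = Get-ControlSetRole -Number $number
            Value      = $valueName
            Desired    = $desired[$valueName]
            Actual     = $actual
            Status     = $status
        }
    }
})
$report | Format-Table -AutoSize

# The channel key name contains '/', which the HKLM:\ provider treats as a path
# separator, so read it through the .NET registry API instead.
$channelKey = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
    'SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-NCSI/Operational')
$channelEnabled = $null
if ($null -ne $channelKey) { $channelEnabled = $channelKey.GetValue('Enabled', $null) }
"NCSI/Operational channel Enabled = $channelEnabled (want 0); backups written to $BackupDir"
```

- Rows whose Role is "inactive" are the spare control sets the note above refers to; DRIFT or MISSING there is harmless until that set becomes Current (for example after a Last Known Good boot), which is exactly when the probe would quietly come back.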
- HTTP Server
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\HTTP]
- "start"=dword:00000004
- ndiswan.sys, MS_ndiswan (Remote Access NDIS WAN Driver; read netrast.inf). LAN = local area network (local network), WAN = wide area network (internet): https://www.diffen.com/difference/LAN_vs_WAN. Listed under Network Adapters as WAN Miniport (IP). NDIS is a critical component of Windows internet connectivity; disabling the "ndis" service causes a BSOD. Disabling the ndiswan component of NDIS will not cause a BSOD.
- #[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ndiswan]
- #"Start"=dword:00000004
- Kernel Legacy TDI Translation Layer: the TDX component creates several device objects that represent various TDI client-accessible protocols: \Device\Tcp6, \Device\Tcp, \Device\Udp6, \Device\Udp, \Device\Rawip, and \Device\Tdx. NECESSARY FOR WINDOWS FIREWALL!
- #[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\tdx]
- #"Start"=dword:00000001
- #Windows Socket 2.0 Non-IFS Service Provider Support Environment (Windows 7 default is normally Disabled; it was enabled due to ComboFix, which is the best free anti-rootkit software available)
- #[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ws2ifsl]
- #"Start"=dword:00000004
- #MS_wanarp (3) (WAN Remote Access IP ARP Driver) (read Netrast.inf)
- #[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wanarp]
- #"Start"=dword:00000004
- MS_wanarpv6 (3) (Remote Access IP ARP Driver) (read Netrast.inf)
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wanarpv6]
- "Start"=dword:00000004
- Server Network Driver
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\srvnet]
- "Start"=dword:00000004
- SMB 1.0 Server Driver (SMB 1, known to be vulnerable)
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\srv]
- "Start"=dword:00000004
- SMB 2.0 Server Driver
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\srv2]
- "Start"=dword:00000004
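- As an added example (not part of the original paste), the following read-only PowerShell script reports the Start type of each driver and service the paste sets, including the two (AFD and tdx) the paste says must stay enabled for Windows Firewall, and then scans every service's DependOnService list to show what still depends on the ones being disabled. That generalises the LanmanWorkstation/mrxsmb10/mrxsmb20 dependency noted above to any dependency present on the machine. Service names and expected Start values are taken from the paste.

```powershell
# Added example (not the original paste's code): report the Start type of each
# driver/service the paste sets, then scan every service's DependOnService list to
# find what still depends on the ones being disabled. Read-only; run elevated.
$servicesPath = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$startNames   = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

# Expected Start values taken from the paste. AFD and tdx are the two the paste says
# must stay enabled (Start=1) for Windows Firewall to work.
$expected = [ordered]@{
    NetBIOS = 4; NetBT = 4; TCPIP6 = 4; iphlpsvc = 4; tunnel = 4
    MRxDAV = 4; mrxsmb = 4; mrxsmb10 = 4; mrxsmb20 = 4
    HTTP = 4; Wanarpv6 = 4; srvnet = 4; srv = 4; srv2 = 4
    AFD = 1; tdx = 1
}

function Get-StartType([string]$Name) {
    # $null when the service key is absent (e.g. a driver not present on this build).
    $key = Get-Item -Path "$servicesPath\$Name" -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $null }
    return $key.GetValue('Start', $null)
}

function Format-Start($Value) {
    if ($null -eq $Value) { return '-' }
    if ($startNames.ContainsKey([int]$Value)) { return $startNames[[int]$Value] }
    return "$Value"
}

# 1. Start-type drift report against the paste's values.
$report = @(foreach ($svc in $expected.Keys) {
    $start = Get-StartType -Name $svc
    if ($null -eq $start)                        { $status = 'NOT PRESENT' }
    elseif ([int]$start -eq $expected[$svc])     { $status = 'OK' }
    else                                         { $status = 'DRIFT' }
    [pscustomobject]@{
        Service  = $svc
        Expected = Format-Start $expected[$svc]
        Actual   = Format-Start $start
        Status   = $status
    }
})
$report | Format-Table -AutoSize

# 2. Dependency scan: anything listing a to-be-disabled service in DependOnService
#    will fail to start once that service is disabled (e.g. LanmanWorkstation -> mrxsmb20).
$toDisable  = @($expected.Keys | Where-Object { $expected[$_] -eq 4 })
$dependents = @(foreach ($key in (Get-ChildItem -Path $servicesPath -ErrorAction SilentlyContinue)) {
    foreach ($dep in @($key.GetValue('DependOnService', @()))) {
        if ($toDisable -contains $dep) {
            [pscustomobject]@{
                Dependent      = $key.PSChildName
                DependentStart = Format-Start ($key.GetValue('Start', $null))
                DependsOn      = $dep
            }
        }
    }
})
$dependents | Sort-Object DependsOn, Dependent | Format-Table -AutoSize
```

- The second table is the one to read before importing the .reg file: every Dependent listed there with a Start type other than Disabled is something that will stop working once its DependsOn entry is set to 4, which is the LanmanWorkstation situation the paste describes, found mechanically rather than from memory.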
- #Delete Windows Mediaplayer TcpIP Virtual NetworkInterface/Adapter
- #[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Devices\00-00-00-00-00-00]
- The following may be OK to leave running; I don't know for certain. My internet and computer seem to run fine without them. Remove the # mask to disable them as well.
- MS_NDIS Usermode I/O Protocol
- #[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Ndisuio]
- #"start"=dword:00000004
- ndistapi.sys, WAN Miniport (IP), MS_NDIST Connection Wrapper (I noticed a slight delay in boot time after disabling this). Don't forget to unmask if you wish to disable it.
- #[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ndistapi]
- #"Start"=dword:00000004
- NDIS was developed by Microsoft and 3COM. Novell offers a similar device driver for NetWare called Open Data-Link Interface (ODI).
- NDIS, short for Network Driver Interface Specification, is a Windows device driver interface that enables a single network interface card (NIC) to support multiple network protocols via a driver wrapper. For example, with NDIS a single NIC can support both TCP/IP and IPX connections. (IPX: "Internetwork Packet Exchange. A networking protocol used by the Novell NetWare operating systems. Like UDP/IP, IPX (a network layer protocol) is a datagram protocol used for connectionless communications. Higher-level protocols, such as SPX and NCP (transport layer protocols), are used for additional error recovery services.") NDIS can also be used by some ISDN adapters. (ISDN, abbreviation of Integrated Services Digital Network, is an international communications standard for sending voice, video, and data over digital telephone lines or normal telephone wires. ISDN supports data transfer rates of 64 Kbps (64,000 bits per second).) NDIS includes a protocol manager that accepts requests from the network driver (at the transport layer) and passes these requests to the NIC (at the data link layer), so multiple NDIS-conforming network drivers can co-exist. Also, if a computer contains multiple NICs because it is connected to more than one network, NDIS can route traffic to the correct card.
- Disabling ndiswan or wanarp may have caused slower page loading on websites.