- Oct 3, 2022
Network protocols are the grammar rules that let bits and bytes communicate with their counterpart programs on another machine. Each one has weaknesses, and each one that is bound to an adapter is code listening for packets from the network. So unless your environment requires a protocol, disable everything except the bare essentials. More protocols mean a larger attack surface.
The only protocols you really need are IPv4 and, optionally, IPv6. Since the arrival of NAT routers, companies and governments can place their machines in the private IP ranges (192.168.x.x, 172.16-31.x.x, 10.x.x.x), which are not routable on the internet, so IPv4 address exhaustion has not forced IPv6 onto everyone. If your ISP does not provide IPv6, it is an optional protocol on your PC and can be turned off; if it does, leave it on and only disable the transition tunnels described below.
NetBIOS over TCP/IP (NetBT) is not required on a modern Windows network: file sharing runs directly over TCP port 445, and name resolution is done by DNS. Disabling NetBT stops the machine from listening on UDP 137/138 and TCP 139 and stops it from broadcasting NetBIOS name queries, which are a classic target for name-spoofing attacks on the local subnet.
The Link-Layer Topology Discovery protocols are used to draw the graphical map of your network. For home users this is not needed, as there is only one router: you would only get a picture of your PCs connected to your router. For domain users the feature is turned off by Group Policy defaults once you join the domain.
File and Printer Sharing should only be enabled if you plan to share some of your folders on the network or want to share your locally connected printer. It is the SMB server side: with it bound, your PC listens on TCP 445. If printer sharing is needed, it is better to buy a printer with networking built in, so that an attacker who gets in only gains access to a printer instead of your PC. Disable this feature unless absolutely required.
Client for Microsoft Networks is the client half of File and Printer Sharing, and it is also what talks to Windows servers. It is not needed if you never map or browse shared folders on other PCs. Do not disable it on a domain-joined machine: the domain logon, Group Policy and SYSVOL access all go over SMB to the domain controllers.
Go to Settings > Network & Internet > Advanced network settings > More network adapter options, and do the following for both the Ethernet and the Wi-Fi adapter.
Uncheck the following:
Client for Microsoft Networks
File and Printer Sharing for Microsoft Networks
QoS Packet Scheduler
Microsoft Network Adapter Multiplexor Protocol (only used for NIC teaming)
Microsoft LLDP Protocol Driver
Link-Layer Topology Discovery Mapper I/O Driver
Link-Layer Topology Discovery Responder
Internet Protocol Version 6 (TCP/IPv6), if your ISP doesn't support it
Select 'Internet Protocol Version 4 (TCP/IPv4)', click Properties, click Advanced,
click the 'DNS' tab, uncheck 'Register this connection's addresses in DNS' (keep it checked on a domain member; Active Directory relies on dynamic DNS registration)
click the 'WINS' tab, select 'Disable NetBIOS over TCP/IP'
on the same 'WINS' tab, uncheck 'Enable LMHOSTS lookup'
There were several interim IPv4-to-IPv6 tunneling technologies: 6to4, ISATAP and Teredo. Recent Windows versions no longer bring them up by default, but the registry value below turns them off explicitly. These tunnels are bad because they wrap IPv6 inside IPv4 (Teredo inside UDP, to cross NAT), so your hardware firewall sees only the outer IPv4 packet and cannot inspect or filter the IPv6 traffic inside it.
Run 'Regedit',
go to the registry key HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters,
right click in the right pane, create a new entry of type DWORD (32-bit) called DisabledComponents,
then double click it, select the Hexadecimal base and enter one of the following:
FF to disable all IPv6 components except the IPv6 loopback interface, which can't be deactivated. Microsoft does not recommend this (some Windows components expect IPv6 to exist) and suggests 20, which keeps IPv6 but prefers IPv4, if you only want IPv4 used.
01 to disable only the IPv6 tunnel interfaces: Intra-Site Automatic Tunnel Addressing Protocol (ISATAP), 6to4 and Teredo. If you have an IPv6 router, this is the one to choose.
Note that 0 is the default setting. A reboot is required for the change to take effect.
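The adapter-binding, NetBIOS, DNS-registration and IPv6-tunnel steps above, done from an elevated PowerShell session instead of the adapter dialog. This is an added example and not part of the original post; it assumes Windows 10/11 with the NetAdapter, DnsClient and CIM cmdlets available, and it deliberately leaves IPv6 and DNS registration alone on a domain-joined machine for the reasons given above.

```powershell
# Added example (not from the original post): per-adapter protocol hardening.
# Assumptions: elevated shell, Windows 10/11, physical Ethernet/Wi-Fi adapters.
#Requires -RunAsAdministrator

# Binding component IDs as Windows names them (Get-NetAdapterBinding lists them).
$bindingsToDisable = @(
    'ms_msclient',  # Client for Microsoft Networks
    'ms_server',    # File and Printer Sharing for Microsoft Networks
    'ms_pacer',     # QoS Packet Scheduler
    'ms_implat',    # Microsoft Network Adapter Multiplexor Protocol
    'ms_lldp',      # Microsoft LLDP Protocol Driver
    'ms_lltdio',    # Link-Layer Topology Discovery Mapper I/O Driver
    'ms_rspndr'     # Link-Layer Topology Discovery Responder
)

$isDomainJoined = (Get-CimInstance Win32_ComputerSystem).PartOfDomain
if (-not $isDomainJoined) {
    # Home/standalone only: IPv6 is optional there, as the post says.
    $bindingsToDisable += 'ms_tcpip6'
}

# Physical adapters only; virtual ones (Hyper-V, VPN) keep their bindings.
$adapters = Get-NetAdapter -Physical | Where-Object Status -ne 'Not Present'

foreach ($adapter in $adapters) {
    foreach ($component in $bindingsToDisable) {
        $binding = Get-NetAdapterBinding -Name $adapter.Name -ComponentID $component -ErrorAction SilentlyContinue
        if ($binding -and $binding.Enabled) {
            Disable-NetAdapterBinding -Name $adapter.Name -ComponentID $component
            Write-Host "[$($adapter.Name)] disabled $component ($($binding.DisplayName))"
        }
    }
    # 'Register this connection's addresses in DNS': keep it on domain members,
    # Active Directory relies on dynamic DNS registration.
    if (-not $isDomainJoined) {
        Set-DnsClient -InterfaceIndex $adapter.ifIndex -RegisterThisConnectionsAddress $false
    }
}

# NetBIOS over TCP/IP per IP-enabled interface: 2 = disable (0 = from DHCP, 1 = enable).
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
    $r = Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = 2 }
    Write-Host "[$($_.Description)] SetTcpipNetbios return code $($r.ReturnValue)"   # 0 = OK, 1 = reboot needed
}

# LMHOSTS lookup is a machine-wide setting exposed through the static EnableWINS method.
$null = Invoke-CimMethod -ClassName Win32_NetworkAdapterConfiguration -MethodName EnableWINS `
    -Arguments @{ DNSEnabledForWINSResolution = $false; WINSEnableLMHostsLookup = $false }

# IPv6 transition tunnels (ISATAP, 6to4, Teredo): 0x01 keeps native IPv6 and drops
# only the tunnels. The post's 0xFF would disable everything except loopback.
$tcpip6 = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
New-ItemProperty -Path $tcpip6 -Name DisabledComponents -PropertyType DWord -Value 0x01 -Force | Out-Null
Write-Host 'DisabledComponents set; reboot for it to take effect.'

# Verification: the same information the adapter dialog shows, as one table.
Get-NetAdapterBinding -Name ($adapters.Name) |
    Where-Object ComponentID -in ($bindingsToDisable + 'ms_tcpip') |
    Sort-Object Name, ComponentID |
    Format-Table Name, DisplayName, ComponentID, Enabled -AutoSize
```

Run it once per machine, reboot, and run the last pipeline again: every listed component except ms_tcpip should show Enabled = False on each physical adapter.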
=======================================================================================================
TLS 1.3, the current version of the protocol behind HTTPS, should be enabled in Schannel so that Windows' own TLS users (IIS, WinHTTP, .NET and PowerShell, Remote Desktop) can negotiate it; Schannel always picks the highest version both sides support, so enabling it is enough to make it the one used. Schannel supports TLS 1.3 on Windows 11 and Windows Server 2022, where it is already on by default; Windows 10 does not support TLS 1.3 in Schannel, so the keys below have no effect there. Chrome and Firefox ship their own TLS stacks and ignore these keys entirely.
Open RegEdit, go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\
Make a new key: "TLS 1.3", and under it two subkeys: "Client" and "Server" (Schannel reads the settings from the subkeys, not from "TLS 1.3" itself)
In each subkey make a new item: "DisabledByDefault"=dword:00000000
In each subkey make a new item: "Enabled"=dword:00000001
Reboot for Schannel to pick up the change.
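The same change applied with PowerShell, followed by a live check of what Schannel actually negotiates. This is an added example, not the post's own procedure; it assumes an elevated shell on Windows 11 or Server 2022, and the hostname in the check is an arbitrary public HTTPS site, chosen only because it supports TLS 1.3.

```powershell
# Added example (not from the original post): enable TLS 1.3 in Schannel the way
# Schannel reads it (Client and Server subkeys), then confirm the negotiated version.
# Assumptions: elevated shell; Windows 11 / Server 2022 (Windows 10 Schannel has no TLS 1.3).
#Requires -RunAsAdministrator

$protocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

foreach ($side in 'Client', 'Server') {
    $key = "$protocols\TLS 1.3\$side"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Enabled=1 makes the protocol available; DisabledByDefault=0 lets callers that
    # do not name a protocol explicitly use it.
    Set-ItemProperty -Path $key -Name Enabled           -Type DWord -Value 1
    Set-ItemProperty -Path $key -Name DisabledByDefault -Type DWord -Value 0
}

# Read back what was written.
Get-ChildItem "$protocols\TLS 1.3" | ForEach-Object {
    $p = Get-ItemProperty $_.PSPath
    '{0,-6} Enabled={1} DisabledByDefault={2}' -f $_.PSChildName, $p.Enabled, $p.DisabledByDefault
}

# Live check through .NET's SslStream, which sits on Schannel on Windows. Asking for
# TLS 1.3 only means the handshake fails on a stack that cannot do it (Windows 10).
function Test-Tls13 {
    param([string]$HostName = 'www.microsoft.com', [int]$Port = 443)   # hostname is an assumption
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]::Tls13, $true)
        [pscustomobject]@{ Host = $HostName; Protocol = $ssl.SslProtocol; Cipher = $ssl.CipherAlgorithm }
    } catch {
        [pscustomobject]@{ Host = $HostName; Protocol = 'not negotiated'; Cipher = $_.Exception.Message }
    } finally {
        $client.Dispose()
    }
}
Test-Tls13
```

Run Test-Tls13 after the reboot; Protocol should read Tls13. Seeing "not negotiated" on a machine whose registry reads back correctly means the Schannel on that Windows build does not implement TLS 1.3, not that the keys are wrong.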
=======================================================================================================
Disable IGMP
I have never seen this protocol used. When something is unused, it should be disabled. The command sets the host's IGMP level to "none", so it never joins a multicast group; the IPv6 counterpart is MLD, controlled by the same parameter name in the ipv6 context. Anything on your LAN that depends on multicast (mDNS/Bonjour discovery of printers and Chromecasts, IPTV streams) will stop working, so set it back to "all" if you need those.
Right click Start and select Terminal as Admin, and paste in this command:
netsh interface ipv4 set global mldlevel=none
========================================================================================================
Disable Source Routing
IP source routing (the Loose and Strict Source Route options in IPv4, the routing header in IPv6) lets the sender of a packet dictate the path it takes to its destination instead of leaving that to the routers. It has no legitimate use on an end-user machine, and a host that honours it can be used to map out a network or to reach machines that are not normally reachable from where the attacker sits, for example a SIEM collector on a management subnet that the host can also see.
Open regedit and go to HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, make a DWORD named DisableIPSourceRouting and set it to 2 (drop all incoming source-routed packets; the value 1 only stops the machine from forwarding them). Do the same under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters for IPv6.
========================================================================================================
Disable port 1900 UPnP
The intention of UPnP is ease of configuration, so that things like games can auto-configure the router's firewall to let other players from the internet join in. However, with every program poking its own holes into your firewall through UPnP, it soon becomes Swiss cheese and stops functioning as a firewall. It is better to configure firewall rules manually so that each rule is known and accounted for. If your hardware firewall or router has an option to disable UPnP, do so. Port 1900/UDP is SSDP, the discovery half of UPnP, and on Windows it is the SSDP Discovery service that listens there, with the UPnP Device Host service on top of it; stopping and disabling both services closes the port. The registry value below only tells the legacy DirectPlay NAT Helper not to use UPnP, so it is a complement to disabling the services, not a replacement.
Regedit
HKLM\Software\Microsoft\DirectPlayNATHelp\DPNHUPnP
right click in the right pane, new DWORD (32-bit) named UPnPMode
Double click it and set the value to 2.
==========================================================================================================
Disable SMB 1 protocol
SMB is the protocol behind Windows file and printer sharing. There are three versions. Version 1 is the oldest and was abused by the WannaCry ransomware in 2017 (the EternalBlue exploit of MS17-010). Versions 2 and 3 share one dialect family, are handled by the same driver, and are considered safe to leave on. Even so, SMB1 should be removed from every machine, and the server side of SMB should be unbound (see File and Printer Sharing above) unless this PC actually shares something. Clean installs of Windows 10 since version 1709 and all of Windows 11 no longer include SMB1 by default, so on those the command below simply confirms it is absent.
Right click Start and click on Windows Terminal (Admin). Then type the following (a reboot completes the removal):
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
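The source routing, IGMP/MLD, UPnP and SMB1 sections above applied from one elevated PowerShell session, with a read-back of the resulting state. This is an added example and not from the original post; it assumes a Windows 10/11 client on which nothing needs multicast or SMB1, and it uses the Tcpip and Tcpip6 DisableIPSourceRouting value (with the baseline value 2) rather than the name the post used.

```powershell
# Added example (not from the original post): remaining protocol hardening plus verification.
# Assumptions: elevated shell, Windows 10/11, no dependency on multicast or SMB1.
#Requires -RunAsAdministrator

# 1. Source routing on both stacks. 2 = drop all source-routed packets
#    (Microsoft security baseline value); 1 only stops forwarding them.
foreach ($stack in 'Tcpip', 'Tcpip6') {
    New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$stack\Parameters" `
        -Name DisableIPSourceRouting -PropertyType DWord -Value 2 -Force | Out-Null
}

# 2. IGMP (IPv4) and MLD (IPv6): never join a multicast group. 'all' restores the default.
netsh interface ipv4 set global mldlevel=none | Out-Null
netsh interface ipv6 set global mldlevel=none | Out-Null

# 3. UPnP. The DirectPlay value only affects legacy DirectPlay; the SSDP Discovery
#    service is what listens on UDP 1900, with UPnP Device Host on top of it.
$dp = 'HKLM:\SOFTWARE\Microsoft\DirectPlayNATHelp\DPNHUPnP'
if (-not (Test-Path $dp)) { New-Item -Path $dp -Force | Out-Null }
New-ItemProperty -Path $dp -Name UPnPMode -PropertyType DWord -Value 2 -Force | Out-Null
foreach ($svc in 'upnphost', 'SSDPSRV') {          # upnphost depends on SSDPSRV, so stop it first
    Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
    Set-Service  -Name $svc -StartupType Disabled
}

# 4. SMB1: remove the optional feature (client and server); a reboot finishes it.
$smb1 = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
if ($smb1.State -ne 'Disabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

# Verification: the state an external scan would reveal, read from the inside.
function Get-HardeningState {
    [pscustomobject]@{
        SourceRoutingV4 = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters').DisableIPSourceRouting
        SourceRoutingV6 = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters').DisableIPSourceRouting
        MldLevelV4      = (netsh interface ipv4 show global | Select-String 'MLD Level').ToString().Trim()
        MldLevelV6      = (netsh interface ipv6 show global | Select-String 'MLD Level').ToString().Trim()
        SsdpService     = (Get-Service SSDPSRV).Status
        UpnpHostService = (Get-Service upnphost).Status
        Listening1900   = [bool](Get-NetUDPEndpoint -LocalPort 1900 -ErrorAction SilentlyContinue)
        Smb1Feature     = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State
        Smb1Server      = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
}
Get-HardeningState
```

After the reboot, Get-HardeningState should show 2 for both source routing values, "MLD Level : None" on both stacks, both services Stopped, Listening1900 False, Smb1Feature Disabled and Smb1Server False. Keep the function around: it is the quick check to run again after a feature update, which can re-enable services.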