Setup Idea Reduce Attack Surface: Eliminate Unneeded Network Protocols

Last updated
Jul 10, 2023
How it's used?
For home and private use
Operating system
Windows 11
On-device encryption
BitLocker Device Encryption for Windows
Log-in security
    • Hardware security key
    • Biometrics (Windows Hello PIN, TouchID, Face, Iris, Fingerprint)
    • Basic account password (insecure)
Security updates
Allow security updates and latest features
Update channels
Allow stable updates only
User Access Control
Always notify
Smart App Control
On
Network firewall
Enabled
Real-time security
n/a
Firewall security
Microsoft Defender Firewall
About custom security
n/a
Periodic malware scanners
n/a
Malware sample testing
I do not participate in malware testing
Environment for malware testing
n/a
Browser(s) and extensions
n/a
Secure DNS
9.9.9.9, 1.1.1.1
Desktop VPN
n/a
Password manager
n/a
File and Photo backup
n/a
System recovery
n/a
Risk factors
    • Browsing to popular websites
    • Browsing the dark web
    • Working from home
    • Making audio/video calls
    • Buying from online stores, entering banks card details
    • Logging into my bank account
    • Downloading software and files from reputable sites
    • Downloading software and files from unknown / untrusted / shady sites
    • Sharing and receiving files and torrents
    • Streaming audio/video content from trusted sites or paid subscriptions
    • Streaming audio/video content from shady sites
Computer specs
n/a
Recommended for
  1. All types of users

Victor M

Level 8
Thread author
Verified
Well-known
Oct 3, 2022
380
Network protocols are grammar rules for bits and bytes to communicate with their counterpart programs on another PC. And each has weaknesses. So unless your environment requires that a protocol must be used, we will want to disable all except the bare essentials. More protocols mean a larger attack surface.

The only protocols you really need are IPv4 and IPv6. IPv6 is optional. Since the creation of NAT routers, companies and governments can now place their machines in private IP ranges (192.168.x.x, 172.16-32.x.x, 10.x.x.x), which are not internet routable. IPv6 is still not very popular, so it is an optional protocol.

NetBIOS over TCP/IP is not required because NetBIOS is already active without this option. Disabling NetBIOS over TCP/IP will limit NetBIOS traffic to the local subnet.

The Discovery protocols are used to provide a nice graphical map of your network. For home users, this is not needed, as there is only one router. You would only get to see a picture depicting your PCs connected to your router. For Domain users, this feature is automatically turned off once you join the domain.

File and Printer Sharing should only be enabled if you plan to share some of your folders on the network or if you want to share your locally connected printer over the network. If printer sharing is desired, it is better to get a printer that has networking built in, so that when attacked, they only gain access to a printer instead of your PC. Disable this feature unless absolutely required.

Client for MS Networks is the client part of File and Printer Sharing. It also talks to Windows Servers. This is not needed if you don't map drives to other PCs' shared folders.

Go to Settings > Network & Internet > Advanced network settings > More network adapter options, and set up both the Ethernet and the Wi-Fi adapter.

Uncheck the following:

Client for MS Networks
File and Printer Sharing for Microsoft Networks
QoS Packet Scheduler
Microsoft Network Adapter Multiplexor Protocol
Microsoft LLDP Protocol Driver
Link Layer Topology Discovery Mapper IO Driver
Link Layer Topology Discovery Responder
Internet Protocol Version 6 (TCP/IPv6), if your ISP doesn't support it

Select 'Internet Protocol Version 4 (TCP/IPv4)', click Properties, click Advanced,

click the 'DNS' tab, uncheck 'Register this connection's addresses in DNS'
click the 'WINS' tab, select 'Disable NetBIOS over TCP/IP'
click the 'WINS' tab, uncheck 'Enable LMHOSTS lookup'


There were several interim IPv4 to IPv6 tunneling technologies (6to4, ISATAP, and Direct Tunnel), but they have all been disabled now. These interim tunneling technologies are bad, in that they cannot be inspected by your hardware firewall.

Run 'Regedit'.
Under the registry key HKLM\SYSTEM\CurrentControlSet\Services\tcpip6\Parameters
right-click in the right pane, create a new entry of type DWORD (32-bit) called DisabledComponents,
then double-click it and enter one of the following:

0xFF to disable all IPv6 components, except the IPv6 loopback interface, which can't be deactivated.

0x01 to disable only the IPv6 tunnel interfaces. These include Intra-Site Automatic Tunnel Addressing Protocol (ISATAP), 6to4, and Teredo. If you have an IPv6 router, this is the one you want.

Note that the value 0 is the default setting.


=======================================================================================================
TLS 1.3, the new security protocol for HTTPS should be made the default.

Open RegEdit, go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\
Make a new key: "TLS 1.3"
Make a new item: "DisabledByDefault"=dword:00000000
Make a new item: "Enabled"=dword:00000001

=======================================================================================================

Disable IGMP

I have never seen this protocol used. When something is unused, it should be disabled.

Right click Start and select Terminal as Admin, and paste in this command:
Netsh interface ipv4 set global mldlevel=none

========================================================================================================

Disable Source Routing

TCP/IPv4 has a feature that allows an attacker to specify the exact path a packet will take to reach its destination. It is seldom used and could allow an attacker to map out a network or reach machines which are normally out of reach from the internet. This is undesirable and can allow the attacker to reach, for example, your SIEM.

Open regedit and go to this address: HKLM\System\CurrentControlSet\Services\TCPIP\Parameters, make a DWORD named DisableIPSourceRouting and set it to 1.

========================================================================================================

Disable port 1900 UPnP

The intention of UPnP is ease of configuration, so such things as games can auto-configure the firewall to let other players from the internet join in. However, with users each poking holes into your firewall with UPnP, pretty soon it will be Swiss cheese and cease to function as a firewall. It is better to configure firewall rules manually so that each firewall rule is known and accounted for. If your hardware firewall or router has an option to disable UPnP, do so.

Run Regedit and go to:

HKLM\Software\Microsoft\DirectplayNATHelp\DPNHUPnP

right-click in the right pane, create a new DWORD (32-bit) named UPnPMode,

double-click it and set the value to 2.

==========================================================================================================

Disable SMB 1 protocol

SMB is the protocol used for file sharing. There are 3 versions. Version 1 is the oldest one, and was abused by the WannaCry ransomware. Versions 2 and 3 are combined, and deemed safe. However, unless used, it is recommended you disable the protocols.

Right-click Start and click on Windows Terminal (Admin). Then type in the following:

Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
 
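The steps in the post above, collected into one script, as an added example that is not part of the original post. It assumes Windows 11 with only the built-in NetAdapter, DnsClient, NetTCPIP, SmbShare and DISM modules, physical adapters only, and an elevated session. The per-interface NetbiosOptions registry value and the SSDP Discovery service (SSDPSRV) are assumed here as the scriptable counterparts of the WINS-tab checkbox and the port 1900 setting; DisableIPSourceRouting is written as 2, the value the thread settles on further down, and the Tcpip6 copy of it is an addition.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Applies the adapter-binding, NetBIOS,
# IPv6-tunnel, IGMP, source-routing, UPnP and SMB1 steps above in one pass and
# prints the resulting state so the change can be checked. Assumes Windows 11,
# built-in modules only, and that $Bindings matches what you want disabled.
$ErrorActionPreference = 'Stop'

function Set-RegDword([string]$Path, [string]$Name, [int]$Value) {
    # Creates the key and value if missing, overwrites if present.
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# Component IDs behind the checkboxes in the adapter's Properties dialog.
$Bindings = @(
    'ms_msclient',  # Client for Microsoft Networks
    'ms_server',    # File and Printer Sharing for Microsoft Networks
    'ms_pacer',     # QoS Packet Scheduler
    'ms_implat',    # Microsoft Network Adapter Multiplexor Protocol
    'ms_lldp',      # Microsoft LLDP Protocol Driver
    'ms_lltdio',    # Link-Layer Topology Discovery Mapper I/O Driver
    'ms_rspndr'     # Link-Layer Topology Discovery Responder
)
# Add 'ms_tcpip6' to $Bindings only if your ISP gives you no IPv6.

# Physical adapters only (Ethernet and Wi-Fi); virtual and VPN adapters are left alone.
$Adapters = Get-NetAdapter -Physical

foreach ($nic in $Adapters) {
    foreach ($id in $Bindings) {
        # SilentlyContinue: not every component is bound to every adapter.
        Disable-NetAdapterBinding -Name $nic.Name -ComponentID $id -ErrorAction SilentlyContinue
    }
    # DNS tab: 'Register this connection's addresses in DNS'
    Set-DnsClient -InterfaceIndex $nic.ifIndex -RegisterThisConnectionsAddress $false
}

# WINS tab: 'Disable NetBIOS over TCP/IP' is NetbiosOptions = 2 on every interface key.
$NetBT = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
Get-ChildItem "$NetBT\Interfaces" | ForEach-Object {
    Set-RegDword -Path $_.PSPath -Name 'NetbiosOptions' -Value 2
}
# WINS tab: 'Enable LMHOSTS lookup' (global)
Set-RegDword -Path $NetBT -Name 'EnableLMHOSTS' -Value 0

# IPv6: 0x01 disables the 6to4/ISATAP/Teredo tunnel interfaces but keeps native IPv6.
Set-RegDword -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters' -Name 'DisabledComponents' -Value 0x01

# IGMP: the cmdlet form of the post's 'netsh interface ipv4 set global mldlevel=none'.
Set-NetIPv4Protocol -MldLevel None

# Source routing: 2 = drop source-routed packets (the value the thread settles on).
# The Tcpip6 line is an addition: same setting for IPv6.
Set-RegDword -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'  -Name 'DisableIPSourceRouting' -Value 2
Set-RegDword -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters' -Name 'DisableIPSourceRouting' -Value 2

# UPnP: the DirectPlay value from the post, plus (addition) the SSDP Discovery
# service, which is what listens on UDP 1900 on a Windows client.
Set-RegDword -Path 'HKLM:\SOFTWARE\Microsoft\DirectplayNATHelp\DPNHUPnP' -Name 'UPnPMode' -Value 2
Stop-Service -Name 'SSDPSRV' -Force -ErrorAction SilentlyContinue
Set-Service  -Name 'SSDPSRV' -StartupType Disabled

# SMB1: remove the optional feature and make the server side refuse SMB1 as well.
Disable-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol' -NoRestart | Out-Null
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# What is still bound, and the protocol-level state, for review.
foreach ($nic in $Adapters) {
    "`n== $($nic.Name): bindings still enabled =="
    Get-NetAdapterBinding -Name $nic.Name | Where-Object Enabled | Select-Object DisplayName, ComponentID
}
Get-NetIPv4Protocol | Select-Object MldLevel
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol, EnableSMB2Protocol
```

Run it from an elevated Windows Terminal and reboot afterwards; the NetBT and Tcpip registry values are read at driver start, so the dialog will show the new state before it is actually in effect. The binding list is the part to review before running: removing ms_server on a machine that really does share a printer is the one change here that breaks something visible.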
ForgottenSeer 97327

Thanks for your tips. I am a fan of less is more.

I had played with network hardening a little using MS group policy info. Based on this info I had set DisableIPSourceRouting to 2.
Since you are the expert, could you post your thoughts on setting it to 2 instead of 1?
 
ForgottenSeer 97327

@Victor M

Additionally, I applied the following hardening, again based on the GPO info. What are your thoughts on these tweaks?


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"EnableICMPRedirect"=dword:00000000
"PerformRouterDiscovery"=dword:00000000
"SynAttackProtect"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSEC]
"NoDefaultExempt"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt\Parameters]
"NoNameReleaseOnDemand"=dword:00000001

Thanks in advance for sharing your knowledge.
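A drift check over the registry values named in the two posts above, as an added example that is not from either post. It assumes Windows 11; the key paths and expected values are the ones listed in the thread, with DisableIPSourceRouting = 2 as in the GPO-based setting and the IPv6 DisabledComponents and EnableLMHOSTS values from the first post. The -Apply switch is a hypothetical addition for writing the values back; without it the script only reports.

```powershell
# Added example, not from the original posts. Compares each registry value named
# in the thread with its hardened value and reports OK / DRIFT / MISSING, so a
# feature update or a well-meaning installer that resets one is noticed.
# -Apply rewrites the non-OK values (needs elevation); reading needs none.
param([switch]$Apply)

$Tcpip  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$Tcpip6 = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
$NetBT  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
$IPsec  = 'HKLM:\SYSTEM\CurrentControlSet\Services\IPSEC'

# Expected state, taken from the posts above (DisableIPSourceRouting = 2 per the GPO value).
$Expected = @(
    @{ Path = $Tcpip;  Name = 'DisableIPSourceRouting'; Value = 2 }
    @{ Path = $Tcpip;  Name = 'EnableICMPRedirect';     Value = 0 }
    @{ Path = $Tcpip;  Name = 'PerformRouterDiscovery'; Value = 0 }
    @{ Path = $Tcpip;  Name = 'SynAttackProtect';       Value = 1 }
    @{ Path = $Tcpip6; Name = 'DisabledComponents';     Value = 1 }
    @{ Path = $NetBT;  Name = 'EnableLMHOSTS';          Value = 0 }
    @{ Path = $NetBT;  Name = 'NoNameReleaseOnDemand';  Value = 1 }
    @{ Path = $IPsec;  Name = 'NoDefaultExempt';        Value = 3 }
)

function Test-HardeningValue {
    param([string]$Path, [string]$Name, [int]$Value)
    $actual = $null
    if (Test-Path $Path) {
        # -ErrorAction SilentlyContinue: a value that was never created is reported as MISSING, not as an error.
        $actual = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    }
    [pscustomobject]@{
        Key      = "$($Path -replace '^HKLM:\\SYSTEM\\CurrentControlSet\\Services\\', '')\$Name"
        Expected = $Value
        Actual   = $actual
        Status   = if ($null -eq $actual) { 'MISSING' } elseif ($actual -eq $Value) { 'OK' } else { 'DRIFT' }
    }
}

$drift  = 0
$report = foreach ($e in $Expected) {
    $r = Test-HardeningValue @e
    if ($r.Status -ne 'OK') {
        $drift++
        if ($Apply) {
            if (-not (Test-Path $e.Path)) { New-Item -Path $e.Path -Force | Out-Null }
            New-ItemProperty -Path $e.Path -Name $e.Name -Value $e.Value -PropertyType DWord -Force | Out-Null
            $r.Status += ' -> FIXED'
        }
    }
    $r
}

$report | Format-Table -AutoSize

if ($drift -and -not $Apply) {
    Write-Warning "$drift value(s) differ from the hardened state; re-run with -Apply to set them (reboot afterwards)."
    exit 1
}
```

Scheduling this as a read-only task and alerting on a non-zero exit code turns the thread's one-off registry tweaks into something you can actually verify after each Windows update; the Tcpip and NetBT values only take effect at boot, so a FIXED line means the next reboot, not the current session.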
 

Victor M

Level 8
Thread author
Verified
Well-known
Oct 3, 2022
380
Hi @Max90

I stand corrected. It seems that DisableIPSourceRouting should be set to 2.

I did not know about these settings:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"EnableICMPRedirect"=dword:00000000
"PerformRouterDiscovery"=dword:00000000
"SynAttackProtect"=dword:00000001

Thanks for your info. Much appreciated.

IPSEC network encryption has to be set up in order to use it. It requires a pre-shared key (password) or machine certificates. Machine certificates will require a public key infrastructure (PKI), which is beyond most home users' capability. And a pre-shared key is considered insecure.

Netbt is NetBIOS over TCP/IP, which is disabled at Settings > Network & Internet > Advanced network settings > More network adapter options for each adapter. But defense in depth is always best, and I thank you for your info.
 
ForgottenSeer 97327

Thanks for your reply. I understand that only the first three are useful for home situations. As posted, I am just an enthusiastic amateur who had found a network hardening guide of a governmental organization. I did not use baseline settings which I did not understand. I had already applied half of your hardening tips. I have now implemented most (e.g. no encryption on my desktop).

Thank you very much for this guide and your explanation. I am a fan of less is more. Much appreciated.
 

Victor M

Level 8
Thread author
Verified
Well-known
Oct 3, 2022
380
I did not use baseline settings which I did not understand
I assume you are talking about the MS Windows Security Baseline for 22H2. You can do a drive image, apply the Baseline Policy. Open GPEdit and filter for Configured items. Then you will see exactly what MS configured. And using the drive image you can back out of the changes if you don't like them.
 
