From e747ee5cbc7cf5f0fe28a87fe7d02457d777373e Mon Sep 17 00:00:00 2001
From: undergroundwires
Date: Thu, 7 Dec 2023 12:59:37 +0100
Subject: [PATCH] win: document and discourage admin shares #249
- Reduce recommendation level from "Standard" to "Strict" due to its potential breaking behavior.
- Add detailed documentation.
- Simplify script title for broader accessibility while maintaining technical accuracy.
- Note potential impact on remote system management in the script title.
- Adjust revert code align with recent Windows OS version.
---
 src/application/collections/windows.yaml | 41 ++++++++++++++++++++----
 1 file changed, 34 insertions(+), 7 deletions(-)
diff --git a/src/application/collections/windows.yaml b/src/application/collections/windows.yaml
index e20979ae..c366fe47 100644
--- a/src/application/collections/windows.yaml
+++ b/src/application/collections/windows.yaml
@@ -4249,7 +4249,7 @@ actions:
 serviceName: gupdatem # Check: (Get-Service -Name gupdatem).StartType
 defaultStartupMode: Automatic # Allowed values: Automatic | Manual
 -
- name: Disable Google automatic updates scheduled tasks (may break Google Credential Provider)
+ name: Disable Google automatic updates scheduled tasks (breaks Google Credential Provider)
 recommend: strict
 docs: |-
 This script disables the scheduled tasks used by Google to automatically update its software on Windows.
@@ -4611,6 +4611,38 @@ actions:
 This category encompasses a range of scripts designed to improve the security of your system by enforcing security best practices.
 These scripts help protect your system against various types of cyber threats and unauthorized access.
 children:
+ -
+ name: Disable hidden remote file access via administrative shares (breaks remote system management software)
+ recommend: strict
+ docs: |-
+ This script improves your privacy and security by disabling Windows administrative shares,
+ which are typically used for remote access to your computer's file system.
+
+ Windows automatically creates hidden administrative shares, such as `C$` and `D$`, that allow system administrators remote access to
+ every disk volume on your computer [1] [2]. These shares are often targeted as potential attack vectors [3].
+
+ Disabling administrative shares is generally a good practice for enhancing security. It is recommended by various security standards
+ and compliance frameworks, including some government standards [3], PCI-DSS [4], and CIS [2]. It reduces the system's vulnerability
+ to unauthorized remote access.
+
+ These shares are often used for system administrators to perform tasks like software installation and vulnerability scanning
+ remotely [1]. Disabling them may limit remote management capabilities. This might require setting up network shares manually
+ for specific folders or drives, which is more secure but requires additional effort.
+
+ Some software, such as Microsoft Systems Management Server (SMS) [2], Microsoft Operations Manager [2], Microsoft PsTools [5],
+ and certain third-party network backup applications [2], rely on administrative shares. Therefore, disabling these shares could
+ disrupt their functionality.
+
+ > **Caution**: Disabling administrative shares can impact remote management software and may interrupt the ability to remotely control
+ > machines.
Consider your operational and security needs before making this change.
+
+ [1]: https://web.archive.org/web/20230831114315/https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/remove-administrative-shares "Remove administrative shares - Windows Server | Microsoft Learn | learn.microsoft.com"
+ [2]: https://web.archive.org/web/20231206152703/http://www.itref.ir/uploads/editor/1edad0.pdf "CIS Microsoft Windows 8 Benchmark | itref.ir"
+ [3]: https://web.archive.org/web/20230831124304/https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/Downloads/Business-Partner-System-Security-Manual-BPSSM.pdf "CMS Manual System | Pub 100-17 Medicare Business Partners | Department of Health & Human Services (DHHS) & Centers for Medicare & Medicaid Services (CMS) | cms.gov"
+ [4]: https://web.archive.org/web/20230831124324/https://www.unifiedcompliance.com/products/search-authority-documents/authority-document/1071/ "Payment Card Organizations > PCI Security Standards Council | Unified Compliance | www.unifiedcompliance.com"
+ [5]: https://github.com/undergroundwires/privacy.sexy/issues/249 "Disabling administrative shares breaks PsTools | undergroundwires/privacy.sexy | github.com"
+ code: reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "AutoShareWks" /t REG_DWORD /d 0 /f
+ revertCode: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "AutoShareWks" /f # Key does not exist since Windows 11 22H2
 -
 category: Enable protection against Meltdown and Spectre
 docs: https://support.microsoft.com/en-us/help/4072698/windows-server-speculative-execution-side-channel-vulnerabilities-prot
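Review bot: The new `docs` block never says when the change takes effect: `AutoShareWks` only controls whether the Server service creates the administrative shares when it starts, so shares that already exist stay reachable until the Server (LanmanServer) service is restarted or the machine reboots, and the same delay applies after `revertCode`. I would add a line to the docs such as `Restart the Server service or reboot for the shares to be removed (and, after reverting, to be recreated).` Two smaller caveats are worth a sentence each: as far as I can tell the value affects only the automatically created drive-letter and `ADMIN$` shares, not `IPC$`, and an account that already holds local administrator rights can share a folder again, so this reduces default exposure rather than protecting against a compromised admin account. Finally, the trailing comment on `revertCode`, `# Key does not exist since Windows 11 22H2`, describes the `AutoShareWks` value rather than the key, and `reg delete` exits non-zero when the value is absent, so I would reword it to `# Value is absent by default since Windows 11 22H2, so deleting it restores the default`.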
@@ -4632,12 +4664,7 @@ actions:
 name: Mitigate Spectre Variant 2 and Meltdown in Hyper-V
 code: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f
 revertCode: reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /f
- -
- name: Disable administrative shares
- recommend: standard
- code: reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "AutoShareWks" /t REG_DWORD /d 0 /f
- revertCode: reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "AutoShareWks" /t REG_DWORD /d 1 /f
- -
+ -
 name: Enable Data Execution Prevention (DEP)
 code: |-
 reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "NoDataExecutionPrevention" /t REG_DWORD /d 0 /f