Disable "Telnet Client" feature
This script disables the Telnet Client feature in Windows. The Telnet Client enables remote server connections. It is inherently insecure because it transmits all data, including sensitive credentials, in clear text without encryption. This lack of encryption makes it vulnerable to interception and misuse. Due to these security flaws, entities such as NIST, the Department of Defense and Microsoft recommend removing or disabling this feature. Although this feature is disabled by default in newer ...
Disable anonymous access to named pipes and shares
This script restricts anonymous access to Named Pipes and Shares. It reduces security risks by preventing unauthorized access. Named Pipes allow programs on a computer or network to communicate with each other. Anonymous access lets users connect to services without a username or password, increasing the risk of unauthorized access. The script configures the "HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters!restrictnullsessaccess" registry setting to control null session access, which ...
Disable anonymous enumeration of shares
This script disables the anonymous enumeration of shares to prevent unauthorized users from listing account names and shared resources, which could serve as a roadmap for attackers. It configures the "HKLM\SYSTEM\CurrentControlSet\Control\LSA!restrictanonymous" registry key to ensure that such enumeration is blocked, improving system security against potential breaches.
Disable basic authentication in WinRM
This script configures the Windows Remote Management (WinRM) client to disable basic authentication. Basic authentication is a security protocol where a user provides a username and password in plain text for verification. Disabling it improves security by preventing the interception and misuse of plain text passwords. The script achieves this by modifying the "HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client!AllowBasic" registry key. While WinRM clients do not use Basic authentication by default, this s...
Disable hidden remote file access via administrative shares (breaks remote system management software)
This script improves your privacy and security by disabling Windows administrative shares, which are typically used for remote access to your computer's file system. Windows automatically creates hidden administrative shares, such as "C$" and "D$", that allow system administrators remote access to every disk volume on your computer. These shares are often targeted as potential attack vectors. Disabling administrative shares is generally a good practice for enhancing security. It is recommended b...
Disable unauthorized user account discovery (anonymous SAM enumeration)
This script increases your system's security by preventing unauthorized users from seeing account names in the Security Accounts Manager (SAM). The Security Accounts Manager (SAM) is a database in Windows that stores user account information and is critical for user authentication processes. When account names are exposed, attackers might use them for guessing passwords or tricking people into revealing sensitive information. This is a security action recommended by organizations like the Depart...
Disable Windows Remote Assistance feature
This script disables the Windows Remote Assistance feature to improve your system's privacy and security. Windows Remote Assistance allows a third party to remotely access your PC. This capability, known as Solicited Remote Assistance, enables another user to view or take control of your computer. Disabling Remote Assistance improves security by: • Preventing others from remotely viewing or controlling your computer. • Reducing the risk of exploitation from RDP-related vulnerabilities. • Reducin...
Remove "RAS Connection Manager Administration Kit (CMAK)" capability
This script removes the "RAS Connection Manager Administration Kit (CMAK)" ("RasCMAK.Client") capability. CMAK is a tool that allows the creation of profiles for connecting to remote servers and networks. Though useful for remote connections, this capability might be unnecessary for many users. Removing it can simplify the system's network configuration and enhance security by reducing potential attack vectors. This capability is not included in the standard installation of Windows.