
84 docs tagged with "security-improvements"


Configure macOS Application Firewall

This category configures macOS using 5 scripts. These scripts are organized in 1 category. The category includes 3 subscripts and 1 subcategory that contains further scripts and categories.

Disable "Net.TCP Port Sharing" feature

This script disables the "Net.TCP Port Sharing" feature. This feature is part of Windows Communication Foundation (WCF). It lets multiple WCF applications share the same TCP port: a shared listener accepts incoming connections and routes each one to the appropriate application based on the destination address found in the message stream. This increases the system's attack surface: if the shared listener is compromised, attackers gain access to the applications behind it. When applications share the same port, more applications are exposed to network tra...

Disable "SMB Direct" feature

This script disables the "SMB Direct" feature. SMB Direct improves file transfer speeds across networks by using network adapters that are Remote Direct Memory Access (RDMA) capable. Although not inherently insecure, keeping unnecessary software installed increases the attack surface, especially if the underlying RDMA hardware or its driver has vulnerabilities. Overview of default feature statuses:
| Feature name | "SMB Direct" |
| Display name | SMB Direct |
| Description | ...

Disable "Telnet Client" feature

This script disables the Telnet Client feature in Windows. The Telnet Client enables remote server connections. It is inherently insecure because it transmits all data, including sensitive credentials, in clear text without encryption. This lack of encryption makes it vulnerable to interception and misuse. Due to these security flaws, entities such as NIST, Department of Defense and Microsoft recommend removing or disabling this feature. Although this feature is disabled by default in newer ...

Disable "TFTP Client" feature

This script disables the "TFTP Client" feature. The TFTP Client supports file transfers using the Trivial File Transfer Protocol (TFTP). TFTP protocol is insecure because it lacks authentication and encryption capabilities. This makes data transferred via TFTP vulnerable to eavesdropping and tampering. Although TFTP's simplicity can be advantageous in certain contexts, such as configuring network devices, its security risks generally outweigh these benefits. Disabling it helps mitigate the ris...
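The four entries above each disable one Windows optional feature. The following is an added example, not one of the page's scripts, that audits and disables them together from an elevated PowerShell session, and reports any name that does not exist on the current build instead of failing. The DISM feature names are assumptions (the page quotes only display names); the check against Get-WindowsOptionalFeature is what makes a wrong name harmless.

```powershell
# Added example, not the page's own script. Run elevated.
# DISM feature names below are assumed; a name absent from this build is reported, not guessed.
$features = @(
    'WCF-TCP-PortSharing45',   # "Net.TCP Port Sharing" (assumed DISM name)
    'SmbDirect',               # "SMB Direct" (assumed DISM name)
    'TelnetClient',            # "Telnet Client" (assumed DISM name)
    'TFTP'                     # "TFTP Client" (assumed DISM name)
)

function Get-FeatureReport {
    param([string[]]$Names)
    # One DISM query for all names; per-name lookups are slow.
    $all = Get-WindowsOptionalFeature -Online
    foreach ($name in $Names) {
        $f = $all | Where-Object FeatureName -eq $name
        [pscustomobject]@{
            FeatureName = $name
            Present     = [bool]$f
            State       = if ($f) { [string]$f.State } else { 'NotFound' }
        }
    }
}

function Disable-ListedFeatures {
    param([string[]]$Names, [switch]$WhatIf)
    foreach ($entry in Get-FeatureReport -Names $Names) {
        switch -Wildcard ($entry.State) {
            'NotFound'  { Write-Warning "$($entry.FeatureName): not a feature on this build, skipping" }
            'Disabled*' { Write-Host "$($entry.FeatureName): already $($entry.State)" }   # includes DisabledWithPayloadRemoved
            default {
                if ($WhatIf) {
                    Write-Host "Would disable $($entry.FeatureName) (state: $($entry.State))"
                } else {
                    # -NoRestart defers the reboot; RestartNeeded on the result says whether one is pending.
                    $r = Disable-WindowsOptionalFeature -Online -FeatureName $entry.FeatureName -NoRestart
                    Write-Host "$($entry.FeatureName): disabled, restart needed: $($r.RestartNeeded)"
                }
            }
        }
    }
}

Disable-ListedFeatures -Names $features -WhatIf    # dry run first
# Disable-ListedFeatures -Names $features          # apply
Get-FeatureReport -Names $features | Format-Table -AutoSize
```

Disable-WindowsOptionalFeature leaves the feature payload on disk, so re-enabling needs no media; add -Remove if the goal is to take the binaries off the system as well.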

Disable anonymous access to named pipes and shares

This script restricts anonymous access to Named Pipes and Shares. It reduces security risks by preventing unauthorized access. Named Pipes allow programs on a computer or network to communicate with each other. Anonymous access lets users connect to services without a username or password, increasing the risk of unauthorized access. It configures the "HKLM\\SYSTEM\\CurrentControlSet\\Services\\LanManServer\\Parameters!restrictnullsessaccess" registry setting to control null session access, which ...

Disable anonymous enumeration of shares

This script disables the anonymous enumeration of shares to prevent unauthorized users from listing account names and shared resources, which could serve as a roadmap for attackers. It configures the "HKLM\\SYSTEM\\CurrentControlSet\\Control\\LSA!restrictanonymous" registry key to ensure that such enumeration is blocked, improving system security against potential breaches.

Disable AutoPlay and AutoRun

This script configures Windows using Batch (batchfile). It can be restored. It runs ":: Set the registry value:...".

Disable background clipboard data collection ("cbdhsvc") (breaks clipboard history and sync)

This script disables "cbdhsvc", also known as "Clipboard User Service". This service is responsible for clipboard history and synchronization across devices. Microsoft acknowledges that disabling this service does not adversely affect the system's core functionality. Disabling this service enhances your security by reducing your system's attack surface. This service has historically been affected by vulnerabilities, including privilege escalation flaws. Turning off "cbdhsvc" also h...

Disable basic authentication in WinRM

This script configures the Windows Remote Management (WinRM) client to disable basic authentication. Basic authentication is an HTTP authentication scheme in which the client sends the username and password merely Base64-encoded, which is clear text to anyone who can read the connection unless it is wrapped in HTTPS. Disabling it prevents the interception and misuse of such passwords. The script achieves this by modifying the "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Client!AllowBasic" registry key. While WinRM clients do not use Basic authentication by default, this s...

Disable captive portal detection

This script enhances your privacy and security by disabling automatic detection of captive portals, preventing unintended network connections. However, this change requires users to manually open a web browser to access such networks. Overview of captive portals - Captive portals are also known as subscription or Wi-Fi Hotspot networks. These are common in public places like coffee shops, hotels, and airports. These portals redirect users to specific webpages where they must log in. Typicall...

Disable clipboard data collection

This category includes scripts that focus on disabling various aspects of clipboard data collection in Windows. The clipboard is a critical component of the operating system, often containing sensitive data such as usernames, passwords, and other personal information. However, features such as clipboard history and device synchronization can significantly increase privacy and security risks. By default, Windows tends to store clipboard data in an unencrypted format, making it easily accessible t...

Disable clipboard history

This script deactivates the clipboard history feature in Windows, a feature that is enabled by default. Regularly, users copy sensitive data such as usernames and passwords to their clipboard, making clipboard history valuable to attackers for gathering information for post-exploitation activities like lateral movement. Microsoft introduced clipboard history in the Windows 10 October 2018 Update, offering enhanced functionality, including multi-device sync and customizable history management. De...

Disable Cloud Clipboard (breaks clipboard sync)

This script disables the Cloud Clipboard feature, also known as the cross-device clipboard. The Cloud Clipboard, introduced in the Windows 10 October 2018 Update, synchronizes clipboard contents across Windows devices. While this feature enhances usability, it can pose a privacy risk as sensitive information like passwords or credit card details might be inadvertently synchronized and stored on Microsoft servers. Disabling Cloud Clipboard is recommended in secure environments where clipboard dat...
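The three clipboard entries on this page ("cbdhsvc", clipboard history, Cloud Clipboard) map to one service and two machine policies. The block below is an added example, not the page's own scripts, and shows the detail a practitioner trips over: cbdhsvc is a per-user service, so each logged-on user gets an instance named cbdhsvc_<suffix> created from the template key under HKLM\SYSTEM\CurrentControlSet\Services\cbdhsvc; stopping an instance is temporary, and only Start=4 on the template stops new instances. The policy value names (AllowClipboardHistory, AllowCrossDeviceClipboard) are assumed from the Group Policy templates; the page does not quote them.

```powershell
# Added example, not the page's own script. Run elevated.
# Policy value names are assumed from the Group Policy templates, not quoted on the page.
$template = 'HKLM:\SYSTEM\CurrentControlSet\Services\cbdhsvc'      # template key for per-user instances
$policy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'

function Get-ClipboardReport {
    $start = (Get-ItemProperty -Path $template -Name Start -ErrorAction SilentlyContinue).Start
    [pscustomobject]@{
        # Start: 2 = automatic, 3 = manual (on demand), 4 = disabled
        TemplateStart = $start
        # Running per-user instances; these are recreated at logon from the template.
        Instances     = @(Get-Service -Name 'cbdhsvc_*' -ErrorAction SilentlyContinue |
                          ForEach-Object { "$($_.Name)=$($_.Status)" }) -join ', '
        HistoryPolicy = (Get-ItemProperty -Path $policy -Name AllowClipboardHistory     -ErrorAction SilentlyContinue).AllowClipboardHistory
        SyncPolicy    = (Get-ItemProperty -Path $policy -Name AllowCrossDeviceClipboard -ErrorAction SilentlyContinue).AllowCrossDeviceClipboard
    }
}

function Disable-ClipboardCollection {
    # Policies alone turn history and cross-device sync off while leaving the service
    # available; -IncludeService also disables the service template (breaks both features).
    param([switch]$IncludeService)
    if (-not (Test-Path $policy)) { New-Item -Path $policy -Force | Out-Null }
    Set-ItemProperty -Path $policy -Name 'AllowClipboardHistory'     -Value 0 -Type DWord
    Set-ItemProperty -Path $policy -Name 'AllowCrossDeviceClipboard' -Value 0 -Type DWord
    if ($IncludeService) {
        Set-ItemProperty -Path $template -Name 'Start' -Value 4 -Type DWord
        # Stop the instances that already exist; with Start=4 on the template, no new ones appear at next logon.
        Get-Service -Name 'cbdhsvc_*' -ErrorAction SilentlyContinue |
            Stop-Service -Force -ErrorAction SilentlyContinue
    }
}

Get-ClipboardReport
# Disable-ClipboardCollection -IncludeService
Get-ClipboardReport
```

Note that Set-Service -StartupType Disabled on a cbdhsvc_xxxxx instance only affects that instance; the next logon creates a fresh one from the template, which is why the template key is the value to set.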

Disable hidden remote file access via administrative shares (breaks remote system management software)

This script improves your privacy and security by disabling Windows administrative shares, which are typically used for remote access to your computer's file system. Windows automatically creates hidden administrative shares, such as "C$" and "D$", that allow system administrators remote access to every disk volume on your computer. These shares are often targeted as potential attack vectors. Disabling administrative shares is generally a good practice for enhancing security. It is recommended b...

Disable insecure "DES" cipher

This script disables the "DES 56/56" cipher, also known as DES 56 or 56-bit DES. This script only affects the SSL/TLS handshake process. The SSL/TLS handshake is a key part of establishing a secure connection over the internet. By disabling this weak algorithm, the script improves the security of the connection. Authorities like Microsoft, NIST (FIPS), CIS, Federal Office for Information Security (BSI), OWASP, and NSA (National Security Agency) consider this cipher weak and either discou...

Disable insecure "DTLS 1.0" protocol

This script disables the DTLS 1.0 protocol. This protocol is identified as "DTLS 1.0" on Windows. It is enabled by default. DTLS (Datagram Transport Layer Security) provides secure communication over the UDP protocol. Based on the TLS protocol, DTLS offers equivalent security measures. Common uses include online gaming, DNS lookups, and VPN services. It is considered insecure and has been deprecated by Microsoft due to its vulnerabilities. It's based on TLS 1.1, which is also deprecated and in...

Disable insecure "LM & NTLM" protocols

This script improves security by setting the LanMan authentication level to send NTLMv2 responses only, refusing LM and NTLM, which are older and less secure methods. While Kerberos v5 is the default authentication protocol for domain accounts, NTLM is still used for compatibility with older systems and for authenticating logons to standalone computers. The script modifies the "HKLM\\System\\CurrentControlSet\\Control\\Lsa!LmCompatibilityLevel" registry key to enforce this security measure.

Disable insecure "MD5" hash

This script disables the use of the "MD5" hash algorithm during the SSL/TLS handshake process. This script only affects the SSL/TLS handshake process. The SSL/TLS handshake is a key part of establishing a secure connection over the internet. By disabling this weak algorithm, the script improves the security of the connection. This algorithm is vulnerable to collision attacks. This vulnerability enables attackers to spoof content, perform phishing, or execute man-in-the-middle attacks. Conseq...

Disable insecure "NetBios" protocol

This script enhances your network's security by turning off NetBIOS over TCP/IP for all network interfaces. NetBIOS is a protocol primarily used for backward compatibility with older Windows systems. NetBIOS and LLMNR are susceptible to hacking techniques like spoofing and man-in-the-middle attacks, risking your credentials and unauthorized network access. NetBIOS was initially created for communication between applications in small networks. Its lack of authentication makes it easy for attacker...
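NetBIOS over TCP/IP is a per-interface setting: each adapter has its own NetbiosOptions value under NetBT\Parameters\Interfaces\Tcpip_{<adapter GUID>}, and an adapter added later (VPN, USB NIC) arrives with the default, so a one-off change silently regresses. The block below is an added example, not the page's script, that reports and disables NetBIOS on every interface, applies it to live adapters through WMI so no reboot is needed, and turns off LLMNR, which the entry above names alongside NetBIOS. The LLMNR policy value (EnableMulticast under the DNSClient policy key) is assumed from the Group Policy template, not quoted on this page.

```powershell
# Added example, not the page's own script. Run elevated.
$netbtIf = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'

function Get-NetbiosReport {
    # NetbiosOptions: 0 = use DHCP setting (default, effectively on), 1 = enabled, 2 = disabled
    Get-ChildItem -Path $netbtIf | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            Interface      = $_.PSChildName
            NetbiosOptions = $p.NetbiosOptions
            Effective      = $(switch ($p.NetbiosOptions) { 2 { 'disabled' } 1 { 'enabled' } default { 'DHCP/default (on)' } })
        }
    }
}

function Disable-NetbiosOnAllInterfaces {
    # Registry: persists and covers adapters that are not IP-enabled right now.
    Get-ChildItem -Path $netbtIf | ForEach-Object {
        Set-ItemProperty -Path $_.PSPath -Name 'NetbiosOptions' -Value 2 -Type DWord
    }
    # WMI: applies to the currently configured adapters without a reboot.
    Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios `
                -Arguments @{ TcpipNetbiosOptions = [uint32]2 } | Out-Null
        }
}

function Disable-Llmnr {
    # Assumed policy location (Computer Configuration > ... > DNS Client > Turn off multicast name resolution).
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    if (-not (Test-Path $pol)) { New-Item -Path $pol -Force | Out-Null }
    Set-ItemProperty -Path $pol -Name 'EnableMulticast' -Value 0 -Type DWord
}

Get-NetbiosReport | Format-Table -AutoSize
# Disable-NetbiosOnAllInterfaces; Disable-Llmnr
# Afterwards, confirm nothing listens on the NetBIOS ports (137/138 UDP, 139 TCP):
Get-NetUDPEndpoint | Where-Object LocalPort -in @(137, 138)
Get-NetTCPConnection -State Listen | Where-Object LocalPort -eq 139
```

On a domain, push the same two settings by Group Policy (or a DHCP option 001 "Microsoft Disable NetBIOS" scope setting) rather than relying on a local run, for the new-adapter reason above.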

Disable insecure "NULL" cipher

This script disables the "NULL" cipher. This script only affects the SSL/TLS handshake process. The SSL/TLS handshake is a key part of establishing a secure connection over the internet. By disabling this weak algorithm, the script improves the security of the connection. This algorithm provides no encryption, leaving data completely unprotected. Authorities like Microsoft, NIST (FIPS), CIS, and Federal Office for Information Security (BSI), NSA (National Security Agency) classify this algor...

Disable insecure "RC2" ciphers

This script disables RC2 ciphers. This script only affects the SSL/TLS handshake process. The SSL/TLS handshake is a key part of establishing a secure connection over the internet. By disabling this weak algorithm, the script improves the security of the connection. Authorities like Microsoft, NIST (FIPS), CIS, Federal Office for Information Security (BSI), OWASP, and NSA (National Security Agency) classify this algorithm as weak and recommend against its use. By disabling RC2, the script en...

Disable insecure "RC4" ciphers

This script disables the RC4 ciphers. This script only affects the SSL/TLS handshake process. The SSL/TLS handshake is a key part of establishing a secure connection over the internet. By disabling this weak algorithm, the script improves the security of the connection. Authorities like Microsoft, NIST (FIPS), CIS, Federal Office for Information Security (BSI), OWASP, and NSA (National Security Agency) classify this algorithm as weak and recommend against its use. This script disables these ...

Disable insecure "SHA-1" hash

This script disables "SHA" hash algorithm, also known as Secure Hash Algorithm (SHA-1). This script only affects the SSL/TLS handshake process. The SSL/TLS handshake is a key part of establishing a secure connection over the internet. By disabling this weak algorithm, the script improves the security of the connection. This algorithm is vulnerable to collision attacks. This vulnerability enables attackers to spoof content, perform phishing, or execute man-in-the-middle attacks. Consequentl...

Disable insecure "SMBv1" protocol

This script improves network security by disabling the outdated SMBv1 protocol. SMBv1, or Server Message Block version 1, is an outdated network protocol developed for file and printer sharing across networks. This protocol is well-known for its vulnerabilities to cyber attacks. Microsoft deprecated SMBv1 in 2014. Since 2007, newer and more secure versions of this protocol have replaced SMBv1 in modern versions of Windows. It is still enabled by default in older Windows versions. Microso...
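Before removing SMBv1 it is worth learning who still depends on it, since the break is otherwise discovered by a printer, scanner or old NAS that stops working. The block below is an added example, not the page's script: it switches on Windows' built-in SMB1 access auditing, summarises the audited clients from event ID 3000 in the Microsoft-Windows-SMBServer/Audit log, and only then disables the protocol on both the server and client side. The regular expression assumes the audit message carries a "Client Address:" line, which is how that event is worded on current builds.

```powershell
# Added example, not the page's own script. Run elevated; the feature removal needs a reboot.

function Enable-Smb1Audit {
    # Logs every SMB1 session as event 3000 in Microsoft-Windows-SMBServer/Audit.
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
}

function Get-Smb1Clients {
    # Summarise which client addresses used SMB1 since the audit was enabled.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Assumed message shape: "SMB1 access ... Client Address: 10.0.0.5"
            if ($_.Message -match 'Client Address:\s*(?<addr>\S+)') { $Matches['addr'] }
        } |
        Group-Object | Sort-Object Count -Descending |
        Select-Object @{ n = 'ClientAddress'; e = { $_.Name } }, Count
}

function Get-Smb1State {
    $cfg = Get-SmbServerConfiguration
    [pscustomobject]@{
        ServerEnabled = $cfg.EnableSMB1Protocol
        AuditEnabled  = $cfg.AuditSmb1Access
        # Optional-feature halves (Windows 10 1709+ / Server 2016+); absent on older builds.
        ClientFeature = (Get-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol-Client').State
        ServerFeature = (Get-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol-Server').State
    }
}

function Disable-Smb1 {
    # The server switch takes effect immediately; removing the feature also unloads the
    # client driver (mrxsmb10) so this host cannot *initiate* SMB1 either, after a reboot.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol' -NoRestart | Out-Null
}

Get-Smb1State
Enable-Smb1Audit
# ... leave the audit running for a representative period ...
Get-Smb1Clients | Format-Table -AutoSize
# Disable-Smb1   # once every audited client is migrated or accounted for
```

The client side matters as much as the server side: a host whose SMB1 client is still loaded can be lured into an SMB1 session by an attacker-controlled share, which is the path the well-known SMBv1 worms used.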

Disable insecure "SSL 2.0" protocol

This script disables the SSL 2.0 protocol. This protocol is identified as "SSL 2.0" on Windows, and also known as SSL2. Modern Windows systems no longer include SSL 2.0 due to its security flaws. It was previously enabled by default, posing significant security risks from well-known vulnerabilities. Authorities like NIST (FIPS), NSA (National Security Agency), PCI Security Standards Council, IETF, and Federal Office for Information Security (BSI) recommend disabling this insecure and obsolete ...

Disable insecure "SSL 3.0" protocol

This script disables the SSL 3.0. This protocol is identified as "SSL 3.0" on Windows, and also known as SSL3 or SSLv3. Modern Windows systems disable SSL 3.0 by default due to its security flaws. It was previously enabled by default, posing significant security risks from well-known vulnerabilities, including the POODLE and BEAST attacks. Authorities like NIST (FIPS), IETF, Apple, PCI Security Standards Council, Federal Office for Information Security (BSI), Office of the Chief Information ...

Disable insecure "TLS 1.0" protocol

This script disables the TLS 1.0 protocol. This protocol is identified as "TLS 1.0" on Windows. Although deprecated and unsupported in newer Windows versions, it remains enabled by default in older versions. This protocol has well-documented security vulnerabilities, including security attacks such as BEAST and Klima. Major browsers, including Safari, Firefox, Chrome and Edge, now disable this protocol by default. Authorities like NIST (FIPS), IETF, NSA (National Security Agency), Apple, Mozilla...

Disable insecure "TLS 1.1" protocol

This script disables the TLS 1.1 protocol. This protocol is identified as "TLS 1.1" on Windows. Although deprecated and unsupported in newer Windows versions, it remains enabled by default in older versions. This protocol contains fundamental, well-documented security vulnerabilities. Major browsers, including Safari, Firefox, Chrome and Edge, now disable this protocol by default. Authorities like NIST (FIPS), IETF, NSA (National Security Agency), Apple, Mozilla, Microsoft, Google, PCI Security Standards Council, Federal Office for Inform...

Disable insecure "Triple DES" cipher

This script disables the "Triple DES 168" ("Triple DES 168/168" before Windows Vista) cipher, also known as 3DES, the Triple Data Encryption Algorithm (TDEA) and TDES. This script only affects the SSL/TLS handshake process. The SSL/TLS handshake is a key part of establishing a secure connection over the internet. By disabling this weak algorithm, the script improves the security of the connection. Authorities like Apple, NIST, Federal Office for Information Security (BSI), NSA (Nation...
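The cipher and hash entries above (DES, NULL, RC2, RC4, Triple DES, MD5, SHA-1) all work the same way: a subkey under SCHANNEL\Ciphers or SCHANNEL\Hashes whose Enabled value is 0. The block below is an added example, not the page's scripts, and exists mainly for one gotcha: names such as "RC4 128/128" contain a slash, and the HKLM: provider treats "/" as a path separator, so New-Item creates a key "RC4 128" with a child "128" and Schannel ignores it. The .NET registry API takes the literal name. The subkey names are the ones the page quotes; the remaining RC2/RC4 key-length variants are the standard Schannel names and are assumed here.

```powershell
# Added example, not the page's own script. Run elevated; reboot for Schannel to re-read the keys.
$ciphers = @(
    'NULL', 'DES 56/56', 'Triple DES 168',
    'RC2 40/128', 'RC2 56/128', 'RC2 128/128',                 # assumed standard Schannel names
    'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128'    # assumed standard Schannel names
)
$hashes = @('MD5', 'SHA')   # "SHA" is Schannel's subkey name for SHA-1

function Set-SchannelAlgorithm {
    param(
        [ValidateSet('Ciphers', 'Hashes')][string]$Category,
        [string]$Name,
        [bool]$Enabled
    )
    $root = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
        'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL', $true)
    try {
        $cat = $root.CreateSubKey($Category)         # opens if it exists, creates if not
        $key = $cat.CreateSubKey($Name)              # literal name, slash included
        # Schannel documents 0xFFFFFFFF for enabled and 0 for disabled; -1 as Int32 is 0xFFFFFFFF.
        $key.SetValue('Enabled', $(if ($Enabled) { -1 } else { 0 }), [Microsoft.Win32.RegistryValueKind]::DWord)
        $key.Close(); $cat.Close()
    } finally { $root.Close() }
}

function Get-SchannelAlgorithmState {
    param([ValidateSet('Ciphers', 'Hashes')][string]$Category, [string]$Name)
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
        "SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\$Category\$Name")
    if ($null -eq $key) { return 'default (no override)' }
    $v = $key.GetValue('Enabled'); $key.Close()
    if ($null -eq $v) { 'default (no override)' } elseif ($v -eq 0) { 'disabled' } else { 'enabled' }
}

foreach ($c in $ciphers) { Set-SchannelAlgorithm -Category Ciphers -Name $c -Enabled $false }
foreach ($h in $hashes)  { Set-SchannelAlgorithm -Category Hashes  -Name $h -Enabled $false }

# Verify: every listed name should now read "disabled".
foreach ($c in $ciphers) { '{0,-16} {1}' -f $c, (Get-SchannelAlgorithmState -Category Ciphers -Name $c) }
foreach ($h in $hashes)  { '{0,-16} {1}' -f $h, (Get-SchannelAlgorithmState -Category Hashes  -Name $h) }
```

To revert, delete the subkey rather than setting Enabled back to 0xFFFFFFFF: an absent key means "OS default", a present one pins the choice for future builds. On Windows 10 and Server 2016 or later the supported, suite-level equivalent is Disable-TlsCipherSuite from the TLS module; the per-algorithm keys above are the legacy switches the page's scripts use.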

Disable insecure ciphers

This category improves network security by disabling outdated and less secure cipher suites. Cipher suites are sets of cryptographic algorithms used to secure network connections. They include ciphers, known as bulk encryption algorithms or simply bulk ciphers. Ciphers encrypt messages exchanged between clients and servers. Using outdated cipher suites exposes data to risks of interception and tampering during transmission. Disabling insecure ciphers meets security standards set ...

Disable insecure connections

This category includes scripts designed to enhance users' security and privacy by disabling outdated or vulnerable connections across the system. It safeguards data against interception, unauthorized access, and attacks that exploit outdated technology vulnerabilities, including man-in-the-middle attacks and data breaches. By disabling these insecure connections, these scripts follow cybersecurity best practices and recommendations. Although Windows supports insecure connections for compatibilit...

Disable insecure connections from .NET apps

This script improves security by enforcing secure network connections across all .NET applications. By setting the "SchUseStrongCrypto" configuration, it prevents the use of outdated and insecure connections, including:
• Protocols weaker than TLS 1.1 and TLS 1.2.
• Cipher algorithms such as RC4, NULL, DES, and export suites.
• Hash algorithms like MD5.
Authorities like Microsoft and the Department of Defense (DoD) recommend this configuration as part of their security guidelines. This script applies...

Disable insecure hashes

This category includes scripts to disable insecure hash algorithms during cryptographic operations. Hash algorithms are essential for internet security, electronic banking, and document signing. Insecure hashes, however, are susceptible to collision attacks. This vulnerability enables attackers to spoof content, perform phishing, or execute man-in-the-middle attacks. Consequently, an attacker could intercept or modify data transmitted over what is believed to be a secure connection, without bein...

Disable insecure protocols

This category focuses on enhancing user privacy by disabling legacy and insecure communication protocols. It targets protocols that expose users to security vulnerabilities due to their outdated nature. Retaining obsolete protocols creates a false sense of security because they may seem secure but are vulnerable to exploitation. Authorities like NIST (FIPS), NSA (National Security Agency), Office of the Chief Information Security Officer, Microsoft, Mozilla, PCI Security Standards Council, the C...

Disable insecure remote administration access

This category improves security by disabling insecure remote administration features. Organizations use remote administration tools to manage multiple systems from a central location, performing tasks such as software updates, system checks, and configuration changes. However, if not properly secured, unauthorized users could exploit these tools to access sensitive data or control systems. This category addresses such vulnerabilities by disabling outdated or insecure remote access methods, thus ...

Disable insecure renegotiation

This script enhances your security by disabling insecure TLS renegotiation. By running this script, you proactively enhance your online privacy and secure against well-known TLS vulnerabilities. TLS secures internet communications. It allows parties such as browsers and websites to update their encryption settings through renegotiation. Without safeguards, attackers could intercept and compromise these communications. Insecure renegotiation can let attackers hijack communicat...

Disable insecure telnet protocol

This script configures macOS using Bash (Shell script). It can be restored. It runs "sudo launchctl disable system/com.apple.telnetd".

Disable non-essential network components

This category focuses on disabling or removing specific networking features. These are generally considered unnecessary or less secure for most users. Disabling these features contributes to a more secure and privacy-focused environment by eliminating potential vulnerabilities and reducing the system's attack surface. These features may use outdated protocols or lack robust encryption and authentication methods, making them vulnerable to cyberattacks. If these features are not essential fo...

Disable the insecure TFTP service

This script configures macOS using Bash (Shell script). It can be restored. It runs "sudo launchctl disable 'system/com.apple.tftpd'".

Disable unauthorized user account discovery (anonymous SAM enumeration)

This script increases your system's security by preventing unauthorized users from seeing account names in the Security Accounts Manager (SAM). The Security Accounts Manager (SAM) is a database in Windows that stores user account information and is critical for user authentication processes. When account names are exposed, attackers might use them for guessing passwords or tricking people into revealing sensitive information. This is a security action recommended by organizations like the Depart...
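This entry and the two earlier ones on anonymous access ("Disable anonymous access to named pipes and shares", "Disable anonymous enumeration of shares") are all LSA or LanManServer DWORD values. The following is an added example, not the page's scripts, that serves all three: it reports current versus expected value, writes a JSON backup of what was there, and then applies the hardened values. The two value names from the earlier entries are the page's own; RestrictAnonymousSAM, the value that governs anonymous SAM account enumeration, is not quoted on this page and is an assumption here.

```powershell
# Added example, not the page's own script. Run elevated.
$targets = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
       Name = 'RestrictNullSessAccess'; Value = 1 }   # no null-session access to pipes/shares (page-quoted name)
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'RestrictAnonymous';      Value = 1 }   # no anonymous enumeration of shares (page-quoted name)
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'RestrictAnonymousSAM';   Value = 1 }   # no anonymous enumeration of SAM accounts (assumed name)
)

function Get-DwordOrNull {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Test-AnonymousAccessHardening {
    # One row per setting. An absent value means the OS default applies; it is reported
    # as non-compliant because the default differs between Windows versions.
    foreach ($t in $targets) {
        $current = Get-DwordOrNull -Path $t.Path -Name $t.Name
        [pscustomobject]@{
            Setting   = $t.Name
            Current   = if ($null -eq $current) { '(absent)' } else { $current }
            Expected  = $t.Value
            Compliant = ($current -eq $t.Value)
        }
    }
}

function Set-AnonymousAccessHardening {
    param([string]$BackupPath = "$env:ProgramData\anon-access-backup.json")
    # Record the pre-change state so the change can be reverted precisely.
    Test-AnonymousAccessHardening | ConvertTo-Json | Set-Content -Path $BackupPath
    foreach ($t in $targets) {
        if (-not (Test-Path $t.Path)) { New-Item -Path $t.Path -Force | Out-Null }
        Set-ItemProperty -Path $t.Path -Name $t.Name -Value $t.Value -Type DWord
    }
}

Test-AnonymousAccessHardening | Format-Table -AutoSize
# Set-AnonymousAccessHardening    # apply after reviewing the report
```

RestrictAnonymous is set to 1 rather than 2 on purpose: 2 also removes the Everyone SID from anonymous tokens and is known to break trusts and some legacy services. The NullSessionPipes and NullSessionShares multi-string values in the same LanManServer key are the exception lists that still allow specific pipes or shares anonymously; review them as part of the same change.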

Disable Windows Remote Assistance feature

This script disables the Windows Remote Assistance feature to improve your system's privacy and security. Windows Remote Assistance allows a third party to remotely access your PC. This capability, known as Solicited Remote Assistance, enables another user to view or take control of your computer. Disabling Remote Assistance improves security by:
• Preventing others from remotely viewing or controlling your computer.
• Reducing the risk of exploitation from RDP-related vulnerabilities.
• Reducin...

Enable application firewall

This script configures macOS using Bash (Shell script). It can be restored. It runs "/usr/libexec/ApplicationFirewall/socketfilterfw...".

Enable firewall logging

This script configures macOS using Bash (Shell script). It can be restored. It runs "/usr/libexec/ApplicationFirewall/socketfilterfw...".

Enable secure "DTLS 1.2" protocol

This script enables the DTLS 1.2 protocol. This protocol is identified as "DTLS 1.2" on Windows. DTLS (Datagram Transport Layer Security) provides secure communication over the UDP protocol. Based on the TLS protocol, DTLS offers equivalent security measures. Common uses include online gaming, DNS lookups, and VPN services. Despite being superseded by the more secure DTLS 1.3, DTLS 1.2 is still approved by authorities like NIST, NSA, and the German Federal Office for Information Security. DTLS...

Enable secure "TLS 1.3" protocol

This script enables the TLS 1.3 protocol. This protocol is identified as "TLS 1.3" on Windows. TLS 1.3 is the latest and most secure version of the TLS protocol. It is supported starting with Windows 11 and Windows Server 2022. On these systems, TLS 1.3 is enabled by default. Authorities like NSA (National Security Agency), Federal Office for Information Security (BSI), The Center for Internet Security, NIST, Microsoft, Mozilla, and Apple recommend using this protocol for its enhanced security. ...

Enable secure connections

This category configures essential security settings to protect network communications. Newer security standards offer improved protection against vulnerabilities found in older versions. Scripts within this category enhance your privacy and security by enabling these standards to maintain the integrity of network communications.

Enable secure connections for legacy .NET apps

This script provides secure connections for older .NET Framework applications. It enables the automatic adoption of newer, more secure protocols as supported by the operating system. If the operating system supports newer TLS versions, applications will automatically use these without any need for modifications to the application code or .NET Framework settings. For example, this configuration enables .NET Framework 3.5 applications, which do not natively support TLS 1.2, to adopt TLS 1.2. This ...
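This entry and "Disable insecure connections from .NET apps" above set two machine-wide .NET Framework switches, SchUseStrongCrypto and SystemDefaultTlsVersions. The block below is an added example, not the page's scripts, and shows the part that is easy to get wrong: each value has to be written under four keys (the 64-bit and Wow6432Node hives, for the v4 CLR and for the v2 CLR that hosts .NET 2.0/3.0/3.5 applications), or a process of the other bitness or runtime keeps the old behaviour. The SystemDefaultTlsVersions value name is taken from Microsoft's TLS best-practice guidance; the page quotes only SchUseStrongCrypto.

```powershell
# Added example, not the page's own script. Run elevated; restart affected .NET processes afterwards.
$clrKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',              # 64-bit, v4 CLR
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319', # 32-bit, v4 CLR
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727',              # 64-bit, v2 CLR (.NET 2.0/3.0/3.5)
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727'  # 32-bit, v2 CLR
)
$switches = @{
    SchUseStrongCrypto       = 1   # page-quoted: drop SSL 3.0, RC4, export suites, MD5 from the .NET defaults
    SystemDefaultTlsVersions = 1   # assumed name: let the OS pick the TLS version instead of the CLR's built-in list
}

function Set-DotNetTlsDefaults {
    foreach ($key in $clrKeys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in $switches.Keys) {
            Set-ItemProperty -Path $key -Name $name -Value $switches[$name] -Type DWord
        }
    }
}

function Test-DotNetTlsDefaults {
    # One row per CLR key. "(absent)" means the runtime default applies, which for the
    # v2 CLR and for .NET 4.5/4.6 on older Windows is the insecure one.
    foreach ($key in $clrKeys) {
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Key                      = $key -replace '^HKLM:\\SOFTWARE\\', ''
            SchUseStrongCrypto       = if ($null -eq $p.SchUseStrongCrypto) { '(absent)' } else { $p.SchUseStrongCrypto }
            SystemDefaultTlsVersions = if ($null -eq $p.SystemDefaultTlsVersions) { '(absent)' } else { $p.SystemDefaultTlsVersions }
        }
    }
}

function Get-DotNetDefaultProtocols {
    # Windows PowerShell is itself a .NET 4 host, so this is what a fresh .NET 4 process
    # would negotiate: typically "Ssl3, Tls" before the change, "SystemDefault" after it.
    [System.Net.ServicePointManager]::SecurityProtocol
}

Test-DotNetTlsDefaults | Format-Table -AutoSize
# Set-DotNetTlsDefaults
Get-DotNetDefaultProtocols
```

Applications that hard-code SecurityProtocolType in code override both switches; the registry only changes the default for code that leaves the protocol unspecified.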

Enable security against PowerShell 2.0 downgrade attacks

See: The Windows PowerShell 2.0 feature must be disabled on the system. | stigviewer.com
Overview of default feature statuses - "MicrosoftWindowsPowerShellV2":
| Feature name | "MicrosoftWindowsPowerShellV2" |
| Display name | Windows PowerShell 2.0 Engine |
| Description | Adds or Removes Windows PowerShell 2.0 Engine |
| Default (Windows 11...
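The entry above names the feature but not why the downgrade matters: "powershell.exe -Version 2" runs the v2 engine, which has no script block logging, no AMSI integration and no constrained language mode, so an attacker who can start it sidesteps the PowerShell 5 telemetry. The block below is an added example, not the page's script. It disables the feature, verifies that the v2 engine can no longer be started, and hunts the classic "Windows PowerShell" event log for past v2 engine starts, which event ID 400 records with an EngineVersion=2.0 field in its message.

```powershell
# Added example, not the page's own script. Run elevated.

function Disable-PowerShellV2 {
    # V2 is the engine; V2Root is the parent feature present on client SKUs.
    foreach ($name in 'MicrosoftWindowsPowerShellV2', 'MicrosoftWindowsPowerShellV2Root') {
        $f = Get-WindowsOptionalFeature -Online -FeatureName $name -ErrorAction SilentlyContinue
        if ($f -and $f.State -eq 'Enabled') {
            Disable-WindowsOptionalFeature -Online -FeatureName $name -NoRestart | Out-Null
        }
    }
}

function Test-PowerShellV2Available {
    # Asks the v2 engine for its version; when the engine is gone, powershell.exe
    # prints an error to stderr (suppressed here) and nothing is returned.
    $exe = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"
    $out = & $exe -Version 2 -NoProfile -NonInteractive -Command '$PSVersionTable.PSVersion.Major' 2>$null
    return (($out -join '') -eq '2')
}

function Find-PowerShellV2Starts {
    param([datetime]$Since = (Get-Date).AddDays(-30))
    # Event 400 = "Engine state is changed from None to Available"; its message lists
    # HostApplication= (the command line) and EngineVersion= (2.0 for the v2 engine).
    Get-WinEvent -FilterHashtable @{ LogName = 'Windows PowerShell'; Id = 400; StartTime = $Since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'EngineVersion=2\.0' } |
        ForEach-Object {
            $app = if ($_.Message -match 'HostApplication=(?<app>[^\r\n]+)') { $Matches['app'].Trim() } else { '?' }
            [pscustomobject]@{ Time = $_.TimeCreated; HostApplication = $app }
        }
}

Find-PowerShellV2Starts | Format-Table -AutoSize
"v2 engine available: $(Test-PowerShellV2Available)"
# Disable-PowerShellV2
# After a reboot, Test-PowerShellV2Available should return $false.
```

A non-empty result from Find-PowerShellV2Starts on a host where nobody legitimately uses "-Version 2" is worth an incident ticket on its own; the HostApplication column shows the exact command line that started the old engine.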

Enable stealth mode

This script configures macOS using Bash (Shell script). It can be restored. It runs "/usr/libexec/ApplicationFirewall/socketfilterfw...".

Enable strong Diffie-Hellman key requirement

This script improves your security by setting the "Diffie-Hellman" key exchange to a minimum of 2048 bits. Diffie-Hellman is a method for two parties to agree on a shared secret over a public network. This script only affects the SSL/TLS handshake process. The SSL/TLS handshake is a key part of establishing a secure connection over the internet. By refusing key exchanges that use shorter parameters, the script improves the security of the connection. By default, modern Windows versions use a 2048-bit size for Diffie-Hellman key exchanges. Sizes ...

Enable strong RSA key requirement (breaks Hyper-V VMs)

This script improves your security by enforcing a minimum of 2048 bits for RSA encryption keys ("PKCS"). RSA encryption keys play a crucial role in securing communications over the internet. The Public-Key Cryptography Standards (PKCS) define how to use RSA keys for secure communication encryption. Using keys that are too weak can expose your data to unauthorized access. This script only affects the SSL/TLS handshake process. The SSL/TLS handshake is a key part of establishing a secure conne...
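The protocol entries on this page ("Disable insecure SSL 2.0/SSL 3.0/TLS 1.0/TLS 1.1/DTLS 1.0", "Enable secure DTLS 1.2/TLS 1.3") and the two key-length entries above all live under the SCHANNEL\Protocols and SCHANNEL\KeyExchangeAlgorithms keys. The following is an added example, not the page's scripts, that applies them together and reports the result. Two details are the point: every protocol has separate Client and Server subkeys, each with an Enabled value and a DisabledByDefault value, and "enabled" is the DWORD 0xFFFFFFFF, which is written as -1 from PowerShell. The ClientMinKeyBitLength/ServerMinKeyBitLength value names are the ones Microsoft documents for Diffie-Hellman; using the same names under PKCS for RSA is an assumption here.

```powershell
# Added example, not the page's own script. Run elevated; a reboot is required for Schannel
# to re-read these keys. "DTLS 1.2" and "TLS 1.3" keys only matter on builds that implement them.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Protocol name (as Schannel spells it) -> should it be usable?
$protocols = [ordered]@{
    'SSL 2.0'  = $false
    'SSL 3.0'  = $false
    'TLS 1.0'  = $false
    'TLS 1.1'  = $false
    'DTLS 1.0' = $false
    'TLS 1.2'  = $true
    'DTLS 1.2' = $true
    'TLS 1.3'  = $true
}

function Set-SchannelProtocol {
    param([string]$Name, [bool]$Enabled)
    foreach ($side in 'Client', 'Server') {
        $path = "$schannel\Protocols\$Name\$side"
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        # Enabled: 0 = off, 0xFFFFFFFF (-1 as Int32) = on.
        # DisabledByDefault: 1 = not offered unless an application asks for it explicitly.
        Set-ItemProperty -Path $path -Name 'Enabled'           -Type DWord -Value $(if ($Enabled) { -1 } else { 0 })
        Set-ItemProperty -Path $path -Name 'DisabledByDefault' -Type DWord -Value $(if ($Enabled) { 0 } else { 1 })
    }
}

function Set-SchannelMinKeyLength {
    param([ValidateSet('Diffie-Hellman', 'PKCS')][string]$Algorithm, [int]$Bits = 2048)
    $path = "$schannel\KeyExchangeAlgorithms\$Algorithm"
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    # Server value: what this host offers; Client value: the smallest it accepts from a peer.
    Set-ItemProperty -Path $path -Name 'ServerMinKeyBitLength' -Type DWord -Value $Bits
    Set-ItemProperty -Path $path -Name 'ClientMinKeyBitLength' -Type DWord -Value $Bits
}

function Get-SchannelProtocolReport {
    foreach ($name in $protocols.Keys) {
        foreach ($side in 'Client', 'Server') {
            $p = Get-ItemProperty -Path "$schannel\Protocols\$name\$side" -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Protocol          = $name
                Side              = $side
                Enabled           = if ($null -eq $p.Enabled) { '(default)' } else { '0x{0:X8}' -f $p.Enabled }
                DisabledByDefault = if ($null -eq $p.DisabledByDefault) { '(default)' } else { $p.DisabledByDefault }
            }
        }
    }
}

foreach ($name in $protocols.Keys) { Set-SchannelProtocol -Name $name -Enabled $protocols[$name] }
Set-SchannelMinKeyLength -Algorithm 'Diffie-Hellman'
Set-SchannelMinKeyLength -Algorithm 'PKCS'    # RSA; see the Hyper-V caveat in the entry above
Get-SchannelProtocolReport | Format-Table -AutoSize
```

Pinning TLS 1.2/1.3 to Enabled is deliberate rather than redundant: a later hardening script that wipes the Protocols key cannot then leave the host with no usable protocol. The PKCS client minimum is the value that breaks Hyper-V virtual machines as the heading above warns, because their replication and management certificates can carry 1024-bit RSA keys.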

Enable strong secret key requirements

This category contains scripts that enhance system security by enforcing stronger encryption key lengths. Stronger keys help prevent unauthorized data access and potential leaks. These scripts aim to protect your data when it is sent over the network (Internet), making sure your security matches the latest guidelines and practices.

Improve network security

This category is dedicated to improving network security. It aims to minimize vulnerabilities by offering various settings that improve the integrity and confidentiality of data transmitted over the network. It features a range of measures to protect data transmission from unauthorized access, interception, and other cyber threats to maintain a secure and private communication environment. By improving network security, you secure your system and data from attackers, ISPs, VPN companies, and sta...

Remove "RAS Connection Manager Administration Kit (CMAK)" capability

This script removes the "RAS Connection Manager Administration Kit (CMAK)" ("RasCMAK.Client") capability. CMAK is a tool that allows the creation of profiles for connecting to remote servers and networks. Though useful for remote connections, this capability might be unnecessary for many users. Removing it can simplify the system's network configuration and enhance security by reducing potential attack vectors. This capability is not included in the standard installation of Windows.

Remove "RIP Listener" capability

This script removes the "RIP Listener" ("RIP.Listener") capability. The RIP Listener listens for route updates from routers using the Routing Information Protocol version 1 (RIPv1). RIPv1 is an older protocol that is likely redundant in modern networks, despite its specific uses. Removing this feature contributes to a more secure system by eliminating an unnecessary network listener. This capability is not included in the standard installation of Windows.

Remove "Simple Network Management Protocol (SNMP)" capability

This script removes the "Simple Network Management Protocol (SNMP)" ("SNMP.Client") capability. SNMP is used for monitoring and managing network devices. While it provides valuable information for network administration, it may not be essential for all users and can expose the system to additional network traffic and potential vulnerabilities. This capability is not included in the standard installation of Windows.

Remove "SNMP WMI Provider" capability

This script removes the "SNMP WMI Provider" ("WMI-SNMP-Provider.Client") capability. This feature enables Windows Management Instrumentation (WMI) clients to access SNMP information. SNMP is used for monitoring and managing network devices. Because its only purpose is to expose SNMP data through WMI, this capability is unnecessary for anyone not doing SNMP monitoring. Removing it simplifies the system's management interfaces and improves its security posture by limiting the ways in which network informatio...
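The four "Remove ... capability" entries above use Windows capabilities rather than optional features, which is a different cmdlet family. The block below is an added example, not the page's scripts. It shows the practical difference: capability identifiers carry a version suffix (the page quotes the prefixes, e.g. "SNMP.Client"; the full name on a given build looks like "SNMP.Client~~~~0.0.1.0"), so the code matches on the prefix instead of hard-coding a version, and Get-WindowsCapability lists NotPresent entries too, which is how "never installed" is told apart from "installed and removable".

```powershell
# Added example, not the page's own script. Run elevated.
$prefixes = 'RasCMAK.Client', 'RIP.Listener', 'SNMP.Client', 'WMI-SNMP-Provider.Client'

function Get-CapabilityReport {
    param([string[]]$Prefixes)
    $all = Get-WindowsCapability -Online      # one DISM query; includes NotPresent capabilities
    foreach ($prefix in $Prefixes) {
        # Capability names are "<prefix>~~~~<version>"; the four tildes separate the empty
        # architecture/language fields, so anchor the wildcard on them.
        $found = @($all | Where-Object Name -like "$prefix~~~~*")
        if ($found.Count -eq 0) {
            [pscustomobject]@{ Prefix = $prefix; Name = '(unknown on this build)'; State = 'NotFound' }
        }
        foreach ($cap in $found) {
            [pscustomobject]@{ Prefix = $prefix; Name = $cap.Name; State = [string]$cap.State }
        }
    }
}

function Remove-ListedCapabilities {
    param([string[]]$Prefixes)
    Get-CapabilityReport -Prefixes $Prefixes |
        Where-Object State -eq 'Installed' |
        ForEach-Object {
            $r = Remove-WindowsCapability -Online -Name $_.Name
            "$($_.Name): removed, restart needed: $($r.RestartNeeded)"
        }
}

Get-CapabilityReport -Prefixes $prefixes | Format-Table -AutoSize
# Remove-ListedCapabilities -Prefixes $prefixes
```

Removing a capability deletes its payload; putting it back later needs Add-WindowsCapability with internet access or a Features on Demand source, which is the reason to keep the report output with the change record.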