# ============================================================
# SECURITY HARDENING - Block External Threats
# ============================================================
# Every later step writes to HKLM, the firewall policy, service configuration
# or Defender preferences, so the script stops here unless the current token
# is a member of the built-in Administrators role.
$currentIdentity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$currentPrincipal = [Security.Principal.WindowsPrincipal] $currentIdentity
$isAdmin = $currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

if (-not $isAdmin) {
    Write-Host "[ERROR] Run as Administrator!" -ForegroundColor Red
    exit 1
}

Write-Host "`n=== SECURITY HARDENING START ===" -ForegroundColor Cyan
# 1. BLOCK USB STORAGE
Write-Host "`n[1] Blocking USB Storage..." -ForegroundColor Yellow

# Start = 4 marks the USBSTOR driver service as disabled. The key is only
# modified when it already exists; a missing key is skipped without any message.
# NOTE(review): USBSTOR is not the only driver that can serve USB mass storage,
# so treat the policy values below as the primary control - confirm on the target build.
$usbPath = "HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR"
if (Test-Path $usbPath) {
    Set-ItemProperty -Path $usbPath -Name "Start" -Value 4 -Force
    Write-Host " [OK] USBSTOR blocked" -ForegroundColor Green
}

# Machine-wide removable-storage policy key; created on first run.
$removablePath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices"
$policyKeyMissing = -not (Test-Path $removablePath)
if ($policyKeyMissing) {
    New-Item -Path $removablePath -Force | Out-Null
}

# NOTE(review): Deny_All at this key is the "deny all access" policy value.
# Deny_Read / Deny_Write are normally set under per-device-class subkeys, so the
# two root-level values may have no effect - verify against the policy reference.
foreach ($denyValue in "Deny_All", "Deny_Read", "Deny_Write") {
    Set-ItemProperty -Path $removablePath -Name $denyValue -Value 1 -Type DWord -Force
}
Write-Host " [OK] Removable storage access denied" -ForegroundColor Green
# 2. DISABLE AUTOPLAY
Write-Host "`n[2] Disabling AutoPlay..." -ForegroundColor Yellow

# Machine-wide Explorer policy key (HKLM), created if it does not exist yet.
$apPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
if (-not (Test-Path $apPath)) {
    New-Item -Path $apPath -Force | Out-Null
}

# NoDriveTypeAutoRun is a drive-type bitmask; 0xFF sets every bit.
# Values are written in the same order as before: bitmask first, then NoAutorun.
$autoRunValues = [ordered]@{
    NoDriveTypeAutoRun = 0xFF
    NoAutorun          = 1
}
foreach ($entry in $autoRunValues.GetEnumerator()) {
    Set-ItemProperty -Path $apPath -Name $entry.Key -Value $entry.Value -Type DWord -Force
}
Write-Host " [OK] AutoPlay disabled" -ForegroundColor Green
# 3. FIREWALL - BLOCK ALL INBOUND
Write-Host "`n[3] Configuring Firewall..." -ForegroundColor Yellow

$allProfiles = "Domain", "Public", "Private"

# Step 1: make sure the firewall is switched on for every profile.
Set-NetFirewallProfile -Profile $allProfiles -Enabled True

# Step 2: default-deny inbound, default-allow outbound.
# The default action only applies to traffic that no rule matches; allow rules
# that already exist on the host stay in force and should be reviewed separately.
# NOTE(review): outbound stays wide open - confirm that is acceptable for this host.
$profileDefaults = @{
    DefaultInboundAction            = "Block"
    DefaultOutboundAction           = "Allow"
    AllowUnicastResponseToMulticast = "False"
}
Set-NetFirewallProfile -Profile $allProfiles @profileDefaults
Write-Host " [OK] Firewall enabled, inbound blocked" -ForegroundColor Green
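# Block dangerous ports
# Explicit block rules are added on top of the default-deny policy so that a
# pre-existing allow rule for one of these ports does not keep it reachable.
# Several of the listed services (NetBIOS name/datagram on 137/138, SNMP on
# 161/162) run over UDP, so a TCP-only rule leaves them uncovered; each port
# therefore gets one TCP rule and one UDP rule.
$ports = @(135,137,138,139,445,3389,5900,23,21,161,162,1433,3306,5432)
foreach ($p in $ports) {
    foreach ($proto in "TCP", "UDP") {
        # The TCP rule keeps the original "Block-Port-<n>" display name so rules
        # created by earlier runs are recognised and not duplicated.
        $name = if ($proto -eq "TCP") { "Block-Port-$p" } else { "Block-Port-$p-UDP" }
        $exists = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
        if (-not $exists) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol $proto -LocalPort $p -Action Block -Profile Any | Out-Null
        }
    }
}
Write-Host " [OK] Dangerous ports blocked: $ports" -ForegroundColor Green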
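# Block ICMP
# Each rule is created only when no rule with that display name exists yet;
# New-NetFirewallRule does not reject duplicate display names, so an unguarded
# call would add another copy of the rule on every run of the script.
# NOTE(review): IPv6 neighbor discovery and path-MTU discovery are carried over
# ICMPv6, so a blanket inbound ICMPv6 block can break IPv6 connectivity -
# validate on any network that uses IPv6 before rolling this out.
foreach ($icmp in "ICMPv4", "ICMPv6") {
    $ruleName = "Block-$icmp"
    $existing = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
    if (-not $existing) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol $icmp -Action Block -Profile Any -ErrorAction SilentlyContinue | Out-Null
    }
}
Write-Host " [OK] ICMP blocked" -ForegroundColor Green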
# 4. DISABLE BLUETOOTH
Write-Host "`n[4] Disabling Bluetooth..." -ForegroundColor Yellow

# Services to stop and disable; a service that is not installed is skipped.
# Errors from Stop-Service / Set-Service are suppressed, so the [OK] line
# reports that the attempt was made, not that it succeeded.
$btSvcs = @("bthserv")
foreach ($s in $btSvcs) {
    $installed = Get-Service -Name $s -ErrorAction SilentlyContinue
    if (-not $installed) { continue }

    Stop-Service -Name $s -Force -ErrorAction SilentlyContinue
    Set-Service -Name $s -StartupType Disabled -ErrorAction SilentlyContinue
    Write-Host " [OK] Service $s disabled" -ForegroundColor Green
}

# Start = 4 disables the BTHUSB driver service when its key is present.
$btReg = "HKLM:\SYSTEM\CurrentControlSet\Services\BTHUSB"
$btDriverPresent = Test-Path $btReg
if ($btDriverPresent) {
    Set-ItemProperty -Path $btReg -Name "Start" -Value 4 -Force
    Write-Host " [OK] Bluetooth driver blocked" -ForegroundColor Green
}
# 5. DISABLE REMOTE ACCESS
Write-Host "`n[5] Disabling Remote Access..." -ForegroundColor Yellow

# Remote Registry: stop it (best effort) and set the start type to Disabled.
# Only the stop is silenced; a failure of Set-Service is shown on the console.
$remoteRegistryName = "RemoteRegistry"
$rr = Get-Service -Name $remoteRegistryName -ErrorAction SilentlyContinue
if ($null -ne $rr) {
    Stop-Service -Name $remoteRegistryName -Force -ErrorAction SilentlyContinue
    Set-Service -Name $remoteRegistryName -StartupType Disabled
    Write-Host " [OK] Remote Registry disabled" -ForegroundColor Green
}

# fDenyTSConnections = 1 refuses incoming Remote Desktop connections.
# NOTE(review): this section covers Remote Registry and RDP only; other remote
# management channels are not touched here and need their own review.
$rdpPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server"
$rdpKeyPresent = Test-Path $rdpPath
if ($rdpKeyPresent) {
    Set-ItemProperty -Path $rdpPath -Name "fDenyTSConnections" -Value 1 -Force
    Write-Host " [OK] Remote Desktop disabled" -ForegroundColor Green
}
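# 6. DISABLE NETWORK DISCOVERY SERVICES
Write-Host "`n[6] Disabling network discovery services..." -ForegroundColor Yellow

# Every installed service in the list is set to Disabled, whether or not it is
# running right now. Disabling only the running ones would leave a stopped
# service free to start later while the summary still reports it as disabled.
# Errors are suppressed, so the [OK] line reports the attempt, not the outcome.
$badSvcs = @("SSDPSRV", "upnphost", "lmhosts", "Fax", "WMPNetworkSvc")
foreach ($s in $badSvcs) {
    $svc = Get-Service -Name $s -ErrorAction SilentlyContinue
    if (-not $svc) { continue }

    # A stop request is only needed when the service is currently running.
    if ($svc.Status -eq "Running") {
        Stop-Service -Name $s -Force -ErrorAction SilentlyContinue
    }
    Set-Service -Name $s -StartupType Disabled -ErrorAction SilentlyContinue
    Write-Host " [OK] Service $s disabled" -ForegroundColor Green
}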
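# 7. WINDOWS DEFENDER MAX SECURITY
Write-Host "`n[7] Enabling Windows Defender max security..." -ForegroundColor Yellow

# Each entry is one Set-MpPreference call plus the label used in its status line.
# NOTE(review): Controlled Folder Access and Network Protection in enforcing mode
# can block legitimate applications - consider piloting them in audit mode first.
$defenderSettings = @(
    @{ Label = "Real-time protection";     Params = @{ DisableRealtimeMonitoring     = $false } },
    @{ Label = "Cloud protection";         Params = @{ MAPSReporting                 = "Advanced" } },
    @{ Label = "Behavior monitoring";      Params = @{ DisableBehaviorMonitoring     = $false } },
    @{ Label = "PUA protection";           Params = @{ PUAProtection                 = "Enabled" } },
    @{ Label = "Ransomware protection";    Params = @{ EnableControlledFolderAccess  = "Enabled" } },
    @{ Label = "Network protection";       Params = @{ EnableNetworkProtection       = "Enabled" } },
    @{ Label = "Removable drive scanning"; Params = @{ DisableRemovableDriveScanning = $false } }
)

foreach ($setting in $defenderSettings) {
    $params = $setting.Params
    try {
        # -ErrorAction Stop turns a failed call into an exception, so [OK] is
        # printed only when the cmdlet accepted the setting.
        Set-MpPreference @params -ErrorAction Stop
        Write-Host " [OK] $($setting.Label) ON" -ForegroundColor Green
    } catch {
        Write-Host " [FAIL] $($setting.Label): $($_.Exception.Message)" -ForegroundColor Red
    }
}
# NOTE(review): a call can succeed and still be overridden (tamper protection,
# Group Policy, another AV product) - confirm the effective values with Get-MpPreference.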
# DONE
Write-Host "`n=== HARDENING COMPLETE ===" -ForegroundColor Cyan
Write-Host ""
Write-Host "Summary:" -ForegroundColor White

# The summary is fixed text: it lists what the script attempted and is printed
# regardless of whether the individual steps above succeeded.
$summaryLines = @(
    " [OK] USB Storage - BLOCKED",
    " [OK] AutoPlay - DISABLED",
    " [OK] Firewall - INBOUND BLOCKED",
    " [OK] Dangerous ports - BLOCKED",
    " [OK] Bluetooth - DISABLED",
    " [OK] Remote Desktop - DISABLED",
    " [OK] Remote Registry - DISABLED",
    " [OK] Network discovery - DISABLED",
    " [OK] Windows Defender - MAX SECURITY"
)
foreach ($line in $summaryLines) {
    Write-Host $line -ForegroundColor Green
}

Write-Host ""
Write-Host "RESTART REQUIRED for all changes to take effect." -ForegroundColor Yellow
Write-Host ""

# Anything other than Y/y (compared case-insensitively) leaves the reboot to the operator.
$resp = Read-Host "Restart now? (Y/N)"
if ($resp -ine "Y") {
    Write-Host "Please restart manually." -ForegroundColor Cyan
} else {
    Write-Host "Restarting in 5 seconds..." -ForegroundColor Yellow
    Start-Sleep -Seconds 5
    Restart-Computer
}