mirror of
https://github.com/NexusOne23/noid-privacy.git
synced 2026-02-07 12:11:53 +01:00
217 lines
8.9 KiB
PowerShell
217 lines
8.9 KiB
PowerShell
|
function Stop-RiskyServices {
|
||
|
|
<#
|
||
|
|
.SYNOPSIS
|
||
|
|
Stop and disable risky network services
|
||
|
|
|
||
|
|
.DESCRIPTION
|
||
|
|
Stops and disables network services that pose security risks:
|
||
|
|
|
||
|
|
- SSDPSRV (SSDP Discovery) - Port 1900 UDP
|
||
|
|
- upnphost (UPnP Device Host) - Port 2869 TCP
|
||
|
|
- lmhosts (TCP/IP NetBIOS Helper) - Port 139 TCP
|
||
|
|
|
||
|
|
Defense in Depth: Firewall blocks external access, but services
|
||
|
|
still run and listen locally. Stopping services completely closes ports.
|
||
|
|
|
||
|
|
Service Dependencies:
|
||
|
|
upnphost depends on SSDPSRV, so upnphost must be stopped FIRST.
|
||
|
|
|
||
|
|
.EXAMPLE
|
||
|
|
Stop-RiskyServices
|
||
|
|
Stops all risky network services
|
||
|
|
|
||
|
|
.NOTES
|
||
|
|
Impact:
|
||
|
|
- Smart home device auto-discovery may not work
|
||
|
|
- DLNA/casting features may require manual configuration
|
||
|
|
- NetBIOS name resolution disabled (already disabled via registry)
|
||
|
|
#>
|
||
|
|
[CmdletBinding()]
|
||
|
|
param()
|
||
|
|
|
||
|
|
try {
|
||
|
|
Write-Log -Level INFO -Message "Stopping risky network services..." -Module "AdvancedSecurity"
|
||
|
|
|
||
|
|
$services = @(
|
||
|
|
@{
|
||
|
|
Name = "upnphost"
|
||
|
|
DisplayName = "UPnP Device Host"
|
||
|
|
Port = 2869
|
||
|
|
Protocol = "TCP"
|
||
|
|
Risk = "MEDIUM"
|
||
|
|
Impact = "DLNA/casting features may require manual configuration"
|
||
|
|
},
|
||
|
|
@{
|
||
|
|
Name = "SSDPSRV"
|
||
|
|
DisplayName = "SSDP Discovery"
|
||
|
|
Port = 1900
|
||
|
|
Protocol = "UDP"
|
||
|
|
Risk = "MEDIUM"
|
||
|
|
Impact = "Smart home device auto-discovery may not work"
|
||
|
|
},
|
||
|
|
@{
|
||
|
|
Name = "lmhosts"
|
||
|
|
DisplayName = "TCP/IP NetBIOS Helper"
|
||
|
|
Port = 139
|
||
|
|
Protocol = "TCP"
|
||
|
|
Risk = "MEDIUM"
|
||
|
|
Impact = "NetBIOS name resolution disabled"
|
||
|
|
}
|
||
|
|
# Note: Computer Browser (Browser) service is DEPRECATED in Win10/11
|
||
|
|
# It's tied to SMB1 which is not installed by default
|
||
|
|
# Removing from list to avoid errors on modern systems
|
||
|
|
)
|
||
|
|
|
||
|
|
# Backup service states
|
||
|
|
Write-Log -Level INFO -Message "Backing up service states..." -Module "AdvancedSecurity"
|
||
|
|
|
||
|
|
$serviceBackup = @{}
|
||
|
|
foreach ($svc in $services) {
|
||
|
|
$service = Get-Service -Name $svc.Name -ErrorAction SilentlyContinue
|
||
|
|
if ($service) {
|
||
|
|
$serviceBackup[$svc.Name] = @{
|
||
|
|
Status = $service.Status.ToString()
|
||
|
|
StartType = $service.StartType.ToString()
|
||
|
|
DisplayName = $service.DisplayName
|
||
|
|
}
|
||
|
|
}
|
||
|
|
}
|
||
|
|
|
||
|
|
$backupData = @{
|
||
|
|
Services = $serviceBackup
|
||
|
|
BackupDate = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
|
||
|
|
}
|
||
|
|
$backupJson = $backupData | ConvertTo-Json -Depth 10
|
||
|
|
Register-Backup -Type "Services_State" -Data $backupJson -Name "RiskyServices"
|
||
|
|
|
||
|
|
Write-Log -Level SUCCESS -Message "Backed up state of $($serviceBackup.Count) services" -Module "AdvancedSecurity"
|
||
|
|
|
||
|
|
# Stop and disable services
|
||
|
|
$stoppedCount = 0
|
||
|
|
$errors = @()
|
||
|
|
|
||
|
|
# CRITICAL: Stop upnphost FIRST (it depends on SSDPSRV)
|
||
|
|
foreach ($svc in $services) {
|
||
|
|
Write-Log -Level INFO -Message "Processing service: $($svc.DisplayName) ($($svc.Name))..." -Module "AdvancedSecurity"
|
||
|
|
|
||
|
|
$service = Get-Service -Name $svc.Name -ErrorAction SilentlyContinue
|
||
|
|
|
||
|
|
if (-not $service) {
|
||
|
|
Write-Log -Level INFO -Message "Service $($svc.Name) not found (may not be installed)" -Module "AdvancedSecurity"
|
||
|
|
continue
|
||
|
|
}
|
||
|
|
|
||
|
|
try {
|
||
|
|
# Stop service if running
|
||
|
|
if ($service.Status -eq 'Running') {
|
||
|
|
Write-Log -Level INFO -Message "Stopping $($svc.Name)..." -Module "AdvancedSecurity"
|
||
|
|
Stop-Service -Name $svc.Name -Force -ErrorAction Stop
|
||
|
|
Write-Log -Level SUCCESS -Message "Stopped $($svc.Name)" -Module "AdvancedSecurity"
|
||
|
|
}
|
||
|
|
else {
|
||
|
|
Write-Log -Level INFO -Message "$($svc.Name) already stopped" -Module "AdvancedSecurity"
|
||
|
|
}
|
||
|
|
|
||
|
|
# Disable service
|
||
|
|
Write-Log -Level INFO -Message "Disabling $($svc.Name)..." -Module "AdvancedSecurity"
|
||
|
|
Set-Service -Name $svc.Name -StartupType Disabled -ErrorAction Stop
|
||
|
|
Write-Log -Level SUCCESS -Message "Disabled $($svc.Name) (StartupType = Disabled)" -Module "AdvancedSecurity"
|
||
|
|
|
||
|
|
$stoppedCount++
|
||
|
|
}
|
||
|
|
catch {
|
||
|
|
$errors += "$($svc.Name): $_"
|
||
|
|
Write-Log -Level WARNING -Message "Failed to stop/disable $($svc.Name): $_" -Module "AdvancedSecurity"
|
||
|
|
}
|
||
|
|
}
|
||
|
|
|
||
|
|
# Verify ports are closed
|
||
|
|
Write-Log -Level INFO -Message "Verifying ports are closed..." -Module "AdvancedSecurity"
|
||
|
|
|
||
|
|
Start-Sleep -Seconds 2 # Give services time to fully stop
|
||
|
|
|
||
|
|
$portsClosed = @()
|
||
|
|
$portsStillOpen = @()
|
||
|
|
|
||
|
|
# Check TCP ports
|
||
|
|
foreach ($port in @(139, 2869)) {
|
||
|
|
$listener = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue
|
||
|
|
if (-not $listener) {
|
||
|
|
$portsClosed += "TCP $port"
|
||
|
|
Write-Log -Level SUCCESS -Message "Port TCP $port is CLOSED" -Module "AdvancedSecurity"
|
||
|
|
}
|
||
|
|
else {
|
||
|
|
$portsStillOpen += "TCP $port"
|
||
|
|
Write-Log -Level WARNING -Message "Port TCP $port is still LISTENING!" -Module "AdvancedSecurity"
|
||
|
|
}
|
||
|
|
}
|
||
|
|
|
||
|
|
# Check UDP port 1900
|
||
|
|
$udpListener = Get-NetUDPEndpoint -LocalPort 1900 -ErrorAction SilentlyContinue
|
||
|
|
if (-not $udpListener) {
|
||
|
|
$portsClosed += "UDP 1900"
|
||
|
|
Write-Log -Level SUCCESS -Message "Port UDP 1900 is CLOSED" -Module "AdvancedSecurity"
|
||
|
|
}
|
||
|
|
else {
|
||
|
|
$portsStillOpen += "UDP 1900"
|
||
|
|
Write-Log -Level WARNING -Message "Port UDP 1900 is still LISTENING locally. SSDP service is disabled and blocked by firewall; this listener is a known Windows behavior and not reachable from external networks." -Module "AdvancedSecurity"
|
||
|
|
}
|
||
|
|
|
||
|
|
# Summary
|
||
|
|
Write-Host ""
|
||
|
|
Write-Host "================================================" -ForegroundColor Green
|
||
|
|
Write-Host " RISKY SERVICES STOPPED" -ForegroundColor Green
|
||
|
|
Write-Host "================================================" -ForegroundColor Green
|
||
|
|
Write-Host ""
|
||
|
|
Write-Host "Services stopped: $stoppedCount" -ForegroundColor White
|
||
|
|
foreach ($svc in $services) {
|
||
|
|
$service = Get-Service -Name $svc.Name -ErrorAction SilentlyContinue
|
||
|
|
if ($service) {
|
||
|
|
$status = if ($service.Status -eq 'Stopped') { "STOPPED" } else { $service.Status }
|
||
|
|
$startType = $service.StartType
|
||
|
|
Write-Host " $($svc.DisplayName): $status (StartType: $startType)" -ForegroundColor Gray
|
||
|
|
}
|
||
|
|
}
|
||
|
|
Write-Host ""
|
||
|
|
Write-Host "Ports closed: $($portsClosed.Count)" -ForegroundColor White
|
||
|
|
foreach ($port in $portsClosed) {
|
||
|
|
Write-Host " $port" -ForegroundColor Green
|
||
|
|
}
|
||
|
|
|
||
|
|
if ($portsStillOpen.Count -gt 0) {
|
||
|
|
Write-Host ""
|
||
|
|
Write-Host "Ports still open: $($portsStillOpen.Count)" -ForegroundColor Yellow
|
||
|
|
foreach ($port in $portsStillOpen) {
|
||
|
|
Write-Host " $port" -ForegroundColor Yellow
|
||
|
|
}
|
||
|
|
if ($portsStillOpen -contains "UDP 1900") {
|
||
|
|
Write-Host ""
|
||
|
|
Write-Host "Note: UDP 1900 may still show a local listener, but SSDP is disabled and blocked by firewall. This is a known Windows behavior and not remotely reachable." -ForegroundColor Gray
|
||
|
|
}
|
||
|
|
}
|
||
|
|
|
||
|
|
if ($errors.Count -gt 0) {
|
||
|
|
Write-Host ""
|
||
|
|
Write-Host "Errors: $($errors.Count)" -ForegroundColor Red
|
||
|
|
foreach ($errorMsg in $errors) {
|
||
|
|
Write-Host " $errorMsg" -ForegroundColor Red
|
||
|
|
}
|
||
|
|
}
|
||
|
|
|
||
|
|
Write-Host ""
|
||
|
|
|
||
|
|
if ($errors.Count -eq 0) {
|
||
|
|
Write-Log -Level SUCCESS -Message "All risky services stopped and disabled successfully" -Module "AdvancedSecurity"
|
||
|
|
return $true
|
||
|
|
}
|
||
|
|
else {
|
||
|
|
Write-Log -Level WARNING -Message "Completed with $($errors.Count) errors" -Module "AdvancedSecurity"
|
||
|
|
return $true # Partial success
|
||
|
|
}
|
||
|
|
}
|
||
|
|
catch {
|
||
|
|
Write-Log -Level ERROR -Message "Failed to stop risky services: $_" -Module "AdvancedSecurity" -Exception $_.Exception
|
||
|
|
return $false
|
||
|
|
}
|
||
|
|
}
|