mirror of
https://github.com/NexusOne23/noid-privacy.git
synced 2026-02-07 12:11:53 +01:00
v2.2.2: Performance fix for firewall snapshot (60-120s to 2-5s) + version alignment
This commit is contained in:
parent
73b7e7c68e
commit
877e01df37
65 changed files with 183 additions and 137 deletions
|
|
@ -2,7 +2,7 @@
|
|||
# Module manifest for AdvancedSecurity
|
||||
|
||||
# Version
|
||||
ModuleVersion = '2.2.1'
|
||||
ModuleVersion = '2.2.2'
|
||||
|
||||
# Unique ID
|
||||
GUID = 'e7f5a3d2-8c9b-4f1e-a6d3-9b2c8f4e5a1d'
|
||||
|
|
@ -48,7 +48,7 @@
|
|||
LicenseUri = ''
|
||||
ProjectUri = ''
|
||||
ReleaseNotes = @'
|
||||
v2.2.1 (2025-12-08)
|
||||
v2.2.2 (2025-12-08)
|
||||
- Production release of AdvancedSecurity module
|
||||
- 49 advanced hardening settings implemented (was 36)
|
||||
- NEW: Wireless Display (Miracast) security hardening
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
# AdvancedSecurity Module Loader
|
||||
# Version: 2.2.1
|
||||
# Version: 2.2.2
|
||||
# Description: Advanced Security Hardening - Beyond Microsoft Security Baseline
|
||||
|
||||
# Get module path
|
||||
|
|
|
|||
|
|
@ -2,7 +2,7 @@
|
|||
"$schema": "http://json-schema.org/draft-07/schema#",
|
||||
"title": "Administrative Shares Configuration",
|
||||
"description": "Configuration for disabling administrative shares (C$, ADMIN$, etc.) to prevent lateral movement",
|
||||
"version": "2.2.1",
|
||||
"version": "2.2.2",
|
||||
|
||||
"Administrative_Shares": {
|
||||
"description": "Disable automatic creation and remove existing administrative shares",
|
||||
|
|
|
|||
|
|
@ -2,7 +2,7 @@
|
|||
"$schema": "http://json-schema.org/draft-07/schema#",
|
||||
"title": "Credential Protection Configuration",
|
||||
"description": "Configuration for credential hardening including WDigest protection",
|
||||
"version": "2.2.1",
|
||||
"version": "2.2.2",
|
||||
|
||||
"WDigest_Protection": {
|
||||
"description": "Prevent WDigest from storing plaintext passwords in LSASS memory",
|
||||
|
|
|
|||
|
|
@ -2,7 +2,7 @@
|
|||
"$schema": "http://json-schema.org/draft-07/schema#",
|
||||
"title": "RDP Hardening Configuration",
|
||||
"description": "Configuration for RDP (Remote Desktop Protocol) hardening including NLA enforcement and optional complete disable",
|
||||
"version": "2.2.1",
|
||||
"version": "2.2.2",
|
||||
|
||||
"NLA_Enforcement": {
|
||||
"description": "Network Level Authentication (NLA) enforcement settings",
|
||||
|
|
|
|||
|
|
@ -186,22 +186,34 @@ function Backup-AdvancedSecuritySettings {
|
|||
|
||||
# 8. Firewall Rules Snapshot
|
||||
Write-Host ""
|
||||
Write-Host " ============================================" -ForegroundColor Cyan
|
||||
Write-Host " FIREWALL RULES BACKUP - PLEASE WAIT" -ForegroundColor Cyan
|
||||
Write-Host " ============================================" -ForegroundColor Cyan
|
||||
Write-Host " Creating snapshot for risky ports..." -ForegroundColor White
|
||||
Write-Host " Creating firewall snapshot for risky ports..." -ForegroundColor Cyan
|
||||
Write-Host " Ports: 79, 137-139, 1900, 2869, 5355, 3702, 5353, 5357, 5358" -ForegroundColor Gray
|
||||
Write-Host ""
|
||||
Write-Host " [!] This operation takes 60-120 seconds" -ForegroundColor Yellow
|
||||
Write-Host " System is working - do not interrupt!" -ForegroundColor Yellow
|
||||
Write-Host " ============================================" -ForegroundColor Cyan
|
||||
Write-Host ""
|
||||
Write-Log -Level INFO -Message "Backing up firewall rules snapshot for risky ports (79, 137, 138, 139, 1900, 2869, 5355, 3702, 5353, 5357, 5358)..." -Module "AdvancedSecurity"
|
||||
$firewallRules = Get-NetFirewallRule | Where-Object {
|
||||
$portFilter = $_ | Get-NetFirewallPortFilter
|
||||
(($portFilter.LocalPort -in @(79, 137, 138, 139, 1900, 2869, 5355, 3702, 5353, 5357, 5358)) -or
|
||||
($portFilter.RemotePort -in @(79, 137, 138, 139, 1900, 2869, 5355, 3702, 5353, 5357, 5358))) -and
|
||||
($_.Direction -eq 'Inbound' -or $_.Direction -eq 'Outbound')
|
||||
|
||||
# PERFORMANCE FIX: Batch query instead of per-rule queries
|
||||
# Old approach: Get-NetFirewallRule | ForEach { Get-NetFirewallPortFilter } = 300+ queries × 200ms = 60-120s!
|
||||
# New approach: Get all port filters once, then filter via hashtable = 2-5s total
|
||||
$riskyPorts = @(79, 137, 138, 139, 1900, 2869, 5355, 3702, 5353, 5357, 5358)
|
||||
|
||||
# Step 1: Get all firewall rules once
|
||||
$allRules = Get-NetFirewallRule -ErrorAction SilentlyContinue
|
||||
|
||||
# Step 2: Get all port filters in one batch query and build hashtable by InstanceID
|
||||
$allPortFilters = @{}
|
||||
Get-NetFirewallPortFilter -ErrorAction SilentlyContinue | ForEach-Object {
|
||||
$allPortFilters[$_.InstanceID] = $_
|
||||
}
|
||||
|
||||
# Step 3: Filter rules by risky ports (fast hashtable lookup)
|
||||
$firewallRules = $allRules | Where-Object {
|
||||
$portFilter = $allPortFilters[$_.InstanceID]
|
||||
if ($portFilter) {
|
||||
(($portFilter.LocalPort -in $riskyPorts) -or ($portFilter.RemotePort -in $riskyPorts)) -and
|
||||
($_.Direction -eq 'Inbound' -or $_.Direction -eq 'Outbound')
|
||||
}
|
||||
else {
|
||||
$false
|
||||
}
|
||||
} | Select-Object Name, DisplayName, Enabled, Direction, Action
|
||||
|
||||
$firewallData = @{
|
||||
|
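Review bot: The rebuilt snapshot at `$allRules = Get-NetFirewallRule -ErrorAction SilentlyContinue` and the `Get-NetFirewallPortFilter -ErrorAction SilentlyContinue` pipeline now swallow query failures, so a failed query (firewall service unavailable, CIM error) yields an empty `$firewallRules` and a snapshot that looks successful but has nothing to restore from, where the old per-rule pipeline would have surfaced the error. Since this snapshot is the rollback point for the later port blocking, guard it before the filtering step, e.g. `if (-not $allRules) { Write-Warning "Get-NetFirewallRule returned no rules; firewall snapshot is empty" }` (or the module's Write-Log equivalent), and consider the same check when `$allPortFilters.Count` is 0. The new filter also inherits the scalar `-in` test from the old code: a rule whose LocalPort is a range string such as "137-139" or a multi-port array will not match `$riskyPorts`, so such rules are absent from the snapshot even though the banner names "137-139"; either normalise ranges before comparing or add a comment stating the limitation. The whole lookup assumes a port filter's InstanceID equals its rule's InstanceID, which appears to hold for Get-NetFirewallPortFilter output but deserves a one-line comment since nothing here verifies it. Backup-AdvancedSecuritySettings starts before and ends after this hunk, and the same silent-failure point applies to the Disable-RiskyPorts hunk below.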
|
|
|||
|
|
@ -21,7 +21,7 @@ function Block-FingerProtocol {
|
|||
|
||||
.NOTES
|
||||
Author: NexusOne23
|
||||
Version: 2.2.1
|
||||
Version: 2.2.2
|
||||
Requires: Administrator privileges
|
||||
|
||||
REFERENCES:
|
||||
|
|
|
|||
|
|
@ -41,16 +41,22 @@ function Disable-RiskyPorts {
|
|||
$disabledRules = 0
|
||||
$errors = @()
|
||||
|
||||
# PERFORMANCE: Get all firewall rules ONCE and cache port filters
|
||||
# PERFORMANCE FIX: Batch query instead of per-rule queries
|
||||
# Old approach: foreach { Get-NetFirewallPortFilter } = 300+ queries × 200ms = 60s+
|
||||
# New approach: Get all port filters once via hashtable = 2-5s total
|
||||
Write-Log -Level INFO -Message "Loading firewall rules for analysis..." -Module "AdvancedSecurity"
|
||||
$allRules = Get-NetFirewallRule | Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq $true }
|
||||
$allRules = Get-NetFirewallRule -ErrorAction SilentlyContinue | Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq $true }
|
||||
|
||||
# Pre-fetch port filters to avoid repeated Get-NetFirewallPortFilter calls
|
||||
# NOTE: We cache both the rule and its ports so we can later filter ONLY
|
||||
# ALLOW rules for disabling. NoID block rules must remain enabled.
|
||||
# Get all port filters in one batch query and build hashtable by InstanceID
|
||||
$allPortFilters = @{}
|
||||
Get-NetFirewallPortFilter -ErrorAction SilentlyContinue | ForEach-Object {
|
||||
$allPortFilters[$_.InstanceID] = $_
|
||||
}
|
||||
|
||||
# Build cache with fast hashtable lookup
|
||||
$rulesWithPorts = @()
|
||||
foreach ($rule in $allRules) {
|
||||
$portFilter = $rule | Get-NetFirewallPortFilter -ErrorAction SilentlyContinue
|
||||
$portFilter = $allPortFilters[$rule.InstanceID]
|
||||
if ($portFilter) {
|
||||
$rulesWithPorts += [PSCustomObject]@{
|
||||
Rule = $rule
|
||||
|
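Review bot: A miss in the `$allPortFilters[$rule.InstanceID]` lookup now degrades silently: if the rule's InstanceID does not match the port filter's InstanceID, or the batch query failed under `-ErrorAction SilentlyContinue`, every rule is skipped, `$rulesWithPorts` stays empty, and the function presumably reports 0 disabled rules with no indication that the risky ports were left open. Add a sanity check after the cache loop, e.g. `if ($allRules -and -not $rulesWithPorts) { Write-Warning "No port filters matched any inbound rule by InstanceID; risky-port check skipped" }`. If the NOTE lines about caching both rule and ports so that only ALLOW rules are disabled while NoID block rules stay enabled are on the removed side, that rationale should be kept in the new comment block, since it explains why the cache stores the rule object rather than just its ports. Disable-RiskyPorts starts before this hunk and the foreach loop ends after it.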
|
|
|||
|
|
@ -27,7 +27,7 @@ function Set-SRPRules {
|
|||
|
||||
.NOTES
|
||||
Author: NexusOne23
|
||||
Version: 2.2.1
|
||||
Version: 2.2.2
|
||||
Requires: Administrator privileges
|
||||
|
||||
REFERENCES:
|
||||
|
|
|
|||
|
|
@ -22,7 +22,7 @@ function Set-WindowsUpdate {
|
|||
|
||||
.NOTES
|
||||
Author: NexusOne23
|
||||
Version: 2.2.1
|
||||
Version: 2.2.2
|
||||
Requires: Administrator privileges
|
||||
Based on: Windows Settings > Windows Update > Advanced options
|
||||
#>
|
||||
|
|
|
|||
|
|
@ -11,7 +11,7 @@ function Invoke-AdvancedSecurity {
|
|||
- Enterprise: Conservative approach with domain-safety checks
|
||||
- Maximum: Maximum hardening for air-gapped/high-security environments
|
||||
|
||||
Features implemented (v2.2.1):
|
||||
Features implemented (v2.2.2):
|
||||
- RDP NLA enforcement + optional complete disable
|
||||
- WDigest credential protection
|
||||
- Administrative shares disable (domain-aware)
|
||||
|
|
|
|||