{
"$schema": "http://json-schema.org/draft-07/schema#",
"title": "Administrative Shares Configuration",
"description": "Configuration for disabling administrative shares (C$, ADMIN$, etc.) to prevent lateral movement",
"version": "2.2.1",
"Administrative_Shares": {
"description": "Disable automatic creation and remove existing administrative shares",
"risk_level": "CRITICAL",
"attack_vectors": [
"Lateral movement in networks (WannaCry, NotPetya propagation)",
"Remote file access by attackers with stolen credentials",
"Pass-the-Hash attacks using admin shares",
"Automated malware propagation"
],
"shares_affected": {
"C$": "Root of C: drive",
"D$": "Root of D: drive (if exists)",
"E$": "Root of E: drive (if exists)",
"ADMIN$": "Windows directory (C:\\Windows)",
"IPC$": "Named pipes - CANNOT be removed (required by Windows)"
},
"registry_settings": {
"path": "HKLM:\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters",
"AutoShareWks": {
"description": "Disable automatic shares on Workstation (Home/Pro editions)",
"value": 0,
"type": "DWORD",
"default": 1
},
"AutoShareServer": {
"description": "Disable automatic shares on Server editions",
"value": 0,
"type": "DWORD",
"default": 1
}
},
"firewall_protection": {
"description": "Block inbound SMB (TCP 445) on the Public network profile",
"rule_name": "Block Admin Shares (NoID Privacy)",
"direction": "Inbound",
"protocol": "TCP",
"local_port": 445,
"profile": "Public",
"action": "Block"
},
"domain_safety": {
"enabled": true,
"description": "Automatically detect domain-joined systems and skip the change unless -Force is specified",
"check": "Get-CimInstance -ClassName Win32_ComputerSystem | Select-Object PartOfDomain",
"warnings": [
"Group Policy management may be affected",
"SCCM/Management tools may require admin shares",
"Remote administration tools may stop working"
],
"force_required": true,
"enterprise_recommendation": "Test in staging environment before deployment"
}
},
"Profiles": {
"Balanced": {
"enabled": true,
"domain_check": true,
"force_required": false
},
"Enterprise": {
"enabled": "conditional",
"domain_check": true,
"force_required": true,
"note": "Automatically disabled on domain-joined systems unless -Force is specified"
},
"Maximum": {
"enabled": true,
"domain_check": false,
"force_required": false,
"note": "Always enabled for maximum security"
}
},
"Impact": {
"positive": [
"Prevents lateral movement in case of credential theft",
"Stops automated ransomware propagation",
"Blocks Pass-the-Hash attack vectors using admin shares"
],
"negative": [
"Remote administration tools may not work",
"Group Policy remote management affected",
"Some enterprise monitoring tools may require admin shares",
"SCCM and similar tools may need explicit shares"
],
"recommendations": {
"home_users": "Recommended - high security benefit",
"enterprise": "Requires testing - may break management tools",
"workaround": "Create explicit shares for required management tools"
}
},
"Important_Notes": [
"REQUIRES REBOOT to stop the shares from being recreated",
"Shares will NOT be recreated after reboot (if the registry values are set)",
"IPC$ cannot be disabled (required by Windows)",
"File sharing via explicit shares still works",
"Can be restored by setting AutoShareWks/AutoShareServer back to 1 and rebooting"
],
"Compatibility": {
"windows_versions": ["Windows 10", "Windows 11", "Windows Server 2016+"],
"tested": "Windows 11 25H2 (Nov 16, 2025)"
}
}