
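function Disable-AdminShares {
<#
.SYNOPSIS
Disable administrative shares (C$, ADMIN$, etc.) to reduce SMB-based lateral movement
.DESCRIPTION
Sets AutoShareWks and AutoShareServer to 0 under
HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters so the Server service
stops creating the administrative shares automatically, removes the drive shares (X$)
and ADMIN$ that currently exist, and adds an inbound firewall rule that blocks TCP/445
on the Public profile.
Administrative shares (C$, D$, ADMIN$) are used by attackers for:
- Lateral movement (WannaCry, NotPetya propagation)
- Remote file access with stolen credentials
- Pass-the-Hash attacks
- Automated malware propagation
CRITICAL: Includes domain-safety check. On domain-joined systems, admin shares
are often required for Group Policy, SCCM, and remote management tools.
The check fails CLOSED: if the domain-membership query itself errors, the function
logs the error and returns $false instead of treating the host as a workgroup machine.
REQUIRES REBOOT (a restart of the Server service) to prevent share recreation.
What this does NOT cover:
- IPC$ is left alone on purpose; the share filter only matches X$ and ADMIN$.
- AutoShare* = 0 stops AUTOMATIC creation only. A share created explicitly later
  (by an administrator, or by an attacker who already holds local admin) is unaffected.
- The firewall rule blocks inbound TCP/445 on the Public profile only; the Private
  and Domain profiles are untouched. It is defence in depth, not the control itself.
- NOTE(review): remote administration over WinRM is not expected to depend on admin
  shares, but verify against your own management tooling before relying on this.
.PARAMETER Force
Force disable even on domain-joined systems (NOT RECOMMENDED for enterprise!)
.OUTPUTS
[bool] $true when the configuration was applied or deliberately skipped (domain-joined
without -Force), $false when any step failed (details are written via Write-Log).
.EXAMPLE
Disable-AdminShares
Disables admin shares with domain-safety check
.EXAMPLE
Disable-AdminShares -Force
Forces disable even on domain-joined systems (DANGEROUS!)
.NOTES
Impact:
- Home/Workgroup: Highly recommended
- Enterprise Domain: May break management tools - TEST FIRST!
- IPC$ cannot be removed (required by Windows)
Shares will NOT be recreated after reboot (if registry values set to 0).
A backup of the matched shares and the previous AutoShare* values is registered
via Register-Backup before anything is changed.
#>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $false)]
        [switch]$Force
    )
    try {
        Write-Log -Level INFO -Message "Configuring administrative shares disable..." -Module "AdvancedSecurity"

        # CRITICAL: domain-safety check. -ErrorAction Stop sends a failed CIM query to the
        # outer catch (return $false). Without it a failure yields $null, and
        # $null.PartOfDomain evaluates as "not domain-joined", silently bypassing the guard.
        $computerSystem = Get-CimInstance -ClassName Win32_ComputerSystem -ErrorAction Stop
        $isDomainJoined = [bool]$computerSystem.PartOfDomain

        if ($isDomainJoined -and -not $Force) {
            Write-Log -Level WARNING -Message "Domain-joined system detected. Admin shares disable SKIPPED." -Module "AdvancedSecurity"
            Write-Log -Level WARNING -Message "Admin shares are often required for:" -Module "AdvancedSecurity"
            Write-Log -Level WARNING -Message " - Group Policy management" -Module "AdvancedSecurity"
            Write-Log -Level WARNING -Message " - SCCM/Management tools" -Module "AdvancedSecurity"
            Write-Log -Level WARNING -Message " - Remote administration" -Module "AdvancedSecurity"
            Write-Log -Level WARNING -Message "Use -Force to override (NOT RECOMMENDED!)" -Module "AdvancedSecurity"
            Write-Host ""
            Write-Host "================================================" -ForegroundColor Yellow
            Write-Host " DOMAIN-JOINED SYSTEM DETECTED" -ForegroundColor Yellow
            Write-Host "================================================" -ForegroundColor Yellow
            Write-Host ""
            Write-Host "Administrative shares are often required for:" -ForegroundColor White
            Write-Host " - Group Policy remote management" -ForegroundColor Gray
            Write-Host " - SCCM and other management tools" -ForegroundColor Gray
            Write-Host " - Remote administration via WMI/PowerShell" -ForegroundColor Gray
            Write-Host ""
            Write-Host "Skipping admin shares disable to prevent breakage." -ForegroundColor Green
            Write-Host "Use -DisableAdminShares -Force to override (NOT RECOMMENDED)." -ForegroundColor Red
            Write-Host ""
            return $true # Not an error, just skipped
        }

        $regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"

        # Get-SmbShare needs the Server service; when it is stopped there is nothing to enumerate.
        $serverService = Get-Service -Name "LanmanServer" -ErrorAction SilentlyContinue
        $serviceRunning = $serverService -and $serverService.Status -eq 'Running'

        # Backup current shares and registry settings before touching anything
        Write-Log -Level INFO -Message "Backing up current administrative shares..." -Module "AdvancedSecurity"
        $currentShares = @()
        if (-not $serviceRunning) {
            # Server service not running - admin shares are already effectively disabled
            Write-Log -Level INFO -Message "LanmanServer service is not running - admin shares already disabled" -Module "AdvancedSecurity"
        }
        else {
            try {
                # Drive shares (C$, D$, ...) and ADMIN$ only; IPC$ is intentionally excluded.
                # @() keeps a single match from collapsing to a scalar (.Count / foreach).
                # -ErrorAction Stop makes the catch below actually fire on a query failure.
                $currentShares = @(Get-SmbShare -ErrorAction Stop |
                    Where-Object { $_.Name -match '^[A-Z]\$$|^ADMIN\$$' } |
                    Select-Object Name, Path, Description)
            }
            catch {
                Write-Log -Level INFO -Message "Could not query SMB shares: $($_.Exception.Message)" -Module "AdvancedSecurity"
                $currentShares = @()
            }
        }

        $backupData = @{
            Shares          = $currentShares
            AutoShareWks    = (Get-ItemProperty -Path $regPath -Name "AutoShareWks" -ErrorAction SilentlyContinue).AutoShareWks
            AutoShareServer = (Get-ItemProperty -Path $regPath -Name "AutoShareServer" -ErrorAction SilentlyContinue).AutoShareServer
            DomainJoined    = $isDomainJoined
            BackupDate      = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
        }
        # Register backup
        $backupJson = $backupData | ConvertTo-Json -Depth 10
        Register-Backup -Type "AdminShares_Settings" -Data $backupJson -Name "AdminShares_Disable"
        Write-Log -Level INFO -Message "Backed up $($currentShares.Count) administrative shares" -Module "AdvancedSecurity"

        # Disable automatic creation. New-ItemProperty -Force both creates and overwrites the
        # value and pins its kind to REG_DWORD, so a pre-existing value stored with the wrong
        # type is corrected rather than preserved.
        Write-Log -Level INFO -Message "Disabling automatic administrative share creation..." -Module "AdvancedSecurity"
        if (-not (Test-Path $regPath)) {
            New-Item -Path $regPath -Force | Out-Null
        }
        $autoShareValues = [ordered]@{
            AutoShareWks    = 'Workstation shares'     # Home/Pro editions
            AutoShareServer = 'Server edition shares'  # Server editions
        }
        foreach ($valueName in $autoShareValues.Keys) {
            New-ItemProperty -Path $regPath -Name $valueName -Value 0 -PropertyType DWord -Force -ErrorAction Stop | Out-Null
            Write-Log -Level SUCCESS -Message "Disabled $valueName ($($autoShareValues[$valueName]))" -Module "AdvancedSecurity"
        }

        # Remove existing shares
        Write-Log -Level INFO -Message "Removing existing administrative shares..." -Module "AdvancedSecurity"
        $removedCount = 0
        $skippedShares = @()
        foreach ($share in $currentShares) {
            try {
                Remove-SmbShare -Name $share.Name -Force -ErrorAction Stop
                Write-Log -Level SUCCESS -Message "Removed share: $($share.Name) ($($share.Path))" -Module "AdvancedSecurity"
                $removedCount++
            }
            catch {
                # The system may refuse to drop a live admin share; with AutoShare* = 0 it will not
                # come back after reboot. The real reason is logged so an unrelated failure is not
                # hidden behind the reassuring "protected by system" wording.
                Write-Log -Level INFO -Message "Share $($share.Name) protected by system (will not be recreated after reboot): $($_.Exception.Message)" -Module "AdvancedSecurity"
                $skippedShares += $share.Name
            }
        }
        if ($skippedShares.Count -gt 0) {
            Write-Log -Level INFO -Message "System-protected shares: $($skippedShares -join ', ') - Will NOT be recreated after reboot" -Module "AdvancedSecurity"
        }
        Write-Log -Level SUCCESS -Message "Removed $removedCount administrative shares, $($skippedShares.Count) protected by system" -Module "AdvancedSecurity"

        # Defence in depth: block inbound SMB (TCP/445) on the Public profile only.
        # Private/Domain profiles are deliberately left open so LAN/management access keeps working.
        Write-Log -Level INFO -Message "Adding firewall protection for SMB on Public networks..." -Module "AdvancedSecurity"
        $firewallRuleName = "Block Admin Shares - NoID Privacy"
        # Re-create rather than update so the rule always has exactly the parameters below
        $existingRule = Get-NetFirewallRule -DisplayName $firewallRuleName -ErrorAction SilentlyContinue
        if ($existingRule) {
            Write-Log -Level INFO -Message "Firewall rule already exists, updating..." -Module "AdvancedSecurity"
            Remove-NetFirewallRule -DisplayName $firewallRuleName -ErrorAction SilentlyContinue
        }
        New-NetFirewallRule -DisplayName $firewallRuleName `
            -Direction Inbound `
            -Protocol TCP `
            -LocalPort 445 `
            -Profile Public `
            -Action Block `
            -ErrorAction Stop | Out-Null
        Write-Log -Level SUCCESS -Message "Firewall rule created: Block SMB (port 445) on Public networks" -Module "AdvancedSecurity"

        Write-Host ""
        Write-Host "================================================" -ForegroundColor Green
        Write-Host " ADMINISTRATIVE SHARES DISABLED" -ForegroundColor Green
        Write-Host "================================================" -ForegroundColor Green
        Write-Host ""
        Write-Host "Registry settings:" -ForegroundColor White
        Write-Host " AutoShareWks: 0 (Disabled)" -ForegroundColor Gray
        Write-Host " AutoShareServer: 0 (Disabled)" -ForegroundColor Gray
        Write-Host ""
        Write-Host "Removed shares: $removedCount" -ForegroundColor White
        if ($skippedShares.Count -gt 0) {
            Write-Host "Protected shares: $($skippedShares -join ', ') (cannot be removed while running)" -ForegroundColor Gray
        }
        Write-Host "Firewall: SMB blocked on Public networks" -ForegroundColor White
        Write-Host ""
        Write-Host "IMPORTANT: REBOOT REQUIRED" -ForegroundColor Yellow
        $exampleShares = if ($skippedShares.Count -gt 0) { $skippedShares -join ', ' } else { 'C$, ADMIN$' }
        Write-Host "All admin shares (including $exampleShares) will NOT be recreated after reboot." -ForegroundColor Green
        Write-Host ""
        Write-Host "Note: IPC$ cannot be removed (required by Windows)" -ForegroundColor Gray
        Write-Host "Note: Explicit file shares will still work" -ForegroundColor Gray
        Write-Host ""
        return $true
    }
    catch {
        # Any terminating error (CIM query, registry write, firewall rule) lands here.
        Write-Log -Level ERROR -Message "Failed to disable administrative shares: $_" -Module "AdvancedSecurity" -Exception $_.Exception
        return $false
    }
}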