Andreas/noid-privacy
1
0
Fork 0
mirror of https://github.com/NexusOne23/noid-privacy.git synced 2026-02-07 04:01:52 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
noid-privacy/Modules/AdvancedSecurity/Private/Test-DiscoveryProtocolsSecurity.ps1

122 lines
4.4 KiB
PowerShell
Raw Blame History

function Test-DiscoveryProtocolsSecurity {
<#
.SYNOPSIS
Tests WS-Discovery and mDNS hardening state.
.DESCRIPTION
Verifies that the following conditions are met:
- OS-level mDNS resolver disabled (EnableMDNS = 0)
- FDResPub and fdPHost services disabled and not running
- NoID firewall BLOCK rules for WS-Discovery and mDNS exist and are enabled
Returns a PSCustomObject with detailed fields and an overall Compliant flag.
.EXAMPLE
Test-DiscoveryProtocolsSecurity
#>
[CmdletBinding()]
param()
$result = [PSCustomObject]@{
EnableMDNS = $null
FDResPubDisabled = $false
FdPHostDisabled = $false
FirewallRulesPresent = $false
FirewallRulesEnabled = $false
Udp3702ListenersClosed = $null
Udp5353ListenersClosed = $null
Tcp5357ListenersClosed = $null
Tcp5358ListenersClosed = $null
Compliant = $false
Pass = $true # Optional feature (Maximum only) - always pass
}
try {
# 1) Check mDNS registry flag
$dnsParamsPath = "HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters"
if (Test-Path $dnsParamsPath) {
$props = Get-ItemProperty -Path $dnsParamsPath -ErrorAction SilentlyContinue
if ($props.PSObject.Properties.Name -contains 'EnableMDNS') {
$result.EnableMDNS = $props.EnableMDNS
}
}
# 2) Check services
$fdResPub = Get-Service -Name "FDResPub" -ErrorAction SilentlyContinue
if ($fdResPub) {
$result.FDResPubDisabled = ($fdResPub.StartType -eq 'Disabled' -and $fdResPub.Status -ne 'Running')
}
$fdPHost = Get-Service -Name "fdPHost" -ErrorAction SilentlyContinue
if ($fdPHost) {
$result.FdPHostDisabled = ($fdPHost.StartType -eq 'Disabled' -and $fdPHost.Status -ne 'Running')
}
# 3) Check firewall rules
$ruleNames = @(
"NoID-Block-WSD-UDP-3702",
"NoID-Block-WSD-TCP-5357",
"NoID-Block-WSD-TCP-5358",
"NoID-Block-mDNS-UDP-5353"
)
$rules = @()
foreach ($name in $ruleNames) {
$r = Get-NetFirewallRule -Name $name -ErrorAction SilentlyContinue
if ($r) {
$rules += $r
}
}
if ($rules.Count -gt 0) {
$result.FirewallRulesPresent = ($rules.Count -eq $ruleNames.Count)
$result.FirewallRulesEnabled = @($rules | Where-Object { $_.Enabled -eq 'True' -and $_.Action -eq 'Block' }).Count -eq $ruleNames.Count
}
# 4) Optional: check that ports are not listening
try {
$udp3702 = Get-NetUDPEndpoint -LocalPort 3702 -ErrorAction SilentlyContinue
$result.Udp3702ListenersClosed = (-not $udp3702)
}
catch {
$result.Udp3702ListenersClosed = $null
}
try {
$udp5353 = Get-NetUDPEndpoint -LocalPort 5353 -ErrorAction SilentlyContinue
$result.Udp5353ListenersClosed = (-not $udp5353)
}
catch {
$result.Udp5353ListenersClosed = $null
}
try {
$tcp5357 = Get-NetTCPConnection -LocalPort 5357 -State Listen -ErrorAction SilentlyContinue
$result.Tcp5357ListenersClosed = (-not $tcp5357)
}
catch {
$result.Tcp5357ListenersClosed = $null
}
try {
$tcp5358 = Get-NetTCPConnection -LocalPort 5358 -State Listen -ErrorAction SilentlyContinue
$result.Tcp5358ListenersClosed = (-not $tcp5358)
}
catch {
$result.Tcp5358ListenersClosed = $null
}
# Overall compliance: mDNS disabled, services disabled, firewall rules present+enabled
$mdnsOk = ($result.EnableMDNS -eq 0)
$servicesOk = $result.FDResPubDisabled -and $result.FdPHostDisabled
$firewallOk = $result.FirewallRulesPresent -and $result.FirewallRulesEnabled
$result.Compliant = $mdnsOk -and $servicesOk -and $firewallOk
return $result
}
catch {
Write-Log -Level ERROR -Message "Failed to test discovery protocol security (WS-Discovery/mDNS): $_" -Module "AdvancedSecurity" -Exception $_.Exception
return $result
}
}
Reference in a new issue View git blame Copy permalink