Andreas/noid-privacy
1
0
Fork 0
mirror of https://github.com/NexusOne23/noid-privacy.git synced 2026-02-07 12:11:53 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
noid-privacy/Modules/AdvancedSecurity/Private/Set-WirelessDisplaySecurity.ps1

200 lines
10 KiB
PowerShell
Raw Blame History

function Set-WirelessDisplaySecurity {
<#
.SYNOPSIS
Hardens Wireless Display (Miracast) settings to prevent screen interception attacks.
.DESCRIPTION
Configures Windows Wireless Display policies to prevent attackers from:
- Setting up rogue Miracast receivers to capture your screen
- Using your PC as an unauthorized display receiver
- Intercepting screen content via mDNS spoofing
Default (always applied): Blocks receiving projections, requires PIN for pairing
Full disable: Also blocks sending projections and mDNS discovery
.PARAMETER DisableCompletely
If specified, completely disables all Wireless Display functionality.
Default: Only hardens (blocks receiving, requires PIN) but allows sending.
.EXAMPLE
Set-WirelessDisplaySecurity
# Applies default hardening (blocks receiving, requires PIN)
.EXAMPLE
Set-WirelessDisplaySecurity -DisableCompletely
# Completely disables all Wireless Display functionality
#>
[CmdletBinding()]
param(
[switch]$DisableCompletely
)
try {
Write-Log -Level INFO -Message "Applying Wireless Display security hardening (DisableCompletely: $DisableCompletely)..." -Module "AdvancedSecurity"
$changesApplied = 0
# Registry path for Wireless Display policies
$connectPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Connect"
# Create key if it doesn't exist
if (-not (Test-Path $connectPath)) {
New-Item -Path $connectPath -Force | Out-Null
Write-Log -Level INFO -Message "Created registry key: $connectPath" -Module "AdvancedSecurity"
}
# ============================================
# ALWAYS APPLIED (Default hardening for all profiles)
# ============================================
# 1. AllowProjectionToPC = 0 (Block receiving projections - prevents rogue receiver attacks)
$currentValue = Get-ItemProperty -Path $connectPath -Name "AllowProjectionToPC" -ErrorAction SilentlyContinue
if ($null -eq $currentValue -or $currentValue.AllowProjectionToPC -ne 0) {
Set-ItemProperty -Path $connectPath -Name "AllowProjectionToPC" -Value 0 -Type DWord -Force
Write-Log -Level INFO -Message "Set AllowProjectionToPC = 0 (Block receiving)" -Module "AdvancedSecurity"
$changesApplied++
}
# 2. RequirePinForPairing = 2 (Always require PIN - prevents unauthorized pairing)
$currentValue = Get-ItemProperty -Path $connectPath -Name "RequirePinForPairing" -ErrorAction SilentlyContinue
if ($null -eq $currentValue -or $currentValue.RequirePinForPairing -ne 2) {
Set-ItemProperty -Path $connectPath -Name "RequirePinForPairing" -Value 2 -Type DWord -Force
Write-Log -Level INFO -Message "Set RequirePinForPairing = 2 (Always require PIN)" -Module "AdvancedSecurity"
$changesApplied++
}
# ============================================
# OPTIONAL: Complete disable (user choice)
# ============================================
if ($DisableCompletely) {
Write-Log -Level INFO -Message "Applying complete Wireless Display disable..." -Module "AdvancedSecurity"
# 3. AllowProjectionFromPC = 0 (Block sending projections)
$currentValue = Get-ItemProperty -Path $connectPath -Name "AllowProjectionFromPC" -ErrorAction SilentlyContinue
if ($null -eq $currentValue -or $currentValue.AllowProjectionFromPC -ne 0) {
Set-ItemProperty -Path $connectPath -Name "AllowProjectionFromPC" -Value 0 -Type DWord -Force
Write-Log -Level INFO -Message "Set AllowProjectionFromPC = 0 (Block sending)" -Module "AdvancedSecurity"
$changesApplied++
}
# 4. AllowMdnsAdvertisement = 0 (Don't advertise as receiver)
$currentValue = Get-ItemProperty -Path $connectPath -Name "AllowMdnsAdvertisement" -ErrorAction SilentlyContinue
if ($null -eq $currentValue -or $currentValue.AllowMdnsAdvertisement -ne 0) {
Set-ItemProperty -Path $connectPath -Name "AllowMdnsAdvertisement" -Value 0 -Type DWord -Force
Write-Log -Level INFO -Message "Set AllowMdnsAdvertisement = 0 (No mDNS ads)" -Module "AdvancedSecurity"
$changesApplied++
}
# 5. AllowMdnsDiscovery = 0 (Don't discover receivers via mDNS)
$currentValue = Get-ItemProperty -Path $connectPath -Name "AllowMdnsDiscovery" -ErrorAction SilentlyContinue
if ($null -eq $currentValue -or $currentValue.AllowMdnsDiscovery -ne 0) {
Set-ItemProperty -Path $connectPath -Name "AllowMdnsDiscovery" -Value 0 -Type DWord -Force
Write-Log -Level INFO -Message "Set AllowMdnsDiscovery = 0 (No mDNS discovery)" -Module "AdvancedSecurity"
$changesApplied++
}
# 6. AllowProjectionFromPCOverInfrastructure = 0 (Block infrastructure projection)
$currentValue = Get-ItemProperty -Path $connectPath -Name "AllowProjectionFromPCOverInfrastructure" -ErrorAction SilentlyContinue
if ($null -eq $currentValue -or $currentValue.AllowProjectionFromPCOverInfrastructure -ne 0) {
Set-ItemProperty -Path $connectPath -Name "AllowProjectionFromPCOverInfrastructure" -Value 0 -Type DWord -Force
Write-Log -Level INFO -Message "Set AllowProjectionFromPCOverInfrastructure = 0" -Module "AdvancedSecurity"
$changesApplied++
}
# 7. AllowProjectionToPCOverInfrastructure = 0 (Block infrastructure receiving)
$currentValue = Get-ItemProperty -Path $connectPath -Name "AllowProjectionToPCOverInfrastructure" -ErrorAction SilentlyContinue
if ($null -eq $currentValue -or $currentValue.AllowProjectionToPCOverInfrastructure -ne 0) {
Set-ItemProperty -Path $connectPath -Name "AllowProjectionToPCOverInfrastructure" -Value 0 -Type DWord -Force
Write-Log -Level INFO -Message "Set AllowProjectionToPCOverInfrastructure = 0" -Module "AdvancedSecurity"
$changesApplied++
}
# 8. Block Miracast ports via Windows Firewall (7236, 7250)
$firewallRules = @(
@{
Name = "NoID-Block-Miracast-TCP-7236"
DisplayName = "NoID Privacy - Block Miracast TCP 7236"
Direction = "Inbound"
Protocol = "TCP"
LocalPort = 7236
},
@{
Name = "NoID-Block-Miracast-TCP-7250"
DisplayName = "NoID Privacy - Block Miracast TCP 7250"
Direction = "Inbound"
Protocol = "TCP"
LocalPort = 7250
},
@{
Name = "NoID-Block-Miracast-UDP-7236"
DisplayName = "NoID Privacy - Block Miracast UDP 7236"
Direction = "Inbound"
Protocol = "UDP"
LocalPort = 7236
},
@{
Name = "NoID-Block-Miracast-UDP-7250"
DisplayName = "NoID Privacy - Block Miracast UDP 7250"
Direction = "Inbound"
Protocol = "UDP"
LocalPort = 7250
}
)
foreach ($rule in $firewallRules) {
$existingRule = Get-NetFirewallRule -Name $rule.Name -ErrorAction SilentlyContinue
if (-not $existingRule) {
New-NetFirewallRule -Name $rule.Name `
-DisplayName $rule.DisplayName `
-Direction $rule.Direction `
-Protocol $rule.Protocol `
-LocalPort $rule.LocalPort `
-Action Block `
-Profile Any `
-Enabled True | Out-Null
Write-Log -Level INFO -Message "Created firewall rule: $($rule.DisplayName)" -Module "AdvancedSecurity"
$changesApplied++
}
}
# 9. Disable WiFi Direct Service (WFDSConMgrSvc) - CRITICAL for complete Miracast block
# Registry policies alone don't block WiFi Direct P2P discovery!
$wfdService = Get-Service -Name "WFDSConMgrSvc" -ErrorAction SilentlyContinue
if ($wfdService) {
if ($wfdService.Status -eq 'Running') {
Stop-Service -Name "WFDSConMgrSvc" -Force -ErrorAction SilentlyContinue
Write-Log -Level INFO -Message "Stopped WiFi Direct Service (WFDSConMgrSvc)" -Module "AdvancedSecurity"
}
if ($wfdService.StartType -ne 'Disabled') {
Set-Service -Name "WFDSConMgrSvc" -StartupType Disabled -ErrorAction SilentlyContinue
Write-Log -Level INFO -Message "Disabled WiFi Direct Service (WFDSConMgrSvc) - survives reboot" -Module "AdvancedSecurity"
$changesApplied++
}
}
# 10. Disable WiFi Direct Virtual Adapters (immediate effect)
$wfdAdapters = Get-NetAdapter -InterfaceDescription "Microsoft Wi-Fi Direct Virtual*" -IncludeHidden -ErrorAction SilentlyContinue
if ($wfdAdapters) {
$wfdAdapters | Where-Object { $_.Status -ne 'Disabled' } | ForEach-Object {
Disable-NetAdapter -Name $_.Name -Confirm:$false -ErrorAction SilentlyContinue
Write-Log -Level INFO -Message "Disabled WiFi Direct adapter: $($_.Name)" -Module "AdvancedSecurity"
$changesApplied++
}
}
}
if ($changesApplied -eq 0) {
Write-Log -Level SUCCESS -Message "Wireless Display security already configured (no changes needed)" -Module "AdvancedSecurity"
}
else {
Write-Log -Level SUCCESS -Message "Wireless Display security applied ($changesApplied changes)" -Module "AdvancedSecurity"
}
return $true
}
catch {
Write-Log -Level ERROR -Message "Failed to apply Wireless Display security: $_" -Module "AdvancedSecurity" -Exception $_.Exception
return $false
}
}
Reference in a new issue View git blame Copy permalink