Andreas/noid-privacy
1
0
Fork 0
mirror of https://github.com/NexusOne23/noid-privacy.git synced 2026-02-07 04:01:52 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
noid-privacy/Docs/FEATURES.md
NexusOne23 d78d941113 v2.2.0: Fix Privacy settings count + DoH connectivity test 
Privacy Module:
- Fixed 'Applied X settings' to show only registry settings (60/78/86)
- Bloatware count no longer added to settings total
- Consistent with module prompt (MSRecommended: 60, Strict: 78, Paranoid: 86)

DNS Module:
- Fixed DoH connectivity test for systems with REQUIRE mode active
- Tests HTTPS endpoint (port 443) when classic DNS is blocked
- Proper detection of existing DoH configuration

Verified: Full Apply/Verify/Restore cycle - 633/633 settings (100%)
2025-12-09 10:48:12 +01:00

30 KiB
Raw Blame History

NoID Privacy - Complete Feature List

Framework Version: v2.2.0
Total Security Settings: 633 (Paranoid mode)
Modules: 7 (All Production-Ready)
Last Updated: December 8, 2025

📊 Module Overview

Module Settings Status Description
SecurityBaseline 425 v2.2.0 Microsoft Security Baseline for Windows 11 v25H2
ASR 19 v2.2.0 Attack Surface Reduction rules
DNS 5 v2.2.0 Secure DNS with DoH encryption
Privacy 78 v2.2.0 Telemetry control, OneDrive hardening (Strict: 70 Registry + 2 Services + 6 OneDrive)
AntiAI 32 v2.2.0 AI lockdown (15 features, 32 compliance checks)
EdgeHardening 24 v2.2.0 Microsoft Edge browser security (24 policies)
AdvancedSecurity 50 v2.2.0 Advanced hardening beyond MS Baseline (incl. Wireless Display, Discovery Protocols, IPv6)
TOTAL 633 100% Complete Framework (Paranoid mode)

🔒 Module 1: SecurityBaseline (425 Settings)

Description: Complete implementation of Microsoft's official Windows 11 v25H2 Security Baseline

Components:

Registry Policies (335 settings)

  • Computer Configuration policies (330 settings)
  • User Configuration policies (5 settings)
  • Windows Defender Antivirus baseline
  • Windows Firewall configuration
  • BitLocker drive encryption settings
  • Internet Explorer 11 security zones

Security Template (67 settings)

  • Password Policy: MinimumPasswordLength (14), PasswordHistorySize (24), etc.
  • Account Lockout: LockoutBadCount (10), LockoutDuration (10 minutes)
  • User Rights Assignment: Administrative permissions and privileges
  • Security Options: Network access, authentication, object access
  • Service Configuration: Xbox services disabled for security

Audit Policies (23 subcategories)

  • Logon/Logoff events
  • Account Management
  • Policy Change tracking
  • Privilege Use monitoring
  • System events
  • Object Access auditing

Key Features:

  • VBS (Virtualization Based Security)
  • Credential Guard
  • System Guard Secure Launch
  • Kernel CET Shadow Stacks (Win11 25H2)
  • Memory Integrity (HVCI)
  • Interactive BitLocker USB prompt (Home/Enterprise choice)

Home User Adjustments:

  • BitLocker USB: Default = 0 (Home Mode - USB works normally)
  • Password Policies: Only affect local accounts (~5% of users)

🛡️ Module 2: ASR (19 Settings)

Description: All 19 Microsoft Defender Attack Surface Reduction rules

What ASR Rules Block (and Why It's Important):

Email & Download Attacks

  1. Block executable content from email - Stops malware from .exe/.dll/.ps1 email attachments
  2. Block JavaScript/VBScript from launching downloads - Prevents drive-by downloads from malicious websites
  3. Block execution of obfuscated scripts - Detects and blocks heavily obfuscated PowerShell/JS scripts used by malware
  4. Block untrusted/unsigned processes from USB - Prevents USB-based malware execution (BadUSB attacks)

Office Exploits

  1. Block Office from creating child processes - Stops Word/Excel macros from spawning cmd.exe/powershell.exe
  2. Block Office from creating executable content - Prevents Office from writing .exe files to disk
  3. Block Office from injecting code into other processes - Stops process injection attacks
  4. Block Win32 API calls from Office macros - Prevents macros from calling dangerous Windows APIs
  5. Block Adobe Reader from creating child processes - Same protection for PDF exploits
  6. Block Office communication apps (Outlook) child processes - Stops email-based exploit chains

Credential Theft & Persistence

  1. Block credential stealing from LSASS - Protects against Mimikatz and similar tools
  2. Block persistence through WMI - Prevents malware from hiding in WMI event subscriptions
  3. Block process creation from PSExec/WMI - Stops lateral movement tools (configurable: Block or Audit)

Ransomware Protection

  1. Use advanced ransomware protection - AI-powered behavioral detection of ransomware
  2. Block executable files unless they meet reputation criteria - SmartScreen integration

Advanced Threats

  1. Block abuse of exploited vulnerable signed drivers - Prevents BYOVD (Bring Your Own Vulnerable Driver) attacks
  2. Block webshell creation - Stops IIS/Apache webshell deployment (Server-focused)
  3. Block rebooting in Safe Mode - Prevents ransomware from bypassing defenses
  4. Block use of copied/impersonated system tools - Detects renamed legitimate tools (rundll32.exe → run.exe)

Interactive Prompt:

  • PSExec/WMI Rule (d1e49aac): Choose Block or Audit
    • Block: Maximum security (may break SCCM/remote admin tools)
    • Audit: Logs events only (good for enterprise compatibility testing)

🌐 Module 3: DNS (5 Settings)

Description: Secure DNS with DNS-over-HTTPS encryption

Providers (3 available):

Quad9 (Default - Security)

  • IPv4: 9.9.9.9, 149.112.112.112
  • IPv6: 2620:fe::fe, 2620:fe::9
  • DoH: https://dns.quad9.net/dns-query
  • Ratings: Speed 4/5, Privacy 5/5, Security 5/5, Filtering 4/5
  • Best for: Security-focused users, malware protection

Cloudflare (Speed)

  • IPv4: 1.1.1.1, 1.0.0.1
  • IPv6: 2606:4700:4700::1111, 2606:4700:4700::1001
  • DoH: https://cloudflare-dns.com/dns-query
  • Ratings: Speed 5/5, Privacy 4/5, Security 4/5, Filtering 2/5
  • Best for: Speed-focused users, fastest resolver

AdGuard (Ad-Blocking)

  • IPv4: 94.140.14.14, 94.140.15.15
  • IPv6: 2a10:50c0::ad1:ff, 2a10:50c0::ad2:ff
  • DoH: https://dns.adguard-dns.com/dns-query
  • Ratings: Speed 4/5, Privacy 4/5, Security 4/5, Filtering 5/5
  • Best for: Ad/tracker blocking at DNS level

Features:

  • DoH Encryption with 2 Interactive Modes:
    • [1] REQUIRE Mode (Default): NO unencrypted fallback (AllowFallbackToUdp = $False)
      • Best for: Home networks, single-location systems
      • Maximum security - DNS queries always encrypted
    • [2] ALLOW Mode: Fallback to UDP allowed (AllowFallbackToUdp = $True)
      • Best for: VPN users, mobile devices, corporate networks, captive portals
      • Balanced security - falls back to unencrypted if DoH unavailable
    • [3] Skip: Keep current DNS settings unchanged
  • DNSSEC validation (server-side by all providers)
  • DHCP-aware backup/restore
  • Physical adapter auto-detection (excludes virtual/VPN adapters)
  • Connectivity validation before apply

🔇 Module 4: Privacy (78 Settings)

Description: Windows telemetry control, OneDrive/MS Store telemetry, and bloatware removal

What's Actually Done:

  • Windows Telemetry: 3 modes (MSRecommended/Strict/Paranoid)
  • OneDrive Telemetry: Feedback & sync reports disabled
  • OneDrive Sync: Remains FUNCTIONAL (DisablePersonalSync = 0)
  • MS Store Telemetry: AutoDownload = 3 (auto-update apps, no upgrade prompts)
  • Bloatware Removal: 8-24 apps removed (PolicyMethod for ENT/EDU, ClassicMethod for others)

Operating Modes (Interactive Selection):

MSRecommended (Default - Fully Supported)

  • AllowTelemetry = 1 (Required)
  • Services NOT disabled (policies only)
  • AppPrivacy: Selective (Location/Radios Force Deny, Mic/Camera user decides)
  • Best for: Production, business environments

Strict (Maximum Privacy)

  • AllowTelemetry = 0 (Off - Enterprise/Edu only, Pro falls back)
  • Services: DiagTrack + dmwappushservice disabled
  • AppPrivacy: Force Deny Location/App-Diagnose/Generative AI only
  • Mic/Camera: User decides (Teams/Zoom work!)
  • Best for: Privacy-focused home users, small business

Paranoid (Hardcore - NOT Recommended)

  • Everything from Strict + WerSvc disabled
  • Tasks: CEIP/AppExperience/DiskDiag disabled
  • AppPrivacy: Force Deny ALL (Mic/Camera/Contacts/Calendar)
  • WARNING: BREAKS Teams/Zoom/Skype!
  • Best for: Air-gapped, kiosk, extreme privacy only

⚠️ Windows Insider Program Compatibility

MSRecommended mode sets AllowTelemetry=1 via Group Policy, which blocks Windows Insider Program enrollment. The Insider Program requires "Optional diagnostic data" (AllowTelemetry=3) for initial enrollment.

Workaround: Temporarily remove the AllowTelemetry policy before Insider enrollment:

Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection" -Name "AllowTelemetry"

After enrollment, you can optionally re-apply Privacy hardening. Insider builds will continue to download even with AllowTelemetry=1 restored.

See: README Troubleshooting - Windows Insider Program Compatibility

Bloatware Removal:

PolicyMethod (8 apps - ENT/EDU Win11 25H2+):

  • BingNews, BingWeather, MicrosoftSolitaireCollection
  • MicrosoftStickyNotes, GamingApp, WindowsFeedbackHub
  • Xbox components (GamingOverlay, IdentityProvider)

ClassicMethod (up to 24 apps - All other editions):

Microsoft.BingNews, Microsoft.BingWeather
Microsoft.MicrosoftStickyNotes, Microsoft.GamingApp
Microsoft.XboxApp, Microsoft.XboxGamingOverlay
Microsoft.XboxIdentityProvider
Microsoft.ZuneMusic, Microsoft.ZuneVideo
Microsoft.WindowsFeedbackHub, Microsoft.GetHelp
Microsoft.Getstarted, Microsoft.MixedReality.Portal
Microsoft.People, Microsoft.YourPhone
Clipchamp.Clipchamp, SpotifyAB.SpotifyMusic
*CandyCrush*, Disney.*, Facebook.*, TikTok.TikTok

Skipped for restore safety (not in winget msstore):

  • Microsoft.MicrosoftSolitaireCollection
  • Microsoft.XboxSpeechToTextOverlay, Microsoft.Xbox.TCUI

Protected Apps (19 kept):

  • Core Apps: WindowsStore, WindowsCalculator, Photos, Paint
  • Productivity: WindowsNotepad, WindowsTerminal, WindowsCamera, ScreenSketch, WindowsSoundRecorder
  • System: DesktopAppInstaller (winget), StorePurchaseApp
  • Media Codecs: HEIF, HEVC, WebP, VP9, WebMedia, AV1, MPEG2, RAW (8 extensions)

OneDrive Settings:

  • Telemetry: Disabled
  • Sync: Functional (not broken)
  • Store: Enabled (app updates needed)

🤖 Module 5: AntiAI (32 Policies)

Description: Disable 15 Windows AI features via 32 registry policies (v2.2.0)

15 AI Features Disabled:

# Feature Policies Description
1 Generative AI Master Switch 2 Blocks ALL apps from using on-device AI models
2 Windows Recall 8 Screenshots, OCR, component removal + Enterprise Protection
3 Windows Copilot 6 4-layer disable: WindowsAI, WindowsCopilot, Taskbar, Explorer
4 Click to Do 2 Screenshot AI analysis with action suggestions
5 Paint Cocreator 1 Cloud-based text-to-image generation
6 Paint Generative Fill 1 AI-powered image editing
7 Paint Image Creator 1 DALL-E art generator
8 Notepad AI 1 Write, Summarize, Rewrite features (GPT)
9 Settings Agent 1 AI-powered Settings search
10 Recall Export Block 1 Prevents export of Recall data
11 Copilot URI Handlers 1 Blocks ms-copilot:// and ms-chat:// URI schemes
12 Edge Copilot Sidebar 3 EdgeSidebarEnabled, ShowHubsSidebar, HubsSidebarEnabled
13 Region Policy Override 1 Prevents region bypass for AI features
14 Copilot Network Block 1 Blocks Copilot endpoints via hosts file
15 File Explorer AI Actions 1 HideAIActionsMenu in Explorer context menu

Recall Enterprise Protection:

  • App Deny List: Browser, Terminal, Password managers, RDP never captured
  • URI Deny List: Banking (.bank.), Email (mail.*), Login pages (password, login)
  • Storage Duration: Maximum 30 days retention
  • Storage Space: Maximum 10 GB allocated

Automatically Blocked (by Master Switch):

  • Photos Generative Erase / Background effects
  • Clipchamp Auto Compose
  • Snipping Tool AI-OCR / Quick Redact
  • All future generative AI apps

32 Registry Policies Applied:

HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy\LetAppsAccessSystemAIModels = 2
HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\systemAIModels\Value = Deny
HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsAI\AllowRecallEnablement = 0
HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsAI\DisableAIDataAnalysis = 1
HKCU:\SOFTWARE\Policies\Microsoft\Windows\WindowsAI\DisableAIDataAnalysis = 1
HKCU:\SOFTWARE\Policies\Microsoft\Windows\WindowsAI\DisableRecallDataProviders = 1
HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsAI\SetDenyAppListForRecall = [...]
HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsAI\SetDenyUriListForRecall = [...]
HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsAI\SetMaximumStorageDurationForRecallSnapshots = 30
HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsAI\SetMaximumStorageSpaceForRecallSnapshots = 10
HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsAI\TurnOffWindowsCopilot = 1
HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsCopilot\TurnOffWindowsCopilot = 1
HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsCopilot\ShowCopilotButton = 0
HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer\DisableWindowsCopilot = 1
HKCU:\Software\Policies\Microsoft\Windows\WindowsCopilot\TurnOffWindowsCopilot = 1
HKCU:\Software\Policies\Microsoft\Windows\WindowsCopilot\ShowCopilotButton = 0
HKCU:\Software\Policies\Microsoft\Windows\WindowsAI\SetCopilotHardwareKey = Notepad (redirect)
HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsAI\DisableClickToDo = 1
HKCU:\SOFTWARE\Policies\Microsoft\Windows\WindowsAI\DisableClickToDo = 1
HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Paint\DisableCocreator = 1
HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Paint\DisableGenerativeFill = 1
HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Paint\DisableImageCreator = 1
HKLM:\SOFTWARE\Policies\WindowsNotepad\DisableAIFeatures = 1
HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsAI\DisableSettingsAgent = 1
HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsAI\AllowRecallExport = 0
HKLM:\SOFTWARE\Policies\Microsoft\Edge\EdgeSidebarEnabled = 0
HKLM:\SOFTWARE\Policies\Microsoft\Edge\ShowHubsSidebar = 0
HKLM:\SOFTWARE\Policies\Microsoft\Edge\HubsSidebarEnabled = 0
HKLM:\SOFTWARE\Policies\Microsoft\Edge\CopilotPageContext = 0
HKLM:\SOFTWARE\Policies\Microsoft\Edge\CopilotCDPPageContext = 0

Impact:

  • No AI data collection
  • No cloud processing of local data
  • Copilot completely hidden from taskbar and Start menu
  • Edge Copilot sidebar disabled
  • Traditional app experience restored
  • Reboot required for Recall component removal

⚠️ Known Limitations:

Some UI elements in Paint and Photos apps may still be visible but non-functional due to lack of Microsoft-provided policies:

  • Photos: Generative Erase button, Background Blur/Remove options
  • Paint: Some AI feature UI elements

Why? Microsoft does NOT provide dedicated policies to hide these UI elements. Functionality is blocked via systemAIModels API Master Switch (LetAppsAccessSystemAIModels = 2), but UI removal requires Microsoft to add policies in future Windows updates.

Result: Buttons are visible but clicking them does nothing (API access blocked).

🌐 Module 6: EdgeHardening (24 Settings)

Description: Microsoft Edge v139 Security Baseline

Core Security:

  • EnhanceSecurityMode = 2 (Strict)
  • SmartScreenEnabled = 1
  • SmartScreenPuaEnabled = 1
  • PreventSmartScreenPromptOverride = 1
  • SitePerProcess = 1 (Site isolation)

Privacy:

  • TrackingPrevention = 2 (Strict)
  • PersonalizationReportingEnabled = 0
  • DiagnosticData = 0
  • DoNotTrack = 1

Security Mitigations:

  • SSL/TLS error override blocked
  • Extension blocklist (blocks all by default)
  • IE Mode restrictions
  • SharedArrayBuffer disabled (Spectre protection)
  • Application-bound encryption enabled

Features:

  • Native PowerShell implementation (no LGPO.exe)
  • AllowExtensions parameter available
  • Full backup/restore support

🔐 Module 7: AdvancedSecurity (50 Settings)

Description: Advanced hardening beyond Microsoft Security Baseline

Profile-Based Execution:

Feature Balanced Enterprise Maximum
RDP NLA Enforcement
WDigest Protection
Risky Ports/Services
Legacy TLS Disable
WPAD Disable
PowerShell v2 Removal
Admin Shares Disable ⚠️ Domain Check
RDP Complete Disable ⚠️ Optional
UPnP/SSDP Block ⚠️ Optional
Wireless Display Hardening
Wireless Display Full Disable ⚠️ Optional ⚠️ Optional ⚠️ Optional
Discovery Protocols (WSD/mDNS) Disable ⚠️ Optional
Firewall Shields Up ⚠️ Optional
IPv6 Disable (mitm6 mitigation) ⚠️ Optional
SRP .lnk Protection
Windows Update Config
Finger Protocol Block

Components:

1. RDP Hardening (3 settings)

  • NLA Enforcement: UserAuthentication = 1, SecurityLayer = 2
  • Optional Disable: fDenyTSConnections = 1 (Maximum profile only, for air-gapped systems)
  • Protection: Prevents RDP brute-force attacks

2. WDigest Credential Protection (1 setting)

  • Registry: UseLogonCredential = 0
  • Protection: Prevents LSASS memory credential theft (Mimikatz)
  • Note: Deprecated in Win11 24H2+ but kept for backwards compatibility

3. Risky Ports Closure (15 firewall rules)

  • LLMNR: Port 5355 TCP/UDP (MITM attack prevention)
  • NetBIOS: Ports 137-138 TCP/UDP (name resolution hijacking)
  • UPnP: Ports 1900, 2869 TCP/UDP (NAT traversal exploits)

4. Risky Services (3 services)

  • SSDP Discovery: Disabled (UPnP)
  • UPnP Device Host: Disabled
  • TCP/IP NetBIOS Helper: Disabled

5. Administrative Shares (2 registry keys)

  • AutoShareWks = 0: Disables C$, ADMIN$
  • AutoShareServer = 0: Server shares
  • Domain-Aware: Auto-skipped for domain-joined systems unless -Force

6. Legacy TLS Disable (8 registry keys)

  • TLS 1.0: Client + Server disabled
  • TLS 1.1: Client + Server disabled
  • Protection: BEAST, CRIME, POODLE attacks prevented

7. WPAD Disable (3 registry keys)

  • User + Machine: AutoDetect = 0
  • WinHTTP: DisableWpad = 1
  • Protection: Proxy hijacking attacks prevented

8. PowerShell v2 Removal (1 Windows Feature)

  • Feature: MicrosoftWindowsPowerShellV2Root
  • Protection: Prevents downgrade attacks (bypasses logging, AMSI, CLM)

9. SRP .lnk Protection - CVE-2025-9491 (2 rules)

  • Rule 1: Block %LOCALAPPDATA%\Temp*.lnk (Outlook attachments)
  • Rule 2: Block %USERPROFILE%\Downloads*.lnk (Browser downloads)
  • Protection: Prevents zero-day LNK RCE exploitation
  • Status: CRITICAL - Actively exploited since 2017, no patch available

10. Windows Update Configuration (3 Simple GUI Settings)

Aligns with Windows Settings GUI toggles NO forced schedules, NO auto-reboot, and only the documented policy keys needed to drive the visible switches

Settings Applied:

1. Get Latest Updates Immediately (ON, managed by policy)

  • Registry: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
  • Keys:
    • AllowOptionalContent = 1
    • SetAllowOptionalContent = 1
  • Effect: Enables optional/content configuration updates so the toggle "Get the latest updates as soon as they're available" is effectively ON and enforced by policy
  • GUI Path: Settings > Windows Update > Advanced options > Get the latest updates as soon as they're available (will show as managed by your organization)

2. Microsoft Update for Other Products (ON, user-toggleable)

  • Registry: HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings
  • Key: AllowMUUpdateService = 1
  • Effect: Get updates for Office, drivers, and other Microsoft products when updating Windows
  • GUI Path: Settings > Windows Update > Advanced options > Receive updates for other Microsoft products (user can still toggle)

3. Delivery Optimization - Downloads from Other Devices (OFF, managed by policy)

  • Registry: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization
  • Key: DODownloadMode = 0
  • Effect: HTTP only (Microsoft servers) no peer-to-peer, no LAN sharing
  • GUI Path: Settings > Windows Update > Advanced options > Delivery Optimization > Allow downloads from other devices = OFF (managed by your organization)

User Control & Transparency:

  • NO forced installation schedules
  • NO auto-reboot policies
  • Microsoft Update toggle remains user-controlled in the GUI
  • Windows clearly indicates where policies manage settings ("Some settings are managed by your organization")

Why This Approach?

  • Follows Microsoft Best Practice - matches GUI behavior
  • User keeps control over installation timing
  • No unexpected reboots at 3 AM
  • Transparent - exactly what Windows Settings shows

11. Finger Protocol Block (1 firewall rule)

  • Port: TCP 79 outbound
  • Protection: ClickFix malware campaign mitigation
  • Attack: Malware uses finger.exe to retrieve commands from attacker servers
  • Impact: Zero (Finger protocol obsolete since 1990s)

12. Wireless Display Security (9 settings)

Default Hardening (always applied, all profiles):

  • AllowProjectionToPC = 0: Block receiving projections (PC can't be used as display)
  • RequirePinForPairing = 2: Always require PIN for pairing

Optional Full Disable (user choice):

  • AllowProjectionFromPC = 0: Block sending projections
  • AllowMdnsAdvertisement = 0: Don't advertise as receiver via mDNS
  • AllowMdnsDiscovery = 0: Don't discover displays via mDNS
  • AllowProjectionFromPCOverInfrastructure = 0: Block infrastructure projection
  • AllowProjectionToPCOverInfrastructure = 0: Block infrastructure receiving
  • Firewall Rules: Block Miracast ports 7236/7250 (TCP + UDP)

Protection:

  • Prevents rogue Miracast receiver attacks (screen capture by attackers in network)
  • Blocks WPS PIN brute-force on Miracast connections
  • Prevents mDNS spoofing for fake display discovery
  • Defense-in-depth for Miracast attack surface

Impact:

  • Default: Presentations to TV/projector still work (sending allowed)
  • Full Disable: Use HDMI/USB-C cables instead of Miracast

13. Discovery Protocols Security (WS-Discovery + mDNS)

Optional (Maximum profile - user choice):

  • mDNS Resolver: Disabled via registry (EnableMDNS = 0)
  • WS-Discovery Services: FDResPub + SSDPSRV disabled
  • Firewall Blocks:
    • WS-Discovery ports: UDP 3702 (blocked inbound/outbound)
    • mDNS port: UDP 5353 (blocked inbound/outbound)

Protection:

  • Prevents network mapping via WS-Discovery
  • Blocks mDNS spoofing attacks (fake printers/devices)
  • Reduces lateral movement attack surface
  • Stops automatic device enumeration by attackers

Impact:

  • Automatic network printer/scanner discovery stops
  • Smart TV discovery via mDNS stops
  • Miracast discovery via mDNS stops (even if Feature 12 allows sending)
  • Manual IP configuration required for network devices

14. Firewall Shields Up (Maximum profile only)

Optional (Maximum profile):

  • Block All Inbound: DefaultInboundAction = Block
  • Block All Outbound: DefaultOutboundAction = Block (with exceptions)
  • Applies to Domain, Private, and Public profiles

Protection:

  • Maximum network isolation
  • Blocks all unsolicited inbound connections
  • Prevents unauthorized outbound connections

Impact:

  • Only explicitly allowed traffic passes
  • Recommended for air-gapped or high-security systems

15. IPv6 Disable (Maximum profile only - optional)

Optional (Maximum profile - user choice):

  • DisabledComponents = 0xFF: Completely disables IPv6 stack
  • Prevents all IPv6 traffic including DHCPv6 Solicitation

Protection (mitm6 attack):

  • Prevents DHCPv6 spoofing attacks
  • Blocks fake DHCPv6 server → DNS takeover
  • Prevents NTLM credential relay via IPv6
  • Defense-in-depth (WPAD already disabled)

Impact:

  • IPv6-only services/websites won't work
  • Exchange Server may have issues if using IPv6
  • Some Active Directory features may be affected
  • REBOOT REQUIRED

Recommended for:

  • Air-gapped systems
  • Standalone workstations (no Exchange/AD)
  • High-security environments where IPv6 is not needed

🎯 Protection Coverage

Zero-Day Vulnerabilities:

CVE-2025-9491 - Windows LNK RCE MITIGATED

  • Status: Unpatched (Microsoft: "does not meet servicing threshold")
  • Exploited Since: 2017 by APT groups
  • Our Protection: SRP rules block .lnk execution from Temp/Downloads
  • Why ASR Fails: .lnk files not classified as "executable content"
  • Why SmartScreen Fails: .lnk points to legitimate cmd.exe (trusted)

ClickFix Malware Campaign MITIGATED

  • Attack Vector: finger.exe abuse to retrieve malicious commands
  • Our Protection: Outbound TCP port 79 blocked
  • Impact: Zero (legacy protocol unused in 2025)

Attack Surface Reduction:

Attack Type Protection
Email Malware ASR: Block executables from email
USB Malware ASR: Block untrusted USB processes
Office Macros ASR: Block Win32 API calls
Credential Theft ASR: Block LSASS access + WDigest disabled
Ransomware ASR: Advanced ransomware protection
MITM Attacks DNS DoH + LLMNR/NetBIOS disabled
RDP Brute-Force NLA enforcement + optional disable
Proxy Hijacking WPAD disabled
TLS Exploits TLS 1.0/1.1 disabled (BEAST/CRIME)
PowerShell Downgrade PSv2 removed
DMA Attacks FireWire (IEEE 1394) blocked

📋 Interactive Features

User Prompts (13 Total):

SecurityBaseline (1 prompt):

  1. BitLocker USB Policy (Home/Enterprise)
    • Home Mode: USB works normally (no encryption enforcement)
    • Enterprise Mode: Require BitLocker encryption on USB drives

ASR (2 prompts):

  1. PSExec/WMI rule mode (Block/Audit)

    • Block: Maximum security (may break SCCM/remote admin)
    • Audit: Log only (compatibility testing)

  2. New Software rule mode (Block/Audit)

    • Block: Block executables that don't meet prevalence criteria
    • Audit: Log only (recommended for new software installs)

DNS (2 prompts):

  1. Provider selection (Quad9/Cloudflare/AdGuard/Skip)

    • 3 DNS providers available with ratings
    • Skip option to keep current DNS

  2. DoH Mode selection (REQUIRE/ALLOW/Skip)

    • REQUIRE: No unencrypted fallback (maximum security)
    • ALLOW: Fallback to UDP if needed (VPN/corporate/mobile)
    • Skip: Keep current DNS settings

Privacy (3 prompts):

  1. Mode selection (MSRecommended/Strict/Paranoid)

    • MSRecommended: Fully supported, production-safe
    • Strict: Maximum privacy (Teams/Zoom work)
    • Paranoid: Extreme privacy (BREAKS Teams/Zoom!)

  2. Cloud Clipboard (Enable/Disable) - only in MSRecommended mode

    • Disable: No cross-device clipboard sync (privacy)
    • Enable: Keep cloud clipboard functionality

  3. Bloatware Removal (Yes/No)

    • Yes: Remove 8-24 pre-installed apps
    • No: Keep all apps installed

AdvancedSecurity (5 prompts):

  1. Profile selection (Balanced/Enterprise/Maximum)

    • Balanced: Safe defaults for home users
    • Enterprise: Domain-aware checks
    • Maximum: Maximum hardening

  2. RDP Disable (Yes/No) - Balanced profile only, Maximum always disables

    • Yes: Completely disable Remote Desktop
    • No: Keep RDP enabled (with NLA hardening)

  3. UPnP/SSDP Block (Yes/No) - Balanced profile only, others always block

    • Yes: Block UPnP/SSDP (may break DLNA streaming)
    • No: Keep UPnP enabled

  4. Wireless Display Disable (Yes/No) - all profiles

    • Yes: Completely disable Miracast (use HDMI instead)
    • No: Keep Miracast hardened but usable

  5. Admin Shares Disable (Yes/No) - Domain-joined systems only

    • Yes: Disable C$/ADMIN$ even on domain (may break IT tools)
    • No: Keep admin shares for IT management (SCCM, PDQ, etc.)

Backup & Restore:

  • Session-based backup system (Initialize-BackupSystem)
  • Full registry backup before changes
  • Service state backup
  • Feature state backup
  • DHCP settings backup (DNS module)
  • Restore capability for all modules

Verification:

  • Test-BaselineCompliance (SecurityBaseline)
  • Test-ASRCompliance (ASR)
  • Test-DNSConnectivity (DNS)
  • Test-AntiAI (AntiAI)
  • Test-PrivacyCompliance (Privacy)
  • Test-EdgeHardening (EdgeHardening)
  • Test-AdvancedSecurity (AdvancedSecurity)

🔧 Safety Features

Pre-Flight Checks:

  • Administrator elevation required
  • OS version detection (Windows 11 24H2+)
  • Hardware capability detection (TPM, VBS)
  • Domain-joined system detection

Execution Safety:

  • WhatIf mode (dry-run preview)
  • Profile-based execution (Balanced/Enterprise/Maximum)
  • Incremental backups
  • Error handling with graceful degradation
  • Comprehensive logging

Rollback:

  • Restore-SecurityBaseline
  • Restore-DNSSettings
  • Restore-PrivacySettings
  • Restore-AdvancedSecuritySettings

📊 Home User Friendly

Password Policies (Low Impact):

  • Only affect local accounts (~5% of home users)
  • 95%+ use Microsoft Accounts (managed online by Microsoft)
  • Policies: MinimumPasswordLength (14), PasswordHistory (24), Lockout (10)

BitLocker USB (User Choice):

  • Default: Home Mode (USB works normally)
  • Option: Enterprise Mode (encryption enforcement)
  • Interactive prompt during SecurityBaseline

FireWire Blocking:

  • Blocks IEEE 1394 devices (DMA attack prevention)
  • Impact: <1% of users (obsolete technology)

🎉 Framework Status

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
NoID Privacy v2.2.0
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Total Settings:             633 ✅
Modules:                    7/7 (100%) ✅
Production Status:          Ready ✅
Verification:               100% ✅
BACKUP-APPLY-VERIFY-RESTORE: Complete ✅

Zero-Day Protection:        ✅ CVE-2025-9491 + ClickFix
Microsoft Best Practices:   100% ✅
Home User Friendly:         ✅ Interactive prompts
Enterprise Ready:           ✅ Profile-based execution

Framework Completion:       🎉 100% COMPLETE
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Last Updated: December 8, 2025
Framework Version: v2.2.0