Hi,
I’ve written this script as part of a company security effort to harden the corporate image. I would value your input on areas for improvement and techniques I should use, or whether it’s perfect !!
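## Corporate image hardening script.
## Every stage changes machine-wide state, so the script has to run elevated.
## Each stage reports its own result; a failure in one stage does not stop the next.

$CurrentPrincipal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $CurrentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Warning "This script must be run from an elevated session; no changes were made."
    return
}

## Stage 1
# Disable services the corporate image does not need.
# The start type is set to Disabled, not Manual: a Manual service can still be started
# on demand, which does not match the stage name or the "Successfully disabled" message.
# Each service is handled on its own so one failure is reported without skipping the rest.
# NOTE(review): a service that is already running keeps running until it is stopped or the
# machine restarts - confirm the image is rebooted after this script.
# NOTE(review): "Smart Card" and "IP Helper" are on the list - confirm nothing in the estate
# depends on them before deploying.
$ServiceDisplayNames = @(
    "Distributed Link Tracking Client",
    "Family Safety",
    "Function Discovery Provider Host",
    "Function Discovery Resource Publication",
    "HomeGroup Listener",
    "HomeGroup Provider",
    "Internet Connection Sharing (ICS)",
    "IP Helper",
    "KtmRm for Distributed Transaction Coordinator",
    "Microsoft iSCSI Initiator Service",
    "Microsoft Keyboard Filter",
    "Net.Tcp Port Sharing Service",
    "Offline Files",
    "Peer Name Resolution Protocol",
    "Peer Networking Grouping",
    "Peer Networking Identity Manager",
    "PNRP Machine Name Publication Service",
    "Quality Windows Audio Video Experience",
    "Remote Access Auto Connection Manager",
    "Remote Access Connection Manager",
    "Remote Registry",
    "Routing and Remote Access",
    "Sensor Monitoring Service",
    "Smart Card",
    "SSDP Discovery",
    "Telephony",
    "UPnP Device Host",
    "WebClient",
    "Windows Connect Now - Config Registrar",
    "Windows Media Player Network Sharing Service",
    "WinHTTP Web Proxy Auto-Discovery Service"
)

$MatchedServices = @(Get-Service | Where-Object { $_.DisplayName -in $ServiceDisplayNames })

foreach ($Service in $MatchedServices) {
    try {
        # -ErrorAction Stop turns the cmdlet's non-terminating errors into ones the catch block sees.
        Set-Service -Name $Service.Name -StartupType Disabled -ErrorAction Stop
        Write-Host -ForegroundColor Green "$ENV:COMPUTERNAME : Successfully disabled the service $($Service.Name)."
    }
    catch {
        Write-Warning "$ENV:COMPUTERNAME : Could not disable the service $($Service.Name): $($_.Exception.Message)"
    }
}

# Names that matched no installed service are listed with -Verbose, so a typo in the
# list is not mistaken for a hardened service.
$ServiceDisplayNames |
    Where-Object { $_ -notin $MatchedServices.DisplayName } |
    ForEach-Object { Write-Verbose "$ENV:COMPUTERNAME : No installed service has the display name '$_'." }

## Stage 2
# Disable the "QoS Packet Scheduler" binding on every adapter whose name starts with "Ethernet".
try {
    $QosBindings = @(Get-NetAdapterBinding -Name "Ethernet*" -DisplayName "QoS Packet Scheduler" -ErrorAction SilentlyContinue)
    if ($QosBindings.Count -gt 0) {
        # One call per adapter, so the message names exactly the adapter that was changed.
        foreach ($Binding in $QosBindings) {
            Disable-NetAdapterBinding -Name $Binding.Name -DisplayName $Binding.DisplayName -ErrorAction Stop
            Write-Warning "$($Binding.DisplayName) was set to disabled on Network Adapter $($Binding.Name)"
        }
    }
    else {
        Write-Warning "Cannot find Ethernet Adapter"
    }
}
catch {
    Write-Warning -Message $_.Exception.Message
}

## Stage 3
# Set the registry values "DisabledComponents" and "UPnPMode".
# Paths are rooted with "HKLM:\" so they do not depend on the current location of the HKLM: drive.
# NOTE(review): DisabledComponents = 255 (0xFF) switches off the IPv6 components and needs a
# restart to take effect; Microsoft's guidance prefers "prefer IPv4 over IPv6" to disabling
# IPv6 outright - confirm this value is what the hardening baseline asks for.
$RegistrySettings = @(
    @{ Path = "HKLM:\SYSTEM\CurrentControlSet\Services\tcpip6\Parameters"; Name = "DisabledComponents"; Value = 255 },
    @{ Path = "HKLM:\Software\Microsoft\DirectplayNATHelp\DPNHUPnP"; Name = "UPnPMode"; Value = 2 }
)

foreach ($Setting in $RegistrySettings) {
    try {
        # New-ItemProperty -Force overwrites a value but does not create a missing key.
        if (-not (Test-Path -Path $Setting.Path)) {
            New-Item -Path $Setting.Path -Force -ErrorAction Stop | Out-Null
        }
        New-ItemProperty -Path $Setting.Path -Name $Setting.Name -Value $Setting.Value -PropertyType DWORD -Force -ErrorAction Stop | Out-Null
    }
    catch {
        Write-Warning -Message "Could not set $($Setting.Name) under $($Setting.Path): $($_.Exception.Message)"
    }
}

## Stage 4
# Disable hidden devices with devcon.exe.
# devcon.exe is resolved to a full path beside this script instead of ".\devcon.exe": a
# relative path runs whichever devcon.exe is in the caller's current directory, and this
# script runs elevated. The current directory is only used when the code is pasted into a
# session and $PSScriptRoot is empty.
# NOTE(review): keep devcon.exe in a directory that only administrators can write to.
$DevconDirectory = if ($PSScriptRoot) { $PSScriptRoot } else { (Get-Location).Path }
$DevconPath = Join-Path -Path $DevconDirectory -ChildPath 'devcon.exe'

# Disables every PnP device whose caption matches $Caption and reports the outcome.
function Disable-HiddenDevice {
    param(
        [Parameter(Mandatory = $true)][string]$Caption,
        [Parameter(Mandatory = $true)][string]$DevconPath
    )

    try {
        if (-not (Test-Path -Path $DevconPath -PathType Leaf)) {
            Write-Warning "devcon.exe was not found at $DevconPath; device '$Caption' was not changed"
            return
        }

        $Devices = @(Get-CimInstance Win32_PNPEntity -ErrorAction Stop |
            Where-Object { $_.Caption -match [regex]::Escape($Caption) })

        # Without this guard devcon would be called with a bare "@" as the instance ID.
        if ($Devices.Count -eq 0) {
            Write-Warning "Device '$Caption' was not found on this machine"
            return
        }

        foreach ($Device in $Devices) {
            # devcon treats an argument starting with "@" as a device instance ID.
            $DevconId = "{0}{1}" -f '@', $Device.PNPDeviceID

            $StatusOutput = (& $DevconPath status $DevconId) | Out-String
            if ($StatusOutput -match "disabled") {
                Write-Warning "Device '$Caption' is already Disabled"
                continue
            }

            $DisableOutput = (& $DevconPath disable $DevconId) | Out-String

            # Success is reported from devcon's exit code, not assumed:
            # 0 = success, 1 = restart required, 2 = failure, 3 = syntax error.
            switch ($LASTEXITCODE) {
                0 { Write-Warning "Device '$Caption' has been disabled via current script" }
                1 { Write-Warning "Device '$Caption' will be disabled after a restart" }
                default { Write-Warning "FAILED: devcon.exe could not disable device '$Caption' (exit code $LASTEXITCODE): $($DisableOutput.Trim())" }
            }
        }
    }
    catch {
        Write-Warning -Message $_.Exception.Message
    }
}

Disable-HiddenDevice -Caption 'Remote Desktop Device Redirector Bus' -DevconPath $DevconPath
Disable-HiddenDevice -Caption 'Microsoft Kernel Debug Network Adapter' -DevconPath $DevconPath

## Stage 5
# Set IGMPLevel to 'None'
try {
    if ((Get-NetIPv4Protocol -ErrorAction Stop).IGMPLevel -eq 'None') {
        Write-Host -ForegroundColor Cyan "No action required as IGMPlevel is already set to 'None'"
    }
    else {
        $IgmpResult = Set-NetIPv4Protocol -IGMPLevel None -PassThru -ErrorAction Stop
        if ($IgmpResult.IGMPLevel -eq 'None') {
            Write-Host -ForegroundColor Yellow "PROCESSED: IGMPLevel has been set to 'None'"
        }
        else {
            Write-Warning "FAILED: To change IGMPLevel"
        }
    }
}
catch {
    Write-Warning "FAILED: To change IGMPLevel: $($_.Exception.Message)"
}

## Stage 6
# Disable dump file creation (DebugInfoType 0).
# NOTE(review): with dumps switched off there is no memory dump to examine after a crash -
# confirm that trade-off is accepted for this image.
try {
    $Recovery = Get-CimInstance Win32_OSRecoveryConfiguration -Property DebugInfoType -ErrorAction Stop
    if ($Recovery.DebugInfoType -eq 0) {
        Write-Verbose "No Action Required"
    }
    else {
        $Recovery.DebugInfoType = 0
        Write-Warning "Will set the debugging information to $($Recovery.DebugInfoType)"
        $NewValue = Set-CimInstance -CimInstance $Recovery -PassThru -ErrorAction Stop

        # The check sits inside this branch: when the value was already 0 nothing is
        # written, so there is no new value to verify and no failure to report.
        if ($NewValue.DebugInfoType -eq 0) {
            Write-Verbose "New value correctly set to $($NewValue.DebugInfoType)"
        }
        else {
            Write-Warning "Value has not been set !! Please check"
        }
    }
}
catch {
    Write-Warning -Message $_.Exception.Message
}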