Windows 10 - networking

 

This web page applies to both Windows 10 Home - Fall Update - version 1511, and also to Windows 10 Home - Anniversary Edition - version 1607.

As with all previous versions of Windows, Microsoft have put into Windows 10 various networking technologies which are mostly enabled by default - some of them are quite new technologies, and some of them are for backward compatibility with older versions of Windows.

Some of these older technologies are famously insecure - NetBIOS is one, and is a common route for malicious attacks on Windows. It is enabled by default in most versions of Windows - including NT, 2000, XP, Windows 7, Windows 8.1, and now Windows 10.

The infamous Conficker worm variants A, B, C, and E all used NetBIOS to wreak their havoc on so many computers in 2009. NetBIOS provides a well-worn route into a Windows machine for hackers. Don't underestimate the risk of enabling NetBIOS on a computer.

If you don't need them, it is better to remove them, as it helps to reduce the attack surface.

 

Removing protocols - Ethernet

Go to "Control panel" / "Network and sharing centre" / "Change adapter settings" / Right click on "Ethernet"

Select "Properties"

You will probably see a list of 9 items, most with ticked boxes. Many of these are weak spots - get rid of as many as you can that you don't need.

For a basic Ethernet LAN connection, the only two that are probably required are

Some websites suggest that QoS Packet Scheduler is not required - however I am not so sure about that, so I leave it in.

IPv6 is very much built into Windows 10, but unless you really need it, I think it is best to untick it, as it can add security holes. However do note that unticking the IPv6 box within the Properties box on any network adapter does not stop IPv6 from running inside the computer, it only stops that network adapter from conveying IPv6 traffic.

The other ones all depend on how you want to use the computer - but they all lower the security of the computer. You can untick the boxes to kill them, but a better method is to uninstall them. This has the advantage that it removes them from the wireless connection as well.

Now highlight "Internet Protocol Version 4 (TCP/IPv4)", click on Properties, click on Advanced, click on the WINS tab. Unless you really need it - select "Disable NetBIOS over TCP/IP".

If you are going to use some of the Microsoft file sharing technologies, you may need NetBIOS.

 

Removing protocols - wireless

If Windows 10 is on a laptop, repeat all this for the Wireless network connection.

Again, it all depends on how you want to use the laptop, but I reckon that if you connect to any kind of public Wi-Fi, and have facilities like "File and Printer Sharing" and "NetBIOS" enabled, then you are playing with fire.

If you want to use some kind of Microsoft networking on your "safe" home or work Wi-Fi, and also want to use public Wi-Fi, you are going to have a bit of a problem with this. You will have to work out your own solution.

If you can use ethernet at home or at work, then you could have the Microsoft networking enabled on the ethernet connection, but not on the Wi-Fi.

 

Removing protocols - other connection types

There may be other types of connections listed, for example, VPNs. You may need to repeat all this for them as well.

 

LLMNR

Windows 7, 8.1, 10 all advertise themselves using LLMNR, and it can't be stopped using the firewall.

LLMNR multicasts UDP messages on port 5355. It may also use TCP on port 5355.

It can be regarded as a security risk, as the host transmits multicast LLMNR packets which identify the host.

In addition, as the Windows firewall is a stateful firewall, the outgoing packets will cut holes through the firewall for incoming packets for a period of time on port 5355 - this provides a hole for attack. So it is better to disable LLMNR if it is not required.

On the higher versions of Windows, Group policy can be used to disable LLMNR.

On Windows 10 Home, LLMNR can be disabled by a registry entry - the key doesn't exist by default, and needs to be created. The key is


       HKLM\Software\Policies\Microsoft\Windows NT\DNSClient\

Create a DWORD called "EnableMulticast" with a value of "0".

There is a bit more about LLMNR in my web page about Windows 7 Name Resolution.

PS - if you have doubts as to whether you should do this - a hacker can use LLMNR traffic to capture user name and password hashes from a computer, then use cracking tools to extract the password from the hash, and he now has a username and password to log onto the computer whenever he wants. Not really what you want!

 

Network Location Awareness

Network Location Awareness is a service for identifying what types of network the computer is connected to. It can be used to decide if a network connection should be part of the Public profile or the Private profile, once the administrator has made a choice about it.

It can also be used by applications that are NLA aware to react to changing network connections, such as might be experienced by a roaming laptop, which might be used on LANs, then on WiFi, for example.

So it may be useful from that point of view. However it has a couple of security downsides - every time the computer is started, or reconnects to a network -

The list above of disabled services therefore includes the Network List Service and the Network Location Awareness service.

However if you think you need this service, but don't want the computer to connect to the web server at "www.msftncsi.com", this action can be stopped via a registry entry - go to the key


       HKLM\System\CurrentControlSet\Services\NlaSvc\Parameters\Internet\

Change the DWORD called "EnableActiveProbing" to the value of "0"

 

Disable IGMP

IGMP is part of Windows networking, and if you don't want to use Windows networking, IGMP can be disabled using


       netsh interface ipv4 set global mldlevel=none

This adds a registry entry


       HKLM\System\CurrentControlSet\Services\TCPIP\Parameters\IGMPLevel

which is a DWORD with the value of 0

It also adds another two keys, but these have no data associated with them.


       HKLM\System\CurrentControlSet\Services\TCPIP\Parameters\IPAutoconfigurationMask

       HKLM\System\CurrentControlSet\Services\TCPIP\Parameters\IPAutoconfigurationSubnet

 

Disable IPv6

IPv6 is very much built into Windows, and Microsoft quite strongly advocate that it should not be disabled - in fact it can cause some boot-up delays if it is disabled.

However if it is not required, it increases the attack surface - in particular, any IPv6 tunneling techniques are a significant attack surface, as they can be used to connect to the computer through the firewall, and the firewall doesn't see what is going on. Note that IPv6 tunnelling can still happen even if you have disabled IPv6 on a network adapter.

There is quite a lot of variety in the suggestions on the internet about how to disable IPv6, and it took a bit of digging to understand what is going on.

To disable all or part of IPv6, add an entry to the registry -


       HKLM\System\CurrentControlSet\Services\TCPIP6\Parameters\DisabledComponents

which is a DWORD with a default value of 0x00000000 - which means that IPv6 is fully enabled.

The low byte of this value (the last two hex digits) acts as a bit mask, with each bit within the mask acting as a flag for a particular part of the IPv6 suite - but bear in mind that the above value is shown in hex, whereas the mask works at the binary level, so each hex digit covers four flags.

For every flag the default value is zero, which means that part is on; set it to one to block that mechanism.

So to leave all of IPv6 working as Microsoft wants, leave the above registry entry at 0x00000000.

To disable all IPv6, set the above registry entry to 0x000000ff - don't set it to 0xffffffff as some websites suggest.

Historically, some sources suggest that to disable all IPv6 the registry setting should be set to 0xffffffff - this is now regarded as wrong, as the upper 24 bits need to be zero for the fastest boot-up times. These upper 24 bits don't do anything as far as controlling IPv6 is concerned, so there is no need to set them to one. So use 0x000000ff, don't use 0xffffffff.

To disable all IPv6 tunneling but leave IPv6 working, set the above registry entry to 0x00000001

You can do your own maths if you want to allow some tunneling mechanisms but block others.
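If you would rather not do the maths by hand, the following added example (not code from the original page or from Microsoft) composes and decodes a DisabledComponents value. The 0x01 (all tunnel interfaces) and 0xFF (all of IPv6) meanings come from this page; the 0x10 (native IPv6 on non-tunnel interfaces) and 0x20 (prefer IPv4 over IPv6) bits are taken from Microsoft's documentation of this value and are assumptions as far as this page is concerned.

```powershell
# Added example: DisabledComponents bit-mask helper. Only the low byte is ever set, as the
# page advises; the upper 24 bits are left at zero. 0x10 and 0x20 are assumed from Microsoft's docs.
$DisabledComponentsBits = [ordered]@{
    0x01 = 'all IPv6 tunnel interfaces (6to4, ISATAP, Teredo)'   # page: 0x00000001
    0x10 = 'IPv6 on all non-tunnel (native) interfaces'           # assumed (Microsoft docs)
    0x20 = 'prefer IPv4 over IPv6 in address selection'           # assumed (Microsoft docs)
}

function New-DisabledComponentsValue {
    # Builds the DWORD from named switches instead of hand-calculated hex.
    param([switch]$NoTunnels, [switch]$NoNative, [switch]$PreferIPv4, [switch]$DisableAll)
    if ($DisableAll) { return 0xFF }          # page: use 0x000000ff, never 0xffffffff
    $v = 0
    if ($NoTunnels)  { $v = $v -bor 0x01 }
    if ($NoNative)   { $v = $v -bor 0x10 }
    if ($PreferIPv4) { $v = $v -bor 0x20 }
    return $v
}

function ConvertFrom-DisabledComponentsValue {
    # Explains a value as read from the registry (REG_DWORD arrives as a signed [int]);
    # warns about the upper-24-bit mistake the page describes.
    param([int]$Value)
    if ($Value -band 0xFFFFFF00) {
        Write-Warning ('0x{0:X8}: upper 24 bits are set; they do nothing for IPv6 and slow boot-up. Use the low byte only.' -f $Value)
    }
    $low = $Value -band 0xFF
    if ($low -eq 0xFF) { return @('IPv6 fully disabled (0xFF)') }
    if ($low -eq 0)    { return @('IPv6 fully enabled (default 0x00)') }
    $DisabledComponentsBits.Keys | Where-Object { $low -band $_ } |
        ForEach-Object { '0x{0:X2}: disable {1}' -f $_, $DisabledComponentsBits[$_] }
}

# Worked cases
$tunnelsOnly = New-DisabledComponentsValue -NoTunnels                # 0x01, the page's "block tunnelling" value
$ipv4First   = New-DisabledComponentsValue -NoTunnels -PreferIPv4    # 0x21
'Tunnels blocked : 0x{0:X8}' -f $tunnelsOnly
ConvertFrom-DisabledComponentsValue -Value $ipv4First
ConvertFrom-DisabledComponentsValue -Value 0xFFFFFFFF                # triggers the warning

# To apply the value (elevated prompt; reboot for it to take effect), create the DWORD the page names:
# Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters' `
#     -Name DisabledComponents -Value $tunnelsOnly -Type DWord
```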

You may need IPv6 without realising it, because your router or wireless connections use IPv6.

Note that if IPv6 is enabled, even if tunneling is blocked, then the computer will do quite a lot of advertising on IPv6.

 

Disable SMB 1.0

SMB 1.0 is a legacy protocol used for file and printer sharing; if you don't need it, disable it through Control Panel / Programs and Features.
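To check where a machine stands against the settings covered on this page (NetBIOS over TCP/IP, LLMNR, NLA active probing, IGMP, IPv6 and SMB 1.0), here is an added read-only audit script. It is not from the original page; it uses the registry paths and values quoted above and standard Windows 10 cmdlets, and needs an elevated PowerShell prompt.

```powershell
# Added example: audit the hardening settings this page discusses. Reads only; changes nothing.
function Get-RegDword {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }          # key or value not created yet
    return [int]$item.$Name
}

# Where the page says each value lives, and the value the page recommends.
$checks = @(
    @{ Label = 'LLMNR  EnableMulticast';     Want = 0
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient';             Name = 'EnableMulticast' },
    @{ Label = 'NLA    EnableActiveProbing'; Want = 0
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet'; Name = 'EnableActiveProbing' },
    @{ Label = 'IGMP   IGMPLevel';           Want = 0
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';           Name = 'IGMPLevel' },
    @{ Label = 'IPv6   DisabledComponents';  Want = 0xFF     # page: 0xFF = all off, 0x01 = tunnels off
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters';          Name = 'DisabledComponents' }
)
foreach ($c in $checks) {
    $v = Get-RegDword -Path $c.Path -Name $c.Name
    if ($null -eq $v) { $cur = 'absent'; $state = 'DEFAULT (value not created)' }
    else {
        $cur   = '0x{0:X8}' -f $v
        $state = if ($v -eq $c.Want) { 'OK' } else { 'REVIEW' }
    }
    '{0,-28} current={1,-10} page={2,-10} {3}' -f $c.Label, $cur, ('0x{0:X8}' -f $c.Want), $state
}

# NetBIOS over TCP/IP per adapter (page: "Disable NetBIOS over TCP/IP" on the WINS tab).
# TcpipNetbiosOptions: 0 = use DHCP setting, 1 = enabled, 2 = disabled.
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
    $nb = switch ($_.TcpipNetbiosOptions) { 0 { 'DHCP decides' } 1 { 'ENABLED' } 2 { 'disabled' } }
    '{0,-28} NetBIOS over TCP/IP: {1}' -f $_.Description, $nb
}

# IPv6 binding per adapter (page: unticking the box only affects that adapter, not the IPv6 stack).
Get-NetAdapterBinding -ComponentID ms_tcpip6 | ForEach-Object {
    '{0,-28} IPv6 bound to adapter: {1}' -f $_.Name, $_.Enabled
}

# SMB 1.0 optional feature (page: remove via Programs and Features).
$smb1 = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
'{0,-28} {1}' -f 'SMB1Protocol feature', $smb1.State
```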


website design by ron-t

 

website hosting by freevirtualservers.com

 

© 2024   Ron Turner
