[FEATURE] - Small reg and script helpers and cleanups #1130

Open
4 tasks done
sammilucia opened this issue Jun 19, 2024 · 8 comments
Labels
enhancement New feature or request

Comments

@sammilucia

sammilucia commented Jun 19, 2024

Before continuing...

  • I agree to follow Atlas' Code of Conduct
  • I have searched our issue tracker to verify that the issue hasn't been reported already
  • I have searched the Atlas documentation beforehand for a solution
  • I am on the latest version of Atlas, and didn't do an unsupported upgrade

What is your feature request regarding to?

Atlas Playbook

Is your feature request related to a problem? Please describe.

There are several cleanups, QoL changes, and hardening steps I take on a new Windows install, and I can't see that Atlas 0.40 currently does them (though they may be planned for 0.50).

I don't believe these are worth splitting into different issues. I can adapt them all and fork/PR, or let me know what parts are useful, if any.

1. Delete instances of Macromedia Flash. There are still remnants of Flash in Win10/11.
   edit: I believe Atlas is already doing this or it's no longer in Win11. It may be in Win10, though.

   ```bat
   rem Flash remnants, 64-bit and 32-bit copies. The folders are owned by
   rem TrustedInstaller, so take ownership and grant Administrators before deleting.
   takeown /F c:\windows\system32\macromed /A /R /D Y
   icacls c:\windows\system32\macromed /grant Administrators:F /T /C
   rmdir /S /Q c:\windows\system32\macromed

   takeown /F c:\windows\syswow64\macromed /A /R /D Y
   icacls c:\windows\syswow64\macromed /grant Administrators:F /T /C
   rmdir /S /Q c:\windows\syswow64\macromed

   del c:\windows\syswow64\flashplayer*.*
   ```

2. Delete GatherNetworkInfo.bat. Why this is in a vanilla install is beyond me, but it can be used by a hacker for intel gathering.

   ```bat
   echo Deleting GatherNetworkInfo.vbs (security target)
   rem The file is owned by TrustedInstaller, so plain del fails without takeown/icacls
   takeown /F c:\windows\system32\gathernetworkinfo.vbs /A
   icacls c:\windows\system32\gathernetworkinfo.vbs /grant Administrators:F /C
   del /Q c:\windows\system32\gathernetworkinfo.vbs
   ```

3. Noting that I believe AtlasOS is already setting the old tunneling protocols as disabled, i.e.

   ```bat
   netsh int teredo set state disabled
   netsh int 6to4 set state disabled
   netsh int isatap set state disabled
   ```

4. Service corrections. There are some strange service dependency problems that can lead to dependent services not starting and difficult-to-diagnose problems. There are several services not correctly set to depend; this is just one. More investigation is needed.

   ```bat
   rem "depend=" REPLACES the whole dependency list and needs a space after the "=".
   rem Check the current list first (RpcSs and EventSystem on stock Win10/11) and keep it.
   sc qc BITS
   sc config BITS depend= RpcSs/EventSystem/netprofm
   ```

5. Add Recycle Bin to My Computer as an optional reg file in Atlas\4. Interface Tweaks\Recycle Bin

   ```reg
   [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{645FF040-5081-101B-9F08-00AA002F954E}]
   ```

6. Disable negative DNS cache. By default Windows caches failed DNS queries, which is a problem because most failures are short-term, leading to misleading problem diagnoses. I would recommend disabling by default.

   ```reg
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters]
   "MaxNegativeCacheTtl"=dword:00000000
   ```

7. Disable Desktop icon label shadow. IMHO it looks outdated and out of place with Material design.

   ```reg
   [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\ListviewShadow]
   "DefaultApplied"=dword:00000000
   ```

8. Add AHCI device-initiated sleep options to Power Options for SSDs. This adds HIPM and DIPM sleep options for SSDs to the Windows Power Plans, which gives more granular control over SSD sleep states.

   ```reg
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\0012ee47-9041-4b5d-9b77-535fba8b1442\0b2d69d7-a2a1-449c-9680-f91c70521c60]
   "Attributes"=dword:00000002
   ```

9. Option to disable Network Data Usage monitoring. This should probably be optional as some people might use metered network connections/cellular. I suggest Atlas\3. General Configuration\Network Data Usage

   ```reg
   ; Start=4 is SERVICE_DISABLED. Written under CurrentControlSet rather than ControlSet001, which is not always the active control set.
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ndu]
   "Start"=dword:00000004
   ```

10. Enable Turbo Boost in Power Options to configure CPU boost states. I don't believe this is accessible in Windows or AtlasOS; however, I could be mistaken.

    ```reg
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\be337238-0d82-4146-a960-4f3749d470c7]
    "Attributes"=dword:00000002
    ```

11. Remove Git from Context Menus. winget in Atlas-OS offers to install Git, and Git adds two options to the Context Menu which may not be wanted. Optionally provide a reg file to remove them in 4. Interface Tweaks\Context Menus\Git Bash Here

    ```reg
    [-HKEY_CLASSES_ROOT\Directory\shell\git_gui]
    [-HKEY_CLASSES_ROOT\Directory\shell\git_gui\command]
    [-HKEY_CLASSES_ROOT\Directory\shell\git_shell]
    [-HKEY_CLASSES_ROOT\Directory\shell\git_shell\command]
    [-HKEY_CLASSES_ROOT\Directory\Background\shell\git_shell]
    [-HKEY_CLASSES_ROOT\Directory\Background\shell\git_shell\command]
    [-HKEY_CLASSES_ROOT\Directory\Background\shell\git_gui]
    [-HKEY_CLASSES_ROOT\Directory\Background\shell\git_gui\command]
    ```

12. Similarly, PowerShell Context Menu entries might not be wanted. This may require a takeown script.

    ```reg
    [-HKEY_CLASSES_ROOT\Drive\shell\Powershell]
    [-HKEY_CLASSES_ROOT\Drive\shell\Powershell\command]
    [-HKEY_CLASSES_ROOT\Directory\shell\Powershell]
    [-HKEY_CLASSES_ROOT\Directory\shell\Powershell\command]
    ```

13. Similarly, "Command Prompt here" Context Menu entries might not be wanted. This may require a takeown script.

    ```reg
    [-HKEY_CLASSES_ROOT\Directory\shell\cmd]
    [-HKEY_CLASSES_ROOT\Directory\shell\cmd\command]
    [-HKEY_CLASSES_ROOT\Directory\Background\shell\cmd]
    [-HKEY_CLASSES_ROOT\Directory\Background\shell\cmd\command]
    ```

14. Provide an option to remove AMD Radeon from the Context Menu since it's difficult to use. Suggest providing a reg file in 4. Interface Tweaks\Context Menus\AMD

    ```reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Blocked]
    "{FDADFEE3-02D1-4E7C-A511-380F4C98D73B}"=""
    ```

Describe the solution you would like.

whatever set of options people will find most useful.

Describe alternatives you have considered.

doing these manually.

Additional context.

No response
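Before applying any of the snippets in the list above, a practitioner would want to know the current state of each setting on the machine and keep a rollback. The following PowerShell is an added example, not code from this issue or from the Atlas project. It assumes an elevated Windows PowerShell 5.1 or later session on Windows 10/11; the backup directory name is an arbitrary choice for the example, and the registry paths and values are the ones from the list.

```powershell
# Added example (not from the issue or the Atlas project): audit the current state of the
# proposed settings and export a .reg backup of each key before anything is changed.
# Assumes an elevated Windows PowerShell 5.1+ session on Windows 10/11. $BackupDir is an
# arbitrary location chosen for this example.
$ErrorActionPreference = 'Stop'
$BackupDir = Join-Path $env:USERPROFILE 'atlas-tweak-backup'
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# Registry values from the list and the value each proposal would write.
# Start=4 is SERVICE_DISABLED; Attributes=2 unhides a power setting in Power Options.
$RegChecks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'; Name = 'MaxNegativeCacheTtl'; Want = 0 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Ndu'; Name = 'Start'; Want = 4 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\0012ee47-9041-4b5d-9b77-535fba8b1442\0b2d69d7-a2a1-449c-9680-f91c70521c60'; Name = 'Attributes'; Want = 2 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\be337238-0d82-4146-a960-4f3749d470c7'; Name = 'Attributes'; Want = 2 }
)

foreach ($c in $RegChecks) {
    $current = $null
    if (Test-Path -Path $c.Path) {
        $current = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        # reg.exe expects HKLM\..., not the PowerShell drive spelling HKLM:\...
        $nativePath = $c.Path -replace '^HKLM:\\', 'HKLM\'
        $backupFile = Join-Path $BackupDir ('{0}-{1}.reg' -f $c.Name, ($nativePath -split '\\')[-1])
        reg.exe export $nativePath $backupFile /y | Out-Null
    }
    if ($null -eq $current) {
        $state = 'absent (Windows default applies)'
    } elseif ($current -eq $c.Want) {
        $state = 'already set to the proposed value'
    } else {
        $state = 'current={0} proposed={1}' -f $current, $c.Want
    }
    Write-Output ('{0}\{1}: {2}' -f $c.Path, $c.Name, $state)
}

# Files the list proposes deleting: report whether this build still ships them.
$Leftovers = @(
    "$env:SystemRoot\System32\gatherNetworkInfo.vbs",
    "$env:SystemRoot\System32\Macromed",
    "$env:SystemRoot\SysWOW64\Macromed"
)
foreach ($p in $Leftovers) {
    $presence = if (Test-Path -Path $p) { 'present' } else { 'not present' }
    Write-Output ('{0}: {1}' -f $p, $presence)
}

# Hosted network: read-only check of the current mode. netsh prints an error instead
# when the WLAN AutoConfig service is not running (e.g. a desktop without Wi-Fi).
netsh.exe wlan show hostednetwork | Select-String -Pattern '^\s*Mode\s*:'
```

The exported `.reg` files in `$BackupDir` can be re-imported with `reg.exe import` to undo a tweak, which matters for the items the thread flags as easy to forget later (negative DNS caching, the hosted network). Settings reported as "absent" are ones where the proposed `.reg` creates a value Windows does not normally write, so rolling back means deleting the value rather than restoring an old one.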

@sammilucia sammilucia added the enhancement New feature or request label Jun 19, 2024
@sammilucia
Author

15. Provide an option to disable the hosted network, possibly in 3. General Configuration\Hosted WiFi Network. If you don't ever plan to use it, the ability to host a WiFi network can be exploited. However, people may forget it's disabled, which can cause difficulty diagnosing later on.

    ```bat
    netsh wlan set hostednetwork mode=disallow
    ```

@he3als
Contributor

he3als commented Jun 19, 2024

> delete GatherNetworkInfo.bat, why this is in a vanilla install is beyond me but it can be used by a hacker for intel gathering

This script runs as the permissions it's executed as. If an attacker has remote code execution, they could use various other and, most likely, better tools. It seems to be removed from the latest builds of Windows anyways.

We'd rather not touch components or files if it's not needed.

> noting that i believe AtlasOS is already setting the old tunneling protocols as disabled

Generally, we don't touch these for compatibility reasons. Previously we messed around with Teredo, and in some cases, it would cause the XBOX app to not work properly. Those seem mostly disabled by default in Windows now, so I don't think it's significant to change them.

> there are some strange service dependency problems that can lead to dependent services not starting and difficult-to-diagnose problems. there are several services not correctly set to depend, this is just one. more investigation is needed

Yeah, maybe? I'd still rather not touch it if it's not essential as I don't want to cause any conflicts or potential issues, but it is something to be researched into. I'd like to know why this is default and if it's a bug or purposeful.

> disable negative DNS cache

This makes sense, but I want to know why it's not disabled by default.

> disable Desktop icon label shadow

The shadow is required for good visibility on white backgrounds.

> add AHCI device initiated sleep options to Power Options

> enable Turbo Boost in Power Options

Sure. Although, I'd want to research these settings before unhiding them.

> remove Git from Context Menus

> remove AMD Radeon from the Context Menu

I'd consider it, but I don't want to go too out of scope for Atlas.

> Powershell Context Menu entries might not be wanted

> Command Prompt here Context Menu entries

These are in the extended context menu, I don't think that it matters.

> provide an option to disable the hosted network

Do you have any recent vulnerabilities related to this?

@sammilucia
Author

sammilucia commented Jun 19, 2024

> This makes sense, but I want to know why it's not disabled by default.

It's specified in the RFC. In my experience, for end users it's the more likely config to confound diagnosis. In large infrastructure it's also not a good idea because it can inhibit failover. IMO the thinking is outdated.

> The shadow is required for good visibility on white backgrounds.

I don't think any of your users will have white backgrounds, but your call 😊

> Sure. Although, I'd want to research these settings before unhiding them.

Sure. The use case for CPU turbo states is mostly laptops. Reducing from the defaults (Enabled, or Aggressive Enabled) relieves heat on the GPU, which is usually the most heat-bound. When you see laptop reviews that the GPU is throttling, especially AMD, this is usually why. SSD AHCI is also mostly for power saving; it enables lower idle states of e.g. <1W for SSDs, though Windows is awful at power-saving to start with, so this is a losing battle an SSD isn't going to win. SSD AHCI is more a case of it should be exposed by default, IMO.

> I'd consider it, but I don't want to go too out of scope for Atlas

Fair. I was going to compile these into my own git until I found Atlas. I don't want to duplicate work.

> Do you have any recent vulnerabilities related to this?

This speaks to the principle of least access and secure-by-default configs (as well as the GatherNetworkInfo.vbs). You don't need a published exploit to reduce attack surface. However, security needs to be balanced with usability, as you know, and hosted networks is problematic as previously noted because someone can disable it then travel a year later and need it.

However, a hardened system will withstand more attacks than a system that's simply patched. Security is also a question of "what's the weakest link in the chain". I wouldn't wait for exploits, as long as WU compatibility and usability can be maintained.

I guess it depends on the goals of Atlas, which I'd need to learn more intricately. In short, OS hardening involves:

  • removing non-essential services
  • removing non-essential software/modules/stale vectors
  • hardening TCP and remaining services (here, like the above, is the reason to stray from RFCs, which are usually designed for the widest use cases, sometimes impractically so)
  • disabling dangling resources like default shares and default/insecure logins
  • (restricting firewalls to the smallest set of in/outbound ports; probably not practical here)
  • (ideally renaming default logins to unguessable ones and creating dummy default logins; however, I would argue this is clearly out of scope)

Kajal4414 added a commit to Kajal4414/Scripts that referenced this issue Jun 20, 2024
@he3als he3als moved this to Low priority in Atlas Playbook Jul 4, 2024
@nicklvh
Contributor

nicklvh commented Jul 13, 2024

Responding to your 6th point, I've researched about disabling negative caching and it seems to be useful for gaining more up to date information but Windows' TTL is 15 minutes for negative caching so I'm not sure if disabling it would have any benefit. Also some DNS blocking services return NXDOMAIN as a result which would then not be stored in any negative cache and would result in many more DNS requests. Also, if a DNS issue is not fixed, it increases latency.

I agree with your points 8,10,11 and 15, but the others I feel like would not benefit the general Atlas user and could cause more problems than intended.

@sammilucia
Author

That's all good. Really this is just a list of "here's some things I do, in case any are helpful / relevant", without understanding (yet) what is considered in-scope and out of scope for the project (though I have read the documentation).

One way to address the negative DNS cache is to lower the TTL to, say, 1 minute, which would effectively debounce the most common issues without causing confusion due to brief DNS failures, i.e. "this didn't work for a while, now it mysteriously does".

However, I don't think it's an important enough setting to warrant a lot of discussion (i.e. it's not high-value). Please feel free to take whatever's valuable and discard the rest. I will gain understanding of what's in scope for this project from whatever you take.

@NextWork123

NextWork123 commented Oct 19, 2024

I believe some "fixes or features" related to this issue need to be merged, such as gathernetworkinfo (2), to enhance security for users with Intel. Regarding point 6, we can reduce the TTL, and that would be satisfactory. Personally, I don't mind disabling the negative DNS cache, and I would also support the proposal to remove all DNS caching, as I am using a self-hosted AdGuard that effectively handles DNS caching.

For points 8, 9, and 10, I think merging them is essential, especially for laptop users. As for point 14, I don't think it's advisable to remove AMD Radeon from the context menu; I appreciate having that option. Point 15 seems perfectly fine.

However, I believe point 4 needs further investigation. I came across some information regarding netprofm, but I only found a description in another repository, Windows Server Docs, which stated: "Identifies the networks the computer has connected to, collects and stores properties for these networks, and notifies applications when these properties change." source

As for point 3, it doesn't seem ideal because if someone has IPv6 enabled, it could lead to issues; it works fine if IPv6 is disabled.

@sammilucia
Author

Point 4 is a rabbit hole. I discovered this when BITS wouldn't start because I'd disabled netprofm, and discovered the dependencies weren't set on a new install. I would file this under "one of the many ways Windows Update can break" that's difficult to hunt down.

However, looking more closely, I don't think MS have maintained their service dependencies well since they added all the new ones in Win11... I think we would find there are several or a dozen that are broken.

Problems can obviously be avoided by not supporting messing with services, rather than trying to map and set all dependencies (which isn't high-value work), but WU breaking is a good reason to fix the BITS one IMO. WU breaks often enough and is important enough that fortifying against this is a good idea.

I agree on all your other comments. I think many people disable IPv6, but I don't know for sure. It certainly isn't the "amazing thing" we all knew it wouldn't be!
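The `sc config BITS depend=netprofm` line in point 4 and the BITS/netprofm discussion above share one trap: `depend=` replaces the service's entire dependency list rather than appending to it, so running the one-liner as posted would leave BITS depending on netprofm alone. The following PowerShell is an added example, not code from this issue or from the Atlas project; it reads the current dependency list, merges the new entry in, and only writes when `$Apply` is switched on. It assumes an elevated Windows PowerShell 5.1 or later session on Windows 10/11; the service names are the ones discussed in the thread.

```powershell
# Added example (not from the issue or the Atlas project): add netprofm to BITS'
# dependencies without dropping the ones already there. "sc config <svc> depend="
# overwrites the whole list, and sc.exe needs a space after "depend=".
# Assumes an elevated Windows PowerShell 5.1+ session on Windows 10/11.
$ServiceName   = 'BITS'
$NewDependency = 'netprofm'
$Apply         = $false   # dry run by default; set to $true to write the change

$svc      = Get-Service -Name $ServiceName
$existing = @($svc.ServicesDependedOn | ForEach-Object { $_.Name })
Write-Output "Current dependencies of ${ServiceName}: $($existing -join ', ')"

if ($existing -contains $NewDependency) {
    Write-Output "$NewDependency is already a dependency of $ServiceName; nothing to do."
    return
}

# Refuse to point a service at a dependency that does not exist on this build:
# a missing dependency would stop BITS from starting at all.
if (-not (Get-Service -Name $NewDependency -ErrorAction SilentlyContinue)) {
    throw "Service '$NewDependency' not found; refusing to add it as a dependency."
}

# sc.exe takes the full list as one '/'-separated argument after "depend= ".
$merged = ($existing + $NewDependency) -join '/'
Write-Output "Would run: sc.exe config $ServiceName depend= $merged"

if ($Apply) {
    & sc.exe config $ServiceName depend= $merged
    if ($LASTEXITCODE -ne 0) { throw "sc.exe failed with exit code $LASTEXITCODE" }

    # Re-read the service so the full list can be confirmed, not just the new entry.
    $after = @((Get-Service -Name $ServiceName).ServicesDependedOn | ForEach-Object { $_.Name })
    Write-Output "Dependencies now: $($after -join ', ')"
    if ($after -notcontains $NewDependency) { throw "Dependency change did not take effect" }
}
```

On a stock Windows 10/11 install the dry run reports RpcSs and EventSystem as the existing BITS dependencies, so the merged argument becomes `RpcSs/EventSystem/netprofm`. The same pattern applies to any other service whose dependency list the thread suspects is incomplete: read, merge, verify, rather than overwrite.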

@NextWork123

> Point 4 is a rabbit hole. I discovered this when BITS wouldn't start because I'd disabled netprofm, and discovered the dependencies weren't set on a new install. I would file this under "one of the many ways Windows Update can break" that's difficult to hunt down.
>
> However, looking more closely, I don't think MS have maintained their service dependencies well since they added all the new ones in Win11... I think we would find there are several or a dozen that are broken.
>
> Problems can obviously be avoided by not supporting messing with services, rather than trying to map and set all dependencies (which isn't high-value work), but WU breaking is a good reason to fix the BITS one IMO. WU breaks often enough and is important enough that fortifying against this is a good idea.
>
> I agree on all your other comments. I think many people disable IPv6, but I don't know for sure. It certainly isn't the "amazing thing" we all knew it wouldn't be!

It seems my ISP in Italy provides higher speed on IPv6 than IPv4, and they were the first ISP to offer IPv6. If I disable IPv6, my speed will be significantly reduced, which is why I think disabling IPv6 isn't ideal. In any case, the issue/feature merge looks promising, but you opened the issue back in June and it's still open in October, so it seems the Atlas developers aren't very interested in merging your feature. :(
