[FEATURE] - Small reg and script helpers and cleanups #1130
Comments
netsh wlan set hostednetwork mode=disallow |
This script runs as the permissions it's executed as. If an attacker has remote code execution, they could use various other and, most likely, better tools. It seems to be removed from the latest builds of Windows anyways. We'd rather not touch components or files if it's not needed.
Generally, we don't touch these for compatibility reasons. Previously we messed around with Teredo, and in some cases, it would cause the XBOX app to not work properly. Those seem mostly disabled by default in Windows now, so I don't think it's significant to change them.
Yeah, maybe? I'd still rather not touch it if it's not essential as I don't want to cause any conflicts or potential issues, but it is something to be researched into. I'd like to know why this is default and if it's a bug or purposeful.
This makes sense, but I want to know why it's not disabled by default.
The shadow is required for good visibility on white backgrounds.
Sure. Although, I'd want to research these settings before unhiding them.
I'd consider it, but I don't want to go too out of scope for Atlas.
These are in the extended context menu, I don't think that it matters.
Do you have any recent vulnerabilities related to this? |
it's specified in the RFC. in my experience for end users it's the more likely config to confound diagnosis. in large infrastructure it's also not a good idea because it can inhibit failover. imo the thinking is outdated.
I don't think any of your users will have white backgrounds, but your call 😊
sure. the use case for CPU turbo states is mostly laptops. reducing from the defaults (Enabled, or Aggressive Enabled) relieves heat on the GPU, which is usually the most heat bound. when you see laptop reviews that the GPU is throttling, especially AMD, this is usually why. SSD AHCI is also mostly for power saving, it enables lower idle states of e.g. <1W for SSDs. though Windows is awful at power-saving to start so this is a losing battle an SSD isn't going to win. SSD AHCI is more a case of it should be exposed by default, imo.
fair. I was going to compile these into my own git until I found Atlas. I don't want to duplicate work.
this speaks to principle of least access and secure by default configs (as well as the GatherNetworkInfo.vbs). you don't need a published exploit to reduce attack surface. however security needs to be balanced with usability, as you know, and hosted networks is problematic as previously noted because someone can disable it then travel a year later and need it. however a hardened system will withstand more attacks than a system that's simply patched. security is also a question of "what's the weakest link in the chain". I wouldn't wait for exploits, as long as WU compatibility and usability can be maintained. I guess it depends on the goals of Atlas, which I'd need to learn more intricately. in short OS hardening involves:
|
Responding to your 6th point, I've researched about disabling negative caching and it seems to be useful for gaining more up to date information but Windows' TTL is 15 minutes for negative caching so I'm not sure if disabling it would have any benefit. Also some DNS blocking services return NXDOMAIN as a result which would then not be stored in any negative cache and would result in many more DNS requests. Also, if a DNS issue is not fixed, it increases latency. I agree with your points 8, 10, 11 and 15, but the others I feel like would not benefit the general Atlas user and could cause more problems than intended. |
that's all good, really this is just a list of "here's some things i do, in case any are helpful / relevant", without understanding (yet) what is considered in-scope and out of scope for the project (though i have read the documentation). one way to address the negative DNS cache is to lower the TTL to say 1 minute, which would effectively debounce the most common issues without causing confusion due to brief DNS failures i.e. "this didn't work for a while, now it mysteriously does". however, i don't think it's an important enough setting to warrant a lot of discussion (i.e. it's not high-value). please feel free to take whatever's valuable and discard the rest. i will gain understanding of what's in-scope for this project from whatever you take. |
I believe some "fixes or features" related to this issue need to be merged, such as gathernetworkinfo (2), to enhance security for users with Intel. Regarding point 6, we can reduce the TTL, and that would be satisfactory. Personally, I don’t mind disabling the negative DNS cache, and I would also support the proposal to remove all DNS caching, as I am using a self-hosted AdGuard that effectively handles DNS caching. For points 8, 9, and 10, I think merging them is essential, especially for laptop users. As for point 14, I don’t think it’s advisable to remove AMD Radeon from the context menu; I appreciate having that option. Point 15 seems perfectly fine. However, I believe point 4 needs further investigation. I came across some information regarding netprofm, but I only found a description in another repository Windows Server Docs, which stated: "Identifies the networks the computer has connected to, collects and stores properties for these networks, and notifies applications when these properties change." source As for point 3, it doesn't seem ideal because if someone has IPv6 enabled, it could lead to issues; it works fine if IPv6 is disabled. |
point 4 is a rabbit hole. I discovered this when BITS wouldn't start because I'd disabled netprofm, and discovered the dependencies weren't set on a new install. I would file this under "one of the many ways Windows Updates can break" that's difficult to hunt down. however looking more closely, I don't think MS have maintained their service dependencies well since they added all the new ones in Win11... I think we would find there's several or a dozen that are broken. problems can obviously be avoided by not supporting messing with services, rather than trying to map and set all dependencies (which isn't high value work), but WU breaking is a good reason to fix the BITS one imo. WU breaks often enough and is important enough that fortifying against this is a good idea. I agree on all your other comments. I think many people disable IPv6, but I don't know for sure. it certainly isn't the "amazing thing" we all knew it wouldn't be! |
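Added example, not part of the thread or of Atlas's own code: a read-only PowerShell check for the situation discussed in the comment above, where a service such as BITS needs another service (netprofm) that is either not declared as a dependency or has been disabled. The function name `Test-ServiceDependency` and its parameters are hypothetical; `BITS` and `netprofm` are the names used in the thread.

```powershell
# Added example: report missing or disabled dependencies for a Windows service.
# Read-only; it changes no service configuration.
function Test-ServiceDependency {
    param(
        [Parameter(Mandatory)] [string]   $Name,          # service to audit, e.g. BITS
        [string[]]                        $Expected = @() # dependencies you expect it to declare
    )

    $svc = Get-Service -Name $Name -ErrorAction Stop

    # Dependencies the service actually declares in its configuration
    $declared = @($svc.ServicesDependedOn | ForEach-Object { $_.Name })

    # Expected dependencies that are not declared (-notcontains is case-insensitive)
    $missing = @($Expected | Where-Object { $declared -notcontains $_ })

    # Declared or expected dependencies whose start mode is Disabled:
    # these stop the audited service from starting or working
    $disabled = @(
        foreach ($dep in ($declared + $Expected | Select-Object -Unique)) {
            # Kernel drivers are not in Win32_Service, so $info is $null for them
            $info = Get-CimInstance -ClassName Win32_Service -Filter "Name='$dep'"
            if ($info -and $info.StartMode -eq 'Disabled') { $dep }
        }
    )

    [pscustomobject]@{
        Service  = $svc.Name
        Declared = $declared
        Missing  = $missing
        Disabled = $disabled
        Healthy  = ($missing.Count -eq 0 -and $disabled.Count -eq 0)
    }
}

# The case from the thread: does BITS declare netprofm, and is netprofm enabled?
Test-ServiceDependency -Name BITS -Expected netprofm | Format-List
```

A `Missing` entry corresponds to the case the `sc config BITS depend=netprofm` line in the issue is meant to address; a `Disabled` entry means a debloat step turned off something the service still needs.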
It seems my ISP in Italy provides higher speed on IPv6 than IPv4, and they were the first ISP to offer IPv6. If I disable IPv6, my speed will be significantly reduced, which is why I think disabling IPv6 isn't ideal. In any case, the issue/feature merge looks promising, but you opened the issue back in June and it's still open in October, so it seems the Atlas developers aren't very interested in merging your feature. :( |
Before continuing...
What is your feature request regarding to?
Atlas Playbook
Is your feature request related to a problem? Please describe.
there are several cleanups, QoL changes, and hardening steps i take on a new Windows install, and i can't see that Atlas 0.40 currently does them (though they may be planned for 0.50).
i don't believe these are worth splitting into different issues. i can adapt them all and fork/PR, or let me know what parts are useful if any.
1. delete instances of Macromedia Flash. there are still remnants of Flash in Win10/11. edit: i believe Atlas is already doing this or it's no longer in Win11. it may be in Win10, though.
sc config BITS depend=netprofm
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{645FF040-5081-101B-9F08-00AA002F954E}]
winget in Atlas-OS offers to install Git, and Git adds two options to the Context Menu which may not be wanted. optionally provide a reg file to remove them in 4. Interface Tweaks\Context Menus\Git Bash Here
Describe the solution you would like.
whatever set of options people will find most useful.
Describe alternatives you have considered.
doing these manually.
Additional context.
No response