
Comments (4)

sammilucia commented on July 17, 2024
  1. provide an option to disable the hosted network, possibly in 3. General Configuration\Hosted WiFI Network. if you don't ever plan to use it, the ability to host a WiFi network can be exploited. however, people may forget it's disabled, which can cause difficulty diagnosing later on.

     ```
     netsh wlan set hostednetwork mode=disallow
     ```

from atlas.

he3als commented on July 17, 2024

> delete GatherNetworkInfo.bat, why this is in a vanilla install is beyond me but it can be used by a hacker for intel gathering

This script runs as the permissions it's executed as. If an attacker has remote code execution, they could use various other and, most likely, better tools. It seems to be removed from the latest builds of Windows anyways.

We'd rather not touch components or files if it's not needed.

> noting that i believe AtlasOS is already setting the old tunneling protocols as disabled

Generally, we don't touch these for compatibility reasons. Previously we messed around with Teredo, and in some cases, it would cause the XBOX app to not work properly. Those seem mostly disabled by default in Windows now, so I don't think it's significant to change them.

> there are some strange service dependency problems that can lead to dependent services not starting and difficult-to-diagnose problems. there are several services not correctly set to depend, this is just one. more investigation is needed

Yeah, maybe? I'd still rather not touch it if it's not essential as I don't want to cause any conflicts or potential issues, but it is something to be researched into. I'd like to know why this is default and if it's a bug or purposeful.

> disable negative DNS cache

This makes sense, but I want to know why it's not disabled by default.

> disable Desktop icon label shadow

The shadow is required for good visibility on white backgrounds.

> add AHCI device initiated sleep options to Power Options

> enable Turbo Boost in Power Options

Sure. Although, I'd want to research these settings before unhiding them.

> remove Git from Context Menus

> remove AMD Radeon from the Context Menu

I'd consider it, but I don't want to go too out of scope for Atlas.

> PowerShell Context Menu entries might not be wanted

> Command Prompt here Context Menu entries

These are in the extended context menu, I don't think that it matters.

> provide an option to disable the hosted network

Do you have any recent vulnerabilities related to this?


sammilucia commented on July 17, 2024

> This makes sense, but I want to know why it's not disabled by default.

it's specified in the RFC. in my experience for end users it's the more likely config to confound diagnosis. in large infrastructure it's also not a good idea because it can inhibit failover. imo the thinking is outdated.

> The shadow is required for good visibility on white backgrounds.

I don't think any of your users will have white backgrounds, but your call 😊

> Sure. Although, I'd want to research these settings before unhiding them.

sure. the use case for CPU turbo states is mostly laptops. reducing from the defaults (Enabled, or Aggressive Enabled) relieves heat on the GPU, which is usually the most heat bound. when you see laptop reviews that the GPU is throttling, especially AMD, this is usually why. SSD AHCI is also mostly for power saving, it enables lower idle states of e.g. <1W for SSDs. though Windows is awful at power-saving to start so this is a losing battle an SSD isn't going to win. SSD AHCI is more a case of it should be exposed by default, imo.

> I'd consider it, but I don't want to go too out of scope for Atlas

fair. I was going to compile these into my own git until I found Atlas. I don't want to duplicate work.

> Do you have any recent vulnerabilities related to this?

this speaks to principle of least access and secure by default configs (as well as the GatherNetworkInfo.vbs). you don't need a published exploit to reduce attack surface. however security needs to be balanced with usability, as you know, and hosted networks is problematic as previously noted because someone can disable it then travel a year later and need it.

however a hardened system will withstand more attacks than a system that's simply patched. security is also a question of "what's the weakest link in the chain". I wouldn't wait for exploits, as long as WU compatibility and usability can be maintained.

I guess it depends on the goals of Atlas, which I'd need to learn more intricately. in short OS hardening involves:

  • removing non-essential services
  • removing non-essential software/modules/stale vectors
  • hardening TCP and remaining services (here, like the above, is the reason to stray from RFC, which are usually designed for the widest use cases, sometimes impractically so)
  • disable dangling resources like default shares, default/insecure logins
  • (restrict firewalls to the smallest set of in/outbound ports. probably not practical here)
  • (ideally rename default logins to unguessable ones and create dummy default logins, however I would argue this is clearly out of scope)

from atlas.
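A read-only check of the items raised in this thread (hosted network mode, legacy tunneling protocols, negative DNS cache values, the GatherNetworkInfo script), given here as an added example that is not part of the issue discussion or Atlas's own code. It assumes English `netsh` output, the NetworkTransition cmdlets, and that the script files would live under System32; the function names are hypothetical.

```powershell
# Read-only audit of settings discussed in this thread; it changes nothing.
# Assumptions: English netsh output, Windows PowerShell 5.1+, run locally.

function Get-HostedNetworkMode {
    # 'netsh wlan show hostednetwork' prints a line such as "Mode : Allowed"
    $out = & netsh.exe wlan show hostednetwork 2>&1 | Out-String
    if ($out -match '(?m)^\s*Mode\s*:\s*(.+?)\s*$') { return $Matches[1] }
    return 'unknown (no WLAN service/adapter, or non-English output)'
}

function Get-TunnelState {
    # A missing cmdlet or a query error is reported as 'unavailable'
    $checks = [ordered]@{
        Teredo = { (Get-NetTeredoConfiguration -ErrorAction Stop).Type }
        '6to4' = { (Get-Net6to4Configuration -ErrorAction Stop).State }
        ISATAP = { (Get-NetIsatapConfiguration -ErrorAction Stop).State }
    }
    foreach ($name in $checks.Keys) {
        $value = try { & $checks[$name] } catch { 'unavailable' }
        [pscustomobject]@{ Check = "Tunnel: $name"; Value = "$value" }
    }
}

function Get-NegativeDnsCache {
    # DNS Client cache parameters; an absent value means the Windows default applies
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($name in 'MaxNegativeCacheTtl', 'NegativeCacheTime', 'NetFailureCacheTime') {
        $v = if ($props -and $null -ne $props.$name) { $props.$name } else { 'not set (Windows default)' }
        [pscustomobject]@{ Check = "DNS: $name"; Value = "$v" }
    }
}

function Get-GatherNetworkInfoPresence {
    # Both file names appear in the thread; the System32 location is an assumption
    foreach ($file in 'GatherNetworkInfo.vbs', 'GatherNetworkInfo.bat') {
        $path = Join-Path $env:SystemRoot "System32\$file"
        [pscustomobject]@{ Check = "File: $file"; Value = if (Test-Path -LiteralPath $path) { 'present' } else { 'absent' } }
    }
}

$report = @(
    [pscustomobject]@{ Check = 'Hosted network mode'; Value = Get-HostedNetworkMode }
    Get-TunnelState
    Get-NegativeDnsCache
    Get-GatherNetworkInfoPresence
)
$report | Format-Table -AutoSize
```

Running it before and after a tweak records what actually changed, which helps with the "forgot it was disabled" diagnosis problem raised above.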
