Windows Networking | Harden System Security¶

Disables Smart Multi-Homed Name Resolution because it uses NetBIOS and LLMNR, protocols that shouldn't be used anymore. CSP

Disables LMHOSTS lookup protocol on all network adapters, legacy feature that's not used anymore.

Disables Printing over HTTP because HTTP is not encrypted and it's an old feature that's not used anymore. CSP

Sets the minimum required SMB version for Client to 3.1.1 which is the latest available version at the moment and was introduced years ago with Windows 10.

Sets the minimum required SMB version for Server to 3.1.1 which is the latest available version at the moment and was introduced years ago with Windows 10.

Blocks NTLM completely. This sub-category applies the following 4 policies:
For SMB.
For all incoming connections.
For all outgoing connections. - This can prevent you from using RDP (Remote Desktop) remotely via IP address which is insecure as it needs public exposed ports and uses NTLM. You can use Quick Assist or Bastion for Azure VMs which are more secure alternatives. Local RDP such as for Hyper-V enhanced session is not affected.
Disables the RPC Endpoint Mapper Client Authentication policy. CSP. It is recommended to be disabled when NTLM is completely blocked.

Enables encryption for SMB Server. Its status can be checked using the following PowerShell command: (get-SmbServerConfiguration).EncryptData. If the returned value is $True then SMB Encryption is turned on.

Configures the Cipher Suites from the default value of AES_128_GCM,AES_128_CCM,AES_256_GCM,AES_256_CCM to AES_256_GCM,AES_256_CCM,AES_128_GCM,AES_128_CCM for the SMB Client. CSP

Configures the Cipher Suites from the default value of AES_128_GCM,AES_128_CCM,AES_256_GCM,AES_256_CCM to AES_256_GCM,AES_256_CCM,AES_128_GCM,AES_128_CCM for the SMB Server. CSP