Atlas-OS / Atlas

🚀 An open and lightweight modification to Windows, designed to optimize performance, privacy and usability.
https://atlasos.net
GNU General Public License v3.0

[FEATURE] - Small reg and script helpers and cleanups #1130

Open sammilucia opened 4 weeks ago

sammilucia commented 4 weeks ago

What is your feature request regarding to?

Atlas Playbook

Is your feature request related to a problem? Please describe.

there are several cleanups, QoL changes, and hardening steps i take on a new Windows install, and i can't see that Atlas 0.40 currently does them (though they may be planned for 0.50).

i don't believe these are worth splitting into different issues. i can adapt them all and fork/PR, or let me know what parts are useful if any.

1. delete instances of Macromedia Flash. there are still remnants of Flash in Win10/11 edit: i believe Atlas is already doing this or it's no longer in Win11. it may be in Win10, though.

    takeown /F c:\windows\system32\macromed /A /R /D Y
    icacls c:\windows\system32\macromed /grant Administrators:F /T /C
    rmdir /S /Q c:\windows\system32\macromed

    takeown /F c:\windows\syswow64\macromed /A /R /D Y
    icacls c:\windows\syswow64\macromed /grant Administrators:F /T /C
    rmdir /S /Q c:\windows\syswow64\macromed

    del c:\windows\syswow64\flashplayer*.*

2. delete GatherNetworkInfo.bat, why this is in a vanilla install is beyond me but it can be used by a hacker for intel gathering

    echo Deleting GatherNetworkInfo.vbs (security target)
    takeown /F c:\windows\system32\gathernetworkinfo.vbs /A
    icacls c:\windows\system32\gathernetworkinfo.vbs /grant Administrators:F /C
    del /Q c:\windows\system32\gathernetworkinfo.vbs

3. noting that i believe AtlasOS is already setting the old tunneling protocols as disabled i.e.

    netsh int teredo set state disabled
    netsh int 6to4 set state disabled
    netsh int isatap set state disabled

4. service corrections. there are some strange service dependency problems that can lead to dependent services not starting and difficult-to-diagnose problems. there are several services not correctly set to depend, this is just one. more investigation is needed

    sc config BITS depend=netprofm

5. Add Recycle Bin to My Computer as an optional reg file in Atlas\4. Interface Tweaks\Recycle Bin

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{645FF040-5081-101B-9F08-00AA002F954E}]

6. disable negative DNS cache. by default Windows caches failed DNS queries which is a problem because most failures are short-term, leading to misleading problem diagnoses. i would recommend disabling by default

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters]
    "MaxNegativeCacheTtl"=dword:00000000

7. disable Desktop icon label shadow. imho it looks outdated and out of place with Material design.

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\ListviewShadow]
    "DefaultApplied"=dword:00000000

8. add AHCI device initiated sleep options to Power Options for SSDs. this adds HIPM and DIPM sleep options to SSD in the Windows Power Plans which gives more granular control over SSD sleep states

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\0012ee47-9041-4b5d-9b77-535fba8b1442\0b2d69d7-a2a1-449c-9680-f91c70521c60]
    "Attributes"=dword:00000002

9. option to disable Network Data Usage monitoring. this should probably be optional as some people might use metered network connections/cellular. i suggest Atlas\3. General Configuration\Network Data Usage

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Ndu]
    "Start"=dword:00000004

10. enable Turbo Boost in Power Options to configure CPU boost states. i don't believe this is accessible in Windows or AtlasOS however i could be mistaken.

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\be337238-0d82-4146-a960-4f3749d470c7]
    "Attributes"=dword:00000002

11. remove Git from Context Menus. winget in Atlas-OS offers to install Git, and Git adds two options to the Context Menu which may not be wanted. optionally provide a reg file to remove them in 4. Interface Tweaks\Context Menus\Git Bash Here

    [-HKEY_CLASSES_ROOT\Directory\shell\git_gui]
    [-HKEY_CLASSES_ROOT\Directory\shell\git_gui\command]
    [-HKEY_CLASSES_ROOT\Directory\shell\git_shell]
    [-HKEY_CLASSES_ROOT\Directory\shell\git_shell\command]
    [-HKEY_CLASSES_ROOT\Directory\Background\shell\git_shell]
    [-HKEY_CLASSES_ROOT\Directory\Background\shell\git_shell\command]
    [-HKEY_CLASSES_ROOT\Directory\Background\shell\git_gui]
    [-HKEY_CLASSES_ROOT\Directory\Background\shell\git_gui\command]

12. similarly Powershell Context Menu entries might not be wanted. this may require a takeown script

    [-HKEY_CLASSES_ROOT\Drive\shell\Powershell]
    [-HKEY_CLASSES_ROOT\Drive\shell\Powershell\command]
    [-HKEY_CLASSES_ROOT\Directory\shell\Powershell]
    [-HKEY_CLASSES_ROOT\Directory\shell\Powershell\command]

13. similarly Command Prompt here Context Menu entries might not be wanted. this may require a takeown script

    [-HKEY_CLASSES_ROOT\Directory\shell\cmd]
    [-HKEY_CLASSES_ROOT\Directory\shell\cmd\command]
    [-HKEY_CLASSES_ROOT\Directory\Background\shell\cmd]
    [-HKEY_CLASSES_ROOT\Directory\Background\shell\cmd\command]

14. provide option to remove AMD Radeon from the Context Menu since it's difficult to use. suggest providing a reg file in 4. Interface Tweaks\Context Menus\AMD

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Blocked]
    "{FDADFEE3-02D1-4E7C-A511-380F4C98D73B}"=""

Describe the solution you would like.

whatever set of options people will find most useful.

Describe alternatives you have considered.

doing these manually.

Additional context.

No response

sammilucia commented 4 weeks ago
15. provide an option to disable the hosted network, possibly in 3. General Configuration\Hosted WiFI Network. if you don't ever plan to use it, the ability to host a WiFi network can be exploited. however, people may forget it's disabled, which can cause difficulty diagnosing later on.

    netsh wlan set hostednetwork mode=disallow

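A read-only audit of the settings proposed in the two posts above, added here as an example and not part of the Atlas project or the reporter's scripts: it reports what the current install already has for each item, so a user can compare against Atlas's defaults before importing any of the reg files. It assumes Windows 10/11 with PowerShell 5.1 or later, run from an elevated prompt; the labels and the Get-RegValue / Get-NetshField helpers are mine.

```powershell
# Added example, not Atlas code: read-only audit of the settings discussed in the issue.
# Assumes Windows 10/11, PowerShell 5.1+, elevated prompt. Nothing here changes the system.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return '<not set>' }
    return $item.$Name
}

function Get-NetshField {
    # First "State"/"Mode" line of a netsh query, or '<unavailable>' when the component is absent
    param([string[]]$Arguments)
    $line = & netsh $Arguments 2>$null | Select-String -Pattern 'State|Mode' | Select-Object -First 1
    if ($null -eq $line) { return '<unavailable>' }
    return ($line.Line -split ':', 2)[1].Trim()
}

$power = 'HKLM:\SYSTEM\CurrentControlSet\Control\Power\PowerSettings'
$audit = [ordered]@{
    # item 2: the script the issue wants removed (the issue text says .bat, its commands use .vbs)
    'GatherNetworkInfo.vbs present' = Test-Path "$env:SystemRoot\System32\gathernetworkinfo.vbs"
    # item 3: transition tunnels, queried through the same netsh components the issue disables
    'Teredo state' = Get-NetshField 'interface','teredo','show','state'
    '6to4 state'   = Get-NetshField 'interface','6to4','show','state'
    'ISATAP state' = Get-NetshField 'interface','isatap','show','state'
    # item 4: current BITS dependencies, to compare with the proposed "depend=netprofm"
    'BITS depends on' = ((Get-Service BITS -ErrorAction SilentlyContinue).ServicesDependedOn.Name -join ', ')
    # item 6: negative DNS cache TTL in seconds; 0 disables it, absent means the Windows default
    'Dnscache MaxNegativeCacheTtl' = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters' 'MaxNegativeCacheTtl'
    # items 8 and 10: Attributes=2 shows the setting in Power Options, absent or 1 keeps it hidden
    'AHCI link power (HIPM/DIPM) Attributes' = Get-RegValue "$power\0012ee47-9041-4b5d-9b77-535fba8b1442\0b2d69d7-a2a1-449c-9680-f91c70521c60" 'Attributes'
    'Processor boost mode Attributes'        = Get-RegValue "$power\54533251-82be-4824-96c1-47b60b740d00\be337238-0d82-4146-a960-4f3749d470c7" 'Attributes'
    # item 9: Ndu start type, 4 = disabled (the issue writes ControlSet001; CurrentControlSet is the live set)
    'Ndu Start' = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\Ndu' 'Start'
    # item 14: the AMD shell extension GUID listed under Blocked means Explorer will not load it
    'AMD shell extension blocked' = $null -ne (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Blocked' -Name '{FDADFEE3-02D1-4E7C-A511-380F4C98D73B}' -ErrorAction SilentlyContinue)
    # item 15: "Allowed" means the hosted network (Wi-Fi access point) feature is still enabled
    'Hosted network mode' = Get-NetshField 'wlan','show','hostednetwork'
}

# Print one aligned line per check
$audit.GetEnumerator() | ForEach-Object { '{0,-42} {1}' -f $_.Key, $_.Value }
```

Running it before and after applying a playbook shows exactly which of the proposed items Atlas already covers, which is the question the thread keeps circling back to.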
he3als commented 4 weeks ago

delete GatherNetworkInfo.bat, why this is in a vanilla install is beyond me but it can be used by a hacker for intel gathering

This script runs as the permissions it's executed as. If an attacker has remote code execution, they could use various other and, most likely, better tools. It seems to be removed from the latest builds of Windows anyways.

We'd rather not touch components or files if it's not needed.

noting that i believe AtlasOS is already setting the old tunneling protocols as disabled

Generally, we don't touch these for compatibility reasons. Previously we messed around with Teredo, and in some cases, it would cause the XBOX app to not work properly. Those seem mostly disabled by default in Windows now, so I don't think it's significant to change them.

there are some strange service dependency problems that can lead to dependent services not starting and difficult-to-diagnose problems. there are several services not correctly set to depend, this is just one. more investigation is needed

Yeah, maybe? I'd still rather not touch it if it's not essential as I don't want to cause any conflicts or potential issues, but it is something to be researched into. I'd like to know why this is default and if it's a bug or purposeful.

disable negative DNS cache

This makes sense, but I want to know why it's not disabled by default.

disable Desktop icon label shadow

The shadow is required for good visibility on white backgrounds.

add AHCI device initiated sleep options to Power Options

enable Turbo Boost in Power Options

Sure. Although, I'd want to research these settings before unhiding them.

remove Git from Context Menus

remove AMD Radeon from the Context Menu

I'd consider it, but I don't want to go too out of scope for Atlas.

Powershell Context Menu entries might not be wanted

Command Prompt here Context Menu entries

These are in the extended context menu, I don't think that it matters.

provide an option to disable the hosted network

Do you have any recent vulnerabilities related to this?

sammilucia commented 4 weeks ago

This makes sense, but I want to know why it's not disabled by default.

it's specified in the RFC. in my experience for end users it's the more likely config to confound diagnosis. in large infrastructure it's also not a good idea because it can inhibit failover. imo the thinking is outdated.

The shadow is required for good visibility on white backgrounds.

I don't think any of your users will have white backgrounds, but your call 😊

Sure. Although, I'd want to research these settings before unhiding them.

sure. the use case for CPU turbo states is mostly laptops. reducing from the defaults (Enabled, or Aggressive Enabled) relieves heat on the GPU, which is usually the most heat bound. when you see laptop reviews that the GPU is throttling, especially AMD, this is usually why. SSD AHCI is also mostly for power saving, it enables lower idle states of e.g. <1W for SSDs. though Windows is awful at power-saving to start so this is a losing battle an SSD isn't going to win. SSD AHCI is more a case of it should be exposed by default, imo.

I'd consider it, but I don't want to go too out of scope for Atlas

fair. I was going to compile these into my own git until I found Atlas. I don't want to duplicate work.

Do you have any recent vulnerabilities related to this?

this speaks to principle of least access and secure by default configs (as well as the GatherNetworkInfo.vbs). you don't need a published exploit to reduce attack surface. however security needs to be balanced with usability, as you know, and hosted networks is problematic as previously noted because someone can disable it then travel a year later and need it.

however a hardened system will withstand more attacks than a system that's simply patched. security is also a question of "what's the weakest link in the chain". I wouldn't wait for exploits, as long as WU compatibility and usability can be maintained.

I guess it depends on the goals of Atlas, which I'd need to learn more intricately. in short OS hardening involves:

nicklvh commented 4 days ago

Responding to your 6th point, I've researched about disabling negative caching and it seems to be useful for gaining more up to date information but Windows' TTL is 15 minutes for negative caching so I'm not sure if disabling it would have any benefit. Also some DNS blocking services return NXDOMAIN as a result which would then not be stored in any negative cache and would result in many more DNS requests. Also, if a DNS issue is not fixed, it increases latency.

I agree with your points 8,10,11 and 15, but the others I feel like would not benefit the general Atlas user and could cause more problems than intended.

sammilucia commented 1 day ago

that's all good, really this is just a list of "here's some things i do, in case any are helpful / relevant", without understanding (yet) what is considered in-scope and out of scope for the project (though i have read the documentation).

one way to address the negative DNS cache is to lower the TTL to say 1 minute, which would effectively debounce the most common issues without causing confusion due to brief DNS failures i.e. "this didn't work for a while, now it mysteriously does"

however, i don't think it's an important enough setting to warrant a lot of discussion (i.e. it's not high-value). please feel free to take whatever's valuable and discard the rest. i will gain understanding of what's in-scope for this project from whatever you take.
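The negative-cache discussion above (disable it, keep the 15-minute default, or lower it to 1 minute) is easiest to settle on an actual host. The following is an added example, not code from the Atlas project or from anyone in the thread: it reads the MaxNegativeCacheTtl value the issue proposes, then deliberately resolves a constructed name that cannot exist and checks whether the NXDOMAIN answer landed in the client cache and with what remaining TTL. It assumes Windows 10/11 with the DnsClient module; the probe name and the two function names are mine.

```powershell
# Added example, not Atlas code: observe negative DNS caching on this host.
# Assumes Windows 10/11 with the DnsClient module (Resolve-DnsName, Get-DnsClientCache).
function Get-NegativeCacheSetting {
    # Returns a description of the registry value the issue proposes to change
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'
    $ttl = (Get-ItemProperty -Path $params -Name MaxNegativeCacheTtl -ErrorAction SilentlyContinue).MaxNegativeCacheTtl
    if ($null -eq $ttl) { return 'MaxNegativeCacheTtl not set: Windows default applies' }
    if ($ttl -eq 0)     { return 'MaxNegativeCacheTtl = 0: negative caching disabled (original proposal)' }
    return "MaxNegativeCacheTtl = $ttl seconds (60 would be the 1-minute debounce proposed later)"
}

function Test-NegativeCaching {
    # Constructed probe: a unique label under the reserved .invalid TLD, so it always fails and
    # no earlier cache entry can interfere with the observation.
    $probe = "atlas-negcache-probe-$([guid]::NewGuid().ToString('N').Substring(0, 8)).invalid"
    Resolve-DnsName -Name $probe -ErrorAction SilentlyContinue | Out-Null

    # If the failed lookup was cached, the client cache now holds a NotExist entry for the name
    $cached = Get-DnsClientCache -Name $probe -Status NotExist -ErrorAction SilentlyContinue
    if ($cached) {
        return "Negative answer for $probe is cached, remaining TTL $($cached[0].TimeToLive) s"
    }
    return "No negative cache entry for $probe: failed lookups are re-queried immediately"
}

Get-NegativeCacheSetting
Test-NegativeCaching
```

The second line of output is what distinguishes the three positions in the thread: a cached entry with a TTL near 900 s is the default nicklvh describes, one near 60 s is the debounce compromise, and no entry at all means caching is off.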