Update Harden-Windows.ps1

Mr-DS-ML-85 · web-flow · commit a5bb5062421e · 2025-07-05T21:17:55.000+06:00
Improved handle port blocks by Firewall 
Added error handling for services
Added warning of port already disabled by Firewall
And added Minor Improvements for the code
diff --git a/Harden-Windows.ps1 b/Harden-Windows.ps1
@@ -1,36 +1,59 @@
-# === Run as Administrator ===
+# === Run this script as Administrator ===
+
+# ----------------------------------------
+# 🚫 Block inbound dangerous or unneeded ports
+# ----------------------------------------
+$portsToBlock = @(
+    "135", "137", "139", "445", "5040", "1462", "7680",
+    "26822", "32683", "33683", "49664", "49665", "49666", "49667", "49670"
+)
 
-# Block dangerous inbound ports
-$portsToBlock = "135", "139", "445", "5040", "1462", "49664-49669"
 foreach ($port in $portsToBlock) {
-    New-NetFirewallRule -DisplayName "Block Port $port" `
-                        -Direction Inbound `
-                        -LocalPort $port `
-                        -Protocol TCP `
-                        -Action Block `
-                        -Profile Any
+    $ruleName = "Block TCP Port $port"
+    Write-Host "🔒 Blocking port: $port"
+
+    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
+        New-NetFirewallRule -DisplayName $ruleName `
+                            -Direction Inbound `
+                            -LocalPort $port `
+                            -Protocol TCP `
+                            -Action Block `
+                            -Profile Any
+        Write-Host "✅ Port $port blocked"
+    } else {
+        Write-Host "⚠️ Rule already exists for port $port (skipping)"
+    }
 }
 
-# Disable dangerous or unneeded services
+# ----------------------------------------
+# ❌ Disable dangerous or unneeded services
+# ----------------------------------------
 $servicesToDisable = @(
     "RemoteRegistry",
-    "TermService",           # Remote Desktop
-    "LanmanServer",          # File Sharing (SMB)
-    "LanmanWorkstation",     # SMB Client
-    "SSDPDiscovery",
-    "upnphost",              # UPnP
-    "FDResPub",              # Function Discovery
-    "Spooler"                # Printer (optional, comment out if needed)
+    "TermService",         # Remote Desktop
+    "LanmanServer",        # SMB File Sharing
+    "LanmanWorkstation",   # SMB Client
+    "SSDPDiscovery",       # Might not exist
+    "upnphost",            # UPnP
+    "FDResPub",            # Function Discovery
+    "Spooler"              # Printer service (optional)
 )
 
 foreach ($svc in $servicesToDisable) {
-    Write-Host "Disabling service: $svc"
-    Stop-Service -Name $svc -ErrorAction SilentlyContinue
-    Set-Service -Name $svc -StartupType Disabled
+    $service = Get-Service -Name $svc -ErrorAction SilentlyContinue
+    if ($service) {
+        Write-Host "🛑 Disabling service: $svc"
+        Stop-Service -Name $svc -ErrorAction SilentlyContinue
+        Set-Service -Name $svc -StartupType Disabled
+    } else {
+        Write-Host "⚠️ Service not found: $svc (skipping)"
+    }
 }
 
-# OPTIONAL: Disable IPv6 (uncomment if you want)
-<# 
+# ----------------------------------------
+# 🧪 OPTIONAL: Disable IPv6 (Uncomment if needed)
+# ----------------------------------------
+<#
 Write-Host "Disabling IPv6..."
 New-ItemProperty `
     -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" `
@@ -40,4 +63,7 @@ New-ItemProperty `
     -Force
 #>
 
-Write-Host "`n✅ System hardening complete. Please restart your computer to apply all changes."
+# ----------------------------------------
+# ✅ Done
+# ----------------------------------------
+Write-Host "`n🎉 System hardening complete. Please restart your PC to apply all changes." -ForegroundColor Green
