
Disable old networking components?


GrofLuigi


Inspired by Microsoft's Security Advisory 2914486, I did just as it, well, advised:

Workarounds

Reroute the NDProxy service to Null.sys

For environments with non-default, limited user privileges, Microsoft has verified that the following workaround effectively blocks the attacks that have been observed in the wild.

To implement this workaround, follow these steps:

From an elevated command prompt, execute the following commands:

sc stop ndproxy
reg add HKLM\System\CurrentControlSet\Services\ndproxy /v ImagePath /t REG_EXPAND_SZ /d system32\drivers\null.sys /f

Restart the system.

Effects of this workaround

Disabling NDProxy.sys will cause certain services that rely on Windows Telephony Application Programming Interfaces (TAPI) to not function. Services that will no longer work include Remote Access Service (RAS), dial-up networking, and virtual private networking (VPN).

First, let me describe the consequences: everything is working OK, but you lose the NULL device (I don't know if anything uses it; is it used for CMD prompt redirection?). On restart, NULL driver complains and doesn't start. Apparently, you can't have two NULL devices. I even tried copying the driver to NULL1.sys and adjusting the above line accordingly, but they can't start both.

OK. Let's try disabling NDProxy, since it doesn't function anyway. No go. On restart, LanmanWorkstation doesn't start. It has no visible dependencies on NDProxy. In fact, the string NDProxy appears in the registry only in its service name and in ENUM. I've also checked all the GUIDs in LanmanWorkstation\Linkage and it still doesn't lead me to NDProxy. There isn't anything visible in advanced networking components.

So, questions:

1. Is it a "cheating" dependency (hardcoded, built-in, of LanmanWorkstation on NDProxy)? Or is it inside the tangled mess of networking components that is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network? Has a program or method appeared to untangle that mess in human-readable form?

2. While we're at it, is there a way to disable more of the now obsolete (or unused on any particular machine) networking components like TAPI, RAS, PPPoE, VPN... but fully disable the drivers, not just skin deep? I'm sure many of the NDIS* services are unnecessary in this day and age, but of course, when I tried disabling them, I received a BSOD. This example shows that some can be disabled (NDProxy>NULL), so how to do it for more of them?

It's not about the security risks, it's about cleaning the crud. Yes, even XP and Server 2003 are still bloated, even after nLite. :ph34r:

*Edit: ^ This might be my fault, I didn't kill Telephony at the time with nLite, because I needed it for faxing. You can see how old my installation is. :)

*Edit2: In the system files, the string NDProxy appears only in ndis.sys and ndptsp.tsp. So I guess it's hardcoded there. But still how did it get to LanmanWorkstation?

GL

Edited by GrofLuigi
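For the first question (getting the dependency tangle into human-readable form), here is an added PowerShell example; it is not from the original post or from Microsoft's advisory. It lists every service whose DependOnService or DependOnGroup points at a given driver (the group form is the one services.msc never shows, so it goes a step beyond what the thread checked), reports whether the advisory's null.sys reroute is in place, and resolves the GUIDs in LanmanWorkstation\Linkage\Bind to adapter names. Assumptions: the network-adapter class key under Control\Network is the standard {4D36E972-E325-11CE-BFC1-08002BE10318}, and the function and parameter names are my own.

```powershell
# Added example, not part of the original post or of Microsoft's advisory.
# For one service: (1) who declares DependOnService on it, (2) who depends on
# its load-order group, (3) whether the advisory's null.sys reroute is applied,
# (4) what the GUIDs in LanmanWorkstation\Linkage\Bind refer to.
param([string]$Service = 'ndproxy')   # default is the driver discussed in the thread

$svcRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services'
# Assumed: the network-adapter class key, whose per-GUID Connection\Name value
# holds the adapter's display name.
$netClass = 'HKLM:\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}'

$target = Get-ItemProperty "$svcRoot\$Service" -ErrorAction SilentlyContinue
if (-not $target) { Write-Host "No service key for '$Service'"; exit 1 }

# (3) Workaround state: Security Advisory 2914486 reroutes ImagePath to null.sys.
if ($target.ImagePath -match 'null\.sys$') {
    Write-Host "'$Service' ImagePath = $($target.ImagePath) : advisory workaround is applied"
} else {
    Write-Host "'$Service' ImagePath = $($target.ImagePath)"
}

# (1) and (2): walk every service key once and check both dependency values.
# DependOnGroup never shows up in services.msc, so it is a common source of
# "invisible" dependencies that only surface as a failed start after reboot.
Write-Host "`nServices depending on '$Service' (directly, or via group '$($target.Group)'):"
foreach ($key in Get-ChildItem $svcRoot) {
    $p = Get-ItemProperty $key.PSPath -ErrorAction SilentlyContinue
    if (-not $p) { continue }
    if ($p.DependOnService -contains $Service) {
        Write-Host ("  {0,-24} DependOnService" -f $key.PSChildName)
    } elseif ($target.Group -and ($p.DependOnGroup -contains $target.Group)) {
        Write-Host ("  {0,-24} DependOnGroup={1}" -f $key.PSChildName, $target.Group)
    }
}

# (4) Decode the Linkage\Bind entries of LanmanWorkstation to adapter names.
Write-Host "`nLanmanWorkstation\Linkage\Bind:"
$bind = (Get-ItemProperty "$svcRoot\LanmanWorkstation\Linkage" -ErrorAction SilentlyContinue).Bind
foreach ($entry in @($bind)) {
    if (-not $entry) { continue }
    if ($entry -match '\{[0-9A-Fa-f-]+\}') {
        $conn = Get-ItemProperty "$netClass\$($Matches[0])\Connection" -ErrorAction SilentlyContinue
        $name = if ($conn) { $conn.Name } else { '(no adapter record for this GUID)' }
        Write-Host ("  {0}`n      -> {1}" -f $entry, $name)
    } else {
        Write-Host "  $entry"      # e.g. a non-GUID binding such as a NetBIOS transport
    }
}
```

Run it from an elevated prompt before and after changing a service so the diff in the dependency lists shows what a reboot would otherwise reveal the hard way.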