Windows ships with dozens of features and background services designed to improve convenience — but those conveniences are also additional points of entry for attackers. A recent how‑to-style guide compiled a short list of commonly unnecessary capabilities that many users can safely disable to reduce their Windows attack surface; this article expands that advice, verifies the technical details, and weighs the trade‑offs so you can make safe, informed decisions.
Source: Make Tech Easier Turn Off These Windows Features to Reduce Your Attack Surface - Make Tech Easier
Overview
Built‑in conveniences such as automatic Wi‑Fi reconnection, the WebClient/WebDAV mini‑redirector, the Print Spooler, Network Discovery, and Windows Script Host (WSH) can each be abused by attackers to escalate access, execute code, or move laterally across a network. Disabling unused features is a proven, low‑cost hardening step: when services aren’t running they cannot be exploited. This article summarizes the common tweaks, verifies the safe methods to disable and re‑enable them, provides mitigation alternatives, and highlights the practical downsides so readers can balance security and usability.
Key takeaways up front:
- Disabling unused services reduces your attack surface immediately and often dramatically.
- Some services (Print Spooler, WebClient/WebDAV, WSH) have historic and recent exploitation evidence — disabling them is a reasonable emergency mitigation where printing, WebDAV mounts, or script execution are not required. (msrc.microsoft.com, research.checkpoint.com)
- Always use documented procedures, test changes, and keep Windows Update and endpoint protection enabled — hardening is a complement to, not a replacement for, patching and AV/EDR. (windowscentral.com, bleepingcomputer.com)
Background: why disabling features matters
Every extra Windows component or service increases complexity and potential vulnerability. Services that listen on network ports, run with high privileges, or process remote content are particularly risky because they provide remote‑to‑local attack paths. Turning off features you do not need follows simple security logic: minimize the code running on a device and minimize the number of channels attackers can use.
Historically, Microsoft itself has recommended disabling specific services as a mitigation when a vulnerability targets a particular component; for example, disabling the WebClient service has been suggested as a practical workaround for certain WebDAV‑based RCE issues. (msrc.microsoft.com) More recently, advanced attackers have demonstrated creative chains that abuse legitimate features — for example, an espionage campaign known as Stealth Falcon abused WebDAV and a zero‑day (CVE‑2025‑33053) to run attacker binaries from a remote WebDAV server. That incident shows how apparently rarely used subsystems can become high‑impact vectors. (research.checkpoint.com, helpnetsecurity.com)
Security hardening should be selective: stop unneeded services, but review potential business or app dependencies first. The sections below cover the most commonly recommended switches, step‑by‑step, with pros, cons, and mitigation alternatives.
1) Remove automatic Wi‑Fi connection for public networks
Why it matters
Windows will, by default, remember Wi‑Fi networks you've connected to and can auto‑join them when in range. That convenience opens opportunities for Evil Twin and Man‑in‑the‑Middle (MitM) attacks where an attacker spoofs a previously used SSID or runs a malicious hotspot. Automatic reconnection can occur before VPNs or endpoint protections are fully active, exposing credentials or traffic. (windowscentral.com, howtogeek.com)
How to disable automatic connection (short steps)
- Open Settings → Network & internet → Wi‑Fi → Manage known networks.
- Select a network, click Edit (or Properties), then toggle off Connect automatically when in range.
- Repeat for public or untrusted networks.
- Alternatively, use the command line to set a profile to manual:
    netsh wlan set profileparameter name="<ProfileName>" connectionmode=manual
  Replace <ProfileName> with the saved profile name. (elevenforum.com, howtogeek.com)
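The same change applied across every saved profile, as an added example that is not part of the original article: it lists each profile's connection mode and sets auto-connecting profiles outside a trusted list to manual. It assumes English-language netsh output, and the SSIDs in $TrustedSsids are hypothetical placeholders.

```powershell
# Added example, not from the original article.
# Assumptions: English-language netsh output; the SSID names below are hypothetical.
$TrustedSsids = @('HomeNet', 'CorpWiFi')

function Get-NetshField {
    # Return the value of the first "Label : value" line, or nothing if absent.
    param([string[]]$Lines, [string]$Label)
    $pattern = '^\s*' + [regex]::Escape($Label) + '\s*:\s*(.+)$'
    $hit = $Lines | Select-String -Pattern $pattern | Select-Object -First 1
    if ($hit) { $hit.Matches[0].Groups[1].Value.Trim() }
}

function Get-WlanProfileSummary {
    # Saved profiles are listed as "All User Profile : <name>".
    $names = netsh wlan show profiles |
        Select-String -Pattern '^\s*All User Profile\s*:\s*(.+)$' |
        ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() }
    foreach ($name in $names) {
        $detail = netsh wlan show profile name="$name"
        [pscustomobject]@{
            Name           = $name
            ConnectionMode = Get-NetshField -Lines $detail -Label 'Connection mode'
            Authentication = Get-NetshField -Lines $detail -Label 'Authentication'
        }
    }
}

function Set-UntrustedProfilesManual {
    # Switch every auto-connecting profile that is not on the trusted list to manual.
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$Trusted = $TrustedSsids)
    $targets = Get-WlanProfileSummary | Where-Object {
        $_.ConnectionMode -eq 'Connect automatically' -and $_.Name -notin $Trusted
    }
    foreach ($p in $targets) {
        if ($PSCmdlet.ShouldProcess($p.Name, 'set connectionmode=manual')) {
            netsh wlan set profileparameter name="$($p.Name)" connectionmode=manual | Out-Null
        }
        $p   # emit the profile so the caller sees what was (or would be) changed
    }
}

# Review the current state, then preview the change before applying it.
Get-WlanProfileSummary | Format-Table -AutoSize
Set-UntrustedProfilesManual -WhatIf
```

Drop -WhatIf to apply the change. Profiles whose Authentication column reads Open are the ones the article suggests not saving at all.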
Pros
- Prevents silent reconnection to hotspots you used once.
- Low‑risk change with immediate security gains.
Cons and trade‑offs
- You must manually connect to trusted networks; slightly less convenience.
- For users who rely on many ephemeral hotspots this may be cumbersome.
Practical alternatives
- Keep automatic connect enabled only for trusted home and workplace SSIDs.
- Use automatic VPN connection policies (where available) and avoid saving open/public networks.
- Forget networks you no longer use.
2) Disable the WebClient (WebDAV) service
What WebClient does
The WebClient service powers the Windows WebDAV client (the "WebClient mini‑redirector"), allowing users to access remote WebDAV shares the same way they browse UNC or mapped drives. When enabled it can cause Windows to process remote content and — historically — has been the path used in remote‑to‑local attacks. Microsoft has recommended disabling WebClient as a mitigation in past advisories. (msrc.microsoft.com, learn.microsoft.com)
Real‑world risk: recent exploitation
In 2025, security researchers publicly documented a targeted espionage campaign (Stealth Falcon) that exploited a WebDAV‑related zero‑day (CVE‑2025‑33053). The attackers used a crafted .url shortcut that set a remote WebDAV working directory and caused Windows to run attacker‑supplied binaries from that remote share. That chain shows how WebDAV can be weaponized to execute code without the user directly launching an EXE. (research.checkpoint.com, blog.checkpoint.com)
How to disable WebClient safely
- Open Services (type Services in the Start menu).
- Find WebClient, right‑click → Properties.
- Click Stop (if running), then set Startup type to Disabled.
- Click OK and reboot if desired.
Pros
- Blocks a practical attack surface used in WebDAV‑based exploits.
- Simple, reversible, and low‑impact for users who do not use WebDAV.
Cons and trade‑offs
- Breaks legitimate WebDAV access and any application that depends on the WebClient service (for example, mapped WebDAV drives or some collaboration tools).
- May trigger System log errors for dependent services; test before broad deployment.
Enterprise considerations
- If you need WebDAV server access in an organization, apply access controls, limit WebDAV to trusted internal sites, and use network controls to prevent outbound WebDAV to the internet.
- As an interim mitigation after a public report of exploitation, disabling WebClient is an accepted Microsoft workaround. (msrc.microsoft.com)
3) Turn off the Print Spooler service (PrintNightmare context)
Why Print Spooler is high risk
The Print Spooler service runs with high privileges and historically has been the source of multiple critical vulnerabilities, with notable incidents grouped under the “PrintNightmare” name. Because spooler components handle remote printer driver installation and accept networked print jobs, they expose a broad attack surface. Microsoft and security vendors recommended disabling the service as an emergency mitigation when exploitable flaws were public. (windowscentral.com, bleepingcomputer.com)
Verified guidance
Security advisories from vendors and incident response writeups repeatedly list disabling the Print Spooler as a practical mitigation when a public zero‑day is being exploited. Disabling prevents both local and remote printing until patches and safer configurations are in place. (bleepingcomputer.com, loffler.com)
How to disable Print Spooler (two supported ways)
Option A — Services GUI:
- Open Services (Services.msc).
- Find Print Spooler, right‑click → Properties.
- Click Stop and set Startup type to Disabled.
- Confirm and close.
Option B (PowerShell):
- Open an elevated PowerShell session.
- Run:
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
- To re‑enable:
    Set-Service -Name Spooler -StartupType Automatic
    Start-Service -Name Spooler
  (windowscentral.com, bleepingcomputer.com)
Pros
- Removes a high‑privilege local attack surface.
- Simple to script across machines where printing is not required.
Cons and operational impact
- Local and network printing will stop; if your workflow requires printing this is disruptive.
- Some business workflows rely on printers or print servers; test and apply a Group Policy that only disables spooler on non‑printing systems (domain controllers are a common candidate for disabling). (sygnia.co)
Best practice
- If you must keep printing, use the Group Policy to block inbound print spooler client connections while allowing local printing, or isolate print servers on secure VLANs and apply strict authentication for driver installation. (bleepingcomputer.com)
4) Toggle off Network Discovery
What Network Discovery does
Network Discovery makes your PC visible on local networks and allows discovery of other devices for sharing and printing. On public or untrusted networks it increases discoverability and the chance that attackers will find exposed services. For most laptop/tablet users who do not rely on local file‑sharing, turning Network Discovery off is a net security improvement.
How to disable Network Discovery
- Open Settings → Network & internet → Advanced network settings → Advanced sharing settings.
- Under the profile (Private / Guest or Public), set Network discovery to Off.
- Or use Control Panel → Network and Sharing Center → Change advanced sharing settings.
Pros
- Reduces visibility on local networks.
- Prevents accidental file/print sharing exposure.
Cons and trade‑offs
- Disables quick device discovery for printers, NAS devices, or local file sharing. Re‑enable temporarily when needed.
5) Disable Windows Script Host (WSH)
Why WSH is a vector
Windows Script Host executes .vbs and .js scripts and is used by administrators and some legacy installers. However, script files are a top infection vector for phishing and ransomware — attackers embed malicious VBScript or JScript inside archives or delivered attachments. Disabling WSH prevents those scripts from launching via cscript/wscript. Security vendors commonly recommend disabling WSH unless the environment explicitly requires it. (withsecure.com, f-secure.com)
How to disable WSH (registry method)
Warning: Back up the registry before editing.
- Open Registry Editor (regedit).
- For a system‑wide disable, navigate to:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings
- (On 64‑bit systems also check HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Script Host\Settings.)
- Create a new DWORD (32‑bit) named Enabled and set its value to 0.
- Optionally set the same key under HKEY_CURRENT_USER to block for the current user.
- To re‑enable, delete the Enabled value or set it to 1.
- Test by attempting to run a .vbs or .js file — Windows will show Windows Script Host access is disabled when blocked. (f-secure.com, withsecure.com)
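The registry steps above as a scripted, reversible change (an added example, not part of the original article). The function names are hypothetical; it assumes an elevated 64‑bit PowerShell session so that both HKLM paths resolve as written.

```powershell
# Added example, not from the original article.
# Assumptions: elevated 64-bit PowerShell session; function names are hypothetical.
$WshKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows Script Host\Settings'
)

function Get-WshKeyList {
    # The WOW6432Node view exists only on 64-bit Windows.
    $WshKeys | Where-Object {
        $_ -notlike '*WOW6432Node*' -or [Environment]::Is64BitOperatingSystem
    }
}

function Set-WshEnabled {
    # Value 0 disables Windows Script Host, 1 re-enables it.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][ValidateSet(0, 1)][int]$Value)
    foreach ($key in Get-WshKeyList) {
        if ($PSCmdlet.ShouldProcess($key, "set Enabled = $Value")) {
            if (-not (Test-Path -LiteralPath $key)) {
                New-Item -Path $key -Force | Out-Null
            }
            # -Force overwrites an existing Enabled value of any type.
            New-ItemProperty -LiteralPath $key -Name Enabled `
                -PropertyType DWord -Value $Value -Force | Out-Null
        }
    }
}

function Get-WshState {
    # Report the Enabled value per key; a missing value means WSH is not restricted there.
    foreach ($key in Get-WshKeyList) {
        $prop = Get-ItemProperty -LiteralPath $key -Name Enabled -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Key     = $key
            Enabled = if ($prop) { $prop.Enabled } else { '(not set)' }
        }
    }
}

# Preview, apply, then confirm.
Set-WshEnabled -Value 0 -WhatIf
Set-WshEnabled -Value 0
Get-WshState | Format-Table -AutoSize
```

Run `Set-WshEnabled -Value 1` to roll back.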
Pros
- Blocks a common, easy script‑based infection vector.
- Straightforward to deploy via Intune, Group Policy, or configuration management.
Cons and caveats
- Breaks any legitimate local scripts, installers, or automation that rely on WSH (including some legacy enterprise tools).
- Disabling WSH does not block scripts embedded in Office macros — macro security must be handled separately.
Risk analysis: strengths and potential pitfalls
Strengths of the “turn‑off” approach
- Immediate reduction in exposed attack surface: disabled services simply do not accept input or process remote content.
- Low technical complexity: most changes require only a few clicks or a single PowerShell command, making them practical across small fleets.
- Reversibility: changes are usually reversible without reinstalling software.
Potential risks and operational costs
- Usability impact: disabling Print Spooler or WebClient can break legitimate workflows. Evaluate dependencies before wide deployment.
- False sense of security: disabling features reduces risk but does not eliminate the need for patching, endpoint detection and response (EDR), or user training.
- Management complexity: in larger organizations, ad hoc disabling can cause support tickets and user friction — use targeted policies, test groups, and staged rollouts.
When to prefer alternatives
- If an application requires a disabled feature, consider compensating controls:
  - Network segmentation (restrict WebDAV traffic to internal trusted hosts).
  - Strong endpoint controls (application allow‑lists, Smart App Control, ASR rules).
  - Patching and vendor mitigations (apply Microsoft patches promptly to address the underlying flaw).
- For printing needs, consider maintaining a dedicated, hardened print server rather than enabling spooler on every endpoint.
Deployment guidance: test, roll out, and monitor
- Inventory dependencies first. Scan for services, scheduled tasks, and applications that depend on the feature you plan to disable.
- Test on a small set of non‑critical machines. Ensure users don’t lose critical capability.
- Use management tooling: Group Policy, PowerShell DSC, Intune, or configuration management to roll out consistent changes and to allow fast rollback. (linkedin.com)
- Monitor logs and helpdesk tickets for unexpected breakages. Add a short‑term exception process for legitimate needs.
- Maintain a written policy documenting which systems have which services disabled and why.
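A read-only inventory for the first step above, as an added example that is not part of the original article: it reports the state and dependencies of the Spooler and WebClient services and lists scheduled tasks that launch Windows Script Host. The function names are hypothetical, and it assumes Windows PowerShell 5.1 or later with the built-in ScheduledTasks module.

```powershell
# Added example, not from the original article. Read-only: it changes nothing.
# Assumptions: Windows PowerShell 5.1+; function names are hypothetical.

function Get-FeatureDependencyReport {
    foreach ($name in 'Spooler', 'WebClient') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) {
            [pscustomobject]@{
                Service = $name; Status = 'NotInstalled'; StartType = $null
                RunningDependents = ''; DependsOn = ''
            }
            continue
        }
        # Services that are running now and would lose this dependency if it is disabled.
        $dependents = @($svc.DependentServices |
            Where-Object { $_.Status -eq 'Running' } |
            ForEach-Object { $_.Name })
        $requires = @($svc.ServicesDependedOn | ForEach-Object { $_.Name })
        [pscustomobject]@{
            Service           = $svc.Name
            Status            = $svc.Status
            StartType         = $svc.StartType
            RunningDependents = $dependents -join ', '
            DependsOn         = $requires -join ', '
        }
    }
}

function Get-WshScheduledTask {
    # Scheduled tasks whose action runs wscript/cscript or a WSH script file;
    # these would break once Windows Script Host is disabled.
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # COM-handler actions have no Execute/Arguments and yield an empty string.
            $cmd = "$($action.Execute) $($action.Arguments)".Trim()
            if ($cmd -match '\b[wc]script(\.exe)?\b|\.(vbs|vbe|js|jse|wsf)\b') {
                [pscustomobject]@{
                    TaskPath = $task.TaskPath
                    TaskName = $task.TaskName
                    Command  = $cmd
                }
            }
        }
    }
}

Get-FeatureDependencyReport | Format-Table -AutoSize
Get-WshScheduledTask | Format-Table -AutoSize -Wrap
```

An empty RunningDependents column and no matching scheduled tasks indicate a machine where the corresponding feature is a low-risk candidate for the test group.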
Quick reference: commands and steps
- Disable Print Spooler (PowerShell):
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
- Disable WebClient (Services GUI or PowerShell):
  - Services.msc → WebClient → Stop → Startup type = Disabled
- Disable Windows Script Host (registry):
  - Add HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings\Enabled = DWORD(0)
  - On 64‑bit: also check HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Script Host\Settings. (f-secure.com, stackoverflow.com)
- Turn off automatic Wi‑Fi connect (Settings):
  - Settings → Network & internet → Wi‑Fi → Manage known networks → Select network → Toggle Connect automatically when in range off. (windowscentral.com)
Case study: Stealth Falcon and why WebDAV matters
The June 2025 Stealth Falcon campaign is an instructive example. Researchers discovered exploitation of a WebDAV‑related zero‑day (CVE‑2025‑33053) where attackers used a crafted .url shortcut and a remote WebDAV working directory to trick Windows into executing attacker binaries hosted on the remote server. The chain used legitimate Windows binaries (LOLBins) and WebDAV access to bypass typical detections and deploy a tailored implant — reinforcing why unused remote file access protocols are valuable hardening targets. (research.checkpoint.com, helpnetsecurity.com)
Lessons:
- Rarely used subsystems can become critical escalation points when chained with other actions.
- Emergency mitigations like disabling WebClient or setting stricter workstation policies are practical stopgaps while patches are developed and tested. (msrc.microsoft.com, blog.checkpoint.com)
Recommended baseline for typical users
For most individual users and small businesses that do not require shared printing, WebDAV mounts, or legacy VBScript automation, the following baseline is sensible:
- Disable automatic connection to public/untrusted Wi‑Fi networks. (windowscentral.com)
- Disable WebClient if you do not use WebDAV or mapped WebDAV drives. (msrc.microsoft.com)
- Disable Print Spooler on machines that never print (or block inbound print spooler client connections via Group Policy on servers). (bleepingcomputer.com)
- Turn off Network Discovery on public networks.
- Consider disabling Windows Script Host unless VBScript/JScript is required by tools you actively use. (f-secure.com)
- Keep Windows Update active; apply Microsoft patches as they become available. (windowscentral.com)
- Maintain anti‑malware protection and enable reputation‑based protection or Smart App Control where available.
- Back up important data and implement recovery plans in case of disruption.
Final thoughts — hardening with context
Disabling unnecessary Windows features is a practical, high‑leverage way to reduce risk. The changes are often small but compound: remove one service, close one port, and you remove a class of attacks. However, hardening must be applied thoughtfully: identify legitimate dependencies, use management tooling, and keep patching and monitoring in place. Recent weaponized attacks that chain benign features (for example, WebDAV tricks used by Stealth Falcon) underline that even legacy or low‑use functionality can be an active threat vector — and therefore a valid target for restriction when unused. (research.checkpoint.com, msrc.microsoft.com)
If convenience and compatibility are essential for specific workflows, document exceptions and apply compensating controls (segmentation, least privilege, allow‑listing) rather than leaving broad attack surfaces open by default. Security is a layered process: reduce the attack surface where feasible, patch promptly, monitor actively, and plan for controlled reversibility when business needs require re‑enabling a feature.