I have a batch script that disables Wpad (A security messaure)

Hi all. I found this batch file to render wpad useless or prevent the danger with wpad. I want you to give me advice on what you think of it, and if it's something that is a legit concern even in 2023. And feel free to use it for yourself for security if you find it legit prevention. I read about it and it is?/was a legit concern.

Here it is below:
"I have tested removing proxy from computers by renaming the WPAD key and rebooting.
You can also use IEAK11 to create a GPO to remove "Automatically detect settings" and that is why the script uses gpupdate to apply the GPO as well. If you already applied the change to a computer this script won't do changes and will exit. The basic script is bellow.

Even when you turn on in Internet Explorer "Automatically detect settings" proxy is not used and WPAD key is recreated but with no proxy. This setting is no longer recommended as makes your computer vulnerable (Disable WPAD Now or Have Your Accounts Compromised, Researchers Warn - Slashdot) ."

SCRIPT BELOW:


REM Script to delete the cached proxy configuration, clear IE cache, flushdns, rename WPAD key and delete the original; reboot is required

gpupdate

reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad.bad" >nul
if %ERRORLEVEL%==0 goto END

ELSE
(
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections" /v "DefaultConnectionSettings" /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections" /v "SavedLegacySettings" /f

RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 8

ipconfig /flushdns

reg copy "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad.bad"

reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f

echo n | gpupdate /force /wait:0

shutdown.exe /r /t 30 )

:END

dalchina said:

Please define the danger.... I'm worried now...

Click the link above and it will take you there to explain :)

- - - Updated - - -

I'll just share it here anyway, no need to click the link.

It's enabled by default on Windows (and supported by other operating systems) -- but now security researchers are warning that "Man-in-the-middle attackers can abuse the WPAD protocol to hijack people's online accounts and steal their sensitive information even when they access websites over encrypted HTTPS or VPN connections," according to CSO. Slashdot reader itwbennett writes:
Their advice: disable WPAD now. "No seriously, turn off WPAD!" one of their presentation slides said. "If you still need to use PAC files, turn off WPAD and configure an explicit URL for your PAC script; and serve it over HTTPS or from a local file"... A few days before their presentation, two other researchers named Itzik Kotler and Amit Klein independently showed the same HTTPS URL leak via malicious PACs in a presentation at the Black Hat security conference. A third researcher, Maxim Goncharov, held a separate Black Hat talk about WPAD security risks, entitled BadWPAD.

Paul Black said:

I just checked this on mine and there is NO Value Data set . . .

Hi. They say that just turning it off or not having it set in registry, is not enough apparently hence the Wpad script to disable it 100%.

That's great news! Thanks!