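#Requires -Version 5.1
#Requires -RunAsAdministrator
<# SilverMetal Enhanced - Windows | Domain D: Kernel & credential isolation

VBS + HVCI + Credential Guard + LSA protection + Kernel DMA Protection.

The genuinely strong, hardware-backed part of hardened Windows.

Spec: ../hardening-spec.md (D) | SCAFFOLD (M1).

Reviewer notes:
  * Everything below is written to HKLM:\SYSTEM device state (plus one
    Policies key), and no UEFI lock is set apart from RunAsPPL (see there).
    A local admin can therefore revert VBS/HVCI/Credential Guard with a reboot;
    if tamper resistance is a goal, add the documented 'Locked' DWORDs after
    M1 validation, knowing a lock is only reversible via Secure Boot-signed
    Microsoft tooling.
  * Every feature here is hardware-gated (UEFI Secure Boot, SLAT-capable CPU,
    hypervisor present). This script only writes policy; it does not prove the
    platform can honour it. Verify after reboot per TODO-M1 at the bottom.
#>
[CmdletBinding()] param()
Set-StrictMode -Version Latest; $ErrorActionPreference = 'Stop'
Write-Host '[D] Kernel & credential isolation'

# Pre-flight (advisory only, never fatal): without Secure Boot the VBS-based
# features below stay silently off, so say so up front instead of after reboot.
try {
    if (-not (Confirm-SecureBootUEFI)) {
        Write-Warning '[D] Secure Boot is OFF: VBS/HVCI/Credential Guard will not start.'
    }
} catch {
    Write-Warning "[D] Could not query Secure Boot state ($($_.Exception.Message)); verify manually."
}

# VBS + HVCI (Memory Integrity)
$dg = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
New-Item $dg -Force | Out-Null
Set-ItemProperty $dg -Name EnableVirtualizationBasedSecurity -Type DWord -Value 1
# 1 = require Secure Boot only. 3 would additionally require DMA protection,
# which on the AMD target is firmware-gated (see the Kernel DMA section) and
# would keep VBS from starting at all -- so deliberately 1, DMA handled apart.
Set-ItemProperty $dg -Name RequirePlatformSecurityFeatures -Type DWord -Value 1 # Secure Boot
$hvci = "$dg\Scenarios\HypervisorEnforcedCodeIntegrity"
New-Item $hvci -Force | Out-Null
# No 'Locked' value written: HVCI stays admin-revertible (no UEFI lock).
Set-ItemProperty $hvci -Name Enabled -Type DWord -Value 1

# Credential Guard
# The Scenarios\CredentialGuard key is kept as originally written. LsaCfgFlags
# under Control\Lsa is Microsoft's documented registry switch (1 = enabled with
# UEFI lock, 2 = enabled without lock); 2 matches the no-lock stance of the rest
# of this domain. If M1 shows Credential Guard absent in msinfo32, check this
# value and the Secure Boot / hypervisor prerequisites first.
$lsacfg = "$dg\Scenarios\CredentialGuard"
New-Item $lsacfg -Force | Out-Null
Set-ItemProperty $lsacfg -Name Enabled -Type DWord -Value 1
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Set-ItemProperty $lsa -Name LsaCfgFlags -Type DWord -Value 2

# LSA protection (RunAsPPL)
# CAUTION: per Microsoft's documentation, 1 = enable LSA protection AND create
# a UEFI variable (a lock that survives registry rollback and needs the signed
# opt-out tool to clear), 2 = enable without the UEFI variable (Win11 22H2+).
# This is therefore the one Domain D setting that persists in firmware. Kept at
# 1 as specified -- confirm against the spec that the lock is intended; if not,
# use 2. Note: the UEFI variable is only created when Secure Boot is on.
Set-ItemProperty $lsa -Name RunAsPPL -Type DWord -Value 1

# Kernel DMA Protection: on AMD this is firmware-gated (ACPI IVRS DMA_REMAP bit).
# The enumeration policy below is, per its own policy description, only enforced
# when Kernel DMA Protection is supported and enabled by the firmware. On a box
# where msinfo32 reports it Off this value is inert -- it is NOT a compensating
# control by itself; the real fallback for that case must come from Domain G
# (port/device controls). Set anyway so it takes effect if firmware ever gains it.
$ki = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection'
New-Item $ki -Force | Out-Null
# 0 = block all external DMA-capable devices that are not DMA-remapping
# compatible (most restrictive); 1 = allow such devices only after log-in /
# screen unlock; 2 = allow all. 0 is chosen here.
Set-ItemProperty $ki -Name DeviceEnumerationPolicy -Type DWord -Value 0 # block until authorized

# TODO-M1: confirm msinfo32 reports VBS=Running + Credential Guard + HVCI after reboot
# (scriptable equivalent: Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard
#  -ClassName Win32_DeviceGuard; SecurityServicesRunning contains 1 = Credential Guard,
#  2 = HVCI; VirtualizationBasedSecurityStatus 2 = running);
# confirm whether Kernel DMA Protection shows On (IVRS bit) -- open question §8.

Write-Host ' [D] policy set (VBS/HVCI/CredGuard/LSA-PPL/DMA). Effective after reboot.'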