SilverLABS/SilverMetal
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
13df66d137ca0e345b1bd2a311f4928e281dd09c
SilverMetal/windows/hardening/04-app-control.ps1
sysadmin 3a30a0421e docs(windows): add ISO-builder design + scaffold the windows/ tree 
Add windows/iso-builder.md: reproducible custom-packed-ISO pipeline design for
SilverMetal Enhanced - Windows on IoT Enterprise LTSC. Covers the licensing
frame (IoT = blessed channel for preinstalled custom images; self-apply stays a
builder), 7 build stages (verify/extract/DISM-service/inject-unattend/brand/
oscdimg-repack/attest), the offline-vs-first-boot-vs-firmware control split, an
honest reproducibility scope (pinned inputs + SBOM + attestation, NOT bit-
identical on Windows), and M0-M4 milestones.

Scaffold windows/ per the planned layout:
- installer/  build.ps1 (7-stage orchestrator, stages stubbed to M2),
              inputs.manifest.json (pinned-input schema), autounattend.xml
              (local-account OOBE), oem/SetupComplete.cmd (first-boot runner)
- hardening/  shared §A-H PowerShell modules + Verify-SilverMetalWindows.ps1
              (used by BOTH the ISO first-boot path and the self-apply track).
              BitLocker module enforces TPM+PIN and blocks TPM-only.
- policies/ wdac/ debloat/ stack-installer/ drivers/ tests/  scaffolded with
  READMEs; wdac/ documents audit->enforce; debloat/ flags Tiny11/NTLite as an
  anti-pattern; rename applocker/ -> wdac/ realised.

All 11 PowerShell scripts parse clean; manifest JSON + autounattend XML valid.
Module bodies are M1 scaffold (safe: log + policy-set; interactive/firmware
steps documented, not faked).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-08 15:35:13 +01:00

37 lines
2.0 KiB
PowerShell
Raw Blame History

#Requires -Version 5.1
<# SilverMetal Enhanced - Windows | Domain E: Application control
WDAC (App Control) AUDIT-first then enforce; Defender ASR at max; Defender
on for detection but sample submission OFF (privacy); SmartScreen; CFA.
Balanced posture = audit before enforce (don't brick the dev workflow).
Spec: ../hardening-spec.md (E) | SCAFFOLD (M1).
#>
[CmdletBinding()] param()
Set-StrictMode -Version Latest; $ErrorActionPreference = 'Stop'
Write-Host '[E] Application control'
# --- Defender: detection on, but do NOT exfiltrate user files ---
Set-MpPreference -MAPSReporting Advanced
Set-MpPreference -SubmitSamplesConsent 2 # 2 = never send samples
Set-MpPreference -PUAProtection Enabled
Set-MpPreference -EnableControlledFolderAccess Enabled
# --- ASR rules at max (Block) ---
$asr = @{
'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550'=1 # block executable content from email/webmail
'9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2'=1 # block credential stealing from lsass
'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'=1 # block Office child processes
'3B576869-A4EC-4529-8536-B80A7769E899'=1 # block Office executable content creation
'5BEB7EFE-FD9A-4556-801D-275E5FFC04CC'=1 # block obfuscated scripts
'D3E037E1-3EB8-44C8-A917-57927947596D'=1 # block JS/VBS launching downloaded content
'B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4'=1 # block untrusted/unsigned from USB
}
foreach ($id in $asr.Keys) { Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $asr[$id] }
# --- WDAC: deploy base policy in AUDIT first ---
# TODO-M1: compile ..\wdac\silvermetal-base.xml -> .cip in AUDIT mode (option 3 'Audit Mode' set),
# stage to C:\Windows\System32\CodeIntegrity\CiPolicies\Active, CiTool --refresh.
# After a real-usage shakedown, regenerate from audit events and PROMOTE to enforce.
Write-Warning ' WDAC base policy authoring is M1 (audit) -> M2 (enforce). Not yet deployed.'
Write-Host ' [E] Defender+ASR applied; WDAC pending policy authoring.'
Reference in New Issue View Git Blame Copy Permalink