Add windows/iso-builder.md: reproducible custom-packed-ISO pipeline design for
SilverMetal Enhanced - Windows on IoT Enterprise LTSC. Covers the licensing
frame (IoT = blessed channel for preinstalled custom images; self-apply stays a
builder), 7 build stages (verify/extract/DISM-service/inject-unattend/brand/
oscdimg-repack/attest), the offline-vs-first-boot-vs-firmware control split, an
honest reproducibility scope (pinned inputs + SBOM + attestation, NOT bit-
identical on Windows), and M0-M4 milestones.
Scaffold windows/ per the planned layout:
- installer/ build.ps1 (7-stage orchestrator, stages stubbed to M2),
inputs.manifest.json (pinned-input schema), autounattend.xml
(local-account OOBE), oem/SetupComplete.cmd (first-boot runner)
- hardening/ shared §A-H PowerShell modules + Verify-SilverMetalWindows.ps1
(used by BOTH the ISO first-boot path and the self-apply track).
BitLocker module enforces TPM+PIN and blocks TPM-only.
- policies/ wdac/ debloat/ stack-installer/ drivers/ tests/ scaffolded with
READMEs; wdac/ documents audit->enforce; debloat/ flags Tiny11/NTLite as an
anti-pattern; rename applocker/ -> wdac/ realised.
All 11 PowerShell scripts parse clean; manifest JSON + autounattend XML valid.
Module bodies are M1 scaffold (safe: log + policy-set; interactive/firmware
steps documented, not faked).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
32 lines
1.7 KiB
PowerShell
#Requires -Version 5.1
<# SilverMetal Enhanced - Windows | Domain F: Network & radios
Distrust the network: firewall default-deny inbound, encrypted DNS, kill
LAN name-resolution leak vectors, WiFi-only (no baseband module). SilverVPN
always-on kill-switch is installed by 08-stack-install.ps1.
Spec: ../hardening-spec.md (F) | SCAFFOLD (M1).
#>
[CmdletBinding()] param()
Set-StrictMode -Version Latest; $ErrorActionPreference = 'Stop'
Write-Host '[F] Network & radios'

# Firewall: default-deny inbound on all profiles.
Set-NetFirewallProfile -Profile Domain,Public,Private -DefaultInboundAction Block -DefaultOutboundAction Allow -Enabled True

# Disable SMBv1 + LAN name-resolution leak vectors.
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -EA SilentlyContinue | Out-Null
$dns = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
New-Item $dns -Force | Out-Null
Set-ItemProperty $dns -Name EnableMulticast -Type DWord -Value 0 # LLMNR off
$nbt = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
Set-ItemProperty $nbt -Name NodeType -Type DWord -Value 2 # NetBIOS: P-node (no broadcast)

# Encrypted DNS (DoH) auto + WPAD off.
$doh = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
Set-ItemProperty $doh -Name DoHPolicy -Type DWord -Value 3 # require DoH
Set-Service WinHttpAutoProxySvc -StartupType Disabled -EA SilentlyContinue

# TODO-M1: configure DoH server template; verify NO WWAN adapter present (we do not fit the
# 4G/5G baseband module); disable Bluetooth radio unless in use.

Write-Host ' [F] firewall default-deny, SMB1 off, LLMNR/NetBIOS/WPAD off, DoH required.'
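Review bot: `Set-ItemProperty $doh -Name DoHPolicy -Type DWord -Value 3` switches the resolver to "require DoH" while the TODO-M1 two lines below admits no DoH server template is configured yet; on a box whose configured resolver has no matching DoH template, "require" refuses classic UDP/TCP DNS, so name resolution can be dead at first boot, before 08-stack-install.ps1 has had a chance to bring up SilverVPN. Either register the template first (Add-DnsClientDohServerAddress with the chosen resolver and template URL) and only then set 3, or keep the M1 scaffold at 2 (allow DoH) and promote to 3 in the milestone that lands the template. The section comment "# Encrypted DNS (DoH) auto + WPAD off." also disagrees with the code and the closing Write-Host, which both say "required"; pick one wording. Minor: `$doh` duplicates `$dns` (same key), so the second variable can go.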