refactor(template): §7 — move OS hardening to Deploy, Setup becomes validation-only
§7.1 — Setup Steps 1/3/4b/5b/5c converted to Assert-Step only:
- Deploy post-install.ps1 now owns: Firewall (all profiles disabled),
WinRM MaxMemory=2048MB/IdleTimeout=2h/MaxProcesses=25/StartupType=Automatic,
lock screen (NoLockScreen), SM GPO policy key + scheduled task disable,
DisableCAD in Winlogon, OOBE non-policy key.
- Setup no longer re-applies these — validates them, throws if Deploy missed any.
§7.2 — WU lifecycle Strategy B:
- Deploy: replaces sc.exe disable with GPO locks only (NoAutoUpdate=1,
DisableWindowsUpdateAccess=1); services remain Manual (Windows default).
- Setup Step 6 Step A already clears these locks before COM API; Step 6b
permanently disables services post-update. No Setup changes needed.
§7.3 — Docs updated:
- Deploy .DESCRIPTION reflects full hardening ownership.
- Setup .DESCRIPTION marks validation-only steps, updates step ordering rationale.
- WINDOWS-TEMPLATE-SETUP.md: three-script architecture table, CI-WinBuild.vmx
path, Fase C step list + rationale + validation table updated.
TODO: §7.1/7.2/7.3 marked done. §7.4 e2e pending (requires new VM snapshot).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -36,13 +36,19 @@
|
||||
|
||||
Hardening done by post-install.ps1 inside the guest:
|
||||
- UAC off (EnableLUA=0, LocalAccountTokenFilterPolicy=1)
|
||||
- Defender real-time protection off
|
||||
- Defender real-time protection off + DisableAntiSpyware=1 GPO
|
||||
- DiagTrack/Telemetry off
|
||||
- Windows Update services disabled
|
||||
- RDP enabled (no NLA, lab only) + firewall rule
|
||||
- WinRM enabled HTTP 5985 + HTTPS 5986 (self-signed cert), Basic auth,
|
||||
AllowUnencrypted, TrustedHosts=*
|
||||
- Windows Update GPO locks (NoAutoUpdate=1, DisableWindowsUpdateAccess=1);
|
||||
services remain Manual — Setup-WinBuild2025 Step 6b permanently disables
|
||||
them after applying updates (§7.2 Strategy B)
|
||||
- Windows Firewall all profiles disabled (VMnet8 NAT lab; Setup Step 1 validates)
|
||||
- RDP enabled (no NLA, lab only) + firewall rules for RDP/ICMP/WinRM-HTTPS
|
||||
- WinRM HTTP 5985 + HTTPS 5986 (self-signed cert), Basic auth,
|
||||
AllowUnencrypted, TrustedHosts=*, MaxMemory=2048MB, IdleTimeout=2h, MaxProcesses=25
|
||||
- ICMPv4 inbound allowed
|
||||
- Lock screen disabled, Server Manager (policy + HKLM + task + HKCU + Default hive),
|
||||
DisableCAD (Policies\System + Winlogon), OOBE/telemetry suppressed;
|
||||
Setup-WinBuild2025 Step 5b/5c validate all of these
|
||||
- VMware Tools installed (Complete) from Tools ISO
|
||||
- install_complete.flag dropped in C:\Windows\Temp
|
||||
|
||||
@@ -506,15 +512,22 @@ sc.exe config DiagTrack start= disabled | Out-Null
|
||||
sc.exe stop DiagTrack | Out-Null
|
||||
L 'Telemetry disabled'
|
||||
|
||||
# ── Windows Update services disabled ──────────────────────────────────────
|
||||
foreach (`$svc in 'wuauserv','UsoSvc','WaaSMedicSvc') {
|
||||
sc.exe config `$svc start= disabled | Out-Null
|
||||
sc.exe stop `$svc | Out-Null
|
||||
}
|
||||
reg add 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' /v NoAutoUpdate /t REG_DWORD /d 1 /f | Out-Null
|
||||
L 'Windows Update disabled'
|
||||
# ── Windows Update GPO locks — services left Manual (§7.2 Strategy B) ───
|
||||
# Services remain at Windows default (Manual/on-demand). Setup-WinBuild2025
|
||||
# Step 6 invokes the WU COM API via a SYSTEM scheduled task; it clears these
|
||||
# GPO keys first (Step A), applies updates, then permanently disables services
|
||||
# in Step 6b (post-update lockdown). These keys block background auto-start
|
||||
# between Deploy and Setup without breaking the on-demand COM API.
|
||||
reg add 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' /v DisableWindowsUpdateAccess /t REG_DWORD /d 1 /f | Out-Null
|
||||
reg add 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' /v NoAutoUpdate /t REG_DWORD /d 1 /f | Out-Null
|
||||
L 'Windows Update GPO locks set (services remain Manual; Setup Step 6b permanently disables)'
|
||||
|
||||
# ── Firewall: profiles stay default; allow RDP + ICMP + WinRM HTTPS ──────
|
||||
# ── Firewall: all profiles disabled + allow RDP + ICMP + WinRM HTTPS ─────
|
||||
# Disabling all profiles removes any block on subsequent WinRM config and WU
|
||||
# downloads. This VM lives on VMnet8 NAT behind the VMware NAT gateway — no
|
||||
# inbound exposure from outside the host. Setup-WinBuild2025 Step 1 validates.
|
||||
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled False
|
||||
L 'Windows Firewall disabled on all profiles'
|
||||
reg add 'HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server' /v fDenyTSConnections /t REG_DWORD /d 0 /f | Out-Null
|
||||
reg add 'HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' /v UserAuthentication /t REG_DWORD /d 0 /f | Out-Null
|
||||
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
|
||||
@@ -533,6 +546,11 @@ try {
|
||||
New-NetFirewallRule -DisplayName 'WinRM-HTTPS' -Direction Inbound -Protocol TCP -LocalPort 5986 -Action Allow -Profile Any | Out-Null
|
||||
L 'WinRM HTTPS listener configured'
|
||||
} catch { L "WinRM HTTPS failed: `$(`$_.Exception.Message)" }
|
||||
winrm set winrm/config/winrs '@{MaxProcessesPerShell="25"}' | Out-Null
|
||||
Set-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB 2048 -Force 3>`$null
|
||||
Set-Item WSMan:\localhost\Shell\IdleTimeOut 7200000 -Force 3>`$null
|
||||
Set-Service -Name WinRM -StartupType Automatic 3>`$null
|
||||
L 'WinRM shell limits: MaxMemory=2048MB IdleTimeout=2h MaxProcesses=25; StartType=Automatic'
|
||||
|
||||
# ── Server Manager / WAC popup / first-logon UX ──────────────────────────
|
||||
# Server Manager auto-start off — machine-wide + current Administrator + Default
|
||||
@@ -549,6 +567,18 @@ reg add 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' /v Disa
|
||||
# OOBE privacy experience suppressed
|
||||
reg add 'HKLM\SOFTWARE\Policies\Microsoft\Windows\OOBE' /v DisablePrivacyExperience /t REG_DWORD /d 1 /f | Out-Null
|
||||
L 'Server Manager + WAC + CAD + OOBE prompts disabled'
|
||||
# Supplemental UX hardening validated by Setup-WinBuild2025 Step 5c:
|
||||
# Lock screen: suppress at CI console sessions (no interactive user ever logs in)
|
||||
reg add 'HKLM\SOFTWARE\Policies\Microsoft\Windows\Personalization' /v NoLockScreen /t REG_DWORD /d 1 /f | Out-Null
|
||||
# Server Manager GPO policy key (authoritative path on WS2025; HKLM key above is not always honoured)
|
||||
reg add 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\ServerManager' /v DoNotOpenAtLogon /t REG_DWORD /d 1 /f | Out-Null
|
||||
# Server Manager scheduled task — the actual launcher on WS2025; registry alone insufficient
|
||||
schtasks /Change /TN '\Microsoft\Windows\Server Manager\ServerManager' /Disable 2>&1 | Out-Null
|
||||
# DisableCAD in Winlogon (belt-and-suspenders with Policies\System key set above)
|
||||
reg add 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' /v DisableCAD /t REG_DWORD /d 1 /f | Out-Null
|
||||
# OOBE non-policy key (supplements the Policies\Windows\OOBE key set above)
|
||||
reg add 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE' /v DisablePrivacyExperience /t REG_DWORD /d 1 /f | Out-Null
|
||||
L 'Lock screen, SM GPO policy + task, CAD Winlogon, OOBE non-policy key set'
|
||||
|
||||
# ── IE Enhanced Security Configuration off (Admin) ───────────────────────
|
||||
# Long-known CI papercut: ESC blocks every URL in admin sessions.
|
||||
|
||||
Reference in New Issue
Block a user