lock down install directory — strip Users read access from Nebula files

install-nebula.ps1

@@ -159,6 +159,17 @@ if (-not (Test-Path $InstallDir)) {
     }
 }
 
+# Lock down the directory — only SYSTEM and Administrators need access.
+# Program Files subdirectories inherit broad ACLs (Users: Read & Execute).
+# Take ownership, disable inheritance, and strip everything except SYSTEM and Admins.
+takeown /F $InstallDir /R /A /D Y | Out-Null
+icacls $InstallDir /inheritance:d /T /Q
+icacls $InstallDir /remove:g "BUILTIN\Users" /T /Q
+icacls $InstallDir /remove:g "CREATOR OWNER" /T /Q
+icacls $InstallDir /remove:g "NT SERVICE\TrustedInstaller" /T /Q
+icacls $InstallDir /remove:g "APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES" /T /Q
+icacls $InstallDir /remove:g "APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES" /T /Q
+
 # --- Copy files ---
 
 try {