projects/nebula-domain-join
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

lock down install directory — strip Users read access from Nebula files

Browse Source
This commit is contained in:
Damien Coles 2026-02-12 16:01:22 -08:00
parent 2c29c0d33e
commit 21bd26b72e
1 changed files with 11 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
install-nebula.ps1
View File

@ -159,6 +159,17 @@ if (-not (Test-Path $InstallDir)) {
} }
} }
# Lock down the directory — only SYSTEM and Administrators need access.
# Program Files subdirectories inherit broad ACLs (Users: Read & Execute).
# Take ownership, disable inheritance, and strip everything except SYSTEM and Admins.
takeown /F $InstallDir /R /A /D Y | Out-Null
icacls $InstallDir /inheritance:d /T /Q
icacls $InstallDir /remove:g "BUILTIN\Users" /T /Q
icacls $InstallDir /remove:g "CREATOR OWNER" /T /Q
icacls $InstallDir /remove:g "NT SERVICE\TrustedInstaller" /T /Q
icacls $InstallDir /remove:g "APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES" /T /Q
icacls $InstallDir /remove:g "APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES" /T /Q
# --- Copy files --- # --- Copy files ---
try { try {