openssh server improvements, debloat mode

postproc/debloat/debloat.reg

@@ -0,0 +1,119 @@
+Windows Registry Editor Version 5.00
+
+[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\MTCUVC]
+; http://winaero.com/blog/enable-old-volume-control-in-windows-10/
+"EnableMtcUvc"=dword:00000000
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
+"DisableEdgeDesktopShortcutCreation"=dword:00000001
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection]
+"AllowTelemetry"=dword:00000000
+"DiagTrackAuthorization"=dword:00000000
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection]
+"AllowTelemetry"=dword:00000000
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search]
+"AllowCortana"=dword:00000000
+"ExplainAllowCortana"=dword:00000000
+"DisableWebSearch"=dword:00000001
+"AllowCloudSearch"=dword:00000000
+"AllowSearchToUseLocation"=dword:00000000
+"ConnectedSearchUseWeb"=dword:00000000
+
+[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Search]
+"DeviceHistoryEnabled"=dword:00000000
+"AllowSearchToUseLocation"=dword:00000000
+"BingSearchEnabled"=dword:00000000
+
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
+"PublishUserActivities"=dword:00000000
+
+;; ;disable communication with microsoft account servers
+;; ;FIXME: Does this break Teams or something?
+;; ;https://docs.microsoft.com/en-us/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services
+;; [Registry_hklm_wlid]
+;; openkey [HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc]
+;; set "Start"=dword:4
+
+
+;https://msdn.microsoft.com/en-us/library/dd405474(v=vs.85).aspx
+; https://www.windowsmanagementexperts.com/disabling-windows-10-consumer-experience/disabling-windows-10-consumer-experience.htm
+[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient]
+[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows]
+"CEIPEnable"=dword:00000000
+[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent]
+"DisableWindowsConsumerFeatures"=dword:00000001
+
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PushToInstall]
+"DisablePushToInstall"=dword:00000000
+
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OOBE]
+"DisablePrivacyExperience"=dword:00000001
+
+;https://www.stigviewer.com/stig/windows_7/2012-08-22/finding/V-15704
+;https://www.windows-security.org/c60f66da12d91f4f0be57445a827e366/turn-off-handwriting-personalization-data-sharing
+[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC]
+"PreventHandwritingDataSharing"=dword:00000001
+[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\HandwritingErrorReports]
+"PreventHandwritingErrorReports"=dword:00000001
+
+
+; https://translate.google.com/translate?sl=auto&tl=en&u=http://www-pc.uni-regensburg.de/systemsw/win10/settings.htm
+; https://www.stigviewer.com/stig/windows_7/2014-04-02/finding/V-21971
+[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppCompat]
+"AITEnable"=dword:00000000
+"DisableUAR"=dword:00000001
+"DisableInventory"=dword:00000001
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo]
+"Enabled"=dword:00000000
+[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo]
+"DisabledByGroupPolicy"=dword:00000001
+
+
+[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications]
+"NoTileApplicationNotification"=dword:00000001
+
+;;;; DISABLE ONEDRIVE - copied from OPSI config-win10
+;https://techjourney.net/disable-or-uninstall-onedrive-completely-in-windows-10/
+[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows]
+"DisableFileSyncNGSC"=dword:00000001
+[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Onedrive]
+"DisableLibrariesDefaultSaveToOneDrive"=dword:00000001
+"DisableFileSync"=dword:00000001
+"DisableFileSynciNGSC"=dword:00000001
+"DisableMeteredNetworkFileSync"=dword:00000000
+[HKEY_CLASSES_ROOT\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}]
+"System.IsPinnedToNameSpaceTree"=dword:00000000
+[HKEY_CLASSES_ROOT\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}]
+"System.IsPinnedToNameSpaceTree"=dword:00000000
+;;;; / DISABLE ONEDRIVE
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Maps]
+"AutoDownloadAndUpdateMapData"=dword:00000000
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
+"EnableSmartScreen"=dword:00000000
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting]
+"Disabled"=dword:00000001
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer]
+[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Safety]
+[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Safety\PrivacIE]
+"DisableLogging"=dword:00000001
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FindMyDevice]
+"AllowFindMyDevice"=dword:00000000
+
+; Disable the AppReadiness service that installs a lot of bloatware apps from MS store
+; on first user login. Note that this includes important apps such as the Windows
+; Settings app. These have to be installed manually.
+[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AppReadiness]
+"Start"=dword:00000004
+

postproc/debloat/setup.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+mnt="$(readlink -f "$1")"
+cd "$(dirname "$0")"
+../../reg_import.sh "$mnt" "$PWD/debloat.reg"

postproc/openssh-server/openssh_acl.py

@@ -20,5 +20,7 @@ apply_sd_recursively(
             ACE(ACE.ALLOW, MASK_FULL_CONTROL, SID_SYSTEM),
             ACE(ACE.ALLOW, MASK_FULL_CONTROL, SID_ADMINISTRATORS) ,
             ACE(ACE.ALLOW, MASK_READ_EXECUTE, SID_EVERYONE)
-        ], dacl_inherit=False)
+        ], dacl_inherit=False),
+        set_owner=True,
+        set_group=True,
 )

postproc/openssh-server/setup.sh

@@ -14,5 +14,6 @@ fi
 cp -rT OpenSSH-Win64 "$mnt/Program Files/OpenSSH"
 
 hivexregedit --merge --prefix 'HKEY_LOCAL_MACHINE\SYSTEM' "$mnt"/Windows/System32/config/SYSTEM "$my_dir/sshd_service.reg"
+hivexregedit --merge --prefix 'HKEY_LOCAL_MACHINE\SYSTEM' "$mnt"/Windows/System32/config/SYSTEM "$my_dir/sshd_firewall.reg"
 "$my_dir/openssh_acl.py" "$mnt"
 

postproc/openssh-server/sshd_firewall.reg

@@ -0,0 +1,5 @@
+Windows Registry Editor Version 5.00
+
+[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
+"sshd"="v2.30|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=22|Name=sshd|"
+

reg_import.sh

@@ -0,0 +1,29 @@
+#!/bin/bash
+
+mnt="$1"
+regfile="$2"
+
+extract_prefix() {
+    local regfile="$1"
+    local prefix="$2"
+    local prefix_esc="$(echo "$prefix" | sed -re 's#\\#\\\\#g')"
+    cat "$regfile" \
+        | dos2unix \
+        | grep -E '^[^;]' \
+        | awk '/^Windows Re/ { print;  want=1;   next;} /^\['"$prefix_esc"'/ { want=1; print ""; print; next;} /^\[/ { want=0; } (want) { print;}' \
+        | sed -re 's/CurrentControlSet/ControlSet001/g'
+}
+
+import_hive() {
+    local regfile="$1"
+    local prefix="$2"
+    local hive="$3"
+    if grep -qF "[$prefix" "$regfile"; then
+        echo "Importing $prefix -> $hive"
+        extract_prefix "$regfile" "$prefix" | hivexregedit --merge --prefix "$prefix" "$hive"
+    fi
+}
+
+import_hive "$regfile" 'HKEY_LOCAL_MACHINE\SYSTEM'   "$mnt/Windows/System32/config/SYSTEM"
+import_hive "$regfile" 'HKEY_LOCAL_MACHINE\SOFTWARE' "$mnt/Windows/System32/config/SOFTWARE"
+

setup_win10.py

@@ -150,13 +150,15 @@ def exactly_one(*a):
 
 def main(*, disk=None, part=None, wim=None, iso=None, image_name=None, unattend=None,
         postproc:(str,clize.parameters.multi())=[], openssh_server=False,
-        postproc_only=False):
+        debloat=False, postproc_only=False):
     if not exactly_one(disk, part):
         raise ArgumentError("You must specify exactly one of 'disk', 'part'")
     if not (exactly_one(wim, iso) or postproc_only):
         raise ArgumentError("You must specify exactly one of 'wim', 'iso'")
     if openssh_server:
         postproc.append(my_dir / 'postproc/openssh-server/setup.sh')
+    if debloat:
+        postproc.append(my_dir / 'postproc/debloat/setup.sh')
     with ExitStack() as es:
         if iso:
             wim = es.enter_context(with_iso(iso))