Andreas/noid-privacy
1
0
Fork 0
mirror of https://github.com/NexusOne23/noid-privacy.git synced 2026-02-07 12:11:53 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
noid-privacy/Modules/AntiAI/Private/Set-RecallProtection.ps1

131 lines
6 KiB
PowerShell
Raw Normal View History

v2.2.0 - Complete Security Hardening Framework (632 Settings)
2025-12-08 10:32:49 +01:00
#Requires -Version 5.1
<#
.SYNOPSIS
Applies enterprise-grade Recall protection (app/URI deny lists, storage limits).
.DESCRIPTION
Configures 4 additional Recall policies for maximum data protection:
1. SetDenyAppListForRecall - Apps never captured in snapshots (Browser, Terminal, Password managers, RDP)
2. SetDenyUriListForRecall - Websites/URLs never captured (Banking, Email, Login pages)
3. SetMaximumStorageDurationForRecallSnapshots - Max retention: 30 days
4. SetMaximumStorageSpaceForRecallSnapshots - Max storage: 10 GB
Note: These are additional protection layers BEYOND core Recall disable policies.
Even though Recall is disabled, these provide defense-in-depth.
.EXAMPLE
Set-RecallProtection
#>
function Set-RecallProtection {
[CmdletBinding()]
param(
[Parameter(Mandatory = $false)]
[switch]$DryRun
)
Write-Log -Level DEBUG -Message "Applying Recall enterprise protection (deny lists + storage limits)" -Module "AntiAI"
$result = [PSCustomObject]@{
Success = $false
Applied = 0
Errors = @()
}
try {
if ($DryRun) {
Write-Log -Level DEBUG -Message "[DRYRUN] Would set Recall protection (Deny lists + Storage limits)" -Module "AntiAI"
$result.Success = $true
return $result
}
$regPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsAI"
if (-not (Test-Path $regPath)) {
New-Item -Path $regPath -Force | Out-Null
Write-Log -Level DEBUG -Message "Created registry path: $regPath" -Module "AntiAI"
}
# 1. App Deny List - Critical apps never captured in snapshots
$denyApps = @(
"Microsoft.MicrosoftEdge_8wekyb3d8bbwe!App", # Edge Browser (Banking, passwords)
"Microsoft.WindowsTerminal_8wekyb3d8bbwe!App", # Terminal (CLI passwords, keys)
"KeePassXC_8wekyb3d8bbwe!KeePassXC", # Password Manager
"Microsoft.RemoteDesktop_8wekyb3d8bbwe!App" # RDP (remote system access)
)
# Store as proper MultiString (string array) so policies are visible to compliance checks
$existing = Get-ItemProperty -Path $regPath -Name "SetDenyAppListForRecall" -ErrorAction SilentlyContinue
if ($null -ne $existing) {
Set-ItemProperty -Path $regPath -Name "SetDenyAppListForRecall" -Value $denyApps -Force
} else {
New-ItemProperty -Path $regPath -Name "SetDenyAppListForRecall" -Value $denyApps -PropertyType MultiString -Force | Out-Null
}
Write-Log -Level DEBUG -Message "Set App Deny List: $($denyApps.Count) critical apps protected" -Module "AntiAI"
$result.Applied++
# 2. URI Deny List - Critical websites never captured in snapshots
$denyUris = @(
"*.bank.*", # All banking sites
"*.paypal.*", # Payment processor
"*.bankofamerica.*", # Major bank
"mail.*", # Email sites
"webmail.*", # Webmail sites
"*password*", # Any password-related pages
"*login*" # Any login pages
)
# Store as MultiString using string array
$existing = Get-ItemProperty -Path $regPath -Name "SetDenyUriListForRecall" -ErrorAction SilentlyContinue
if ($null -ne $existing) {
Set-ItemProperty -Path $regPath -Name "SetDenyUriListForRecall" -Value $denyUris -Force
} else {
New-ItemProperty -Path $regPath -Name "SetDenyUriListForRecall" -Value $denyUris -PropertyType MultiString -Force | Out-Null
}
Write-Log -Level DEBUG -Message "Set URI Deny List: $($denyUris.Count) URL patterns protected" -Module "AntiAI"
$result.Applied++
# 3. Storage Duration Limit - Max 30 days retention
$existing = Get-ItemProperty -Path $regPath -Name "SetMaximumStorageDurationForRecallSnapshots" -ErrorAction SilentlyContinue
if ($null -ne $existing) {
Set-ItemProperty -Path $regPath -Name "SetMaximumStorageDurationForRecallSnapshots" -Value 30 -Force
} else {
New-ItemProperty -Path $regPath -Name "SetMaximumStorageDurationForRecallSnapshots" -Value 30 -PropertyType DWord -Force | Out-Null
}
Write-Log -Level DEBUG -Message "Set max snapshot retention: 30 days" -Module "AntiAI"
$result.Applied++
# 4. Storage Space Limit - Max 10 GB
$existing = Get-ItemProperty -Path $regPath -Name "SetMaximumStorageSpaceForRecallSnapshots" -ErrorAction SilentlyContinue
if ($null -ne $existing) {
Set-ItemProperty -Path $regPath -Name "SetMaximumStorageSpaceForRecallSnapshots" -Value 10 -Force
} else {
New-ItemProperty -Path $regPath -Name "SetMaximumStorageSpaceForRecallSnapshots" -Value 10 -PropertyType DWord -Force | Out-Null
}
Write-Log -Level DEBUG -Message "Set max snapshot storage: 10 GB" -Module "AntiAI"
$result.Applied++
# Verify
$values = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue
$verified = ($null -ne $values.SetDenyAppListForRecall) -and
($null -ne $values.SetDenyUriListForRecall) -and
($values.SetMaximumStorageDurationForRecallSnapshots -eq 30) -and
($values.SetMaximumStorageSpaceForRecallSnapshots -eq 10)
if ($verified) {
Write-Log -Level DEBUG -Message "Verification SUCCESS: All Recall protection policies applied" -Module "AntiAI"
$result.Success = $true
}
else {
$result.Errors += "Verification FAILED: Not all Recall protection policies were applied"
}
}
catch {
$result.Errors += "Failed to apply Recall protection: $($_.Exception.Message)"
Write-Error $result.Errors[-1]
}
return $result
}
Reference in a new issue Copy permalink