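# UAML Operator Workstation Hardening — Windows
# Run as Administrator. Review before executing.
# PowerShell 5.1 or 7+
#
# Each step either appends a tag to $applied (a change was made) or a message
# to $findings (something the operator must fix by hand). Steps that can fail
# are wrapped so one failing step does not abort the run before the summary.
$ErrorActionPreference = "Stop"
$applied = @()
$findings = @()

# 1. Defender Firewall — enable all three profiles.
# Wrapped so a failure is reported as a finding instead of halting the script
# under $ErrorActionPreference = "Stop".
try {
    Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True
    $applied += "defender-firewall"
} catch {
    $findings += "could not enable Defender Firewall: $_"
}

# 2. Windows Update (set to automatic)
# NotificationLevel 4 = scheduled automatic download and install.
# New-Object is inside the try as well: if the COM class is unavailable the
# original would have halted with no summary printed.
try {
    $AUSettings = (New-Object -ComObject Microsoft.Update.AutoUpdate).Settings
    $AUSettings.NotificationLevel = 4
    $AUSettings.Save()
    $applied += "windows-update-auto"
} catch {
    $findings += "could not save WU settings: $_"
}

# 3. BitLocker check (informational — this script never enables encryption).
# Get-BitLockerVolume only exists where the BitLocker module is installed;
# -ErrorAction does not cover a missing cmdlet, which under "Stop" would halt
# the whole run. Probe for the command first and report instead.
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    $bl = Get-BitLockerVolume -MountPoint "C:" -ErrorAction SilentlyContinue
    if (-not $bl -or $bl.ProtectionStatus -ne "On") {
        $findings += "BitLocker on C: is not enabled — turn on via Control Panel"
    } else {
        $applied += "bitlocker-on"
    }
} else {
    $findings += "BitLocker cmdlets not available on this edition — verify C: encryption manually"
}

# 4. SSH server (if installed)
if (Get-Service sshd -ErrorAction SilentlyContinue) {
    $cfg = "C:\ProgramData\ssh\sshd_config.d\00-uaml-operator-hardening.conf"
    $cfgDir = Split-Path $cfg
    # Main config lives one directory above the drop-in directory.
    $mainCfg = Join-Path (Split-Path $cfgDir) "sshd_config"
    if (-not (Test-Path $cfgDir)) {
        New-Item -ItemType Directory -Path $cfgDir | Out-Null
    }
    # PermitRootLogin has no effect on Windows (no root account) but is harmless
    # to keep for parity with the Unix variant of this hardening set.
    @"
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
"@ | Set-Content -Path $cfg
    # NOTE(review): sshd on Windows enforces restrictive ACLs on some of its
    # files; confirm the drop-in does not need the same treatment.

    # A drop-in is only read if the main sshd_config has an Include directive
    # that covers it; without one the settings above are silently ignored and
    # password authentication stays enabled. Verify rather than assume.
    $included = $false
    if (Test-Path $mainCfg) {
        $included = Select-String -Path $mainCfg -Pattern '^\s*Include\s' -Quiet
    }
    if (-not $included) {
        $findings += "sshd_config has no Include directive — add 'Include sshd_config.d/*.conf' so $cfg takes effect"
    }

    # Validate the merged config before restarting: a rejected directive would
    # leave sshd down and lock operators out. sshd -t exits non-zero on error.
    # Assumes sshd is on PATH and reads the default config location — confirm.
    $configOk = $true
    $sshdExe = (Get-Command sshd -ErrorAction SilentlyContinue).Source
    if ($sshdExe) {
        & $sshdExe -t
        $configOk = ($LASTEXITCODE -eq 0)
    }
    if ($configOk) {
        Restart-Service sshd
        $applied += "ssh-hardening"
    } else {
        $findings += "sshd -t rejected the configuration — sshd not restarted; fix $cfg"
    }
}

# 5. UAC enforcement (informational)
$uacKey = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
$uac = Get-ItemProperty -Path $uacKey -Name "EnableLUA" -ErrorAction SilentlyContinue
# A missing value lands here too: $uac is $null, so EnableLUA -ne 1 is true.
if ($uac.EnableLUA -ne 1) {
    $findings += "UAC (EnableLUA) is OFF — turn on"
}

Write-Host ""
Write-Host "Applied: $($applied -join ', ')"
Write-Host "Findings: $($findings -join ', ')"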