'Hardening' Windows

Hello, good people at Privacy Guides (PG)! My post is in regard to Windows ‘hardening’. More specifically, I am currently using Windows 10 Pro, thus, I have been following this Windows guide: Windows Overview - Privacy Guides. I have numerous questions about this guide, no one is obliged to answer them, but I do appreciate it if you can. Also, I would like to thank the author of the guide, as well as the PG team, and the PG community, you are all very hospitable. I would also like to mention that I am a complete noob in this field, my ‘expertise’ is in the field of biology and more generally science, and not in computer science. I am possibly way too deep into this.

To begin with, will this guide ever be officially released on PG? In addition, are there any recommendations that anyone has, that may not be covered in this guide?

Next, I will discuss some of the problems and questions I have related to this guide. Firstly, I have confirmed that my BitLocker recovery keys are being stored on my University Microsoft account, but not on any of my personal accounts. Is this problematic? I assume the Azure AD option here represents my University Microsoft account:

[image]

I cannot remove these keys from my University Microsoft account, as I only have two options:

[image]

Now, my primary question about this guide pertains to the following recommendation: ‘By Default Windows gives administrator access to the user account. Create another standard user account to reduce the attack surface enormously as most vulnerabilities today come from the fact that the user is always in administrator mode. In addition, you shouldn’t use the same password for standard and administrator account.’

If I’m not mistaken, isn’t the alternative recommendation: ‘If you don’t like managing a standard account, then enforce authentication for Administrator accounts too like Standard ones by following the guide by Wikihow. This way, Even administrators need to use Password to approve processes instead of just clicking Yes or No’, essentially as secure as the first one? The only difference between the two recommendations seems to be that two different passwords are required in the first recommendation, compared to one in the alternative recommendation. Aside from this, are there any other technical differences?

Moreover, one might argue that the alternative recommendation becomes redundant if you simply lock your computer when stepping away, as an attacker that can unlock your computer can already change administrative settings with the same password used to unlock your computer in the first place. In addition, since applying the alternative recommendation would still allow users to access your files if your computer was unlocked, this could give you a false sense of confidence, something mitigated by locking your computer.

I have another important question about the guide, regarding the Security policies for Bitlocker subtopic. I do not want to have to enter a PIN twice as is recommended by the guide. So, how do I get maximum protection using group policies, without having to enter a password twice? I assume I have to change some options differently compared to what the guide recommends, options which I assume I found in the Require additional authentication at startup setting, under group policies. Should I change any other setting back to their defaults?

Also, the guide says: ‘Using MS edge or brave over Firefox. Edge is recommended with MDAG mode for secure browsing if security is your priority. Brave is recommended if content blocking is important for you (Brave shields)’, I am pretty sure not everyone here would agree with this.

I have yet another question (unfortunately, there are more to come) regarding Windows hardening: how do I disable my password as a sign-in method, so that only a Windows Hello PIN can be used? I could not do so using the options below, and it might be important to note that I am currently using a local (not signed-in) administrator account. Do I first need to log into my Microsoft account?

[image]

I have encountered an issue with this guide, or more likely I am misunderstanding the guide. The guide says: ‘To prevent other users from accessing your secondary data drives. Type gpedit.msc in Windows Run dialog box. Go to User Configuration > Administrative Templates > Windows Components > File Explorer and set the Group Policy as below.’ When I do this, and I am on my local administrator account, I cannot open any file! How do I fix this?

My second last question is: I need help with the sandboxing portion of the guide, specifically how do I use it, when do I use it, the latter of which could be answered by including why I should use it.

Finally, the guide claims it was inspired by this: GitHub - beerisgood/Windows11_Hardening: a collection about Windows 11. However, my question is why are there some recommendations not present in this guide, that are present in the GitHub guide? Furthermore, should I follow this other GitHub guide as well? Again, kudos to this guide because unlike the GitHub guide it walks you through how to apply recommendations, rather than linking you to long articles.

Also sorry I forgot, merry xmas everyone!
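The post above asks three things that can be checked from the machine itself: whether the daily account really is a standard user, what the UAC prompt is set to (the "make administrators type a password" alternative), and which key protectors the BitLocker OS volume has (including which recovery-password IDs exist, the ones the wizard offers to back up to Azure AD) together with the "Require additional authentication at startup" policy. The distinction worth seeing is that a standard account holds no administrator token at all, while an administrator account with a credential prompt still owns the full token and only gates its use behind UAC, which Microsoft does not treat as a security boundary. The following read-only audit script is an added example, not part of the Privacy Guides guide or the thread; it assumes an elevated PowerShell on Windows 10/11 Pro with the built-in BitLocker and LocalAccounts modules, and it changes nothing.

```powershell
#Requires -RunAsAdministrator
# Added audit script (not from the Privacy Guides guide): reports the state of the
# settings discussed in the post on a Windows 10/11 Pro machine. Read-only.
# Assumes the built-in BitLocker and Microsoft.PowerShell.LocalAccounts modules.

function Test-CurrentSessionElevated {
    # True when this PowerShell runs with a full administrator token (the state the
    # guide wants you to avoid for day-to-day use).
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    ([Security.Principal.WindowsPrincipal]$id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-LocalAdminReport {
    # Every member of the local Administrators group: a "standard user" setup means
    # your daily account is NOT in this list.
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Get-UacPromptReport {
    # UAC behaviour lives in the registry. The "administrators must type a password"
    # alternative from the guide corresponds to ConsentPromptBehaviorAdmin = 1
    # (credentials on the secure desktop); 5 is the default Yes/No consent prompt and
    # 0 elevates without any prompt. ConsentPromptBehaviorUser: 1 = standard users get
    # a credential prompt, 0 = elevation requests are denied outright.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        ConsentPromptBehaviorUser  = $p.ConsentPromptBehaviorUser
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
    }
}

function Get-BitLockerProtectorReport {
    param([string]$MountPoint = $env:SystemDrive)
    # Shows how the OS drive unlocks (Tpm, TpmPin, RecoveryPassword, ...) and the IDs of
    # the recovery-password protectors. The wizard's "save to your Azure AD account"
    # choice performs the same operation as BackupToAAD-BitLockerKeyProtector on one
    # of these IDs, which is why the key then shows up under the work/school account.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        ProtectionStatus = $vol.ProtectionStatus
        EncryptionMethod = $vol.EncryptionMethod
        Protectors       = ($vol.KeyProtector.KeyProtectorType) -join ', '
        RecoveryKeyIds   = ($recovery.KeyProtectorId) -join ', '
    }
}

function Get-BitLockerStartupPolicy {
    # Mirrors the "Require additional authentication at startup" Group Policy as it is
    # stored under the FVE policy key. For the Use* values: 0 = do not allow,
    # 1 = require, 2 = allow. UseTPMPIN = 1 is what forces a pre-boot PIN.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $p) { return 'Policy not configured (Windows defaults apply)' }
    $p | Select-Object UseAdvancedStartup, EnableBDEWithNoTPM,
                       UseTPM, UseTPMPIN, UseTPMKey, UseTPMKeyPIN
}

# Run the report. Nothing below changes any setting.
"Elevated session: $(Test-CurrentSessionElevated)"
Get-LocalAdminReport      | Format-Table -AutoSize
Get-UacPromptReport       | Format-List
Get-BitLockerProtectorReport | Format-List
Get-BitLockerStartupPolicy   | Format-List
```

Run it once from the administrator account and once from the standard account: the first line flips from True to False, and the Administrators list should not contain the standard account. If the UAC report shows ConsentPromptBehaviorAdmin = 5 while you believed the Wikihow change was applied, the change did not take.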

It should soon :tm:

Some would agree and some won’t. Like the guide preview says: ‘If security is your priority’. If it isn’t your priority, then use the regular options recommended here.

Sandboxing really sucks on Windows, while on Linux, we have Flatpaks which have decent sandboxing and macOS has its own things. On Windows, we have nothing, though it seems to be in the works.

Speaking of the guide itself, when I used Windows 11 a year ago, most of the apps available in the MS Store just weren’t sandboxed.

Update on:

I was able to solve this. Basically, when you set up BitLocker after encrypting your OS you are asked for three backup options; do not click the save to your Azure AD account option, unless you want to save these keys on your ‘business’ and/or educational account. Plus, if you change your mind you can always go back to BitLocker and click the backup your recovery key option. If you do click the save to your Azure AD account option, the only way to undo this, as I unfortunately found out, was to decrypt and then re-encrypt my entire OS, being careful not to select this option. I hope this is highlighted in the guide!

One thing to note is that my previous BitLocker keys are still stored on my University Microsoft account (Azure AD account), however, I do not know if they are still operational.

Update on:

I can confirm that you have to enter a BitLocker PIN and then your start up password/PIN to enter your computer. This is honestly not a huge deal. Just make them the same if you want.

Only a few important unanswered questions remain (as well as some other unimportant questions not listed here), which I have condensed. Firstly:

Secondly:

My final question could be considered unimportant:

Correct me if I am wrong, but @Ikel are you the creator of this guide and could you offer any help?

Firstly, the recommended approach is to use a Yubikey as 2FA for your local account. You can also refer to passwordless Windows, which is not recommended (as safe mode needs passwords).
Secondly, I do not know what policy you are setting.
Finally, I do not know what items you are talking about.

If you really wanna know how to configure Windows to be secure and private, I suggest you take some time and read this and this. Then most of your questions can be answered by yourself.


Thanks for citing these comprehensive resources. However, it appears they are tediously long, for me personally, someone who does not have the time to understand how all these features work or what they do, but wants to take advantage of them.

You can install security baselines from MS. They cover most of the recommendations.
https://www.microsoft.com/en-us/download/details.aspx?id=55319
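The baselines are written for Enterprise and domain-joined machines and overwrite a large slice of Local Group Policy at once, so the practical caveat is to snapshot the current policy first and know the rollback command before running the install script. The script below is an added example, not Microsoft's or the thread's code; it assumes the Security Compliance Toolkit has been extracted to C:\SCT with LGPO.exe at C:\SCT\LGPO\LGPO.exe, that the baseline zip has been extracted to a folder containing Scripts\Baseline-LocalInstall.ps1 (which expects LGPO.exe in its Tools subfolder and accepts a -Win11NonDomainJoined switch), and that System Protection is enabled for the OS drive. Those paths and the switch name are assumptions to check against the readme in your download.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread or Microsoft): take a recoverable snapshot of the
# current local policy before applying a Microsoft security baseline, then apply it.
# ASSUMED layout: Security Compliance Toolkit extracted to C:\SCT, LGPO.exe at
# C:\SCT\LGPO\LGPO.exe, and a baseline folder whose Scripts\Baseline-LocalInstall.ps1
# accepts -Win11NonDomainJoined. Adjust the paths and switch to match your download.

$Lgpo        = 'C:\SCT\LGPO\LGPO.exe'
$BaselineDir = 'C:\SCT\Windows11-Baseline'   # placeholder: folder extracted from the baseline zip
$BackupRoot  = "C:\PolicyBackup\$(Get-Date -Format yyyyMMdd-HHmmss)"
New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null

# 1. System Restore point (requires System Protection to be enabled for the OS drive).
Checkpoint-Computer -Description 'Before security baseline' -RestorePointType MODIFY_SETTINGS

# 2. Back up the current Local Group Policy in GPO-backup format.
#    LGPO.exe /g <folder> later imports everything it finds under that folder.
& $Lgpo /b $BackupRoot /n 'Pre-baseline local policy'

# 3. Also export the security settings (account, audit and user-rights policy) as text,
#    which is easier to diff than the binary registry.pol files.
secedit /export /cfg (Join-Path $BackupRoot 'secpol-before.inf') | Out-Null

# 4. Apply the baseline with Microsoft's own install script. Read the Documentation
#    folder of the baseline first: these settings target Enterprise/domain machines.
$Scripts = Join-Path $BaselineDir 'Scripts'
New-Item -ItemType Directory -Path (Join-Path $Scripts 'Tools') -Force | Out-Null
Copy-Item $Lgpo -Destination (Join-Path $Scripts 'Tools') -Force   # script looks for LGPO.exe here (assumed)
& (Join-Path $Scripts 'Baseline-LocalInstall.ps1') -Win11NonDomainJoined

# 5. Record the resulting policy so a before/after comparison is possible.
secedit /export /cfg (Join-Path $BackupRoot 'secpol-after.inf') | Out-Null
"Backup kept in $BackupRoot. To roll back: & '$Lgpo' /g '$BackupRoot'"
```

Comparing secpol-before.inf with secpol-after.inf (for example with Compare-Object on their lines) shows exactly which account and audit settings the baseline changed; if something on a Pro edition breaks, the printed LGPO /g command restores the pre-baseline policy without needing the restore point.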


Nice find, I think it could be useful for the upcoming Windows guide.

This is just an FYI for those interested in setting up Yubico for Windows.

I had a ton of trouble getting Yubico for Windows initially set up and working. If you are like me and for some reason it installs and does not work, and you have to go into safe mode and uninstall it, please note there is still a regkey entry that gets left over that will cause your next install to error out. This Microsoft Answers post was the solution to getting it fixed.

imo if you’re short of time, at least you should read complete privacy settings for Windows, security baseline for Microsoft products, privacy settings for Edge, privacy settings for Office


thank u but I’m currently fine with yubikey login

I really do not know whether I would get a hardware authentication device. I have no knowledge in this field whatsoever, aside from reading EFF’s SSD guide.

Thanks so much, I will give them a read.

I have asked about automating privacy hardening in another post, this is life saving! This should be the default for lay people like me!


Go to Yubico’s site, pick out whichever key suits your needs (probably a 5C or a 5, realistically) and order a pair. Getting two is important because some services don’t let you use a hardware authenticator without a backup, and you probably shouldn’t use them without having a backup regardless.


Thank you for your advice, I will consider this, however, I am a University student, with as I said previously ZERO knowledge in this field. I will need to educate myself to properly weigh the pros and cons of using hardware authentication.

One question, since I have already followed most of the recommendations in the guide made by PG, should I install these baselines still?

I read the first two large paragraphs, along with the ‘important’ and ‘warning’ boxes, from the Manage connections from Windows 10 and Windows 11 operating system components to Microsoft services page.

I am using Windows 11 Pro, so after reading the readme.txt file in the WindowsRTLFB folder, which read: “‘Version 23H2_Win11’ can be applied to version 23H2 of Windows 11 Enterprise, Windows Server Datacenter and Windows Server Standard.” I had a question, which was: should I run this script anyway? All of this was a lot for a university Biology student, especially considering I barely know how to use a computer. Nevertheless, I appreciate the help.

Next, I moved on to skimming through the Use policy settings to manage privacy controls for Microsoft 365 Apps for enterprise page. To save myself a headache: do I need to apply the settings recommended in this page manually, and read this page in its entirety, or are these recommendations covered in the Security baselines guide? I will read the Security baselines and Microsoft Edge Privacy Whitepaper pages tomorrow, wish me luck.