Hello, good people at Privacy Guides (PG)! My post is in regard to Windows ‘hardening’. More specifically, I am currently using Windows 10 Pro, thus I have been following this Windows guide: https://deploy-preview-1659--privacyguides.netlify.app/windows/overview/. I have numerous questions about this guide; no one is obliged to answer them, but I would appreciate it if you can. Also, I would like to thank the author of the guide, as well as the PG team and the PG community; you are all very hospitable. I would also like to mention that I am a complete noob in this field; my ‘expertise’ is in the field of biology and more generally science, not computer science. I am possibly way too deep into this.
To begin with, will this guide ever be officially released on PG? In addition, does anyone have any recommendations that may not be covered in this guide?
Next, I will discuss some of the problems and questions I have related to this guide. Firstly, I have confirmed that my BitLocker recovery keys are being stored on my University Microsoft account, but not on any of my personal accounts. Is this problematic? I assume the Azure AD option here represents my University Microsoft account:
I cannot remove these keys from my University Microsoft account, as I only have two options:
Now, my primary question about this guide pertains to the following recommendation: ‘By Default Windows gives administrator access to the user account. Create another standard user account to reduce the attack surface enormously as most vulnerabilities today come from the fact that the user is always in administrator mode. In addition, you shouldn’t use the same password for standard and administrator account.’
If I’m not mistaken, isn’t the alternative recommendation: ‘If you don’t like managing a standard account, then enforce authentication for Administrator accounts too like Standard ones by following the guide by Wikihow. This way, Even administrators need to use Password to approve processes instead of just clicking Yes or No’, essentially as secure as the first one? The only difference between the two recommendations seems to be that two different passwords are required in the first recommendation, compared to one in the alternative recommendation. Aside from this, are there any other technical differences?
Moreover, one might argue that the alternative recommendation becomes redundant if you simply lock your computer when stepping away, as an attacker that can unlock your computer can already change administrative settings with the same password used to unlock your computer in the first place. In addition, since applying the alternative recommendation would still allow users to access your files if your computer was unlocked, this could give you a false sense of confidence, something mitigated by locking your computer.
I have another important question about the guide, regarding the Security policies for BitLocker subtopic. I do not want to have to enter a PIN twice, as is recommended by the guide. So, how do I get maximum protection using group policies without having to enter a password twice? I assume I have to change some options differently compared to what the guide recommends, options which I assume I found in the Require additional authentication at startup setting under group policies. Should I change any other settings back to their defaults?
Also, the guide says: ‘Using MS edge or brave over Firefox. Edge is recommended with MDAG mode for secure browsing if security is your priority. Brave is recommended if content blocking is important for you (Brave shields)’; I am pretty sure not everyone here would agree with this.
I have yet another question (unfortunately, there are more to come) regarding Windows hardening: how do I disable my password as a sign-in method, so that only a Windows Hello PIN can be used? I could not do so using the options below, and it might be important to note that I am currently using a local (not signed-in) administrator account. Do I first need to log into my Microsoft account?
I have encountered an issue with this guide, or more likely I am misunderstanding the guide. The guide says: ‘To prevent other users from accessing your secondary data drives. Type gpedit.msc in Windows Run dialog box. Go to User Configuration > Administrative Templates > Windows Components > File Explorer and set the Group Policy as below.’ When I do this while on my local administrator account, I cannot open any file! How do I fix this?
My second-to-last question is that I need help with the sandboxing portion of the guide, specifically how do I use it and when do I use it (the latter of which could be answered by including why I should use it).
Finally, the guide claims it was inspired by this: GitHub - beerisgood/Windows11_Hardening: a collection about Windows 11. However, my question is why are there some recommendations not present in this guide that are present in the GitHub guide? Furthermore, should I follow this other GitHub guide as well? Again, kudos to this guide because, unlike the GitHub guide, it walks you through how to apply recommendations rather than linking you to long articles.
Also, sorry, I forgot: merry xmas everyone!
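Editor's note, added to this thread and not part of the post above or of the draft guide it links: the three settings the post asks about (the UAC prompt behaviour behind the "password instead of Yes/No" recommendation, the BitLocker "Require additional authentication at startup" policy, and the File Explorer drive-restriction policy that locked the admin account out of its files) are all plain registry values, so they can be inspected before changing anything. The script below is a read-only audit of those values. It assumes Windows 10 Pro (the built-in BitLocker module) and an elevated PowerShell prompt; the registry paths and value meanings are the documented ones for these policies, and the function names are my own.

```powershell
# Added example (not the post author's or the guide's): read-only audit of the
# settings discussed in the thread. Run elevated on Windows 10/11. Changes nothing.

function Test-CurrentUserIsAdmin {
    # True only when this process holds an unfiltered (elevated) administrator token.
    # An admin account in a non-elevated window reports False because UAC filters
    # the Administrators group out of the token; a standard user always reports False.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    ([Security.Principal.WindowsPrincipal]$id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-UacPromptMode {
    # ConsentPromptBehaviorAdmin is the value the "make administrators type a password
    # too" recommendation changes: 1 and 3 ask for credentials, 2/4/5 only ask Yes/No.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key
    $meaning = @{
        0 = 'Elevate without prompting'
        1 = 'Prompt for credentials on the secure desktop'
        2 = 'Prompt for consent (Yes/No) on the secure desktop'
        3 = 'Prompt for credentials'
        4 = 'Prompt for consent (Yes/No)'
        5 = 'Prompt for consent for non-Windows binaries (Windows default)'
    }
    $v = $p.ConsentPromptBehaviorAdmin
    [pscustomobject]@{
        UacEnabled                 = [bool]$p.EnableLUA
        ConsentPromptBehaviorAdmin = $v
        Meaning                    = $(if ($null -eq $v) { 'value absent (behaves as 5)' } else { $meaning[[int]$v] })
        PromptOnSecureDesktop      = [bool]$p.PromptOnSecureDesktop
    }
}

function Get-BitLockerStartupAuthPolicy {
    # "Require additional authentication at startup" is stored under the FVE policy key.
    # UseTPM / UseTPMPIN / UseTPMKey / UseTPMKeyPIN each take 0 = do not allow,
    # 1 = require, 2 = allow. If the key is absent the policy is Not Configured and
    # Windows defaults apply (TPM only, no pre-boot PIN).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $key)) {
        return [pscustomobject]@{ Setting = '(policy key absent)'; Value = $null; Meaning = 'Not Configured, Windows defaults' }
    }
    $p = Get-ItemProperty -Path $key
    $words  = @{ 0 = 'Do not allow'; 1 = 'Require'; 2 = 'Allow' }
    $onOff  = @{ 0 = 'Disabled'; 1 = 'Enabled' }
    $flags  = 'UseAdvancedStartup', 'EnableBDEWithNoTPM'
    foreach ($name in ($flags + 'UseTPM', 'UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN')) {
        $v = $p.$name
        [pscustomobject]@{
            Setting = $name
            Value   = $v
            Meaning = $(if ($null -eq $v) { 'not set' } elseif ($name -in $flags) { $onOff[[int]$v] } else { $words[[int]$v] })
        }
    }
}

function Get-SystemDriveProtectors {
    # What actually protects the OS volume right now. A pre-boot PIN appears as a
    # TpmPin protector; the recovery password the post mentions is RecoveryPassword.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    [pscustomobject]@{
        Volume           = $vol.MountPoint
        ProtectionStatus = $vol.ProtectionStatus
        Protectors       = ($vol.KeyProtector.KeyProtectorType -join ', ')
    }
}

function Get-ExplorerDriveRestrictions {
    # "Prevent access to drives from My Computer" writes NoViewOnDrive and "Hide these
    # specified drives in My Computer" writes NoDrives. Both are bitmasks:
    # bit 0 = A:, bit 1 = B:, ... bit 25 = Z:, so 0x03FFFFFF means every drive.
    # They live under User Configuration, and local gpedit.msc applies User
    # Configuration to every account that logs on, the administrator included.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path $key)) { return 'No Explorer drive policy applied to this user' }
    $p = Get-ItemProperty -Path $key
    foreach ($name in 'NoViewOnDrive', 'NoDrives') {
        $mask = $p.$name
        if ($null -eq $mask) { continue }
        $drives = 0..25 | Where-Object { ($mask -band (1 -shl $_)) -ne 0 } |
                  ForEach-Object { '{0}:' -f [char](65 + $_) }
        [pscustomobject]@{ Policy = $name; Mask = ('0x{0:X8}' -f $mask); Drives = ($drives -join ' ') }
    }
}

'--- Current token ---'
"Running with an elevated administrator token: $(Test-CurrentUserIsAdmin)"
'--- UAC prompt mode (HKLM ...\Policies\System) ---'
Get-UacPromptMode | Format-List
'--- BitLocker startup authentication policy (HKLM ...\Policies\Microsoft\FVE) ---'
Get-BitLockerStartupAuthPolicy | Format-Table -AutoSize
'--- OS volume key protectors ---'
Get-SystemDriveProtectors | Format-List
'--- Explorer drive restrictions for this user (HKCU ...\Policies\Explorer) ---'
Get-ExplorerDriveRestrictions | Format-Table -AutoSize
```

Reading the output against the post: ConsentPromptBehaviorAdmin of 1 or 3 is the "password instead of Yes/No" state the alternative recommendation produces; a TpmPin protector together with UseTPMPIN = 1 is what makes the pre-boot PIN mandatory; and a NoViewOnDrive mask that covers C: (or 0x03FFFFFF) on the administrator's own profile is exactly the "cannot open any file" symptom, since the User Configuration policy was applied to that account as well.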