Windows Guide

Hi, some people know me by name in the Matrix room. I am working on the Windows Guide for PG.

I am following the Windows Hardening and Privacy Guide by Beerisgood on GitHub for this. I worked a lot on it, but due to many conflicts in the PR, I closed it and am working on the same in a new one.

I would like to get some advice on what I should add to my guide.

The guide will consist of 4 pages:

  • Overview (you can see a preview in the PR)
  • Hardening
  • Sandboxing
  • Privacy

Looking forward to your ideas, fellas.

Sandboxie Plus would be a good recommendation for sandboxing. I’ve tested dozens of different malware samples on it, including ransomware, and it protected against each one. It is also good for privacy in general, as you can limit permissions for invasive apps.

Simplewall is also good for security/privacy: a user-friendly UI for the Windows firewall to restrict internet access for apps.

Also, a package manager should be recommended instead of the current risky approach of users downloading any software from the internet. Scoop (installs directly from official domains, you can verify by using scoop cat on an app, and it also bundles a VirusTotal checker) or winget (Microsoft) would be great for this.

1 Like

I think a Windows guide is a good idea, as many people cannot switch to Linux because it lacks software like Microsoft Office, Adobe Creative Cloud, and many games. Also, Windows is a lot more secure than Linux. I agree with Beerisgood on a lot of things:

  1. It’s a good idea not to install anti-spying tools like ShutUp10 but to use official documentation instead, as installing extra tools increases attack surface and gives you another party to trust, and it’s always best to get information from first-party resources and not third-party ones, hence why TOS;DR was removed. In general it’s best to use first-party software as much as possible and avoid installing extra software.
  2. Microsoft Edge is the only browser I’d recommend for Windows users, as it is the only one that natively supports hardware isolation and allows disabling JIT.
  3. I agree that open source software like 7-Zip, LibreOffice, Veracrypt, and Firefox should be avoided as it’s less secure than Microsoft software.
  4. I agree with most of the Microsoft recommendations for the average home user. Paranoia about Microsoft telemetry is worse than the telemetry itself and using a Microsoft account does have security benefits and I see why Microsoft requires using a Microsoft account with Windows now, though it does allow Microsoft to spy on you even more. It depends on whether you prioritize privacy or security.

Not really. You’re adding another party to trust simply for convenience. It’s best people learn to use Windows firewall.

1 Like

Hardly a cut and dry case. Microsoft Edge is also known for showing ads for malware on its home screen, bundling bloatware like invasive “buy now, pay later” services, and integrating “features” like automatic coupon/deal finding (which send your browsing history and bookmarks to Microsoft). It also doesn’t implement privacy features even Chrome has standard, like end-to-end encrypted sync.

Microsoft does not have native tools which do what 7-Zip does (i.e. opening anything other than a .zip file).

Microsoft telemetry is literally a keylogger.* Besides maybe Facebook and their complete lack of ethics and boundaries I’m having a hard time thinking of something pushed by a big tech company which is more invasive than Microsoft telemetry on Windows 10/11.

I also can’t find any sources indicating a Microsoft Account user is more secure than a Local user at a glance, but I could be wrong about this. The only security advantage which comes to mind is automatic device encryption, which we specifically recommend against already in favor of a manual BitLocker setup because “Device Encryption” sends your recovery key to Microsoft.

* Microsoft telemetry is better than it was, I remember a lot of overblown articles about it when Windows 10 was Insiders-only, when pretty much all beta software will require deeper analytics/telemetry for product improvement because it’s… in beta. But Microsoft’s privacy defaults are still unsafe, their whole approach to privacy is a giant “just trust us!” black box.

4 Likes

open source software like […] LibreOffice […] should be avoided as it’s less secure than Microsoft software.

I wasn’t aware that LibreOffice is less secure than Microsoft software (I’m assuming you mean the Office 365 suite). I’m interested to know more (I currently use it): do you have any references I could read?

2 Likes

Microsoft Office can utilize MDAG (Microsoft Defender Application Guard). The free versions of Microsoft Office work inside web browsers and don’t allow active content on desktops. LibreOffice has no sandboxing preventing untrusted files from accessing trusted resources. If there were a vulnerability in LibreOffice, like there was a few years ago, attackers could create documents that execute malicious code on your computer.

1 Like

I didn’t know that the Application Guard supported Office: that’s great. And I’ll keep an eye on The Document Foundation’s security advisories. Thanks! :+1:

1 Like

I really like privacy.sexy to create my Windows configurations. It also has settings I really wouldn’t recommend, like disabling Defender, but it’s very transparent and easy to configure.

As Jonah pointed out, the telemetry of Windows is something to worry about. It really is super invasive (especially the non-EU version). We should advise users to limit this as much as possible.

Microsoft accounts do not automatically enable device encryption actually, but device encryption is enabled by default under Windows 11 (depending on hardware available). In my opinion it isn’t much more secure. An attacker can still add another administrator account and through this gain access to the user’s files using the same attacks that are known against local accounts, so this practically does not make any difference.

Some things I recommend using:

Note that some policies are not available under Windows Home and Windows Home N. You probably want to be using Windows Pro if any.

6 Likes

as installing extra tools increases attack surface and gives you another party to trust

Not really. You’re adding another party to trust simply for convenience. It’s best people learn to use Windows firewall.

For standard business usage, sure, but for the average home user an OS isn’t just a browser anymore. Recommending that less technical people learn the Windows firewall, as opposed to simplewall’s yes/no interface, will likely throw them off and not have them limit internet access anyway, which would greatly increase attacks. Besides, I do believe it’d be hypocritical for someone to use Steam/EGS/GOG and install screw all anyway, yet reject simplewall for the purpose of reducing the attack surface.

open source software like 7-Zip, LibreOffice, Veracrypt, and Firefox should be avoided as it’s less secure than Microsoft software

Why the term open source specifically? Lack of sandboxing would apply to any non-Microsoft Store application, proprietary or open source.

And again, for the average user I do believe this would be extreme; besides, the option of sandboxing via Sandboxie Plus is always open for this reason.

Microsoft Defender SmartScreen

In the past, Privacy Guides used to at least have an equal ground when it came to security vs privacy, if not leaning towards privacy. Now I see security prioritised and privacy as a bonus. What happened?

2 Likes

There is nothing hypocritical about this. Simplewall does not add anything new that cannot be done with the standard Windows firewall. How else is someone going to play Steam games? It may be better to just game on consoles instead of the PC.

PrivacyGuides became sane. One cannot have privacy without security and security is more important than freedom. It makes much more sense to use a Google Pixel than a Linux phone and a new Windows secured core PC or a Chromebook than a Thinkpad older than a decade. Security researchers are more trustworthy and reputable than free software activists.

1 Like

I agree with most of your points from a very high level, but this:

is honestly a dangerous thought process to me. Putting faith into huge organizations with outsized power in the world is a recipe for disaster.

Sure, getting malware is terrible and could potentially materially impact your real life if your bank account got drained as a result, for example. But by prioritizing security this much, one loses balance and view of the bigger picture, in my opinion.

3 Likes

There is nothing hypocritical about this. Simplewall does not add anything new that cannot be done with the standard Windows firewall. How else is someone going to play Steam games?

It certainly is, because you agree with users installing random games from the internet, yet make a big deal over a single app as it increases the user’s attack surface. By this same logic a GUI should be ditched entirely, as it’s a security risk over a TTY.

Simplewall does not add anything new that cannot be done with the standard Windows firewall

Simplewall would achieve the same result as just using the Windows firewall, sure, but it makes the task accessible to all users, regardless of their technical background: instead of launching the Windows firewall manually for each service and app they have, manually adding the path and adding an outbound rule, the user is auto-prompted with a yes/no GUI the first time an app/service attempts to connect to the internet.

security is more important than freedom

This website’s called privacyguides, not securityguides; I believe we should at least have an equal ground when it comes to privacy vs security, if not lean towards privacy.

1 Like
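The manual Windows firewall workflow described in the post above (default-deny outbound, then an allow rule per application path), written out as an added PowerShell example; this is not code from the forum thread or from simplewall, and the application paths are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example: reproduce the "ask before an app reaches the internet" outcome
# with the built-in Windows firewall and the NetSecurity cmdlets. Run from an
# elevated PowerShell prompt. The paths below are placeholders for this example;
# replace them with the programs you actually trust.

$allowedApps = @(
    'C:\Program Files\Mozilla Firefox\firefox.exe',   # placeholder
    'C:\Program Files (x86)\Steam\steam.exe'          # placeholder
)

# 1. Default-deny outbound on every profile. Anything without an explicit
#    allow rule is dropped; this is what answering "no" in simplewall amounts to.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

# 2. One outbound allow rule per executable. Re-running is safe: a rule with the
#    same DisplayName is removed before it is recreated.
foreach ($app in $allowedApps) {
    if (-not (Test-Path -LiteralPath $app)) {
        Write-Warning "Skipping missing program: $app"
        continue
    }
    $name = 'Allow outbound - ' + [IO.Path]::GetFileName($app)
    Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Allow `
        -Program $app -Profile Any -Enabled True | Out-Null
}

# 3. Review: the rules this script manages, with the program each one matches,
#    and the effective default action per profile.
Get-NetFirewallRule -DisplayName 'Allow outbound - *' |
    Select-Object DisplayName, Enabled, Action,
        @{ n = 'Program'; e = { ($_ | Get-NetFirewallApplicationFilter).Program } }
Get-NetFirewallProfile | Select-Object Name, DefaultOutboundAction
```

Default-deny outbound also affects Windows components (updates, time sync) that have no matching allow rule, so try it on a machine you can recover first; `netsh advfirewall reset` restores the shipped policy.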

Since you replied to some of my recommendations: you cannot achieve privacy without security, and neither the other way around. There are definitely differences, but privacy and security more often overlap in their goals. The balance is hard to define, but a large part of privacy, in the context of today, is about data protection. Without good security you risk being infected or leaking your data somewhere. You can really put a lot of effort into hiding with projects giving you a lot of privacy but no security, until one day you get pwned and everything you worked for is gone. In the current day security risks are really high, especially for individuals seeking privacy. We have got enough proof for that seeing cases like Pegasus (the possibility of this I have warned people about for years). And many have been shocked by the wide spread of these attacks, and we have yet seen only one of them. May it serve as an example of what is possible and how little we know of what is out there. To put it simply, without security your privacy protections are worthless. This sometimes means you need to make compromises.

Also note we never recommended Windows in the first place. But given you already trust Microsoft (by using it) you may as well use them to secure you instead of being even more vulnerable. If you need a higher standard of privacy: DO NOT USE WINDOWS.

1 Like

Yes but you can have privacy without freedom. You can’t have privacy without security.

If you need a higher standard of privacy, you should use GrapheneOS on the newest Google Pixel and nothing else. Linux and OpenBSD are a security nightmare.

Linux and OpenBSD are a security nightmare

Explanation? Because this is straight up false.

First off, literally anything is more secure than Windows right now. Apps outside the Microsoft Store (which in itself is a meme) run wild with no sandboxing and with a mostly yes(to everything)/no permission system.

When it comes to security, macOS is probably the best for stock, out-of-the-box security.

However, Linux can be very secure when hardened; there’s a reason almost all servers run on it. Everything is configurable, and as for sandboxing there are many AppArmor & bubblewrap templates online: e.g. 1, two, three, and for user-friendly options Flatpak or preferably Bubblejail (which is a GUI for configuring bubblewrap) are also good options.

Fedora Silverblue is also a good OOTB option.

Yes but you can have privacy without freedom

I never even mentioned freedom, I was talking about security vs privacy.

Which is why you only install apps from the Microsoft store. Windows out of the box is far more secure than Linux out of the box and it can be hardened like any other operating system. Out of the box, ChromeOS is the most secure, then macOS, then Windows, then Linux. I agree that Linux can be made secure once hardened but most people aren’t expected to harden Linux enough to where it matters and really are better off using Windows, macOS, or ChromeOS.

OpenBSD has no GUI isolation as it uses Xenocara (a fork of Xorg) instead of Wayland, making it impossible to fully sandbox apps. It also lacks proper verified boot among other mitigations and the mitigations it does have aren’t as good as the ones found in proprietary operating systems. To call OpenBSD a secure operating system is like calling Lynx a secure browser. OpenBSD is a meme.

Source: https://isopenbsdsecu.re/

Which is why you only install apps from the Microsoft store

Which is great security-wise until you see no official GIMP app, but rather a paid version uploaded by some random person (for example). The issue with the MS Store is that imo it’s not very usable, and lacks moderation, which then leads 90% of people to install apps externally.

most people aren’t expected to harden Linux enough to where it matters

True, but even a very simple Fedora Silverblue install, as well as Flatpaks, which have a one-click install button from the package manager of choice, would be sufficient. Not perfect, as Flatpak does have its issues, but combined with the fact that there’s less malware on Linux to begin with, it’d be enough to mitigate a lot of attacks.

can be hardened like any other operating system

Barely; you mostly end up relying on Microsoft for this.

1 Like

I think Sandboxie has some major security concerns afaik. Using Windows Sandbox is better.

1 Like

True. Using third-party software for security usually increases attack surface and weakens the Windows security model.

1 Like

I think Sandboxie has some major security concerns afaik. Using Windows Sandbox is better.

They have different use cases: unless you’re planning on manually opening 20 Windows Sandbox sessions, which would likely hang your PC, Sandboxie lets you sandbox apps automatically on launch whilst still looking native/normal. Not to mention Windows Sandbox is limited solely to Windows Pro, which costs roughly 100 quid more than Home.

Not a silver bullet, but I’ve run dozens of malware/ransomware samples on it when trying it out, and on terminating the sandbox, no traces remained. As for the privacy aspect of it, unless you think Discord devs (for example) will go out of their way to bypass a very niche sandbox, it should be fine.

Also, just to be clear, I’m talking about Sandboxie Plus as opposed to the classic version; it has had a lot of improvements since the original version.