Windows Guide

Hi, Some people know me by name in the Matrix room. I am working on the Windows Guide for PG.

I am following Windows Hardening and Privacy Guide by Beerisgood on Github for this. I worked a lot on it. But due to many conflicts in the PR. I closed it and working on the same in a new one.

I would like to get some advice on what should I add in my guide.

The Guide will consists of 4 pages

  • Overview (Which you can see a preview in the PR)
  • Hardening
  • Sandboxing
  • Privacy

Looking forward for your ideas, fellas.

I think a Windows guide is a good idea as many people cannot switch to Linux as it lacks software like Microsoft Office, Adobe Creative Cloud, and many games. Also Windows is a lot more secure than Linux. I agree with Beerisgood on a lot of things:

  1. It’s a good idea not to install anti-spying tools like ShutUp10 but to use official documentation instead as installing extra tools increases attack surface and gives you another party to trust, and it’s always best to get information from first-party resources and not third-party ones, hence why TOS;DR was removed. In general it’s best to use first-party software as much as possible and avoid installing extra software.
  2. Microsoft edge is the only browser I’d recommend for Windows users as it is the only one that natively supports hardware isolation and allows disabling JIT.
  3. I agree that open source software like 7-Zip, LibreOffice, Veracrypt, and Firefox should be avoided as it’s less secure than Microsoft software.
  4. I agree with most of the Microsoft recommendations for the average home user. Paranoia about Microsoft telemetry is worse than the telemetry itself and using a Microsoft account does have security benefits and I see why Microsoft requires using a Microsoft account with Windows now, though it does allow Microsoft to spy on you even more. It depends on whether you prioritize privacy or security.

Not really. You’re adding another party to trust simply for convenience. It’s best people learn to use Windows firewall.

2 Likes

Hardly a cut and dry case. Microsoft Edge is also known for showing ads for malware on its home screen, bundling bloatware like invasive “buy now, pay later” services, and integrating “features” like automatic coupon/deal finding (which send your browsing history and bookmarks to Microsoft). It also doesn’t implement privacy features even Chrome has standard, like end-to-end encrypted sync.

Microsoft does not have native tools which do what 7-Zip does (i.e. opening anything other than a .zip file).

Microsoft telemetry is literally a keylogger.* Besides maybe Facebook and their complete lack of ethics and boundaries I’m having a hard time thinking of something pushed by a big tech company which is more invasive than Microsoft telemetry on Windows 10/11.

I also can’t find any sources indicating a Microsoft Account user is more secure than a Local user at a glance, but I could be wrong about this. The only security advantage which comes to mind is automatic device encryption, which we specifically recommend against already in favor of a manual Bitlocker setup because “Device Encryption” sends your recovery key to Microsoft.

* Microsoft telemetry is better than it was, I remember a lot of overblown articles about it when Windows 10 was Insiders-only, when pretty much all beta software will require deeper analytics/telemetry for product improvement because it’s… in beta. But Microsoft’s privacy defaults are still unsafe, their whole approach to privacy is a giant “just trust us!” black box.

8 Likes

open source software like […] LibreOffice […] should be avoided as it’s less secure than Microsoft software.

I wasn’t aware that LibreOffice is less secure than Microsoft software (I’m assuming you mean the Office 365 suite). I’m interested to know more (I currently use it): do you have any references I could read?

3 Likes

Microsoft Office can utilize MDAG (Microsoft Defender Application Guard). The free versions of Microsoft Office work inside web browsers and don’t allow active content on desktops. LibreOffice has no sandboxing preventing untrusted files from accessing trusted resources. If there was a vulnerability in LibreOffice like there was a few years ago, attackers can create documents that can execute malicious code onto your computer.

2 Likes

I didn’t know that the Application Guard supported Office: that’s great. And I’ll keep an eye on The Document Foundation’s security advisories. Thanks! :+1:

2 Likes

I really like privacy.sexy to create my windows configurations. It also has settings i really wouldn’t recommend like disabling defender, but it’s very transparent and easy to configure.

As Jonah pointed out the telemetry of windows is something to worry about. It really is super invasive (especially the non-EU version). We should advice users to limit this as much as possible.

Microsoft accounts do not automatically enable device encryption actually, but device encryption is enabled by default under windows 11 (depending on hardware available). In my opinion it isn’t much more secure. An attacker can still add another administrator account and through this gain access to the user’ files using the same attacks that are known against local accounts, so this practically does not make any difference.

Some things I recommend using:

Note that some policies are not available under Windows Home and Windows Home N. You probably want to be using Windows Pro if any.

10 Likes

There is nothing hypocritical about this. Simplewall does not add anything new that cannot be done with the standard Windows firewall. How else is someone going to play Steam games? It may be better to just game on consoles instead of the PC.

PrivacyGuides became sane. One cannot have privacy without security and security is more important than freedom. It makes much more sense to use a Google Pixel than a Linux phone and a new Windows secured core PC or a Chromebook than a Thinkpad older than a decade. Security researchers are more trustworthy and reputable than free software activists.

4 Likes

I agree with most of your points from a very high level, but this:

is honestly a dangerous thought process to me. Putting faith into huge organizations with outsized power in the world is a recipe for disaster.

Sure, getting malware is terrible and could potentially materially impact your real life if your bank account got drained as a result, for example. But by prioritizing security this much, one loses balance and view of the bigger picture, in my opinion.

8 Likes

Since you replied to some of my recommendations. You cannot achieve privacy without security and neither the other way around. There are definitely differences but privacy and security more often overlap in their goals. The balance is hard to define but a large part of privacy, in context of today, is about data protection. Without good security you risk being infected or leak your data somewhere. You can really put a lot of effort in hiding with projects giving you a lot of privacy but no security until one day you get pwned and everything you worked for is gone. In the current day security risks are really high, especially for individuals seeking privacy. We have got enough proof for that seeing cases like Pegasus (the possibility of this I have warned people for for years). And many have been shocked by the wide spread of these attacks, and we yet have seen only one of them. May it serve as an example of what is possible and how little we know what is out there. To put it simply without security your privacy protections are worthless. This sometimes means you need to make compromises.

Also note we never recommended Windows in the first place. But given you already trust Microsoft (by using it) you may as well use them to secure you instead of being even more vulnerable. If you need a higher standard of privacy: DO NOT USE WINDOWS.

3 Likes

Yes but you can have privacy without freedom. You can’t have privacy without security.

If you need a higher standard of privacy, you should use GrapheneOS on the newest Google Pixel and nothing else. Linux and OpenBSD are a security nightmare.

1 Like

Which is why you only install apps from the Microsoft store. Windows out of the box is far more secure than Linux out of the box and it can be hardened like any other operating system. Out of the box, ChromeOS is the most secure, then macOS, then Windows, then Linux. I agree that Linux can be made secure once hardened but most people aren’t expected to harden Linux enough to where it matters and really are better off using Windows, macOS, or ChromeOS.

OpenBSD has no GUI isolation as it uses Xenocara (a fork of Xorg) instead of Wayland, making it impossible to fully sandbox apps. It also lacks proper verified boot among other mitigations and the mitigations it does have aren’t as good as the ones found in proprietary operating systems. To call OpenBSD a secure operating system is like calling Lynx a secure browser. OpenBSD is a meme.

Source: https://isopenbsdsecu.re/

1 Like

I think sandboxie has some major security concerns afaik. Using Windows Sandbox is better

2 Likes

True. Using third-party software for security usually increases attack surface and weakens the Windows security model.

2 Likes

I think everyone here as a valid point: security, privacy, attack surface, freedom, etc. are all important subjects but I think we are losing sight about threat model.
We’re talking about the Windows guide section, the average user here has a pc probably with an office suite, some games, utilities like 7zip, pdf reader, music and video player and more.
I’m all into minimal setup but imo it is not realistic nor useful to simply promote “do not install anything outside MS” cause it potentially increases attack surface. It’s quite useless to have a PC that can’t run software. So the question for me should be how can we run software without too much compromise security and privacy and usability.
The GrapheneOS approach is a great example, it’s secure, hardened and it still retains a great usability and user experience. To block network use you don’t have to install a firewall app or mess around with obscure settings, you just flip a switch.
Now Windows it’s not so easily manageable in that regard and if it’s not simple enough people just don’t use it, so a relatively easy approach should not be totally dismissed (I also think disable telemetry here).
So, are third party sandboxes, firewalls, privacy scripts, etc. worth to improve the security/privacy/usability Windows balance?

3 Likes

By only installing software that we need and using what’s provided by Microsoft whenever possible. In general, it’s advised to stay away from desktop apps and use the web browser for most activities including Email as websites in a browser are much less privileged than native apps and installing extra software can increase attack surface. Games and apps like Spotify and Discord are fine if they are required but it is possible to do a lot of this inside the browser.

  • If one cannot afford Microsoft Office, they should use the free versions that work inside a web browser and don’t allow active contents in desktops.
  • Use your browser’s built-in PDF reader. You can download the PDFs and then turn off your internet connection to prevent network connections from being made while reading the PDF.
  • Use the default music and video players that come with Windows.
  • Use Bitlocker for encryption as Veracrypt breaks secure boot.
  • Use Bandizip as 7Zip lacks anti-exploit and MOTW support.
  • Do not install a bunch of security software and stay away from cleanup tools like CCleaner, anti-spying tools like ShutUp10, backup software (use cloud storage or USB drives for backups), and third-party uninstallers like Revo Uninstaller. It’s best to use the default Windows Defender instead of installing a third-party antivirus.

Firewalls and privacy scripts are not. Use official documentation from Microsoft. I have not used Sandboxie so I can’t really speak for it, though generally third-party security software can weaken the desktop security model like VeraCrypt does.

Hard_Configurator may save a lot of time hardening the system.

1 Like

I’ll let others deal with the misinformarion in this thread…

To the op CSI benchmarks are the gold standard baseline that even the biggest companies use.
Many sysadmins and Cybersecueity professionals in my professional experience (and most sysadmin forums) will agree. You can do a search on your preferred engine to easily verify my claims.

Note: it’s good practise to paste thinks in full, on forums and emails, where feasible.

Non-exhaustive (sample) Sources for comments on CIS:

Link:
https://downloads.cisecurity.org/#/all

Search for “Windows Desktop” and your Linux distro for Linux users.

NIST and STIGs are also considered authoratative standards in the industry
NIST (National Institute of Standards and Technology)
STIGs (Security Technical Implementation Guides).

Aside from these resources you should identify common threat models and usage goals to tailor the benchmarks accordingly into different ‘profiles’ that are relevant to readers.

From memory when running through BeerIsGood’s guide there were some flaws in his thinking, that caused me to stop reading part way through, I’m no longer a windows user so I’m not going to review it again to be more specific.

7 Likes
  • Do not install a bunch of security software and stay away from cleanup tools like CCleaner, anti-spying tools like ShutUp10, backup software (use cloud storage or USB drives for backups), and third-party uninstallers like Revo Uninstaller. It’s best to use the default Windows Defender instead of installing a third-party antivirus.

It’s worth noting that Microsoft lets you uninstall a lot of apps with the winget package manager (If you don’t like Cortana it’s as simple as winget uninstall Cortana for example), so third party uninstallers aren’t really needed. Though of course it’s best to clean install Enterprise/Education so as to be able to have minimal bloatware and easy disabling of telemetry out of the box. If one isn’t a student/can’t afford either/isn’t willing to use MAS, then I think Pro still has less bloatware out of the box (though telemetry can’t be fully disabled like on Enterprise/Education).

2 Likes

https://www.softscheck.com/en/privacy-analysis-windows-10-enterprise-telemetry-level-0/

If you are going to forgo clean-up and blocking scripts, then I think the suggested Group Policy edits need to be quite extensive. Telemetry: Level 0 isn’t a catch all to stop Windows from sending data completely.

1 Like

I think Sandboxie should not be recommended as it doesn’t have any hardware isolation unlike Windows Sandbox, which uses Hyper-V, making it much harder for malware to escape.

Sources:

2 Likes