Windows Guide

I’m currently in the process of helping @Edward make this Windows guide. Our main question is whether using a Microsoft account in Windows adds anything beneficial security-wise. A local account is better privacy-wise and could have a reduced attack surface since it isn’t tied to an account, but is there any real justification to have it tied to an account?
P.S. if y’all have any additional ideas or recommendations for the Windows guide I’d love to hear them!

1 Like

Here are some subjects I would like the Windows guide to clarify/suggest:

  • Intro on secure boot, bios security settings
  • Differences between Windows 10 Home vs Windows 10 Pro/Enterprise?
  • Offline account vs Online account (also user account vs admin)
  • Privacy settings
  • Telemetry (do we need some third party disabler?)
  • Group policies settings
  • BitLocker (also on external devices, probably merge the OS full disk encryption section)
  • Security settings / Hardening
  • Windows Store pro and cons
  • Windows Firewall
  • Windows Sandbox use cases
  • Windows Defender
  • Recommended third party privacy software (sandboxes/firewalls/privacy scripts/etc.)
6 Likes

As far as I’m aware using a Microsoft Account is the only way to enable Device Encryption on Windows 10/11 Home, however we already have a guide to enable Bitlocker as an alternative on the Home edition instead.

1 Like

Perhaps so, I’ll have to look into it more. Also, Home would be the least recommended edition of Windows ofc, but I know that is hard to avoid sometimes.

1 Like

We’ll keep this in mind, thanks!

1 Like

I’m relatively new to the privacy/security subject and really looking forward to the Windows guide since I use it for my gaming PC. Though besides gaming I also use it for other stuff like banking, mail, Excel and Word. I’ve done some hardening with help from beerisgood and tried to weigh security and privacy along with functionality. My threat model is mainly focused on surveillance capitalism and passive attacks, maybe mass surveillance to some degree; I’m not looking for complete anonymity.

Really eager to know when we can expect this guide to be released? (sorry for the impatience)

Privacy Guides is my go-to because of its simplicity yet educating format. Some things I’d like to learn more about in the guide are:

  • Microsoft account pros and cons, as opposed to local account

  • If Microsoft account is needed (in my case since I got a family 365 account through a relative), how to enhance privacy and security

  • How to minimize telemetry, and information on what will actually be sent to Microsoft (assuming they aren’t actively ignoring settings) when configuring it as low as possible

  • Recommended backup configuration

  • I know beerisgood only recommends Edge as browser; of course there have been different opinions on this, though I can understand the point made. How does this apply to email clients? Would Outlook be a preferred client over Thunderbird if one has Office?

  • Again I see the ongoing discussion and recommendation to use BitLocker for system encryption. Does this go for external drives as well, or does it matter in that case?

  • A major bonus would be if there were any information on whether certain settings have a major performance impact. I understand it’s not the prime focus, but I read that some security settings, like memory integrity, can have a noticeable impact on performance. When gaming, performance is essential and it’s really hard to find hands-on info on what you’re sacrificing by turning it off, like performance vs security gain.

Thanks for all the work on this, it is greatly appreciated!

2 Likes

Also good points to consider as well. I’ll look them over. Thanks!
P.S. do you have a link about the beerisgood Edge recommendation?

1 Like

Sure, I got the impression before that his Windows hardening guide was partly being used for the PG Windows section, but I might be wrong?

Anyway, in his Windows 11 hardening guide there is first a section under “Requirements” that reads:

avoid insecure software like 7-Zip (which e.g. lacks Anti-Exploit and MOTW support), Open/ LibreOffice, Firefox, True/Veracrypt, …

And then under “Hardening” there’s another section that reads:

use the only browser on Windows that natively supports hardware isolation: Edge

Now I’m not sure if this is completely up to date, since from what I understand Firefox has made some significant security progress in the last year? Though the Application Guard used in Edge is probably as isolated as a browser gets from the rest of the system?

At the moment I use Firefox myself for everyday use and Edge when sites break because of settings in Firefox or when I want the full isolation.

(more links with info in the guide, couldn’t link in this post since new users only get 2 links per post)

2 Likes

Edward may know about this guide, but if not I’ll share it.
I didn’t know about 7-Zip, but that’s good to know.
FF has improved quite a lot, but the core issue is the engine/sandboxing. FF is pretty behind Chromium’s sandboxing, so unless they really tighten it up they can’t fix it properly.
Thanks for sharing the guide!

3 Likes

From what I’ve read here, BitLocker is only recommended for Windows because it minimizes evil maid attacks. For external drives, I would use VeraCrypt.

4 Likes

I believe we say this on the website, that BitLocker is only recommended for the boot drive. So it’s perfectly acceptable and probably better to use VeraCrypt on external drives; if that’s not clear we should make it clear.

1 Like

It’s better to use BitLocker for fixed drives on a PC and use VeraCrypt for removable/external drives?

1 Like

I don’t think there’s a reason to use BitLocker for fixed, secondary drives either. Only for operating system drives.

2 Likes

It depends on the user though, if you use BitLocker for both drives with a startup PIN.

The boot goes like this:

Enter PIN → TPM releases keys → OS drive gets decrypted → key for secondary drive gets released and decrypted → OS boots → Login screen

I prefer this way because without the startup PIN, no data can be accessed.

Why do you prefer VeraCrypt for secondary drives: for cross-compatibility & accessing them on other devices in case you screw something up on the OS & can’t access the data forever, or something else?

I will mention this though.

I am suggesting this as it is a built-in solution and better than the third-party one, VeraCrypt.
This might feel like 1 factor, but not until I add Startup Key + PIN.

2 Likes
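The boot chain described in the post above (TPM + startup PIN on the OS volume, secondary fixed volume unlocked from the OS volume) can be configured and checked with the built-in BitLocker cmdlets. This is an added example, not code from the thread or from Microsoft’s documentation; the drive letters are assumptions, and the TPM+PIN protector only works if the “Require additional authentication at startup” policy allows it.

```powershell
# Added example: BitLocker TPM+PIN on the OS drive, auto-unlock for a fixed data drive.
# Run in an elevated PowerShell. Assumed layout: C: = OS volume, D: = fixed data volume.
$OsDrive   = 'C:'
$DataDrive = 'D:'

# 1. OS drive: TPM + startup PIN protector. Nothing is released by the TPM until the PIN
#    is entered, which is what makes the chain below "no PIN, no data".
$pin = Read-Host -AsSecureString 'Startup PIN'
Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod XtsAes256 `
    -TpmAndPinProtector -Pin $pin -SkipHardwareTest
# Recovery password as a fallback; print it once so it can be stored OFFLINE rather than
# accepting the prompt to back it up to a Microsoft account.
Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector | Out-Null
(Get-BitLockerVolume -MountPoint $OsDrive).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    Select-Object -ExpandProperty RecoveryPassword

# 2. Data drive: encrypt with its own recovery password, then enable auto-unlock so its
#    key is stored on the (already unlocked) OS volume and released after the PIN stage.
Enable-BitLocker -MountPoint $DataDrive -EncryptionMethod XtsAes256 -RecoveryPasswordProtector | Out-Null
Enable-BitLockerAutoUnlock -MountPoint $DataDrive

# 3. Check the result: both volumes should report ProtectionStatus 'On', the OS volume a
#    'TpmPin' protector and the data volume an 'ExternalKey' (auto-unlock) protector.
Get-BitLockerVolume | Select-Object MountPoint, VolumeStatus, ProtectionStatus,
    @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ', ' } }
```

Encryption of the data volume only finishes once the conversion completes; `VolumeStatus` shows `EncryptionInProgress` until then, and a reboot with the PIN prompt confirms the chain works end to end.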

I don’t think BitLocker is a problem, to be clear; it’s perfectly fine to use it for all your drives IMO. But VeraCrypt is open source and gives you a lot more flexibility in regard to every aspect of encrypting your drive compared to BitLocker. And it doesn’t try and trick you into uploading your keys to your Microsoft account. And it’s cross-platform. All I’m saying is that BitLocker is objectively better at encrypting your boot drive if you run Windows, but when it comes to all other drives then alternatives like VeraCrypt are equally fine.

3 Likes

If I am right, it does provide isolation when you use Microsoft Defender Application Guard, but I’m not sure about normal ones.

Do remember that MDAG bypasses VPN as it is isolated from host totally.

2 Likes

I agree. I will suggest both and emphasize using VeraCrypt with the use case I mentioned previously. You wanna add anything to it?

2 Likes

I might need some help on understanding ASR rules.

Network protection seems like badness enumeration. I presume we need to apply the rules.

I agree with the idea of application whitelisting. A brilliant one.

I don’t recommend privacy.sexy to disable stuff but things that it recommends to disable could be taken into account.

2 Likes

You can’t say so; because Microsoft lifted restrictions on the Store, there are Win32 apps without sandboxing & also UWP apps without sandboxing. You can’t determine if it’s sandboxed or not unless you see “Use all system resources” in the permissions that the app requests in the Store. If you see it, it has no sandbox.

1 Like

Blocking all incoming connections reduces the attack surface on a large scale. This can be done with a few clicks in the Windows Firewall settings.

You don’t need SimpleWall in that case?

1 Like
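The "block all incoming connections" setting from the post above can be applied and, more importantly, audited from PowerShell with the built-in NetSecurity cmdlets, so the remaining inbound allow rules are listed rather than assumed away. This is an added example, not code from the thread or from a Privacy Guides recommendation; it assumes an elevated PowerShell session on Windows 10/11.

```powershell
# Added example: default-deny inbound on every firewall profile, then audit what is
# still allowed in. Run in an elevated PowerShell.

# 1. Firewall on, unsolicited inbound blocked, outbound left alone, dropped packets
#    logged (pfirewall.log) so blocked traffic can be reviewed later.
#    DefaultInboundAction=Block is the Windows default, but set it explicitly.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Allow `
    -LogBlocked True

# 2. Stricter: ignore inbound allow rules entirely on the Public profile. This is the
#    "Block all incoming connections, including those in the list of allowed apps"
#    checkbox in the Firewall UI. Apply it to Private as well if nothing on the LAN
#    (Remote Desktop, file sharing, game hosting) needs to reach this machine.
Set-NetFirewallProfile -Profile Public -AllowInboundRules False

# 3. Verify the effective per-profile policy...
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, AllowInboundRules

# ...and list every enabled inbound allow rule with its program and local port,
#    so each remaining hole can be justified or turned off with Disable-NetFirewallRule.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $app  = $_ | Get-NetFirewallApplicationFilter
        $port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Name    = $_.DisplayName
            Profile = $_.Profile
            Program = $app.Program
            Port    = ($port.LocalPort -join ',')
        }
    } | Sort-Object Name | Format-Table -AutoSize
```

Rules listed in step 3 still matter on profiles where `AllowInboundRules` is `True`; on a profile where it is `False` they are ignored until the setting is reverted.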