Windows Guide

I think this ain’t the place for Windows vs Linux other than recommending stuff for the guide.

1 Like

You can only open one at a time.

Sandboxie:
It just escapes Hardware isolation provided by Hyper-V which ain’t good, IMO.

1 Like

Something other than Bandizip would be better. Maybe PeaZip?

Agreeable with a lot of the other stuff.

2 Likes

This makes me think.

1 Like

You are right, the guide is sort of built from beerisgood. He will be credited when I finish this.

1 Like

I am currently trying to work back in the guide. I need an explanation of the following from Beerisgood's guide:

  • What would be the use of Microsoft Defender Credential Guard, Network Protection, and Attack Surface Reduction rules from an average user standpoint? (It doesn’t make sense to me as these are focused towards enterprise protection)
  • Cloud-delivered protection, which is basically opting into sending metadata about the files to Microsoft for increased security but losing privacy when we try to balance.

I think I won’t add the above.


Additions I will make:

  • Validating enabled stuff
  • Disable Autoplay of USB or other devices to prevent malware execution.
  • List about Smart App Control and use in Evaluation mode only and enable if it is best for your setup
  • Suggest using EFS for sensitive files if there are other people using the PC from another user account, or just stick to BitLocker if the device is only used by you
  • Other Zip software instead of 7-Zip to consider MoW feature.

& several others that seem fit for general users.


Privacy:

  • Restriction of data access by other users.
  • Disabling Full Telemetry or suggesting required Telemetry
  • Randomizing MAC address
  • Tell about Delivery Optimization
  • Disabling Advertising ID in settings

Other stuff by @user1


I don’t know what else to add. I will try to refresh the preview

2 Likes

Regarding 7-Zip with the Mark of Web (MoW) thing. PeaZip works as expected. Open source, no need for Bandizip.

4 Likes

How to Require UAC Passwords on Administrator Accounts: 8 Steps - This will fix the issue of using a Basic User account alongside an unused Administrator account.

Do you think UAC could be bypassed this way?

I don’t think it could be.

3 Likes

I don't think so either, good find!

1 Like

I’m excited for the Windows guide. I have clients that require Windows so a Windows guide will be a great addition to the privacyguides site.

1 Like

Well, everybody is. Thing is, when I get the right time or a single day without other work, I can finish and publish it as soon as possible.

1 Like

Another thing to note down here:

  • I recommend PeaZip instead of 7-Zip
  • For PC cleaner tools such as CCleaner, they will be avoided in most cases, even FOSS alternatives like BleachBit, as you can use Disk Cleanup and Storage Sense in Settings. At the same time, Microsoft is developing its own cleaning utility for Windows. So, I think it would be the best case.
  • Any Chromium-based browser is recommended as Firefox sandboxing is weaker than Chromium's.

Also here’s an actual example of how an app like simplewall could, and actually did, increase attack surface: Security: Unprivileged users have full access to the filter engine · Issue #680 · henrypp/simplewall · GitHub

1 Like

I am talking about reducing attack without using SimpleWall, rather built-in solutions.

KISS guys, I think the most obvious things to do on Windows are to encrypt the drives and update the OS. Installing third-party apps/solutions is subpar (or even useless) imho.

3 Likes

The reason why there are so many Linux servers is not related to security.

Windows is quite secure, but Linux is not (even with hardened kernel).

https://madaidans-insecurities.github.io/linux.html

1 Like

I activated UAC for my admin account and it works perfectly, however it asks for password even when I open the task manager which is not required on a user account. Is there a way to avoid the UAC just for the task manager?

Same on my end, likely no, since task manager has the power to stop/modify services and applications, so it's a privileged application.

Sure but it is weird that on a user account you don’t have to pass UAC for the same task manager

It is because you can run a new malicious process via Task Manager using [image] in the top right corner with admin privileges, as below. To avoid it, it asks for a prompt. You can say that we need to click the option below the text box. But a process can be opened in UAC as Task Manager is in admin mode, sort of without any authentication.

[image]

1 Like