If you block Outgoing connections you won’t be able to use the Internet at all and will need to approve connections on a per-domain or per-app basis, which might be frustrating for the user.
If you want to use multiple Apps in Windows Sandbox, creating a Configuration or using the Run in Sandbox tool would be better for you - Run in Sandbox: a quick way to run/extract files in Windows Sandbox from a right-click on a file | Syst & Deploy
The thing with Sandboxie is that it ain’t an actual sandbox; technically, it’s just another user session inside it rather than actual containment.
The file system and registry virtualization is implemented on the user level in SbieDll, which is responsible for combining the data from the real system with the ones from the sandbox and for properly redirecting all access attempts. If that mechanism is improperly bypassed, it results in an access denied error.
We can’t say it’s more useful than full virtualization in a VM but it’s still not “just a user-level runbox” or whatever it is you’re implying. At least use documentation to back your claims.
I would just like to comment, since this portion will be read and prescribed to normies in the future:
- Ease of use should be considered a top priority because if a process gets really complex or takes a lot of steps, you will lose your Win10 user to the guide.
- If your privacy/security measure significantly alters or slows down the user’s workflow, they will revert back out of sheer laziness.
- In line with this, something with a 1-click install is always desirable, and should cover common use cases. This is inherently difficult to do due to the variety of workflow.
- The 1-click install should offer 3 choices:
  - Easy - with mild changes to their workflow and whatever else maximum benefit we can provide to them
  - Intermediate - for those that are familiar enough with computers, mainly give the option to revert some changes so things stop breaking
  - Advanced - for people with deep enough knowledge that they should be using Linux but are too lazy. The idea is maximum protection, and let them fend for themselves, whatever breakage they encounter.
- Now what Easy, Intermediate and Advanced do could be up for discussion here.
https://deploy-preview-1659--privacyguides.netlify.app/windows/overview/
https://deploy-preview-1659--privacyguides.netlify.app/windows/hardening/
https://deploy-preview-1659--privacyguides.netlify.app/windows/privacy/
https://deploy-preview-1659--privacyguides.netlify.app/windows/sandboxing/
I have finished the Windows guide in my own way and did my best with it. These are the previews generated.
Comment your opinions and tell me what else you would like to be added.
I ain’t a native English speaker. So, pointing out grammar errors is also welcome.
Didn’t have time to read it, but here are my suggestions (OS is used for productivity & gaming) with focus on privacy.
The guide could include
How you could turn off some of the telemetry in the registry or GPO.
How to create an Installation USB Stick with Rufus, which can remove some telemetry stuff beforehand and also remove the requirement of the otherwise mandatory Microsoft Account login during the installation process.
Installation of something like Portmaster, Simplewall or Adguard (paid) to block remaining telemetry.
Using a piHole or Adguard Home with OS and application related blocklists, like Windows Spy Blocker (basic) and/or Kodo Pengins Mainlist (advanced).
An important note to only use a local account.
Imo Privacy and performance & compatibility should be valued over further security hardening since performance and compatibility of applications and games are the usual reasons why people use Windows instead of Linux.
I’ve read through the guide and it’s a thorough piece of work with a lot of essential information, much appreciated!
I’d be happy to contribute by correcting grammar and making the text a bit more fluid. I basically work with writing all day at a job where being academically and grammatically correct is essential, so even if English isn’t my native language I’m fairly confident in text.
I had a lot of spare time today so here comes a deep dive in some thoughts I had while reading through. I’ll go through them in the same order as the guide.
Under Choosing your Windows edition in the second paragraph it says
If you cannot get the above editions, you must opt for Professional Edition.
I would suggest using the word should instead of must. This since the word must is quite definite, making it seem like you have no other option. Even if Windows Home is severely limited we always have an option. People are usually more susceptible to suggestions rather than demands, and it makes for a more pleasant reading.
Further down under Editions to avoid, in the second paragraph concerning the Windows Home edition, it says
It also uploads Bitlocker Encryption keys to Microsoft servers which actually defies the aspect of encryption implemented in a different way.
I think this needs some more clarification. In what way does it defy the aspect of encryption?
Furthermore, in the overview under Installing Windows I don’t really understand why you suggest using the command prompt to flash the ISO. Why not just use the media creation tool to easily format a USB in a user-friendly UI? I see it mentioned in a note further down that you just get the desired version that way and therefore save space, but 1 GB more or less shouldn’t be a problem nowadays? Maybe instead suggest the command prompt way as a second solution or tip?
Also, it might be a good idea to point out NOT to download pirated versions since the risk of them containing malware is very high (yes, people actually do this since it’s free; I never paid for Windows until finding the privacy community and started reading up on it).
Moving on to the hardening section
First sentence
If on Win11 be sure that you use it on supported hardware on
I understand this is incomplete. But wanted to suggest elaborating on this a bit more, as in why it’s important to be on supported hardware.
Under Security it says
UAC with password
Not sure if this is incomplete, but also here I think it could be good to have a short explanation on why it’s important.
Furthermore, under Encrypting the drive in the info box about Choosing the Way to Encrypt, when talking about storing encryption keys on Microsoft account it says
This can be dangerous to your privacy and security as Microsoft could easily view your encrypted files, as could an attacker if they were able to gain access to Microsoft’s servers or any Law Enforcement could by a Gag order.
I would suggest changing Microsoft could easily view your files to “anyone who gains access to your account”. Not sure if we should imply that Microsoft views our encrypted files without proof that they actually do so, also it seems highly unlikely since it would gravely jeopardize their trust. With that said, a hacker or government gaining access is absolutely a real concern.
Might also be good to inform here on why Bitlocker is preferred above other encryption software like Veracrypt.
Next, under Security policies for Bitlocker I think it could be good to add some more insight as to why we change this. Personally I want to know what I’m tampering with to feel comfortable doing it.
Setting up pre-boot authentication should probably come before Bitlocker setup since it’s clearly advised to configure pre-boot authentication first. Else people might do it in the wrong order if not reading through the whole guide first.
In Apps first section says
Avoid any types of Cleaning software at all cost.
I think this needs some more explanation. Why should we avoid it?
The same applies under Security improvements where it suggests using the Winget tool to remove Bloatware instead of third party apps. Why not third party? I think it would help to be clearer about how it increases attack surface by adding a third party to trust, and that there are Windows tools, a lot of them built in, that do the same thing.
Lastly in the privacy section
The first section, Using Microsoft account states that
You should never sign-in to Windows with a Microsoft account. Signing-in to applications like Microsoft Office (which some users are required to do for their school or company) will trigger a dark pattern offering you to sign in to Windows, which will connect your device to your Microsoft account, and make it easier to send data to Microsoft servers and it is critical to reject this offer.
Why should we never do this? Why is it critical to reject the offer? These statements make it sound dangerous, and when something is dangerous we need to back it up with facts for it to be legitimate.
Signing in to Microsoft isn’t dangerous to the average user. I think that instead of demonizing it the guide should suggest not doing it if the user strives for more privacy. But I also think there should be a section on how to adjust account settings for more privacy and recommendations on using a disposable mail, phone number, etc.
Also, not all telemetry is bad, even if it might not be appreciated. Of course there’s the question about trust, but I’d be more than surprised if it turned out Windows privacy switches were just “dummies”. After configuring privacy settings to minimum telemetry the information sent is mainly diagnostic data and not very usable for tracking compared to full telemetry that tracks app usage, browser history and specifically aims to provide the user with a personalized “experience”. If you already trust Microsoft enough to use it, you might as well trust their privacy policy. Else you’re going to have to run it without plugging it into the internet at all.
So that’s all. It’s a long awaited guide and with some tweaking I truly think it can help a lot of people. As you can see I’m a lot for educating the reader. I believe that it’s important to know why you do something, else you won’t learn anything and it’s hard to understand the point of it. There doesn’t need to be thorough explanations, but rather one or two sentences with a link to further reading. This is already done in the guide, it just needs to be applied a bit more.
Signing in to Microsoft isn’t dangerous to the average user. I think that instead of demonizing it the guide should suggest not doing it if the user strives for more privacy. But I also think there should be a section on how to adjust account settings for more privacy and recommendations on using a disposable mail, phone number, etc.
It’s worth noting that according to this study it seems that Windows collects more telemetry when signed into a Microsoft Account. (Look at the list of identifiers sent on page 5-6.)
That’s indeed some good information that needs to be weighed against a person’s threat model when considering signing up for an account.
Done.
Please check the new preview
Because doing so will only leave Enterprise, Education and Professional and removes the Home edition from the ISO totally
Done
I think while doing some copy-paste work it made it up to the Top. Removing now.
Redundant, because of the last point under Creation of User Account and usage. There have been some conflicts while I am merging stuff, etc. Probably. I don’t know how.
Done.
I stated a stuff. Check it for yourself.
Without enabling the policies you can’t set up pre-boot authentication, and the images are self-explanatory.
Because using Winget (the official package manager) is better than breaking stuff with 3rd party tools.
That’s why I suggested signing into that app alone.
They aren’t. Group policies are there to do things strictly as follows.
Hi, I checked the Edge privacy settings, and if you turn off remote sensing in Group Policy, it seems to turn off Edge remote sensing as well.
From: Microsoft Edge enterprise privacy settings | Microsoft Learn
May be useful.
Disable Windows Spotlight by navigating to User Configuration > Administrative Templates > Windows Components > Cloud Content and setting the Turn off all Windows Spotlight features policy to disabled.
!!! note This explicitly disables Windows Spotlight features on the Lockscreen and Desktop to sever unnecessary connections between Microsoft servers and the device.
I could not find this particular Spotlight entry. There were 4 entries in the Cloud Content policy folder and on a cursory glance, none of them seem to have the word Spotlight in them.
Is this how I’m supposed to avoid seeing Candy Crush and the like in the start menu?
Since we are here in Windows land anyway, can we now discuss responsible computer gaming like adults? What should a dedicated Windows-only device strictly for gaming look like? I think I should open a different thread…
This script here might be worth a look: GitHub - troennes/private-secure-windows: Privacy and security baseline for personal Windows 10 and Windows 11
It basically applies a bunch of group policies from Microsoft’s restricted traffic baseline + Windows security baseline/security compliance toolkit, and is compatible with Pro/Enterprise/Education. From what I can tell, it uses Microsoft’s own official tools to do so, so it might not need placing full trust in the author (as opposed to something like shutup10 which is not as easy to verify due to being closed source).
Hello everyone following here. Quick and Straight to the point.
I loved doing and working on this PR and did a lot of research and wrote everything from my own personal experience. But the approval and the help I expected were a disappointment.
I have been a Windows user. I still am. But I am unsure about my guide.
So, that is to say that I am no longer working on this PR. This discussion and PR will stay open though. I would work on it further if there is attention and discussion with people and from the PG team.
If anybody wants, they could help me with my PR by forking it, or if the team wishes, they could close mine and create a new one. Even then, old data could be used from mine.
Windows by far has the most users, a lot more than macOS or Linux, so it would make sense to prioritize it because it will be useful to a lot more people. But the Windows guide isn’t made yet, meanwhile the macOS guide is already done (and I think we all know why).
Anyway, is there any Windows guide that I could use right now to configure my Windows install?
there’s a macOS guide? link pls?
Thanks for creating a Windows guide and recognizing that many users are “stuck” with using Windows, even though they would prefer to run an OS that fundamentally respects privacy.
However, I would like to contest the point that argues for the necessity of running Windows under a standard user account. I would like to clear up that the default user account that Windows setup creates, and which it gives the user access to, is not the actual Administrator account. To quote Microsoft:
Windows setup disables the built-in Administrator account and creates another local account that is a member of the Administrators group.
(Source: Local Accounts - Windows Security | Microsoft Learn)
That might seem like a nitpick, but note that user accounts with administrator access (members of the Administrator group) do not run the entire user session with administrator access. To quote Microsoft again (and I recommend reading this resource for more context):
By default, both standard and administrator users access resources and execute apps in the security context of a standard user.
(Source: How User Account Control works - Windows Security | Microsoft Learn)
To execute apps in the context of an administrator user, the explicit approval of the UAC prompt is needed in all cases (always assuming that UAC notifications are set to a high level).
As such, for home users on non-managed systems* it doesn’t seem to add any security benefit, as far as I can see, to run a local account as a standard user.
Furthermore, it adds the inconvenience of having to enter a password for each and every UAC prompt; which I think only the most patient users are actually willing to do (I personally don’t expect most people to be willing to enter a long and complex passphrase simply for opening Task Manager).
*For managed systems, such as enterprises, it of course makes sense to limit administrator privileges to only a select group of people, and Microsoft naturally notes this in the second source I provided.
Worth elaborating this in the Windows kb.
Local accounts don’t need to enter any passwords to access Task Manager. That is: Local accounts don’t have to have Administrator privileges to access Task Manager. I’ve been using a Local account for a very long time, and I had the need to run ‘taskmgr.exe’ as an Admin only like 3-4 times during all the years that I’ve used a local account. Accessing Task Manager as an Admin is needed if a user wants to manage a process that runs with Admin privileges. For example: if you open Task Manager as a Local account and try to close a process which runs as an Admin — it will prohibit you from doing so. A better and more relevant example would be that Local accounts can’t access Group Policy Editor (gpedit.msc) with Local user rights. They have to run it as an Admin. Anyway, during all the time I’ve been using a Local account, I’ve never been bothered by the need to enter a password to access/manage tasks which require Admin privileges exclusively. I’m fully okay with it and feel safer knowing that every process which wants to access Admin rights — will explicitly give me a UAC prompt.
Furthermore, your first link says:
As a security best practice, use your local (non-Administrator) account to sign in and then use Run as administrator to accomplish tasks that require a higher level of rights than a standard user account. Don’t use the Administrator account to sign in to your computer unless it’s entirely necessary.
Besides that, I still think that it’s the best practice to isolate as much as possible, and create a dedicated, explicit Local account when installing and setting up Windows for the first time.
You said:
but note that user accounts with administrator access (members of the Administrator group) do not run the entire user session with administrator access.
The keyword is “entire”. They may not run an entire session as an Admin, but some other parts of the profile can run as an Admin. So, when a user uses an Admin account, can they be aware of all the stuff that runs as an Admin? Can we precisely know what runs as an Admin, and what doesn’t? There are no simple ways, but there are of course tools to know what process runs with what privileges (like Sysinternals Suite), but we won’t and don’t want to be opening it every time just to see under what privileges the app runs.
Try installing any Gecko/Chromium-based browser on an Admin account. It won’t give you a UAC prompt. Try installing it in a Local account — it will give a UAC prompt for an Admin password. If you refuse to enter the password, it then shows a pop-up (suppose we are installing Chrome):
Google Chrome can be installed without administrator privileges. Continue?
You click “Yes”, and Chrome proceeds to install itself entirely in the Local account (%localappdata% or C:\Users\%username%\AppData\Local). It sets registry keys only for the Local account (an Admin-installed app can set system-wide registry keys in HKEY_LOCAL_MACHINE, for example), and so on.
Last time I checked (and that was long ago), this won’t happen when you are using a default, Admin account. There’ll be no UAC prompt. Chrome will be installed as an Admin.
My opinion is that using an explicit Local account is safer, and you don’t have to bother thinking which stuff runs as Admin, and which is not. When using a Local account, you will be notified every time when something needs Admin privileges. It’s just more clean, really. I agree however that for most users entering passwords in UAC prompts for installing, for example, games (or doing some other similar casual tasks), can be bothersome.
An interesting fact is that (though that was in 2012) a Chrome developer said that they allowed installing Chrome without Admin rights not for security reasons:
Installing in AppData was never a security measure
They only did so out of usability/UX concern:
Our data shows that preferring a system level (Program Files) install with a fallback to user level improves the install success rate.
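As an added example (not from the thread, the guide, or Microsoft), the following Windows PowerShell 5.1 script audits the points argued in the two posts above: the UAC prompt policy for admin and standard users, whether the current user is a member of the local Administrators group and whether this session's token is actually elevated, and which installed applications were registered per-user (HKCU, as in the Chrome case) versus machine-wide (HKLM). The function names are mine; the registry locations are the standard UAC policy key and Uninstall keys, and `Get-LocalGroupMember` is assumed to be available (Microsoft.PowerShell.LocalAccounts module).

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 5.1 on Windows 10/11.

# Meaning of ConsentPromptBehaviorAdmin, the value behind the UAC slider for admin users.
$AdminPromptBehavior = @{
    0 = 'Elevate without prompting (UAC effectively off for admins)'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop ("Always notify")'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries (Windows default)'
}
# Meaning of ConsentPromptBehaviorUser, what a standard user sees on elevation.
$UserPromptBehavior = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials (Windows default)'
}

function Get-UacConfiguration {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p   = Get-ItemProperty -Path $key
    $id  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $administratorsSid = 'S-1-5-32-544'
    # Membership is read from the local group, not the token: a UAC-filtered token carries
    # the Administrators SID as deny-only, and .NET's Groups property omits such entries.
    $member = @(Get-LocalGroupMember -SID $administratorsSid -ErrorAction SilentlyContinue |
        Where-Object { $_.SID.Value -eq $id.User.Value }).Count -gt 0
    [pscustomobject]@{
        UacEnabled            = ($p.EnableLUA -eq 1)
        AdminPromptBehavior   = $AdminPromptBehavior[[int]$p.ConsentPromptBehaviorAdmin]
        StandardUserBehavior  = $UserPromptBehavior[[int]$p.ConsentPromptBehaviorUser]
        SecureDesktopPrompt   = ($p.PromptOnSecureDesktop -eq 1)
        CurrentUser           = $id.Name
        InAdministratorsGroup = $member
        # An elevated token is owned by the Administrators group; a filtered one by the user.
        ThisSessionElevated   = ($id.Owner.Value -eq $administratorsSid)
    }
}

function Get-InstalledAppScope {
    # Uninstall entries under HKCU were written by per-user installs (the Chrome case above);
    # entries under HKLM are machine-wide and needed an elevated installer to be created.
    $scopes = @{
        'Per-user'     = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*')
        'Machine-wide' = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*')
    }
    foreach ($scope in $scopes.Keys) {
        Get-ItemProperty -Path $scopes[$scope] -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName } |
            ForEach-Object {
                [pscustomobject]@{ Scope = $scope; Name = $_.DisplayName; Location = $_.InstallLocation }
            }
    }
}

Get-UacConfiguration | Format-List
Get-InstalledAppScope | Sort-Object Scope, Name | Format-Table -AutoSize
```

Run it once from a normal (non-elevated) window and once via "Run as administrator": InAdministratorsGroup stays the same while ThisSessionElevated flips, which is exactly the distinction between group membership and the security context the post quotes from Microsoft.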