Windows Guide

For some reason the backslash was automatically dropped by this forum. Seems like it doesn’t like the \ + % combo. Here’s the edit with a “dummy” space:
C:\Users\ %username%\AppData\Local

Edge’s hardware isolation requires using Application Guard, and using it is redundant and unnecessary for most users.
The only practical use-case for end-users is if they know in advance that the website is potentially malicious, and if they still really want to access the website despite being suspicious, then they can access it via MDAG in just two clicks. Another option would be to just check a website’s safety online, via services like Quad9, URLVoid for links, and VirusTotal (works for links too) and Hybrid Analysis for files, to test whether the file you want to download is malicious. Additionally, using Safe Browsing + a security-focused DNS would prevent them from accessing the website in the first place.

Microsoft Defender Application Guard creates a virtualized environment: a Hyper-V Krypton container, which runs outside of Windows. This creates overhead and takes resources, degrading the user experience. It’s a classic “security vs convenience” dilemma. Furthermore, besides allocating hardware resources for isolation/virtualization, Edge’s MDAG must create a new (isolated) Edge window for an untrusted website, which is inconvenient for most users.

Now, the documentation says that Edge runs only untrusted websites in MDAG.
But what are untrusted websites? From the documentation:

The enterprise administrator defines what are trusted sites, cloud resources, and internal networks. Everything that’s not in the trusted sites list is considered untrusted.

Emphasis mine.
So, to conclude: Edge doesn’t have any “untrusted websites list”, which could be preinstalled or fetched from the cloud. SmartScreen is responsible for that. Very obviously, MDAG for Edge is an enterprise-oriented feature, and Microsoft makes it very clear in their documentation. An administrator creates a list of trusted websites for an organization — a whitelist. All other websites run in an untrusted mode, which is hardware isolation. This feature is really useful (even mandatory) in an enterprise environment, but not at all for end-users. Theoretically, an end-user could create a list of trusted websites for themselves, that they visit often (for example Twitter, YouTube, etc.), and then all other websites would be automatically run in an isolated environment. However, as I said — this is really unnecessary.

For maximum protection (i.e. a paranoid mode) one could just force MDAG to treat all websites as untrusted and therefore run all websites in an isolated environment, but this is not an appropriate solution for end-users at all and is even more unnecessary, for the reasons mentioned in my first paragraph.

As for browsing protection for end-users:

For those who use Edge: it has SmartScreen, and SmartScreen is a very good protection for users. It was benchmarked against a list of dangerous websites and gave very good results, better than Google Safe Browsing.
Also, Edge runs in an AppContainer, unlike other browsers. So Edge really is secure enough for most users.

For those who use other browsers (both Chromium- and Gecko-based): most of the browsers fetch a list of dangerous websites from Google Safe Browsing. Even Gecko-based browsers use it: Firefox uses it, LibreWolf uses it (but disables it by default). Gecko-based browsers are less secure in regards to their technology, however they are fine for users who are educated regarding internet safety, have good security hygiene and are able to recognize a threat (simple rules, like “don’t click suspicious links”, and so on). For the general majority it’s best to use up-to-date Chromium-based browsers, preferably installed from the Microsoft Store, due to MSIX. In the Microsoft Store there are: Edge, Brave, Vivaldi, Opera. I would recommend only Brave, despite all the controversies and the fact that it isn’t recommended by Daniel Micay. I also fully understand the frustrations and annoyances of other people regarding all that integrated crypto-stuff and other unneeded/unwanted features, which I dislike too. (I only like its WebTorrent extension, which allows downloading torrents without having a desktop client, and its ability to set custom keyboard shortcuts for any action in the browser — it’s a killer feature for keyboard power-users, and for productivity in general. Really speeds up my workflow.) Nonetheless, we have to choose from what we have and I think Brave is the only decent option we have among Chromium-based browsers, despite the controversies and the CEO. There’s also an option to download Chromium directly from the Chromium developers and auto-update it (and it’s very simple), however Chromium isn’t appropriate for general usage at all for many reasons.

Security-paranoia related to Edge’s MDAG is highly unnecessary and using MDAG for Edge is overkill for most users. We shouldn’t be trading all the bits of our privacy and shouldn’t expose ourselves to the intrusiveness and nagging that Edge has, in exchange for just getting Edge’s native isolation feature, which is redundant for most users. It is the pursuit of imaginary protection, disregarding the means by which this protection is achieved (using Edge). For most people, there is no security benefit in using MDAG in Edge. The benefit for privacy from not using Edge, however, is big, as Edge has lots of privacy concerns. It records your PC’s hardware UUID¹ and sends it to Microsoft’s servers, thus creating a completely unique identifier which cannot be deleted, and which can track you not only in Edge itself, but across all apps from Microsoft. There are lots of other concerns. A browser is a very intimate thing which we need to be mindful of, and we shouldn’t disregard the privacy aspect of a browser. People do lots of personal stuff there and store private, personal data: browsing history, bookmarks, and some people store passwords in their browser, which they shouldn’t do.
The Safe Browsing feature, in combination with a security-focused DNS (such as Quad9 or NextDNS) acting as a fallback, protects most users from accessing harmful websites in the first place, and it is extremely easy to set up and configure. The fact that Edge has only one specific feature, which is native hardware isolation, really cannot act as an excuse and justification for all the invasiveness, nagware, and privacy concerns that Edge has. This is an enterprise-oriented feature and it provides little value for most users/for casual browsing.

Besides MDAG for Edge, advanced security-paranoid users can also configure an additional sandboxing option in Edge and other Chromium-based browsers via Group Policy Editor or Registry Editor: they can turn on Network isolation, which is disabled by default in all Chromium-based browsers. Currently this feature is being tested and is not enabled by default in ‘edge://sandbox’.

¹ However, Microsoft has been storing hardware UUIDs on their servers for a long time already, but for legit purposes, for example to activate your Windows automatically when you re-install it. Even if you completely wipe your hard drive, install Linux, uninstall Linux, and install Windows — Windows will activate itself automatically (if you were using it before), as your hardware UUID is already stored on their servers. They match your hardware UUID with your activation key, and activate Windows for you.


Wow, crazy how your view is so different.

How can you say any proprietary Software is secure if no neutral entity looked at their code?

Prefer Edge over Firefox “because isolation”?? It’s a privacy nightmare.

You have to admit THIS view is security only, and not even really provable in some cases. When were you hacked through a non-isolated browser? When has your browser spied on you?


Why not just use uBlock and NoScript? No website will hack you if it’s blocked (in a privacy respecting way) or malicious JavaScript is opt-in?

Don’t most malware vectors come from clicked links in browsers?

NoScript is unnecessary because browsers can block/allow JavaScript natively (without any extension) per-site. Using similar “privacy/security-enhancing extensions” is a wrong approach and is so-called badness enumeration.

Yeah, that person is clearly oversaturated on security and their priorities are shifted towards security exclusively. They also mentioned disabling JIT. Like, tell me: among the general population, who the f*** would deliberately degrade their browser UX by disabling JIT, which heavily slows down the browser’s performance (especially on Android, as per my tests)? The most annoying aspect of disabling JIT for most people would be the page loading delay. Or, simply put: with JIT disabled, users will have to wait much longer until their page gets rendered.
Disabling JIT for most users = a giant degradation of browser experience, and a very tiny, maybe even impalpable security benefit, because the chance of an average user getting exploited via a JIT compiler vulnerability is very low. We shouldn’t say “I only recommend Edge due to MDAG, also disable JIT cuz sekuritee! :shield:”, but we should take into consideration in what environments/under what circumstances we should use MDAG and disable JIT. Both MDAG for Edge and disabling JIT are not applicable for casual/general web-browsing.

We shouldn’t get too security-frenzied here and just ignore all the privacy- and telemetry-related concerns (by ‘telemetry’ I mean the bad kind of telemetry, that which is not used for the benefit of the user). We should instead find ‘the golden mean’ between privacy and security. MDAG does nothing for most users’ security. For it to be doing something, one should configure a whitelist of trusted websites for themselves, which will run without MDAG, and all other websites, in turn, will run in an untrusted mode — in MDAG, and this all is extremely bothersome and ridiculously unnecessary. Otherwise there’s no use for it for the overwhelming majority, except for an enterprise environment, where it can really be necessary.


That’s right: phishing is the most common/one of the most common attack vectors. But as I said, MDAG and disabling JIT are not an appropriate approach to deal with it for regular people and for general web-browsing. If we are talking about Edge, SmartScreen already prevents you from accessing dangerous links in the first place. MDAG is of no use here. Except theoretically, we could set up MDAG so that it would open dangerous links based on the list of dangerous websites fetched from SmartScreen, and so a curious user would be able to observe with awe how their isolated-virtualized environment gets infected. Then the user closes that tab which runs isolated, all the malware gets dropped, and the user goes on about their business, as if nothing happened. Or, we could just rely on using SmartScreen/Google Safe Browsing + some secure DNS, and they would prevent opening harmful links in the first place. In an enterprise environment, however, such measures wouldn’t be very efficient, because this is a different threat model, and risks of compromise are much higher. Enterprises are very often under attack. I think it’s quite necessary for an enterprise to set up Edge in MDAG mode. An admin makes a whitelist of trusted websites for their organization, and all other websites automatically run in an isolated environment, in a small sandbox — very neat. There were millions of cases when security-uneducated employees clicked phishing links in their emails. Then the whole company gets compromised very badly. MDAG could be really useful here. The difference, however, between phishing links for regular users and for an enterprise, is that attackers make a specifically crafted, very “personalized” phishing scheme for an employee or several employees of a company. And these have a much higher success rate of compromise than the usual, “all-inclusive” type of phishing.

I forgot to mention that Safari also uses the Google Safe Browsing list. For those who set their region to China, it also uses a Chinese-specific counterpart of Google Safe Browsing — Tencent Safe Browsing. So basically all the browsers use Google Safe Browsing.

I think this thread is derailing. Arguments like “how likely to be hacked vs privacy concerns” are meaningless because it depends on the threat model, which varies greatly from person to person.
It’s the Windows thread; if someone is all in for privacy concerns or attack surface, maybe they are using the wrong operating system.

There are good points on both sides, let’s try not to see everything in black or white.
I hope the PG team will be able to finalize the Windows guide section soon to sum up and address all these concerns.

I thought it was always downloading software or any executable file locally?

Again the same thing lots of people think. NoScript has features NO BROWSER has. You can disable and enable different JavaScript types, and most importantly handle each origin differently.

Only problem is, there is no “safe browsing JS list” I would use. May be worth maintaining one for NoScript?

Using NoScript you can have actually working websites, but block every unnecessary JS that’s simply useless and just tracking.

Disabling JavaScript breaks nearly all sites; it’s a useless feature nowadays. It’s why Vanadium and other mobile browsers suck.

Also it sometimes gives me XSS warnings, mostly when Microsoft tries to access other domains’ data, I think.

Everyone should use NoScript.

I mean the best way is probably by group policies and UAC. I remember an old-looking GUI that configures group policies for Windows 10, but I can’t seem to remember its name.

And I don’t see any mentions of these so here it goes:


You don’t need source code to evaluate security, although it can be helpful.

What do you do if a website breaks without JS from some origin? Are you consistent enough to not just simply allow it to get it to work? Most people aren’t, and even usually good origins can suddenly serve malicious content (e.g. CDNs). In my opinion that’s just cumbersome. Disabling JIT and using a browser with a good security architecture is way more suitable for everyday use. If you want to go a step further, either confine with MAC (on Linux) or use a lightweight VM.

Yes, having the browser run in a virtualized environment or simply a container may be helpful. But NoScript not only improves security (I was never hacked since ditching Windows and shady executables) but also prevents daily privacy breaches.

You can’t significantly improve the security of a browser with a typical Linux container, because the browser’s own sandboxing already extensively uses this, better than you could by running it inside a container.

Sandbox escape mechanisms are starting to be part of exploits. In general, adding defensive layers that do not significantly impact performance is desirable these days.

But not with a container. Use MAC or a VM.

All this focus on sandboxing browsers - I thought modern browsers were pretty good at limiting malicious code? Even if you open a “dangerous link,” what’s the worst that an unsafe website could do? Start a file downloading? (Which, if you have your browser set to always ask, is already mitigated.) I didn’t think browsers allow malicious websites to execute any code outside of the website’s own context, and certainly not to escape the browser and cause problems on the system.

Or am I mistaken, and viruses can actually tunnel straight from the DOM into my operating system, without even needing me to download and run a file first?

I basically suggested it because I used my Fingerprint reader to allow the UAC prompt instead of entering password manually.