As a Windows user I totally agree that it takes a lot of time and effort to harden Windows and make it more private. If you take a look at the Microsoft Security Baseline, there are hundreds of recommended policies. Also, different people have different threat models and choices, especially regarding Windows Defender. But I also hope that this Windows Guide can be finished ASAP.
In general I would recommend splitting the security and privacy recommendations for Windows into different parts, also for important software like MS Office, otherwise it will just get overwhelming. Only recommend security measures which don't compromise too much on privacy, because Microsoft has a tendency to implement (security and other) features in the most privacy-invasive ways.
Doesn't SAC require optional diagnostic data to be turned on in Windows?
While these are good recommendations for someone who wants to buy a new device and has the money to get these expensive devices, I think it is important for the reader to get a feeling for which recommendations are important and which are not as much. For example, I would consider using WDAC on Windows, activating all VBS features and attack surface reduction rules for often-exploited applications like MS Office as much more important for most users than getting a business Surface, and a lot more cost-effective.
After manually turning SAC on, you can turn telemetry off.
I read that SAC will still send information to MS even with diagnostic data set to the lowest level, so the question is whether the privacy implications are worth the additional protections for people who can't deal with WDAC?
Btw, you need to download the Edge policy and Office policy first, before applying the security baseline. Also remember to update them often. You can follow this RSS feed.
You are talking about This. I'm on my phone rn, maybe we can discuss that later.
In short I think it's worth it, because the alt to this is using WDAC to whitelist every executable that is 100% secure. Too complicated.
You can also choose to not use SAC and Windows Defender at all. You just deny all executables from running on your host machine (using WDAC) and run every executable in a sandbox, which is also inconvenient.
The less secure alt is to use VirusTotal to scan every executable before running it, or to use Windows Defender. Lame choice for me.
DO NOT count on yourself to determine what can be executed on your host Windows machine.
Is there any way to turn on Smart App Control without reinstalling Windows?
Are these settings covered in the Windows Security Baseline? Also, how on Earth do you set environmental variables?
No, there's no way of doing that. Microsoft actually explains why:
In order to ensure a more secure experience, we only enable Smart App Control on clean installs of Microsoft Windows 11. We want to be sure that there aren't already untrusted apps running on the device when we turn Smart App Control on.
No. But you can create a WDAC policy with ISG turned on, which activates the main feature of SAC. That's also helpful if you need to make something run which doesn't work with ISG and you need an exception.
Signed and Reputable Mode in the WDAC Wizard is basically SAC. This does not require a clean install. If you decide to do a clean install, remember to set your region to EU (to uninstall Edge and Bing) and accept optional diagnostic data (to turn on SAC) during the out-of-box experience. I also recommend using an Enterprise edition so there is a UI option in OOBE to skip the Microsoft account.
After creating WDAC files using the wizard, you can apply them to your PC using scripts. If you are not sure if it's suitable for you, use audit mode. SAC and the default Signed and Reputable Mode are suitable for normal users imo.
If you are a developer, or if you wanna use WSL or WMIC, do not use SAC.
The main problem with using SAC is that you can't add exceptions. If you use it for a few years, the probability that something you really need is not allowed to run will be quite high.
If you use WDAC with ISG instead, here is how it works and which data is sent to Microsoft:
WDAC only checks the ISG for binaries that aren't explicitly allowed or denied by your policy, and that weren't installed by a managed installer. When such a binary runs on a system with WDAC enabled with the ISG option, WDAC will check the file's reputation by sending its hash and signing information to the cloud. If the ISG reports that the file has a "known good" reputation, then the file will be allowed to run. Otherwise, it will be blocked by WDAC.
By explicitly allowing your most-used applications in your WDAC policy you can also reduce the amount of data sent to Microsoft, because the ISG is not consulted for these.
Getting started with WDAC is not that difficult, but it takes some time to get into. It can considerably boost security. The problem is the lack of good, concise docs and tooling. With good tooling it could be quite easy.
might help
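Here is what "apply it using scripts" and "explicitly allow your most used applications" look like in practice. This is an added example, not a script from the thread or from Microsoft: it builds a WDAC policy that behaves like SAC's Signed and Reputable Mode (Windows and Microsoft-signed code allowed by rule, everything else decided by the ISG), adds a publisher rule for one everyday application so that app never triggers a reputation lookup, and deploys the policy in audit mode. The folder, the policy name and the `ExampleVendor` path are assumptions; the cmdlets, rule-option numbers, template path and `CiTool`/`appidtel` calls are the documented ones. Run it from an elevated PowerShell on Windows 11 22H2 or later.

```powershell
# Added example (not from the thread). Build a WDAC "ISG + audit" policy and
# deploy it. Assumed values: the working folder, the policy name and $AppExe.

$PolicyXml = "$env:USERPROFILE\WDAC\ISG-Audit.xml"        # assumption
New-Item -ItemType Directory -Force -Path (Split-Path $PolicyXml) | Out-Null

# Start from the in-box "Allow Microsoft" template. Windows components and
# Microsoft-signed binaries are allowed by rule, so they are never sent to the ISG.
Copy-Item "$env:windir\schemas\CodeIntegrity\ExamplePolicies\AllowMicrosoft.xml" $PolicyXml -Force

# Give the copy its own policy ID/name so it does not collide with the template
# (this also converts it to the multiple-policy format CiTool expects).
Set-CIPolicyIdInfo -FilePath $PolicyXml -PolicyName "ISG Audit" -ResetPolicyID

# Explicitly allow the publisher of an app you use every day. Binaries matching
# this rule are decided locally, so no hash/signature leaves the machine for them.
$AppExe = "C:\Program Files\ExampleVendor\ExampleApp\ExampleApp.exe"   # assumption
if (Test-Path $AppExe) {
    $Rules  = New-CIPolicyRule -Level Publisher -DriverFilePath $AppExe
    $Merged = "$PolicyXml.merged"
    Merge-CIPolicy -OutputFilePath $Merged -PolicyPaths $PolicyXml -Rules $Rules | Out-Null
    Move-Item -Force $Merged $PolicyXml
}

# Rule options (the numbers are Set-RuleOption's documented indexes):
#  0  Enabled:UMCI                                   : also govern user-mode code
#  3  Enabled:Audit Mode                             : log would-be blocks, don't block
#  6  Enabled:Unsigned System Integrity Policy       : the policy itself need not be signed
# 14  Enabled:Intelligent Security Graph Authorization : ask the ISG for anything
#                                                     not covered by an explicit rule
# 16  Enabled:Update Policy No Reboot
foreach ($opt in 0, 3, 6, 14, 16) {
    Set-RuleOption -FilePath $PolicyXml -Option $opt
}

# Compile to binary. In multiple-policy format the file must be named {PolicyID}.cip.
$PolicyId  = ([xml](Get-Content $PolicyXml)).SiPolicy.PolicyID
$PolicyBin = Join-Path (Split-Path $PolicyXml) "$PolicyId.cip"
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin | Out-Null

# Deploy. CiTool applies it immediately because option 16 is set.
& "$env:windir\System32\CiTool.exe" --update-policy $PolicyBin -json

# ISG lookups are performed by the AppID service; this switches it on.
& "$env:windir\System32\appidtel.exe" start
```

Leave option 3 in place until you have reviewed the CodeIntegrity audit log for a week or two; removing it and re-running the compile/deploy steps turns the same policy into an enforced one. If the machine previously ran a WDAC policy without the ISG option, reboot once after the `appidtel start` so the service picks it up.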
Could you expand on what you mean by "if you are a developer"? Do you mean literally using IDEs like Visual Studio, or just any power user who installs less-common apps?
Also, what do you mean by "apply it using scripts"? I'm new to WDAC and not sure how to go about setting it up. I had enabled SAC audit mode when I first installed Windows, but it looks like it decided to disable itself.
I'm running Windows 11 Enterprise and now have all telemetry disabled, mostly via GPO. What's the bare minimum I would have to re-enable to make WDAC work?
Do you have any suggestions or guides for how to get started, particularly for an existing Windows installation (which still has a pretty high confidence for being malware-free)?
You can refer to section 5 in Instructions on Hardening Windows (What I Have Learnt So Far)
A developer would run unsigned scripts or apps on their host machine a lot.
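For an existing installation the safe path is exactly the audit mode mentioned above: deploy the policy with audit mode on, let it run, then look at what it would have blocked before enforcing it. This added example (not from the thread or the linked guide) reads those audit events and, once you are satisfied, flips the policy to enforcement. WDAC writes audit-mode decisions as event ID 3076 in the `Microsoft-Windows-CodeIntegrity/Operational` log (3077 is an enforced block). `$PolicyXml` is assumed to be the audit-mode policy you deployed; the event-data field names (`File Name`, `Process Name`, `PolicyGUID`) are the ones in the 3076 event's XML and are flagged as an assumption in the code.

```powershell
# Added example (not from the thread). Review WDAC audit-mode blocks on an
# existing install, then remove Audit Mode from the policy and redeploy it.

function Get-WdacAuditBlocks {
    # Returns one object per 3076 event from the last $Days days.
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3076                       # "would have been blocked" (audit mode)
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Field names are assumed from the 3076 event schema; paths come back in
        # NT device form (\Device\HarddiskVolumeN\...), not with a drive letter.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time     = $_.TimeCreated
            File     = $data['File Name']
            Process  = $data['Process Name']
            PolicyID = $data['PolicyGUID']
        }
    }
}

# Which binaries would be blocked, most frequent first. Anything on this list
# that you actually need gets an explicit allow rule before enforcement;
# anything you do not recognise is worth a look.
Get-WdacAuditBlocks -Days 14 |
    Group-Object File | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

function Set-WdacEnforced {
    # Removes "Enabled:Audit Mode" (option 3) and redeploys the same policy.
    param([string]$PolicyXml)
    Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete
    $id  = ([xml](Get-Content $PolicyXml)).SiPolicy.PolicyID
    $bin = Join-Path (Split-Path $PolicyXml) "$id.cip"
    ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $bin | Out-Null
    & "$env:windir\System32\CiTool.exe" --update-policy $bin -json
}

# Only after the audit list looks right:
# Set-WdacEnforced -PolicyXml "$env:USERPROFILE\WDAC\ISG-Audit.xml"   # assumed path
```

Run the review part several times over a couple of weeks of normal use, including any updaters and installers you rely on; a clean audit log is the signal that the policy is ready to enforce. After enforcement, the same function with `Id = 3077` shows what is actually being blocked.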
Hey guys, I created a new Windows Guide PR. Everyone is welcome to contribute!
I really appreciate the effort, but that looks more like a list (enable this, disable that, etc.) than a guide. There are almost no explanations of what you should change and why, and what exactly you are trying to achieve.
Also there's a LOT of setting changes; it looks more like a total hardening lockdown than a recommended general configuration. Maybe a more simplified approach would be better (or split recommended and advanced settings).
I suggest you take a look at the other OS overviews and model this on those.
Thanks for the so much needed work, I really hope a Windows guide will finally see the light.
I know there's a lot more work to do and I think it's a good starting point.