discuss.privacyguides.net
2a01:4ff:f0:e86a::1  Public Scan

URL: https://discuss.privacyguides.net/t/windows-guide/250/13
Submission Tags: falconsandbox
Submission: On June 27 via api from US — Scanned from DE

Form analysis 1 forms found in the DOM

POST /login

<form id="hidden-login-form" method="post" action="/login" style="display: none;">
  <input name="username" type="text" id="signin_username">
  <input name="password" type="password" id="signin_password">
  <input name="redirect" type="hidden">
  <input type="submit" id="signin-button" value="Log In">
</form>

Text Content

WINDOWS GUIDE

Site Development Guide Suggestions
jonah, 24 votes

anon34719932
anon82677111
Oct 2022


> open source software like […] LibreOffice […] should be avoided as it’s less
> secure than Microsoft software.

I wasn’t aware that LibreOffice is less secure than Microsoft software (I’m
assuming you mean the Office 365 suite). I’m interested to know more (I
currently use it): do you have any references I could read?


3



anon82677111
anon34719932
Oct 2022


Microsoft Office can utilize MDAG (Microsoft Defender Application Guard). The
free versions of Microsoft Office work inside web browsers and don’t allow
active content on desktops. LibreOffice has no sandboxing preventing untrusted
files from accessing trusted resources. If there was a vulnerability in
LibreOffice like there was a few years ago, attackers can create documents
that can execute malicious code on your computer.


3



anon34719932
anon82677111
Oct 2022


I didn’t know that the Application Guard supported Office: that’s great. And
I’ll keep an eye on The Document Foundation’s security advisories. Thanks!


2



ph00lt0 (Mare Polaris, Privacy Wizard)
Oct 2022


I really like privacy.sexy to create my Windows configurations. It also has
settings I really wouldn’t recommend like disabling Defender, but it’s very
transparent and easy to configure.

As Jonah pointed out the telemetry of Windows is something to worry about. It
really is super invasive (especially the non-EU version). We should advise users
to limit this as much as possible.

Microsoft accounts do not automatically enable device encryption actually, but
device encryption is enabled by default under Windows 11 (depending on hardware
available). In my opinion it isn’t much more secure. An attacker can still add
another administrator account and through this gain access to the user’s files
using the same attacks that are known against local accounts, so this
practically does not make any difference.

Some things I recommend using:

 * Bitlocker
 * Local Security Policy (application whitelisting)
 * Endpoint Device Control Device (external device whitelisting)
 * Microsoft Defender Application Guard
 * Turn on network protection
 * Enable virtualization-based protection of code integrity
 * Set up and use Microsoft Defender SmartScreen
 * Enable attack surface reduction rules
 * Enable firmware protection
 * Enable blocking of Potentially Unwanted Applications
 * Use Windows Sandbox for untrusted applications

Note that some policies are not available under Windows Home and Windows Home N.
You probably want to be using Windows Pro if any.

1 Reply

10



anon82677111
Oct 2022

xeex:

> Besides I do believe it’d be hypocritical for someone to use Steam/EGS/GOG and
> install screw all anyways, yet reject simplewall for the purpose of reducing
> the attack surface.

There is nothing hypocritical about this. Simplewall does not add anything new
that cannot be done with the standard Windows firewall. How else is someone
going to play Steam games? It may be better to just game on consoles instead of
the PC.

xeex:

> In the past privacyguides used to at least have an equal ground when it came
> to security vs privacy, if not leaning towards privacy. Now I see security
> prioritised and privacy as a bonus. What happened

PrivacyGuides became sane. One cannot have privacy without security and security
is more important than freedom. It makes much more sense to use a Google Pixel
than a Linux phone and a new Windows secured core PC or a Chromebook than a
Thinkpad older than a decade. Security researchers are more trustworthy and
reputable than free software activists.

3 Replies

5



deviancy
Oct 2022


I agree with most of your points from a very high level, but this:


anon82677111:

> security is more important than freedom

is honestly a dangerous thought process to me. Putting faith into huge
organizations with outsized power in the world is a recipe for disaster.

Sure, getting malware is terrible and could potentially materially impact your
real life if your bank account got drained as a result, for example. But by
prioritizing security this much, one loses balance and view of the bigger
picture, in my opinion.


9



ph00lt0 (Mare Polaris, Privacy Wizard)
Oct 2022


Since you replied to some of my recommendations. You cannot achieve privacy
without security and neither the other way around. There are definitely
differences but privacy and security more often overlap in their goals. The
balance is hard to define but a large part of privacy, in context of today, is
about data protection. Without good security you risk being infected or leaking
your data somewhere. You can really put a lot of effort in hiding with projects
giving you a lot of privacy but no security until one day you get pwned and
everything you worked for is gone. In the current day security risks are really
high, especially for individuals seeking privacy. We have got enough proof for
that seeing cases like Pegasus (the possibility of this I have warned people for
for years). And many have been shocked by the wide spread of these attacks, and
we yet have seen only one of them. May it serve as an example of what is
possible and how little we know what is out there. To put it simply, without
security your privacy protections are worthless. This sometimes means you need
to make compromises.

Also note we never recommended Windows in the first place. But given you already
trust Microsoft (by using it) you may as well use them to secure you instead of
being even more vulnerable. If you need a higher standard of privacy: DO NOT USE
WINDOWS.

1 Reply

3



anon82677111
Oct 2022

xeex:

> This website’s called privacyguides not securityguides, I believe we should at
> least have an equal ground when it comes to privacy vs security, if not lean
> towards privacy.

Yes but you can have privacy without freedom. You can’t have privacy without
security.


Mare Polaris:

> If you need a higher standard of privacy: DO NOT USE WINDOWS.

If you need a higher standard of privacy, you should use GrapheneOS on the
newest Google Pixel and nothing else. Linux and OpenBSD are a security
nightmare.


1



anon82677111
Oct 2022

xeex:

> First off, literally anything is more secure than Windows right now. Apps
> outside the Microsoft Store (which in itself is a meme) run wild with no
> sandboxing and with a mostly yes(to everything)/no permission system.

Which is why you only install apps from the Microsoft store. Windows out of the
box is far more secure than Linux out of the box and it can be hardened like any
other operating system. Out of the box, ChromeOS is the most secure, then macOS,
then Windows, then Linux. I agree that Linux can be made secure once hardened
but most people aren’t expected to harden Linux enough to where it matters and
really are better off using Windows, macOS, or ChromeOS.

OpenBSD has no GUI isolation as it uses Xenocara (a fork of Xorg) instead of
Wayland, making it impossible to fully sandbox apps. It also lacks proper
verified boot among other mitigations and the mitigations it does have aren’t as
good as the ones found in proprietary operating systems. To call OpenBSD a
secure operating system is like calling Lynx a secure browser. OpenBSD is a
meme.

Source: https://isopenbsdsecu.re/


1



samsepi0l
Oct 2022


I think Sandboxie has some major security concerns afaik. Using Windows Sandbox
is better.


2



anon82677111
samsepi0l
Oct 2022


True. Using third-party software for security usually increases attack surface
and weakens the Windows security model.


2



user1 (Regular)
Oct 2022


I think everyone here has a valid point: security, privacy, attack surface,
freedom, etc. are all important subjects but I think we are losing sight of the
threat model.
We’re talking about the Windows guide section, the average user here has a pc
probably with an office suite, some games, utilities like 7zip, pdf reader,
music and video player and more.
I’m all into minimal setup but imo it is not realistic nor useful to simply
promote “do not install anything outside MS” cause it potentially increases
attack surface. It’s quite useless to have a PC that can’t run software. So the
question for me should be how can we run software without too much compromise
security and privacy and usability.
The GrapheneOS approach is a great example, it’s secure, hardened and it still
retains a great usability and user experience. To block network use you don’t
have to install a firewall app or mess around with obscure settings, you just
flip a switch.
Now Windows is not so easily manageable in that regard and if it’s not simple
enough people just don’t use it, so a relatively easy approach should not be
totally dismissed (I also think disable telemetry here).
So, are third party sandboxes, firewalls, privacy scripts, etc. worth to improve
the security/privacy/usability Windows balance?


3



anon82677111
Oct 2022


user1:

> We’re talking about the Windows guide section, the average user here has a pc
> probably with an office suite, some games, utilities like 7zip, pdf reader,
> music and video player and more.
> I’m all into minimal setup but imo it is not realistic nor useful to simply
> promote “do not install anything outside MS” cause it potentially increases
> attack surface. It’s quite useless to have a PC that can’t run software. So
> the question for me should be how can we run software without too much
> compromise security and privacy and usability.

By only installing software that we need and using what’s provided by Microsoft
whenever possible. In general, it’s advised to stay away from desktop apps and
use the web browser for most activities including Email as websites in a browser
are much less privileged than native apps and installing extra software can
increase attack surface. Games and apps like Spotify and Discord are fine if
they are required but it is possible to do a lot of this inside the browser.

 * If one cannot afford Microsoft Office, they should use the free versions that
   work inside a web browser and don’t allow active contents in desktops.
 * Use your browser’s built-in PDF reader. You can download the PDFs and then
   turn off your internet connection to prevent network connections from being
   made while reading the PDF.
 * Use the default music and video players that come with Windows.
 * Use Bitlocker for encryption as Veracrypt breaks secure boot.
 * Use Bandizip as 7Zip lacks anti-exploit and MOTW support.
 * Do not install a bunch of security software and stay away from cleanup tools
   like CCleaner, anti-spying tools like ShutUp10, backup software (use cloud
   storage or USB drives for backups), and third-party uninstallers like Revo
   Uninstaller. It’s best to use the default Windows Defender instead of
   installing a third-party antivirus.


user1:

> So, are third party sandboxes, firewalls, privacy scripts, etc. worth to
> improve the security/privacy/usability Windows balance?

Firewalls and privacy scripts are not. Use official documentation from
Microsoft. I have not used Sandboxie so I can’t really speak for it, though
generally third-party security software can weaken the desktop security model
like VeraCrypt does.

Hard_Configurator may save a lot of time hardening the system.

2 Replies

1



Fossforus
Oct 2022


I’ll let others deal with the misinformation in this thread…

To the OP: CIS benchmarks are the gold standard baseline that even the biggest
companies use.
Many sysadmins and cybersecurity professionals in my professional experience
(and most sysadmin forums) will agree. You can do a search on your preferred
engine to easily verify my claims.

Note: it’s good practise to paste thinks in full, on forums and emails, where
feasible.

Non-exhaustive (sample) Sources for comments on CIS:

reddit


R/SYSADMIN - WHO USES CIS BENCHMARKS?

3 votes and 22 comments so far on Reddit



Linux Security Expert


LINUX SECURITY AND SYSTEM HARDENING CHECKLIST

Increase the security of your Linux system with this hardening checklist. With
the step-by-step guide, every Linux system can be improved.




Link:
https://downloads.cisecurity.org/#/all

Search for “Windows Desktop” and your Linux distro for Linux users.

NIST and STIGs are also considered authoritative standards in the industry:

 * NIST (National Institute of Standards and Technology)
 * STIGs (Security Technical Implementation Guides)

Aside from these resources you should identify common threat models and usage
goals to tailor the benchmarks accordingly into different ‘profiles’ that are
relevant to readers.

From memory when running through BeerIsGood’s guide there were some flaws in his
thinking, that caused me to stop reading part way through, I’m no longer a
Windows user so I’m not going to review it again to be more specific.


7



JimmyAnonymous
anon82677111
Oct 2022

>  * Do not install a bunch of security software and stay away from cleanup
>    tools like CCleaner, anti-spying tools like ShutUp10, backup software (use
>    cloud storage or USB drives for backups), and third-party uninstallers like
>    Revo Uninstaller. It’s best to use the default Windows Defender instead of
>    installing a third-party antivirus.

It’s worth noting that Microsoft lets you uninstall a lot of apps with the
winget package manager (If you don’t like Cortana it’s as simple as winget
uninstall Cortana for example), so third party uninstallers aren’t really
needed. Though of course it’s best to clean install Enterprise/Education so as
to be able to have minimal bloatware and easy disabling of telemetry out of the
box. If one isn’t a student/can’t afford either/isn’t willing to use MAS, then I
think Pro still has less bloatware out of the box (though telemetry can’t be
fully disabled like on Enterprise/Education).


2



Register3435
Oct 2022


https://www.softscheck.com/en/privacy-analysis-windows-10-enterprise-telemetry-level-0/

If you are going to forgo clean-up and blocking scripts, then I think the
suggested Group Policy edits need to be quite extensive. Telemetry: Level 0
isn’t a catch all to stop Windows from sending data completely.


1



anon82677111
Oct 2022


I think Sandboxie should not be recommended as it doesn’t have any hardware
isolation unlike Windows Sandbox, which uses Hyper-V, making it much harder
for malware to escape.

Sources:

MalwareTips Forums


QUESTION - WINDOWS SANDBOX VS EDGE APPLICATION GUARD WINDOW (WHICH IS SAFER ?)

Hi- Which is the best way of browsing potentially unsafe websites ? Is it by
running Edge in the Windows 10 Sandbox OR by opening an Application Guard Window
in Edge ? I assume that browsing a site within the Sandbox guards against
canvas...



MalwareTips Forums


QUESTION - WINDOWS SANDBOX VS EDGE APPLICATION GUARD WINDOW (WHICH IS SAFER ?)

I'm right about all of it. The answer is as simple as I've been making it out.
There's no need to over-complicate this. ... This conversation can go on for
decades but the obsession of Sandboxie being more powerful than Microsoft's
sandbox technology...



MalwareTips Forums


SANDBOXIE SHOULD BE AVOIDED IN 2019 AND ABOVE

Sandboxie should be avoided in 2019 and above. 1. Sandboxie messes with the
memory of processes belonging to other people's software. First of all, messing
with memory of other people's software can introduce additional vulnerabilities
in other...




2



8 days later
anon86352167
Oct 2022


I’m currently in the process of helping @Edward make this Windows guide. Our
main question is if using a Microsoft account in Windows adds anything
beneficial security wise? A local account is better privacy wise and could have
a reduced attack surface since it isn’t tied to an account but is there any real
justification to have it tied to an account?
P.S if y’all have any additional ideas or recommendations for the Windows guide
I’d love to hear them!

2 Replies

1



user1 (Regular)
anon86352167
Oct 2022


Here’s some subjects I would like the Windows guide could clarify/suggest:

 * Intro on secure boot, bios security settings
 * Differences between Windows 10 Home vs Windows 10 Pro/Enterprise?
 * Offline account vs Online account (also user account vs admin)
 * Privacy settings
 * Telemetry (do we need some third party disabler?)
 * Group policies settings
 * Bitlocker (also on external devices, probably merge the os full disk
   encryption section)
 * Security settings / Hardening
 * Windows Store pros and cons
 * Windows Firewall
 * Windows Sandbox use cases
 * Windows Defender
 * Recommended third party privacy software (sandboxes/firewalls/privacy
   scripts/etc.)

1 Reply

6



jonah (Jonah Aragon, Team Member)
Oct 2022


anon86352167:

> Our main question is if using a Microsoft account in Windows adds anything
> beneficial security wise?

As far as I’m aware using a Microsoft Account is the only way to enable Device
Encryption on Windows 10/11 Home, however we already have a guide to enable
Bitlocker as an alternative on the Home edition instead.

1 Reply

1


