discuss.privacyguides.net
2a01:4ff:f0:e86a::1
Public Scan
URL:
https://discuss.privacyguides.net/t/windows-guide/250/13
Submission Tags: falconsandbox
Submission: On June 27 via api from US — Scanned from DE
Form analysis
1 forms found in the DOM
POST /login
<form id="hidden-login-form" method="post" action="/login" style="display: none;">
<input name="username" type="text" id="signin_username">
<input name="password" type="password" id="signin_password">
<input name="redirect" type="hidden">
<input type="submit" id="signin-button" value="Log In">
</form>
Text Content
WINDOWS GUIDE
Site Development, Guide Suggestions
jonah, 24 votes

anon34719932 anon82677111 Oct 2022
> open source software like […] LibreOffice […] should be avoided as it’s less
> secure than Microsoft software.

I wasn’t aware that LibreOffice is less secure than Microsoft software (I’m assuming you mean the Office 365 suite). I’m interested to know more (I currently use it): do you have any references I could read?

anon82677111 anon34719932 Oct 2022
Microsoft Office can utilize MDAG (Microsoft Defender Application Guard). The free versions of Microsoft Office work inside web browsers and don’t allow active content on desktops. LibreOffice has no sandboxing preventing untrusted files from accessing trusted resources. If there was a vulnerability in LibreOffice like there was a few years ago, attackers can create documents that can execute malicious code onto your computer.

anon34719932 anon82677111 Oct 2022
I didn’t know that the Application Guard supported Office: that’s great. And I’ll keep an eye on The Document Foundation’s security advisories. Thanks!

ph00lt0 Mare Polaris Privacy Wizard Oct 2022
I really like privacy.sexy to create my windows configurations. It also has settings I really wouldn’t recommend like disabling defender, but it’s very transparent and easy to configure.

As Jonah pointed out the telemetry of windows is something to worry about. It really is super invasive (especially the non-EU version). We should advise users to limit this as much as possible.

Microsoft accounts do not automatically enable device encryption actually, but device encryption is enabled by default under windows 11 (depending on hardware available). In my opinion it isn’t much more secure. An attacker can still add another administrator account and through this gain access to the user’s files using the same attacks that are known against local accounts, so this practically does not make any difference.

Some things I recommend using:
* Bitlocker
* Local Security Policy (application whitelisting)
* Endpoint Device Control Device (external device whitelisting)
* Microsoft Defender Application Guard
* Turn on network protection
* Enable virtualization-based protection of code integrity
* Set up and use Microsoft Defender SmartScreen
* Enable attack surface reduction rules
* Enable firmware protection
* Enable blocking of Potentially Unwanted Applications
* Use Windows Sandbox for untrusted applications

Note that some policies are not available under Windows Home and Windows Home N. You probably want to be using Windows Pro if any.

anon82677111 Oct 2022
xeex
> Besides I do believe it’d be hypocritical for someone to use steam/egs/gog and
> install screw all anyways, yet reject simplewall for the purpose of reducing
> the attack surface.

There is nothing hypocritical about this. Simplewall does not add anything new that cannot be done with the standard Windows firewall. How else is someone going to play Steam games? It may be better to just game on consoles instead of the PC.

xeex
> In the past privacyguides used to at least have an equal ground when it came
> to security vs privacy, if not leaning towards privacy. Now I see security
> prioritised and privacy as a bonus. What happened

PrivacyGuides became sane. One cannot have privacy without security and security is more important than freedom. It makes much more sense to use a Google Pixel than a Linux phone and a new Windows secured core PC or a Chromebook than a Thinkpad older than a decade. Security researchers are more trustworthy and reputable than free software activists.

deviancy Oct 2022
I agree with most of your points from a very high level, but this:

anon82677111:
> security is more important than freedom

is honestly a dangerous thought process to me. Putting faith into huge organizations with outsized power in the world is a recipe for disaster. Sure, getting malware is terrible and could potentially materially impact your real life if your bank account got drained as a result, for example. But by prioritizing security this much, one loses balance and view of the bigger picture, in my opinion.

ph00lt0 Mare Polaris Privacy Wizard Oct 2022
Since you replied to some of my recommendations. You cannot achieve privacy without security and neither the other way around. There are definitely differences but privacy and security more often overlap in their goals. The balance is hard to define but a large part of privacy, in context of today, is about data protection. Without good security you risk being infected or leak your data somewhere. You can really put a lot of effort in hiding with projects giving you a lot of privacy but no security until one day you get pwned and everything you worked for is gone. In the current day security risks are really high, especially for individuals seeking privacy.
We have got enough proof for that seeing cases like Pegasus (the possibility of this I have warned people for for years). And many have been shocked by the wide spread of these attacks, and we yet have seen only one of them. May it serve as an example of what is possible and how little we know what is out there.

To put it simply without security your privacy protections are worthless. This sometimes means you need to make compromises. Also note we never recommended Windows in the first place. But given you already trust Microsoft (by using it) you may as well use them to secure you instead of being even more vulnerable.

If you need a higher standard of privacy: DO NOT USE WINDOWS.

anon82677111 Oct 2022
xeex
> This website’s called privacyguides not securityguides, I believe we should at
> least have an equal ground when it comes to privacy vs security, if not lean
> towards privacy.

Yes but you can have privacy without freedom. You can’t have privacy without security.

Mare Polaris:
> If you need a higher standard of privacy: DO NOT USE WINDOWS.

If you need a higher standard of privacy, you should use GrapheneOS on the newest Google Pixel and nothing else. Linux and OpenBSD are a security nightmare.

anon82677111 Oct 2022
xeex
> First off, literally anything is more secure than windows right now. Apps
> outside the microsoft store (which in itself is a meme) run wild with no
> sandboxing and with a mostly yes(to everything)/no permission system.

Which is why you only install apps from the Microsoft store. Windows out of the box is far more secure than Linux out of the box and it can be hardened like any other operating system. Out of the box, ChromeOS is the most secure, then macOS, then Windows, then Linux. I agree that Linux can be made secure once hardened but most people aren’t expected to harden Linux enough to where it matters and really are better off using Windows, macOS, or ChromeOS.

OpenBSD has no GUI isolation as it uses Xenocara (a fork of Xorg) instead of Wayland, making it impossible to fully sandbox apps. It also lacks proper verified boot among other mitigations and the mitigations it does have aren’t as good as the ones found in proprietary operating systems. To call OpenBSD a secure operating system is like calling Lynx a secure browser. OpenBSD is a meme.

Source: https://isopenbsdsecu.re/

samsepi0l Oct 2022
I think sandboxie has some major security concerns afaik. Using Windows Sandbox is better

anon82677111 samsepi0l Oct 2022
True. Using third-party software for security usually increases attack surface and weakens the Windows security model.

user1 Regular Oct 2022
I think everyone here has a valid point: security, privacy, attack surface, freedom, etc. are all important subjects but I think we are losing sight about threat model.

We’re talking about the Windows guide section, the average user here has a pc probably with an office suite, some games, utilities like 7zip, pdf reader, music and video player and more. I’m all into minimal setup but imo it is not realistic nor useful to simply promote “do not install anything outside MS” cause it potentially increases attack surface. It’s quite useless to have a PC that can’t run software. So the question for me should be how can we run software without too much compromise security and privacy and usability.

The GrapheneOS approach is a great example, it’s secure, hardened and it still retains a great usability and user experience. To block network use you don’t have to install a firewall app or mess around with obscure settings, you just flip a switch. Now Windows it’s not so easily manageable in that regard and if it’s not simple enough people just don’t use it, so a relatively easy approach should not be totally dismissed (I also think disable telemetry here).

So, are third party sandboxes, firewalls, privacy scripts, etc.
worth to improve the security/privacy/usability Windows balance?

anon82677111 Oct 2022
user1:
> We’re talking about the Windows guide section, the average user here has a pc
> probably with an office suite, some games, utilities like 7zip, pdf reader,
> music and video player and more.
> I’m all into minimal setup but imo it is not realistic nor useful to simply
> promote “do not install anything outside MS” cause it potentially increases
> attack surface. It’s quite useless to have a PC that can’t run software. So
> the question for me should be how can we run software without too much
> compromise security and privacy and usability.

By only installing software that we need and using what’s provided by Microsoft whenever possible. In general, it’s advised to stay away from desktop apps and use the web browser for most activities including Email as websites in a browser are much less privileged than native apps and installing extra software can increase attack surface. Games and apps like Spotify and Discord are fine if they are required but it is possible to do a lot of this inside the browser.

* If one cannot afford Microsoft Office, they should use the free versions that work inside a web browser and don’t allow active contents in desktops.
* Use your browser’s built-in PDF reader. You can download the PDFs and then turn off your internet connection to prevent network connections from being made while reading the PDF.
* Use the default music and video players that come with Windows.
* Use Bitlocker for encryption as Veracrypt breaks secure boot.
* Use Bandizip as 7Zip lacks anti-exploit and MOTW support.
* Do not install a bunch of security software and stay away from cleanup tools like CCleaner, anti-spying tools like ShutUp10, backup software (use cloud storage or USB drives for backups), and third-party uninstallers like Revo Uninstaller. It’s best to use the default Windows Defender instead of installing a third-party antivirus.

user1:
> So, are third party sandboxes, firewalls, privacy scripts, etc. worth to
> improve the security/privacy/usability Windows balance?

Firewalls and privacy scripts are not. Use official documentation from Microsoft. I have not used Sandboxie so I can’t really speak for it, though generally third-party security software can weaken the desktop security model like VeraCrypt does. Hard_Configurator may save a lot of time hardening the system.

Fossforus Oct 2022
I’ll let others deal with the misinformation in this thread…

To the op CIS benchmarks are the gold standard baseline that even the biggest companies use. Many sysadmins and Cybersecurity professionals in my professional experience (and most sysadmin forums) will agree. You can do a search on your preferred engine to easily verify my claims.

Note: it’s good practise to paste thinks in full, on forums and emails, where feasible.

Non-exhaustive (sample) Sources for comments on CIS:
* reddit: R/SYSADMIN - WHO USES CIS BENCHMARKS?
  3 votes and 22 comments so far on Reddit
* Linux Security Expert: LINUX SECURITY AND SYSTEM HARDENING CHECKLIST
  Increase the security of your Linux system with this hardening checklist. With the step-by-step guide, every Linux system can be improved.

Link: https://downloads.cisecurity.org/#/all
Search for “Windows Desktop” and your Linux distro for Linux users.

NIST and STIGs are also considered authoritative standards in the industry
* NIST (National Institute of Standards and Technology)
* STIGs (Security Technical Implementation Guides).

Aside from these resources you should identify common threat models and usage goals to tailor the benchmarks accordingly into different ‘profiles’ that are relevant to readers.

From memory when running through BeerIsGood’s guide there were some flaws in his thinking, that caused me to stop reading part way through, I’m no longer a windows user so I’m not going to review it again to be more specific.

JimmyAnonymous anon82677111 Oct 2022
> * Do not install a bunch of security software and stay away from cleanup
> tools like CCleaner, anti-spying tools like ShutUp10, backup software (use
> cloud storage or USB drives for backups), and third-party uninstallers like
> Revo Uninstaller. It’s best to use the default Windows Defender instead of
> installing a third-party antivirus.

It’s worth noting that Microsoft lets you uninstall a lot of apps with the winget package manager (If you don’t like Cortana it’s as simple as winget uninstall Cortana for example), so third party uninstallers aren’t really needed. Though of course it’s best to clean install Enterprise/Education so as to be able to have minimal bloatware and easy disabling of telemetry out of the box. If one isn’t a student/can’t afford either/isn’t willing to use MAS, then I think Pro still has less bloatware out of the box (though telemetry can’t be fully disabled like on Enterprise/Education).

Register3435 Oct 2022
https://www.softscheck.com/en/privacy-analysis-windows-10-enterprise-telemetry-level-0/

If you are going to forgo clean-up and blocking scripts, then I think the suggested Group Policy edits need to be quite extensive. Telemetry: Level 0 isn’t a catch all to stop Windows from sending data completely.

anon82677111 Oct 2022
I think Sandboxie should not be recommended as it doesn’t have any hardware isolation unlike Windows Sandbox, which uses Hyper-V, making it much harder for malware to escape.

Sources:
* MalwareTips Forums: QUESTION - WINDOWS SANDBOX VS EDGE APPLICATION GUARD WINDOW (WHICH IS SAFER ?)
  Hi- Which is the best way of browsing potentially unsafe websites ? Is it by running Edge in the Windows 10 Sandbox OR by opening an Application Guard Window in Edge ? I assume that browsing a site within the Sandbox guards against canvas...
* MalwareTips Forums: QUESTION - WINDOWS SANDBOX VS EDGE APPLICATION GUARD WINDOW (WHICH IS SAFER ?)
  I'm right about all of it.
  The answer is as simple as I've been making it out. There's no need to over-complicate this. ... This conversation can go on for decades but the obsession of Sandboxie being more powerful than Microsoft's sandbox technology...
* MalwareTips Forums: SANDBOXIE SHOULD BE AVOIDED IN 2019 AND ABOVE
  Sandboxie should be avoided in 2019 and above. 1. Sandboxie messes with the memory of processes belonging to other people's software. First of all, messing with memory of other people's software can introduce additional vulnerabilities in other...

8 days later

anon86352167 Oct 2022
I’m currently in the process of helping @Edward make this Windows guide. Our main question is if using a Microsoft account in Windows adds anything beneficial security wise? A local account is better privacy wise and could have a reduced attack surface since it isn’t tied to an account but is there any real justification to have it tied to an account?

P.S if y’all have any additional ideas or recommendations for the Windows guide I’d love to hear them!

user1 Regular anon86352167 Oct 2022
Here’s some subjects I would like the windows guide could clarify/suggest:
* Intro on secure boot, bios security settings
* Differences between Windows 10 home vs Windows 10 pro/enterprise ?
* Offline account vs Online account (also user account vs admin)
* Privacy settings
* Telemetry (do we need some third party disabler?)
* Group policies settings
* Bitlocker (also on external devices, probably merge the os full disk encryption section)
* Security settings / Hardening
* Windows Store pro and cons
* Windows Firewall
* Windows Sandbox use cases
* Windows Defender
* Recommended third party privacy software (sandboxes/firewalls/privacy scripts/etc.)

jonah Jonah Aragon Team Member Oct 2022
anon86352167:
> Our main question is if using a Microsoft account in Windows adds anything
> beneficial security wise?

As far as I’m aware using a Microsoft Account is the only way to enable Device Encryption on Windows 10/11 Home, however we already have a guide to enable Bitlocker as an alternative on the Home edition instead.