diff --git a/docs/windows/hardening.md b/docs/os/windows/hardening.md similarity index 74% rename from docs/windows/hardening.md rename to docs/os/windows/hardening.md index 71cffcdd42..cb5755db9c 100644 --- a/docs/windows/hardening.md +++ b/docs/os/windows/hardening.md @@ -5,14 +5,17 @@ icon: material/monitor-lock ## Setting up Windows after Installation -If you wish to limit the amount of data Microsoft obtains from your device, an [offline/local account](https://answers.microsoft.com/en-us/windows/forum/all/how-to-create-a-local-or-offline-account-in/95097c32-40c4-48c0-8f3b-3bcb67afaf7c) is **recommended**. +If you wish to limit the amount of data Microsoft obtains from your device, an [offline/local account](https://answers.microsoft.com/en-us/windows/forum/all/how-to-create-a-local-or-offline-account-in/95097c32-40c4-48c0-8f3b-3bcb67afaf7c) is **recommended**. ![user-account](/assets/img/windows/user-account.webp) -!!! note - Microsoft is pushing users to use Microsoft accounts for other editions except Education and Enterprise after installation. +
Note
- So, You could also follow the guide by [ghacks.net](https://www.ghacks.net/2022/05/13/how-to-bypass-the-microsoft-account-requirement-during-windows-setup/) to bypass the Microsoft account requirement during setup and use Local account. +Microsoft is pushing users to use Microsoft accounts for other editions except Education and Enterprise after installation. + +So, You could also follow the guide by [ghacks.net](https://www.ghacks.net/2022/05/13/how-to-bypass-the-microsoft-account-requirement-during-windows-setup/) to bypass the Microsoft account requirement during setup and use Local account. +Choosing the Way to Encrypt
+ +It is recommended to use only the Control Panel because if you go to encrypt via settings app, Microsoft named it as `Device Encryption` and designed it in a way that the encryption keys for BitLocker would be stored on Microsoft's server which is attached to your Microsoft account. This can be dangerous to your privacy and security as anyone who gains access to your account, as could an attacker if they were able to gain access to Microsoft's servers or any Law Enforcement could by a Gag order. -!!! info "Choosing the Way to Encrypt" - It is recommended to use only the Control Panel because if you go to encrypt via settings app, Microsoft named it as `Device Encryption` and designed it in a way that the encryption keys for BitLocker would be stored on Microsoft's server which is attached to your Microsoft account. This can be dangerous to your privacy and security as anyone who gains access to your account, as could an attacker if they were able to gain access to Microsoft's servers or any Law Enforcement could by a Gag order. +Tip
+ +To go to it, search **Group Policy** in the **Windows Search Bar** and press **Enter** or type `gpedit.msc` in ++win+r++. Then, proceed as mentioned below. + +Update your TPM
+ +Before enabling Bitlocker in your device,It is strongly recommended to update your TPM chip by downloading package only from **OEM** Websites. + +Disabling pre-boot Authentication (Not Recommended)
+ +- open a **terminal** as an **administrator** and type this command `manage-bde -protectors -add c: -TPM`. +- You can again check if it worked by typing `manage-bde -status c:` and it will show you **Numerical Password** and **TPM** + +Info
-!!! info - The above Group Policy configuration tells the TPM to release the encryption keys after entering PIN instead of releasing it on boot automatically. +The above Group Policy configuration tells the TPM to release the encryption keys after entering PIN instead of releasing it on boot automatically. - Doing this will set a double password. So, you enter the PIN to release the encryption keys from TPM & boot Windows and another credential to unlock your user account. +Doing this will set a double password. So, you enter the PIN to release the encryption keys from TPM & boot Windows and another credential to unlock your user account. - The pre-boot PIN not only protects the OS drive but also other fixed drives used just for storage if bitlocker is enabled for that drive also. +The pre-boot PIN not only protects the OS drive but also other fixed drives used just for storage if bitlocker is enabled for that drive also. + +Tip
+ +You should ALWAYS do the quick shortcut ++win+l++ to lock your device when you are away to prevent unauthorized access. + +Note
+ +System Guard is mostly available on Windows Secured-Core PCs not on regular consumer devices. So, Before enabling it check the requirements of your Device. + +Warning
+ +When you use Microsoft Defender Application Guard it bypasses the VPN you are using as when you use WDAG is launching the application in what is essentially a virtual machine, so it bypasses the host, where the VPN is connected. + +Enabling file extension
- Of course the attacker can add a different icon to the file, so it looks like you open the file type extension you think. +On standard Windows settings, Malware can hide itself if the filename is like: `Secure-File.txt.exe` - And if you open it, the Malware start's. +What you see? A file named `Secure-File.txt` - Just Open the File Explorer's settings and change it to show File Extensions by clicking on `View` > `Show` or by configuring via [Registry Editor](https://github.com/beerisgood/Windows11_Hardening/blob/master/always%20display%20file%20typ%20extension) +Of course the attacker can add a different icon to the file, so it looks like you open the file type extension you think. + +And if you open it, the Malware start's. + +Just Open the File Explorer's settings and change it to show File Extensions by clicking on `View` > `Show` or by configuring via [Registry Editor](https://github.com/beerisgood/Windows11_Hardening/blob/master/always%20display%20file%20typ%20extension) +A note regarding screen casting
+ +If you try to cast your screen to another device or cast another device screen to your device via Wireless display (Optional feature). You won't be able to connect the devices. As we have blocked Incoming connections. Miracast (Wireless casting) requires incoming connection to send data back and forth to show the screen on other or vice versa. - If you want to cast, then disable incoming connections in public network and cast your device and block connection again. +If you want to cast, then disable incoming connections in public network and cast your device and block connection again. + +There is no problem if you use normal Projection via cable. + +This section is new
diff --git a/docs/windows/privacy.md b/docs/os/windows/privacy.md similarity index 99% rename from docs/windows/privacy.md rename to docs/os/windows/privacy.md index 975859c017..96e20d7b88 100644 --- a/docs/windows/privacy.md +++ b/docs/os/windows/privacy.md @@ -13,7 +13,7 @@ It’s worth noting that according to [this study](https://www.autoriteitpersoon You should log in to that specific app only if you need to. -or +or Create another standard user account and connect it to Microsoft account if you are required for School or Work and keep the apps to that account alone. By restricting other data drive access, it is fully isolated from other profiles. @@ -30,7 +30,8 @@ If you read this article - [https://www.softscheck.com/en/blog/windows-10-enterp Disabling full telemetry or sending basic data to Microsoft is totally upto the user's threat model. - [ ] Disable `Automatic Sample Submission` in Windows Defender, as the feature will send your files as a sample for Signature Database and might leak your data. You can do it via the below Group Policy so to not prompt you again and again constantly. - ``` + + ```text Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > MAPS > Send file samples when further analysis is required to Never Send. ``` @@ -82,4 +83,4 @@ Press, ++win+r++, Then type `certmgr.msc`, Under `Personal` > `Certificates`. Cl To import in another device, simply open and install this certificate in that device and choose the above location. Then you can access EFS encrypted files in other system too. -*[EFS]: Encrypted File System \ No newline at end of file +*[EFS]: Encrypted File System diff --git a/docs/windows/sandboxing.md b/docs/os/windows/sandboxing.md similarity index 78% rename from docs/windows/sandboxing.md rename to docs/os/windows/sandboxing.md index 7dc2a36eb3..445f05423a 100644 --- a/docs/windows/sandboxing.md +++ b/docs/os/windows/sandboxing.md 
@@ -15,8 +15,8 @@ UWAs are processes that operate within the `AppContainer` is an application sand #### Win32 Apps -Win32 is the application platform of choice for developing and running classic Windows applications, that -is, Win32 applications, that require direct access to Windows and hardware. +Win32 is the application platform of choice for developing and running classic Windows applications, that +is, Win32 applications, that require direct access to Windows and hardware. The core of Win32 is the Win32 API implemented in the Windows SubDLLs (DLLs) and the ntdll.dll library file. With the combination of `SubDLLs` and `ntdll.dll`, the Win32 application has direct access to full system resources. 
@@ -25,12 +25,11 @@ The core of Win32 is the Win32 API implemented in the Windows SubDLLs (DLLs) and | UWAs | Windows | | :--------- | :---------------------------------- | |UWAs run as restricted, containerized `AppContainer` processes that run by accessing the WinRT API, a subset of COM functionalities and the Win32 API. They have specific properties that define process restrictions in terms of the system resources that processes can access.| Win32 applications run as Windows native, traditional processes that run by accessing the Win32 API and COM functionalities to their full extent and a subset of the WinRT API to directly access all system resources. They do not run as restricted processes, all system functionalities are by design directly available to them.| -|Only a single instance of a given UWA may run at a given time. | Any number of instances of a given Win32 application may run simultaneously. -|UWAs are distributed as application packages, archive files with a pre-defined format and required content that is necessary for the deployment and operation of UWAs |The way in which Win32 applications are distributed is not restricted by the operating system. It is defined by the application vendors. +|Only a single instance of a given UWA may run at a given time. | Any number of instances of a given Win32 application may run simultaneously. | +|UWAs are distributed as application packages, archive files with a pre-defined format and required content that is necessary for the deployment and operation of UWAs |The way in which Win32 applications are distributed is not restricted by the operating system. It is defined by the application vendors. | The above comparison gives a clear cut that UWA/UWP apps are the best ones to use in terms of sandboxing the app. 
- ### Choosing the way to install software UWA apps are primarily distributed through Microsoft store and are counter-signed by Microsoft while as third party UWA's are signed by the vendor without Microsoft's signature. @@ -51,22 +50,28 @@ When you see an app in store and scroll down to *Additional Information* sectio ![UWP in store](/assets/img/windows/UWP-in-MS-Store.webp) -If the Win32 App, Microsoft store will explicitly state that it is`Provided and Updated by `****` ` and `Uses all System resources` as in the image below: +If the Win32 App, Microsoft store will explicitly state that it is Provided and Updated by `****` and `Uses all System resources` as in the image below: ![Win32 in store](/assets/img/windows/Win32-in-MS-Store.webp) -!!! note "Un-sandboxed UWP apps" - Some UWP apps in the store due to the lift of restrictions in Microsoft store developers can submit the app with a property named `runFullTrust` which disables sandboxing of that UWP application and shows that `Uses all System Resources` in *Additional Information* section such as Firefox. By this you can know if a UWP app is sandboxed or not. +Un-sandboxed UWP apps
- If it is sandboxed, it will show only certain permissions in *Additional Information* section. +Some UWP apps in the store due to the lift of restrictions in Microsoft store developers can submit the app with a property named `runFullTrust` which disables sandboxing of that UWP application and shows that `Uses all System Resources` in *Additional Information* section such as Firefox. By this you can know if a UWP app is sandboxed or not. -!!! abstract "Note" - Most apps will ask that if the app needs to be used for all users or just for your user account. It is best you keep the app to your user Account. So, We achieve better sandboxing between different user accounts. +If it is sandboxed, it will show only certain permissions in *Additional Information* section. +Note
-[rg-adguard.net](https://store.rg-adguard.net/) is a third party Microsoft store app which can be used to download `.appx` files (Installer for UWP) and install UWP apps. You can use this site to download Age Restricted apps in store and Install it. **Note** that paid apps don't work unless you connect a Microsoft Account. +Most apps will ask that if the app needs to be used for all users or just for your user account. It is best you keep the app to your user Account. So, We achieve better sandboxing between different user accounts. + +Regarding Windows Sandbox Editor
+ +The repository doesn't provide a package. So, you need to download the whole codebase. After, extracting the zip Windows Defender or other Antivirus software may flag the [exe](https://github.com/damienvanrobaeys/Windows_Sandbox_Editor/tree/master/EXE) file as a malware. So, it is recommended to install it via the [Powershell Script](https://github.com/damienvanrobaeys/Windows_Sandbox_Editor/tree/master/Install%20on%20desktop%20(in%20case%20of%20issue%20with%20EXE)) they provide. + +By default, You cannot execute Scripts in Powershell and it is restricted to commands only. It is recommend you allow the Terminal to `Unrestricted` mode and use it to install the editor via Script after that change it back to `Restricted` [execution policy](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.2) to prevent accidental execution of malicious scripts in the future. - By default, You cannot execute Scripts in Powershell and it is restricted to commands only. It is recommend you allow the Terminal to `Unrestricted` mode and use it to install the editor via Script after that change it back to `Restricted` [execution policy](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.2) to prevent accidental execution of malicious scripts in the future. +[Criticism of Microsoft - Wikipedia](https://en.wikipedia.org/wiki/Criticism_of_Microsoft#Telemetry_and_data_collection)
+ +User's contacts and calendar events, location data and history, "telemetry" (diagnostics data) ... and "advertising ID", as well as further data when the Cortana assistant is enabled. + +Note
+ +- The ISO will consists **only** of Professional, Education & Enterprise editions with a size of ~4.2 GB (Instead of >5.5GB when you download the Multi-Edition ISO). When you download using the above way, no other editions such as Home are included in it. +- If you want to change the language of the ISO file, Just change the `en-US` part with the appropriate language and country code as per your needs. + +Note
+ +This guide will be mostly on Windows 11 but some of the recommendations can be applied to Windows 10 too. + +Warning
+ +If you are going to install Windows 11, then install it only on supported devices. It is not recommended to use tools/scripts that are available online to bypass the requirements which would break the security of Windows 11 which it is aimed for. -!!! danger "Warning" - If you are going to install Windows 11, then install it only on supported devices. It is not recommended to use tools/scripts that are available online to bypass the requirements which would break the security of Windows 11 which it is aimed for. +**Never** download *Pirated* ISO Files - **Never** download *Pirated* ISO Files +
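Review bot: In the hardening.md hunk, the "Disabling pre-boot Authentication (Not Recommended)" steps add a TPM protector with `manage-bde -protectors -add c: -TPM` but never say what happens to the TPM+PIN protector the reader configured earlier, nor that the Group Policy described a few lines later ("tells the TPM to release the encryption keys after entering PIN") still applies to the machine; state explicitly which protectors should remain after the command, so that the expected `manage-bde -status c:` output (`Numerical Password` and `TPM`) can be read as confirmation rather than guessed at. While the lines are being touched, fix "Before enabling Bitlocker in your device,It is strongly recommended" (missing space after the comma, and the product is spelled BitLocker elsewhere on the page).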
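Review bot: The Application Guard warning in the hardening.md hunk ("When you use Microsoft Defender Application Guard it bypasses the VPN you are using as when you use WDAG is launching the application in what is essentially a virtual machine, so it bypasses the host, where the VPN is connected") is a run-on that is hard to follow; suggest "Microsoft Defender Application Guard runs the application in what is essentially a virtual machine, so its traffic does not pass through a VPN that is connected only on the host." The same hunk carries several typos into the newly added text that should be fixed in the same commit: "for other editions except Education and Enterprise" (read "for all editions except"), "So, You could also follow", "use Local account", "What you see? A file named", "the Malware start's", and "Just Open the File Explorer's settings".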
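Review bot: The converted admonition title "This section is new" at the end of the hardening.md hunk has nothing after it before the `diff --git a/docs/windows/privacy.md` header, so either its body was lost in the move from `!!!` syntax to the new block markup or the title is a leftover; check the rendered page and either restore the body or drop the empty block.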
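Review bot: In the privacy.md `@@ -30,7 +30,8 @@` hunk the fence is now tagged `text`, which is right for a Group Policy path, but the sentence introducing it ("You can do it via the below Group Policy so to not prompt you again and again constantly") needs rewording while the block is being edited, e.g. "Setting the Group Policy below stops Defender from prompting for sample submission." Consider also splitting the policy path onto its own line from the value `Never Send`, since as one line it reads as a single node name.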
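Review bot: In the privacy.md `@@ -82,4 +83,4 @@` hunk the line `*[EFS]: Encrypted File System` only gains a trailing newline; since it is being touched, correct the expansion to "Encrypting File System", which is Microsoft's name for the feature that the `certmgr.msc` certificate export above belongs to.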
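Review bot: The sandboxing.md `@@ -15,8 +15,8 @@` hunk changes only whitespace on the two `Win32 is the application platform ...` lines (the `-` and `+` text is otherwise identical). If the intent is a Markdown hard line break, trailing spaces are easily lost to editor auto-trim; joining the two lines into one sentence is sturdier. If no break is intended, drop the change so the diff stays a pure rename.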
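Review bot: In the sandboxing.md `@@ -51,22 +50,28 @@` hunk the paragraph about rg-adguard.net downloading `.appx` files is deleted (`-[rg-adguard.net](https://store.rg-adguard.net/) ...`) and nothing in the visible diff re-adds it; if the removal is deliberate it is a content change inside a formatting and rename commit and should be called out, otherwise restore it. In the same hunk the `runFullTrust` sentence is a run-on; suggest "Because Microsoft relaxed store restrictions, developers can submit a UWP app with the `runFullTrust` property, which disables its sandbox; such apps (Firefox, for example) show `Uses all System Resources` under *Additional Information*, so that field tells you whether a UWP app is sandboxed."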
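Review bot: The "Regarding Windows Sandbox Editor" section in the sandboxing.md hunk tells the reader to set PowerShell to `Unrestricted`, run an install script out of a zip whose `exe` Defender flagged, and then switch back to `Restricted`; as written this has the reader execute unreviewed, unsigned code under the broadest policy, persistently. Suggest adding that the script should be opened and read before it is run, and recommending a scoped policy that needs no manual revert, such as `Set-ExecutionPolicy -Scope Process RemoteSigned` in the session that runs the installer (or a single `powershell.exe -ExecutionPolicy Bypass -File <script>` invocation), instead of a machine-wide `Unrestricted`. Also qualify "By default, You cannot execute Scripts in Powershell": `Restricted` is the default on Windows client editions only, as the linked about_Execution_Policies page explains.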
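Review bot: In the final region of the sandboxing.md hunk, the block titled with the [Criticism of Microsoft - Wikipedia] link now carries Wikipedia's sentence ("User's contacts and calendar events, location data and history, ...") as a plain body; make sure the new markup still renders it as a quotation with attribution rather than as the guide's own statement. In the ISO "Note" fix "The ISO will consists **only** of" (read "will consist") and "Just change the `en-US` part" (lower-case "just"), and in the closing "Warning" the moved line "**Never** download *Pirated* ISO Files" now sits directly under the text about bypassing Windows 11 requirements; a blank line between them would keep the two points distinct.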