-
-
Notifications
You must be signed in to change notification settings - Fork 207
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
This is refresh commit made due to merge conflicts that came when trying to sync the fork
- Loading branch information
1 parent
0c2b119
commit 9242cc7
Showing
26 changed files
with
547 additions
and
0 deletions.
There are no files selected for viewing
Binary file not shown.
Binary file added
BIN
+84.6 KB
docs/assets/img/windows/Bitlocker Group Policies/Secure-boot-integrity-validation.webp
Binary file not shown.
Binary file not shown.
Binary file added
BIN
+55.9 KB
docs/assets/img/windows/Bitlocker Group Policies/bitlocker-control panel.webp
Binary file not shown.
Binary file added
BIN
+55.8 KB
docs/assets/img/windows/Bitlocker Group Policies/disallow-user-from-changing-PIN.webp
Binary file not shown.
Binary file added
BIN
+111 KB
docs/assets/img/windows/Bitlocker Group Policies/encryption-method-and-cipher.webp
Binary file not shown.
Binary file added
BIN
+82.5 KB
docs/assets/img/windows/Bitlocker Group Policies/enforce-full-encryption.webp
Binary file not shown.
Binary file not shown.
Binary file not shown.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Large diffs are not rendered by default.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,85 @@ | ||
--- | ||
title: Windows Overview | ||
icon: material/microsoft-windows | ||
--- | ||
|
||
## Windows | ||
|
||
Windows is a proprietary operating system created by Microsoft Inc. in 1985. It is primarily focused on personal computing and is now the most popular desktop OS, used by about [75%](https://gs.statcounter.com/os-market-share/desktop/worldwide) of all desktop users. However, it has its own privacy and security issues. | ||
|
||
## Issues present in Windows | ||
|
||
Over the years, Microsoft has demonstrated a lot of privacy-invasive behaviour with their software and services. They have continually taken advantage of the fact that Windows is the most wide-used desktop OS, and that most people don't change the default settings, in order to collect users' personal information. | ||
|
||
Windows 10 was [criticized](https://www.theguardian.com/technology/2015/jul/31/windows-10-microsoft-faces-criticism-over-privacy-default-settings) for having default settings that sent a lot of data and telemetry back to Microsoft, including: | ||
|
||
!!! quote "[Criticism of Microsoft - Wikipedia](https://en.wikipedia.org/wiki/Criticism_of_Microsoft#Telemetry_and_data_collection)" | ||
User's contacts and calendar events, location data and history, "telemetry" (diagnostics data) ... and "advertising ID", as well as further data when the Cortana assistant is enabled. | ||
|
||
At launch, telemetry could not be disabled in non-enterprise editions of Windows 10. Only after [criticism](https://www.theverge.com/2016/7/21/12246266/france-microsoft-privacy-windows-10-cnil) from the France data protection commission, the [Electronic Frontier Foundation](https://www.eff.org/deeplinks/2016/08/windows-10-microsoft-blatantly-disregards-user-choice-and-privacy-deep-dive) and the [European Union](https://www.reuters.com/article/us-microsoft-dataprotection-eu-idUSKBN15Z1UI), Microsoft changed the way they collect telemetry, allowing users to choose between "Basic" (now renamed as `Required`) and "Full", with "Basic" mode collecting [much less telemetry](https://www.extremetech.com/computing/243079-upcoming-windows-update-reduces-spying-microsoft-still-mum-data-collects). Along with that, Microsoft collects a [lot more data from Windows 10](https://web.archive.org/web/20210711143017/https://privacytools.io/operating-systems/#win10). | ||
|
||
With the launch of Windows 11, a lot of [other](https://www.windowscentral.com/one-thing-microsoft-didnt-discuss-windows-11-privacy) [concerns](https://www.pcworld.com/article/539183/windows-11-review-an-unnecessary-replacement-for-windows-10.html) were raised, such as: | ||
|
||
- Integration of Microsoft Teams into the OS, which would encourage users to switch to the service, allowing Microsoft to collect even more data. | ||
- Removing the ability to have local accounts in Windows 11 Home, therefore forcing you to log into a Microsoft account so as to collect more data. | ||
- Having all data collection options on by default | ||
- Working with Amazon to bring Android apps to Windows through the Windows Subsystem for Android, likely allowing both Microsoft and Amazon to collect data about Android app usage on Windows. | ||
- Using users in a P2P way to distribute Windows updates to reduce load in Microsoft's servers without users' consent. | ||
|
||
## Choosing your Windows edition | ||
|
||
While using Windows, it is better to select either Windows **Enterprise** Edition or **Education** Edition because it gives more control over the system for hardening it for privacy and security by giving access to stops the OS from sending any Telemetry data using GP Editor. | ||
|
||
If you cannot get the above editions, you must opt for **Professional** Edition. | ||
|
||
#### Editions to avoid | ||
|
||
- It is not recommended to use forks or modified versions of Windows such as Windows AME. It should be avoided at all cost. Since modified versions of Windows, such as AME, don't get updates, antivirus programs like Defender can fall out of date or be disabled entirely, opening you up to attacks. | ||
|
||
- Windows **Home** edition is **not** recommended as it does not have many advantages that Professional edition provides such as BitLocker Drive Encryption, Hyper-V, Windows Sandbox, etc. It also uploads Bitlocker Encryption keys to Microsoft servers which actually defies the aspect of encryption implemented in a different way. | ||
|
||
##### Recommendations | ||
|
||
We recommend you choose Windows 11 over Windows 10 as it is the latest version and brings many security-related improvements with it by default such as [Secure Boot](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-secure-boot), [VBS](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-vbs), [HVCI](https://docs.microsoft.com/en-us/windows-hardware/drivers/bringup/device-guard-and-credential-guard), etc. Windows 10 will stop getting updates after [October 14, 2025](https://docs.microsoft.com/en-us/lifecycle/products/windows-10-home-and-pro). | ||
|
||
### Installing Windows | ||
|
||
We recommend that you use the official [Media Creation tool](https://www.microsoft.com/software-download/windows11) to flash the ISO to the USB, over third-party options such as Rufus, Balena Etcher, etc., so that you don't tamper the ISO. | ||
|
||
#### Downloading ISO | ||
|
||
To download the ISO. Follow these steps : | ||
|
||
- Download Media Creation tool under `Windows 11 Installation Media` | ||
- Open a Command prompt terminal in the directory where `mediacreationtool.exe` is downloaded. | ||
- And Input the following Command : | ||
``` | ||
mediacreationtool.exe /Eula Accept /Retail /MediaArch x64 /MediaLangCode en-US /MediaEdition Enterprise | ||
``` | ||
- If it asks for Activation key, Use this Generic Key `XGVPP-NMH47-7TTHJ-W3FW7-8HV2C`. This will just allow you to download the ISO but activation is totally upon the user. | ||
- Accept the UAC prompt | ||
- Download the ISO file or flash to a USB as you wish | ||
!!! info "Note" | ||
- The ISO will consists **only** of Professional, Education & Enterprise edition with a size of ~4.2 GB (Instead of >5.5GB when you download the Multi-Edition ISO) when you download using the above way no other editions such as Home included in it. | ||
- If you want to change the Language of the ISO file, Just change the `en-US` part with the appropriate language and country code as per your needs. | ||
### Activating Windows | ||
Activating Education/Enterprise edition is different because for Enterprise Edition it needs to be a part of an enterprise network or buying an enterprise License for several devices and use it for your one device & for Education Edition it needs to be a part of school network or managed by a school administrator. | ||
For activating Professional edition, you can buy the license key from resellers (not recommended) or the [Microsoft Store](https://www.microsoft.com/d/windows-11-pro/dg7gmgf0d8h4?rtc=1). | ||
If you are currently using Pro and want to upgrade to Enterprise. Then, Follow the guide [here](https://www.kapilarya.com/how-to-upgrade-windows-11-pro-to-enterprise-edition) | ||
!!! abstract "Note" | ||
This guide will be mostly on Windows 11 but some of the recommendations can be applied to Windows 10 too. | ||
!!! danger "Warning" | ||
If you are going to install Windows 11, Then install it only on supported devices and it is not recommended to use tools/scripts that are available online to bypass the requirements which totally breaks the security of Windows 11 which it is aimed for. | ||
*[GP]: Group Policy | ||
*[VBS]: Virtualization-Based Security | ||
*[HVCI]: Hypervisor-Protected Code Integrity | ||
*[AME]: Ameliorated | ||
*[P2P]: Peer-to-Peer |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,78 @@ | ||
--- | ||
title: Privacy in Windows | ||
icon: material/incognito | ||
--- | ||
|
||
## Using Microsoft account | ||
|
||
You should never sign-in to Windows with a Microsoft account. Signing-in to applications like Microsoft Office (which some users are required to do for their school or company) will trigger a dark pattern offering you to sign in to Windows, which will connect your device to your Microsoft account, and make it easier to send data to Microsoft servers and it is critical to reject this offer. | ||
|
||
![Using account for specific app](/assets/img/windows/signin-one-app.webp) | ||
|
||
You should log in to that specific app only if you need to. | ||
|
||
or | ||
|
||
Create another standard user account and connect it to Microsoft account if you are required for School or Work and keep the apps to that account alone. By restricting other data drive access, it is fully isolated from other profiles. | ||
|
||
## Telemetry | ||
|
||
To disable telemetry at full level, Open Group policy and navigate to `Computer Configuration` > `Administrative Templates` > `Windows Components` > `Data Collection and Preview builds` and choose as required | ||
|
||
![Disable telemtry](/assets/img/windows/disable-telemetry.webp) | ||
|
||
The above works only if you use Enterprise or Education edition. If Professional, It will send required (Basic) data. | ||
|
||
If you read this article - [https://www.softscheck.com/en/blog/windows-10-enterprise-telemetry-analysis/](https://www.softscheck.com/en/blog/windows-10-enterprise-telemetry-analysis/), Enterprise even sends data even though telemetry is disabled. But there is no updated info about this available. | ||
|
||
Disabling full telemtry or sending basic data to Microsoft is totally upto the user's threat model. | ||
|
||
- [ ] Disable `Automatic Sample Submission` in Windows Defender will send your files as a sample for Signature Database and might leak your data. You can do it via the below Group Policy so to not prompt you again and again constantly. | ||
``` | ||
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > MAPS > Send file samples when further analysis is required to Never Send. | ||
``` | ||
- [ ] Disable Windows spotlight by navigating to `User Configuration` > `Administrative Templates` > `Windows Components` > `Cloud Content` and setting **Turn off all Windows Spotlight features** policy to disabled. | ||
!!! note | ||
This explicitly disables Windows spotlight features in Lockscreen and Desktop to severe unnecessary between Microsoft servers and the device. | ||
- [ ] Disable in Bing integration in Windows search, by navigating to `Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results`. This way your search queries for local indexed data is not sent to Microsoft. | ||
- [ ] Disable notification in the Lock screen in Windows settings | ||
![Lock screen notification](/assets/img/windows/lock-screen-notifications.webp) | ||
- [ ] Disable Online Speech recognition and Voice activation | ||
![Alt text](/docs/assets/img/windows/online-speech.webp) | ||
![Alt text](/assets/img/windows/voice-activation.webp) | ||
- [ ] Disable delivery optimization in Windows Update settings. | ||
- Check all the App permissions and allow only necessary ones. | ||
## Hide MAC Address | ||
Go to `Settings` > `Network & Internet` > `Wifi` | ||
Enable **Random hardware addresses** | ||
## Restrict access to data drives | ||
To prevent other users from accessing your secondary data drives. Type `gpedit.msc` in Windows Run dialog box. | ||
Go to `User Configuration` > `Administrative Templates` > `Windows Components` > `File Explorer` and set the Group Policy as below. | ||
![Restrict-drive](/assets/img/windows/drive-restriction.webp) | ||
The above configuration will restrict other users to the OS drive where Windows is installed. Making total isolation between your Account and other user account. | ||
If it's a shared drive with another person but you don't want the user to access sensitive data then use EFS. EFS encrypts the documents so that the user who encrypted it can only access it and not others. | ||
![EFS](/assets/img/windows/EFS.gif) | ||
It is better to export the Private key certificate and store in a safe place so as to use the file later in other devices. To do so, | ||
Press, ++win+r++, Then type `certmgr.msc`, Under `Personal` > `Certificates`. Click the certificate that contains your username. Right Click and choose export. If you find this too tricky, then after using EFS for first time. You will see an encrypted locker Icon in system tray which help you in exporting on clicking it. | ||
To import in another device, simply open and install this certificate in that device and choose the above location. Then you can access EFS encrypted files in other system too. | ||
*[EFS]: Encrypted File System |
Oops, something went wrong.