Rebased on #2606, swapped legacy admonitions
dngray committed Jun 13, 2024
1 parent a5d1a7e commit a7e8eff
Showing 6 changed files with 156 additions and 88 deletions.
133 changes: 89 additions & 44 deletions docs/windows/hardening.md → docs/os/windows/hardening.md
Expand Up @@ -5,14 +5,17 @@ icon: material/monitor-lock

## Setting up Windows after Installation

If you wish to limit the amount of data Microsoft obtains from your device, an [offline/local account](https://answers.microsoft.com/en-us/windows/forum/all/how-to-create-a-local-or-offline-account-in/95097c32-40c4-48c0-8f3b-3bcb67afaf7c) is **recommended**.
If you wish to limit the amount of data Microsoft obtains from your device, an [offline/local account](https://answers.microsoft.com/en-us/windows/forum/all/how-to-create-a-local-or-offline-account-in/95097c32-40c4-48c0-8f3b-3bcb67afaf7c) is **recommended**.

![user-account](/assets/img/windows/user-account.webp)

!!! note
Microsoft is pushing users to use Microsoft accounts for other editions except Education and Enterprise after installation.
<div class="admonition note" markdown>
<p class="admonition-title">Note</p>

So, You could also follow the guide by [ghacks.net](https://www.ghacks.net/2022/05/13/how-to-bypass-the-microsoft-account-requirement-during-windows-setup/) to bypass the Microsoft account requirement during setup and use Local account.
Microsoft is pushing users to use Microsoft accounts for other editions except Education and Enterprise after installation.

So, You could also follow the guide by [ghacks.net](https://www.ghacks.net/2022/05/13/how-to-bypass-the-microsoft-account-requirement-during-windows-setup/) to bypass the Microsoft account requirement during setup and use Local account.
</div>

While setting up, it is recommended to use a generic name such as `user` and `host` and avoid identifying terms such as your name or operating system. This can make it more difficult for privileged `Win32` apps or attackers to discern your identity.
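Review bot: the closing `</div>` of the new note has no blank line before it, while the tip and warning admonitions later in this commit do; pick one form for all of them. While this text is being moved, `So, You could also follow the guide ... and use Local account.` should read `So, you could also follow the guide ... and use a local account.`, and `for other editions except Education and Enterprise` reads more clearly as `for all editions except Education and Enterprise`.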

Expand All @@ -21,12 +24,17 @@ For security, it's recommended to set up Windows Hello on all of your accounts b
- [ ] Toggle off all privacy related settings as shown in the image:

![Privacy Settings](/assets/img/windows/privacy-settings.webp)

## Encrypting the Drive

After you have installed Windows, turn on full disk encryption (FDE) using BitLocker via the Control Panel.
After you have installed Windows, turn on full disk encryption (FDE) using BitLocker via the Control Panel.

<div class="admonition info" markdown>
<p class="admonition-title">Choosing the Way to Encrypt</p>

It is recommended to use only the Control Panel because if you go to encrypt via settings app, Microsoft named it as `Device Encryption` and designed it in a way that the encryption keys for BitLocker would be stored on Microsoft's server which is attached to your Microsoft account. This can be dangerous to your privacy and security as anyone who gains access to your account, as could an attacker if they were able to gain access to Microsoft's servers or any Law Enforcement could by a Gag order.

!!! info "Choosing the Way to Encrypt"
It is recommended to use only the Control Panel because if you go to encrypt via settings app, Microsoft named it as `Device Encryption` and designed it in a way that the encryption keys for BitLocker would be stored on Microsoft's server which is attached to your Microsoft account. This can be dangerous to your privacy and security as anyone who gains access to your account, as could an attacker if they were able to gain access to Microsoft's servers or any Law Enforcement could by a Gag order.
</div>

The best way is to go to the Control Panel by searching for it in the Start Menu or from the context menu (right-click) in File Explorer and set it up for all of the drives that you have.
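Review bot: the second sentence of the info admonition is a broken run-on (`This can be dangerous ... as anyone who gains access to your account, as could an attacker if they were able ...`); since the text is being moved anyway, suggest `This can be dangerous to your privacy and security, as anyone who gains access to your Microsoft account can obtain the key, whether an attacker who compromises Microsoft's servers or law enforcement with a gag order.` Also, what Device Encryption uploads to the Microsoft account is the BitLocker recovery key (the 48-digit numerical password), not the volume encryption key; saying `recovery key` here keeps the claim accurate and matches the later paragraph about storing the Recovery Key.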

Expand All @@ -38,8 +46,12 @@ Bitlocker is suggested because of the native implementation by the OS and along

Enable the Following group policies before you start encrypting your drives.

!!! tip
To go to it, search **Group Policy** in the **Windows Search Bar** and press **Enter** or type `gpedit.msc` in ++win+r++. Then, proceed as mentioned below.
<div class="admonition tip" markdown>
<p class="admonition-title">Tip</p>

To go to it, search **Group Policy** in the **Windows Search Bar** and press **Enter** or type `gpedit.msc` in ++win+r++. Then, proceed as mentioned below.

</div>

General Policies :
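Review bot: `To go to it` in the tip has no clear antecedent once the text sits inside its own admonition box; `To open the Group Policy Editor, search **Group Policy** ...` would be self-contained. Minor: `Enable the Following group policies` should be lowercase `following`.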

Expand All @@ -48,7 +60,7 @@ Go to `Computer Configuration` > `Administrative Templates` > `Windows Component
![Encryption & Cipher](/assets/img/windows/Bitlocker%20Group%20Policies/encryption-method-and-cipher.webp)
![Disable DMA](/assets/img/windows/Bitlocker%20Group%20Policies/Disable%20DMA.webp)

For OS drives :
For OS drives :

Go to `Computer Configuration` > `Administrative Templates` > `Windows Components` > `Bitlocker Drive Encryption` > `Operating System Drives`

Expand All @@ -70,36 +82,47 @@ These policies ensure that your drives are encrypted with `XTS-AES-256` Bit encr

### Setting up Pre-boot Authentication

!!! warning "Update your TPM"
Before enabling Bitlocker in your device,It is strongly recommended to update your TPM chip by downloading package only from **OEM** Websites.
<div class="admonition warning" markdown>
<p class="admonition-title">Update your TPM</p>

Before enabling Bitlocker in your device,It is strongly recommended to update your TPM chip by downloading package only from **OEM** Websites.

</div>

As you are using Windows 11, TPM is used to encrypt and decrypt the drive but it is susceptible to [cold boot attacks](https://blog.elcomsoft.com/2021/01/understanding-bitlocker-tpm-protection/). So, it is recommended to use TPM + PIN to protect the drives

After enabling all the group policies above, Go to Control panel and click on Add PIN. It can be alphanumeric if you had enabled the above policies.

You can check if it's enabled by typing `manage-bde -status`. It will normally show in **Key Protectors**: **Numerical Password** (it's the recovery key) and **TPM And PIN**.

??? abstract "Disabling pre-boot Authentication (Not Recommended)"

- open a **terminal** as an **administrator** and type this command `manage-bde -protectors -add c: -TPM`.
- You can again check if it worked by typing `manage-bde -status c:` and it will show you **Numerical Password** and **TPM**
<div class="admonition abstract" markdown>
<p class="admonition-title">Disabling pre-boot Authentication (Not Recommended)</p>

- open a **terminal** as an **administrator** and type this command `manage-bde -protectors -add c: -TPM`.
- You can again check if it worked by typing `manage-bde -status c:` and it will show you **Numerical Password** and **TPM**

</div>

<div class="admonition info" markdown>
<p class="admonition-title">Info</p>

!!! info
The above Group Policy configuration tells the TPM to release the encryption keys after entering PIN instead of releasing it on boot automatically.
The above Group Policy configuration tells the TPM to release the encryption keys after entering PIN instead of releasing it on boot automatically.

Doing this will set a double password. So, you enter the PIN to release the encryption keys from TPM & boot Windows and another credential to unlock your user account.
Doing this will set a double password. So, you enter the PIN to release the encryption keys from TPM & boot Windows and another credential to unlock your user account.

The pre-boot PIN not only protects the OS drive but also other fixed drives used just for storage if bitlocker is enabled for that drive also.
The pre-boot PIN not only protects the OS drive but also other fixed drives used just for storage if bitlocker is enabled for that drive also.

</div>

When you do this, the encryption keys of your drive are only unlocked once you enter the PIN, and the decryption happens after. If you forget or lose the PIN, you won't be able to access your drives and OS anymore, and the only way to recover is using the Recovery Key provided during the initial setup of BitLocker. **Make sure you store it in a safe place**, such as a password manager, and keep backups of your Recovery Key or even use an encrypted USB drive.

The preboot authentication is recommend to avoid data being accessed by removal of user Account passwords by methods like this - https://youtu.be/0gOZoroPNuA and access data even though Bitlocker is enabled and managed by TPM
The preboot authentication is recommend to avoid data being accessed by removal of user Account passwords by methods like this - [How to Reset Windows 11 Password Without Any Software](https://youtu.be/0gOZoroPNuA) and access data even though Bitlocker is enabled and managed by TPM

But when you use TPM + Startup PIN, nobody can restart to load the shell and bypass password. Because you need to enter your PIN to go to the Advanced Startup settings as in the video.

Enabling or not-enabling is up to the user's threat model.

If it's a personal device, Startup PIN + TPM is recommended.
If it's a personal device, Startup PIN + TPM is recommended.
If a family computer, Normal Bitlocker (Managed by TPM) for OS drive is recommended.

It is recommended to encrypt the OS drive at the least. Encrypting secondary drives either via Bitlocker or other encryption tools such as Veracrypt is upto the user's threat model.
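Review bot: the collapsible `??? abstract "Disabling pre-boot Authentication (Not Recommended)"` block is converted to a plain `<div class="admonition abstract">`, so it is now always expanded; if the intent was to keep the not-recommended steps folded away, use `<details class="abstract" markdown>` with a `<summary>` instead of `<div>`. In the moved warning text, `Before enabling Bitlocker in your device,It is strongly recommended ... by downloading package only from **OEM** Websites` needs a space after the comma and should read `downloading packages only from OEM websites`. The change to `If it's a personal device, Startup PIN + TPM is recommended.` appears to be trailing whitespace only; if that is meant as a hard line break before the `If a family computer` line, a two-item list is more robust than trailing spaces that editors strip.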
Expand All @@ -113,13 +136,17 @@ It is recommended to encrypt the OS drive at the least. Encrypting secondary dri
- Just restrict it to the standard account created.

- Set [UAC](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings) settings to the [Highest Privilege](https://support.microsoft.com/en-us/windows/about-user-account-control-settings-d5b2046b-dcb8-54eb-f732-059f321afe18).

- Only use your account for you, if someone needs to use your computer **ALWAYS** create another standard account, even if it's for a one-time use, even if it's your family or someone you trust. This person can plug a malicious USB, can connect to malicious Wi-Fi network, download infectious files, etc... without you knowing about it.

- You might be afraid that the user accessing your device via another User account can access your Internal drive and access critical files violating your privacy. Refer, [Privacy page](windows/privacy/#restrict-access-to-data-drives) on How to restrict access to certain drives only or use EFS on a per-file basis. You can read more about EFS on [Privacy page](privacy.md).

!!! tip
You should ALWAYS do the quick shortcut ++win+l++ to lock your device when you are away to prevent unauthorized access.
<div class="admonition tip" markdown>
<p class="admonition-title">Tip</p>

You should ALWAYS do the quick shortcut ++win+l++ to lock your device when you are away to prevent unauthorized access.

</div>

- If you don't like managing a standard account, then enforce authentication for Administrator accounts too like Standard ones by following the guide by [Wikihow](https://www.wikihow.tech/Require-UAC-Passwords-on-Administrator-Accounts)
- This way, Even administrators need to use Password to approve processes instead of just clicking `Yes` or `No`.
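Review bot: `[Privacy page](windows/privacy/#restrict-access-to-data-drives)` is a relative link to the old `docs/windows/` location; now that the file lives at `docs/os/windows/hardening.md` it should point at `privacy.md#restrict-access-to-data-drives`, matching the `[Privacy page](privacy.md)` link in the same sentence. Minor: `Even administrators` in the last line should be lowercase.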
Expand All @@ -133,7 +160,7 @@ It is recommended to encrypt the OS drive at the least. Encrypting secondary dri

- Windows 11 secures its bootloader by default by using Secure boot with the usage of TPM.

- Windows 10, on the other hand, doesn't come with Secure boot enabled by default except for new devices.
- Windows 10, on the other hand, doesn't come with Secure boot enabled by default except for new devices.

To enable Secure Boot from the PC BIOS menu. Follow this Step-by-Step Instructions by visiting this [documentation](https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/disabling-secure-boot?view=windows-11#re-enable-secure-boot).

Expand All @@ -149,42 +176,55 @@ As there are thousands of PC vendors that produce many models with different UEF

You can also know how to check if it is enabled or not in the guide.

!!! note
System Guard is mostly available on Windows Secured-Core PCs not on regular consumer devices. So, Before enabling it check the requirements of your Device.
<div class="admonition note" markdown>
<p class="admonition-title">Note</p>

System Guard is mostly available on Windows Secured-Core PCs not on regular consumer devices. So, Before enabling it check the requirements of your Device.

</div>

## Protection against Malware and Viruses

- Just use the built-in Windows Defender Security to protect against threats and stick to it. Don't use any other Antivirus or Anti-Malware software [as it can weaken your security and your privacy](https://wonderfall.space/windows-hardening/#microsoft-defender-antivirus).

- [x] **Enable** [Windows Defender in a Sandbox](https://www.microsoft.com/security/blog/2018/10/26/windows-defender-antivirus-can-now-run-in-a-sandbox/) by launching a **terminal** as an **administrator** and copy/paste this command ```setx /M MP_FORCE_USE_SANDBOX 1```. Restart your device and check if there's a process called **MsMpEngCP.exe** by typing `tasklist` in the terminal to verify.

- [ ] Disable Autoplay for devices so that malware hidden in USB don't execute on plugging in
![Disable autoplay](/assets/img/windows/autoplay.webp)
- [x] Enable [Controlled Folder Access](https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-controlled-folders) in Windows defender settings. So, The Important folders you listed for protection doesn't get attacked or held hostage in case of a ransomware attack and also stops apps from accessing your important folders. This could also be used as a firewall for the filesystem such as Choosing the drives in the protected ones. And allowing each app when it request access to your device.

- [x] Enable [Microsoft Defender Application Guard](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview). After installing by going to "[Turn Windows Features on or off](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard)" you can enable it. This runs Microsoft Edge in an Isolated Hyper-V container preventing unknown Malware from damaging the system.

!!! warning
When you use Microsoft Defender Application Guard it bypasses the VPN you are using as when you use WDAG is launching the application in what is essentially a virtual machine, so it bypasses the host, where the VPN is connected.
<div class="admonition warning" markdown>
<p class="admonition-title">Warning</p>

When you use Microsoft Defender Application Guard it bypasses the VPN you are using as when you use WDAG is launching the application in what is essentially a virtual machine, so it bypasses the host, where the VPN is connected.

</div>

- [x] Enable [Memory Integrity](https://support.microsoft.com/en-us/windows/core-isolation-e30ed737-17d8-42f3-a2a9-87521df09b78) (also called Hypervisor-Protected Code Integrity) in Windows Defender settings which will run important system process isolated in an environment that cannot be attacked by viruses & malware.

- [x] Enable `Display File Extensions` as most problems start here.

??? example "Enabling file extension"
On standard Windows settings, Malware can hide itself if the filename is like: `Secure-File.txt.exe`

What you see? A file named `Secure-File.txt`
<div class="admonition example" markdown>
<p class="admonition-title">Enabling file extension</p>

Of course the attacker can add a different icon to the file, so it looks like you open the file type extension you think.
On standard Windows settings, Malware can hide itself if the filename is like: `Secure-File.txt.exe`

And if you open it, the Malware start's.
What you see? A file named `Secure-File.txt`

Just Open the File Explorer's settings and change it to show File Extensions by clicking on `View` > `Show` or by configuring via [Registry Editor](https://github.com/beerisgood/Windows11_Hardening/blob/master/always%20display%20file%20typ%20extension)
Of course the attacker can add a different icon to the file, so it looks like you open the file type extension you think.

And if you open it, the Malware start's.

Just Open the File Explorer's settings and change it to show File Extensions by clicking on `View` > `Show` or by configuring via [Registry Editor](https://github.com/beerisgood/Windows11_Hardening/blob/master/always%20display%20file%20typ%20extension)
</div>

## Apps

- Avoid any types of Cleaning software at all cost. As Microsoft is working on its own implementation specfically designed for windows.
- To Install apps, using the `winget` (Windows Package manager). More details in [Sandboxing page](/windows/sandboxing/#using-winget-to-install-sofwaret)

## Security Improvements

- Use [PeaZip](https://peazip.github.io/) archiver instead of 7-zip as it disables [Mark of the Web(MoW)](https://nolongerset.com/mark-of-the-web-details/) [support by default](https://github.com/nmantani/archiver-MOTW-support-comparison#*2) leading to execution of malicious instantly after extracting.
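Review bot: `[Sandboxing page](/windows/sandboxing/#using-winget-to-install-sofwaret)` is an absolute link to the old `/windows/` path that the move to `docs/os/windows/` breaks; use `sandboxing.md#...` like the index.md links in this commit, and double-check the anchor spelling (`sofwaret`). The `??? example "Enabling file extension"` block has the same collapsible-to-div change as the abstract block above; `<details class="example" markdown>` with a `<summary>` keeps it folded. Typos carried over in the moved text: `the Malware start's` should be `the malware starts`, and `Just Open the File Explorer's settings` should be `Just open File Explorer's settings`.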
Expand All @@ -200,16 +240,21 @@ You can also know how to check if it is enabled or not in the guide.
- Go to `Domain`, `Private` and `Public` network settings
- Scroll and check the box under **Incoming Connections**

!!! warning "A note regarding screen casting"
If you try to cast your screen to another device or cast another device screen to your device via Wireless display (Optional feature). You won't be able to connect the devices. As we have blocked Incoming connections. Miracast (Wireless casting) requires incoming connection to send data back and forth to show the screen on other or vice versa.
<div class="admonition warning" markdown>
<p class="admonition-title">A note regarding screen casting</p>

If you try to cast your screen to another device or cast another device screen to your device via Wireless display (Optional feature). You won't be able to connect the devices. As we have blocked Incoming connections. Miracast (Wireless casting) requires incoming connection to send data back and forth to show the screen on other or vice versa.

If you want to cast, then disable incoming connections in public network and cast your device and block connection again.
If you want to cast, then disable incoming connections in public network and cast your device and block connection again.

There is no problem if you use normal Projection via cable.

</div>

There is no problem if you use normal Projection via cable.
## Keeping your device up-to-date

You should keep your Windows Device up-to-date by enabling automatic updates. It is recommended to do so to keep your device with latest security fixes and new features.

To get information about the latest updates, you can look at the [Windows Release Information](https://docs.microsoft.com/en-us/windows/release-health/windows11-release-information).

It is recommended to stick to driver updates provided via Optional Updates, as they are thoroughly vetted by Microsoft for the stability of your device, and **do not rely on third-party apps for driver updates**. This way, you get the latest updates and security patches for your drivers along with firmware updates as long as your device is supported by the OEM.
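Review bot: `If you want to cast, then disable incoming connections in public network and cast your device and block connection again.` says the opposite of what is meant: the checkbox from the steps above blocks incoming connections, so the step is to temporarily uncheck that option on the Public network profile, cast, and then block incoming connections again. Suggest `If you want to cast, temporarily uncheck the option that blocks incoming connections for the public network, cast, and then block incoming connections again.`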
Expand All @@ -224,4 +269,4 @@ It is recommended to rather rely on Windows updates or first-party apps.
*[FDE]: Full Disk Encryption
*[UAC]: User Account Control
*[WDAG]: Windows Defender Application Guard
*[SRTM]: Static Root-of-Trust Measurement
*[SRTM]: Static Root-of-Trust Measurement
6 changes: 3 additions & 3 deletions docs/os/windows/index.md
Expand Up @@ -12,9 +12,9 @@ You can enhance your privacy and security on Windows without downloading any thi

- Initial Installation (coming soon)
- [Group Policy Settings](group-policies.md)
- Privacy Settings (coming soon)
- Application Sandboxing (coming soon)
- Security Hardening (coming soon)
- [Privacy Settings](privacy.md)
- [Application Sandboxing](sandboxing.md)
- [Security Hardening](hardening.md)

<div class="admonition example" markdown>
<p class="admonition-title">This section is new</p>