Correct configuration

Jonah Aragon 2023-03-27 10:22:23 -05:00
parent 778cd6c22b
commit 0ad0f31086
Signed by: jonah
SSH Key Fingerprint: SHA256:oJSBSFgpWl4g+IwjL96Ya8ocGfI7r6VKnQw+257pZZ0
9 changed files with 48 additions and 23 deletions

View File

@ -109,6 +109,11 @@ nav:
- 'os/android-overview.md'
- 'os/linux-overview.md'
- 'os/qubes-overview.md'
- Windows Overview:
- 'os/windows/index.md'
- 'os/windows/hardening.md'
- 'os/windows/privacy.md'
- 'os/windows/sandboxing.md'
- Advanced Topics:
- 'advanced/dns-overview.md'
- 'advanced/tor-overview.md'
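Review bot: the new `Windows Overview` group is the only nested entry among the OS overviews (the siblings `os/android-overview.md`, `os/linux-overview.md` and `os/qubes-overview.md` are single pages), so its first child `os/windows/index.md` is what the theme will treat as the section landing page; keep it first. Before merging, run `mkdocs build --strict` so that any of the four new paths that does not exist under `docs/` fails the build instead of only logging a nav warning.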

View File

@ -109,6 +109,11 @@ nav:
- 'os/android-overview.md'
- 'os/linux-overview.md'
- 'os/qubes-overview.md'
- Windows Overview:
- 'os/windows/index.md'
- 'os/windows/hardening.md'
- 'os/windows/privacy.md'
- 'os/windows/sandboxing.md'
- "Sujets avancés":
- 'advanced/dns-overview.md'
- 'advanced/tor-overview.md'
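Review bot: the label `Windows Overview` is added in English to this French nav while the entry directly below it is localized (`"Sujets avancés"`), which ships a mixed-language sidebar. Either translate the label here or, if labels in this file come from a translation pipeline, add the string there rather than hard-coding the English.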

View File

@ -113,6 +113,11 @@ nav:
- 'os/android-overview.md'
- 'os/linux-overview.md'
- 'os/qubes-overview.md'
- Windows Overview:
- 'os/windows/index.md'
- 'os/windows/hardening.md'
- 'os/windows/privacy.md'
- 'os/windows/sandboxing.md'
- "נושאים מתקדמים":
- 'advanced/dns-overview.md'
- 'advanced/tor-overview.md'
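Review bot: same localization gap in the Hebrew config: `Windows Overview` is inserted untranslated next to `"נושאים מתקדמים"` (Advanced Topics). Translate the new label or route it through whatever produced the neighbouring Hebrew strings, so the sidebar stays in one language.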

View File

@ -109,6 +109,11 @@ nav:
- 'os/android-overview.md'
- 'os/linux-overview.md'
- 'os/qubes-overview.md'
- Windows Overview:
- 'os/windows/index.md'
- 'os/windows/hardening.md'
- 'os/windows/privacy.md'
- 'os/windows/sandboxing.md'
- Gevorderde onderwerpen:
- 'advanced/dns-overview.md'
- 'advanced/tor-overview.md'
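Review bot: the Dutch config gets the English `Windows Overview` label while the adjacent entry reads `Gevorderde onderwerpen`; localize the new label for consistency with the rest of this nav.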

View File

@ -98,6 +98,11 @@ nav:
- 'os/android-overview.md'
- 'os/linux-overview.md'
- 'os/qubes-overview.md'
- Windows Overview:
- 'os/windows/index.md'
- 'os/windows/hardening.md'
- 'os/windows/privacy.md'
- 'os/windows/sandboxing.md'
- Advanced Topics:
- 'advanced/dns-overview.md'
- 'advanced/tor-overview.md'
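Review bot: this file and the first config in the commit now carry an identical `Windows Overview` block, inserted at different offsets (line 98 here versus 109 there). If both are maintained by hand they will drift on the next nav change; MkDocs' `INHERIT` key (one config inheriting from a base file) would let the nav live in one place.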

View File

@ -7,7 +7,7 @@ icon: material/monitor-lock
If you wish to limit the amount of data Microsoft obtains from your device, an [offline/local account](https://answers.microsoft.com/en-us/windows/forum/all/how-to-create-a-local-or-offline-account-in/95097c32-40c4-48c0-8f3b-3bcb67afaf7c) is **recommended**.
![user-account](/assets/img/windows/user-account.webp)
![user-account](../../assets/img/windows/user-account.webp)
!!! note
Microsoft is pushing users to use Microsoft accounts for other editions except Education and Enterprise after installation.
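Review bot: the change from `/assets/img/windows/user-account.webp` to `../../assets/img/windows/user-account.webp` is the right fix, and the same reasoning applies to every image path hunk below. A root-absolute path is passed through untouched by MkDocs and only resolves when the site is served from `/`, so it breaks under a language prefix or a `site_url` with a subpath; the relative form is resolved against the page's own directory at build time and a missing target is reported during the build. The `../../` depth assumes the page stays two levels below `docs/` (`os/windows/`), so a later move of the page has to update these paths as well.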
@ -20,7 +20,7 @@ For security, it's recommended to set up Windows Hello on all of your accounts b
- [ ] Toggle off all privacy related settings as shown in the image:
![Privacy Settings](/assets/img/windows/privacy-settings.webp)
![Privacy Settings](../../assets/img/windows/privacy-settings.webp)
## Encrypting the Drive
After you have installed Windows, turn on full disk encryption (FDE) using BitLocker via the Control Panel.
@ -30,7 +30,7 @@ After you have installed Windows, turn on full disk encryption (FDE) using BitLo
The best way is to go to the Control Panel by searching for it in the Start Menu or from the context menu (right-click) in File Explorer and set it up for all of the drives that you have.
![Bitlocker in Control Panel](/assets/img/windows/Bitlocker%20Group%20Policies/bitlocker-control%20panel.webp)
![Bitlocker in Control Panel](../../assets/img/windows/Bitlocker%20Group%20Policies/bitlocker-control%20panel.webp)
Bitlocker is suggested because of the native implementation by the OS and along with the usage of hardware to be resistant against encryption flaws.
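Review bot: the relative path now carries percent-encoded spaces in both the directory and the file name (`Bitlocker%20Group%20Policies/bitlocker-control%20panel.webp`). That works, but it depends on every consumer of the Markdown decoding `%20` the same way; renaming the asset directory and files to hyphenated lower-case names (matching `privacy-settings.webp` and `user-account.webp` in the hunks above) removes that dependency and the inconsistent `Bitlocker` capitalization in one go.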
@ -45,8 +45,8 @@ General Policies :
Go to `Computer Configuration` > `Administrative Templates` > `Windows Components` > `Bitlocker Drive Encryption`
![Encryption & Cipher](/assets/img/windows/Bitlocker%20Group%20Policies/encryption-method-and-cipher.webp)
![Disable DMA](/assets/img/windows/Bitlocker%20Group%20Policies/Disable%20DMA.webp)
![Encryption & Cipher](../../assets/img/windows/Bitlocker%20Group%20Policies/encryption-method-and-cipher.webp)
![Disable DMA](../../assets/img/windows/Bitlocker%20Group%20Policies/Disable%20DMA.webp)
For OS drives :
@ -54,17 +54,17 @@ Go to `Computer Configuration` > `Administrative Templates` > `Windows Component
Enable Group policies as in the images below <!--(Check images side by side)--> :
![Enforcing full encryption](/assets/img/windows/Bitlocker%20Group%20Policies/enforce-full-encryption.webp)
![secure boot integrity validation](/assets/img/windows/Bitlocker%20Group%20Policies/Secure-boot-integrity-validation.webp)
![TPM & PIN](/assets/img/windows/Bitlocker%20Group%20Policies/TPM+PIN.webp)
![enhanced PINS](/assets/img/windows/Bitlocker%20Group%20Policies/enhanced-pins.webp)
![Disallow others changing PIN](/assets/img/windows/Bitlocker%20Group%20Policies/disallow-user-from-changing-PIN.webp)
![Enforcing full encryption](../../assets/img/windows/Bitlocker%20Group%20Policies/enforce-full-encryption.webp)
![secure boot integrity validation](../../assets/img/windows/Bitlocker%20Group%20Policies/Secure-boot-integrity-validation.webp)
![TPM & PIN](../../assets/img/windows/Bitlocker%20Group%20Policies/TPM+PIN.webp)
![enhanced PINS](../../assets/img/windows/Bitlocker%20Group%20Policies/enhanced-pins.webp)
![Disallow others changing PIN](../../assets/img/windows/Bitlocker%20Group%20Policies/disallow-user-from-changing-PIN.webp)
For Fixed Drives :
Go to `Computer Configuration` > `Administrative Templates` > `Windows Components` > `Bitlocker Drive Encryption` > `Fixed Data Drives` > `Enforce drive encryption type on fixed data drives`
![Encryption Type](/assets/img/windows/Bitlocker%20Group%20Policies/fixed-drives.webp)
![Encryption Type](../../assets/img/windows/Bitlocker%20Group%20Policies/fixed-drives.webp)
These policies ensure that your drives are encrypted with `XTS-AES-256` Bit encryption, **fully**.
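Review bot: the hunk keeps the authoring note `<!--(Check images side by side)-->` in the source; that is a leftover TODO and should be resolved (lay the images out side by side, or drop the comment) rather than carried along with the path fix. While renaming assets under this directory, also consider `TPM+PIN.webp`: a literal `+` in a URL path is usually served correctly, but some proxies and CDNs decode it as a space, so a hyphen is the safer file name.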
@ -158,7 +158,7 @@ You can also know how to check if it is enabled or not in the guide.
- [x] **Enable** [Windows Defender in a Sandbox](https://www.microsoft.com/security/blog/2018/10/26/windows-defender-antivirus-can-now-run-in-a-sandbox/) by launching a **terminal** as an **administrator** and copy/paste this command ```setx /M MP_FORCE_USE_SANDBOX 1```. Restart your device and check if there's a process called **MsMpEngCP.exe** by typing `tasklist` in the terminal to verify.
- [ ] Disable Autoplay for devices so that malware hidden in USB don't execute on plugging in
![Disable autoplay](/assets/img/windows/autoplay.webp)
![Disable autoplay](../../assets/img/windows/autoplay.webp)
- [x] Enable [Controlled Folder Access](https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-controlled-folders) in Windows defender settings. So, The Important folders you listed for protection doesn't get attacked or held hostage in case of a ransomware attack and also stops apps from accessing your important folders. This could also be used as a firewall for the filesystem such as Choosing the drives in the protected ones. And allowing each app when it request access to your device.
- [x] Enable [Microsoft Defender Application Guard](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview). After installing by going to "[Turn Windows Features on or off](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard)" you can enable it. This runs Microsoft Edge in an Isolated Hyper-V container preventing unknown Malware from damaging the system.
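Review bot: only the `autoplay.webp` path changes here, but the first context line wraps an inline command in triple backticks (```setx /M MP_FORCE_USE_SANDBOX 1```) while `tasklist` on the same line uses single backticks. Markdown renders both as inline code, so this is a style point, but single backticks would keep the file consistent and avoid a reader mistaking the triple fence for a block.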
@ -224,4 +224,4 @@ It is recommended to rather rely on Windows updates or first-party apps.
*[FDE]: Full Disk Encryption
*[UAC]: User Account Control
*[WDAG]: Windows Defender Application Guard
*[SRTM]: Static Root-of-Trust Measurement
*[SRTM]: Static Root-of-Trust Measurement
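Review bot: the only change in this hunk is the trailing newline after `*[SRTM]: Static Root-of-Trust Measurement`; the same end-of-file fix appears twice more in this commit. Fine to take, but an `.editorconfig` with `insert_final_newline = true` (or a pre-commit end-of-file check) would stop these from showing up as noise in content commits.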

View File

@ -9,7 +9,7 @@ You should never sign-in to Windows with a Microsoft account. Signing-in to appl
Its worth noting that according to [this study](https://www.autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/public_version_dutch_dpa_informal_translation_summary_of_investigation_report.pdf) it seems that Windows collects more telemetry when signed into a Microsoft Account.
![Using account for specific app](/assets/img/windows/signin-one-app.webp)
![Using account for specific app](../../assets/img/windows/signin-one-app.webp)
You should log in to that specific app only if you need to.
@ -21,7 +21,7 @@ Create another standard user account and connect it to Microsoft account if you
To disable telemetry at full level, Open Group policy and navigate to `Computer Configuration` > `Administrative Templates` > `Windows Components` > `Data Collection and Preview builds` and choose as required
![Disable telemtry](/assets/img/windows/disable-telemetry.webp)
![Disable telemtry](../../assets/img/windows/disable-telemetry.webp)
The above works only if you use Enterprise or Education edition. If Professional, It will send required (Basic) data.
@ -41,11 +41,11 @@ Disabling full telemtry or sending basic data to Microsoft is totally upto the u
- [ ] Disable in Bing integration in Windows search, by navigating to `Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results`. This way your search queries for local indexed data is not sent to Microsoft.
- [ ] Disable notification in the Lock screen in Windows settings
![Lock screen notification](/assets/img/windows/lock-screen-notifications.webp)
![Lock screen notification](../../assets/img/windows/lock-screen-notifications.webp)
- [ ] Disable Online Speech recognition and Voice activation
![Alt text](/docs/assets/img/windows/online-speech.webp)
![Alt text](/assets/img/windows/voice-activation.webp)
![Alt text](../../assets/img/windows/voice-activation.webp)
- [ ] Disable delivery optimization in Windows Update settings.
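Review bot: this hunk misses one image. `![Alt text](/docs/assets/img/windows/online-speech.webp)` is left unchanged while the `voice-activation.webp` line directly below it is converted to `../../assets/img/windows/voice-activation.webp`. The `/docs/assets/...` prefix is a third path style that points outside the built site, so that image is almost certainly broken in the rendered page; change it to `../../assets/img/windows/online-speech.webp` and give both images a real alt text instead of `Alt text` while you are there.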
@ -63,13 +63,13 @@ To prevent other users from accessing your secondary data drives. Type `gpedit.m
Go to `User Configuration` > `Administrative Templates` > `Windows Components` > `File Explorer` and set the Group Policy as below.
![Restrict-drive](/assets/img/windows/drive-restriction.webp)
![Restrict-drive](../../assets/img/windows/drive-restriction.webp)
The above configuration will restrict other users to the OS drive where Windows is installed. Making total isolation between your Account and other user account.
If it's a shared drive with another person but you don't want the user to access sensitive data then use EFS. EFS encrypts the documents so that the user who encrypted it can only access it and not others.
![EFS](/assets/img/windows/EFS.gif)
![EFS](../../assets/img/windows/EFS.gif)
It is better to export the Private key certificate and store in a safe place so as to use the file later in other devices. To do so,
@ -77,4 +77,4 @@ Press, ++win+r++, Then type `certmgr.msc`, Under `Personal` > `Certificates`. Cl
To import in another device, simply open and install this certificate in that device and choose the above location. Then you can access EFS encrypted files in other system too.
*[EFS]: Encrypted File System
*[EFS]: Encrypted File System

View File

@ -49,11 +49,11 @@ At this point, it is difficult to differentiate between Win32 and UWP apps. To f
When you see an app in store and scroll down to *Additional Information* section and see if it asks for certain permissions like in the image below:
![UWP in store](/assets/img/windows/UWP-in-MS-Store.webp)
![UWP in store](../../assets/img/windows/UWP-in-MS-Store.webp)
If the Win32 App, Microsoft store will explicitly state that it is`Provided and Updated by `****` ` and `Uses all System resources` as in the image below:
![Win32 in store](/assets/img/windows/Win32-in-MS-Store.webp)
![Win32 in store](../../assets/img/windows/Win32-in-MS-Store.webp)
!!! note "Un-sandboxed UWP apps"
Some UWP apps in the store due to the lift of restrictions in Microsoft store developers can submit the app with a property named `runFullTrust` which disables sandboxing of that UWP application and shows that `Uses all System Resources` in *Additional Information* section such as Firefox. By this you can know if a UWP app is sandboxed or not.
@ -144,4 +144,4 @@ Use this at your own Risk !
*[SubDLLs]: Subsystem Dynamic link libraries
*[ntdll.dll]: A core Windows library file that implements functions for interaction with the kernel.
*[WinRT]: Windows Runtime
*[COM]: Component Object Model
*[COM]: Component Object Model