Changes as per Forum discussion - 1

This is done with respect to comment by 128bitpotato - https://discuss.privacyguides.net/t/windows-guide/250/81
Ikel Atomig 2022-12-27 13:07:49 +00:00 committed by Jonah Aragon
parent 10e58c21ff
commit 778cd6c22b
Signed by: jonah
SSH Key Fingerprint: SHA256:oJSBSFgpWl4g+IwjL96Ya8ocGfI7r6VKnQw+257pZZ0
3 changed files with 10 additions and 11 deletions


@ -3,8 +3,6 @@ title: System Hardening
icon: material/monitor-lock
---
If on Win11 be sure that you use it on supported hardware on
## Setting up Windows after Installation
If you wish to limit the amount of data Microsoft obtains from your device, an [offline/local account](https://answers.microsoft.com/en-us/windows/forum/all/how-to-create-a-local-or-offline-account-in/95097c32-40c4-48c0-8f3b-3bcb67afaf7c) is **recommended**.
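Review bot: dropping `If on Win11 be sure that you use it on supported hardware on` is right, since it was an unfinished sentence sitting above the first heading, but after this change the hardening page no longer mentions the hardware requirement at all. It survives only in the `danger` admonition on the editions page (`install it only on supported devices`), so add a one-line pointer to that section here, otherwise a reader who starts on this page never sees it.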
@ -23,22 +21,19 @@ For security, it's recommended to set up Windows Hello on all of your accounts b
- [ ] Toggle off all privacy related settings as shown in the image:
![Privacy Settings](/assets/img/windows/privacy-settings.webp)
## Security
UAC with password
## Encrypting the Drive
After you have installed Windows, turn on full disk encryption (FDE) using BitLocker via the Control Panel.
!!! info "Choosing the Way to Encrypt"
It is recommended to use only the Control Panel because if you go to encrypt via settings app, Microsoft named it as `Device Encryption` and designed it in a way that the encryption keys for BitLocker would be stored on Microsoft's server which is attached to your Microsoft account. This can be dangerous to your privacy and security as Microsoft could easily view your encrypted files, as could an attacker if they were able to gain access to Microsoft's servers or any Law Enforcement could by a Gag order.
It is recommended to use only the Control Panel because if you go to encrypt via settings app, Microsoft named it as `Device Encryption` and designed it in a way that the encryption keys for BitLocker would be stored on Microsoft's server which is attached to your Microsoft account. This can be dangerous to your privacy and security as anyone who gains access to your account, as could an attacker if they were able to gain access to Microsoft's servers or any Law Enforcement could by a Gag order.
The best way is to go to the Control Panel by searching for it in the Start Menu or from the context menu (right-click) in File Explorer and set it up for all of the drives that you have.
![Bitlocker in Control Panel](/assets/img/windows/Bitlocker%20Group%20Policies/bitlocker-control%20panel.webp)
Bitlocker is suggested because of the native implementation by the OS and along with the usage of hardware to be resistant against encryption flaws.
### Security policies for Bitlocker
Enable the Following group policies before you start encrypting your drives.
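Review bot: the rewritten admonition line loses its verb: `as anyone who gains access to your account, as could an attacker ...` never says what that person can do. Suggest `as anyone who gains access to your Microsoft account could recover the key and read your files, as could an attacker who compromised Microsoft's servers, or law enforcement with a gag order`. Two further points in this hunk: with `UAC with password` removed, `## Security` is now immediately followed by `## Encrypting the Drive`, so either drop the empty heading or keep a placeholder bullet; and since the whole argument is about where the recovery key ends up, tell the reader how to check. After enabling BitLocker from the Control Panel, `manage-bde -protectors -get C:` lists the configured key protectors (TPM, numerical password), and the Microsoft account page at https://account.microsoft.com/devices/recoverykey is where a user confirms that no recovery key was uploaded. Finally, removing `Bitlocker is suggested because of the native implementation ...` deletes the only sentence explaining why BitLocker is preferred over third-party tools; if the native TPM integration is the reason, keep one sentence saying so.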
@ -188,7 +183,7 @@ You can also know how to check if it is enabled or not in the guide.
## Apps
- Avoid any types of Cleaning software at all cost.
- Avoid any types of Cleaning software at all cost. As Microsoft is working on its own implementation specfically designed for windows.
- To Install apps, using the `winget` (Windows Package manager). More details in [Sandboxing page](/windows/sandboxing/#using-winget-to-install-sofwaret)
## Security Improvements
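Review bot: the added justification `As Microsoft is working on its own implementation specfically designed for windows.` is a sentence fragment, misspells `specifically`, lowercases `Windows`, and gives no source; a reader cannot act on `Microsoft is working on` anyway. Either cite where Microsoft announced this or state the actual reason such tools are a risk (they typically need administrator rights and rewrite the registry and system files the OS already manages). Suggested wording: `- Avoid all "cleaning" or "optimizer" software. It runs with administrator rights and modifies the registry and system files, which Windows already maintains on its own.` In the unchanged context of the same hunk, the link anchor `#using-winget-to-install-sofwaret` is misspelled and will not resolve if the sandboxing page's heading is spelled correctly.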


@ -30,13 +30,13 @@ With the launch of Windows 11, a lot of [other](https://www.windowscentral.com/o
While using Windows, it is better to select either Windows **Enterprise** Edition or **Education** Edition because it gives more control over the system for hardening it for privacy and security by giving access to stops the OS from sending any Telemetry data using GP Editor.
If you cannot get the above editions, you must opt for **Professional** Edition.
If you cannot get the above editions, you should opt for **Professional** Edition.
#### Editions to avoid
- It is not recommended to use forks or modified versions of Windows such as Windows AME. It should be avoided at all cost. Since modified versions of Windows, such as AME, don't get updates, antivirus programs like Defender can fall out of date or be disabled entirely, opening you up to attacks.
- Windows **Home** edition is **not** recommended as it does not have many advantages that Professional edition provides such as BitLocker Drive Encryption, Hyper-V, Windows Sandbox, etc. It also uploads Bitlocker Encryption keys to Microsoft servers which actually defies the aspect of encryption implemented in a different way.
- Windows **Home** edition is **not** recommended as it does not have many advantages that Professional edition provides such as BitLocker Drive Encryption, Hyper-V, Windows Sandbox, etc. It also uploads Bitlocker Encryption keys to Microsoft servers which actually defies the aspect of the encryption implemented as the key was supposed to be hold by the user.
##### Recommendations
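Review bot: `the key was supposed to be hold by the user` should be `held`, and `defies the aspect of the encryption implemented` is still awkward. Suggest `It also uploads the BitLocker recovery key to Microsoft's servers, which defeats the point of full-disk encryption, since the key is supposed to be held only by the user.` On precision: Home's Device Encryption backs up the recovery key to the linked Microsoft account, so write `recovery key` rather than `Bitlocker Encryption keys`. The `must` to `should` change for Professional reads better, but the unchanged context line above it (`giving access to stops the OS from sending any Telemetry data`) is also broken and worth fixing in the same pass, e.g. `because Group Policy lets you stop the OS from sending telemetry`.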
@ -78,6 +78,8 @@ If you are currently using Pro and want to upgrade to Enterprise. Then, Follow t
!!! danger "Warning"
If you are going to install Windows 11, Then install it only on supported devices and it is not recommended to use tools/scripts that are available online to bypass the requirements which totally breaks the security of Windows 11 which it is aimed for.
Never download **Pirated ISO Files**
*[GP]: Group Policy
*[VBS]: Virtualization-Based Security
*[HVCI]: Hypervisor-Protected Code Integrity
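Review bot: `Never download **Pirated ISO Files**` is not indented under the `danger` admonition, so it renders as a separate paragraph rather than as part of the warning, and it gives the reader no alternative. Indent it under the admonition, lowercase it to `pirated ISO files`, and say what to do instead: download the ISO directly from Microsoft and compare its SHA-256 (`Get-FileHash <path to ISO> -Algorithm SHA256`) against the value Microsoft publishes for that release on the download page.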


@ -7,6 +7,8 @@ icon: material/incognito
You should never sign-in to Windows with a Microsoft account. Signing-in to applications like Microsoft Office (which some users are required to do for their school or company) will trigger a dark pattern offering you to sign in to Windows, which will connect your device to your Microsoft account, and make it easier to send data to Microsoft servers and it is critical to reject this offer.
Its worth noting that according to [this study](https://www.autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/public_version_dutch_dpa_informal_translation_summary_of_investigation_report.pdf) it seems that Windows collects more telemetry when signed into a Microsoft Account.
![Using account for specific app](/assets/img/windows/signin-one-app.webp)
You should log in to that specific app only if you need to.
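Review bot: `Its worth noting` should be `It's worth noting`, and `according to [this study] it seems that` hedges twice while never saying what the source is. The linked PDF is the Dutch Data Protection Authority's summary of its Windows telemetry investigation, so `the Dutch DPA's investigation found that Windows sends more telemetry when signed in to a Microsoft account` is both clearer and easier for the reader to check than `this study`. The unchanged sentence above it is also a run-on (`... make it easier to send data to Microsoft servers and it is critical to reject this offer`); split it so the instruction stands on its own: `It is critical to reject this offer.`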