├── windows-sandbox
│   ├── Tor Browser
│   │   ├── README.md
│   │   └── Tor Browser.wsb
│   └── libreoffice
│       ├── README.md
│       └── LibreOffice.wsb
├── regedits.reg
├── policies
│   ├── Edge
│   │   ├── README.md
│   │   └── Edge.txt
│   ├── windows-only
│   │   ├── user.txt
│   │   ├── README.md
│   │   └── machine.txt
│   ├── testing
│   │   ├── user.txt
│   │   └── machine.txt
│   └── README.md
├── README.md
├── Boot Security
│   └── Readme.md
├── LICENSE
├── WDAC
│   ├── update_policies.ps1
│   └── readme.md
└── guide.md
/windows-sandbox/Tor Browser/README.md:
--------------------------------------------------------------------------------
1 | Example config with Tor Browser
2 |
--------------------------------------------------------------------------------
/regedits.reg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/starchturrets/windows-shenanigans/HEAD/regedits.reg
--------------------------------------------------------------------------------
/policies/Edge/README.md:
--------------------------------------------------------------------------------
1 | Policies for Microsoft Edge; combines debloating with hardening settings.
2 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # windows-shenanigans
2 | Just my notes on how to somewhat improve Windows 11 privacy and security
3 |
4 | Objective: to provide usable, actionable advice for not so advanced users.
5 |
6 | Inspired by:
7 |
8 | https://github.com/beerisgood/Windows11_Hardening
9 |
10 | https://github.com/troennes/private-secure-windows
11 |
12 | Prioritizes security as much as possible wherever that does not come at the cost of privacy.
13 |
14 |
--------------------------------------------------------------------------------
/windows-sandbox/Tor Browser/Tor Browser.wsb:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | C:\Users\Admin\Sandboxing\Tor Browser
5 | C:\Users\WDAGUtilityAccount\Documents\Tor Browser
6 | True
7 |
8 |
9 |
10 |
11 | C:\Users\WDAGUtilityAccount\Documents\Tor Browser\Browser\firefox.exe
12 |
13 | Enable
14 | Enable
15 |
16 |
--------------------------------------------------------------------------------
/windows-sandbox/libreoffice/README.md:
--------------------------------------------------------------------------------
1 | - The LibreOffice MSI is downloaded and stored under `C:\Users\Admin\Sandboxing\Office Apps\LibreOffice\` (you can put it anywhere you want, but make sure to change the directory in the config file, and make sure it reflects your own username).
2 | - The directory is then shared with Windows Sandbox.
3 | - `msiexec.exe /I C:\Users\WDAGUtilityAccount\LibreOffice\LibreOffice_7.5.5_Win_x86-64.msi /quiet` installs the MSI automatically and quietly.
4 | - (`.wsb` files can be edited in Notepad.)
5 | - The `.wsb` file can then be placed in the Desktop folder or opened from Windows Search.
6 |
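The steps above as a complete Windows Sandbox configuration file. This is an added reconstruction, not the repository's own `LibreOffice.wsb` (whose XML tags did not survive on this page); the element names are the Windows Sandbox schema's, the paths and the `msiexec` command are the ones listed above, and the `Networking` and `ProtectedClient` settings at the end are my assumptions about the two settings the page does not name.

```xml
<Configuration>
  <MappedFolders>
    <!-- Host folder holding the MSI, mapped read-only so nothing in the sandbox can alter the installer. -->
    <MappedFolder>
      <HostFolder>C:\Users\Admin\Sandboxing\Office Apps\LibreOffice\</HostFolder>
      <SandboxFolder>C:\Users\WDAGUtilityAccount\LibreOffice\</SandboxFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
    <!-- Downloads mapped writable so documents opened in the sandbox can be saved back.
         Caveat: anything the sandboxed app writes here lands on the host, so keep writable
         mappings to the one folder you actually need. -->
    <MappedFolder>
      <HostFolder>C:\Users\Admin\Downloads\</HostFolder>
      <SandboxFolder>C:\Users\WDAGUtilityAccount\Downloads\</SandboxFolder>
      <ReadOnly>false</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <!-- Runs once the sandbox has booted: silent install of the MSI from the mapped folder. -->
  <LogonCommand>
    <Command>msiexec.exe /I C:\Users\WDAGUtilityAccount\LibreOffice\LibreOffice_7.5.5_Win_x86-64.msi /quiet</Command>
  </LogonCommand>
  <!-- Assumed settings (not recoverable from the page): an office suite used offline does not
       need network access, and ProtectedClient hardens the sandbox's Remote Desktop client. -->
  <Networking>Disable</Networking>
  <ProtectedClient>Enable</ProtectedClient>
</Configuration>
```

The Tor Browser configuration has the same shape with a single read-only mapping and `firefox.exe` as the logon command; it would of course need `Networking` left enabled.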
--------------------------------------------------------------------------------
/windows-sandbox/libreoffice/LibreOffice.wsb:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | C:\Users\Admin\Sandboxing\Office Apps\LibreOffice\
5 | C:\Users\WDAGUtilityAccount\LibreOffice\
6 | True
7 |
8 |
9 | C:\Users\Admin\Downloads\
10 | C:\Users\WDAGUtilityAccount\Downloads\
11 | False
12 |
13 |
14 |
15 | msiexec.exe /I C:\Users\WDAGUtilityAccount\LibreOffice\LibreOffice_7.5.5_Win_x86-64.msi /quiet
16 |
17 |
18 | True
19 |
20 |
--------------------------------------------------------------------------------
/policies/windows-only/user.txt:
--------------------------------------------------------------------------------
1 | ; ----------------------------------------------------------------------
2 | ; PARSING User POLICY
3 | ; Source file: .\user.pol
4 |
5 | User
6 | Software\Policies\Microsoft\Windows\CloudContent
7 | DisableWindowsSpotlightFeatures
8 | DWORD:1
9 |
10 | User
11 | Software\Policies\Microsoft\Windows\CloudContent
12 | DisableTailoredExperiencesWithDiagnosticData
13 | DWORD:1
14 |
15 | User
16 | Software\Policies\Microsoft\Windows\CloudContent
17 | DisableSpotlightCollectionOnDesktop
18 | DWORD:1
19 |
20 | User
21 | Software\Policies\Microsoft\Windows\Explorer
22 | DisableSearchBoxSuggestions
23 | DWORD:1
24 |
25 | User
26 | Software\Policies\Microsoft\Windows\WindowsCopilot
27 | TurnOffWindowsCopilot
28 | DWORD:1
29 |
30 | ; PARSING COMPLETED.
31 | ; ----------------------------------------------------------------------
32 |
--------------------------------------------------------------------------------
/policies/testing/user.txt:
--------------------------------------------------------------------------------
1 | ; ----------------------------------------------------------------------
2 | ; PARSING User POLICY
3 | ; Source file: .\user.pol
4 |
5 | User
6 | Software\Policies\Microsoft\Windows\CloudContent
7 | DisableWindowsSpotlightFeatures
8 | DWORD:1
9 |
10 | User
11 | Software\Policies\Microsoft\Windows\CloudContent
12 | DisableTailoredExperiencesWithDiagnosticData
13 | DWORD:1
14 |
15 | User
16 | Software\Policies\Microsoft\Windows\CloudContent
17 | DisableSpotlightCollectionOnDesktop
18 | DWORD:1
19 |
20 | User
21 | Software\Policies\Microsoft\Windows\Explorer
22 | DisableSearchBoxSuggestions
23 | DWORD:1
24 |
25 | User
26 | Software\Policies\Microsoft\Windows\Explorer
27 | HideRecommendedPersonalizedSites
28 | DWORD:1
29 |
30 | User
31 | Software\Policies\Microsoft\Windows\WindowsCopilot
32 | TurnOffWindowsCopilot
33 | DWORD:1
34 |
35 | ; PARSING COMPLETED.
36 | ; ----------------------------------------------------------------------
37 |
38 |
--------------------------------------------------------------------------------
/Boot Security/Readme.md:
--------------------------------------------------------------------------------
1 | Just my (very rough) notes about boot security on desktop
2 |
3 | # Firmware
4 |
5 | HSTI / HSI Level
6 |
7 | Self-tests that show how well the firmware protects itself. Passing HSTI (see the Device Encryption Support section in msinfo32) means Windows will turn on automatic device encryption upon sign-in to a Microsoft account.
8 |
9 | Linux equivalent is doing `sudo fwupdmgr security` (can also be done on a live USB). Not sure what HSI level HSTI passing is equivalent to - HSI 2?
10 |
11 | # Intel Bootguard / AMD Platform Secure Boot
12 |
13 | # Intel ME / AMD PSP
14 |
15 | # TPMs
16 |
17 | fTPMs vs discrete TPMs, Pluton, uses?
18 |
19 |
20 | TPM uses in a non-enterprise environment:
21 | - Bitlocker
22 | - Windows Hello PIN ratelimiting
23 | - Passkey storage?
24 |
25 | # Secure Boot
26 |
27 | - Trusted certs - Windows vs Microsoft certs, issues with revoking things signed by them (BlackLotus and BootHole respectively)
28 |
29 | # Bitlocker
30 |
31 | PCR 7 binding vs 0, 2, 4, and 11. Explain why firmware updates often lead to recovery screens.
32 |
33 | # OEM Nonsense
33 |
34 | - MSI
35 | - Dell
36 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | MIT License
2 |
3 | Copyright (c) 2023 #1 Powershell Fan
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 |
--------------------------------------------------------------------------------
/policies/windows-only/README.md:
--------------------------------------------------------------------------------
1 | Policies for Windows only, kept relatively minimal. Limits diagnostic data, Spotlight, and Bing nonsense as far as each edition allows. Also turns off Copilot. SmartScreen is left for the individual user to configure, as it is threat-model dependent.
2 |
3 | - Disables required diagnostic data, or, on Pro, prevents the device name from being sent with it
4 | - Disables tailored experiences with diagnostic data (probably redundant, though, since the OOBE already asks this during OS install)
5 | - Disables Bing web search in the Start menu
6 | - Disables Spotlight completely, or only the desktop background slideshows if on Pro (lock screen tips can be disabled manually from Settings)
7 | - Disables annoying notifications if on Enterprise (can be turned off manually from the notification settings if not)
8 | - Disables recovery questions/OOBE so making a new user account is less annoying
9 | - Disables Widgets
10 | - Disables automatic sample submission in Windows Security
11 | - Disables cloud optimized content (annoying pinned apps in the Start menu) for new user accounts
12 | - Disables Windows Plug and Play auto installers (https://www.bleepingcomputer.com/news/microsoft/how-to-block-windows-plug-and-play-auto-installing-insecure-apps/)
13 | - Disables Windows Copilot
14 | - Disables Online Tips in the Settings app
15 | - Disables File Explorer requesting cloud metadata for insights (probably redundant with a local account, but I set it anyway)
16 |
--------------------------------------------------------------------------------
/WDAC/update_policies.ps1:
--------------------------------------------------------------------------------
$FilePaths = "C:\Users\Admin\Group Policies\LGPO", "C:\Users\Admin\AppData\Local\PowerToys"

# One component policy per directory, named after the directory's last path component.
Foreach ($ScanPath in $FilePaths)
{
    $PolicyName = ($ScanPath.Split("\"))[-1]
    Write-Host $PolicyName
    $OutputPath = "C:\Users\Admin\WDAC Experiments\Component Policies\" + $PolicyName + ".xml"

    # FilePublisher rules, falling back to hash rules for unsigned files; -UserPEs scans user-mode binaries.
    # The command is run twice: as noted in readme.md, New-CIPolicy sometimes fails with
    # "An item with the same key has already been added." and succeeds when repeated.
    New-CIPolicy -Level FilePublisher -Fallback Hash -UserPEs -ScanPath $ScanPath -FilePath $OutputPath
    New-CIPolicy -Level FilePublisher -Fallback Hash -UserPEs -ScanPath $ScanPath -FilePath $OutputPath
}

$PoliciesToBeMerged = (Get-ChildItem "C:\Users\Admin\WDAC Experiments\Component Policies\*.xml").FullName

Merge-CIPolicy -PolicyPaths $PoliciesToBeMerged -OutputFilePath 'C:\Users\Admin\WDAC Experiments\MergedPolicy.xml'

# Option 3 = Enabled:Audit Mode (deleted so the policy enforces), option 4 = Disabled:Flight Signing.
Set-RuleOption -FilePath 'C:\Users\Admin\WDAC Experiments\MergedPolicy.xml' -Option 3 -Delete
Set-RuleOption -FilePath 'C:\Users\Admin\WDAC Experiments\MergedPolicy.xml' -Option 4
Set-HVCIOptions -Strict -FilePath 'C:\Users\Admin\WDAC Experiments\MergedPolicy.xml'

# The binary policy has to be named after the PolicyID GUID for CiTool to pick it up.
[xml] $XmlFile = Get-Content "C:\Users\Admin\WDAC Experiments\MergedPolicy.xml"
$PolicyID = $XmlFile.SiPolicy.PolicyID

# Conversion and deployment are left commented out so the merged XML can be reviewed first.
# ConvertFrom-CIPolicy -XmlFilePath "C:\Users\Admin\WDAC Experiments\MergedPolicy.xml" -BinaryFilePath "C:\Users\Admin\WDAC Experiments\$PolicyID.cip"

# citool.exe --update-policy "C:\Users\Admin\WDAC Experiments\$PolicyID.cip"
--------------------------------------------------------------------------------
/policies/README.md:
--------------------------------------------------------------------------------
1 | # Group Policy deployment with LGPO
2 |
3 | Since it is a pain to configure a lot of group policies manually, here is a way to apply them automatically.
4 |
5 | 1. Download and extract the policies.zip from the releases section.
6 | 2. Open the policies directory in an elevated PowerShell terminal.
7 | 3. Read through the `machine.txt` and `user.txt` files to see what settings are being applied.
8 | 4. You can verify that `LGPO.exe` is legitimate by right-clicking it and checking the digital signature, but if you don't trust me you can download it from [Microsoft](https://www.microsoft.com/en-US/download/details.aspx?id=55319) (click on Download and select LGPO.zip).
9 | 5. Build the policy files by running
10 | ```
11 | .\LGPO.exe /r .\machine.txt /w .\machine.pol
12 | .\LGPO.exe /r .\user.txt /w .\user.pol
13 | ```
14 | 6. Apply the policies by running
15 | ```
16 | .\LGPO.exe /m .\machine.pol
17 | .\LGPO.exe /u .\user.pol
18 | ```
19 | (If you want to apply policies for Microsoft Edge just repeat the above steps, but with Edge.txt instead of machine.txt).
20 |
21 | 7. Reboot
22 |
23 | There are three settings that are not set by this for various reasons:
24 |
25 | - Disabling of smartscreen in Microsoft Edge settings (needs a domain joined device to apply).
26 | - Get Notifications of related things you can explore with Discover in Microsoft Edge settings (doesn't have a group policy available).
27 | - Disabling of Windows Media Player autofetching metadata (I forgot to include it).
28 |
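An added check for the procedure above (example code, not part of this repository): after `LGPO.exe /m` or `/u` and a reboot, it reads the same `machine.txt` or `user.txt` and confirms that every setting actually landed in the registry. It assumes an elevated PowerShell opened in the policies directory; the four-line record layout (scope, key, value name, `TYPE:data`) is the one these text files use.

```powershell
# Example (not part of the repo): verify that the settings in an LGPO text file are
# present in the registry, e.g.  .\Test-LgpoPolicy.ps1 -PolicyText .\machine.txt
param(
    [string]$PolicyText = ".\machine.txt"
)

function Get-LgpoRecords {
    param([string]$Path)
    # Comment lines start with ';' and blank lines separate records; what remains is a
    # multiple of four lines: scope, registry key, value name, type:data.
    $lines = @(Get-Content -Path $Path | Where-Object { $_ -notmatch '^\s*;' -and $_.Trim() -ne '' })
    for ($i = 0; $i + 3 -lt $lines.Count; $i += 4) {
        $hive = switch ($lines[$i].Trim()) {
            'Computer' { 'HKLM:' }
            'User'     { 'HKCU:' }
            default    { throw "Unknown scope '$($lines[$i])' in $Path" }
        }
        # "DWORD:1", "SZ:redirect", or a bare action such as "DELETE"
        $type, $data = $lines[$i + 3].Trim() -split ':', 2
        [pscustomobject]@{
            Key  = Join-Path $hive $lines[$i + 1].Trim()
            Name = $lines[$i + 2].Trim()
            Type = $type
            Data = $data
        }
    }
}

function Test-LgpoRecord {
    param($Record)
    # Get-ItemProperty errors when the key or value is absent; treat that as "not set".
    $item   = Get-ItemProperty -Path $Record.Key -Name $Record.Name -ErrorAction SilentlyContinue
    $actual = if ($item) { $item.($Record.Name) } else { $null }
    $result = switch ($Record.Type) {
        'DWORD'  { ($null -ne $actual) -and ([int]$actual -eq [int]$Record.Data) }
        'SZ'     { ($null -ne $actual) -and ([string]$actual -eq $Record.Data) }
        'DELETE' { $null -eq $actual }   # the value must not exist
        default  { $null }               # other LGPO actions are not checked here
    }
    [pscustomobject]@{
        Key      = $Record.Key
        Name     = $Record.Name
        Expected = if ($Record.Type -eq 'DELETE') { '<absent>' } else { $Record.Data }
        Actual   = if ($null -eq $actual) { '<absent>' } else { $actual }
        Applied  = $result
    }
}

$results = @(Get-LgpoRecords -Path $PolicyText | ForEach-Object { Test-LgpoRecord $_ })
$results | Format-Table -AutoSize
$missing = @($results | Where-Object { $_.Applied -eq $false })
Write-Host "$($results.Count) settings checked, $($missing.Count) not applied."
```

Settings reported as not applied are usually ones a lower edition ignores (for example `AllowTelemetry` on Home), so compare the list against the per-edition notes in `windows-only/README.md` before assuming LGPO failed.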
--------------------------------------------------------------------------------
/policies/windows-only/machine.txt:
--------------------------------------------------------------------------------
1 | ; ----------------------------------------------------------------------
2 | ; PARSING Computer POLICY
3 | ; Source file: .\machine.pol
4 |
5 | Computer
6 | SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
7 | AllowOnlineTips
8 | DWORD:0
9 |
10 | Computer
11 | SOFTWARE\Policies\Microsoft\Dsh
12 | AllowNewsAndInterests
13 | DWORD:0
14 |
15 | Computer
16 | SOFTWARE\Policies\Microsoft\Windows\CloudContent
17 | DisableWindowsConsumerFeatures
18 | DWORD:1
19 |
20 | Computer
21 | SOFTWARE\Policies\Microsoft\Windows\CloudContent
22 | DisableCloudOptimizedContent
23 | DWORD:1
24 |
25 | Computer
26 | SOFTWARE\Policies\Microsoft\Windows\DataCollection
27 | AllowDeviceNameInTelemetry
28 | DWORD:0
29 |
30 | Computer
31 | SOFTWARE\Policies\Microsoft\Windows\DataCollection
32 | AllowTelemetry
33 | DWORD:0
34 |
35 | Computer
36 | SOFTWARE\Policies\Microsoft\Windows\Device Metadata
37 | PreventDeviceMetadataFromNetwork
38 | DWORD:1
39 |
40 | Computer
41 | SOFTWARE\Policies\Microsoft\Windows\Explorer
42 | DisableGraphRecentItems
43 | DWORD:1
44 |
45 | Computer
46 | SOFTWARE\Policies\Microsoft\Windows\OOBE
47 | DisablePrivacyExperience
48 | DWORD:1
49 |
50 | Computer
51 | SOFTWARE\Policies\Microsoft\Windows\System
52 | NoLocalPasswordResetQuestions
53 | DWORD:1
54 |
55 | Computer
56 | SOFTWARE\Policies\Microsoft\Windows Defender\Spynet
57 | SubmitSamplesConsent
58 | DWORD:2
59 |
60 | ; PARSING COMPLETED.
61 | ; ----------------------------------------------------------------------
62 |
63 |
--------------------------------------------------------------------------------
/policies/testing/machine.txt:
--------------------------------------------------------------------------------
1 | ; ----------------------------------------------------------------------
2 | ; PARSING Computer POLICY
3 | ; Source file: .\machine.pol
4 |
5 | Computer
6 | SOFTWARE\Policies\Microsoft\Dsh
7 | AllowNewsAndInterests
8 | DWORD:0
9 |
10 | Computer
11 | SOFTWARE\Policies\Microsoft\Windows\CloudContent
12 | DisableWindowsConsumerFeatures
13 | DWORD:1
14 |
15 | Computer
16 | SOFTWARE\Policies\Microsoft\Windows\CloudContent
17 | DisableCloudOptimizedContent
18 | DWORD:1
19 |
20 | Computer
21 | SOFTWARE\Policies\Microsoft\Windows\DataCollection
22 | AllowDeviceNameInTelemetry
23 | DWORD:0
24 |
25 | Computer
26 | SOFTWARE\Policies\Microsoft\Windows\DataCollection
27 | AllowTelemetry
28 | DWORD:0
29 |
30 | Computer
31 | SOFTWARE\Policies\Microsoft\Windows\Device Metadata
32 | PreventDeviceMetadataFromNetwork
33 | DWORD:1
34 |
35 |
36 | Computer
37 | SOFTWARE\Policies\Microsoft\Windows\DeviceGuard
38 | ConfigureSystemGuardLaunch
39 | DWORD:0
40 |
41 |
42 | Computer
43 | SOFTWARE\Policies\Microsoft\Windows\Explorer
44 | HideRecommendedPersonalizedSites
45 | DWORD:1
46 |
47 | Computer
48 | SOFTWARE\Policies\Microsoft\Windows\GameDVR
49 | AllowGameDVR
50 | DWORD:0
51 |
52 | Computer
53 | SOFTWARE\Policies\Microsoft\Windows\OOBE
54 | DisablePrivacyExperience
55 | DWORD:1
56 |
57 | Computer
58 | SOFTWARE\Policies\Microsoft\Windows\System
59 | NoLocalPasswordResetQuestions
60 | DWORD:1
61 |
62 | Computer
63 | SOFTWARE\Policies\Microsoft\Windows\Windows Search
64 | DisableWebSearch
65 | DWORD:1
66 |
67 | Computer
68 | SOFTWARE\Policies\Microsoft\Windows\Windows Search
69 | ConnectedSearchUseWeb
70 | DWORD:0
71 |
72 | Computer
73 | SOFTWARE\Policies\Microsoft\Windows\Windows Search
74 | AllowCortana
75 | DWORD:0
76 |
77 | Computer
78 | SOFTWARE\Policies\Microsoft\Windows\Windows Search
79 | AllowCloudSearch
80 | DELETE
81 |
82 | Computer
83 | SOFTWARE\Policies\Microsoft\Windows\Windows Search
84 | AllowSearchToUseLocation
85 | DWORD:0
86 |
87 | Computer
88 | SOFTWARE\Policies\Microsoft\Windows Defender\Spynet
89 | SubmitSamplesConsent
90 | DWORD:2
91 |
92 |
93 |
94 | ; PARSING COMPLETED.
95 | ; ----------------------------------------------------------------------
96 |
97 |
--------------------------------------------------------------------------------
/policies/Edge/Edge.txt:
--------------------------------------------------------------------------------
1 | ; ----------------------------------------------------------------------
2 | ; PARSING Computer POLICY
3 | ; Source file: .\{0FCFDC10-36ED-4089-87D9-E7E13038DA18}\DomainSysvol\GPO\Machine\registry.pol
4 |
5 | Computer
6 | SOFTWARE\Policies\Microsoft\Edge
7 | BrowserSignin
8 | DWORD:0
9 |
10 | Computer
11 | SOFTWARE\Policies\Microsoft\Edge
12 | EdgeEDropEnabled
13 | DWORD:0
14 |
15 | Computer
16 | SOFTWARE\Policies\Microsoft\Edge
17 | EdgeEnhanceImagesEnabled
18 | DWORD:0
19 |
20 | Computer
21 | SOFTWARE\Policies\Microsoft\Edge
22 | EdgeFollowEnabled
23 | DWORD:0
24 |
25 | Computer
26 | SOFTWARE\Policies\Microsoft\Edge
27 | EdgeShoppingAssistantEnabled
28 | DWORD:0
29 |
30 | Computer
31 | SOFTWARE\Policies\Microsoft\Edge
32 | HubsSidebarEnabled
33 | DWORD:0
34 |
35 | Computer
36 | SOFTWARE\Policies\Microsoft\Edge
37 | RendererAppContainerEnabled
38 | DWORD:1
39 |
40 | Computer
41 | SOFTWARE\Policies\Microsoft\Edge
42 | RendererCodeIntegrityEnabled
43 | DWORD:1
44 |
45 | Computer
46 | SOFTWARE\Policies\Microsoft\Edge
47 | ShowMicrosoftRewards
48 | DWORD:0
49 |
50 | Computer
51 | SOFTWARE\Policies\Microsoft\Edge
52 | ShowRecommendationsEnabled
53 | DWORD:0
54 |
55 | Computer
56 | SOFTWARE\Policies\Microsoft\Edge
57 | AudioSandboxEnabled
58 | DWORD:1
59 |
60 | Computer
61 | SOFTWARE\Policies\Microsoft\Edge
62 | ForceSync
63 | DWORD:0
64 |
65 | Computer
66 | SOFTWARE\Policies\Microsoft\Edge
67 | AddressBarMicrosoftSearchInBingProviderEnabled
68 | DWORD:0
69 |
70 | Computer
71 | SOFTWARE\Policies\Microsoft\Edge
72 | CryptoWalletEnabled
73 | DWORD:0
74 |
75 | Computer
76 | SOFTWARE\Policies\Microsoft\Edge
77 | NewPDFReaderEnabled
78 | DWORD:1
79 |
80 | Computer
81 | SOFTWARE\Policies\Microsoft\Edge
82 | PersonalizationReportingEnabled
83 | DWORD:0
84 |
85 | Computer
86 | SOFTWARE\Policies\Microsoft\Edge
87 | TabServicesEnabled
88 | DWORD:0
89 |
90 | Computer
91 | SOFTWARE\Policies\Microsoft\Edge
92 | TranslateEnabled
93 | DWORD:0
94 |
95 | Computer
96 | SOFTWARE\Policies\Microsoft\Edge
97 | NewTabPageQuickLinksEnabled
98 | DWORD:0
99 |
100 | Computer
101 | SOFTWARE\Policies\Microsoft\Edge
102 | ShowAcrobatSubscriptionButton
103 | DWORD:0
104 |
105 | Computer
106 | SOFTWARE\Policies\Microsoft\Edge
107 | NewTabPageAllowedBackgroundTypes
108 | DWORD:3
109 |
110 | Computer
111 | SOFTWARE\Policies\Microsoft\Edge
112 | NewTabPageContentEnabled
113 | DWORD:0
114 |
115 | Computer
116 | SOFTWARE\Policies\Microsoft\Edge
117 | AccessibilityImageLabelsEnabled
118 | DWORD:0
119 |
120 | Computer
121 | SOFTWARE\Policies\Microsoft\Edge
122 | AlternateErrorPagesEnabled
123 | DWORD:0
124 |
125 | Computer
126 | SOFTWARE\Policies\Microsoft\Edge
127 | AutofillMembershipsEnabled
128 | DWORD:0
129 |
130 | Computer
131 | SOFTWARE\Policies\Microsoft\Edge
132 | DefaultBrowserSettingsCampaignEnabled
133 | DWORD:0
134 |
135 | Computer
136 | SOFTWARE\Policies\Microsoft\Edge
137 | EdgeWalletCheckoutEnabled
138 | DWORD:0
139 |
140 | Computer
141 | SOFTWARE\Policies\Microsoft\Edge
142 | HideFirstRunExperience
143 | DWORD:1
144 |
145 | Computer
146 | SOFTWARE\Policies\Microsoft\Edge
147 | PaymentMethodQueryEnabled
148 | DWORD:0
149 |
150 | Computer
151 | SOFTWARE\Policies\Microsoft\Edge
152 | VisualSearchEnabled
153 | DWORD:0
154 |
155 | Computer
156 | SOFTWARE\Policies\Microsoft\Edge
157 | SpotlightExperiencesAndRecommendationsEnabled
158 | DWORD:0
159 |
160 | Computer
161 | SOFTWARE\Policies\Microsoft\Edge
162 | ShowPDFDefaultRecommendationsEnabled
163 | DWORD:0
164 |
165 | Computer
166 | SOFTWARE\Policies\Microsoft\Edge
167 | DefaultShareAdditionalOSRegionSetting
168 | DWORD:2
169 |
170 | Computer
171 | SOFTWARE\Policies\Microsoft\Edge
172 | ComposeInlineEnabled
173 | DWORD:0
174 |
175 | Computer
176 | SOFTWARE\Policies\Microsoft\Edge
177 | PromotionalTabsEnabled
178 | DWORD:0
179 |
180 | Computer
181 | SOFTWARE\Policies\Microsoft\Edge
182 | RelatedMatchesCloudServiceEnabled
183 | DWORD:0
184 |
185 | Computer
186 | SOFTWARE\Policies\Microsoft\Edge
187 | WalletDonationEnabled
188 | DWORD:0
189 |
190 | Computer
191 | SOFTWARE\Policies\Microsoft\Edge
192 | NewTabPageSearchBox
193 | SZ:redirect
194 |
195 | Computer
196 | SOFTWARE\Policies\Microsoft\Edge
197 | NewTabPageHideDefaultTopSites
198 | DWORD:1
199 |
200 | Computer
201 | SOFTWARE\Policies\Microsoft\Edge
202 | NewTabPageManagedQuickLinks
203 | DELETE
204 |
205 | Computer
206 | SOFTWARE\Policies\Microsoft\Edge
207 | DefaultJavaScriptJitSetting
208 | DWORD:2
209 |
210 | Computer
211 | SOFTWARE\Policies\Microsoft\Edge
212 | TrackingPrevention
213 | DWORD:3
214 |
215 | Computer
216 | SOFTWARE\Policies\Microsoft\Edge
217 | BlockThirdPartyCookies
218 | DWORD:1
219 |
220 | Computer
221 | SOFTWARE\Policies\Microsoft\Edge
222 | NewTabPageAppLauncherEnabled
223 | DWORD:0
224 |
225 | Computer
226 | SOFTWARE\Policies\Microsoft\Edge
227 | AutomaticHttpsDefault
228 | DWORD:2
229 |
230 | Computer
231 | SOFTWARE\Policies\Microsoft\Edge
232 | EdgeWalletEtreeEnabled
233 | DWORD:0
234 |
235 | Computer
236 | SOFTWARE\Policies\Microsoft\Edge
237 | MicrosoftEditorProofingEnabled
238 | DWORD:0
239 |
240 | Computer
241 | SOFTWARE\Policies\Microsoft\Edge
242 | EdgeCollectionsEnabled
243 | DWORD:0
244 |
245 | Computer
246 | SOFTWARE\Policies\Microsoft\Edge
247 | TextPredictionEnabled
248 | DWORD:0
249 |
250 | Computer
251 | SOFTWARE\Policies\Microsoft\Edge\Recommended
252 | TyposquattingCheckerEnabled
253 | DWORD:0
254 |
255 | Computer
256 | SOFTWARE\Policies\Microsoft\Edge\Recommended
257 | NewTabPageManagedQuickLinks
258 | DELETE
259 |
260 | Computer
261 | SOFTWARE\Policies\Microsoft\Edge\Recommended
262 | BlockThirdPartyCookies
263 | DWORD:1
264 |
265 | Computer
266 | SOFTWARE\Policies\Microsoft\Edge\Recommended
267 | SiteSafetyServicesEnabled
268 | DWORD:0
269 |
270 | Computer
271 | SOFTWARE\Policies\Microsoft\Edge\Recommended
272 | QuickSearchShowMiniMenu
273 | DWORD:0
274 |
275 |
276 |
277 | ; PARSING COMPLETED.
278 | ; ----------------------------------------------------------------------
279 |
280 |
--------------------------------------------------------------------------------
/WDAC/readme.md:
--------------------------------------------------------------------------------
1 | # (Draft) Creating a relatively simple WDAC Policy
2 |
3 | These are just my notes after overhauling the WDAC Policy I currently use. Very much a WIP and might well have mistakes in it.
4 |
5 | My scenario is similar to that outlined in https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/create-wdac-policy-for-fully-managed-devices
6 |
7 | The Wizard offers three base templates, with varying levels of trust:
8 |
9 | 1. Default Windows Mode
10 | - Windows OS Components
11 | - Microsoft Store Applications
12 | - Office 365, OneDrive, Teams
13 | - WHQL Signed Kernel Drivers
14 | 2. Allow Microsoft Mode
15 | - Windows OS Components
16 | - Microsoft Store Applications
17 | - Office 365, OneDrive, Teams
18 | - WHQL Signed Kernel Drivers
19 | - All Microsoft signed applications (that is, apps such as PowerToys or sysinternals that are not included with Windows but are still from Microsoft)
20 | 3. Signed And Reputable Mode
21 | - Windows OS Components
22 | - Microsoft Store Applications
23 | - Office 365, OneDrive, Teams
24 | - WHQL Signed Kernel Drivers
25 | - All Microsoft signed applications
26 | - Files with good reputation using ISG (Intelligent Security Graph, basically what is used in SAC to determine if an app is trustworthy without having it explicitly deny/allowlisted)
27 |
28 | There is a tradeoff between trust and usability. I would recommend using the third base template, as it offers the most usability (and the benefits of SAC) while still allowing you to allowlist falsely blocked files.
29 |
30 | I personally selected the Default Windows Mode base template.
31 |
32 | This isn't perfect (Microsoft signed binaries can and have been abused to circumvent WDAC policies, as well as vulnerable drivers), but it's a good start. From testing on my own system (HP Pavilion Aero 13, Intel) nothing major seems to break with this template, but issues have been reported on AMD systems due to their wonky driver signing (note: add source!). I am also not sure how well this works with custom built PCs. Have your Bitlocker recovery key handy just in case.
33 |
34 | Install the WDAC Wizard from Microsoft: https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/wdac-wizard#downloading-the-application
35 |
36 | It's probably a good idea to tick on these two options in the application settings:
37 |
38 | - [ ] Create policies With Microsoft's Recommended Block Rules
39 | - [ ] Create policies With Microsoft's Recommended Driver Block Rules
40 |
41 | These should somewhat limit abusable Microsoft executables and vulnerable drivers, although there have been major issues with this in the past (Note: link article about Microsoft not updating the HVCI list for two years for some reason). A purely allowlist driver policy would be even better than playing whack-a-mole with denylisting, but I haven't done this myself yet.
42 |
43 | Note: WSL is unfortunately blocked by WDAC as it is a possible bypass method.
44 |
45 | Create a base policy in the multiple template format and select the directory to which it should be saved.
46 |
47 | After clicking next, toggle the following options:
48 |
49 | - Enforce Store Applications
50 | - Hypervisor Protected Code Integrity
51 | - Require WHQL
52 | - Disable Flight Signing
53 | - Require EV Signers
54 | - Audit mode off
55 |
56 | If you are on a system you are unsure will function properly with WDAC, enable the Boot Audit on Failure option.
57 |
58 | On the next screen, you can add custom rules yourself. I recommend blocking cmd.exe (found in `C:\Windows\System32` as well as `C:\Windows\SysWOW64`) by hash, as .bat/.cmd scripts are not restricted the way PowerShell scripts are (executables a .bat/.cmd script attempts to call will still be restricted, however). The Next button will then generate the policy as well as the binary (which should be a `.cip` file). In my experience, if converting a policy outputs a `SiPolicy.p7b` file, something has gone wrong.
59 |
60 | Don't apply it just yet, as you also need to generate policies for your third party applications. In my case, these were the programs that weren't already trusted by the base policy:
61 |
62 | - Firefox
63 | - Powertoys
64 | - Tor Browser
65 | - Powershell 7
66 |
67 | While it is possible to use the Wizard and manually add rules from the event log, this is a pain in my experience. It is also relatively easy to create file path rules, but this is a potential risk should an attacker be able to drop a malicious executable into an allowlisted directory. I have had good results by finding the directory where the program is installed (right-click the Start menu shortcut and check its properties to see where the executable is), opening it in an elevated PowerShell, and running
68 |
69 | ```
70 | New-CIPolicy -Level FilePublisher -Fallback Hash -UserPEs -ScanPath .\ -FilePath C:\Users\Username\Documents\app.xml
71 | ```
72 | This will generate a new supplemental policy that you can merge with your base policy. If you get the error `An item with the same key has already been added.`, simply run the command again.
74 |
75 | https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/select-types-of-rules-to-create
76 | https://learn.microsoft.com/en-us/powershell/module/configci/new-cipolicy?view=windowsserver2022-ps
77 |
78 | - `-Level FilePublisher` trusts specific files from the specified publisher, with a version at or above the specified version number.
79 | - Since companies are not the best about consistently signing files, `-Fallback Hash` falls back to hash rules (these are invalidated after an update, so regenerate your rules afterwards). Depending on the app, you may not need this. Firefox, for example, doesn't appear to need many hash rules, and upgrading in place does not require a new policy in my experience. Tor Browser, on the other hand, has a lot of unsigned files and is heavily dependent on hash rules.
80 | - `-ScanPath` is the directory to be scanned.
81 | - `-UserPEs` means that the generated policy covers user-mode executables, not drivers.
82 | - `-FilePath` determines where the generated policy will be placed.
83 |
84 | Open the generated XML in Notepad and remove the audit mode rule.
85 |
86 | Once you have done this for all the programs you wish to allowlist, you can then merge them all in the WDAC Wizard. In my case I had to manually edit the merged policy and re-enable the HVCI and Disable Flight Signing options for some reason.
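Because both of the hand edits above (removing the audit mode rule, restoring the HVCI and Flight Signing options) are easy to miss in a large merged XML, here is an added check that reads a policy and reports them, along with how many of its file rules are hash rules versus FilePublisher rules. This is example code written for these notes, not part of the repository or the WDAC tooling; it assumes only the standard `SiPolicy` XML layout that `New-CIPolicy` and the Wizard produce, and the path passed in is a placeholder.

```powershell
# Example (not part of the repo): summarise a WDAC policy XML before converting it to a .cip,
# e.g.  .\Get-WdacPolicySummary.ps1 -PolicyPath 'C:\path\to\MergedPolicy.xml'
param(
    [Parameter(Mandatory = $true)]
    [string]$PolicyPath
)

function Get-WdacPolicySummary {
    param([string]$Path)
    [xml]$xml = Get-Content -Path $Path -Raw
    $policy = $xml.SiPolicy

    # Rule options are plain strings such as "Enabled:Audit Mode" (option 3) or
    # "Disabled:Flight Signing" (option 4), the same numbers Set-RuleOption -Option uses.
    $options = @($policy.Rules.Rule | ForEach-Object { $_.Option })

    # <Allow ... Hash="..."/> entries are hash rules; <FileAttrib> entries carry the file name and
    # minimum version that FilePublisher rules reference from <Signer> elements.
    $hashRules   = @($policy.FileRules.Allow | Where-Object { $_.Hash })
    $fileAttribs = @($policy.FileRules.FileAttrib)
    $signers     = @($policy.Signers.Signer)

    [pscustomobject]@{
        PolicyID          = $policy.PolicyID
        PolicyType        = $policy.PolicyType
        AuditMode         = $options -contains 'Enabled:Audit Mode'
        FlightSigningOff  = $options -contains 'Disabled:Flight Signing'
        RequireWhql       = $options -contains 'Required:WHQL'
        RequireEvSigners  = $options -contains 'Required:EV Signers'
        HvciOptions       = [int]$policy.HvciOptions   # 0 = off, 1 = enabled, 2 = strict
        HashRuleCount     = $hashRules.Count
        FileAttribCount   = $fileAttribs.Count
        SignerCount       = $signers.Count
    }
}

$summary = Get-WdacPolicySummary -Path $PolicyPath
$summary | Format-List

$warnings = @()
if ($summary.AuditMode) {
    $warnings += 'Enabled:Audit Mode is still present: blocks will only be logged, not enforced.'
}
if (-not $summary.FlightSigningOff) {
    $warnings += 'Disabled:Flight Signing is missing; re-add it (Set-RuleOption -Option 4).'
}
if ($summary.HvciOptions -ne 2) {
    $warnings += "HvciOptions is $($summary.HvciOptions), not 2 (Strict); see Set-HVCIOptions -Strict."
}
if ($summary.HashRuleCount -gt $summary.FileAttribCount) {
    $warnings += 'More hash rules than publisher rules: expect to regenerate this policy after the app updates.'
}
if ($warnings) { $warnings | ForEach-Object { Write-Warning $_ } } else { Write-Host 'No issues found.' }
```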
87 |
88 | You can apply the policy by opening an elevated PowerShell, navigating to the directory where it's stored, and running `CiTool.exe --update-policy ".\{GUID}.cip"` (tab autocomplete is very helpful for this).
89 |
90 | To deactivate a policy (such as when running `winget upgrade --all`), run `CiTool.exe --remove-policy "{GUID}"` in an elevated PowerShell. You can then reboot to enforce the change.
91 |
92 | If you want to temporarily turn a policy off without rebooting, use the Wizard to place it in audit mode and run `CiTool.exe --update-policy ".\{GUID}.cip"` again.
93 |
94 |
95 |
--------------------------------------------------------------------------------
/guide.md:
--------------------------------------------------------------------------------
1 | # Configuring Windows 11 Pro/Enterprise
2 |
3 | (Read the whole guide before going through with it please!)
4 | Disclaimer: I am not a security researcher, I simply read documentation, played around a bit with VMs, and talked to people in various privsec matrix channels. This is by no means comprehensive and/or a guarantee of privacy and security on Windows, as it is very much still a Work in Progress.
5 |
6 | ## Things to note before installing
7 |
8 | - [ ] Does your hardware officially support Windows 11? Even if supported, certain features in the firmware settings on some older devices, such as TPM, secure boot, or virtualization support, may be disabled by default and must be toggled on. [Look for a "PTT" setting for Intel devices and "fTPM" for AMD ones.](https://nitter.woodland.cafe/dwizzzleMSFT/status/1408144290954366976#m) While it is technically possible to [bypass the requirements and install on unsupported hardware](https://support.microsoft.com/en-us/windows/installing-windows-11-on-devices-that-don-t-meet-minimum-system-requirements-0b2dc4a2-5933-4ad4-9c09-ef0a331518f1), you may want to consider a Linux distro.
9 | - [ ] If you're not planning on dual-booting, and your device gives you the option to, disable the Microsoft UEFI CA in the Secure Boot settings. This slightly improves boot security: instead of trusting the many bootloaders signed by that CA, you will only trust the Windows and your OEM's certificates.
10 | - [ ] Does your OEM/Motherboard manufacturer provide you with bloatware delivered through the WPBT? (Example: Asus Armory Crate). There may be an option in the firmware to disable it.
11 |
12 | ## On Install
13 |
14 | It is best not to log in to a Microsoft Account on Windows, because of all the sync features that are toggled on by default. While not impossible to control, it's an annoyance that's best avoided. In addition, certain group policies for Edge do not apply to logged-in users. Finally, according to [this study](https://web.archive.org/web/20230717045727/https://www.autoriteitpersoonsgegevens.nl/uploads/imported/public_version_dutch_dpa_informal_translation_summary_of_investigation_report.pdf), more device identifiers are sent with telemetry when logged into a Microsoft Account (see pages 5 through 7).
15 |
16 | To skip the login, select **Set up for work or school > Sign-in Options > Domain Join**.
17 |
18 | Go through the OOBE and opt out of everything:
19 |
20 | - [ ] **Let Microsoft and apps use your location > No**
21 | - [ ] **Find my device > No**
22 | - [ ] **Send diagnostic data to Microsoft > Required only**
23 | - [ ] **Improve inking & typing > No**
24 | - [ ] **Get tailored experiences with diagnostic data > No**
25 | - [ ] **Let apps use advertising ID > No**
26 |
27 | If you are on Enterprise, you can stop Windows from pestering you to login to a Microsoft account by opening the group policy editor and enabling **Computer Configuration > Administrative Templates > Windows Components > Cloud Content > Turn off Microsoft consumer experiences.**
28 |
29 | If on Pro, go to **System > Settings > Notifications > Additional Settings** and untick all the checkboxes there. This goes for new user accounts as well.
30 |
31 | - [ ] **Show the Windows welcome experience after updates and when signed in to show what's new and suggested**
32 | - [ ] **Suggest ways to get the most out of Windows and finish setting up this device**
33 | - [ ] **Get tips and suggestions when using Windows**
34 |
35 | ## Things that phone home to Microsoft
36 |
37 | This section is based off of limited testing in a VM, along with documentation from Microsoft:
38 |
39 | https://learn.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services
40 |
41 | https://learn.microsoft.com/en-us/windows/privacy/manage-windows-11-endpoints
42 |
43 | Also, you can auto-apply most of the group policies below that turn off the phone-home features with [LGPO](https://github.com/starchturrets/windows-shenanigans/tree/main/policies).
44 |
45 | Based on what I've seen, these are the more relevant items:
46 |
47 | 1. OS Diagnostics
48 | 2. Windows Spotlight
49 | 3. Bing Start Menu / Copilot
50 | 4. Edge
51 | 5. Certain aspects of Windows Defender (Automatic Sample Submission, Reputation Based Checks)
52 | 6. (Optional) Widgets and Live Tiles, Windows Media Player
53 |
54 | ## OS Diagnostics (Sends back hardware data, among other things)
55 |
56 | If you are on Pro, you cannot fully disable OS diagnostics. Select required diagnostics only in the OOBE and do not attempt to download third party tools that claim to disable telemetry.
57 |
62 | If on Enterprise, open the group policy editor and go to **Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds.**
63 |
64 | Double-click **Allow Telemetry (or Allow diagnostic data on Windows 11 and Windows Server 2022).**
65 |
66 | Select the "Send no Diagnostic Data" Option, then click OK to apply changes.
67 |
68 |
69 |
70 | ## Windows Spotlight
71 |
72 | Windows Spotlight sends back hardware data similar to that of required diagnostics. To turn it off:
73 |
74 | - [ ] Enable the following Group Policy **User Configuration > Administrative Templates > Windows Components > Cloud Content > Turn off all Windows spotlight features.**
75 |
76 | - [ ] Enable the following Group Policy **Computer Configuration > Administrative Templates > Windows Components > Cloud Content > Turn off cloud optimized content.**
77 |
78 | According to Microsoft docs, this must be done within **15 minutes of first install.** The first policy is also restricted to Enterprise/Education installs only.
79 |
80 | If you are on Pro, you can't fully turn off spotlight. You can still turn off the daily lockscreen images in settings (has to be done for every new user account):
81 |
82 | - [ ] **Personalization > Lock Screen > Personalize your lock screen > Picture**
83 | - [ ] Untick **Get fun facts, tips, tricks, and more on your lock screen**
84 |
85 | You can also disable the daily wallpaper images entirely in group policy, and disallow diagnostic data from being used for tailored experiences (applies machine wide):
86 |
87 | - [ ] Enable **User Configuration > Administrative Templates > Windows Components > Cloud Content > Turn off Spotlight collection on Desktop.**
88 | - [ ] Enable **User Configuration > Administrative Templates > Windows Components > Cloud Content > Do not use diagnostic data for tailored experiences.**
89 |
90 | ## Bing Start Menu / Copilot
91 |
92 | By default, the start menu search searches the web, which leaks your local file queries to Microsoft. Copilot is also annoying.
93 |
94 | - [ ] Enable **User Configuration > Administrative Templates > Windows Components > File Explorer > Turn off display of recent search entries in the File Explorer search box**
95 | - [ ] Enable **User Configuration > Administrative Templates > Windows Components > Windows Copilot > Turn off Windows Copilot**.
96 |
97 |
98 | ## Defender
99 |
100 | ### Virus and Threat Protection settings:
101 |
102 | https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-antivirus-sample-submission?view=o365-worldwide#how-cloud-protection-and-sample-submission-work-together
103 |
104 | Defender's cloud protection relies on collecting metadata about suspicious files (both executable and non-executable), which ostensibly assists it in determining whether a file is malicious (see the link for examples of what metadata is collected). Should this not be enough, it will upload the file, or request to upload it, for further analysis. The default appears to be to upload automatically if the file is executable, and therefore unlikely to contain PII (as opposed to, say, PDFs or DOCX files). Otherwise, it will prompt the user for consent.
105 |
106 | There are two options for handling this:
107 |
108 | 1. Limit what data is sent to Microsoft, and accept the reduced security due to Defender being less effective
109 | 2. Allow Microsoft to collect some metadata and the occasional executable sample in exchange for security
110 |
111 | Which option you go with depends on your threat model. For example, the latter option might be preferable if you use the Windows install purely for gaming.
112 |
113 | To go with the former option, disable both cloud protection and automatic sample submission.
114 |
115 | Go to **Windows Security > Virus and Threat Protection > Manage Settings**.
116 | Toggle off **Automatic Sample Submission** there (the cloud protection toggle is on the same page).
117 |
118 | ## Smart App Control / Reputation Based Protection
119 |
120 | Smart App Control (and SmartScreen in general) is a trade-off between privacy and security. On the one hand, it improves security by using reputation checks to block malware while making sure legitimate files are not blocked; on the other hand, it needs to send file metadata to Microsoft in order to function. As the Microsoft Privacy Policy puts it:
121 |
122 | > Where supported, Smart App Control helps check software that is installed and runs on your device to determine if it is malicious, potentially unwanted, or poses other threats to you and your device. **On a supported device, Smart App Control starts in evaluation mode and the data we collect for Microsoft Defender SmartScreen such as file name, a hash of the file’s contents, the download location, and the file’s digital certificates, is used to help determine whether your device is a good candidate to use Smart App Control for additional security protection.**
123 |
124 | > ...
125 |
126 | > When either Microsoft Defender SmartScreen or Smart App Control checks a file, data about that file is sent to Microsoft, including the file name, a hash of the file’s contents, the download location, and the file’s digital certificates.
127 |
128 | It is ultimately up to you whether or not to use it (more on that below).
129 |
130 | If you have chosen to not use Smart App Control go to **Windows Security > App and Browser Control > Reputation Based Protection** and disable everything there.
131 |
132 | Even if you have chosen to use SAC/SmartScreen, it is probably best to also disable **SmartScreen for Microsoft Edge**, as it has been shown to leak full URLs and browsing history to Microsoft.
133 |
134 | ## Edge
135 |
136 | Using Edge is a trade-off between privacy and security. By default, Edge has many features that can and have leaked private data and browsing history to Microsoft. On the other hand, it does have legitimate security features such as MDAG and Enhanced Security Mode. It is up to you whether to use it or to use another browser such as Brave/Chrome/Firefox.
137 |
138 | In `edge://settings/privacy` disable the following:
139 | - [ ] Search and service improvement > Help improve Microsoft products by sending the results from searches on the web
140 | - [ ] Personalization & advertising > Allow Microsoft to save your browsing activity including history, usage, favorites, web content, and other browsing data to personalize Microsoft Edge and Microsoft services like ads, search, shopping and news.
141 | - [ ] Security > Microsoft Defender SmartScreen
142 | - [ ] Security > Website typo protection
143 | - [ ] Security > Turn on site safety services to get more info about the sites you visit
144 |
145 | Note: it may seem counterproductive to disable security features, however Microsoft states in their Edge privacy whitepaper that:
146 |
147 | > SmartScreen performs a synchronous reputation check of the URL. SmartScreen checks on all URLs that aren't categorized as top traffic. **Microsoft Edge passes the URL, relevant information about the site, an identifier unique to your device, and general location information to the SmartScreen service to determine the safety of the site.**
148 |
149 | https://learn.microsoft.com/en-us/microsoft-edge/privacy-whitepaper/#smartscreen
150 |
151 | This is an extremely silly way to do it imo, when Google Safe Browsing has shown it's possible to implement such checks in a privacy-preserving way without sending every URL you visit to Microsoft. Testing with `mitmproxy` also indicates that with Edge SmartScreen on, URLs are currently leaked to them.
152 |
153 | Turn off **everything** under the Services section, and re-check it after every update, as these features have been found to leak data multiple times. The only one that might be OK is Services > Use a web service to help resolve navigation errors, which only seems to be used for captive portals.
154 |
155 |
156 | Using the Bing sidebar is not very privacy-friendly (especially since it can be granted privileged access to your web browsing activity), so it is best to disable it.
157 |
158 | Under `edge://settings/sidebar`, disable the following:
159 | - [ ] App and notification settings > Discover > Show Discover
160 | - [ ] App and notification settings > Discover > Automatically open Bing Chat in the sidebar
161 | - [ ] Page Context
162 | - [ ] Automatically show shopping suggestions and prompts
163 |
164 |
165 |
166 | In `edge://settings/languages` disable the following:
167 | - [ ] Offer to translate pages that aren't in a language I read
168 | - [ ] Use text prediction
169 | - [ ] Enable grammar and spellcheck assistance
170 |
171 |
172 | ## Widgets, Windows Media Player
173 |
174 | These make potentially unneeded connections back to Microsoft, but from what I've seen they do not appear to send sensitive user data back. However, if you wish to disable them:
175 |
176 | **Computer Configuration > Windows Components > Widgets > AllowWidgets** should be set to **Disabled**.
177 |
178 | Alternatively, Widgets can be uninstalled by doing `winget uninstall "Windows Web Experience Pack"` in an elevated PowerShell window.
179 |
180 | Windows Media Player uses Bing by default to auto-fetch music metadata. This can be disabled by opening the app, going to settings, and toggling off "Search for missing Album and Artist art online".
181 |
182 | ## Debloating
183 |
184 | There are several things to put up with on Windows:
185 |
186 | - Manufacturer bloatware, such as preinstalled third party ~~malware~~ antiviruses
187 | - Start Menu shortcuts which are pinned by default
188 | - Microsoft apps that you don't like
189 |
190 | Manufacturer bloatware usually isn't too much of a problem if you're doing a clean install, though OEMs can and have abused WPBT as well as driver updates to get around this.
191 |
192 | Windows Plug and Play auto-installers (which, on top of being potential bloat, have led to privilege escalation bugs in the past) can be disabled by setting:
193 |
194 | **Computer Configuration > Administrative Templates > System > Device Installation > Prevent device metadata retrieval from the Internet** to **Enabled**.
195 |
196 | Note: the proper way to disable it is documented at https://www.bleepingcomputer.com/news/microsoft/how-to-block-windows-plug-and-play-auto-installing-insecure-apps/, as this GPO [doesn't actually fully disable co-installers executed as part of the driver.](https://mastodon.social/@faebudo@ioc.exchange/111499421425476615)
197 |
198 | Start menu shortcuts and preinstalled third party apps can be easily removed by right clicking and unpinning / uninstalling them.
199 |
200 | Microsoft Apps such as Cortana can be removed using the `winget` package manager.
201 |
202 | 1. Open an elevated PowerShell window and type in `winget list`
203 | 2. Copy the name of the package you wish to uninstall and type in `winget uninstall PACKAGE_NAME`
204 |
205 | Note that uninstalling Cortana does not remove the need to apply the above group policies regarding Cortana and Search. You also cannot uninstall Microsoft Edge. Do not go overboard uninstalling system apps, as you may break something, and *please*, do not download third party debloater tools.
206 |
207 | ## Improving Security
208 |
209 | - [ ] Make sure everything is up to date!
210 | - [ ] Keep Camera / Mic / Location off when not in use with the global killswitches
211 | - [ ] Set UAC to "Always Notify", and consider daily driving a standard user account
212 | - [ ] Use `winget` to manage apps where possible
213 | - [ ] Enable supported hardware security features
214 | - [ ] Enable Controlled Folder Access
215 | - [ ] Turn on Smart App Control, or use a WDAC policy to somewhat mimic Smart App Control's functionality while adding a bit more flexibility
216 | - [ ] Use VMs to run untrusted executables (Hyper-V / MDAG / Windows Sandbox)
217 | - [ ] Improve Office security with ASR rules and Security Baselines
218 | - [ ] Configure BitLocker
219 | - [ ] Apply the BlackLotus Secure Boot revocations
220 | - [ ] Use ADMX group policies to improve Edge security
221 |
222 | ## Keep Everything Updated
223 |
224 | Check your Windows Update settings page regularly, especially on the second Tuesday of each month, as Microsoft usually releases security updates then ("Patch Tuesday").
225 |
226 | Windows can also automatically update certain Microsoft products such as Office through Windows Update, though in my experience this isn't perfect.
227 |
228 | Also check "Optional Updates" for driver and firmware updates. However, in some cases the drivers provided by Windows Update are old, and it is better to use the OEM tool to update drivers.
229 |
230 | Winget can update some apps, but not those from the Microsoft Store, so you'll have to check things there separately.
231 |
232 | ## Camera / Mic / Location
233 |
234 | Due to the currently poor per-app permission controls, not all apps can be denied the camera or mic permission. So keep the global toggle disabled when not in use, which should also turn it off for legacy desktop apps. Note that apps with admin access can override this setting.
235 |
236 | ## User Account Control
237 |
238 | Set UAC to the highest level: type "UAC" into the start menu, click the settings result that shows up, and move the slider up to the "Always notify" level. This will mitigate *some* [bypasses](https://www.bleepingcomputer.com/news/security/old-windows-mock-folders-uac-bypass-used-to-drop-malware/). However, UAC is **not** considered a [security boundary](https://www.microsoft.com/en-us/msrc/windows-security-servicing-criteria) by Microsoft. The best option is to daily drive a standard user account, and switch into the admin account only when absolutely needed.
239 |
240 | While having to authenticate to elevate is an inconvenience, you can mitigate this somewhat by using a relatively short Windows Hello PIN or biometrics. While it may seem less secure to have a short PIN, it is backed by the TPM, which should enforce rate limiting. (See these [two](https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password#pin-is-backed-by-hardware) documentation [articles](https://learn.microsoft.com/en-us/windows/security/hardware-security/tpm/how-windows-uses-the-tpm) from Microsoft Learn about it.)
241 |
242 | By default, Windows forces you to set security questions for a new local account, as well as go through the OOBE again. This isn't strictly a problem, but can be pretty annoying. To disable:
243 |
244 | - [ ] Enable the following group policy: **Computer Configuration > Administrative Templates > Windows Components > Credential User Interface > Prevent the use of security questions for local accounts**
245 | - [ ] Enable the following group policy **Computer Configuration > Administrative Templates > Windows Components > OOBE > Don't launch privacy settings experience on user logon**
246 |
247 | ## App Management
248 |
249 | Rather than using a search engine to look for and download apps, which is prone to being gamed by [malicious sites](https://www.bleepingcomputer.com/news/security/hackers-abuse-google-ads-to-spread-malware-in-legit-software/), it is preferable to use the `winget` package manager, which comes preinstalled on Windows 11 by default. To look for a package, open a terminal window and type `winget search "Package Name"`. You can then verify the publisher (handy for Microsoft Store apps) by copying the application ID and running `winget show "application ID"`.
250 |
251 | According to [this discussion](https://github.com/microsoft/winget-cli/discussions/2534), winget community packages (the Store is larger and lets shady stuff slip through) do go through some amount of manual review before being added:
252 |
253 | > I don't see where security risks would be an issue here because every installer goes through Dynamic Analysis (Virus Scan) in the Pipelines' VMs, and if there's a PUA or malware in the installer, it's immediately flagged by the pipelines. The PR is also manually validated by Moderators, in either VMs, or Bare Metal - so installers are always double checked to make sure that it isn't a malicious package intended to steal people's passwords or monitor what they're typing on their keyboard.
254 | Even if the pipelines cannot catch the malware issue, depending on the antivirus software someone has, all installers from WinGet are downloaded to %TEMP%\WinGet, except for .appx(bundle) and .msix(bundle), where your antivirus software will probably scan it before it's executed to install it onto your PC.
255 |
256 | While this is by no means a guarantee, this should reduce the chances of getting served outright malware.
257 |
258 | Occasionally an app will show up as being downloadable from either the Store or the publisher website. Currently there does not seem to be any major security difference between the two (aside from making WDAC Configuration somewhat harder), so it is up to the user to decide which to install.
259 |
260 | Microsoft Store apps can be sandboxed, however **just because an app is on the Store does not mean it is sandboxed**. Check the permissions page and make sure that an app does not have the "Use All System Resources" permission if you wish for it to be sandboxed.
261 |
262 | When possible, avoid running unsigned apps.
263 |
264 | ## Virtualization Based Security and related settings
265 |
266 | https://support.microsoft.com/en-us/windows/device-protection-in-windows-security-afa11526-de57-b1c5-599f-3a4c6a61c5e2
267 |
268 | Check the device security section, scroll to the bottom.
269 |
270 | If it says: "Standard hardware security not supported":
271 |
272 | - [ ] Your device does not support Windows 11 at all
273 | - [ ] There is a feature (such as secure boot or the TPM) that must be toggled in the firmware settings
274 | - [ ] It is a Windows Security bug - in which case you can manually validate by checking `msinfo32.exe`
275 |
276 | Once you see "Your device meets the requirements for standard hardware security", you can then go to **Core Isolation** and toggle on Memory Integrity, as well as the Microsoft Vulnerable Driver Blocklist. In some cases, Windows 11 auto enables it on clean install, but this is not guaranteed. After a reboot, the bottom of the device security section should then say "Your device meets the requirements for enhanced hardware security".
277 |
278 | The group policies can be found under **Computer Configuration > Administrative Templates > System > Device Guard > Turn On Virtualization Based Security**.
279 |
280 | - [ ] Select Platform Security Level: Secure Boot (this will enable as much protection as is supported, [unlike the Secure Boot with DMA option](https://learn.microsoft.com/en-us/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity#use-registry-keys-to-enable-memory-integrity))
281 | - [ ] Select Virtualization Based Protection of Code Integrity and set it to Enabled Without UEFI Lock
282 | - [ ] Tick "Require UEFI Memory Attributes Table"
283 | - [ ] Credential Guard seems to be oriented towards stopping an attacker from moving laterally within an enterprise network, so it's probably best to leave it at Not Configured, as it doesn't seem that relevant to a home user (also, it's a Windows Enterprise-only feature anyway).
284 | - [ ] [Secure Launch](https://learn.microsoft.com/en-us/windows/security/hardware-security/system-guard-secure-launch-and-smm-protection) is a Secured-core feature; if you did not see "Firmware Protection" in the Core Isolation settings page, leave the policy at Not Configured, as it's unsupported anyway.
285 | - [ ] Kernel-mode hardware-enforced stack protection is also hardware dependent; do not configure it if you didn't see it in the Core Isolation settings page.
286 |
287 | After configuring policies, reboot and check the Core Isolation settings page. If memory integrity has turned off, that means [UEFI MAT](https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-vbs) is not supported by the firmware; untick the policy for it. Then you can set Virtualization Based Protection of Code Integrity to Enabled with UEFI Lock, and reboot. This prevents a remote attacker with admin access from simply forcing it off. You can test this yourself by setting the policy to Disabled and rebooting: memory integrity will still be reported as on. The only way to disable it appears to be having physical access and disabling Secure Boot, or having a [Secure Boot exploit](https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/).
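The post-reboot check above can also be scripted. This is an added example, not part of the guide: it reads the `Win32_DeviceGuard` CIM class (the same data `msinfo32` shows) and the HVCI registry key, and turns the result into the same decision the guide describes (untick UEFI MAT if HVCI is configured but not running, apply the UEFI lock once it runs). The service-code names are the documented meanings of that class's values; `Get-VbsState` is an assumed helper name.

```powershell
# Added example, not from the original guide: report the VBS / memory integrity
# state that the guide tells you to verify in Core Isolation after each reboot.
# Assumes Windows 11 with the DeviceGuard WMI provider (present on supported builds).

# Documented meanings of the codes in Win32_DeviceGuard.SecurityServices{Configured,Running}.
$SecurityServiceNames = @{
    1 = 'Credential Guard'
    2 = 'Memory integrity (HVCI)'
    3 = 'System Guard Secure Launch'
    4 = 'SMM firmware measurement'
    5 = 'Kernel-mode hardware-enforced stack protection'
}
$VbsStatusNames = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Running' }

# The key the "Enabled with UEFI Lock" policy writes to (Locked = 1 means UEFI-locked).
$HvciRegKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'

function Get-ServiceNames([uint32[]] $Codes) {
    foreach ($code in $Codes) {
        if ($SecurityServiceNames.ContainsKey([int]$code)) { $SecurityServiceNames[[int]$code] }
        else { "Unknown service code $code" }
    }
}

function Get-VbsState {
    $dg  = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'
    $reg = Get-ItemProperty -Path $HvciRegKey -ErrorAction SilentlyContinue

    $hvciConfigured = $dg.SecurityServicesConfigured -contains 2
    $hvciRunning    = $dg.SecurityServicesRunning -contains 2
    $hvciLocked     = ($null -ne $reg) -and ($reg.Locked -eq 1)

    # Reproduce the guide's decision steps as a hint for the reader.
    if ($hvciRunning -and $hvciLocked) {
        $hint = 'Memory integrity is running and UEFI-locked; an admin cannot simply turn it off.'
    } elseif ($hvciRunning) {
        $hint = 'Memory integrity is running but not UEFI-locked; set the policy to Enabled with UEFI Lock and reboot.'
    } elseif ($hvciConfigured) {
        $hint = 'Memory integrity is configured but not running; the firmware may lack UEFI MAT support. Untick "Require UEFI Memory Attributes Table" and reboot.'
    } else {
        $hint = 'Memory integrity is not configured; toggle it on in Core Isolation or via the Device Guard policy.'
    }

    [pscustomobject]@{
        VbsStatus          = $VbsStatusNames[[int]$dg.VirtualizationBasedSecurityStatus]
        ServicesConfigured = @(Get-ServiceNames $dg.SecurityServicesConfigured)
        ServicesRunning    = @(Get-ServiceNames $dg.SecurityServicesRunning)
        HvciUefiLocked     = $hvciLocked
        Hint               = $hint
    }
}

Get-VbsState | Format-List
```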
288 |
289 | ## Controlled Folder Access
290 |
291 | Go to **Virus and Threat Protection > Ransomware Protection** and toggle Controlled Folder Access. This will restrict the write permission of applications to certain folders unless explicitly allowlisted.
292 |
293 | ## Smart App Control
294 |
295 | Windows offers several methods to stop untrusted executables from running, such as AppLocker or Smart App Control / WDAC. Each of them has its own advantages and disadvantages, but they do help mitigate attacks such as those from clicking on disguised executables.
296 |
297 | WDAC (Windows Defender Application Control) is what runs under the hood of Smart App Control, however SAC exposes far less configuration. SAC can be enabled on new installs by opening the Windows Security App and going to **App and Browser Control > Settings for Smart App Control** and selecting the Activated option.
298 |
299 | While this means it is dead simple, it is also a blunt all-or-nothing tool: if a DLL critical to Signal Desktop or a similar app is blocked, there is no option to allowlist it, only to turn SAC off entirely, and it cannot be (officially) re-enabled without reinstalling the OS. (This is [deliberate](https://nitter.woodland.cafe/dwizzzleMSFT/status/1723004632815837220#m).)
300 |
301 | So, SAC is probably a good idea under the following conditions:
302 |
303 | - You do not use WSL (sorry, that gets blocked!)
304 | - You are not a programmer (generating lots of unsigned code doesn't play very well with it)
305 | - You primarily use apps from Microsoft Store/winget that are unlikely to be blocked
306 | - You are OK with Microsoft getting file metadata (see above)
307 |
308 | If you only use a few basic apps, I recommend using SAC unless it's incompatible with your workflow. If you want to turn it on without reinstalling (for example, you now only use a limited set of apps but don't want to go through the hassle of setup again), Microsoft does offer a way to [turn it back on](https://learn.microsoft.com/en-us/windows/apps/develop/smart-app-control/test-your-app-with-smart-app-control#configure-smart-app-control-using-the-registry) from the Windows Recovery Environment.
309 |
310 | ## Attack Surface Reduction Rules
311 |
312 | https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction?view=o365-worldwide
313 |
314 | ASR rules can be found under: **Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction Rules.**
315 |
316 | | ASR Rule | GUID |
317 | |---------------------------------------------------------------------------------------------------|----------------------------------------|
318 | | Block abuse of exploited vulnerable signed drivers | `56a863a9-875e-4185-98a7-b882c64b5ce5` |
319 | | Block Adobe Reader from creating child processes | `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c` |
320 | | Block all Office applications from creating child processes | `d4f940ab-401b-4efc-aadc-ad5f3c50688a` |
321 | | Block credential stealing from the Windows local security authority subsystem (lsass.exe) | `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2` |
322 | | Block executable content from email client and webmail | `be9ba2d9-53ea-4cdc-84e5-9b1eeee46550` |
323 | | Block executable files from running unless they meet a prevalence, age, or trusted list criterion | `01443614-cd74-433a-b99e-2ecdc07bfc25` |
324 | | Block execution of potentially obfuscated scripts | `5beb7efe-fd9a-4556-801d-275e5ffc04cc` |
325 | | Block JavaScript or VBScript from launching downloaded executable content | `d3e037e1-3eb8-44c8-a917-57927947596d` |
326 | | Block Office applications from creating executable content | `3b576869-a4ec-4529-8536-b80a7769e899` |
327 | | Block Office applications from injecting code into other processes | `75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84` |
328 | | Block Office communication application from creating child processes | `26190899-1602-49e8-8b27-eb1d0a1ce869` |
329 | | Block persistence through WMI event subscription | `e6db77e5-3df2-4cf1-b95a-636979351e5b` |
330 | | Block process creations originating from PSExec and WMI commands | `d1e49aac-8f56-4280-b9ba-993a6d77406c` |
331 | | Block rebooting machine in Safe Mode (preview) | `33ddedf1-c6e0-47cb-833e-de6133960387` |
332 | | Block untrusted and unsigned processes that run from USB | `b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4` |
333 | | Block use of copied or impersonated system tools (preview) | `c0033c00-d16d-4114-a5a0-dc9b3a7d2ceb` |
334 | | Block Webshell creation for Servers | `a8f5898e-1dc8-49a9-9878-85004b8a61e6` |
335 | | Block Win32 API calls from Office macros | `92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b` |
336 | | Use advanced protection against ransomware | `c1db55ab-c21a-4637-bb3f-a12568109d35` |
337 |
338 | Set it to Enabled and click the button that shows the rule list. Then paste the GUID of each ASR rule you wish to activate into the left column and `1` into the right column to enable it in block mode. You can get the GUIDs from [here](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference), or from the above table. However, some of the ASR rules do not appear relevant to a home user, for example "Block Webshell creation for Servers". The rules I would currently recommend using are:
339 |
340 | | ASR Rule | GUID |
341 | |---------------------------------------------------------------------------------------------------|----------------------------------------|
342 | | Block Adobe Reader from creating child processes | `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c` |
343 | | Block all Office applications from creating child processes | `d4f940ab-401b-4efc-aadc-ad5f3c50688a` |
344 | | Block credential stealing from the Windows local security authority subsystem (lsass.exe) | `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2` |
345 | | Block executable content from email client and webmail | `be9ba2d9-53ea-4cdc-84e5-9b1eeee46550` |
346 | | Block execution of potentially obfuscated scripts | `5beb7efe-fd9a-4556-801d-275e5ffc04cc` |
347 | | Block JavaScript or VBScript from launching downloaded executable content | `d3e037e1-3eb8-44c8-a917-57927947596d` |
348 | | Block Office applications from creating executable content | `3b576869-a4ec-4529-8536-b80a7769e899` |
349 | | Block Office applications from injecting code into other processes | `75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84` |
350 | | Block Office communication application from creating child processes | `26190899-1602-49e8-8b27-eb1d0a1ce869` |
351 | | Block persistence through WMI event subscription | `e6db77e5-3df2-4cf1-b95a-636979351e5b` |
352 | | Block process creations originating from PSExec and WMI commands | `d1e49aac-8f56-4280-b9ba-993a6d77406c` |
353 | | Block rebooting machine in Safe Mode (preview) | `33ddedf1-c6e0-47cb-833e-de6133960387` |
354 | | Block untrusted and unsigned processes that run from USB | `b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4` |
355 | | Block use of copied or impersonated system tools (preview) | `c0033c00-d16d-4114-a5a0-dc9b3a7d2ceb` |
356 | | Block Win32 API calls from Office macros | `92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b` |
357 |
358 | (Driver blocking has had issues with the blocklist updates, and the reputation based rules such as advanced ransomware protection appear redundant to SAC and depend on one's threat model).
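The Group Policy route above has no easy way to trial the rules before enforcing them. This added example (not the guide's own code) applies the recommended set from the second table with the Defender PowerShell module instead, rolls it out in audit mode first, and reviews the Defender event log entries that show what each rule blocked or would have blocked. Function names are assumptions; the cmdlets, parameter names, action codes and event IDs are Defender's documented ones.

```powershell
# Added example, not part of the original guide: apply the guide's recommended ASR
# rules with the Defender PowerShell module, audit first, then verify and review.
# Assumes an elevated PowerShell on Windows 11 with Microsoft Defender Antivirus active
# (ASR rules do nothing if another AV is primary). If the same rules are also set
# through Group Policy, the policy values take precedence over these preferences.

# Recommended rules, copied from the second table above (name => GUID).
$RecommendedAsrRules = [ordered]@{
    'Block Adobe Reader from creating child processes'                                          = '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c'
    'Block all Office applications from creating child processes'                               = 'd4f940ab-401b-4efc-aadc-ad5f3c50688a'
    'Block credential stealing from the Windows local security authority subsystem (lsass.exe)' = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
    'Block executable content from email client and webmail'                                    = 'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550'
    'Block execution of potentially obfuscated scripts'                                         = '5beb7efe-fd9a-4556-801d-275e5ffc04cc'
    'Block JavaScript or VBScript from launching downloaded executable content'                 = 'd3e037e1-3eb8-44c8-a917-57927947596d'
    'Block Office applications from creating executable content'                                = '3b576869-a4ec-4529-8536-b80a7769e899'
    'Block Office applications from injecting code into other processes'                        = '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84'
    'Block Office communication application from creating child processes'                      = '26190899-1602-49e8-8b27-eb1d0a1ce869'
    'Block persistence through WMI event subscription'                                          = 'e6db77e5-3df2-4cf1-b95a-636979351e5b'
    'Block process creations originating from PSExec and WMI commands'                          = 'd1e49aac-8f56-4280-b9ba-993a6d77406c'
    'Block rebooting machine in Safe Mode (preview)'                                            = '33ddedf1-c6e0-47cb-833e-de6133960387'
    'Block untrusted and unsigned processes that run from USB'                                  = 'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4'
    'Block use of copied or impersonated system tools (preview)'                                = 'c0033c00-d16d-4114-a5a0-dc9b3a7d2ceb'
    'Block Win32 API calls from Office macros'                                                   = '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b'
}

# Numeric action codes as returned by Get-MpPreference (1 is the "1" the guide pastes into GPO).
$AsrActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Set-RecommendedAsrRules {
    param([ValidateSet('Audit', 'Block')] [string] $Mode = 'Audit')
    $ids     = @($RecommendedAsrRules.Values)
    $action  = if ($Mode -eq 'Audit') { 'AuditMode' } else { 'Enabled' }
    $actions = @($ids | ForEach-Object { $action })
    # Add-MpPreference keeps rules that are already configured and updates the action
    # of any rule ID that is already present; Set-MpPreference would replace the list.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $ids -AttackSurfaceReductionRules_Actions $actions
}

function Get-RecommendedAsrRuleStatus {
    $pref = Get-MpPreference
    # The two properties are parallel arrays: index i of Ids pairs with index i of Actions.
    $current = @{}
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $current[$pref.AttackSurfaceReductionRules_Ids[$i].ToLower()] = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
    }
    foreach ($entry in $RecommendedAsrRules.GetEnumerator()) {
        $code = $current[$entry.Value]
        if ($null -eq $code)                         { $state = 'Not configured' }
        elseif ($AsrActionNames.ContainsKey($code))  { $state = $AsrActionNames[$code] }
        else                                         { $state = "Code $code" }
        [pscustomobject]@{ Rule = $entry.Key; Guid = $entry.Value; Action = $state }
    }
}

function Get-AsrEvents {
    param([int] $Hours = 24)
    # Defender logs 1121 when a rule blocked an action and 1122 when it would have (audit mode).
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Outcome = if ($_.Id -eq 1121) { 'Blocked' } else { 'Audited' }
            Message = $_.Message
        }
    }
}

# Rollout: audit first, use the machine normally for a while, review the events,
# then re-run with -Mode Block once nothing you rely on shows up as "Audited".
Set-RecommendedAsrRules -Mode Audit
Get-RecommendedAsrRuleStatus | Format-Table -AutoSize
Get-AsrEvents -Hours 24 | Format-Table -AutoSize -Wrap
```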
359 |
360 | In addition, you can apply the [Microsoft 365 Security baselines for Enterprise.](https://learn.microsoft.com/en-us/deployoffice/security/security-baseline) They disable the opening/saving of older file formats as well as unsigned macros. This is not as strong a security boundary as a full virtual machine, but it should still help reduce attack surface. While tailored for Enterprise Office installs, many policies appear to also be applicable to other editions such as LTSC 2021.
361 |
362 | The baseline can be downloaded from here: https://www.microsoft.com/en-us/download/details.aspx?id=55319. Make sure to select `LGPO.zip` as well. After unzipping both files, move `LGPO.exe` into the `\Scripts\Tools` subdirectory. You can then open an admin PowerShell in the `\Scripts` subdirectory and run:
363 |
364 | ```
365 | powershell.exe -ExecutionPolicy unrestricted .\Baseline-LocalInstall.ps1
366 | ```
367 |
368 | (or `pwsh.exe`, depending on what you have installed).
369 |
370 | After running, reboot.
371 |
372 | Administrative templates (should you wish to override a setting from the group policy editor or have them show up in your GPReport) can be downloaded from here: https://www.microsoft.com/en-us/download/details.aspx?id=49030.
373 |
374 |
375 | ## Windows Sandbox for untrusted files
376 |
377 | - Make sure you meet the prerequisites for installation: https://learn.microsoft.com/en-us/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview#prerequisites
378 | - If so, you can enable it by going to Turn Windows Features on or off > Windows Sandbox. Select it, click ok, then restart the computer if prompted.
379 |
380 | You can then use it to open PDFs and other document files you're not sure about.
381 |
382 | Windows Sandbox is more oriented towards being a temporary throwaway VM, and it does come with some caveats:
383 |
384 | - Malware can detect it's running in a VM, and not do anything suspicious until it's on the host.
385 | - Malware can detect it's running in a VM, [and overwrite the clipboard with a malicious executable to get it onto the host.](https://github.com/fractureiser-investigation/fractureiser/blob/main/docs/tech.md#anti-sandbox-tricks)
386 |
387 | So, be careful when copy/pasting files out of it, and don't treat it as a guarantee that an executable isn't malware.
388 |
389 | This is a bit more experimental, but it's possible to configure Windows Sandbox to auto-install LibreOffice while passing through the Downloads folder:
390 |
391 |
392 | ```
393 | <Configuration>
394 |   <MappedFolders>
395 |     <MappedFolder>
396 |       <HostFolder>C:\Users\Admin\Sandboxing\Office Apps\LibreOffice\</HostFolder>
397 |       <SandboxFolder>C:\Users\WDAGUtilityAccount\LibreOffice\</SandboxFolder>
398 |       <ReadOnly>True</ReadOnly>
399 |     </MappedFolder>
400 |     <MappedFolder>
401 |       <HostFolder>C:\Users\Admin\Downloads\</HostFolder>
402 |       <SandboxFolder>C:\Users\WDAGUtilityAccount\Downloads\</SandboxFolder>
403 |       <ReadOnly>False</ReadOnly>
404 |     </MappedFolder>
405 |   </MappedFolders>
406 |   <LogonCommand>
407 |     <Command>msiexec.exe /I C:\Users\WDAGUtilityAccount\LibreOffice\LibreOffice_7.5.5_Win_x86-64.msi /quiet</Command>
408 |   </LogonCommand>
409 |   <!-- one further setting with the value True follows; its element name is missing from this copy -->
410 |   True
411 | </Configuration>
412 | ```
413 |
414 | While being a relatively simple `.wsb` file, it has the disadvantage of taking about a minute to install each time the sandbox instance is started.
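Building on the `.wsb` above and the clipboard caveat from the previous section, here is an added example (not from the original guide) that writes an equivalent config with clipboard redirection disabled, so the clipboard-overwrite route onto the host is closed. The host paths are the guide's and are assumptions; the function name is hypothetical.

```powershell
# Added example, not part of the original guide: write a .wsb like the one above
# that also disables clipboard redirection, closing the clipboard-overwrite route
# described in the caveats. Host paths follow the guide's layout (assumptions);
# the function name is hypothetical. Start the sandbox with: WindowsSandbox.exe <path>
function New-HardenedLibreOfficeWsb {
    param(
        [string]$Path = "$env:USERPROFILE\Sandboxing\LibreOffice.wsb",
        [string]$OfficeHostFolder = 'C:\Users\Admin\Sandboxing\Office Apps\LibreOffice\',
        [string]$DownloadsHostFolder = 'C:\Users\Admin\Downloads\',
        [string]$Installer = 'LibreOffice_7.5.5_Win_x86-64.msi'
    )
    # Refuse to write a config whose host folders do not exist: Windows Sandbox
    # would fail to start rather than tell you which mapping was wrong.
    foreach ($dir in $OfficeHostFolder, $DownloadsHostFolder) {
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) { throw "Host folder not found: $dir" }
    }
    if (-not (Test-Path -LiteralPath (Join-Path $OfficeHostFolder $Installer))) { throw "Installer not found: $Installer" }
    # Downloads stays writable, as in the guide, so documents can be saved back;
    # set that ReadOnly to True if you only ever need to open files.
    $xml = @"
<Configuration>
  <ClipboardRedirection>Disable</ClipboardRedirection>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>$OfficeHostFolder</HostFolder>
      <SandboxFolder>C:\Users\WDAGUtilityAccount\LibreOffice\</SandboxFolder>
      <ReadOnly>True</ReadOnly>
    </MappedFolder>
    <MappedFolder>
      <HostFolder>$DownloadsHostFolder</HostFolder>
      <SandboxFolder>C:\Users\WDAGUtilityAccount\Downloads\</SandboxFolder>
      <ReadOnly>False</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>msiexec.exe /I C:\Users\WDAGUtilityAccount\LibreOffice\$Installer /quiet</Command>
  </LogonCommand>
</Configuration>
"@
    $null = [xml]$xml   # fail here, not at sandbox start-up, if the XML is malformed
    New-Item -ItemType Directory -Path (Split-Path $Path) -Force | Out-Null
    Set-Content -LiteralPath $Path -Value $xml -Encoding UTF8
    return $Path
}

New-HardenedLibreOfficeWsb
```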
415 |
416 | ## Bitlocker
417 |
418 | https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-countermeasures
419 |
420 | By default, bitlocker is only set up to protect against "casual" physical access. This is likely enough for most people's threat model: if a thief steals your device to wipe it and resell it, tampering is most likely irrelevant and your data would still be protected.
421 |
422 | So, turning on bitlocker from the settings menu should be enough.
423 |
424 | As bitlocker uses AES-128 by default, you can strengthen it by going to **Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Choose drive encryption method and cipher strength** and setting it to XTS-AES 256 before encrypting.
425 |
426 | **Backup your recovery key.**
427 |
428 | This is *extremely* important. Sometimes after firmware updates, you might be prompted to enter it in (more on that later).
429 |
430 | However, there have been [attacks against bitlocker's TPM authentication, and it is by no means perfect](https://github.com/Wack0/bitlocker-attacks). Also, there are [issues with how Windows Hello biometrics is currently implemented by OEMs](https://blackwinghq.com/blog/posts/a-touch-of-pwn-part-i/). Should you wish to go the extra mile and defend against more than the "casual" physical attacker, you will have to take the following measures:
431 |
432 | - Use an enhanced PIN in addition to the TPM for pre-boot authentication
433 | - Disable standby power management and shut down/hibernate before leaving the device unattended
434 | - Use legacy integrity validation, and pin Bitlocker to PCRs 0, 2, 4, 7, and 11.
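To check a machine against the settings recommended above, here is an added audit script (not from the original guide). It needs an elevated PowerShell, the PCR parse assumes `manage-bde`'s English output format, and the function name `Test-BitLockerHardening` is hypothetical.

```powershell
# Added example, not part of the original guide: audit the system drive against
# the settings recommended above (XTS-AES 256, TPM+PIN rather than TPM alone,
# a recovery password to back up, PCRs 0, 2, 4, 7 and 11 pinned). Needs an
# elevated PowerShell; the PCR parse assumes manage-bde's English output.
# The function name is hypothetical.
function Test-BitLockerHardening {
    param(
        [string]$MountPoint = $env:SystemDrive,
        [int[]]$WantPcrs = @(0, 2, 4, 7, 11)
    )
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector.KeyProtectorType)
    $findings = [ordered]@{
        'Volume fully encrypted'    = ($vol.VolumeStatus -eq 'FullyEncrypted')
        'Cipher is XTS-AES 256'     = ($vol.EncryptionMethod -eq 'XtsAes256')
        'TPM+PIN protector present' = ($types -contains 'TpmPin')
        'TPM-only protector absent' = ($types -notcontains 'Tpm')
        'Recovery password present' = ($types -contains 'RecoveryPassword')
    }
    # manage-bde prints the TPM protector's profile as a "PCR Validation Profile:"
    # line followed by the numbers, e.g. "0, 2, 4, 7, 11"; read that next line.
    $out  = @(& manage-bde -protectors -get $MountPoint 2>&1 | ForEach-Object { "$_" })
    $pcrs = @()
    for ($i = 0; $i -lt $out.Count - 1; $i++) {
        if ($out[$i] -match 'PCR Validation Profile') {
            $pcrs = @([regex]::Matches($out[$i + 1], '\d+') | ForEach-Object { [int]$_.Value })
            break
        }
    }
    # Set equality: same count and every wanted PCR present.
    $same = ($pcrs.Count -eq $WantPcrs.Count) -and -not @($WantPcrs | Where-Object { $pcrs -notcontains $_ })
    $findings["PCRs $($WantPcrs -join ',') pinned (found: $($pcrs -join ','))"] = $same
    return $findings
}

$result = Test-BitLockerHardening
foreach ($k in $result.Keys) {
    '{0,-4}{1}' -f $(if ($result[$k]) { 'OK' } else { 'FIX' }), $k
}
```

Every `FIX` line maps to one of the group policy or `manage-bde` changes described in this section; the standby/hibernate item has to be checked separately with `powercfg`.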
435 |
436 |
437 | ## BlackLotus Revocations
438 |
439 | Microsoft has rolled out another set of Secure Boot revocations with the April Patch Tuesday updates, placing the Windows Production CA 2011 certificate into the Secure Boot UEFI Forbidden List (DBX) and ostensibly revoking the bootloaders it has signed over the past ~10 years. It is replaced in the Secure Boot Signature Database (DB) by the Windows UEFI CA 2023. However, Microsoft is not applying the revocations automatically yet; they currently require manual configuration to take effect.
440 |
441 | https://support.microsoft.com/en-us/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d
442 |
443 | According to Microsoft, there are issues with the Secure Boot updates for certain HP devices, ARM64-based devices, Mac computers, VMware virtual machines, and systems running Symantec Endpoint Encryption (see the above link for details).
444 |
445 | To apply the mitigations, follow the steps at https://support.microsoft.com/en-us/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d#bkmk_mitigation_guidelines.
446 |
447 | **Save your bitlocker recovery key first.** If you have additional PCRs pinned, suspend Bitlocker before the steps that require you to restart twice:
448 |
449 | ```
450 | manage-bde -protectors c: -disable -rebootcount 2
451 | ```
452 | Replace C: with whatever your system drive is.
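As an added example (not from the original guide or the KB article), this script reports whether the three parts of the revocation are in place on the current machine and then runs the suspend command above, but only when a recovery password protector exists. The DB/DBX substring checks are the ones Microsoft's KB article uses; the function names and the `S:` mount letter for the EFI partition are assumptions.

```powershell
# Added example, not part of the original guide: check whether the KB5025885
# revocations are in place (new CA in DB, old CA in DBX, boot manager signed by
# the new CA) and suspend BitLocker for two reboots only if a recovery password
# protector exists. The DB/DBX string checks are the ones Microsoft's KB uses;
# function names and the S: mount letter are assumptions. Run elevated.
function Get-BlackLotusRevocationState {
    param([string]$EfiLetter = 'S:')
    if (-not (Confirm-SecureBootUEFI)) { throw 'Secure Boot is off; the revocations do not apply.' }
    # DB and DBX are EFI signature lists holding DER certificates; issuer and
    # subject names are stored as printable ASCII, so a substring match suffices.
    $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).Bytes)
    $dbx = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI dbx).Bytes)
    # Mount the EFI system partition to see which CA issued the boot manager's signing cert.
    mountvol $EfiLetter /S | Out-Null
    if (-not (Test-Path "$EfiLetter\EFI")) { throw "Could not mount the EFI partition at $EfiLetter" }
    try {
        $issuer = (Get-AuthenticodeSignature "$EfiLetter\EFI\Microsoft\Boot\bootmgfw.efi").SignerCertificate.Issuer
    } finally { mountvol $EfiLetter /D | Out-Null }
    [ordered]@{
        'Windows UEFI CA 2023 in DB'                  = ($db  -match 'Windows UEFI CA 2023')
        'Windows Production PCA 2011 in DBX'          = ($dbx -match 'Microsoft Windows Production PCA 2011')
        'bootmgfw.efi signed by Windows UEFI CA 2023' = ($issuer -match 'Windows UEFI CA 2023')
    }
}

function Suspend-BitLockerForRevocation {
    param([string]$MountPoint = $env:SystemDrive)
    $types = @((Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector.KeyProtectorType)
    if ($types -notcontains 'RecoveryPassword') {
        throw "No recovery password protector on $MountPoint; back up a recovery key before touching Secure Boot."
    }
    if ($types -match '^Tpm') {
        # Same command as in the guide, with the drive letter taken from the system.
        & manage-bde -protectors $MountPoint -disable -rebootcount 2
    } else { "No TPM protector on $MountPoint; nothing to suspend." }
}

$state = Get-BlackLotusRevocationState
foreach ($k in $state.Keys) { '{0,-5}{1}' -f $(if ($state[$k]) { 'OK' } else { 'TODO' }), $k }
# Suspend right before following the KB steps, and only if something is still TODO.
if ($state.Values -contains $false) { Suspend-BitLockerForRevocation }
```

Re-run the script after the two reboots; all three lines should read `OK` and the BitLocker protectors resume on their own once the reboot count is used up.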
453 |
--------------------------------------------------------------------------------