Windows Overview #287
Signed-off-by: oppressor1761 <163018825+oppressor1761@users.noreply.github.com>
✅ Deploy Preview for privsec-dev ready! Built without sensitive environment variables
this needs to be updated to show 24H2 improvements
wj25czxj47bu6q
left a comment
Some of this is good, but some of it is questionable or insufficiently explained.
For example, why should optional diagnostic data be allowed?
Also, we are not going to accept any commands or instructions regarding activation. It is fine to recommend specific editions of Windows, but that's about it.
Signed-off-by: oppressor1761 <163018825+oppressor1761@users.noreply.github.com>
In-depth analysis of Windows architecture and telemetry: https://www.bsi.bund.de/EN/Service-Navi/Publikationen/Studien/SiSyPHuS_Win10/SiSyPHuS_node.html. Some worthy mentions:
They recommend making a hard link for A more hardcore version would be to change Windows Update service to use the hardlink and block all outbound completely, with the exception of Windows Update.

Back in 2012, Windows used a non-validating DNSSEC-aware local resolver. Have things improved since then? Should I run Unbound locally or in a Linux VM (like with chrony) to do DNSSEC validation?

I think it's better to harden Windows using LGPO, .ppkg and answer files rather than altering group policies one by one manually. It's not easy to remember every custom policy you ever applied without an LGPO.
LGPO text files support comments, e.g.:

```text
; \Control Panel\Personalization
; Prevent enabling lock screen camera
; Enabled
Computer
Software\Policies\Microsoft\Windows\Personalization
NoLockScreenCamera
DWORD:1
```
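An added example, not code from the PR or the privsec-dev project: a Python parser for this LGPO text format (4-line records of scope, key path, value name and TYPE:data, with `;` comment lines) plus an audit that compares the parsed records against a required baseline, which is one way to keep track of which custom policies are actually applied. The sample file embedded below is constructed for illustration.

```python
"""Parse LGPO text-format policy files and audit them against a baseline."""
from dataclasses import dataclass

# Constructed sample (not a file from the PR): the page's NoLockScreenCamera
# record plus one record made up for this example.
SAMPLE = r"""
; \Control Panel\Personalization
; Prevent enabling lock screen camera
; Enabled
Computer
Software\Policies\Microsoft\Windows\Personalization
NoLockScreenCamera
DWORD:1

Computer
Software\Policies\Microsoft\Windows\DataCollection
AllowTelemetry
DWORD:1
"""

@dataclass(frozen=True)
class Policy:
    scope: str   # "Computer" or "User"
    key: str     # registry key path relative to the policy hive
    name: str    # value name ("*" or "" for key-level actions)
    vtype: str   # DWORD, SZ, EXSZ, MULTISZ, QWORD, BINARY, DELETE, ...
    data: str    # raw data text after the colon (may be empty)

def parse_lgpo(text: str) -> list[Policy]:
    """Split the file into 4-line records (scope, key, value name, TYPE:data).
    ';' lines are comments; a blank line ends a record; anything that is not
    exactly four lines with a valid scope is rejected rather than guessed at."""
    lines = [l.rstrip() for l in text.splitlines() if not l.lstrip().startswith(";")]
    policies, rec = [], []
    for line in lines + [""]:  # trailing sentinel flushes the last record
        if line.strip():
            rec.append(line)
            continue
        if not rec:
            continue
        if len(rec) != 4 or rec[0] not in ("Computer", "User"):
            raise ValueError(f"malformed LGPO record: {rec}")
        vtype, _, data = rec[3].partition(":")  # "DELETE" has no colon
        policies.append(Policy(rec[0], rec[1], rec[2], vtype.upper(), data))
        rec = []
    return policies

def audit(policies: list[Policy], baseline: dict) -> list[str]:
    """baseline maps (scope, key, name) -> (vtype, data); return findings."""
    present = {(p.scope, p.key, p.name): (p.vtype, p.data) for p in policies}
    findings = []
    for (scope, key, name), (want_type, want_data) in baseline.items():
        got = present.get((scope, key, name))
        if got is None:
            findings.append(f"missing: {scope}\\{key}\\{name}")
        elif got != (want_type, want_data):
            findings.append(f"mismatch: {name} is {got[0]}:{got[1]}, "
                            f"want {want_type}:{want_data}")
    return findings
```

Feed `audit()` the file you apply with `LGPO.exe /t` and a baseline of the values you expect, and the findings list is the set of policies that drifted or were never applied.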
this lgpo can be applied without caution.

This lgpo must be applied with caution

this is the answer file for arm64 devices

this is the provision package
```xml
<cpi:offlineImage cpi:source="wim:c:/users/gerbil1183/desktop/install.wim#Windows 11 Pro" xmlns:cpi="urn:schemas-microsoft-com:cpi" />
```
| ### Hardware Security | ||
| [Secured-Core PCs](https://www.microsoft.com/en-us/windows/business/windows-11-secured-core-computers) ensure the hardware has some essential security [features](https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-highly-secure-11#what-makes-a-secured-core-pc) including Secure Boot, Trusted Platform Module 2.0 (TPM), Direct Memory Access (DMA) Protection, Enhanced Sign-in Security (ESS), Virtualization-based Security (VBS) and System Guard Secure Launch with System Management Mode (SMM) isolation/Firmware Attack Surface Reduction (FASR). Microsoft Pluton and Total Memory Encryption are also good to have. |
| [Secured-Core PCs](https://www.microsoft.com/en-us/windows/business/windows-11-secured-core-computers) ensure the hardware has some essential security [features](https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-highly-secure-11#what-makes-a-secured-core-pc) including Secure Boot, Trusted Platform Module 2.0 (TPM), Direct Memory Access (DMA) Protection, Enhanced Sign-in Security (ESS), Virtualization-based Security (VBS) and System Guard Secure Launch with System Management Mode (SMM) isolation/Firmware Attack Surface Reduction (FASR). Microsoft Pluton and Total Memory Encryption are also good to have. | |
| [Secured-core PCs](https://www.microsoft.com/en-us/windows/business/windows-11-secured-core-computers) ensure the hardware has some essential security [features](https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-highly-secure-11#what-makes-a-secured-core-pc) including Secure Boot, Trusted Platform Module 2.0 (TPM), Direct Memory Access (DMA) Protection, Enhanced Sign-in Security (ESS), Virtualization-based Security (VBS) and System Guard Secure Launch with System Management Mode (SMM) isolation/Firmware Attack Surface Reduction (FASR). Microsoft Pluton and Total Memory Encryption are also good to have. |
| [Secured-Core PCs](https://www.microsoft.com/en-us/windows/business/windows-11-secured-core-computers) ensure the hardware has some essential security [features](https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-highly-secure-11#what-makes-a-secured-core-pc) including Secure Boot, Trusted Platform Module 2.0 (TPM), Direct Memory Access (DMA) Protection, Enhanced Sign-in Security (ESS), Virtualization-based Security (VBS) and System Guard Secure Launch with System Management Mode (SMM) isolation/Firmware Attack Surface Reduction (FASR). Microsoft Pluton and Total Memory Encryption are also good to have. | ||
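Review bot: the suggested change only lowercases "Secured-core"; the closing sentence "Microsoft Pluton and Total Memory Encryption are also good to have" still gives no reason, unlike the preceding features, which are at least tied to the linked Secured-core requirements. Pluton gets its own row later in this section, so a short forward reference would do for it; Total Memory Encryption needs one clause saying what it adds, or should be dropped from this row.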
| [Secure Boot](https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/trusted-boot) makes a safe and trusted path from the firmware to the Windows bootloader by making the firmware to examine the bootloader's digital signature to verify that it hasn't been modified. It may also allow drivers and applications from 3rd parties to run on the PC, which increases the attack surface of systems. You can disable Microsoft 3rd Party UEFI CAs (Microsoft Corporation UEFI CA 2011, Microsoft UEFI CA 2023) and Microsoft Option ROM CA (Microsoft Option ROM UEFI CA 2023) if you are not using third party operating system. Trusted Boot, which is not a hardware feature, picks up the process that started with Secure Boot. The Windows bootloader verifies the digital signature of the Windows kernel before loading it. The Windows kernel, in turn, verifies every other component of the Windows startup process, including boot drivers, startup files, and your anti-malware product's early-launch anti-malware (ELAM) driver. These mechanisms does not protect the firmware itself. |
| [Secure Boot](https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/trusted-boot) makes a safe and trusted path from the firmware to the Windows bootloader by making the firmware to examine the bootloader's digital signature to verify that it hasn't been modified. It may also allow drivers and applications from 3rd parties to run on the PC, which increases the attack surface of systems. You can disable Microsoft 3rd Party UEFI CAs (Microsoft Corporation UEFI CA 2011, Microsoft UEFI CA 2023) and Microsoft Option ROM CA (Microsoft Option ROM UEFI CA 2023) if you are not using third party operating system. Trusted Boot, which is not a hardware feature, picks up the process that started with Secure Boot. The Windows bootloader verifies the digital signature of the Windows kernel before loading it. The Windows kernel, in turn, verifies every other component of the Windows startup process, including boot drivers, startup files, and your anti-malware product's early-launch anti-malware (ELAM) driver. These mechanisms does not protect the firmware itself. | |
| [Secure Boot](https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/trusted-boot) makes a safe and trusted path from the firmware to the Windows bootloader by making the firmware to examine the bootloader's digital signature to verify that it hasn't been modified. It may also allow drivers and applications from 3rd parties to run on the PC, which increases attack surface. You can disable Microsoft 3rd Party UEFI CAs (Microsoft Corporation UEFI CA 2011, Microsoft UEFI CA 2023) and Microsoft Option ROM CA (Microsoft Option ROM UEFI CA 2023) if you are not using a third party operating system. Trusted Boot, which is not a hardware feature, picks up the process started with Secure Boot. The Windows bootloader verifies the digital signature of the Windows kernel before loading it. The Windows kernel, in turn, verifies every other component of the Windows startup process, including boot drivers, startup files, and your anti-malware product's early-launch anti-malware (ELAM) driver. These mechanisms do not protect the firmware itself. |
| [Secure Boot](https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/trusted-boot) makes a safe and trusted path from the firmware to the Windows bootloader by making the firmware to examine the bootloader's digital signature to verify that it hasn't been modified. It may also allow drivers and applications from 3rd parties to run on the PC, which increases the attack surface of systems. You can disable Microsoft 3rd Party UEFI CAs (Microsoft Corporation UEFI CA 2011, Microsoft UEFI CA 2023) and Microsoft Option ROM CA (Microsoft Option ROM UEFI CA 2023) if you are not using third party operating system. Trusted Boot, which is not a hardware feature, picks up the process that started with Secure Boot. The Windows bootloader verifies the digital signature of the Windows kernel before loading it. The Windows kernel, in turn, verifies every other component of the Windows startup process, including boot drivers, startup files, and your anti-malware product's early-launch anti-malware (ELAM) driver. These mechanisms does not protect the firmware itself. | ||
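Review bot: "by making the firmware to examine" survives in the suggested wording and is still ungrammatical; "by having the firmware examine" reads correctly. Two more points on this row: "It may also allow drivers and applications from 3rd parties" has an unclear antecedent (the sentence that follows makes clear it is the third-party CAs, not Secure Boot itself, that admit them), and the condition "if you are not using a third party operating system" is narrower than the row's own claim, since the same row says those CAs also cover third-party drivers and lists an Option ROM CA; the condition should also exclude machines that depend on such drivers or option ROMs, and the row should tell the reader to check for them before disabling the CAs.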
| [Trusted Platform Module 2.0 (TPM)](https://learn.microsoft.com/en-us/windows/security/hardware-security/tpm/trusted-platform-module-overview) is a secure crypto-processor that is designed to carry out cryptographic operations. Some features rely on TPM such as BitLocker, Windows Hello, and System Guard Secure Launch. |
| [Trusted Platform Module 2.0 (TPM)](https://learn.microsoft.com/en-us/windows/security/hardware-security/tpm/trusted-platform-module-overview) is a secure crypto-processor that is designed to carry out cryptographic operations. Some features rely on TPM such as BitLocker, Windows Hello, and System Guard Secure Launch. | |
| [Trusted Platform Module 2.0 (TPM)](https://learn.microsoft.com/en-us/windows/security/hardware-security/tpm/trusted-platform-module-overview) is a processor designed to carry out cryptographic operations. Some features rely on TPM: BitLocker, Windows Hello, and System Guard Secure Launch. |
| [System Guard Secure Launch with SMM isolation](https://learn.microsoft.com/en-us/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows) leverage Dynamic Root of Trust for Measurement (DRTM) to protect the firmware. It depends on CPU to function. Its equivalent without CPU dependency is [FASR](https://learn.microsoft.com/en-us/windows-hardware/drivers/bringup/firmware-attack-surface-reduction) which leverage Static Root of Trust for Measurement (SRTM) and Standalone Management Mode (MM) with MM Supervisor. | ||
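Review bot: subject-verb agreement: "leverage" should be "leverages" in both sentences, and "It depends on CPU to function" needs an object ("depends on CPU support" or "on the CPU vendor's DRTM implementation"). The row should also say which of the two mechanisms a given machine is expected to have, since the Secured-core row above lists "System Guard Secure Launch with SMM isolation/FASR" as alternatives and this row calls FASR the "equivalent without CPU dependency" without saying when it applies.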
| [Microsoft Pluton](https://learn.microsoft.com/en-us/windows/security/hardware-security/pluton/microsoft-pluton-security-processor) is a secure crypto-processor built into the CPU to provide the functionality of the TPM and deliver other security functionality beyond what is possible with the TPM 2.0 specification, and allows for other Pluton firmware and OS features to be delivered over time via Windows Update. |
| [Microsoft Pluton](https://learn.microsoft.com/en-us/windows/security/hardware-security/pluton/microsoft-pluton-security-processor) is a secure crypto-processor built into the CPU to provide the functionality of the TPM and deliver other security functionality beyond what is possible with the TPM 2.0 specification, and allows for other Pluton firmware and OS features to be delivered over time via Windows Update. | |
| [Microsoft Pluton](https://learn.microsoft.com/en-us/windows/security/hardware-security/pluton/microsoft-pluton-security-processor) is a processor built into the CPU to provide the functionality of the TPM and deliver security functionality beyond what is possible with the TPM 2.0 specification. It also allows for other Pluton firmware and OS features to be delivered over time via Windows Update. |
| ### Application Security | ||
| Most applications on Windows are not sandboxed. In Microsoft Store, only the apps without the permission “This app can access all your files, peripheral devices, apps, programs, and registry” are sandboxed. If you sideload apps, only those with the file extensions `.msix`, `.msixbundle`, `.appx`, `.appxbundle`, and without the permission "This app can access all your files, peripheral devices, apps, programs, and registry" are sandboxed. If you are a developer or are skilled, you may deploy sandboxing to unsandboxed applications using [Win32 app isolation](https://learn.microsoft.com/en-us/windows/win32/secauthz/app-isolation-overview). |
| Most applications on Windows are not sandboxed. In Microsoft Store, only the apps without the permission “This app can access all your files, peripheral devices, apps, programs, and registry” are sandboxed. If you sideload apps, only those with the file extensions `.msix`, `.msixbundle`, `.appx`, `.appxbundle`, and without the permission "This app can access all your files, peripheral devices, apps, programs, and registry" are sandboxed. If you are a developer or are skilled, you may deploy sandboxing to unsandboxed applications using [Win32 app isolation](https://learn.microsoft.com/en-us/windows/win32/secauthz/app-isolation-overview). | |
| Most applications on Windows are not sandboxed. In Microsoft Store, only the apps without the permission “This app can access all your files, peripheral devices, apps, programs, and registry” are sandboxed. If you sideload apps, only those with the file extensions `.msix`, `.msixbundle`, `.appx`, and `.appxbundle` without the permission "This app can access all your files, peripheral devices, apps, programs, and registry" are sandboxed. If you are a developer or are technically skilled, you can deploy sandboxing to unsandboxed applications using [Win32 app isolation](https://learn.microsoft.com/en-us/windows/win32/secauthz/app-isolation-overview). |
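Review bot: the permission string is quoted with curly quotes (“…”) the first time and straight quotes ("…") the second time in the same row; use one style, or quote it once and refer back to it ("the same permission") so the long string is not repeated. "In Microsoft Store" should be "In the Microsoft Store", and since the row asks the reader to check that permission themselves, say where it can be seen.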
| [Smart App Control](https://support.microsoft.com/en-us/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) can check the security of apps while they are running. | ||
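Review bot: "can check the security of apps while they are running" does not say what is checked or what happens when the check fails, so the reader cannot tell whether this blocks, warns or only logs; state the decision point (before launch or at run time) and the outcome. Since the row above says most apps are not sandboxed, also say whether Smart App Control changes that or is an independent control.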
| You can also use [Windows Sandbox](https://learn.microsoft.com/en-us/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview) to run untrusted apps. It provides a lightweight virtual machine to safely run applications in isolation. You can transfer files and apps into Windows Sandbox by copying them. |
| You can also use [Windows Sandbox](https://learn.microsoft.com/en-us/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview) to run untrusted apps. It provides a lightweight virtual machine to safely run applications in isolation. You can transfer files and apps into Windows Sandbox by copying them. | |
| You can also use [Windows Sandbox](https://learn.microsoft.com/en-us/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview) to run untrusted apps. It provides a lightweight virtual machine to isolate applications. You can transfer files and apps into Windows Sandbox by copying them. |
| ### Antivirus Protection and Firewall | ||
| Windows include [Windows Security](https://support.microsoft.com/en-us/windows/stay-protected-with-windows-security-2ae0363d-0ada-c064-8b56-6a39afb6a963), which provides the latest antivirus protection, system security settings, Exploit Protection and Controlled Folder Access. Some settings may not be changed in the UI if you have deployed security baselines. |
| Windows include [Windows Security](https://support.microsoft.com/en-us/windows/stay-protected-with-windows-security-2ae0363d-0ada-c064-8b56-6a39afb6a963), which provides the latest antivirus protection, system security settings, Exploit Protection and Controlled Folder Access. Some settings may not be changed in the UI if you have deployed security baselines. | |
| Windows includes [Windows Security](https://support.microsoft.com/en-us/windows/stay-protected-with-windows-security-2ae0363d-0ada-c064-8b56-6a39afb6a963), which provides the latest anti-malware protection, system security settings, Exploit Protection and Controlled Folder Access. Some settings may not be changed in the UI if you have deployed security baselines. |
| reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f | ||
| reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v RetsPredictedFromRsbOnly /t REG_DWORD /d 1 /f | ||
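Review bot: these two `reg add` lines follow the Windows Security row with nothing introducing them, and the first spells the hive HKEY_LOCAL_MACHINE while the second uses HKLM for the same key; give them a lead-in sentence stating which processors they apply to (the AMD and ARM rows below introduce the same two commands with "the following command") and use one hive spelling throughout.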
| Enable additional mitigations against silicon-based microarchitectural and speculative execution side-channel vulnerabilities in AMD processors by executing the following command from an elevated command prompt. To be fully protected, you might also need to disable Hyper-Threading (also known as Simultaneous Multi Threading (SMT)). |
| Enable additional mitigations against silicon-based microarchitectural and speculative execution side-channel vulnerabilities in AMD processors by executing the following command from an elevated command prompt. To be fully protected, you might also need to disable Hyper-Threading (also known as Simultaneous Multi Threading (SMT)). | |
| Enable additional mitigations against silicon-based microarchitectural and speculative execution side-channel vulnerabilities in AMD processors by executing the following command from an elevated command prompt. To further increase mitigations, you can also disable Hyper-Threading (also known as Simultaneous Multi Threading or SMT). |
| reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f | ||
| reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v RetsPredictedFromRsbOnly /t REG_DWORD /d 1 /f | ||
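Review bot: the row says "the following command" but two commands follow, and they are the same two values given under the ARM row; either the values differ per architecture (then show the right ones here) or the AMD and ARM rows should be merged into one entry. "To be fully protected" overclaims and the suggested "To further increase mitigations" is better, but make clear that disabling SMT is a separate step that these registry values do not perform.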
| Enable additional mitigations against silicon-based microarchitectural and speculative execution side-channel vulnerabilities in ARM processors by executing the following command from an elevated command prompt. To be fully protected, you might also need to disable Hyper-Threading (also known as Simultaneous Multi Threading (SMT)). |
| Enable additional mitigations against silicon-based microarchitectural and speculative execution side-channel vulnerabilities in ARM processors by executing the following command from an elevated command prompt. To be fully protected, you might also need to disable Hyper-Threading (also known as Simultaneous Multi Threading (SMT)). | |
| Enable additional mitigations against silicon-based microarchitectural and speculative execution side-channel vulnerabilities in ARM processors by executing the following command from an elevated command prompt. To further increase mitigations, you can also disable Hyper-Threading (also known as Simultaneous Multi Threading or SMT). |
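Review bot: "Hyper-Threading" is Intel's brand name, and this row is about ARM processors (the previous one about AMD); lead with the generic term the row already supplies, "Simultaneous Multithreading (SMT)", and keep "Hyper-Threading" for an Intel row if there is one.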
including security and privacy overview.