Windows Hardening Guide

So, I am Edward. I am working on a Windows Guide for Privacy Guides.

It would be much appreciated if you could add and provide more resources for me, for example by suggesting changes via code review; any type of comment is welcome.

Pull Request: Add Windows Guide by EdwardLangdon · Pull Request #1380 · privacyguides/privacyguides.org · GitHub.

For the main issue: Re-write of Windows Page · Issue #166 · privacyguides/privacyguides.org · GitHub

I only took a cursory look at the Markdown file as of 8983dc2 and none of the existing discussion, so I apologize if I missed something important. I also haven’t used Windows in years (and haven’t touched Windows 11 at all), but here are some notes that I believe are still applicable:

  • Please emphasize that users should never sign in to Windows with a Microsoft account. Signing in to applications like Microsoft Office (which some users are required to do for their school or company) will trigger a dark pattern offering to sign in to Windows, and it is critical to reject this offer.

    • Aside from the usual reasons not to sign in, signing in to Windows will reveal the user’s email address in the Settings app. I have seen several people doxx themselves by posting screenshots of the Settings app (usually for tech support purposes) — the name and email address are inconspicuously placed in the corner, so most people don’t notice until it’s too late.
  • BitLocker is only available on Pro or higher editions of Windows (not Home). Home edition users should use VeraCrypt instead, and arguably VeraCrypt is more secure/trustworthy than BitLocker anyway. (Granted, upgrading from Home to Pro unlocks other benefits like Group Policy.)

  • The first GPO I would always set is “Disable Cortana”. I don’t remember all the other ones I cared about, but I think there was one about disabling Bing web searches from the Start menu.

    • At one point, I looked through every single GPO available by default in Windows 10 Pro. Doing so might be warranted in the creation of this guide — it’s really not as daunting a task as it may seem.

    • It may be worth including a primer on how Group Policy works, e.g. the difference between Computer Configuration and User Configuration (noting that some GPOs will only be in one section or the other).

  • For you as the author of the guide, consider checking out Winaero Tweaker for some other Windows-hardening ideas. I’ve used it in the past and trust it, but it’s not FOSS so probably best to avoid directly mentioning it in the guide.


Do remember that VeraCrypt does not play well with verified boot, although IMHO verified boot on Windows is a joke and is practically useless if you’re not encrypted (most malware does not, and does not need to, target the bootloader to gain persistence anyway).

1 Like

I hope no one seriously believes secure boot is more important than full disk encryption (Home users)…

For Pro and higher editions, BitLocker and Secure Boot are probably the better choice for most people, honestly.

1 Like

I would actually really like a formal explanation of why Secure Boot is not as good a feature as folks may believe on first blush. I came across this thread in the Learn Linux TV forums about it and it helped a lot. However, I think folks who are newly technical or considering Linux could get spooked by the request to disable Secure Boot. If you don’t know how it works, that seems like a bad idea that can lead to exposure.

Basically the problem with Secure Boot as I understand it is as follows. So you have Secure Boot on in case malware gets on your computer and wants to run before the OS boots, thus avoiding any security measures in the OS. That kind of malware is called a rootkit. If Secure Boot detects a change to the OS or bootloader, it won’t boot. Great, your data is protected!

How do you fix it, though? You can’t get into your computer because Secure Boot is preventing you. You can get in if you disable Secure Boot, but then you’ve also let in the malware that modified your computer in the first place. Therefore, Secure Boot basically functions as a flag to the user that you have to wipe your computer and start over on a fresh install with (hopefully) backed up data. You have to count it as a loss and move on.

Even then, I realize as I type this that a clean install may not fix the problem of a rootkit attack. You’re replacing the OS, but if the rootkit would boot before the OS, wouldn’t it still be there after a clean install? At that point you’ve done a clean install from a BIOS that was already infected, meaning that you potentially can’t trust the new install either. I’ll leave that question up to the community to help with. :sweat_smile:

All that said, it’s not bad to enable Secure Boot after you’ve installed an OS. I use Fedora in part because I just feel better with it on. It’s just not the most critical security measure you need to worry about. If Jay from Learn Linux TV disables it, you’re probably going to be fine.

You can enable BitLocker on Windows Home via the command line: Encryption Software - Privacy Guides (however, you cannot add boot authentication like a PIN via this method, so you are reliant on the security of the Windows lock screen).
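A quick status check for the two protections this thread keeps comparing (Secure Boot and disk encryption), as an added example that is not part of the original post or the guide. It assumes an elevated PowerShell on Windows 10/11; `manage-bde.exe` is present on Home as well as Pro, whereas the `Get-BitLockerVolume` cmdlets are not.

```powershell
# Added example (not from the thread): report edition, Secure Boot state and
# BitLocker state of the system drive, including whether a pre-boot PIN exists.
# Run from an elevated PowerShell prompt.

# Edition: the BitLocker UI and PowerShell module need Pro or higher; Home has
# only manage-bde.exe, which is why the command-line route works there.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
"Edition: $($os.Caption)"

# Secure Boot as reported by UEFI. The cmdlet throws on legacy BIOS machines.
try {
    "Secure Boot enabled: $(Confirm-SecureBootUEFI)"
} catch {
    "Secure Boot: not available (legacy BIOS or unsupported platform)"
}

# BitLocker state of the system drive. Only the informative lines are shown.
$status = & manage-bde.exe -status $env:SystemDrive 2>&1
$status | Select-String -Pattern 'Conversion Status|Percentage Encrypted|Protection Status'

# A PIN shows up as the "TPM And PIN" key protector in manage-bde output. Without
# it, the drive unlocks on boot and only the Windows lock screen stands in the way,
# which is the caveat the post above describes for the Home edition route.
if ($status -match 'TPM And PIN') {
    "Pre-boot PIN: present"
} else {
    "Pre-boot PIN: absent (relying on the Windows lock screen)"
}
```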

I’m unsure of the specifics so I’ll just share a broad understanding: Basically, Secure Boot in its current implementation is nearly useless because Microsoft has signed a number of different things which allow you to boot virtually anything. Even the Windows installer grants you access to a command-line prompt. The only way to protect your data at rest is via disk encryption.

Secure Boot can be secure if you delete all the default keys, add your own, and sign your own operating system with your own keys (which virtually nobody is doing). Even so, the attacks it prevents are generally fairly unrealistic for most people. I would keep Secure Boot enabled when possible, but if you do something like use VeraCrypt or install Linux which isn’t compatible with Secure Boot, I also wouldn’t sweat turning it off :slight_smile:

3 Likes

The threat against which Secure Boot is meant to protect is not the BIOS/UEFI getting infected, but rather your OS bootloader (or some other stage of the OS’s early boot process) being compromised.

If you do a full wipe and reinstall from external installation media, rootkits cannot survive. (What will survive though is OEM bloatware. Imagine if malware managed to exploit the Windows Platform Binary Table…) If you do a ‘factory reset’ from within the existing OS, a rootkit could potentially survive — the infamous xHelper rootkit for Android is one example of this behavior.

Intel ME and AMD PSP theoretically have some provisions to protect against BIOS corruption/modification, but I can’t speak to how effective they are. BIOS/UEFI modification is not a realistic threat anyway; it requires physical access, disassembly, and a hardware programmer (unless your stock firmware is so bad that it doesn’t signature-enforce firmware updates). With that said, considering how alarmingly large the attack surface is on most modern UEFI firmware and how few reasons exist to have confidence in its security, I would personally much rather run Coreboot with ameliorated ME or disabled PSP.

This is absolutely on-point. Ventoy is perhaps one of the most flagrant violators of the entire Secure Boot security model. And, lest anyone think Microsoft can be trusted to safeguard Secure Boot signing keys, know that the Secure Boot ‘golden keys’ for the Surface RT were leaked, and it’s only a matter of time before the same happens for x86 PCs.

If only we could trust OEMs to implement the UEFI spec correctly.

Secure Boot on most Linux distros is actually almost useless anyway. I will probably get the details wrong if I try to elaborate on this, so I defer to Tommy from Privacy Guides instead. If you want true Secure Boot on Linux, your best bet is to use full-disk encryption with encrypted /boot and GRUB installed as a Coreboot payload. Also see Qubes OS’s Anti Evil Maid which is very different from a traditional Secure Boot implementation.


Android Verified Boot and Chromebook Verified Boot are much, much more robust than the so-called Secure Boot used on PCs. Again I defer to Tommy from Privacy Guides for the exact details.

Even in the best case though, I personally don’t see Secure Boot or Verified Boot as a useful security measure. Malware does not need to be a rootkit to screw you over. I would nuke everything and reinstall my OS after any signs of malware, rootkit or not.

3 Likes

I am sort of watching the replies. I will reply here in my free time.

Thank you for your tips.

Regarding Winaero, I am not going to do that. We want to recommend things to people via official documentation, as things are often changed, moved or replaced later by Microsoft. So these programs too would need to be kept up to date with it; if they didn’t notice and change themselves, it wouldn’t be better.

So, it’s better to stick to the docs.

Your suggestion is already in the guide. :+1:

Thank you all for helping out. I have completed the Overview and Hardening pages.

I have opened a new topic just for privacy, so please follow there.

@anon33963123 Your advice regarding MS account is great. I will add it to the Privacy page. Thanks.

As some people know I am writing a Windows Guide.

It would be better if you could give tips on enhancing the privacy of Windows. The key requirements for the answers are:

  • The deployment of your solution should be native, such as the Group Policy Editor, Regedit or any Microsoft documentation.

  • No third-party software should be recommended, as it cripples the basic image of the system.

1 Like
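The two Start menu policies named in the first reply (“Disable Cortana” and the Bing web search one) applied the native way the last post asks for, as an added example that is not from the guide or from anyone in the thread. It assumes an elevated PowerShell and uses the registry values the Windows Search administrative template writes; on Pro the same result comes from gpedit.msc, on Home, which has no Group Policy Editor, the registry is the native fallback.

```powershell
# Added example (not from the thread): set the Windows Search policies natively
# and verify them. These are Computer Configuration policies, so they live under
# HKLM\SOFTWARE\Policies (machine-wide), not under the current user's hive.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'

# Registry value the policy sets -> the setting a hardened machine should show.
$policies = @{
    AllowCortana          = 0   # "Allow Cortana": Disabled
    DisableWebSearch      = 1   # "Do not allow web search": Enabled
    ConnectedSearchUseWeb = 0   # "Don't search the web or display web results": Enabled
}

if (-not (Test-Path $key)) {
    New-Item -Path $key -Force | Out-Null
}

foreach ($name in $policies.Keys) {
    New-ItemProperty -Path $key -Name $name -Value $policies[$name] `
        -PropertyType DWord -Force | Out-Null
}

# Read every value back and flag any that did not stick (e.g. a write blocked by
# another policy layer), so the script doubles as an audit when run later.
foreach ($name in $policies.Keys) {
    $actual = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    $state = if ($actual -eq $policies[$name]) { 'OK' } else { 'MISMATCH' }
    '{0,-22} expected={1} actual={2} {3}' -f $name, $policies[$name], $actual, $state
}
```

Start menu search picks the new values up after a sign-out or restart. Because the values are written directly rather than through a GPO, `gpresult` will not list them; the read-back loop above is the check to rely on.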