43 comments

[ 4.5 ms ] story [ 91.1 ms ] thread
This guide provides a false sense of hope, I'm afraid. Securing Windows from Microsoft's invasive policies is basically impossible. Cortana has now become un-removable: http://www.pcworld.com/article/3100358/windows/you-cant-turn...

And those of us who thought we were safe using Windows 10 Pro woke up today to discover that the forthcoming Anniversary Update will actually be removing our ability to disable many of these features via the Group Policy editor:

http://www.ghacks.net/2016/07/28/microsoft-removes-policies-...

I'm using group policy extensively to disable things I don't need. If they remove this from Windows Pro, that will be the straw that breaks the camel's back. At least for me.
They probably won't take it completely away, and in fact I think things like the option to disable Windows Store completely being taken away was expected.
The guide suggests using the enterprise edition and one can always verify if the modifications are effective or not by performing thorough network analysis.
That's a bait-and-switch if I ever saw one. I suppose it's more than a coincidence that this happens just as the free upgrade period comes to an end?
To be honest, it was called the Anniversary Edition from the beginning.
It wouldn't surprise me if this was the plan from the beginning, too.

Not saying it is, just saying big corps usually plan ahead.

The voice and typing parts can still be disabled.
The guide doesn't turn off or remove Cortana so much as uses a race condition to break it. Basically, you attempt to rename the Cortana directoy, inevitably fail, then kill the Cortana process and-then-quickly-click-retry in the error dialog that showed up. If you're fast, you can rename the directory before Cortana can boot and lock it in use again. (I assume you can then purge the directory afterward. Bonus points if there's a way to fubar the directory so that it can't be restored (violent symlinking?))
> The operating system is not backdoored and you would realize this if you listened to the response of private corporations after learning about the telemetry feature. The were willing to boycott the upgrade because they have corporate secrets that they would rather not freely hand over.

This logic mystifies me.

No need for telemetry if there is a backdoor?
I just cannot think of a single decent motive for Microsoft to have done that. This is really unacceptable.
Can't you just defer updates on enterprise edition indefinitely?
Something that appears to be missing: Disable Windows Defender either way. It's a piece of garbage that is running by default, does massive amounts of disk I/O for no reason, automatically deletes false positives like community patches for games (how infantilizing) and slows down the PC (and no, my PC is not infected, this is my experience across many independent machines).
Err, isn't this guide advocating piracy?
Presumably, it would still need an activation key, even for that image they link to, but god knows what else gets tampered with in the iso.
They link to an activation crack.

Look at the link under "At the time of this writing, KMSpico is recommended as the best and safest option." It is an activation crack.

This is full on piracy, not just a customised OS image.

Welp - and the crack is open source, right? So we know what it does to the OS?
Pretty sure Microsoft is advocating piracy by bundling a keylogger with the consumer editions.
It is not actually a keylogger in the traditional sense, and I think even that can be disabled.
Yeah, traditionally your data gets shipped off to Russia or Romania, rather than Redmond.
There is no keylogger in the RTM. Never has been.

There was invasive functionality in the alpha, but they were pretty upfront about that. Right now they only send online searches made in Cortana to Microsoft, anything done outside of Cortana is not.

That's just arguing semantics. Anything that sends keystrokes to a remote server gets labelled ‘keylogger’ by me, regardless of whether Microsoft is getting it or a random hacker in $FOREIGN_COUNTRY.

And the rather invasive ‘keyboard analytics’ wasn't just in the alpha.¹ ² ³ ⁴

At least you can turn it off easily enough. Still makes me a bit miffed that it's on by default.

--

1. http://www.pcworld.com/article/2974057/windows/how-to-turn-o...

2. https://thehackernews.com/2015/09/windows10-keylogger-securi...

3. http://www.ibtimes.co.uk/windows-10-keylogger-can-track-ever...

4. https://www.reddit.com/r/Windows10/comments/31rxsv/disable_k...

Semantics are important in this case. Otherwise any web browser is a keylogger by your definition.
> Securing Windows 10

By the end of the steps, UAC has been left turned off.

(comment deleted)
I have three suggestions to improve the OP:

(1) Make the fonts 2-3 times larger.

(2) Make the fonts solid black.

(3) Make the background solid white.

White-on-black is easier to read than black-on-white IMO.

Also, if you're using Firefox you can go to Options ‣ Content ‣ Advanced (Under Fonts & Colors) ‣ Uncheck “Allow pages to choose their own fonts, instead of my selections above” and make the internet a much nicer place.

I do let Firefox let the pages choose their own fonts.

The page as it is is completely impossible for me to read. Even if I have Firefox magnify the page, the combination of the fonts and the black background means that I can't see the characters. Magnifying via Firefox doesn't help. A magnifying glass doesn't help.

I can't read those fonts on that background. Literally, absolutely, positively, I can't read the characters. With those fonts on that black background, there just is not enough contrast for me to read the characters at all. Can't read the page. I want to be clear: Literally I can't read the page. Am I being clear enough? Still, I can't read the page.

I don't want to be obscure. The fact is, I can't read the page.

To read the text, I'd have to capture it on the clipboard and move it to my favorite editor, but in that case I'd lose the links unless I inserted them by hand.

I have a nice, bright CRT, 14", with 1024 x 768 pixels.

I'm not joking -- to me the page is impossible to read. Not joking. I couldn't read the page. I gave up on reading the page.

The three simple, little changes I suggested would make the page plenty easy for me to read.

Are you fucking dumb? It's white text on an almost black background. That's about 100% contrast. Have you never seen a dark website before? You must be new to the internet...

If you are using Firefox, they have a 'read' button in the address bar if you have difficulty reading a page. I don't see how you could possibly have problems reading it given that it literally has higher contrast than this website, but...

> I do let Firefox let the pages choose their own fonts.

Well there's the problem. I suggested you uncheck that.

> If you do not have a copy, one can be easily acquired online. However, if you do acquire it online[0], you will also need to download additional software to activate the operating system. At the time of this writing, KMSpic[1] is recommended as the best and safest option.

I've had to flag this article. They're advocating piracy and linking to an activation remover and image.

[0] Link to a Windows 10 Image

[1] Link to a Windows 10 activation remover.

Regardless of contents, this is a bad way to write a guide of actions to take. Things like:

> Under the Wi-Fi tab click 'manage Wi-Fi settings', uncheck all options.

may mean something completely different in a few months in a system that's going to evolve under a single version. What if MS adds something like "don't automatically try to connect to devices on this network" as a new option in the future. Uncheck that too?

Some of it is legit I suppose but a lot of it reads like snake oil. Also I'm not sure "Securing" Windows 10 is accurate here as we'll see shortly. It seems to really mostly be about "Optimization and Privacy" in Windows 10. I'm mostly ok with the privacy portion or at least the attempt to do so but I would be cautious of any "Optimization" since care must be taken to not be doing more harm than good[1].

> You will be prompted by a User Account Control warning. Click 'change User Account Control settings', reduce the slider to 'never notify', and click 'OK' to apply the changes.

Securing Windows 10 would involve setting it to always notify. Also it should recommend running as a standard user and having an admin account be separate. I'm not sure I can take this very seriously as a security guide.

I wouldn't recommend messing too heavily with services aside from disabling the ONE telemetry service. Most things which aren't used won't be running anyway.

> If you have a desktop computer, you will want to change the power settings to 'High performance'

Not sure about this one... Modern processors (and Windows 10 itself) are pretty good at it and I've yet to have any issues with it running at balanced. If you want to disable the HDD power off feature that's fine but you can do that just fine in the default Balanced profile. I think this "tweak" is mostly snake oil.

Please take "guides" like this with a grain of salt as messing around too heavily may wind up doing more harm than good. Remember that more often than not, no you don't know better than the people who made the operating system. I think the privacy stuff comes from the right place but the rest of it sounds like mostly snake oil and this is definitely not a security guide so tread carefully.

tl;dr It's mostly snake oil and certainly not a security guide.

[1] Disabling the page file is an often cited example which almost certainly does more harm than good.

Yep, as legit as "registry cleaners". Some of those services that are disabled will break 3rd party software in subtle and unexpected ways.

Though my favourite was turning sounds off for a modest performance gain. Clearly a meme guide "curated" by people with a very shallow understanding of Windows

The people who built the system set hiding extensions of known file types a default. So virus.pdf.exe will show up as virus.pdf. I know better than them that this is a completely moronic decision.
Indeed. Perhaps I should've been more specific in my wording of it but I was more referring to the snake oil claims with respect to performance tweaks and to a lesser extent privacy tweaks as well. A number of privacy "tweaks" will wind up breaking third party software.

You're very much correct in that the option you're talking about is important for security. At the end of the day though it is still simply a cosmetic issue albeit with security consequences. I agree with what you're saying though. It is really stupid that it still defaults to not showing extensions.

This is probably a better guide for getting started with securing Windows:

https://decentsecurity.com/securing-your-computer/

That's a nice guide, but if they are going to recommend browser addons, shouldn't they include something like AdGuard specifically for advertisements and Disconnect specifically for trackers?
Doing this guide verbatim is a terrible idea to anyone who doesn't understand what they are doing, Especially obtaining from a source like the pirate bay. You can obtain an ISO straight from Microsoft - https://www.microsoft.com/en-us/software-download/windows10I....

(Ironically it seems the ISO doesn't download over https, but I'd use it over a varying quality torrent site any day.)