Windows 10 Security

Discussion in 'other software & services' started by NonGeek, Jan 2, 2016.

  1. NonGeek

    NonGeek Registered Member

    Joined:
    Dec 28, 2015
    Posts:
    40
    Edit: Folks, please focus SPECIFICALLY on Windows 10 security issues as per thread title.

    So, YOU are on Windows 10, and I have the following questions for you:

    Any experiences with bare bones Windows 10 security?
    What is your security setup with Windows 10?

    Thanks!
     
    Last edited: Jan 3, 2016
  2. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,977
    Location:
    Brasil
    I see a lot of friends talking about how Windows 10 updates can break things, so if stability is important to you I'd recommend waiting a little bit more. But if you had no problems so far, why not? :)

    Windows 10 isn't too different from 8, I think Microsoft learned the lesson and will probably never create a new OS from scratch again, at least for a long time. 7 is pretty much Vista with little improvements. 8 is pretty much 7 with different UI and little improvements. And 10 is pretty much 8 with different UI and little improvements. What they did wrong with 8 was the Metro interface by default, because the system itself isn't too bad for Microsoft standards.
     
  3. pegas

    pegas Registered Member

    Joined:
    May 22, 2008
    Posts:
    2,016
    I don't hesitate to say that Win 10 is the best Microsoft's OS I have ever used. Stable, fast, no updates issues. As far as security is concerned I'm using Norton Security and Adguard. Both work flawlessly. I don't see a reason why to stay on 8.1, imho.
     
  4. Marcelo

    Marcelo Registered Member

    Joined:
    Oct 11, 2005
    Posts:
    74
    Location:
    Rio de Janeiro, Brazil.
    Check your hardware for incompatibility, not Microsft self-check, but hardware forums. On my notebook, for instance, I have to keep an old driver installed to use my AMD 265M graphics driver. If I update to the latest version all games will stutter and I get crashes.
     
  5. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    665
    I've been using Comodo FW v8, Sandboxie, and Mbae without any issues whatsover.
     
  6. Techwiz

    Techwiz Registered Member

    Joined:
    Jan 5, 2012
    Posts:
    539
    Location:
    United States
    The security improvements in windows 10 are long overdue by Microsoft, but imho the privacy holes they punched in for data collection and the security challenges that come with this push for a web services design erode any major advantages you might have hoped for. I think windows 8 was their alpha and windows 10 is the beta. To be fair, a lot of proprietary software that we use has just recently become compatible following the November updates. Still other software, such as sandboxie still do not function properly on Windows 10 despite the compatibility claim on the web site and this includes running a recent beta version. The event viewer should also be investigated for any software you install. Panda Cloud AV installed fine on windows 10 back around July and appeared functional, but the event viewer told a different story then. I think overtime more and more software will become compatible, but if all you need your computer for at this time is word processing, checking e-mail, browsing, etc. then Windows 10 works. But I'd urge caution if you go beyond standard use given the uncertain compatibility of some software despite claims by vendors.

    What is working on my 64-Bit Laptop:
    Comodo FW v8
    Shadow Defender + Chrome Browser
    MBAE
     
  7. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    My basic security setup for Windows 10 is not that different from any other versions. I use a LUA and set ACLS and Applocker so scripts and executible files can only execute in the Windows and Program Files directories. I have Windows defender enabled and Emet installed. I have Smartscreen enabled as well. I disable a lot of services both for performance and security. Any remote access and remote desktop services are disabled as well as remote registry. I edit group policy to disable autoruns on all devices and to not allow execution of programs on removable drives. There are other group policy tweaks as well but these are the most important ones. In earlier versions of Windows I used SRP instead of Applocker but Applocker is the stronger of the two and overides SRP.

    I've found the 1511 upgrade to be somewhat problematic and more intrusive than the original July 29th release. It uninstalled software in my system without informing me and completely broke Virtualbox. I only have a test install of it on a spare drive at this point and have no intention of using it. In systems that originally ran Windows 7, I found no advantage to upgrading to Windows 10 at all. No noticeable speed increases, boot times about the same, uglier GUI. Less stable overall with lots of software incompatibilities that start showing up with use. I currently have two test systems that mulitiboot Windows 7, Windows 10 and Linux and I can compare them quite easily and run the same software on both versions of Windows for speed and compatibility testing.
     
    Last edited: Jan 3, 2016
  8. NonGeek

    NonGeek Registered Member

    Joined:
    Dec 28, 2015
    Posts:
    40
    Last edited: Jan 3, 2016
  9. Techwiz

    Techwiz Registered Member

    Joined:
    Jan 5, 2012
    Posts:
    539
    Location:
    United States
    At the moment, most of the security improvement are under-the-hood and brought over from changes made in windows 8. For those of us making the jump from 7 to 10, these immediate improvements such as the expansion of the smartscreen filter beyond the browser are good news. I've been following the discussion about newer features including: credential guard, device guard, guarded fabric and vTPM. But for me, the real change comes from obvious enhancements such as built-in virtual desktops and Viridian Hypervisor Kernel. Obvious who will benefit from these future features will depend on what version of windows you decide to run and it still won't mean much if they compromise security for the sake of convenience (i.e., biometric login and sans password authentication) and other gimmicks like universal apps which don't had anything except a common/shared attack surface that will affect multiple devices. We could argue apples and oranges about what is considered an improvement, but I think Microsoft at the very least deserves some credit. The Windows 10 update isn't simply Windows 7 with a fancy new Window's 8 GUI overhaul. Having said that, I've decided to limit my usage of windows 10 personally for business and school usage. Once I'm free of these obligations, I fully intend to dump windows entirely.
     
  10. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,079
    Location:
    Netherlands
    My list of tweaks through Group Policy (on my Desktop with Windows 10 Pro) and through regedit (on my Asus Book with Windows 10 Home).

    Turn Windows Features OFF
    • Disable IE11 (use Chrome instead)
    • Disable WMP (use Windows 10 Apps which are running in AppContainer)

    Use Edge as PDF-reader
    • Disable Edge rules in Windows Firewall
    • Disable Flash in Edge
      settings>view advanced settings>Use Adobe Flash (OFF)
    • Disable Javascript in Edge
      [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Internet Settings\Zones\3]
      "1400"=dword:00000001

    Disable access to shell and scripts

    • Disable 16-bits (32 bits)
      [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppCompat]
      "VDMDisallowed"=dword:00000000
    • Disable command prompt and scipts
      [HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
      "DisableCMD"=dword:00000001
    • Disable windows script host
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings]
      "Enabled"=dword:00000000
    • Disable powershell script execution
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell]
      "ExecutionPolicy"="Restricted"
      [HKEY_LOCAL_MACHINE \Software\Policies\Microsoft\Windows\PowerShell]
      "EnableScripts"=dword:00000000

    Disable remote

    • Block remote access to plug and play
      [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Settings]
      "AllowRemoteRPC"=dword:00000000
    • Block remote assistance
      [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
      "fAllowUnsolicited"=dword:00000000
      "fAllowToGetHelp"=dword:00000000
      "fDenyTSConnections"=dword:00000001

    Disable USB (auto) run

    • Disable autoplay for non volume devices
      [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer]
      "NoAutoplayfornonVolume"=dword:00000001
    • Deny USB Execute Access
      [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
      "Deny_Execute"=dword:00000001

    Risk Mitigation

    • Protect system DLL's
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
      "ProtectionMode"=dword:00000001
      "SafeProcessSearchMode"=dword:00000001
    • Block untrusted fonts
      [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\MitigationOptions]
      "MitigationOptions_FontBocking"="1000000000000"
    • Disable file encryption
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS]
      "EfsConfiguration"=dword:000001
    • Block unsigned process elevation
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
      "ValidateAdminCodeSignatures"=dword:00000001


     
    Last edited: Jan 4, 2016
  11. PaleDark

    PaleDark Registered Member

    Joined:
    Nov 30, 2015
    Posts:
    55
    Window Defender + Windows Firewall + UAC Mac = good for generally light usage. Install EMET from Microsoft and u got urself a complete Microsoft Security package. As long as you're not happy clickers + use ur brain when opening/ downloading things, barebones security should provide a basic yet essential protection. :)
     
  12. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,732
    +LUA

    WD with activated adware scan is really powerful. and it do not need admin rights at any time to work.
     
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,042
    Okay I have a basic question.

    If I do a clean Win 7 x64 pro install, and add no security software, just leave win 7 as installed, and then run a piece of current ransomware, I know what will happen. Data lost.

    So now I do the same thing on the "more secure OS" Win 10 x64 Pro, nothing above standard 10 install, and run the same Ransomware. Will I be protected?
     
  14. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,061
    If I had to guess I would say it all depends on Windows Defender and SmartScreen. If any of those won't stop it nothing else in default setup won't help you.
     
  15. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,079
    Location:
    Netherlands
    You know the answer, to that question ;) NO

    But when you use some of the features of the PRO version (see my security setup): YES
     
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,042
    That was my guess also. So to the average users, Win 10 isn't really that much more secure.
     
  17. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,079
    Location:
    Netherlands
    Disagree Peter, being right (factual correct) on some points does not mean your conclusion is correct.

    The moon is yellow, the moon is round and has craters resembling holes, so it must be made of cheese.

    Windows 10 is definitely a lot more secure than than Windows 7 even for Home versions:

    1. Windows Defender on Windows 7 was just an improved XP derative of Giant Anti Spy-ware, while Windows Defender on Windows 8 and above is an Anti-Virus (or Anti-Malware) application (comparable with MSE)

    2. MSE on older Windows OS-ses scored poorly in comparative tests (often just over 60% coverage), while Windows Defender on Windows 10, reaches 95% protection levels, because of the new (Windows 10) OS-aware feature.

    3. Windows 10 media Apps all run in AppContainer, while Windows Media Player ran as Medium Level Integrity Process, definitely an improvement

    4. Windows 10 has some anti-exploit enhancements over Windows 7 (stronger Sandbox and better memory protection Control Flow Integrity Guard)

    5. EUFI and early and early anti-malware check at boot (only allowing safe and signed drivers to boot) provide better protection against rootkits
     
  18. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,061
    And don't forget about system-wide SmartScreen protection.
     
  19. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    2,872
    Location:
    Australia
    If you don't install an AV then Windows Firewall and Windows Defender ( a full AV) will be actively protecting that system which is not the case with Win7 (where WD is a crap anti-spyware program only).
     
  20. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,079
    Location:
    Netherlands
    True, forgot about that :thumb:
     
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,042
    Okay, guys I hear you. So let me rephrase the question. If I install win 10 clean and leave all it's security turned on how well am I protected from the current stuff circulating.

    Lets assume I do some bad clicking.
     
  22. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,079
    Location:
    Netherlands
    @Peter2150

    While ignoring Smartscreen warnings, my guess is 95% (based on latest tests published)

    When refraining from executing programs with poor reputation, my guess would be on par with top tier AV's (so at least 99%)

    Regards Kees
     
  23. NonGeek

    NonGeek Registered Member

    Joined:
    Dec 28, 2015
    Posts:
    40
    Compared to Windows 8.1, how much more secure is Windows 10?

    Edit: I meant bare bones Windows 8.1 vs bare bones Windows 10
     
    Last edited: Jan 5, 2016
  24. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,042
    Thanks Kees. Clears up some misconceptions.
     
  25. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    665
    I still think stuff like Ransomware, like the new ones would slip by pretty easily.
     
Loading...