HackerTrans
TopNewTrendsCommentsPastAskShowJobs

cirthaya

no profile record

comments

cirthaya
·4 lata temu·discuss
Different subsystems, layers and libraries in Windows do have different interpretations of what characters to allow in a filename, what permission bits to obey, how to behave on different filesystems, etc. It's a huge mess. You can e.g. create invisible, undeleteable files by using characters the explorer doesn't like.
cirthaya
·4 lata temu·discuss
I'd suggest something like "Keep the system and applications up to date. Install all patches from Windows Update immediately and preferrably automatically. Use applications' automatic updates or package managers such as chocolatey.
cirthaya
·4 lata temu·discuss
That part says "Keep the system up-to-date (Windows update): download and install all patches.". But Windows Update doesn't update any applications for third parties and not even all Microsoft applications. So the recommendations for individuals are problematic as described. Only the section for "admins (businesses, organizations)" mentioning "e.g. Windows Server" mentions application updates.
cirthaya
·4 lata temu·discuss
Email Software like Outlook is largely responsible for a lot of phishing problems. E.g. email addresses are usually hidden and only visible after a lot of fiddling. Bad UI such as Outlook's makes most users powerless to recognize phishing. The blame should be put where it belongs: with the people responsible for deciding on the fatal Outlook/Exchange combination.
cirthaya
·4 lata temu·discuss
I'd severely doubt some key recommendations of this guide to the point where it may be useless and dangerous as a whole, because the recommendations are misleading into a false sense of security.

Applications' updates are a huge factor in the security of any endpoint, however the guide recommends application updates only for enterprise users, for normal users that recommendation is missing. But a lot of the attack surface of any system is in applications like the email client, PDF viewer, office suite, etc. While this is acknowledged by mentioning phishing, none of the recommedations mitigate that risk properly. And while the guide lauds Windows as well as MacOS (imho improperly) for their mitigations and sandboxing, it entirely skips over the extremely important field of application update management, which is properly solved by package managers and distributions in Linux. Neither Windows nor MacOS offer any builtin solution, and the guide neglects to mention any third-party solutions or services that are available.

Some recommendations like enabling "strong" password policies are, in the way Windows implements them, counter to NIST and other accepted guidelines. This leads to the usual problems of passwords on stickers on the keyboard, monthly incremented weak passwords and password reuse.

Advice on backups improperly mentions "sync to the cloud". This is not backup, because an attacker can overwrite any file that will later be synced to the cloud, making your "backup" useless. Proper backups must not be overwriteable from the machine that is to be backuped. Anything else will let your data fall prey to the usual encryption trojans without any way of recovery.

And last, not strictly an operating system problem but an environment problem: It should be mentioned that common Windows antivirus and endpoint security software is in itself a security risk. Similarly, phishing attacks are enabled by common Windows-based applications such as Outlook, MS Office and Acrobat. Avoiding those applications if possible goes a long way towards securing a Windows system.