Advice Request Windows is insecure and untrusted


Ink

Change my mind.

  • Why choose third-party security software?
  • Why harden the OS?
  • Why use on-demand malware and adware scanners?
  • Why run limited rights?
  • Why did Microsoft implement UAC?
  • Reasons for the Microsoft Store and 10X?
 

amirr

Change my mind.

  • Why choose third-party security software?
  • Why harden the OS?
  • Why use on-demand malware and adware scanners?
  • Why run limited rights?
  • Why did Microsoft implement UAC?
  • Reasons for the Microsoft Store and 10X?
Your great questions remind me of the book Information Security Illuminated (Jones and Bartlett Illuminated): 9780763726775: Computer Science Books @ Amazon.com, which I bought 16 years ago.


Nagisa

1- I remember Windows Defender being regarded by security experts as the best in the sense of optimal protection and compatibility.
2- Windows is already secure enough OOB, while some Linux distros don't even have a firewall by default. Hardening the OS makes sense in all operating systems.
3- I don't actually need any.
4, 5 - Running programs under the least privilege is an important security principle. I don't think it's exclusive to Windows.
 

Nightwalker

Why choose third-party security software?
Why harden the OS?
Why use on-demand malware and adware scanners?
Why run limited rights?
Why did Microsoft implement UAC?
Reasons for the Microsoft Store and 10X?

1- No need to. Microsoft Defender is more than enough protection-wise; it is free, enabled by default, doesn't break HTTPS connections, and has far fewer incompatibility problems.
2- No need to. Exploit Protection is ON by default.
3- No need to. If you don't disable Microsoft Defender, you probably won't get infected if you aren't a happy-clicker average Joe.
4- Now that is interesting. If you run with limited rights you have a much smaller attack surface; most vulnerabilities can be easily mitigated just by turning off Administrator rights.
5- UAC IS NOT a security boundary. It was created to make software work within the boundaries of a standard user where possible; it is a convenience tool, not a security one (Standard user is).
6- To make money for Microsoft, of course, by taxing 30% from all the app sales on the Store.

Reference:
 

MacDefender

My 2c here:

Change my mind.

  • Why choose third-party security software?
I don't like placing all of my eggs in one basket. Though Windows Defender is widely regarded to work well these days, I prefer not trusting the same party (Microsoft) to implement every layer of security on my device. A third party like Kaspersky or ESET has its own technologies and is less likely to be biased to think in the same way as the OS designer.

  • Why harden the OS?
I think it's better to answer "why not harden the OS?". Windows by default is somewhat modest in the hardening features they turn on by default. These features are great but also create compatibility issues in the form of app crashes, etc, for apps that are not compatible with the hardening technology. In general, Apple and Linux are far less caring about this. You can run many DOS and Win32 apps from 1990 on Windows 10. Good luck running even 3-4 year old Linux or macOS binaries on a modern version of the OS.

So if those use cases don't apply to you or you're willing to trade incompatibility for security, that's why the knobs exist to harden the OS more.

NOTE: By default on 64 bit Windows the bulk of the hardening features are turned on. The very few that are turned off are because they really do create a lot of compatibility issues.

  • Why use on-demand malware and adware scanners?
Honestly this is a really good question and I don't think this is very necessary anymore. The reasons for on demand scans would be:
  1. Some AVs prioritize fast startup and don't block services from loading before the AV engine starts. For those AVs, malware might have a chance to preload before the AV engine reacts, and a scan gives you a better chance at catching that
  2. Around sleeping/waking your machine or switching networks, you could've gone some amount of time with offline-only protection which is weaker with most AVs including Windows Defender. An on demand scan with network connection can help fill that gap a little
  3. Some AVs like Kaspersky also perform UEFI rootkit scans as part of their on demand scan but not their on access scans
  4. Most AVs let you set different heuristics settings for on access vs on demand scans. You might not want your system to hang as your AV tries to unpack a 1GB RAR file you right clicked, but during an on demand scan you are fine with that.
  • Why run limited rights?
Well pre UAC, it was obvious, because Administrator accounts allow malware to do way too many dangerous things without any prompts.

In a post UAC world, the Administrator account still has magical powers and UAC doesn't even let you control all of those. For example, the default UAC settings to minimize nagging still allow you to update/change drivers in Device Manager or change the date/time (severing SSL connections if you move the clock too much). Mapping network drives and DOS drives is allowed as an Administrator regardless of UAC settings. Both of those have been used by malware in the past to evade ransomware protected folders.

On a Linux machine, I've seen compromised servers because the sudo binary gets replaced or a fake path/alias gets injected to a sudo binary. That's one reason why you might not even want on a Linux machine to run as a user that is capable of elevating to administrator. Not to mention I think in the last 5 years we are up to 3 or so extremely serious sudo vulnerabilities.
  • Why did Microsoft implement UAC?
I actually think UAC is a great idea that other OSes should offer. UAC as a concept lets you elevate permissions for a specific operation. I'd like to call out these cool features of UAC compared to sudo or password dialogs on macOS or Linux:
  • You don't have to type in your password again. Excessively typing in your password can be less secure, especially in environments where you're recorded by security cameras or are in public. After installing a 4K security camera in my living room, I was able to zoom in on the video footage and clearly see myself logging into a website on my smartphone. Shoulder surfing attacks are getting worse and worse as technology gets better.
  • The OS takes many safeguards to make UAC dialogs look/sound unique and prevents software from clicking the button themselves. Note that lately, macOS has implemented some similar features in their "enter your admin password" dialog because, unsurprisingly, malware started clicking those buttons for the user by faking input events.

  • Reasons for the Microsoft Store and 10X?
I mean the cynical answer is that Microsoft would like to get in on Apple's action; having an App Store ecosystem means they get to take a cut of the profit :)

But more seriously, as a customer, I think it's nice to have one central store experience. I can trust Microsoft to filter their store of malware and other distrustful apps. I can give my credit card to Microsoft and trust they won't steal it or do sneaky auto-renewals that are impossible to cancel.
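
The sudo tampering routes mentioned in the post above (a replaced binary, a fake PATH entry or an alias) can be audited with a few checks. This is an added example, not part of the original post; the function names and finding labels are hypothetical, and `/usr/bin/sudo` as the expected location is an assumption.

```shell
#!/bin/sh
# Added example: audit how the name "sudo" resolves. Function names and
# finding labels are hypothetical; /usr/bin/sudo is an assumed default.

# Print the first executable named sudo in a colon-separated PATH string.
first_sudo() {
    old_ifs=$IFS; IFS=:
    for dir in $1; do
        [ -n "$dir" ] || dir=.    # an empty PATH entry means the current directory
        if [ -f "$dir/sudo" ] && [ -x "$dir/sudo" ]; then
            IFS=$old_ifs; printf '%s\n' "$dir/sudo"; return 0
        fi
    done
    IFS=$old_ifs; return 1
}

# Report findings for PATH string $1; $2 is where the real sudo is expected.
audit_sudo() {
    path=$1; expected=${2:-/usr/bin/sudo}; rc=0
    found=$(first_sudo "$path") || { echo "NOT_FOUND"; return 1; }
    [ "$found" = "$expected" ] || { echo "SHADOWED $found"; rc=1; }
    # A genuine sudo is owned by uid 0 and has the setuid bit set.
    meta=$(ls -lndL "$found" | awk '{print $1 ":" $3}')
    case $meta in
        ???s*:0) ;;
        *) echo "NOT_SETUID_ROOT $found"; rc=1 ;;
    esac
    # A PATH directory writable by group or others lets another account plant a fake sudo.
    old_ifs=$IFS; IFS=:
    for dir in $path; do
        [ -d "$dir" ] || continue
        case $(ls -ldL "$dir") in
            ?????w*|????????w*) echo "WRITABLE_DIR $dir"; rc=1 ;;
        esac
    done
    IFS=$old_ifs
    return $rc
}

# List startup-file lines that define an alias or function named sudo.
scan_rc() {
    grep -nE '^[[:space:]]*(alias[[:space:]]+sudo=|function[[:space:]]+sudo[[:space:]({]|sudo[[:space:]]*\(\))' "$@" /dev/null
}

# Usage: audit_sudo "$PATH"; scan_rc ~/.bashrc ~/.profile
```

Aliases set only in a running interactive shell are not visible to a script, so `scan_rc` inspects the startup files that would define them.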
 

roger_m

  • Why choose third-party security software?
I use third party security software because it gives me more control than Windows Defender does and is lighter. For example, it prompts me before quarantining anything. However, when it comes to protection, I feel that WD is fine.
  • Why use on-demand malware and adware scanners?
While unlikely, there is a chance that there is something that may be missed by my main antivirus.

While Windows could be considered insecure, if you take a little care, e.g. keep Windows and vulnerable apps updated and are not click happy, it is usually very hard to get infected.
 

Lenny_Fox

Windows, macOS and Android, but why does that matter?
Why would you use macOS when you also have Windows 10? I just hate the program-oriented user interface of a Mac. I like to work document-based (click on a document, not start a program first and then open a document).

Also, the screen swiping does not work on Mac. I seem to have a low body temperature; at airports fingerprint recognition also never works for me, and I always have to queue up and wait. On some Android phones I have that problem occasionally (touch screen not working), but on Mac touch screens never work, while on Windows touch screens always work perfectly (on my girlfriend's laptop).
 

RoboMan

Big deal. Vulnerabilities and security holes are found in macOS and Linux and they don't even have as much market share as Windows. But since Microsoft's database is huge, it's a target. I can assure you Apple's "miraculous" sandbox application system, or Linux's marvelous sudo and security permissions, would last 1 week if suddenly they had the bigger portion of the market share.
 
