drafts/add-pagebreaks #1

Merged
merged 12 commits into from Mar 20, 2019
2 changes: 2 additions & 0 deletions .artifactignore
@@ -0,0 +1,2 @@
**/*
!WindowsHardening*.pdf
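Review bot: this two-line filter deserves a comment in the file, because its behaviour is easy to break later: `**/*` drops the entire checkout from the artifact and `!WindowsHardening*.pdf` re-includes only the generated PDF, which works only as long as the `asciidoctor-pdf --out-file WindowsHardening-${BUILD_BUILDNUMBER}.pdf` step in azure-pipelines.yml keeps writing the file into the root of the published directory. If the output path ever gains a directory component, the re-include no longer matches and the artifact silently comes out empty, so state that assumption here.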
1 change: 1 addition & 0 deletions .gitignore
@@ -0,0 +1 @@
*.pdf
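Review bot: `*.pdf` is broader than the artifact filter's `WindowsHardening*.pdf`. It keeps the build.bat output out of commits, which is the point, but it will also hide any PDF deliberately added later (a reference document under `images/`, say) until someone notices `git add` is ignoring it. Narrowing it to `WindowsHardening*.pdf` keeps the two ignore files in agreement.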
86 changes: 73 additions & 13 deletions README.asciidoc
@@ -1,43 +1,73 @@
= Windows and Chrome Hardening
Max Vilimpoc (@vilimpoc)
{build-number} {doctime}

image::https://dev.azure.com/TheUpdateCompany/WindowsHardening/_apis/build/status/nuket.WindowsHardening%20Build%20PDF?branchName=master["Build Status"]
:build-badge: image:https://dev.azure.com/TheUpdateCompany/WindowsHardening/_apis/build/status/nuket.WindowsHardening%20Build%20PDF?branchName=master["Build Status"]

:imagesdir: images

A collection of tips and scripts to harden your Windows computer and Chrome browser against attackers.
{build-badge}

Unfortunately, both of these things need to be treated adversarially with a hardened security posture.
== Introduction

This document contains a collection of tips and scripts to harden your Windows computer and Chrome browser against attackers.

Unfortunately, both of these pieces of software need to be treated adversarially with a hardened security posture.

Any tips and well-composed content that people would like to add to this document via issues + pull requests would be greatly appreciated!

Or you can Direct Message suggestions to https://twitter.com/vilimpoc[@vilimpoc] or drop me an e-mail https://vilimpoc.org/contact.php[here].
Or you can send suggestions via DM to https://twitter.com/vilimpoc[@vilimpoc] or drop me an e-mail https://vilimpoc.org/contact.php[here].

== Audience

This guide is intended for anyone who wants to tighten up their security posture and take up a position of security by default.

This guide is written specifically with Windows 10 Version 1809 (October 2018 Update) in mind and will be updated as newer versions are released.

If you're not running the latest version of Windows 10 on your system, then you aren't applying the latest security patches and kernel mitigations designed to keep you out of trouble, particularly against https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)[Spectre] and https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)[Meltdown].

Also, newer versions of Windows 10 tend to have better performance and lower UX latency, so why not update?

<<<

== Hardening Windows

There are too many security-relevant settings to count in Windows, but here are a few that are easily configured.
There are too many security-relevant settings to count in Windows, but the following pages describe a few easy changes that offer increased security to the average user.

The topics in this document are ordered from least to most difficult to understand, such that the final items might be more in-depth than most readers would care to delve into.

So, without further ado, let's get started.

<<<

=== Create and Use a Standard User Account

Windows uses "two" types of primary accounts, Administrator and Standard User.
First and foremost, the biggest and simplest change the average user can make to the way they use their computers is to create and use a _Standard User Account_.

Windows generally separates users into "two" types of accounts: Administrator and Standard User.footnote:[There are actually more types of accounts, but the primary types that are assigned to human users that actually interact with a computer, are these two types. macOS and Linux also follow the same general distinction.]

_Administrator_ accounts are the ones that can do anything to your computer. They can install software, change firewall settings, delete any and all files, and make permanent changes to the system configuration that affect every user.
==== Administrators

It makes no sense to use an Administrator account for everything you do, and it's a shame that Microsoft _still_ defaults to creating Administrator accounts first when installing Windows. _This is like running with scissors._ (And, to be fair, Apple still does this too.)
_Administrator_ accounts can do anything to your computer.

If your computer has only one account on it, then by default, Microsoft made this an Administrator account.
They can install software, change firewall settings, delete any and all files, and make permanent changes to the system configuration that affect every user on the system.

_Standard User_ accounts cannot make permanent or fundamental changes to the operating system that threaten a computer's ability to boot and run. They can't delete system files or access files from other users.
If you run malware while logged in as an Administrator, then that malware will have complete control over your computer and _all of its files_ and _all of its network connectivity_.

It may be able to infest your system so thoroughly that only a clean install on a fully wiped system using a Secure Boot medium will allow you to use the system again.footnote:[And even then, against nation state-level bad actors, you might have to worry about threats persisting in system firmware.]

// It makes no sense to use an Administrator account for everything you do, and it's a shame that Microsoft _still_ defaults to creating Administrator accounts first when installing Windows. _This is like running with scissors._ (And, to be fair, Apple still does this too.)

// If your computer has only one account on it, then by default, Microsoft made this an Administrator account.

==== Standard Users

_Standard User_ accounts cannot make permanent or fundamental changes to the operating system that threaten a computer's ability to boot and run. Because they have limited rights, they can't delete system files or access files from other users.

This type of account should be used for day to day work and add an extra layer of security against malware getting a deep hold in your system.

==== Add A Standard User Account

Obnoxiously, Microsoft makes it as hard as they possibly can to create a non-online, standard user account.

It's more like opt-out than opt-in, which is annoying and you have to jump through multiple dialog boxes to skip this.
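Review bot: `{build-number}` on the revision line has no document-level default. The pipeline and build.bat supply it with `-a build-number=...`, but anyone running plain `asciidoctor README.asciidoc` (or viewing the rendered file on GitHub) gets the literal text `{build-number}` in the header, since Asciidoctor leaves unresolved attribute references in place by default. Add a fallback such as `:build-number: unreleased` in the header; command-line attributes still override it. The `:build-badge:` attribute already follows this pattern, defaulting to the Azure badge and being blanked with `-a build-badge=` for the PDF, so the two would be consistent. Second, the two `//`-commented paragraphs (`// It makes no sense to use an Administrator account...` and `// If your computer has only one account...`) should be deleted rather than kept as comments; the history has them, and commented-out prose tends to rot unread. Minor: the footnote on the account types has a stray comma before "are these two types".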
Expand All @@ -50,7 +80,7 @@ The account creation process is worded in such a way that it sounds like you're

image::add-user-2.png[Add User 2]

No, I don't want to log in with a Microsoft account or create a new one that Microsoft gets to know about.
No, I don't want to log in with a Microsoft account or create a new one that Microsoft has to know about.

image::add-user-3.png[Add User 3]

Expand All @@ -66,6 +96,8 @@ Note that only the accounts created after the first account on a computer are ma

image::add-user-5.png[Add User 5]

<<<

=== Pump Up User Account Control

User Account Control is what shows the full-screen pop-up window when you install new software or make changes in the Windows Control Panel or Settings app. It's gotten much less intrusive since Windows Vista.
Expand All @@ -78,6 +110,8 @@ Make sure this is set to "Always notify".

image::user-account-control.png[User Account Control Panel]

<<<

=== Remove Internet Explorer 11 (and other Optional Windows Features)

If you're not using a computer with corporate websites (the crappy internal websites that companies never pay to upgrade, thereby dragging down the whole web, and inflicting uncounted suffering on the worker bees), then it makes sense to completely remove Internet Explorer from Windows.
Expand Down Expand Up @@ -114,6 +148,8 @@ ____
Does that sound like a home computer setup?
* _Work Folders Client_ would be useful if I had a laptop that connected to a corporate network. But I don't, so it can go. Also, there are tons of alternative file syncing systems (Dropbox, Box, Google Drive, etc.) that have assumed this role in the modern workplace.

<<<

=== Do Not Install Third-Party Antivirus

Installing antivirus software like McAfee, Kaspersky, or Avira will cause your computer to slow down without necessarily providing better coverage than Windows Defender. (As it turns out, Windows Defender already chews up a significant amount of time scanning your system.)
Expand All @@ -122,6 +158,8 @@ Also, these 3rd-party antivirus providers may increase your attack surface area

There have definitely been cases where antivirus vendors hooking into undocumented Windows kernel interfaces actually made a system less secure (which led to Microsoft introducing https://en.wikipedia.org/wiki/Kernel_Patch_Protection[PatchGuard]).

<<<

=== Enable Secure Boot

Secure Boot ensures that your computer is running only trusted, signed firmware from the moment it turns on to the moment that it hands control of the hardware over to the Windows operating system.
Expand Down Expand Up @@ -151,6 +189,8 @@ It would be good for everyone to require manufacturers to produce higher quality
+
image::security-processor-details.png[Security Processor Details]

<<<

=== Hypervisor-Protected Code Integrity (HVCI)

The Windows System Information program shows a few key settings that are security-relevant.
Expand All @@ -161,6 +201,8 @@ image::hvci-settings.png[System Information]

* _Virtualization-based security_ is controlled by the Core Isolation Memory Integrity settings.

<<<

=== Enable BitLocker

BitLocker is used to provide full-disk encryption (FDE) on Windows with hardware-backed key management.
Expand All @@ -178,6 +220,8 @@ It is a good idea to encrypt everything including empty space, unless you have a

Make sure to save a copy of the BitLocker Recovery Key, or print a physical copy of it and put it in a safe place. (Yes, this means that someone ransacking your office could find it, but that requires physical access anyways.)

<<<

=== Update UEFI Firmware / BIOS Firmware

UEFI (https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface[Unified Extensible Firmware Interface]) / BIOS (https://en.wikipedia.org/wiki/BIOS[Basic Input/Output System]) firmware is the earliest code that runs on a computer to start it up, before the Windows operating system takes over.
Expand Down Expand Up @@ -304,6 +348,8 @@ As you can see from the Dell and Lenovo Release Notes, there are a ton of change

Although some of these patches may be more important than others, it is recommended to apply them regularly.

<<<

=== Check Spectre and Meltdown Fixes

https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)[Spectre] and https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)[Meltdown] are a category of hardware design flaws on Intel, AMD, and Arm processors that can lead to remotely-triggered exploits, information stealing, and so on.
Expand All @@ -329,10 +375,20 @@ Because they are hardware vulnerabilities and haven't yet been completely fixed

Kudos to https://support.dell.com[Dell] and https://pcsupport.lenovo.com/[Lenovo], whose engineers updated the firmware microcode for my 5+ year-old laptop and desktop machines to address these issues. Talk about _good support_!

<<<

== Hardening Chrome

As it turns out, having a browser built by the world's largest advertising company may not provide the most end-user privacy.

The following tips are meant to provide a safer alternative to the default settings and reduce the online footprint each person leaves behind.

<<<

=== Blocking Third-Party Cookies

:imagesdir: videos

Third-party cookies follow you around the internet. These are the tiny pieces of data that expose you as a targetable, profiled individual online.

They are sent to servers _other_ than the website you're currently browsing, i.e. _nobody who really needs to know_.
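Review bot: the `:imagesdir: videos` switch at the top of this section changes a document-wide attribute mid-body, so every image macro that follows depends on the matching `:imagesdir: images` reset further down being kept in place, and a reader of the source will not expect still PNG screenshots to live in a directory named `videos/`. Keeping `:imagesdir: images` for the whole document and placing the two screenshots in `images/` alongside the other screenshots removes the toggle and the naming surprise.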
Expand All @@ -342,17 +398,21 @@ These are how Amazon, Google, Facebook, and other advertisers know when to show
Let's say you visit Buzzfeed, at least a dozen ad agencies will find out exactly what you did there:

[link=https://youtu.be/37w5Iu6MLgM]
image::https://img.youtube.com/vi/37w5Iu6MLgM/0.jpg[]
image::blocked-cookies.png[]

This happens on every single website you visit, so multiply the number of cookies you're generating by a hundred.

Here's how to disable these web tracking cookies:

[link=https://youtu.be/EhsUcpivM_I]
image::https://img.youtube.com/vi/EhsUcpivM_I/0.jpg[]
image::block-third-party-cookies.png[]

Once the third-party cookies are blocked, the list of cookies per website will drop substantially.

:imagesdir: images

<<<

== Contributors

Max Vilimpoc (https://twitter.com/vilimpoc[@vilimpoc])
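Review bot: both new image macros have empty alt text (`image::blocked-cookies.png[]`, `image::block-third-party-cookies.png[]`), while every earlier screenshot in the file carries a label (`image::add-user-2.png[Add User 2]`). In the PDF, a missing or unreadable image renders only its alt text, so give these two a short description of what the screenshot shows. The `[link=https://youtu.be/...]` block attributes still apply to the local images, so the click-through to the videos survives the swap from the remote thumbnails.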
22 changes: 17 additions & 5 deletions azure-pipelines.yml
Expand Up @@ -19,8 +19,20 @@ steps:
- script: gem install asciidoctor-pdf --pre && asciidoctor-pdf -v
displayName: 'gem install asciidoctor-pdf'

- script: asciidoctor-pdf --out-file WindowsHardening-${BUILD_BUILDNUMBER}.pdf README.asciidoc && ls -lR && printenv
displayName: 'Generate PDF file from README.asciidoc'
- script: asciidoctor-pdf --out-file WindowsHardening-${BUILD_BUILDNUMBER}.pdf -a allow-uri-read -a build-badge= -a build-number=${BUILD_BUILDNUMBER} README.asciidoc
displayName: 'Generate PDF file'

- script: pwd && ls -lR && printenv
displayName: 'Print build environment'

# - task: PublishBuildArtifacts@1
# inputs:
# pathToPublish: 'WindowsHardening*.pdf'
# artifactName: 'WindowsHardening-${Build.BuildNumber}'

- task: PublishPipelineArtifact@0
inputs:
artifactName: 'WindowsHardening-$(Build.BuildNumber)'

# Useful info, that.

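Review bot: the new `Print build environment` step runs `printenv`, which writes every environment variable into the build log. On a hosted agent that includes any secret variables or service-connection tokens the pipeline has mapped into the step's environment, and build logs are readable by everyone with read access to the project, so this is a credential-exposure risk rather than just noise. `pwd && ls -lR` is enough to confirm the PDF landed; drop `printenv` or print only the specific variables the step needs. Separately, `PublishPipelineArtifact@0` is given an `artifactName` but no `targetPath`, so it relies on the task default plus the new `.artifactignore` to publish only the PDF; setting `targetPath` explicitly makes that intent visible and does not depend on the ignore file being correct.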
Expand All @@ -40,8 +52,8 @@ steps:
# inputs:
# pathToPublish: WindowsHardening.pdf
# artifactName: WindowsHardening.pdf
# #pathtoPublish: '$(Build.ArtifactStagingDirectory)'
# #artifactName: 'drop'
# #pathtoPublish: '$(Build.ArtifactStagingDirectory)'
# #artifactName: 'drop'
# #publishLocation: 'Container' # Options: container, filePath
# #targetPath: # Required when publishLocation == FilePath
# #parallel: false # Optional
Expand All @@ -54,7 +66,7 @@ steps:
# Publish a local directory or file as a named artifact for the current pipeline.
# - task: PublishPipelineArtifact@0
# inputs:
# #artifactName: 'drop'
# #artifactName: 'drop'
# targetPath: WindowsHardening.pdf

# GitHub Release
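Review bot: this hunk and the one above it only re-indent commented-out task stanzas (`PublishBuildArtifacts@1`, a second `PublishPipelineArtifact@0`) that the live `PublishPipelineArtifact@0` step has superseded. Delete the dead YAML instead of maintaining its indentation; if any of it is kept as a reference, note that the commented `artifactName: 'WindowsHardening-${Build.BuildNumber}'` uses shell syntax where the live task correctly uses `$(Build.BuildNumber)`.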
1 change: 1 addition & 0 deletions build.bat
@@ -0,0 +1 @@
asciidoctor-pdf --out-file WindowsHardening.pdf -a allow-uri-read -a build-badge= -a build-number=SMOKEBUILD README.asciidoc
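Review bot: build.bat duplicates the `asciidoctor-pdf` invocation from azure-pipelines.yml with only `build-number` differing, so the two commands will drift; having the pipeline call this script and pass the build number as an argument (`%1`, defaulting to `SMOKEBUILD`) leaves one command to maintain. Also, `-a allow-uri-read` is only needed when the document pulls images over the network; with `-a build-badge=` blanking the remote badge and the cookie screenshots now local files, the PDF build has no remote images left, so the flag can be dropped here and in azure-pipelines.yml, which also means the build never reaches out to the network.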
Binary file added videos/block-third-party-cookies.png
Binary file added videos/blocked-cookies.png