Locking Down Windows 10

Main question if you do not want to read the text wall
So my question is, how do you lock down Windows 10 on a bare metal system without losing functionality?

All right, I am in the process of building a new gaming PC and unfortunately, to play all of the games I want to play, I am going to have to move back to Windows 10. It makes me gag a bit when I think about it because I have been using Linux for the past 2 years on my main system. But there are so many games I really want to play (ESO, Nier, Witcher 3, Rise of the Tomb Raider, etc.) that just don't have Linux support. Now before I go further, this is not me giving up Linux; I will still have Linux on my HTPC, laptop, old gaming PC (which I'm planning on turning into a CentOS server) and soon my router.

I have looked into options like dual booting, which I absolutely hate; I'd rather just have one OS that I do everything on. Considering my use case is pretty much gaming, web browsing, music, and a bit of virtualization, switching over to Linux just for web browsing and listening to music is just too much of a hassle.
I've looked into KVM and though it is interesting, I honestly do not want to put in the work that I will undoubtedly have to put in when a glitch occurs to make it function; I would much rather just sit down and play my games.

So my question is, how do you lock down Windows 10 on a bare metal system without losing functionality?
Also, for those that are curious, here is my build; it's already set in stone:
https://pcpartpicker.com/list/d9MgHN
I will be reusing my GTX 970 FTW from my old gaming PC for a bit, till I can afford a new GPU.

Google something called Tron script. Might cover your bases.

I'd start with a pfSense box with a default deny firewall policy, running Snort.

I would have a separate Linux/BSD machine, upon which I would do all of my routine work, browsing, e-mail, social media, etc.

I would configure a local W10 account, without elevated privileges, and use it religiously. I would add absolutely nothing to W10 which was not essential to running games: no e-mail, no browsers, no Adobe software products, no Java, no office suite, no social media, nothing. I would especially not download game mods from sketchy Russian sites! I would keep the NIC disabled unless I needed to update W10/Windoze Defender, or download/play on-line games.

These precautions should slow down all but the most determined attacker.

I've personally had good results dual booting, but obviously YMMV.

Questions like this probably need a little more context.

What are you trying to lock it down from? The usual malware and identity thieves etc.? Microsoft and other corporations who view your habits as a marketing dream? Local law enforcement, or government agencies? :)

I use this tool on the Windows 10 machines my kids use for gaming; it seems to work well

https://www.oo-software.com/en/shutup10

If you use a Microsoft Live account for anything you should also sign in to it and check all the options and switch off the data gathering and delete what they have already collected. Do the same for your Google accounts etc.

Now, if you want to lock your machine down further you should enable BitLocker (this requires Win 10 Pro) and, if you are really paranoid, set that so the key is stored on a USB stick, not in the TPM built in to your MB (assuming it has one).

Alternatively, if you only have some data you want to secure, leave the main OS drive etc. unencrypted and then create a VHDX (virtual disk), encrypt that and only mount it when you need to access the data inside. You don't need to cache the passphrase and will be prompted to enter it when you mount the VHDX. Your data is now protected if your disks/machine are stolen.

You also have the option to run Linux in a VM and do your browsing or work from within that. Hyper-V is built in to Win 10 Pro and you can pass a disk through to a Linux VM; however, it is not great for virtualising a Linux desktop. VirtualBox provides a better experience and also supports encrypting your virtual disks.
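The encrypted-container approach from this post, as an added PowerShell example (not the poster's own code). It assumes Windows 10 Pro for BitLocker, the Hyper-V PowerShell module installed (for New-VHD/Mount-VHD), an elevated prompt, and a placeholder path of D:\Vault\private.vhdx at 20 GB; only a password protector is added, so nothing is cached in the TPM and you are prompted every time you unlock it.

```powershell
# Added example: create a VHDX, format it, encrypt it with a BitLocker password, detach it.
# Assumptions: Win 10 Pro, Hyper-V module present, elevated PowerShell. Path/size are placeholders.
$VhdPath = 'D:\Vault\private.vhdx'   # assumed location; keep it off the OS drive if you like
$SizeGB  = 20

New-Item -ItemType Directory -Path (Split-Path $VhdPath) -Force | Out-Null
New-VHD -Path $VhdPath -SizeBytes ($SizeGB * 1GB) -Dynamic | Out-Null

# Attach the container, initialise it as GPT, create one partition and format it as NTFS.
$disk = Mount-VHD -Path $VhdPath -PassThru | Get-Disk
$part = $disk | Initialize-Disk -PartitionStyle GPT -PassThru |
        New-Partition -UseMaximumSize -AssignDriveLetter
$part | Format-Volume -FileSystem NTFS -NewFileSystemLabel 'Vault' -Confirm:$false | Out-Null
$mount = "$($part.DriveLetter):"

# Password protector only: no TPM, no auto-unlock, so the volume stays locked until you type
# the passphrase. A recovery password is added as the one fallback; print it and store it offline.
$pw = Read-Host -AsSecureString -Prompt 'Passphrase for the vault'
Enable-BitLocker -MountPoint $mount -PasswordProtector -Password $pw -UsedSpaceOnly
Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector | Out-Null
(Get-BitLockerVolume -MountPoint $mount).KeyProtector   # lists both protectors; record the recovery password

# Detach: the data now exists only inside the encrypted VHDX file.
Dismount-VHD -Path $VhdPath

# Later, to use it (the drive letter may differ after re-mounting; check Get-BitLockerVolume):
#   Mount-VHD -Path $VhdPath
#   Unlock-BitLocker -MountPoint $mount -Password (Read-Host -AsSecureString -Prompt 'Passphrase')
#   ... work ...
#   Dismount-VHD -Path $VhdPath
```

Dismounting is what actually locks the data again; BitLocker on a data volume does not re-lock on its own while the VHDX is attached, so make the unmount part of the routine.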

Sorry, I probably should have elaborated a bit more. In a sense I am trying to protect Windows from itself. I watched this video yesterday showing how Microsoft was pushing down games within their updates and it's got me a bit paranoid.

My plan is to buy the full version of the Windows 10 Pro 32/64-bit USB installer today at Micro Center (when I pick up my board and CPU), so I will at least have that. I am planning on running at least a few Linux distros virtually on the system, mostly to work towards my Red Hat cert, which I need to finish.

I will look into BitLocker and that link later today, thank you.

Uninstall Store.

I am going to be running a pfSense box pretty soon; got the box almost built. Hopefully I don't have to jump through too many hurdles with Frontier about running my own router. Not big on downloading anything from sketchy Russian sites; I prefer Steam and Humble Bundle for my game downloads.
I'm not 100% sure about this, but I think I am going to need a web browser to download the game clients (Origin, Steam, Uplay) and to download games like ESO. I would prefer to stay away from MS Edge as much as humanly possible, and the Microsoft Store, which I will probably uninstall. Steam likes to update almost every day, so I don't think I can run this offline. I think my best bet is to harden my pfSense box as much as possible to block the telemetry and keep any important documents off of my OS, which is where my old gaming PC turned into a CentOS server will come in handy.

I did not know I could do that; I thought it was hard coded into the OS like IE was for Windows 7. That will be one of the first things I do.

There's a difference between locking it down for a specific purpose and stopping "spying" from Microsoft.

The latter, you can't. You've made a choice to play games on Windows, just deal with it and stop wasting your time.

I'm being 100% honest and not trying to have a go. But just stop before you start. If you're going to use Windows, you're making a choice to accept what Windows offers, and part of that is the data Microsoft collects for various purposes and what they do with their OS.

If you don't like their choices, don't use Windows and live without those very few games until they have a port (it is, after all, just a game; you can live without it). If it means that much to you that you want to waste your time trying to best the company that literally controls the OS they made, you're going to fail in the end. Use another OS.

If playing those specific games means more to you, then just stop now and get on with playing your games.

Yeah, I kind of figured that going in; I just wanted to know if there was any way to limit the shit MS tries to force down my throat. The main purpose of this machine is gaming and virtualizing OSes for my Red Hat cert. I was just getting tired of having a gaming PC that couldn't play all of the games I wanted to play (running Linux Mint 17.2). Kind of shooting myself in the foot there. I'm a big fan of separation, so the main focus of this machine is gaming, and when it comes to important documents and other work I will be leaving that on my Linux boxes or VMs.

The only thing that you get daily is updates for Windows Defender; Windows updates come out on Tuesdays. You can safely leave the Ethernet port down unless you need Internet access; perhaps enabling it on Tuesday nights at a minimum (if you had not otherwise been online for other reasons), in order to check for OS and Steam updates.

Yes, in reality you will need a browser periodically; the point is to use it sparingly and safely. Don't install Flash, and consider using a JavaScript blocker, only white-listing sites that you specifically approve.

Installing Windoze in UEFI mode and enabling Secure Boot will help to defend against rootkits, but using a non-privileged local account and not using Office nor Adobe software will get you most of the way to where you want to be. But W10's telemetry is so pervasive, I am paranoid that someone will figure out how to spoof a Microsoft certificate (at last glance Let's Encrypt has issued over 15,000 PayPal certificates to criminals!!!) and get in through the back door. IMHO, it's only a matter of time!
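The non-privileged local account, the Secure Boot check and the "NIC down unless updating" habit from these two posts, as an added PowerShell example (not the posters' code). It assumes an elevated prompt on the Windows 10 box, the placeholder user name `gamer`, and that the wired adapter is the one you want to toggle.

```powershell
# Added example: local standard account + verification, Secure Boot check, NIC toggle.
# Assumptions: elevated PowerShell on Windows 10; 'gamer' is a placeholder name.
$GamerName = 'gamer'

# 1. A local (non-Microsoft) account that is only a member of "Users". New-LocalUser does not
#    add group membership by itself, so Users is added explicitly and Administrators is not.
$pw = Read-Host -AsSecureString -Prompt "Password for local account '$GamerName'"
New-LocalUser -Name $GamerName -Password $pw -PasswordNeverExpires -AccountNeverExpires | Out-Null
Add-LocalGroupMember -Group 'Users' -Member $GamerName

# Check: the account must not show up in the local Administrators group (names are COMPUTER\user).
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
if ($admins -match "\\$GamerName$") {
    throw "$GamerName is a local administrator; remove it from Administrators before continuing"
}

# 2. UEFI install with Secure Boot on. Confirm-SecureBootUEFI throws on a legacy-BIOS boot.
try {
    if (-not (Confirm-SecureBootUEFI)) { Write-Warning 'Secure Boot is OFF; enable it in firmware setup' }
} catch {
    Write-Warning 'Not booted via UEFI; reinstall in UEFI mode if you want Secure Boot'
}

# 3. Wired NIC down for gaming, up only for Defender/Windows/Steam updates.
$nic = Get-NetAdapter -Physical | Where-Object { $_.MediaType -eq '802.3' } | Select-Object -First 1
Disable-NetAdapter -Name $nic.Name -Confirm:$false     # offline
# Enable-NetAdapter -Name $nic.Name                     # back online when you want to update
```

Re-run the Administrators check after any setup step that asks for elevation; installers that "helpfully" add the current user to Administrators are exactly what the standard-account advice is meant to prevent.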

Cool, the advice I've already given will help you with this, especially the ShutUp10 utility and keeping an eye on your MS account if you use one. As @Eden says though, you can't make it stop completely, but it does limit what they collect and really does cut down on the annoying crap. Your pfSense instance will also block out a lot, although you might discover that if you really lock it down some MS services will not be able to function correctly.

I have accepted that MS will have some data, but certainly not the torrents they would like to get from all the default settings. I view this a little like being a member of my local library and other services: allowing a company to know you use their services and have your basic ID details is not the same as having them monitor everything you type or know all the websites you visit. This is mostly the difference between a tweaked Win10 install vs. the default.

The trick is staying on top of it, especially when the big updates hit and new services are introduced or previously disabled services reactivated.

Cool I will look into that and I will most definitely be running a custom install of Windows 10.

A Toggle Tweaker-edited OS with pfSense should slow things down fairly well, but not completely, as the host process for Windows services is necessary.

For those that don't want to participate in providing automatic feedback to improve the operating system, telemetry can be turned off completely.
/*edit*/
Not sure if this is actually viable in current Windows 10.
/*endedit*/

To do this:

Run the Services desktop app.

Locate Diagnostics Tracking Service in the services list and open its Property Sheet.

Stop the Diagnostics Tracking Service and then change the Startup Type to Disabled.

/*edit*/
moar info:
Savvy administrators can create their own GPO for the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DiagTrack

Open the subkey corresponding to the service you wish to change, and modify the value of 'Start' to equal either "2" (for automatic), "3" (for manual) or "4" (for disabled).
/*endedit*/

From the Sophos community forums: block the following at your edge router (if that's a $micro$oft machine you might be SOL).
vortex.data.microsoft.com
vortex-win.data.microsoft.com
telecommand.telemetry.microsoft.com
telecommand.telemetry.microsoft.com.nsatc.net
oca.telemetry.microsoft.com
oca.telemetry.microsoft.com.nsatc.net
sqm.telemetry.microsoft.com
sqm.telemetry.microsoft.com.nsatc.net
watson.telemetry.microsoft.com
watson.telemetry.microsoft.com.nsatc.net
redir.metaservices.microsoft.com
choice.microsoft.com
choice.microsoft.com.nsatc.net
df.telemetry.microsoft.com
reports.wes.df.telemetry.microsoft.com
wes.df.telemetry.microsoft.com
services.wes.df.telemetry.microsoft.com
sqm.df.telemetry.microsoft.com
telemetry.microsoft.com
watson.ppe.telemetry.microsoft.com
telemetry.appex.bing.net
telemetry.urs.microsoft.com
telemetry.appex.bing.net:443
settings-sandbox.data.microsoft.com
vortex-sandbox.data.microsoft.com
survey.watson.microsoft.com
watson.live.com
watson.microsoft.com
statsfe2.ws.microsoft.com
corpext.msitadfs.glbdns2.microsoft.com
compatexchange.cloudapp.net
cs1.wpc.v0cdn.net
a-0001.a-msedge.net
statsfe2.update.microsoft.com.akadns.net
sls.update.microsoft.com.akadns.net
fe2.update.microsoft.com.akadns.net
diagnostics.support.microsoft.com
corp.sts.microsoft.com
statsfe1.ws.microsoft.com
pre.footprintpredict.com
i1.services.social.microsoft.com
i1.services.social.microsoft.com.nsatc.net
feedback.windows.com
feedback.microsoft-hohm.com
feedback.search.microsoft.com
rad.msn.com
preview.msn.com
ad.doubleclick.net
ads.msn.com
ads1.msads.net
ads1.msn.com
a.ads1.msn.com
a.ads2.msn.com
adnexus.net
adnxs.com
aidps.atdmt.com
apps.skype.com
az361816.vo.msecnd.net
az512334.vo.msecnd.net
a.rad.msn.com
a.ads2.msads.net
ac3.msn.com
aka-cdn-ns.adtech.de
b.rad.msn.com
b.ads2.msads.net
b.ads1.msn.com
bs.serving-sys.com
c.msn.com
cdn.atdmt.com
cds26.ams9.msecn.net
c.atdmt.com
db3aqu.atdmt.com
ec.atdmt.com
flex.msn.com
g.msn.com
h1.msn.com
live.rads.msn.com
msntest.serving-sys.com
m.adnxs.com
m.hotmail.com
pricelist.skype.com
rad.live.com
secure.flashtalking.com
static.2mdn.net
s.gateway.messenger.live.com
secure.adnxs.com
sO.2mdn.net
ui.skype.com
www.msftncsi.com
msftncsi.com
view.atdmt.com
msnbot-65-55-108-23.search.msn.com
settings-win.data.microsoft.com
schemas.microsoft.akadns.net
a-0001.a-msedge.net
a-0002.a-msedge.net
a-0003.a-msedge.net
a-0004.a-msedge.net
a-0005.a-msedge.net
a-0006.a-msedge.net
a-0007.a-msedge.net
a-0008.a-msedge.net
a-0009.a-msedge.net
msedge.net
a-msedge.net
lb1.www.ms.akadns.net
pre.footprintpredict.com
vortex-bn2.metron.live.com.nsatc.net
vortex-cy2.metron.live.com.nsatc.net

You might want to resolve these yourself and block the IPs as well.

Further notes:
Windows 10 Home does not appear to respect group policy in any way, shape or form, so installing gpedit.msc will do you no good here. I've been there; it doesn't work.
I read somewhere that $micro$oft has hard coded the IPs of its telemetry servers into the telemetry services, thus altering the hosts file on the local machine will not work. Also, it may well bypass any firewall rules you set on said local machine, thus the recommendation to do that on an edge router/firewall not running Windows.
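The two procedures in the post above, as an added PowerShell example (not the poster's code): one function stops and disables DiagTrack and then verifies both the live service and the registry `Start` value the post points at, and a second turns a pasted host list like the one above into unbound `local-zone` lines you can paste into pfSense's DNS Resolver custom options, after trimming, lowercasing, stripping `:443`-style suffixes and dropping duplicates (the list above repeats a-0001.a-msedge.net and pre.footprintpredict.com). The default allow list that keeps www.msftncsi.com and msftncsi.com resolvable is my addition: Windows uses those for its network connectivity status probe, and blocking them makes the tray icon report no Internet. The sample list in the block is a constructed subset of the post's list.

```powershell
# Added example. Part 1 runs on the Windows 10 box from an elevated PowerShell;
# part 2 runs anywhere PowerShell does and only produces text for pfSense.

function Disable-DiagTrack {
    # Stop the running instance, then set Startup Type = Disabled (registry Start = 4).
    Stop-Service -Name DiagTrack -Force -ErrorAction SilentlyContinue
    Set-Service  -Name DiagTrack -StartupType Disabled

    # Verify against both the service controller and the key named in the post.
    $svc   = Get-Service -Name DiagTrack
    $start = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\DiagTrack' -Name Start).Start
    [pscustomobject]@{
        Status        = $svc.Status      # expect Stopped
        StartType     = $svc.StartType   # expect Disabled
        RegistryStart = $start           # expect 4 (2 = automatic, 3 = manual, 4 = disabled)
        Ok            = ($svc.Status -eq 'Stopped' -and $start -eq 4)
    }
}

function ConvertTo-UnboundBlocklist {
    param(
        [Parameter(Mandatory)] [string[]] $Hosts,
        # Names to leave resolvable even if pasted in (assumed default: the NCSI probe hosts).
        [string[]] $Allow = @('www.msftncsi.com', 'msftncsi.com')
    )
    $clean = $Hosts |
        ForEach-Object { $_.Trim().ToLowerInvariant() } |
        Where-Object  { $_ -and -not $_.StartsWith('#') } |
        ForEach-Object { ($_ -split ':')[0] } |          # drop "host:443"-style port suffixes
        Where-Object  { $_ -match '^[a-z0-9.-]+$' } |    # keep only plausible hostnames
        Sort-Object -Unique

    # "static" makes unbound answer NXDOMAIN for the name and everything beneath it,
    # so one line for msedge.net also covers a-0001.a-msedge.net etc.
    $clean | Where-Object { $Allow -notcontains $_ } |
        ForEach-Object { "local-zone: `"$_`" static" }
}

# Constructed sample (subset of the post's list, with its duplicate and port-suffixed entries):
$sample = @(
    'vortex.data.microsoft.com', 'telemetry.appex.bing.net', 'telemetry.appex.bing.net:443',
    'a-0001.a-msedge.net', 'a-0001.a-msedge.net', 'www.msftncsi.com', 'msedge.net'
)
ConvertTo-UnboundBlocklist -Hosts $sample
# Whole list: ConvertTo-UnboundBlocklist -Hosts (Get-Content .\telemetry-hosts.txt) | Set-Clipboard
# then paste into Services > DNS Resolver > General Settings > Custom options on pfSense.

# On the Windows box:
# Disable-DiagTrack
```

Re-run `Disable-DiagTrack` after each feature update; the check returns `Ok = $false` if the service has been re-enabled, which is the situation the post above (and the "staying on top of it" remark earlier in the thread) warns about. DNS blocking only helps for clients that use your resolver, so pair it with a pfSense rule that blocks outbound UDP/TCP 53 from the gaming VLAN to anything but the firewall.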

Just keeps getting stinkier :(

You can run two of them as full RHEL systems; get the RH dev account, it's free.

I only have Win10 in a virtual machine, and only to test things I might need to do at work. I am not the IT person at work, I don't have access to the edge router, and therefore can't enforce the above. I've had to do various things to prevent Windows from doing its thing at the worst possible time; that simply prevents me from doing what I am paid to do, as our POS and credit card programs are "in the cloud" (nice, right?). Our internet connection at work is 2 Mb/sec at best, and if, say, Windows Update strikes, then we lose access to our POS and credit card processing programs. No one at corporate seemed to care, so I fixed it myself via group policy (work runs Windows 10 Pro), setting the Ethernet connection as "metered" and so forth.

I could rant on myself. They're almost ready to pull the "you cannot use any software we do not approve" card. Bad thing is that a lot of software is following in the wake, pulling the same tricks. Antivirus software etc. It is getting pretty bad. It is pretty obvious that the corporate world is out to rule the people directly. What a crap quality of life that is going to be :(