Andreas/noid-privacy
1
0
Fork 0
mirror of https://github.com/NexusOne23/noid-privacy.git synced 2026-02-19 09:48:14 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
noid-privacy/Docs/SECURITY-ANALYSIS.md

105 lines
4.5 KiB
Markdown
Raw Blame History

# 🛡️ Security Impact Analysis for Home Users
**Understanding how Enterprise Security affects your Home PC**
This document explains the impact of applying the **Microsoft Security Baseline** (designed for Enterprise) to a standalone **Windows 11 Home/Pro** workstation.
> **Executive Summary:**
> 98% of the settings improve security without visible impact. The remaining 2% (BitLocker, Password Policy) have been adjusted or documented to ensure usability for home users.
---
## 1. Password Policies
**Setting:** `MinimumPasswordLength = 14`, `PasswordHistory = 24`
### 🏠 Home User Impact: **Low / None**
- **Microsoft Accounts:** These policies DO NOT affect your Microsoft Account (Outlook/Live/Hotmail) login. Microsoft manages those policies in the cloud.
- **Local Accounts:** If you use a local "Offline" account, you will be forced to set a 14-character password next time you change it.
- **PIN / FaceID:** Unaffected. You can still use Windows Hello PIN (4-6 digits) to sign in. The complex password is only for the underlying account.
**Recommendation:** Use a password manager generated password for your local account, and use PIN for daily login.
---
## 2. BitLocker USB Protection
**Setting:** `DenyWriteAccessOnFixedDrivesIfNotProtected` (Registry Policy)
### 🏠 Home User Impact: **High (if enabled)**
- **Enterprise Default:** Windows blocks writing to ANY USB drive unless it is encrypted with BitLocker.
- **NoID Privacy Default:** **DISABLED (Home Mode)**.
- **Why?** Home users often share USB sticks with TVs, cars, or friends (Mac/Linux). Enforcing BitLocker makes the drive unreadable on non-Windows devices.
**Your Choice:**
The tool asks you interactively:
- **[N] No (Default):** USB drives work normally. Safe for home use.
- **[Y] Yes:** Maximum security. USB drives are Read-Only until you encrypt them.
---
## 3. FireWire (IEEE 1394) Blocking
**Setting:** DMA Protection / Device Installation Restrictions
### 🏠 Home User Impact: **Near Zero**
- **What is it?** An obsolete connection standard (pre-USB 3.0) used by old camcorders.
- **Why block it?** Vulnerable to Direct Memory Access (DMA) attacks where an attacker plugs a device in and steals RAM content (passwords/keys) in seconds.
- **Reality:** Most modern PCs don't even have FireWire ports.
**Workaround:**
If you absolutely need to transfer video from a 2005 camcorder:
```powershell
# Run as Admin to temporarily allow
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions" -Name "DenyDeviceClasses" -Value 0
```
---
## 4. Attack Surface Reduction (ASR)
**Setting:** 19 Defender Rules (17 Block + 2 Configurable)
### 🏠 Home User Impact: **Low**
- **Blocked:** running `.exe` files directly from an email attachment (Outlook).
- **Solution:** Save the file to Downloads folder first, then run it. This simple friction stops 90% of malware.
- **Blocked:** Office Macros downloading files.
- **Solution:** Don't enable macros in documents from unknown sources.
**PSExec / WMI Rule:**
- Enterprise admin tools used for remote management.
- Home users don't use these. Blocking them stops malware lateral movement.
- **Safe to Block.**
---
## 5. App Compatibility
### Known Issues
- **Legacy Games (Pre-2010):** Some old games require **DirectPlay** or **SMBv1**.
- *NoID Privacy* disables SMBv1 (WannaCry ransomware vector).
- **Network Scanners:** Old Canon/HP printers might use SMBv1 for "Scan to Folder".
- *Solution:* Use "Scan to Email" or update printer firmware.
- **Cheater Software:** Some game hacks/trainers inject code into processes. ASR rules will block this.
### Troubleshooting
If an app fails to launch:
1. Check `Windows Security` > `Protection History`.
2. It will show if an **ASR Rule** or **Controlled Folder Access** blocked it.
---
## 6. AI & Privacy
**Setting:** Recall & Copilot disabled, Telemetry minimized (Security-Essential level)
### 🏠 Home User Impact: **Positive**
- **Performance:** Less background activity (indexing, analyzing).
- **Privacy:** Screenshots (Recall) are not taken.
- **Experience:** Start Menu and Taskbar are cleaner (no Copilot ads).
- **Functionality:** Paint/Notepad AI features (Cocreator) will be disabled. If you pay for Copilot Pro, you might want to skip the **AntiAI** module.
---
**Conclusion:**
NoID Privacy transforms a "leaky" Home edition into an "Enterprise Fortress" for everyday use, without losing the ability to play games or browse normally. The few friction points (USB, macros, legacy protocols) are intentionally placed security gates.
Reference in a new issue View git blame Copy permalink