Andreas/noid-privacy
1
0
Fork 0
mirror of https://github.com/NexusOne23/noid-privacy.git synced 2026-02-07 12:11:53 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
noid-privacy/Docs/SECURITY-ANALYSIS.md

4.5 KiB
Raw Blame History

🛡️ Security Impact Analysis for Home Users

Understanding how Enterprise Security affects your Home PC

This document explains the impact of applying the Microsoft Security Baseline (designed for Enterprise) to a standalone Windows 11 Home/Pro workstation.

Executive Summary: 98% of the settings improve security without visible impact. The remaining 2% (BitLocker, Password Policy) have been adjusted or documented to ensure usability for home users.

1. Password Policies

Setting: MinimumPasswordLength = 14, PasswordHistory = 24

🏠 Home User Impact: Low / None

  • Microsoft Accounts: These policies DO NOT affect your Microsoft Account (Outlook/Live/Hotmail) login. Microsoft manages those policies in the cloud.
  • Local Accounts: If you use a local "Offline" account, you will be forced to set a 14-character password next time you change it.
  • PIN / FaceID: Unaffected. You can still use Windows Hello PIN (4-6 digits) to sign in. The complex password is only for the underlying account.

Recommendation: Use a password manager generated password for your local account, and use PIN for daily login.

2. BitLocker USB Protection

Setting: DenyWriteAccessOnFixedDrivesIfNotProtected (Registry Policy)

🏠 Home User Impact: High (if enabled)

  • Enterprise Default: Windows blocks writing to ANY USB drive unless it is encrypted with BitLocker.
  • NoID Privacy Default: DISABLED (Home Mode).
  • Why? Home users often share USB sticks with TVs, cars, or friends (Mac/Linux). Enforcing BitLocker makes the drive unreadable on non-Windows devices.

Your Choice: The tool asks you interactively:

  • [N] No (Default): USB drives work normally. Safe for home use.
  • [Y] Yes: Maximum security. USB drives are Read-Only until you encrypt them.

3. FireWire (IEEE 1394) Blocking

Setting: DMA Protection / Device Installation Restrictions

🏠 Home User Impact: Near Zero

  • What is it? An obsolete connection standard (pre-USB 3.0) used by old camcorders.
  • Why block it? Vulnerable to Direct Memory Access (DMA) attacks where an attacker plugs a device in and steals RAM content (passwords/keys) in seconds.
  • Reality: Most modern PCs don't even have FireWire ports.

Workaround: If you absolutely need to transfer video from a 2005 camcorder:

# Run as Admin to temporarily allow
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions" -Name "DenyDeviceClasses" -Value 0

4. Attack Surface Reduction (ASR)

Setting: 19 Defender Rules (17 Block + 2 Configurable)

🏠 Home User Impact: Low

  • Blocked: running .exe files directly from an email attachment (Outlook).
  • Solution: Save the file to Downloads folder first, then run it. This simple friction stops 90% of malware.
  • Blocked: Office Macros downloading files.
  • Solution: Don't enable macros in documents from unknown sources.

PSExec / WMI Rule:

  • Enterprise admin tools used for remote management.
  • Home users don't use these. Blocking them stops malware lateral movement.
  • Safe to Block.

5. App Compatibility

Known Issues

  • Legacy Games (Pre-2010): Some old games require DirectPlay or SMBv1.
    • NoID Privacy disables SMBv1 (WannaCry ransomware vector).
  • Network Scanners: Old Canon/HP printers might use SMBv1 for "Scan to Folder".
    • Solution: Use "Scan to Email" or update printer firmware.
  • Cheater Software: Some game hacks/trainers inject code into processes. ASR rules will block this.

Troubleshooting

If an app fails to launch:

  1. Check Windows Security > Protection History.
  2. It will show if an ASR Rule or Controlled Folder Access blocked it.

6. AI & Privacy

Setting: Recall & Copilot disabled, Telemetry minimized (Security-Essential level)

🏠 Home User Impact: Positive

  • Performance: Less background activity (indexing, analyzing).
  • Privacy: Screenshots (Recall) are not taken.
  • Experience: Start Menu and Taskbar are cleaner (no Copilot ads).
  • Functionality: Paint/Notepad AI features (Cocreator) will be disabled. If you pay for Copilot Pro, you might want to skip the AntiAI module.

Conclusion: NoID Privacy transforms a "leaky" Home edition into an "Enterprise Fortress" for everyday use, without losing the ability to play games or browse normally. The few friction points (USB, macros, legacy protocols) are intentionally placed security gates.