Windows 2004 Setup

Windows 2004 Setup

     As Microsoft continues to push Windows toward an Android type Desktop-as-a-Service model, their data mining and online accounts cause issues for anyone not on a consistent high speed internet connection. There are ways to setup Windows that will help protect your privacy and secure the OS to provide a consistent experience.

     First, don't use an online account. When installing Windows, always choose the offline-account option, even though the interface will push you toward using an online account. Yes, choose 'offline account' and 'limited experience' in the small print in the lower setup window. If Windows came on your laptop or PC, go to settings and create on offline user. You'll have to copy your data from the online account to the offline account, but it will help limit Microsoft's mining of your account data and will help secure your data. 

     Second, though Microsoft provides upgrades, it always works better to do a fresh install from the new iso when a new version comes out. I've had problems with every upgrade they've performed since v.1803 and have had to do fresh installs to fix the issues. It's like going back to XP when a fresh install was required every year just to keep things running smoothly. To help with this, keep your personal folders (Documents, Downloads, Pictures, etc) on a different drive than the root partition. This way, every fresh install just needs you to set the location of these folders and all your data is there. If you don't have multiple drives in your system, back up those folders on an external SSD (USB3, SATA or eSATA, depending on your device) before doing a fresh install so you have all your  data to copy back to the new system. You should be keeping a backup of all  your data anyway. Macrium Reflect is one great program to backup your entire system or even just partitions. 

     Third, if your system doesn't do well with the upgrades and you don't like the thought of having to do a fresh install every year, turn off updates. Now this does also turn off security updates, which is not something you should do if your device isn't behind a Firewalled Gateway. Anything on the "outside" (internet facing) needs constant security updates. But if you're behind a residential modem that includes a Firewall, then you can disable the updates. This is a process, but definitely worth it if every Windows update kills your system. See our Administration Section for how to do this. Windows also runs its own Firewall which can be set to reject all unsolicited incoming transmissions--another way to protect your device.

    Fourth, DON'T USE 3RD PARTY ANTI-VIRUS! People have been paying for antivirus for so long that it feels wrong to stop. Windows 10 focus on security is strong and their anti-virus integration is superior to anything you can buy. Microsoft has finally built a world-class antivirus system and have integrated it into Windows so completely that even if you add on inferior programs, you can't turn off Windows' own protection completely. The security focus of Windows is so integrated that third party apps have to perform man-in-the-middle attacks in order to check incoming internet data. Don't waste your money buying generic antivirus for Windows 10. It will slow down your system, perform less effectively than what comes in Windows, and systematically leave you more vulnerable. Windows 7 still needs a good anti-virus program, but Windows 10 makes more security improvements every release. 

     One of the few reasons you'd want to disable any of the Windows 10 OEM security features is if you're a security researcher like me and need to analyze dangerous files. Windows 10 makes this near impossible and settings exemptions in Defender doesn't always work.  So unless you're a software researcher or a  low level developer, leave the Windows antivirus alone. Another reason would be if you're connected to shared drives on your local LAN.

     Windows will also scan other devices on its network. It doesn't just protect itself. If there are shared drives, Defender will scan those for viruses and malware. Windows runs its own NIDS software so if programs or software on the LAN winds up missing, Defender might be the grinning culprit.

     Fifth, in Windows settings under Ethernet, set your "Metered connections" to "on". This will reduce the amount of telemetry that Windows sends home to Microsoft. I have verified, using Wireshark and Microsoft Network Monitor, that Windows 10 does send 2 gig of data to Microsoft every month. This can also be blocked using the Firewall. We have done testing on removing the telemetry dlls, but this also impacts local usage of control panel operations. Using a DNS filter service (or running your own Pi-hole) will also block some of this. Microsoft Office also sends grand amounts of data back to Microsoft for analysis, including any documents causing software issues or security flags. 

     Summary

     Windows 10 continues to be a highly stable and secure operating system, beyond any previous versions. The push toward online operating systems means more personal data is sent back to Microsoft in forms of telemetry and system analysis. While some basic desktop management functions aren't as reliable as they use to be,  the trade is that you get a highly secure operating system that is almost as stable as Linux but still can FUBAR your system with every update. With a few tweaks and informed setups, it can be what most people need it to be.