story

Ask HN: Are Windows 10 and 11 considerably more secure than the old versions?

10 pointsBraverHeart3y ago24 comments

Is it enough to avoid opening unverified executables and emails to stay safe? or I'm being oblivious

24 comments

They (especially Windows 11 on supported hardware) are far more secure than older versions of Windows.

That said, I don't really consider Windows "secure", when it's still filled with legacy cruft that was written before Microsoft's focus on secure coding. We are still seeing font exploits in 2022, FFS.

The track Windows 11 is headed seems like a decent approach given realities. For whatever reasons, Microsoft's efforts to eliminate legacy cruft has proved unsuccessful/untenable, so the next best compromise is to harden the OS against itself and everything else.

rbanffy3y ago

Most of the time, the problem lays with the users. Once (a long time ago) I RDP'ed into a Windows Server 2003 (or so) for some checking and saw it running a eDonkey or some other P2P download utility, as Administrator.

cpach3y ago

They’re fine, but with any desktop operating system (including macOS and Linux) there’s always some risks involved, depending mostly on user behaviour.

For something more foolproof and secure, consider iPadOS or a Chromebook.

Here’s a useful resource: https://techsolidarity.org/resources/basic_security.htm

type03y ago

It isn't secure from MS pushing updates that will revert some settings to default. I don't remember older versions doing that.

hulitu3y ago

Looking at the number of processes run with administrative priviledges, i would say, no.

eimrine3y ago

If you are behind a NAT then you may consider your any OS safe. But I have no idea about state-of-the-art of NAT hacking, maybe some of them are flawed.

anderiv3y ago

There are innumerable ways vulnerabilities can be exercised that do not involve having to “hack” NAT. I would not be comfortable staying so simply that NAT will protect in all situations. It’s one layer of defense, yes, but is inadequate without others like malware avoidance.

eimrine3y ago

> There are innumerable ways vulnerabilities can be exercised that do not involve having to “hack” NAT.

Any examples? Suppose we have a Windows computer connected to a NAT with an access to an Internets, but the computer doesn't download anything. I am not a sysadmin but from my understanding this is almost safe.

anderiv3y ago

A couple examples:

1) You’re browsing the web from the old machine. Your HTTPS connection gets MITM’d due to a TLS vulnerability, and the attacker is able to gain control of your email account.

2) Unbeknownst to you, another machine on the network is infected with some virus. That machine uses a CIFS vulnerability to remotely infect and root your old computer.

2 more replies

nicolaslem3y ago

That is obviously not true. NAT has been pretty much the default way of accessing the Internet for the vast majority of computers for the last 15 years. The proliferation of ransomware and zero-click exploits clearly shows that NAT did not turn any boxes behind it into something secure.

rbanffy3y ago

There are tons and tons of attack vectors that are not deterred by NAT. And with so many routers around that are vulnerable and not updatable, or that still have their default admin passphrases, you shouldn't consider your NAT network a safe place.

eimrine3y ago

My router has a default admin password but this password invite is not available from the Internets. There is a way of doing it available - press and hold some button and connect to router via wire using telnet. Here is what I know about default password vector, am I missing something?

Kukumber3y ago

Windows is not secure, it doesn't have any proper permission system, any process can read/write files, send network requests to anyone without the user noticing anything

It can even change system settings without you noticing

You should feel naked when you manipulate sensitive data with Windows, because you are indeed naked

Hence why most companies forbid their employees to use windows with public internet access for work

iLoveOncall3y ago

> Hence why most companies forbid their employees to use windows with public internet access for work

I have literally never heard of a single company doing that.

Kukumber3y ago

Most companies that care about security will only offer a windows device with just a VPN/Intranet access

iLoveOncall3y ago

Name one other than Kukumber LLC.

1 more reply

tapoxi3y ago

> Hence why most companies forbid their employees to use windows with public internet access for work

I've never worked anywhere that's done this, and I work in healthcare. Most commonly they will put you behind a proxy that does malware and data loss protection.

ipaddr3y ago

Healthcare lags behind most industries to the point many specialized software only runs on windows/ie

j / k navigate · click thread line to collapse

24 comments

runjake3y ago

They (especially Windows 11 on supported hardware) are far more secure than older versions of Windows.

rbanffy3y ago

cpach3y ago

They’re fine, but with any desktop operating system (including macOS and Linux) there’s always some risks involved, depending mostly on user behaviour.

For something more foolproof and secure, consider iPadOS or a Chromebook.

Here’s a useful resource: https://techsolidarity.org/resources/basic_security.htm

type03y ago

It isn't secure from MS pushing updates that will revert some settings to default. I don't remember older versions doing that.

hulitu3y ago

Looking at the number of processes run with administrative priviledges, i would say, no.

eimrine3y ago

If you are behind a NAT then you may consider your any OS safe. But I have no idea about state-of-the-art of NAT hacking, maybe some of them are flawed.

anderiv3y ago

eimrine3y ago

> There are innumerable ways vulnerabilities can be exercised that do not involve having to “hack” NAT.

anderiv3y ago

A couple examples:

1) You’re browsing the web from the old machine. Your HTTPS connection gets MITM’d due to a TLS vulnerability, and the attacker is able to gain control of your email account.

2) Unbeknownst to you, another machine on the network is infected with some virus. That machine uses a CIFS vulnerability to remotely infect and root your old computer.

2 more replies

nicolaslem3y ago

rbanffy3y ago

eimrine3y ago

Kukumber3y ago

Windows is not secure, it doesn't have any proper permission system, any process can read/write files, send network requests to anyone without the user noticing anything

It can even change system settings without you noticing

You should feel naked when you manipulate sensitive data with Windows, because you are indeed naked

Hence why most companies forbid their employees to use windows with public internet access for work

iLoveOncall3y ago

> Hence why most companies forbid their employees to use windows with public internet access for work

I have literally never heard of a single company doing that.

Kukumber3y ago

Most companies that care about security will only offer a windows device with just a VPN/Intranet access

iLoveOncall3y ago

Name one other than Kukumber LLC.

1 more reply

tapoxi3y ago

> Hence why most companies forbid their employees to use windows with public internet access for work

I've never worked anywhere that's done this, and I work in healthcare. Most commonly they will put you behind a proxy that does malware and data loss protection.

ipaddr3y ago

Healthcare lags behind most industries to the point many specialized software only runs on windows/ie

j / k navigate · click thread line to collapse