Search Results
6/14/2025, 4:42:19 PM
>>105582566
>Disable user authentication via Microsoft Accounts
I personally have no problem with MS accounts. I don't use them myself, but I can understand the hoi polloi wanting/needing/using them for SSO, settings/program sync, and BitLocker key backup. Especially on the last point, I've been laughing at idiots circumventing BitLocker recovery key backup for decades, who start crying when something goes wrong and the TPM won't release the SRK. Further, the security for MS accounts is actually considerably better than local accounts using the SAM, as it's essentially a cut-down version of the Active Directory protocol. I think where you stand on MS accounts is based on how much you trust Microsoft not to leak your BitLocker keys, LSA secrets, clipboard contents, etc., not any real or imagined technical merits or deficiencies.
>Log the command line with process creation events
This seems excessive outside of hisec or debug environments. Nice .REG to have in your back pocket, but certainly not an everyday-use one. Not to mention it provides little extra security in the case of (for example) malware, with process hollowing techniques and creation of remote threads meaning such logging would be useless.
>Disable execution of .hta files
>Disable Windows Script Host
I use VBScript extensively, both at work and at home (I'm baby ducked on VB, and hate PowerShell), so would never do this. But again, for the hoi polloi, it should be all right.
(cont'd)
>Disable user authentication via Microsoft Accounts
I personally have no problem with MS accounts. I don't use them myself, but I can understand the hoi polloi wanting/needing/using them for SSO, settings/program sync, and BitLocker key backup. Especially on the last point, I've been laughing at idiots circumventing BitLocker recovery key backup for decades, who start crying when something goes wrong and the TPM won't release the SRK. Further, the security for MS accounts is actually considerably better than local accounts using the SAM, as it's essentially a cut-down version of the Active Directory protocol. I think where you stand on MS accounts is based on how much you trust Microsoft not to leak your BitLocker keys, LSA secrets, clipboard contents, etc., not any real or imagined technical merits or deficiencies.
>Log the command line with process creation events
This seems excessive outside of hisec or debug environments. Nice .REG to have in your back pocket, but certainly not an everyday-use one. Not to mention it provides little extra security in the case of (for example) malware, with process hollowing techniques and creation of remote threads meaning such logging would be useless.
>Disable execution of .hta files
>Disable Windows Script Host
I use VBScript extensively, both at work and at home (I'm baby ducked on VB, and hate PowerShell), so would never do this. But again, for the hoi polloi, it should be all right.
(cont'd)
Page 1