Kitz Forum

Computer Software => Windows => Topic started by: Weaver on March 27, 2020, 01:55:00 AM

Title: Microsoft Windows and Security Considerations
Post by: Weaver on March 27, 2020, 01:55:00 AM
[Moderator note: This topic has been created by splitting off the following posts from renluop's "Updating Office" thread (https://forum.kitz.co.uk/index.php/topic,24499.0.html)]

Make sure not to buy Windows Home as it isn’t secure (lots of security and networking functionality is disabled so it isn’t possible to fully secure the machine correctly even if you know what you’re doing or have some help) - always buy Windows Pro or whatever it’s now called.
Title: Re: Microsoft Windows and Security Considerations
Post by: tubaman on March 27, 2020, 03:12:40 PM
Quote
Make sure not to buy Windows Home as it isn’t secure (lots of security and networking functionality is disabled so it isn’t possible to fully secure the machine correctly even if you know what you’re doing or have some help) - always buy Windows Pro or whatever it’s now called.
@Weaver - in what ways is Windows Home 'insecure' please? I've been using it for many years on a number of devices and have never encountered any issues at all. Yes, some of the more advanced features are not available, but as most would not be used by the average user I'm not sure it's fair to call the whole system 'insecure'.
 :)
Title: Re: Microsoft Windows and Security Considerations
Post by: Ronski on March 27, 2020, 07:19:58 PM
I'm in agreement with you tubaman, all except two of my home PCs are running Windows 10 Home, my two that are running Pro have had no additional hardening as I wouldn't have a clue what to do, so the average home user will be completely clueless.

I suppose the only one I do know about which Pro does have and Home doesn't, but haven't got around to implementing, is BitLocker; I really should, for that extra level of protection should my PC ever be stolen.
Title: Re: Microsoft Windows and Security Considerations
Post by: Weaver on March 27, 2020, 07:25:25 PM
It’s insecure in that it cannot be configured securely. There are not multiple user accounts in the networking system and iirc you cannot use SRP. I can’t lock down a system such that malware exes cannot be placed in the file system anywhere and run. On a correctly configured system an exe installed in a non-approved location simply will never run; there will be an error on startup. SRP used correctly will achieve this. It needs to be used in conjunction with locked-down file system ACLs.

I have always ensured that Windows Pro systems that I have administered never have users able to run as admins, and have made it impossible to download exes, dlls etc. and then run them successfully; nor can users run them from removable media. They can copy exes from removable media but they will not run.

Buying windows home is a disastrous mistake because it’s a huge false economy, but what is a user supposed to do if they don’t know anything about securing / hardening windows. Most so-called professionals have no clue about how to completely lock down a system so it’s safe to use.
Title: Re: Microsoft Windows and Security Considerations
Post by: Ronski on March 27, 2020, 10:44:40 PM
Simply put, I do not want a system that locked down, I imagine it would be like putting a flame retardant suit, full race harness, and crash helmet on every time you went out for a drive.
Title: Re: Microsoft Windows and Security Considerations
Post by: Alex Atkin UK on March 27, 2020, 11:44:49 PM
I suspect that running a locked-down Windows 10 would be pretty horrific for gaming too.

The number of times just booting into Windows wants me to allow a process to run as admin in order to install an update.  How would that even work if my user couldn't escalate privileges?

In Linux it's recommended to NEVER use root, all admin tasks are supposed to be done using a normal user and privilege escalation as it's considered MORE secure.  This was what Microsoft were supposed to be trying to achieve with the popup "run as administrator" messages in the first place.
Title: Re: Microsoft Windows and Security Considerations
Post by: Weaver on March 28, 2020, 12:36:11 PM
I ran as a non-admin myself, I didn’t just inflict it on my users and I never had any complaints. They didn’t even notice, honestly. The way I set it up was zero hassle and 100% protection. I was doing this for ten years so I had developed config schemes that were well tuned.

As for installing updates on your own machine, since I was the admin of my own box I would just either use runas to run things that required privileges such as certain updates, or log out and log in as the_admin instead of my own personal everyday non-admin account.

I never found this any hassle myself. I am asking you to just believe me on this. I can’t see a reason why your experience might be different to mine. But everyone is different. If you are writing code, you might want to make some holes in the policy for yourself relating to a development area for you to work in (because you will be doing builds that produce new ‘illegal’ exes).

One rule that made my systems work. No exes are allowed to run unless they are in one single tree in the file system "\program files". All exes and dlls outside this official tree are disabled by being renamed to a different extension (eg .exe_disabled) by a scanning script I wrote, and all random folders and files in the root \ are deleted. No installer is allowed to create random directories below root. This keeps policies simple.

The hassle with a locked down system comes with badly behaved apps that will not run under a standard user account, and these need tweaking and hacking in order to fix them, which less experienced admins will not be able to do. The solution is to run such apps inside a virtual machine/sandbox using one of the various VM software applications. I used Microsoft’s own free VM solution, whatever it was called, escapes me now.

It all depends on how serious you are about your security. I would never do normal work from an admin account, and as I said no users were allowed to ever be admins. This is why I had zero security incidents in ten years amongst my customers’ users. This was combined with the use of email services that had scanning in them server-side, so all email was scanned on the server and exes and other potentially evil attachments of any kind were stripped, so nothing executable could even arrive in email. Plus, HTML email in Outlook was not shown in a browser window, so HTML itself in email could not be evil.
Title: Re: Microsoft Windows and Security Considerations
Post by: Ronski on March 28, 2020, 02:01:00 PM
It's not running as a standard user that's the problem, Windows Home can do that, it's all the other stuff you refer to, locking down the PC.

I've always managed my work's PC (10 Pro) until recently, when some wet behind the ears lad from an outside company comes in and starts locking it down, breaking things, changing passwords. I couldn't even create a shortcut key for Excel without creating another shortcut where I had permission to, as he changed the admin password for some unknown reason - he actually gave me the new password after I asked, and no other machines had it changed. For the standard user who merely opens Excel, Word or any other run of the mill program it's fine, but for power users it's not; it eventually causes issues.
Title: Re: Microsoft Windows and Security Considerations
Post by: tubaman on March 28, 2020, 02:12:57 PM
All my Win 10 machines are configured with the 'normal use' accounts being Standard user type so that any new installs etc. require the Administrator password to be entered. I suppose in that respect I have 'hardened' them a little bit. Even if the standard user was an admin I believe it still asks before any install takes place, but forcing the password allows you to stop and think before hitting 'ok' (also stops the kids installing stuff without asking). I am absolutely content that these machines are secure enough for what I process on them.
 :)
Title: Re: Microsoft Windows and Security Considerations
Post by: Ronski on March 28, 2020, 03:11:42 PM
All my PCs have local user accounts with a separate Admin account too.
Title: Re: Microsoft Windows and Security Considerations
Post by: Weaver on March 28, 2020, 08:36:23 PM
You need to do a lot more than that because the standard file system ACLs are too lax. And users can install exes in their own file system tree. With SRP such exes (and wherever I say exe I include dlls) cannot run, not even if they’re copied/downloaded into the user’s own directories to which she/he must have write perms. It took me some thought to design the necessary 100% bombproof config.
Title: Re: Microsoft Windows and Security Considerations
Post by: Alex Atkin UK on March 29, 2020, 12:29:46 AM
Quote
One rule that made my systems work. No exes are allowed to run unless they are in one single tree in the file system "\program files". All exes and dlls outside this official tree are disabled by being renamed to a different extension (eg .exe_disabled) by a scanning script I wrote, and all random folders and files in the root \ are deleted. No installer is allowed to create random directories below root. This keeps policies simple.

The hassle with a locked down system comes with badly behaved apps that will not run under a standard user account, and these need tweaking and hacking in order to fix them, which less experienced admins will not be able to do. The solution is to run such apps inside a virtual machine/sandbox using one of the various VM software applications. I used Microsoft’s own free VM solution, whatever it was called, escapes me now.

Those things are kinda mutually exclusive on a gaming PC I think, because they will be updating exe files inside Program Files all the time and they CAN'T easily be updated from another user account as you need to be signed in on the client for the digital rights management systems to function.  I also have games on my second drive in various paths, again depending on if it's Steam, Epic Games, U-Play, etc.  Locking them down would be a lot of work I suspect.

I can totally understand why your system makes a ton of sense in a business environment, but it sounds a huge PITA for a home user.  Doubly so as I'm primarily a Linux user so not familiar with how Windows handles things these days. 

It's bad enough having to update the GPU drivers every time I boot into Windows, after being used to a single command updating everything without any user input whatsoever on Linux.
Title: Re: Microsoft Windows and Security Considerations
Post by: Weaver on March 29, 2020, 03:45:49 AM
Alex I did that with my own main machine at home. I didn’t do anything to users that I didn’t do to myself. It was no hassle. If you need to run a game and don’t know how to hack it to get it to run as a non-admin, or if that’s totally impossible just make another admin account and runas it in that. The most important thing is not to be using a web browser or email in an unsecured admin-privileged account. If all you do in that admin account is run your game and your game is not evil then where’s the harm.

I guarantee from ten years of personal use at home that if done right by someone with enough security config expertise, fully secured machines are zero hassle. They had to be because my clients' users would be moaning otherwise, but they never even knew there was anything unusual about their systems, not until they tried to do something highly suspect or made a bad mistake and got stopped.

It’s important to use a good email program and a filtered virus-scanned email service with attachment stripping so eg exes get stripped before they get to you. Although no harm will come to you on a fully secured system, as even if you receive a malicious exe and save it, you can’t run it. But a clueless user could email it to someone else which is not good at all. Don’t ever use webmail unless you have a scanned attachment-stripped email service. Use a proper email client such as outlook which blocks attachments and castrates html email.

I don’t know what Firefox is like now but it used to be hopeless in security terms. Chrome showed promise but Microsoft browsers have always been light years ahead in security terms because of their sophisticated split-privilege/low privilege special architecture. Chrome may have this too. But unless you know a lot about security architectures stick to a Microsoft browser for safety, given web browsing is the highest risk activity there is. With full SRP and file system ACLs hardened you will be ok even if the web browser’s security model fails though.

These are the pillars:
1. No users as admins, esp not yourself
2. File system ACLs hardened correctly
3. Draconian SRP done right
4. Delete all random directories below the root unless you absolutely need some for a badly behaved app. This simplifies SRP and filesystem rules and keeps them correct long term. Also have zero random files in root (comes under ACLs anyway). This latter rule is not 100% essential but not having it is the road to hell.
5. Patches patches patches / updates to Windows and all your apps

If you have a badly behaved app or a game say which won’t run under a standard user account and you can’t work out how to hack it even with expert help and tools, then run it within a VM and then problem over. Don’t spend days on it.

I hacked the application “SmartStamp” from the Royal Mail iirc, an app that prints out stamps, as it wouldn’t run under a standard user account - unforgivably for a business app. While doing so I found it introduced an enormous security hole into every machine it was running on. Any standard user could use SmartStamp to gain admin privilege and cause limitless havoc. I fixed this evil by modifying the cruddy thing suitably, getting a knife into it. I mention this because this annoying process of dealing with random badly behaved apps can sometimes be very revealing.

It’s not all about security. A well secured machine where you’re in charge not some horrid random apps’ quirks is one that is more reliable because apps can’t wreck it.

Aside from VMs, if you can afford it why not have two physical machines if you want one for gaming, and have another for work or a place where you keep your critical data, stuff that you don’t want to lose and on which you do ultra hi risk activities such as web browsing.

If you’re serious about security and don’t know how to do all these things, get some help from a real expert professional; unfortunately these are extremely rare, but if you shout, I am here for you.

You also need a fully secured wireless LAN, a proper firewall and a router that is not full of security holes/bugs. Don’t allow random or evil users on to your LAN be it wireless or wireful as their machines could attack lan infrastructure with scary results. If you need to have such users visit you, put them in another LAN or use VLANs - there are a variety of solutions. Help is available with this kind of network security design. It’s difficult to give guidance because some things depend on the capabilities of the kit that you’ve got.

Sorry it’s been such a rant, hope some of it might be useful. Did this for a living full-time for a decade until I became too ill. I did security config for many home users not just business customers as home users matter too.
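The five pillars above, turned into a read-only audit. This is an added example, not Weaver's scanning script or any Microsoft tool: it reports what each pillar would flag and changes nothing, so it is safe to run on a machine you are only assessing. Run it from an elevated PowerShell so every directory's ACL is readable. The approved root-level names and the trees it treats as trusted are assumptions for a stock Windows 10 install; the SRP registry key and value names are the ones Group Policy writes for Software Restriction Policies.

```powershell
# Added example, not the post's own scanning script: a read-only audit of the five pillars.
# Nothing here renames, deletes or modifies anything. Run from an elevated prompt so that
# every directory's ACL is readable.

# Pillar 1: is this session itself running as an administrator?
function Test-RunningAsAdmin {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Pillar 2: explicit Allow entries that let everyday principals create files below the
# program trees. Inherited entries are skipped so only directories whose ACL was changed
# (typically by an installer) are listed; a stock install should return nothing.
function Get-LaxProgramTreeAcl {
    param([string[]]$Trees = @($env:ProgramFiles, ${env:ProgramFiles(x86)}))
    foreach ($tree in $Trees) {
        if (-not $tree -or -not (Test-Path -LiteralPath $tree)) { continue }   # 32-bit Windows has no (x86) tree
        $dirs = @(Get-Item -LiteralPath $tree) +
                @(Get-ChildItem -LiteralPath $tree -Directory -Recurse -Force -ErrorAction SilentlyContinue)
        foreach ($dir in $dirs) {
            $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { continue }
            $acl.Access |
                Where-Object {
                    -not $_.IsInherited -and
                    $_.AccessControlType -eq 'Allow' -and
                    $_.IdentityReference -match 'Users$|Everyone$' -and
                    $_.FileSystemRights -match 'Write|Modify|FullControl|CreateFiles|AppendData'
                } |
                ForEach-Object {
                    [pscustomobject]@{ Path = $dir.FullName; Identity = $_.IdentityReference; Rights = $_.FileSystemRights }
                }
        }
    }
}

# Pillar 3: is a Software Restriction Policy configured, and is it deny-by-default?
function Get-SrpState {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    if (-not (Test-Path $key)) {
        return [pscustomobject]@{ Configured = $false; DenyByDefault = $false; DllsCovered = $false }
    }
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        Configured    = $true
        DenyByDefault = ($p.DefaultLevel -eq 0)          # 0 = Disallowed, 0x40000 = Unrestricted
        DllsCovered   = ($p.TransparentEnabled -eq 2)    # 2 = rules also apply to DLLs, 1 = executables only
    }
}

# Pillar 4: entries in the root of the system drive that a stock install would not have,
# and executables sitting in the user-writable trees outside the program tree.
$ApprovedRootNames = @(   # constructed for a stock Windows 10 install; extend for OEM folders you have checked
    'Program Files', 'Program Files (x86)', 'ProgramData', 'Users', 'Windows', 'PerfLogs', 'Recovery',
    '$Recycle.Bin', 'System Volume Information', 'Documents and Settings',
    'pagefile.sys', 'hiberfil.sys', 'swapfile.sys', 'DumpStack.log.tmp'
)

function Get-UnexpectedRootEntries {
    Get-ChildItem -LiteralPath "$env:SystemDrive\" -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -notin $ApprovedRootNames }
}

function Get-ExecutablesInWritableTrees {
    param([string[]]$Roots = @("$env:SystemDrive\Users", $env:ProgramData))
    foreach ($root in $Roots) {
        Get-ChildItem -LiteralPath $root -File -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -in '.exe', '.dll' } |
            Select-Object FullName, Length, LastWriteTime
    }
}

# Pillar 5: when did the last Windows hotfix actually install?
function Get-LastHotfixDate {
    $fix = Get-HotFix -ErrorAction SilentlyContinue |
           Where-Object { $_.InstalledOn } |
           Sort-Object InstalledOn -Descending |
           Select-Object -First 1
    if ($fix) { return $fix.InstalledOn } else { return $null }
}

# Report
"Running as admin      : $(Test-RunningAsAdmin)"
"Last hotfix installed : $(Get-LastHotfixDate)"
"SRP state:";                                  Get-SrpState | Format-List
"Unexpected root entries:";                    Get-UnexpectedRootEntries | Select-Object Name, PSIsContainer | Format-Table -AutoSize
"Executables in user-writable trees:";         Get-ExecutablesInWritableTrees | Format-Table -AutoSize
"Explicit write grants under program trees:";  Get-LaxProgramTreeAcl | Format-Table -AutoSize
```

On a current machine the executables list will be long (browsers, chat clients and game launchers that update themselves from under the user profile), which is exactly the tension Alex Atkin UK and Ronski raise later in the thread: the audit shows the size of the job before a single rule is written. The ACL check deliberately lists only explicit grants, so a result of nothing means no installer has loosened the tree, not that inherited permissions were reviewed.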
Title: Re: Microsoft Windows and Security Considerations
Post by: Alex Atkin UK on March 29, 2020, 04:58:18 AM
Quote
I guarantee from ten years of personal use at home that if done right by someone with enough security config expertise, fully secured machines are zero hassle. They had to be because my clients' users would be moaning otherwise, but they never even knew there was anything unusual about their systems, not until they tried to do something highly suspect or made a bad mistake and got stopped.

The thing is though, Windows 10 is different to how it used to be.  There are plenty of reports of Windows Updates reverting these sorts of changes behind peoples backs, because Microsoft want to be the god of exactly how security works (or doesn't.)  By securing Windows, you're fighting the OS itself as it tries to prevent you from doing so.

Quote
Alex I did that with my own main machine at home. I didn’t do anything to users that I didn’t do to myself. It was no hassle. If you need to run a game and don’t know how to hack it to get it to run as a non-admin, or if that’s totally impossible just make another admin account and runas it in that. The most important thing is not to be using a web browser or email in an unsecured admin-privileged account. If all you do in that admin account is run your game and your game is not evil then where’s the harm.

But that's just it, games aren't self-contained any more, they are installed, updated and executed from homogenised UIs that are effectively web driven front-ends.  Web components are embedded within how the games work these days.

Games do generally run as standard users I believe (clients used to manage those games generally only ask for admin when they update), but I'm not sure they would be friendly to the level of lock down you are proposing.  Game clients refuse to launch without installing the latest update and those clients won't do a thing if you aren't logged into your account.
Title: Re: Microsoft Windows and Security Considerations
Post by: Weaver on March 29, 2020, 06:21:01 AM
I of course defer to Alex since I retired ten years ago, and as he says things have changed since then. I hated Windows 8 so much that I switched to Apple 100%. I was introduced to iPads by Janet in fact as she bought one to find out what it was like and then I immediately bought one too. The iPads took over my world completely pretty soon and then the Apple invasion became complete.
Title: Re: Microsoft Windows and Security Considerations
Post by: tubaman on March 29, 2020, 09:10:04 AM
Quote
You need to do a lot more than that because the standard file system ACLs are too lax. And users can install exes in their own file system tree. With SRP such exes (and wherever I say exe I include dlls) cannot run, not even if they’re copied/downloaded into the user’s own directories to which she/he must have write perms. It took me some thought to design the necessary 100% bombproof config.

@Weaver, I think the thing here is that we are referring to home PCs, not ones on a corporate network that could bring the whole company down if bad things happen. The level of security needs to be proportionate to the use case of the machines in question. You say (later post) that fully secured machines are zero hassle, but how can that possibly be? My work laptop is extremely well secured and causes no end of annoyance. I can't even make simple changes like choosing a desktop wallpaper that I like. A couple of days ago the team I work in needed to participate in a Webex conference - we had to do that on our personal equipment because the firm's kit won't allow it to run. I understand why they block such things, but to say it is zero hassle is just not true I'm afraid. And before you say that I could have just contacted an Admin to make things right, I can assure you that the answer would have been an unmovable 'No'.
 :)
Title: Re: Microsoft Windows and Security Considerations
Post by: Ronski on March 29, 2020, 10:00:18 AM
My older brother's (he's a computer programmer) partner's locked-down business laptop causes him no end of problems as he tries to make her franchised business run smoother.

You really shouldn't be advising people to use any MS browsers; IIRC the IE range of browsers was full of security holes, Firefox and Chrome are much more secure.

Weaver, after you've hacked some games try playing them, I'm sure the anti cheat systems would not be happy that you've altered things.

I've been using Windows since the early 90's and I wouldn't have a clue how to do a lot of what you've said, and I don't want to either, it's hard enough to keep all our PCs up to date.
Title: Re: Microsoft Windows and Security Considerations
Post by: tubaman on March 29, 2020, 10:48:39 AM
Quote
...

I've been using Windows since the early 90's and I wouldn't have a clue how to do a lot of what you've said, and I don't want to either, it's hard enough to keep all our PCs up to date.

Quite agree Ronski. I too have been using Microsoft products for a long time - since before Windows was even around in fact (MS-DOS 3.2 anyone!). I can say that I have had few issues with them. They are far from perfect (same applies to all OS) but on the whole if you wait a bit before upgrading to the 'latest and greatest' they have been generally ok. I must admit I never went near Windows ME or Vista - hence the 'wait a bit'.
I always ensure I have up-to-date AV installed and am always mindful about where I get software from.
I want a PC I can use and not one that stops me from doing things. I suppose it depends how risk averse you are, and I'm happy to balance some risk against usability.
 :)
Title: Re: Microsoft Windows and Security Considerations
Post by: Ronski on March 29, 2020, 11:14:03 AM
I totally agree with tubaman's sentiments, it's the way I've also done things.

I noticed the other day my PC at work actually has a Windows ME key sticker still attached to it, but it's only the case that's 20 years old, actually I do wonder if the power supply is (I'll have to check). I also used Vista, and actually liked it, barely used Windows 8 though, just had that on my laptop.

My older brother certainly worked a lot with DOS, and I used to write machine code on the ZX Spectrum, can't remember when I switched to Windows or what version it was, it was November 1995 I bought my first PC from Mesh Computers (£1566 ouch!) , and I certainly had Windows 95, 98, ME, XP, Vista, 7, 8, and finally 10.

Looking through my MS Money history there's certainly been a lot of money spent on the 'Computer' category over the last 24 years.
Title: Re: Microsoft Windows and Security Considerations
Post by: tubaman on March 29, 2020, 11:21:45 AM
Ronski,
Windows 8 was rather hilarious - the first thing I had to Google was how to turn it off as it was far from obvious! Once it moved to 8.1 and was no longer a 'one size fits no one' OS (ie didn't really fit tablet or PC properly) I actually got to quite like it. My home desktop started as Windows 8 and has been upgraded to 8.1 and then every version of 10. I suspect it would benefit from a clean rebuild, but while it still works fine I'm leaving it alone.
 :)
Title: Re: Microsoft Windows and Security Considerations
Post by: Ronski on March 29, 2020, 12:32:35 PM
I believe I had Start8 installed on the laptop, which fixed a lot of problems with Windows 8.

With regard to a fresh install, if you ever go down that route just check what drivers are available for your hardware prior to committing. I have a Canon LiDE scanner and there are no Windows 10 drivers available for that model; when Windows updated it kept using the old drivers so it works fine. I think there is a way around it, but it just makes things harder.
Title: Re: Microsoft Windows and Security Considerations
Post by: Weaver on March 29, 2020, 05:49:42 PM
How can that be, you asked. Well because I just arranged it that way. I did a very good job because it was my living and I spent a long time researching and refining techniques. That doesn’t mean that other sysadmins have done the same. If you’ve used a locked down machine in a library say, it was probably horrible. That’s because they are clueless cheap staff designing and implementing the policies.

As I said before I did this to my own personal machine as well as to all my customers’ users. You can choose not to believe me and I can’t convince you. If done properly there’s zero hassle apart from the occasional switch user for maintenance. If games are a problem then you run them in a VM or you use runas and make an exception for them. And there are the other techniques I described. On my own machine I had no compromise security. If you’re unhappy with ever having to use switch user or runas for app maintenance then use a vm or get two machines or live without full security.

It isn’t just my opinion that there’s zero hassle the way I designed things; as I said all my users had to be happy otherwise I had not done my job, and as I said none of them ever noticed there was anything unusual going on. They all got a little bit of casual training in security awareness basics too.

Your brother’s partner’s laptop could be said to be typical, but that’s a different story. That’s not me, and if you are securing a machine fully, have a clue and don’t make the end result a pain, obviously. Her sysadmins don’t know what they’re doing if they’ve made her unhappy, on that I’m sure we agree.

I fully recommend Internet Explorer as the most advanced security architecture in my day, but now Chrome may have risen to an equivalent level. As for browser bugs, they’re irrelevant because you are doing automatic patching, aren’t you? One of the pillars. It’s an unpopular opinion but not one arrived at lightly, but due to research and reading. Things have changed greatly and my opinions are now out of date. The question of whether Chrome has caught up with the likes of IE and Edge, I leave to others. In my day Chrome was showing very promising signs of advancement. Look into it and read up on Chrome, looking for integrity levels, low privilege, split privilege design.

These are my professional opinions, but I will warn you I am long retired.
Title: Re: Microsoft Windows and Security Considerations
Post by: tubaman on March 29, 2020, 09:06:19 PM
Weaver,
I'm afraid that constantly having to switch users or use 'run as' isn't sounding very 'hassle free' to me. Having to use a VM or second machine is even worse. I think we're going to have to agree to differ on this one.
 :) 
Title: Re: Microsoft Windows and Security Considerations
Post by: Ronski on March 29, 2020, 10:19:05 PM
I came to the same conclusion tubaman, I mean fancy trying to run a demanding game in a VM at home.
Title: Re: Microsoft Windows and Security Considerations
Post by: g3uiss on March 30, 2020, 04:20:23 PM
Quote
Quite agree Ronski. I too have been using Microsoft products for a long time - since before Windows was even around in fact (MS-DOS 3.2 anyone!)
Well I can remember using Cp/m that was around before DOS I think !
Title: Re: Microsoft Windows and Security Considerations
Post by: tubaman on March 30, 2020, 04:52:43 PM
Quote
Well I can remember using Cp/m that was around before DOS I think !

Same here - on a DEC Rainbow I believe. Seem to remember that I had CP/M and Wordstar on one 5.25" disk and saved my files to the other. It was a proper computer!
I also used to look after PDP11 based circuit testing machines - Marconi 800X, Genrad 2271 and 2275 - they were real beasts.
 :)
Title: Re: Microsoft Windows and Security Considerations
Post by: Chrysalis on March 31, 2020, 01:20:21 AM
I will soon finally succumb to Windows 10, it's advanced enough now that it has significant security advantages over Windows 8 (wasn't the case when it launched), but to me the only sane way of using it is on Windows 10 Enterprise LTSC.  Using an OS with an EOL of 18 months is just insanity.  Forced feature updates almost every year? No thank you sir.

Then after that making sure automatic updates are disabled as well as deferred updates for the updates that are available due to their quality control going down the pan.
Title: Re: Microsoft Windows and Security Considerations
Post by: Chrysalis on March 31, 2020, 01:27:01 AM
Quote
You need to do a lot more than that because the standard file system ACLs are too lax. And users can install exes in their own file system tree. With SRP such exes (and wherever I say exe I include dlls) cannot run, not even if they’re copied/downloaded into the user’s own directories to which she/he must have write perms. It took me some thought to design the necessary 100% bombproof config.

Microsoft have missed so many opportunities to improve their basic install configuration.

UAC was launched with Vista, and it was supposed to be temporary, and was a means of encouraging app developers to not require admin privileges.  With the end game to be that standard user accounts would become the default, with UAC escalation being used for admin tasks only.
Instead, many years later, admin accounts are still the default, and UAC doesn't even need a password in its default configuration to elevate, plus whitelisted binaries avoid UAC prompts altogether.  Convenience over security.

SRP is no longer even supported by Microsoft anymore, yet consumers who want restricted exe security have to use it because they locked down AppLocker to enterprise/server only, and they have failed to provide an SRP configuration in a default enabled state, which I consider in this day and age absolutely bonkers.
Likewise we now have Windows Defender that supports things like control flow guard, yet it's disabled by default, what's the point?

They still use insecure svchost, rundll etc. which are security nightmares.  So malware can pose as svchost e.g. which would be likely whitelisted in firewall and a/v software.
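Two of the points above turned into checks. This is an added example, not Chrysalis's or Microsoft's code. The first function reads the documented UAC policy values and says whether administrators are asked for a password and whether the auto-elevate allowlist is in effect; the second puts the hardened values this example would choose beside the defaults (the hardened choice is the example's, not the post's); the third looks for processes called svchost.exe or rundll32.exe that do not run from System32 or SysWOW64 or, for svchost, are not children of services.exe. Run elevated so the image paths of processes in other sessions are visible; without elevation those show as null and will be flagged.

```powershell
# Added example (not from the post or from Microsoft): audit the UAC values the post
# criticises and look for processes that borrow the names svchost.exe / rundll32.exe.

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# ConsentPromptBehaviorAdmin (documented UAC policy value):
#   0 = elevate silently             1 = prompt for credentials on the secure desktop
#   2 = always prompt for consent    5 = prompt for consent for non-Windows binaries (the default:
#       no password is asked, and binaries on Microsoft's auto-elevate list skip the prompt entirely)
function Get-UacState {
    $p = Get-ItemProperty -Path $UacKey
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        ConsentPromptBehaviorUser  = $p.ConsentPromptBehaviorUser   # 3 = ask for admin credentials, 0 = deny
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
        AdminsTypePassword         = ($p.ConsentPromptBehaviorAdmin -eq 1)
        AutoElevateBypassActive    = ($p.ConsentPromptBehaviorAdmin -eq 5)
    }
}

# Hardened values beside the defaults. Writing them needs an elevated prompt and a change to
# EnableLUA takes effect at the next sign-in. The hardened choice is this example's.
$UacDefaults = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 5; ConsentPromptBehaviorUser = 3; PromptOnSecureDesktop = 1 }
$UacHardened = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 1; ConsentPromptBehaviorUser = 3; PromptOnSecureDesktop = 1 }

function Compare-UacToHardened {
    $p = Get-ItemProperty -Path $UacKey
    foreach ($name in $UacHardened.Keys) {
        [pscustomobject]@{
            Setting  = $name
            Current  = $p.$name
            Default  = $UacDefaults[$name]
            Hardened = $UacHardened[$name]
            Ok       = ($p.$name -eq $UacHardened[$name])
        }
    }
}

function Set-UacHardened {
    [CmdletBinding(SupportsShouldProcess)] param()
    foreach ($name in $UacHardened.Keys) {
        if ($PSCmdlet.ShouldProcess("$UacKey\$name", "set to $($UacHardened[$name])")) {
            Set-ItemProperty -Path $UacKey -Name $name -Value $UacHardened[$name] -Type DWord
        }
    }
}

# Genuine svchost.exe lives in System32 (or SysWOW64) and is started by services.exe;
# rundll32.exe lives in the same two directories. Anything else using those names is reported.
function Get-ImpostorHostProcesses {
    $trusted = @((Join-Path $env:SystemRoot 'System32'), (Join-Path $env:SystemRoot 'SysWOW64'))
    $all = Get-CimInstance -ClassName Win32_Process
    foreach ($proc in ($all | Where-Object { $_.Name -in 'svchost.exe', 'rundll32.exe' })) {
        $parent   = $all | Where-Object { $_.ProcessId -eq $proc.ParentProcessId } | Select-Object -First 1
        $dir      = if ($proc.ExecutablePath) { Split-Path -Path $proc.ExecutablePath -Parent } else { $null }
        $pathOk   = [bool]$dir -and ($trusted -contains $dir)
        $parentOk = ($proc.Name -ne 'svchost.exe') -or ($parent -and $parent.Name -eq 'services.exe')
        if (-not $pathOk -or -not $parentOk) {
            $reason = if (-not $pathOk) { 'image path' } else { 'parent process' }
            [pscustomobject]@{
                PID = $proc.ProcessId; Name = $proc.Name; Path = $proc.ExecutablePath
                ParentName = $parent.Name; Reason = $reason
            }
        }
    }
}

Get-UacState
Compare-UacToHardened | Format-Table -AutoSize
Get-ImpostorHostProcesses | Format-Table -AutoSize
# Set-UacHardened -WhatIf    # preview the hardening; drop -WhatIf to apply it from an elevated prompt
```

The process check is the detection side of the svchost point: the name is free for anyone to use, so what distinguishes the real host process is where it loads from and who started it, and both are visible without any third-party tooling.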
Title: Re: Microsoft Windows and Security Considerations
Post by: Chrysalis on February 15, 2021, 02:36:44 PM
Having now migrated all my machines to windows 10, I will get to work on the wiki I was planning ages ago, the security scene is constantly in transition but hopefully i can get something out (using free software and internal windows features) that remains relevant.
Title: Re: Microsoft Windows and Security Considerations
Post by: niemand on June 26, 2021, 12:22:41 AM
I read this thread just in time for Windows 11.

The level of restrictions mentioned in the initial posts runs a huge risk of impairing functionality, causing users to be careless, and is well beyond anything I've had in a professional situation.

I can download and run executables on my work machine.

However it does have a more modern and scalable solution due to an endpoint agent. Executables are monitored first time they run to ensure they aren't showing interesting behaviour. Some are outright blacklisted.

Static configuration on Windows doesn't really work beyond a handful of nodes and managing policies can become an issue when they're so specific.

That's enterprise. At home very few are going to manually configure file system ACLs.

Windows Home is fine. The paranoid just shouldn't run Windows but an operating system with mandatory controls that defaults to least privilege - ideally running everything containerised, and each container hosting a type 2 hypervisor for the really paranoid  :)

Our home PCs have no hardening to speak of, however the valuable data is hosted on a server.
Title: Re: Microsoft Windows and Security Considerations
Post by: Alex Atkin UK on June 26, 2021, 12:34:35 AM
Having a gaming PC you honestly have to throw caution to the wind.

When Ubisoft's launcher updates, it asks THREE TIMES for Administrator privileges.  God only knows what it's doing, and that's just one example.
Title: Re: Microsoft Windows and Security Considerations
Post by: NEXUS2345 on July 06, 2021, 11:27:19 AM
In my experience, if a user wants to secure their PC more than standard, they can purchase a Pro license for Windows and stick the Microsoft security baselines on it, then create a separate admin and standard users for admin and daily use respectively. This should provide more than enough security against the average threat of today. In truth, consumers and even businesses are vastly more exposed to things like phishing emails and malicious websites than they are malicious executables in this day and age.

Especially in terms of businesses, the most common thing I see working as a security professional is attackers exploiting exposed RDP instances with no 2FA. I think that is probably 50-60% of the jobs we see coming in. For some context, I work for a very large cyber security consultancy based in the UK as a security improvement and remediation consultant.

I would urge people to have a read of this article from Kevin Beaumont (https://doublepulsar.com/the-hard-truth-about-ransomware-we-arent-prepared-it-s-a-battle-with-new-rules-and-it-hasn-t-a93ad3030a54) as it by far and away explains why security still isn't improving over time.

But anyway, in terms of security on Windows 10, the base installation is still significantly more secure than a base installation of Windows 7 thanks to a number of features introduced with Windows 10. The security baselines from Microsoft shore this up significantly and make it much harder for network-based attacks to be used. The final pillar is protection against malicious executables and similar attacks, and I will say that Microsoft Defender tends to do an extremely good job at this these days, as do most of the anti-malware products available from other vendors. I also recommend that the extremely security conscious, who are worried about zero-day vulnerabilities, look at a solution called 0patch, which provides micro-patches to quickly fix major vulnerabilities including the recently disclosed "Print Nightmare" vulnerability.
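The two practical points in the post above, a separate standard account for day-to-day use and the danger of an exposed RDP service with no second factor, can both be audited from PowerShell. The script below is an added example written for this thread, not code from any poster; it assumes Windows 10/11 Pro, an elevated PowerShell session, and `daily` as the name of the non-admin account. `Get-RdpExposure` reads the same registry values and firewall rule group that the Remote Desktop settings page toggles.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
#Requires -RunAsAdministrator

$DailyUser = 'daily'   # assumed name for the non-admin day-to-day account

# Returns $true when the current session is running with an admin token.
function Test-IsElevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $id
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Creates a local account that is a member of Users only, and warns if it has
# somehow ended up in Administrators.
function New-DailyStandardUser {
    param([Parameter(Mandatory)][string]$Name)
    if (-not (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue)) {
        $pw = Read-Host "Password for $Name" -AsSecureString
        New-LocalUser -Name $Name -Password $pw | Out-Null
    }
    Add-LocalGroupMember -Group 'Users' -Member $Name -ErrorAction SilentlyContinue
    $admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
    $escaped = [regex]::Escape($Name)
    if ($admins -match "\\$escaped$") {
        Write-Warning "$Name is a member of Administrators; remove it before using it daily."
    }
}

# Reports whether RDP is enabled, whether Network Level Authentication is
# required, and whether the built-in "Remote Desktop" firewall rules are open.
function Get-RdpExposure {
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = "$ts\WinStations\RDP-Tcp"
    $enabled = (Get-ItemProperty $ts  -Name fDenyTSConnections).fDenyTSConnections -eq 0
    $nla     = (Get-ItemProperty $tcp -Name UserAuthentication).UserAuthentication -eq 1
    $rules   = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -ErrorAction SilentlyContinue)
    $fwOpen  = $rules.Count -gt 0

    # Without NLA, password guessing reaches the full logon screen; with NLA
    # there is still no second factor, which is the gap the post describes.
    if (-not $enabled)  { $risk = 'RDP disabled' }
    elseif (-not $nla)  { $risk = 'RDP enabled without NLA: high' }
    else                { $risk = 'RDP enabled with NLA: restrict to VPN/LAN and add 2FA' }

    [pscustomobject]@{
        RdpEnabled       = $enabled
        NlaRequired      = $nla
        FirewallRuleOpen = $fwOpen
        Risk             = $risk
    }
}

# Turns RDP off entirely and closes its firewall rules, for machines that
# never need remote access.
function Disable-Rdp {
    Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
        -Name fDenyTSConnections -Value 1 -Type DWord
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
}

if (-not (Test-IsElevated)) { throw 'Run this from an elevated prompt.' }
New-DailyStandardUser -Name $DailyUser
Get-RdpExposure | Format-List
# Disable-Rdp   # uncomment on a PC that never needs inbound RDP
```

After running it, log in as `daily` for everyday use and keep the original admin account only for the UAC prompts that genuinely need it. If `Get-RdpExposure` reports RDP enabled on a home PC, check that the router is not forwarding TCP 3389 to it; the firewall rule being open is only dangerous when something can reach it.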
Title: Re: Microsoft Windows and Security Considerations
Post by: Chrysalis on July 06, 2021, 10:52:43 PM
Ultimately it comes down to a few things.

Most people have the mindset that as long as you keep windows patched, and have some form of anti malware on your PC then you are golden.

But the reality is the most dangerous malware is one that spreads before a patch is published, otherwise known as 0day malware. Many anti-virus solutions likewise struggle with 0day; they may be good at finding older malware, but struggle on malware that is fresh out of the door.

The better way is to have the OS in a more secure configuration out of the box. One big step towards that is to stop using admin accounts by default. This was originally Microsoft's plan when UAC got introduced, but for whatever reason it never came to fruition, and here we are many years later still not using LUAs by default.

The Windows firewall allows applications that don't even have elevated permissions to add rules to it, as well as being by default in a fairly open configuration.

PowerShell ships in an open configuration.

Windows still uses the insecure by nature svchost, rundll.

Applocker is still not activated on consumer versions of windows.

Defender's protected folder feature has an internal whitelist which cannot be disabled; likewise UAC by default has an internal whitelist, however it can be disabled.

Most of these flaws exist because Windows is still built for end user convenience, and also market segmentation as some features are deemed enterprise only. One of the new features that will be enabled by default in Windows 11 was originally enterprise only, but Microsoft have been gradually moving it over to consumer.

Chrome has me concerned as well; what the browser is capable of is scary. If you look into its permissions system, it allows websites to hook directly into cameras, microphones, USB devices, the filesystem, a virtual filesystem, the Windows Installer API and more. All exploits waiting to happen. Essentially Google have built an OS into Chrome, as a substitute for taking over the PC OS market.
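The post above lists several defaults (firewall, PowerShell, UAC's auto-elevation list, AppLocker, Defender's protected folders) that a home user can tighten on a Pro edition. The function below is an added example written for this thread, not the poster's code or a Microsoft baseline; it reports each item and, with my own `-Apply` switch, sets the stricter value. It assumes an elevated session on Windows 10/11 Pro. One departure from the post: PowerShell's execution policy is documented by Microsoft as not being a security boundary, so the check here enables script block logging (Event ID 4104), which is what actually helps you see what a script did.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
#Requires -RunAsAdministrator

function Invoke-HomeHardeningCheck {
    param([switch]$Apply)   # assumed switch: without it the function only reports
    $findings = @()

    # 1. Firewall: every profile should block inbound by default. Enabled inbound
    #    allow rules with an empty Group are, heuristically, rules added by
    #    installers and applications rather than by Windows itself.
    foreach ($p in Get-NetFirewallProfile) {
        if ($p.DefaultInboundAction -ne 'Block') {
            $findings += "Firewall profile $($p.Name): DefaultInboundAction is $($p.DefaultInboundAction)"
            if ($Apply) { Set-NetFirewallProfile -Name $p.Name -DefaultInboundAction Block }
        }
    }
    $appRules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        Where-Object { [string]::IsNullOrEmpty($_.Group) }
    foreach ($r in $appRules) { $findings += "Inbound allow rule added outside Windows: $($r.DisplayName)" }

    # 2. PowerShell: log script blocks so Defender and your own event log
    #    searches can see what ran, whatever the execution policy says.
    $sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $sblValue = (Get-ItemProperty $sbl -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue).EnableScriptBlockLogging
    if ($sblValue -ne 1) {
        $findings += 'PowerShell script block logging (Event ID 4104) is off'
        if ($Apply) {
            New-Item $sbl -Force | Out-Null
            Set-ItemProperty $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord
        }
    }

    # 3. UAC: "Always notify" (ConsentPromptBehaviorAdmin=2) switches off the
    #    silent auto-elevation of built-in binaries the post calls the UAC whitelist.
    $uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $u = Get-ItemProperty $uac
    if ($u.EnableLUA -ne 1 -or $u.ConsentPromptBehaviorAdmin -ne 2 -or $u.PromptOnSecureDesktop -ne 1) {
        $findings += "UAC is not at 'Always notify' (EnableLUA=$($u.EnableLUA), ConsentPromptBehaviorAdmin=$($u.ConsentPromptBehaviorAdmin))"
        if ($Apply) {
            Set-ItemProperty $uac -Name EnableLUA -Value 1 -Type DWord
            Set-ItemProperty $uac -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
            Set-ItemProperty $uac -Name PromptOnSecureDesktop -Value 1 -Type DWord
        }
    }

    # 4. Defender Controlled Folder Access: blocks unapproved processes from
    #    writing to Documents, Pictures etc. (the "protected folder" feature).
    if ((Get-MpPreference).EnableControlledFolderAccess -ne 1) {
        $findings += 'Defender Controlled Folder Access is not enabled'
        if ($Apply) { Set-MpPreference -EnableControlledFolderAccess Enabled }
    }

    # 5. AppLocker: report whether any policy is in effect. The cmdlets are not
    #    present on Home, which is why this is wrapped in try/catch.
    try {
        $pol = Get-AppLockerPolicy -Effective -ErrorAction Stop
        if (($pol.RuleCollections | Measure-Object).Count -eq 0) {
            $findings += 'No AppLocker rule collections are in effect'
        }
    } catch {
        $findings += 'AppLocker cmdlets are unavailable on this edition'
    }

    if ($findings.Count -eq 0) { return 'No findings' }
    return $findings
}

Invoke-HomeHardeningCheck            # report only
# Invoke-HomeHardeningCheck -Apply   # apply the stricter settings
```

Run the report first and read the firewall list before applying anything: games and launchers like the one mentioned earlier in the thread add their own inbound rules, and the heuristic will list every one of them, some of which you may want to keep. Controlled Folder Access will also start blocking legitimate programs until you allow them, so expect a few prompts in the first week.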
Title: Re: Microsoft Windows and Security Considerations
Post by: Weaver on July 10, 2021, 08:40:25 AM
To put my earlier posts in context: what you do when hardening your own machine is one thing; hardening a machine that will be abused by possibly witless employees of your customer is another. I worked as a sysadmin and security consultant for about eight years, and developed hardened configurations and installation tools for customers. I also used a very similar hardened configuration myself, and I never logged into my own machines as an administrator unless absolutely necessary, e.g. for making system changes.

Some horrible apps had to be tweaked to make them run under a standard user account with no admin privileges. Where such horrid apps had to be used but really wouldn’t run under a standard user account despite my best app-hacking efforts, I set them up to be run inside a VM, thus making the customer happy that using the essential app was possible and no security compromise was made.

I really do recommend this tip. Any apps that you don’t trust or which won’t run under a standard user account, use them in a VM.

A lot of my earlier post should have been qualified as being from a context that is now very out of date, because I have been retired due to ill-health for ten years, and of course so much has changed since then that that might as well be the stone age, but the core best practices are still very much worth adopting while in some cases more modern techniques may have supplanted the old advice given earlier.
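The tip above, running any app you don't trust or that insists on admin rights inside a VM, has a built-in equivalent on Windows 10/11 Pro in Windows Sandbox, a Hyper-V based throwaway VM that is discarded when its window closes. The script below is an added example written for this thread, not the poster's own tooling; it writes a `.wsb` configuration with networking and clipboard sharing off and the host folder mapped read-only, then launches it. `C:\Untrusted`, `setup.exe` and the function name are assumptions. Inside the sandbox the app runs as an administrator of the disposable guest, which is what makes the "won't run without admin" case work without giving it anything on the host.

```powershell
# Added example (not from the thread). Enable the feature once from an
# elevated prompt (reboot required):
#   Enable-WindowsOptionalFeature -Online -FeatureName Containers-DisposableClientVM -All

$HostFolder = 'C:\Untrusted'   # assumed: where untrusted installers are kept
$Installer  = 'setup.exe'      # assumed: the file to run inside the sandbox
$WsbPath    = Join-Path $env:TEMP 'untrusted-app.wsb'

# Writes a Windows Sandbox configuration and returns its path.
function New-UntrustedAppSandbox {
    param(
        [Parameter(Mandatory)][string]$HostFolder,
        [Parameter(Mandatory)][string]$Installer,
        [Parameter(Mandatory)][string]$WsbPath
    )
    if (-not (Test-Path $HostFolder)) {
        New-Item -ItemType Directory -Path $HostFolder | Out-Null
    }
    # Networking off: a dodgy app cannot reach the LAN or phone home.
    # Clipboard off: nothing leaks in or out via copy/paste.
    # ReadOnly mapping: the guest can read the installer but not modify the host folder.
    $wsb = @"
<Configuration>
  <VGpu>Disable</VGpu>
  <Networking>Disable</Networking>
  <ClipboardRedirection>Disable</ClipboardRedirection>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>$HostFolder</HostFolder>
      <SandboxFolder>C:\Untrusted</SandboxFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>cmd /c start "" "C:\Untrusted\$Installer"</Command>
  </LogonCommand>
</Configuration>
"@
    Set-Content -Path $WsbPath -Value $wsb -Encoding UTF8
    return $WsbPath
}

$path = New-UntrustedAppSandbox -HostFolder $HostFolder -Installer $Installer -WsbPath $WsbPath
Start-Process $path   # opens the sandbox; closing its window discards the whole VM
```

If the app genuinely needs the internet (an online installer, a launcher), change `Networking` to `Enable` and accept that the guest can then see your LAN; for anything you want to keep between sessions, a full Hyper-V VM with checkpoints is the better fit, since the sandbox forgets everything on close.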