BTW for those who want to learn... All of these (and more) are also applicable to Linux.
I'm running very hardened Linux "workstations" and things, once set up, just work. I created a shell script verifying lots and lots of things and warning me if I forgot to harden something. I then simply re-run my script every time I install a new Linux (which is not that often). The script even modifies config files for me:
Setting xyz-fribulator is set to 0, although it should be set 2, do you want me to modify xxx.cfg for you? [Y/N]
Makes hardening a new system a breeze.
For example I really don't see why a user should see processes belonging to other users. I've got about 30 settings like that, plus a beefy firewall, plus, as in TFA, a "no sudo / no doas" from the regular user rule.
Haters gotta hate, of course.
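The check-and-offer-to-fix loop the comment describes, as an added example in POSIX sh (not the commenter's script): it audits sysctl-style "key = value" settings in a file, rewrites them after confirmation, and checks that /proc is mounted with hidepid so users cannot see other users' processes. The config path, the keys and the mounts-file argument are assumptions.

```shell
#!/bin/sh
# Hardening-audit helper (added example, not the commenter's script): checks
# "key = value" settings in a sysctl-style file, offers to rewrite them, and
# verifies /proc is mounted with hidepid so users cannot see other users' processes.

# Print the current value of KEY in FILE (empty if absent); comment lines are ignored.
get_setting() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | sed 's/[[:space:]]*$//' | tail -n 1
}

# Return 0 if KEY in FILE equals EXPECTED, else explain on stderr and return 1.
check_setting() {
    actual=$(get_setting "$1" "$2")
    [ "$actual" = "$3" ] && return 0
    echo "Setting $2 is set to '${actual:-<unset>}', although it should be set to $3" >&2
    return 1
}

# Set KEY = EXPECTED in FILE (replace the existing line or append), keeping FILE.bak.
fix_setting() {
    cp "$1" "$1.bak"
    if grep -q "^[[:space:]]*$2[[:space:]]*=" "$1.bak"; then
        sed "s|^[[:space:]]*$2[[:space:]]*=.*|$2 = $3|" "$1.bak" > "$1"
    else
        printf '%s = %s\n' "$2" "$3" >> "$1"
    fi
}

# Return 0 if /proc is mounted with hidepid=2 (shown as "invisible" on newer kernels),
# reading a /proc/self/mounts-style file (the argument lets tests pass a constructed one).
proc_hidepid_ok() {
    awk '$2 == "/proc" && $4 ~ /(^|,)hidepid=(2|invisible)(,|$)/ { ok = 1 }
         END { exit !ok }' "${1:-/proc/self/mounts}"
}

# audit FILE KEY EXPECTED [KEY EXPECTED ...]: report drift and offer to fix it.
audit() {
    file=$1; shift; status=0
    while [ $# -ge 2 ]; do
        if ! check_setting "$file" "$1" "$2"; then
            printf 'Do you want me to modify %s for you? [Y/N] ' "$file"
            read -r answer
            case $answer in [Yy]*) fix_setting "$file" "$1" "$2" ;; *) status=1 ;; esac
        fi
        shift 2
    done
    return $status
}
```

Run it as e.g. `audit /etc/sysctl.d/99-hardening.conf kernel.yama.ptrace_scope 2 kernel.kptr_restrict 2` (assumed path and keys) and separately `proc_hidepid_ok || echo "mount /proc with hidepid=2"`.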