They (especially Windows 11 on supported hardware) are far more secure than older versions of Windows.
That said, I don't really consider Windows "secure", when it's still filled with legacy cruft that was written before Microsoft's focus on secure coding. We are still seeing font exploits in 2022, FFS.
The track Windows 11 is headed down seems like a decent approach given realities. For whatever reasons, Microsoft's efforts to eliminate legacy cruft have proved unsuccessful/untenable, so the next best compromise is to harden the OS against itself and everything else.
Most of the time, the problem lies with the users. Once (a long time ago) I RDP'ed into a Windows Server 2003 (or so) for some checking and saw it running an eDonkey or some other P2P download utility, as Administrator.
They’re fine, but with any desktop operating system (including macOS and Linux) there are always some risks involved, depending mostly on user behaviour.
For something more foolproof and secure, consider iPadOS or a Chromebook.
If you are behind a NAT then you may consider any OS safe. But I have no idea about the state of the art of NAT hacking, maybe some of them are flawed.
There are innumerable ways vulnerabilities can be exercised that do not involve having to “hack” NAT. I would not be comfortable stating so simply that NAT will protect in all situations. It’s one layer of defense, yes, but is inadequate without others like malware avoidance.
> There are innumerable ways vulnerabilities can be exercised that do not involve having to “hack” NAT.
Any examples? Suppose we have a Windows computer connected to a NAT with access to the Internets, but the computer doesn't download anything. I am not a sysadmin but from my understanding this is almost safe.
1) You’re browsing the web from the old machine. Your HTTPS connection gets MITM’d due to a TLS vulnerability, and the attacker is able to gain control of your email account.
2) Unbeknownst to you, another machine on the network is infected with some virus. That machine uses a CIFS vulnerability to remotely infect and root your old computer.
1. I do not believe this is possible. An old device (for example, any Blackberry and maybe Windows XP) cannot connect to any site on the Internets except HN, maybe because websites like mail providers usually do not give any content via HTTP. Any working HTTPS connection just cannot be MitMed, except if you are a person of interest to somebody extremely powerful.
That is obviously not true. NAT has been pretty much the default way of accessing the Internet for the vast majority of computers for the last 15 years. The proliferation of ransomware and zero-click exploits clearly shows that NAT did not turn any boxes behind it into something secure.
There are tons and tons of attack vectors that are not deterred by NAT. And with so many routers around that are vulnerable and not updatable, or that still have their default admin passphrases, you shouldn't consider your NAT network a safe place.
My router has a default admin password but this password invite is not available from the Internets. There is a way of doing it available - press and hold some button and connect to the router via wire using telnet. Here is what I know about the default password vector, am I missing something?
Windows is not secure, it doesn't have any proper permission system, any process can read/write files, send network requests to anyone without the user noticing anything.
It can even change system settings without you noticing.
You should feel naked when you manipulate sensitive data with Windows, because you are indeed naked.
Hence why most companies forbid their employees to use Windows with public internet access for work.
> Hence why most companies forbid their employees to use windows with public internet access for work
I've never worked anywhere that's done this, and I work in healthcare. Most commonly they will put you behind a proxy that does malware and data loss protection.