Check out the Microsoft baseline security guidelines for Windows 11. It's about 400 entries. 400 settings that Microsoft themselves recommend changing from the defaults to achieve baseline security.
Why does Windows 11 show stock values in the task bar by default? Why does it show ads, games and yellow press headlines when you click on it? On the Enterprise edition! Xbox services are installed and running by default. Why?
Direct Send was my favorite. Direct Send allows devices to send unauthenticated email to internal recipients using your organization's domain, which can expose you to internal emails for phishing, etc. It bypasses user authentication, making sender identity difficult to verify or audit. For all orgs made before mid-2025 it was enabled by default.
I saw a great Black Hat talk this year about Entra misconfiguration that got Microsoft's own sensitive internal services owned by a researcher, one of them owned by their security team. After the report they reconfigured their services, didn't pay a bounty and considered the problems solved. What about their customers making the same config errors as the Microsoft team... no changes planned.
One not-so-obscure problem is how hard it is to only elevate yourself to admin when you need it (and run as a regular user the rest of the time).
Essentially you need to pay a double license for admin users so they can have two logins; and it's a pain to quickly elevate privilege to do day-to-day admin tasks.
So if your friendly domain admin clicks the wrong link, your entire network is owned.
Obscure from a typical user's POV: the fact that file extensions are not shown by default. This makes it possible for the user to click on a file that has the extension and the icon of a picture (embedded inside), but turns out to be an executable file.
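A defender-side audit for the issue raised in the comment above, added here as an example and not code from the thread's author: it reads the per-user Explorer setting that hides known file extensions and lists files in a folder whose visible name looks like a picture or document while the real extension is executable. The registry path and value name are the real ones; the folder path is an assumed sample.

```powershell
# Added example: audit the "hide known file extensions" setting and flag
# files whose displayed name masquerades as a picture or document.
# $Path is an assumed sample location; replace with the folder to check.
param(
    [string]$Path = "$env:USERPROFILE\Downloads"
)

# Explorer stores the setting per user: 1 = extensions hidden (the default), 0 = shown.
$advKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$hide = (Get-ItemProperty -Path $advKey -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
if ($null -eq $hide -or $hide -eq 1) {
    Write-Warning "Known file extensions are hidden for this user (HideFileExt=$hide)."
    # Uncomment to remediate for the current user; Explorer must restart to pick it up.
    # Set-ItemProperty -Path $advKey -Name HideFileExt -Value 0 -Type DWord
} else {
    Write-Output "Known file extensions are shown (HideFileExt=0)."
}

# Extensions Explorer would hide, leaving a decoy name like "photo.jpg" visible.
$executable = @('.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.js', '.vbs', '.lnk')
$decoy      = @('.jpg', '.jpeg', '.png', '.gif', '.pdf', '.doc', '.docx', '.txt')

Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $realExt  = $_.Extension.ToLowerInvariant()
    # What the user sees with extensions hidden: the name minus its last extension.
    $shown    = $_.BaseName
    $shownExt = [System.IO.Path]::GetExtension($shown).ToLowerInvariant()
    if ($executable -contains $realExt -and $decoy -contains $shownExt) {
        [pscustomobject]@{
            Displayed = $shown      # e.g. photo.jpg
            Actual    = $_.Name     # e.g. photo.jpg.exe
            FullPath  = $_.FullName
        }
    }
}
```

The same HideFileExt value can be enforced fleet-wide through Group Policy Preferences rather than per user; the script only reports and leaves the remediation line commented out.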
They've apparently had a corporate philosophy of obfuscating the underlying system from the end user and deliberately inhibiting their ability to learn how it fits together since at least the early 2000s.
I feel like the current ignorance of the average computer user was a deliberate outcome they've been working towards for more than 20 years. As someone who has been using computers since the late 80s, I find their current offerings harder to use than ever.