Improve Windows security
I propose that all remote and sharing programs be installable, but not installed until the user requests the functionality. They should be uninstallable down to the last registry entry and file. This is for single users who are the superuser.
Users should have settings stored, but not files.
Any files that 3rd parties want to install should be installed into the 'Program files' area. No files or settings should go into the Windows area.
No future Windows version should allow 3rd party apps to access the internet directly.
All applications that want to access the internet should go through an artificial intelligence program that monitors for adverse changes to the user environment. A super phishing filter program but more powerful and versatile.
All Windows utilities should be replaced in functionality by a super utility that is monitored by an artificial intelligence for its impact on the user's environment. No more access to dangerous programs such as dism.exe, which can manipulate Windows images, that the registry is just a viewport for.
Windows images should be made obsolete, and just settings and data stored.
When Windows installs a third party program, it should do so in the 'program files' directory. No files (including dynamic linked libraries, dll files) of 3rd parties would go in the Windows directory.
All necessary files and settings for the user's session would be stored in the 'program files' directory. At the end of the user's session, only their settings and harmless data would be stored.
The idea of impersonation (SeImpersonatePrivilege) by one user of another should be abolished. It is dangerous. Impersonation is handy for Microsoft and companies, to remotely set up a person's environment, but should be done in a special session, and not in a working Windows environment.
A clearly defined set of limitations would go with any new user, that cannot be accessed or changed by them. This would eliminate the issue of token keys, which can be copied and used.
Any program that exhibits the ability to directly access the hard disk, through machine code embedded commands, should not be allowed to install in the first place.
All programs should NOT have the ability to directly access the Windows program area of the disk, other than a session that is strictly maintenance mode, which the superuser controls, and is responsible for.
The current firewall has so many holes through it that I think of it as a sieve. Using the procexp64 utility shows how many processes are up and running, not called by the user or the system.
Even with all the group policy settings disabling remote desktop access and the firewall settings to the maximum through gpedit.msc and wf.msc, remote desktop processes are still being called up. Even with the remote desktop executable files removed, the dll files are being remotely called up.
Piggybacking one internet protocol on another, Java functionality fully enabled, programs calling other programs using acquired token privileges ... there has to be a better way.
Lately, I have been getting a lot of Taiwanese language functionality (keyboards, text service conversion, etc.) being inexplicably installed on the system, for no reason...
I am sure most people are oblivious to the data (and commands) that trickle through their firewall.