Advanced Security Lenny's Security Config 2024

Last updated
Apr 19, 2024
How it's used?
For home and private use
Operating system
Windows 11
Other operating system
Running as standard user on Windows 11 Pro
On-device encryption
N/A
Log-in security
    • Biometrics (Windows Hello PIN, TouchID, Face, Iris, Fingerprint)
Security updates
Allow security updates and latest features
Update channels
Allow stable updates only
User Access Control
Always notify
Smart App Control
Off
Network firewall
Enabled
About WiFi router
We have a tri-band router at home. One 5 GHz channel for me and one 5 GHz for my wife. All IoT devices and smartphones are on the Guest network of 2.4 GHz (the 2.4 GHz band itself is not used) with a short lease time (12 hours). It is a setup idea I copied from a member on MT. It actually works very well for us. In all rooms of our apartment we achieve maximum ISP contract WiFi speeds (up/down) with this 'each has its own channel' setup. This setup also has some security benefits (the 2.4 GHz network is partitioned and the 5 GHz networks have MAC-IP binding). Our router is supposed to have stateful packet inspection on top of the NAT firewall and checks for clients using outdated, vulnerable protocols (and blocks them).
Real-time security
  1. Running Standard User with deny elevation for unsigned
  2. Microsoft Defender in cloud "Zero Tolerance" (whitelist) mode
  3. WDAC-ISG (local tighter whitelist mode for user folders as fallback)
  4. Software Restriction Policy default deny in user folders for Standard User
  5. DocumentsAntiExploit + FirewallHardening + Network hardening + Service hardening
Firewall security
Microsoft Defender Firewall
About custom security
  1. Enabled Code Integrity Guard for Office 2019 and often exploited Windows processes running as standard user
  2. Enabled all attack surface reduction rules of Microsoft Defender (using PowerShell)
  3. Enabled Protected folders and advanced ransomware protection
Periodic malware scanners
Microsoft Malware Removal Tool (runs automatically on monthly patch Tuesday)
Malware sample testing
I do not participate in malware testing
Environment for malware testing
None, do not participate
Browser(s) and extensions
  1. Chrome 'trusted sites' profile with hardened permissions with TrafficLight, DarkReader and AdGuard with custom filters only
  2. Chrome 'web surfing' profile with most site permissions blocked with TrafficLight, DarkReader and AdGuard with custom filters only
  3. Edge as PDF reader with nearly all site permissions blocked and all security features in strict (and all Microsoft bloat disabled)
Secure DNS
  1. Windows DNS settings
    NextDNS free 1st account with all security features enabled, including parental control with only a few Top Level Domains allowed (like @TairikuOkami)
  2. Chrome - DNS over HTTPS setting
    NextDNS free 2nd account with security enabled and AdGuard DNS plus OISD.NL blocklists enabled, no logs

Desktop VPN
Free Windscribe (using only when on holiday for banking)
Password manager
None
File and Photo backup
Syncback Free to external USB HD, and we are using an extra Gmail account to send important documents to (e.g. insurance, mortgage, testament, work contracts etc.)
Active subscriptions
    • None
System recovery
EaseUS free
Risk factors
    • Browsing to popular websites
    • Working from home
    • Making audio/video calls
    • Opening email attachments
    • Buying from online stores, entering banks card details
    • Logging into my bank account
    • Streaming audio/video content from trusted sites or paid subscriptions
Computer specs
Laptop with Ryzen 7 5700U, 16 GB RAM and 1 TB M.2 SSD with Windows 11 Pro
Notable changes
  1. Dropped third-party security, back to WHHL and Defender on MAX.
  2. Running standard user again and blocking LolBins
  3. Set default deny SRP on user folders
  4. Copied Andy's setup using Windows Pro features
What I'm looking for?

Looking for maximum feedback.

LennyFox

Level 7
Thread author
Jan 18, 2024
308
Could not resist the idea of having two execution whitelists (WDAC-ISG and Spyshelter 15), so combined it with Bitdefender free. WDAC-ISG (like SAC) is designed to run with any antivirus solution and the Spyshelter website also states that "Our unique technology doesn't conflict with any antivirus. SpyShelter sits on top of your antivirus". WHHL has the advantage that it also enables Software Restriction Policies allowing executables, but blocking risky file extensions containing scripts and command lines.

EDIT: Dropped Bitdefender and Spyshelter, back to all Microsoft & Andy Ful setup :cool:
 

LennyFox

Everything is good except 3 things:
  • Your computer doesn't meet the requirement to use Bitdefender (I9 14900KS or R9 7950X3D)
  • Use vpn for banking might get flagged for fraud.
  • Password manager.
1. Bitdefender does not feel heavier than Avast or Microsoft Defender, but your comment makes sense, a Free AV needs an expensive CPU to balance the spend a little :)
2. I use a VPN server in the same town where I live (when abroad), never ran into a problem yet (but it is a valid remark, which I had not realized, thanks (y) ).
3. I am always using pass phrases which I associate with the website or service I am using, easy to remember for me, hard to guess for others.
E.g. I associate your nickname white mouse with a pink elephant, so when you would have a website with security related info I would use a passphrase like "@11 the Pink Elephants are dancing" (when the cat is away from home, it is secure for a white mouse to dance). The joys of a twisted mind I guess ;)
 

RoboMan

Level 35
Verified
Top Poster
Content Creator
Well-known
Jun 24, 2016
2,400
E.g. I associate your nickname white mouse with a pink elephant, so when you would have a website with security related info I would use a passphrase like "@11 the Pink Elephants are dancing" (when the cat is away from home, it is secure for a white mouse to dance). The joys of a twisted mind I guess ;)
GG I just cracked your MalwareTips password, it was imissboramurdar, consider changing it.

Great security btw!
 

LennyFox

I don't know whether this option remains after the PRO trial has expired, but when you set Spyshelter to paranoid, it shows a popup when (non-Microsoft signed) applications start.

When the application control popup appears, users have the option to block, allow once, trust program or trust publisher. I got 5 popups in total (I have a fairly vanilla dominantly Microsoft Software setup, so maybe not representative for other users). Now Spyshelter is running in paranoid mode.
 

LennyFox

@WhiteMouse , @Jonny Quest and @Dave Russo

When I tried VPN at home, I had a similar experience with my bank. When doing a purchase on a website, normally I only have to scan the QR code (generated for the purchase) with my phone and the mobile phone banking app asks me to enter my PIN code and then I am finished (single authentication challenge). When using the VPN I also had to use the passkey calculator of my bank (when I activate that calculator-like device with my PIN code, I have to enter the unique number on the banking website and it generates a pass key which I have to enter on the website again to verify it is me). So it also seems to ask for a second authentication challenge when using VPN on a different device.
 

Jonny Quest

Level 16
Verified
Top Poster
Well-known
Mar 2, 2023
794
@WhiteMouse , @Jonny Quest and @Dave Russo

When I tried VPN at home, I had a similar experience with my bank. When doing a purchase on a website, normally I only have to scan the QR code with my phone and the mobile phone banking app asks me to enter my pin-code and then I am finished (single challenge). When using the VPN I also had to use the passkey calculator of my bank (when I activate that device with my pincode, I have to enter the number on the banking screen and it generates a pass key which I have to enter on the website). So it seems to ask for a second authentication challenge when using VPN
Yep, and I now no longer use a VPN while banking. I don't know if using OpenVPN in Mullvad and connecting to a server closer to my state helped? Before, with Mullvad using WireGuard, I was getting emails of concern from the bank.

Now, I'm just using F-Secure online banking protection without a VPN and am able to log in without any prompts at all.
 
Mar 10, 2024
340
Yep, and I now no longer use a VPN while banking. I don't know if using OpenVpn in Mullvad and connecting to a closer server to my state helped? Before with Mullvad using WireGuard, I was getting emails of concern from the bank.

Now, I'm just using F-Secure online banking protection without a VPN and am able to log in without any prompts at all.
When it comes to banking and using a VPN, one needs to spend a little more money to get a dedicated IP from the vendor, which once established with the bank will no longer be an issue.
 

Jonny Quest

When it comes to banking and using a VPN, one needs to spend a little more money to get a dedicated IP from the Vender which once established with the bank will no longer be an issue.
Do you think it helps though, that I do all of my online banking from my home network which even though it's behind a cheaper Linksys router (I may need to reconsider that one, link below) that is up-to-date with the firmware, is password-protected and I go over my settings every now and then? 9 times out of 10 when I bank, it's from the desktop PC that is connected directly by Ethernet to the router, and I only have 1 tab open in Chrome while banking.

My bank has mentioned using their phone banking app which has so many "wonderful features", but so far I refuse to install that on my phone, I just don't have any real peace of mind about that one.

 
Mar 10, 2024
340
Do you think it helps though, that I do all of my online banking from my home network which even though it's behind a cheaper Linksys router (I may need to reconsider that one, link below) that is up-to-date with the firmware, is password-protected and I go over my settings every now and then? 9 times out of 10, when I bank it's from the desktop PC that is connected directly by Ethernet to the router, and I only have 1 tab open in Chrome while banking.

My bank has mentioned using their phone banking app which has so many "wonderful features", but so far I refuse to install that on my phone, I just don't have any real peace of mind about that one.

Personally as you just mentioned, banking online is a risk anytime. I prefer to do this in person as much as possible. All banking institutions I have seen already use a secure connection as far as encryption goes, so I would not deem it necessary. I merely pointed out that if one intended upon using a VPN full time and needed access to their banking without issue a dedicated IP is the best method.
 

LennyFox

Decided to go back to running standard user after watching @cruelsister's video on MBAM & UAC and @Andy Ful's videos on antivirus challenges.

I returned to running standard user again because CS showed how trivial it is to bypass UAC and Andy showed how easy it is to disable Defender protection with elevated privileges. I also reduced the SRP application level from all users to 'all except admin' and added block rules for the LoLBins mentioned in the GitHub project. The reason for doing so is that all CS exploits in the MBAM video would be blocked by the SRP-SWH part of WHHL, except for one: the modified executable using NETSH to bypass MBAM. WDAC-ISG would have probably blocked this executable if it were not signed by a trusted software developer/publisher. But the 'probably' settled in my mind and I started to doubt my decision to run as admin again.

Running standard user enforces a hard border between standard user and admin (as opposed to UAC only providing a soft border). Additionally I am blocking LoLBins (like Netsh) system wide when started by the standard user. I kept Andy's set of SRP rules to block risky file extensions from running in user folders, block executables running in archives and prevent misuse of LNK and UAC holes. Although I can execute and install programs, my setup is actually whitelist based. System-wide, Microsoft Defender only allows programs to run which are whitelisted in the cloud, and the user folders are additionally protected with WDAC-ISG's small (hence more aggressive) local whitelist (in case the internet connection fails).

I have run this standard user with hardened SWH-SRP and MD on MAX as long as I have had this laptop without problems, so I am not expecting any problems with this enhanced setup (with WDAC-ISG added). This probably also means that I will have less to post, because there is no need to change something when it is working perfectly.
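Added example, not from the thread or from Hard_Configurator/WHHL: a read-only PowerShell audit of the posture described above (non-elevated session, UAC on Always notify, SRP default deny scoped to all users except administrators, ASR rules in Block mode, Controlled Folder Access, Defender cloud block level). It reads Microsoft's documented SRP and UAC registry values and Get-MpPreference; the function names are my own and nothing is changed.

```powershell
# Added example (not from the thread): read-only audit of the "standard user +
# SRP default deny + Defender on MAX" posture. Run once elevated, once as the
# standard user; it never modifies anything.

function Test-IsElevated {
    # True when the current token holds the Administrators role (i.e. the
    # session is on the admin side of the "hard border").
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-UacPosture {
    $p = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $v = Get-ItemProperty -Path $p
    # ConsentPromptBehaviorAdmin 2 + PromptOnSecureDesktop 1 == "Always notify"
    [pscustomobject]@{
        EnableLUA    = $v.EnableLUA
        AlwaysNotify = ($v.ConsentPromptBehaviorAdmin -eq 2 -and $v.PromptOnSecureDesktop -eq 1)
    }
}

function Get-SrpPosture {
    $p = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    if (-not (Test-Path $p)) { return [pscustomobject]@{ Configured = $false } }
    $v = Get-ItemProperty -Path $p
    $levels = @{ 0 = 'Disallowed (default deny)'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }
    [pscustomobject]@{
        Configured      = $true
        DefaultLevel    = $levels[[int]$v.DefaultLevel]
        # PolicyScope 1 = all users except local administrators ("all except admin")
        ExceptAdmins    = ($v.PolicyScope -eq 1)
        # TransparentEnabled 2 = enforce for DLLs as well as executables
        EnforceDlls     = ($v.TransparentEnabled -eq 2)
        # Extensions SRP treats as executable (the "risky file extensions" list)
        ExecutableTypes = ($v.ExecutableTypes -join ',')
    }
}

function Get-DefenderPosture {
    $mp = Get-MpPreference
    # ASR action codes: 0 Disabled, 1 Block, 2 Audit, 6 Warn
    $rules = for ($i = 0; $i -lt $mp.AttackSurfaceReductionRules_Ids.Count; $i++) {
        [pscustomobject]@{ Id     = $mp.AttackSurfaceReductionRules_Ids[$i]
                           Action = $mp.AttackSurfaceReductionRules_Actions[$i] }
    }
    [pscustomobject]@{
        AsrRulesTotal          = @($rules).Count
        AsrRulesNotBlocking    = @($rules | Where-Object Action -ne 1).Id   # should be empty
        ControlledFolderAccess = $mp.EnableControlledFolderAccess          # 1 = on, 2 = audit
        CloudBlockLevel        = $mp.CloudBlockLevel                       # 6 = Zero tolerance
    }
}

"Elevated session: $(Test-IsElevated)"
Get-UacPosture; Get-SrpPosture; Get-DefenderPosture
```

Any ASR rule listed under AsrRulesNotBlocking, or a DefaultLevel other than Disallowed, is a gap between the described setup and what the machine actually enforces.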
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,145
WDAC-ISG would have probably blocked this executable when it would not be signed by trusted software developer/publisher. But the 'probably' settled in my mind and started to doubt my decision to run admin again.

Yes. It would be blocked. The ISG without SmartScreen backend takes into account the file prevalence. Non-prevalent files are blocked, except for files specially whitelisted by Microsoft. The attack could be blocked even when the file has got reputable certificate.
The attack would be also blocked by H_C in Recommended Settings.(y)
 

LennyFox

Yes. It would be blocked. The ISG without SmartScreen backend takes into account the file prevalence. Non-prevalent files are blocked, except for files specially whitelisted by Microsoft. The attack could be blocked even when the file has got reputable certificate.
The attack would be also blocked by H_C in Recommended Settings.(y)
Thanks. My setup is inspired by your "super strong two user account WHHL setup" ;)(y)
 
Mar 10, 2024
340
Decided to go back to running standard user after watching @cruelsister's video on MBAM & UAC and @Andy Ful's videos on antivirus challenges.

I returned to running standard user again because CS showed how trivial it is to bypass UAC and Andy showed how easy it is to disable Defender protection with elevated privileges. I also reduced the SRP application level from all users to 'all except admin' and added block rules for the LoLBins mentioned in the GitHub project. The reason for doing so is that all CS exploits in the MBAM video would be blocked by the SRP-SWH part of WHHL, except for one: the modified executable using NETSH to bypass MBAM. WDAC-ISG would have probably blocked this executable if it were not signed by a trusted software developer/publisher. But the 'probably' settled in my mind and I started to doubt my decision to run as admin again.

Running standard user enforces a hard border between standard user and admin (as opposed to UAC only providing a soft border). Additionally I am blocking LoLBins (like Netsh) system wide when started by the standard user. I kept Andy's set of SRP rules to block risky file extensions from running in user folders, block executables running in archives and prevent misuse of LNK and UAC holes. Although I can execute and install programs, my setup is actually whitelist based. System-wide, Microsoft Defender only allows programs to run which are whitelisted in the cloud, and the user folders are additionally protected with WDAC-ISG's small (hence more aggressive) local whitelist (in case the internet connection fails).

I have run this standard user with hardened SWH-SRP and MD on MAX as long as I have had this laptop without problems, so I am not expecting any problems with this enhanced setup (with WDAC-ISG added). This probably also means that I will have less to post, because there is no need to change something when it is working perfectly.
That's awesome, now you can place it on the shooting range to test its ability to sustain. lol j/k, but seriously, running Windows as it was designed will carry you far. The admin/standard accounts were placed in the OS for a reason. Just that act alone will help harden your system, something many are failing to understand for home users/families.
 

LennyFox

That's awesome, now you can place it on the shooting range to test its ability to sustain. lol j/k, but seriously, running Windows as it was designed will carry you far. The admin/standard accounts were placed in the OS for a reason. Just that act alone will help harden your system, something many are failing to understand for home users/families.
Running double whitelist (cloud of Defender, local of WDAC-ISG) as a standard user could be considered both layered protection as well as good security habits ;)
 
Mar 10, 2024
340
Running double whitelist (cloud of Defender, local of WDAC-ISG) as a standard user could also be considered both layered protection as well as good security habits ;)
Sure, if you have the knowledge and capabilities to do so properly and not misconfigure it.

Although keep in mind whitelisting is allowing, which certainly requires those habits to verify.
 

LennyFox

Sure, if you have the knowledge and capabilities to do so properly and not misconfigure it.

Although keep in mind whitelisting is allowing, which certainly requires those habits to verify.
Agree, but some habits can be automated and enforced by tools. I have two Chrome profiles with two different DNS settings (with different security measures and limitations), which are sort of similar to using my admin and standard user accounts. The good habit is to use the correct profile for the intended purpose (web surfing versus trusted sites). With technology the user is always part of the solution (with good habits) or part of the problem (ignorance or overconfidence), but no matter how good your driving skills or habits are, you are safer in a 5-star NCAP car than a 2-star NCAP car, and you are safer with a safety belt and airbag than only applying (the good habit of) holding the steering wheel firmly with two hands in the ten-to-two position.
 
