SECURITY: Basic Amahl Farouk's PC Security Config 2021

Last updated: Jan 1, 2021
About: My primary device
Additional PC users: Not shared with other users
Operating system: Windows 10
OS license: Pro
Login security: Password (Aa-Zz, 0-9, Symbols)
Primary sign-in: Local account
Primary account rights: Limited permissions
Security updates: Automatic - allow all types of updates
Windows UAC: Maximum - always notify
Real-time protection: Microsoft Defender Antivirus
Software firewall: Microsoft Defender Firewall
Custom RTP, Firewall and OS settings
RTP settings:
  • Block credential stealing from the Windows local security authority subsystem (lsass.exe)
  • Block executable files from running unless they meet a prevalence, age, or trusted list criteria
  • Microsoft Defender Antivirus runs in a sandbox (AppContainer)
System settings:
  • Data Execution Prevention (DEP) configured to "AlwaysOn"
  • All volumes encrypted with BitLocker (TPM protector), XTS-AES 128-bit
  • Windows Explorer:
    • Hidden files and folders - Show hidden files: activated
    • Hide extensions for known file types: deactivated
  • Windows features (removed):
    • Internet Explorer 11
    • Internet Printing Service (under Print and Document Services)
    • Math recognition
    • Microsoft Remote Help
    • Windows Fax and Scan
    • Windows Hello Face Recognition
    • Windows PowerShell Integrated Scripting Environment
    • Working folder client
  • Disable NetBIOS over TCP/IP
Group Policy settings:
  • Measured Boot enabled and UEFI locked with password
  • Attack Surface Reduction rules - all enabled
  • Virtualization Based Security
    • Secure Boot (cannot figure out how to enable Kernel DMA protection)
    • Enabled with UEFI lock
  • Do not display network selection UI
  • Do not display the password reveal button
  • Enumerate administrator accounts on elevation (disabled)
  • Require trusted path for credential entry
  • Prevent the use of security questions for local accounts
  • Disable or enable software Secure Attention Sequence
  • Sign-in last interactive user automatically after a system-initiated restart
  • Interactive logon: Do not require CTRL+ALT+DEL
  • Boot-Start Driver Initialization Policy: Good and unknown
  • User Account Control: Admin Approval Mode for the Built-in Administrator account
  • User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode: Prompt for credentials on the secure desktop
  • User Account Control: Behavior of the elevation prompt for standard users: Prompt for credentials on the secure desktop
  • User Account Control: Detect application installations and prompt for elevation
  • User Account Control: Only elevate UIAccess applications that are installed in secure locations
  • User Account Control: Run all administrators in Admin Approval Mode
  • User Account Control: Switch to the secure desktop when prompting for elevation
  • User Account Control: Virtualize file and registry write failures to per-user locations
  • User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop (disabled)
  • Turn off Data Execution Prevention for Explorer (disabled)
  • Enabled Structured Exception Handling Overwrite Protection (SEHOP)
  • Accounts: Administrator account status (disabled)
  • Apply UAC restrictions to local accounts on network logons
  • Network access: Allow anonymous SID/Name translation (disabled)
  • Network access: Do not allow anonymous enumeration of SAM accounts
  • Network access: Do not allow anonymous enumeration of SAM accounts and shares
  • Network security: Allow Local System to use computer identity for NTLM
  • Join Microsoft MAPS: Advanced MAPS
  • Send file samples when further analysis is required: Send safe samples
  • Specify the extended cloud check time in seconds: 50
  • Select cloud blocking level: Zero-tolerance
  • Scan all downloaded files and attachments
  • Turn on behavior monitoring
  • Turn on process scanning whenever real-time protection is enabled
  • Check for the latest virus and spyware definitions before running a scheduled scan
  • Scan archive files
  • Scan packed executables
  • Scan removable drives
  • Turn on e-mail scanning
  • Turn on heuristics
  • Disallow Autoplay for non-volume devices
  • Turn off Autoplay
  • Default AutoRun Behavior: Do not execute any autorun commands
  • Prevent installation of devices that match any of these Device IDs: PCI\CC_0C0010, PCI\CC_0C0A
  • Prevent installation of devices using drivers for these device setup classes: {d48179be-ec20-11d1-b6b8-00c04fa372a7}
  • Windows Defender SmartScreen: Warn
  • Allow user control over installs (disabled)
  • Always install with elevated privileges (disabled)
  • Block all consumer Microsoft account user authentication
  • Prevent the usage of OneDrive for file storage
  • Accounts: Block Microsoft accounts (Users can’t add or log on with Microsoft accounts)
  • Turn off hybrid sleep (on battery)
  • Turn off hybrid sleep (plugged in)
  • Prevent access to registry editing tools
  • Configure Offer Remote Assistance (disabled)
  • Configure Solicited Remote Assistance (disabled)
  • Allow users to connect remotely by using Remote Desktop Services (disabled)
  • Allow log on through Remote Desktop Services (blank)
  • Turn off Inventory Collector
  • Turn off Steps Recorder
  • Allow Telemetry: 1. Required
  • System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
  • Turn off location scripting

Plus quite a few other system tweaks, and Edge settings applied via downloaded GPOs.
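The PowerShell audit script below is an added example, not the original poster's code or a Microsoft tool. It reads back a subset of the settings listed above (the two named ASR rules, the cloud-protection and scan options, BitLocker state, VBS state, DEP, SEHOP, the UAC and LSA policies, and NetBIOS over TCP/IP) and reports pass/fail for each, so the hardening can be re-verified after a Windows feature update or a Group Policy change. Expected values are taken from the list above; the registry paths, WMI classes and ASR rule GUIDs are the documented Windows ones; the `Add-Check` helper and the check labels are my own. Run it from an elevated prompt on Windows 10 Pro.

```powershell
# Added audit script (not the original poster's code). Reads back a subset of the
# settings from the post and prints PASS/FAIL per item. Run elevated.
#Requires -RunAsAdministrator

$results = New-Object System.Collections.Generic.List[object]
function Add-Check([string]$Name, [bool]$Pass, $Actual) {
    $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Actual = "$Actual" })
}

# --- Defender ASR rules named in the post (GUIDs from Microsoft's ASR rule reference) ---
$asr = @{
    'Block credential stealing from lsass.exe'                  = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
    'Block executables not meeting prevalence/age/trusted list' = '01443614-cd74-433a-b99e-2ecdc07bfc25'
}
$mp = Get-MpPreference
$configuredIds = @($mp.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToLower() })
foreach ($rule in $asr.GetEnumerator()) {
    $idx = [array]::IndexOf($configuredIds, $rule.Value)
    # Action: 1 = Block, 2 = Audit, 6 = Warn; rule absent (or 0) = Disabled
    $action = if ($idx -ge 0) { $mp.AttackSurfaceReductionRules_Actions[$idx] } else { 0 }
    Add-Check "ASR: $($rule.Key)" ($action -eq 1) "action=$action"
}

# --- Cloud protection and scan options (post: Advanced MAPS, send safe samples, zero tolerance, 50 s) ---
Add-Check 'MAPS reporting = Advanced (2)'             ($mp.MAPSReporting -eq 2)            $mp.MAPSReporting
Add-Check 'Sample submission = Send safe samples (1)' ($mp.SubmitSamplesConsent -eq 1)     $mp.SubmitSamplesConsent
Add-Check 'Cloud block level = Zero tolerance (6)'    ($mp.CloudBlockLevel -eq 6)          $mp.CloudBlockLevel
Add-Check 'Cloud extended timeout = 50 s'             ($mp.CloudExtendedTimeout -eq 50)    $mp.CloudExtendedTimeout
Add-Check 'Behavior monitoring on'   (-not $mp.DisableBehaviorMonitoring)     $mp.DisableBehaviorMonitoring
Add-Check 'Archive scanning on'      (-not $mp.DisableArchiveScanning)        $mp.DisableArchiveScanning
Add-Check 'Removable drive scan on'  (-not $mp.DisableRemovableDriveScanning) $mp.DisableRemovableDriveScanning
Add-Check 'E-mail scanning on'       (-not $mp.DisableEmailScanning)          $mp.DisableEmailScanning

# --- BitLocker: each volume fully encrypted with XTS-AES 128 and protection on (post) ---
foreach ($vol in Get-BitLockerVolume) {
    $ok = ($vol.VolumeStatus -eq 'FullyEncrypted') -and ($vol.ProtectionStatus -eq 'On') -and
          ($vol.EncryptionMethod -eq 'XtsAes128')
    Add-Check "BitLocker $($vol.MountPoint)" $ok "$($vol.VolumeStatus)/$($vol.EncryptionMethod)/$($vol.ProtectionStatus)"
}

# --- Virtualization Based Security (post: enabled, Secure Boot required) ---
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
# VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
Add-Check 'VBS running (status 2)' ($dg.VirtualizationBasedSecurityStatus -eq 2) $dg.VirtualizationBasedSecurityStatus
# RequiredSecurityProperties: 2 = Secure Boot required, 3 = DMA protection required
Add-Check 'VBS requires Secure Boot' ($dg.RequiredSecurityProperties -contains 2) ($dg.RequiredSecurityProperties -join ',')

# --- DEP (post: AlwaysOn). DataExecutionPrevention_SupportPolicy: 0 AlwaysOff, 1 AlwaysOn, 2 OptIn, 3 OptOut ---
$os = Get-CimInstance Win32_OperatingSystem
Add-Check 'DEP = AlwaysOn' ($os.DataExecutionPrevention_SupportPolicy -eq 1) $os.DataExecutionPrevention_SupportPolicy

# --- Registry-backed policies: expected DWORD values for the SEHOP, UAC and LSA items in the post ---
$sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$regChecks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel'; Name = 'DisableExceptionChainValidation'; Expect = 0; Label = 'SEHOP enabled' }
    @{ Path = $sys; Name = 'EnableLUA';                     Expect = 1; Label = 'UAC: run all administrators in Admin Approval Mode' }
    @{ Path = $sys; Name = 'ConsentPromptBehaviorAdmin';    Expect = 1; Label = 'UAC: admins prompt for credentials on secure desktop' }
    @{ Path = $sys; Name = 'ConsentPromptBehaviorUser';     Expect = 1; Label = 'UAC: standard users prompt for credentials on secure desktop' }
    @{ Path = $sys; Name = 'PromptOnSecureDesktop';         Expect = 1; Label = 'UAC: switch to secure desktop when prompting' }
    @{ Path = $sys; Name = 'FilterAdministratorToken';      Expect = 1; Label = 'UAC: Admin Approval Mode for built-in Administrator' }
    @{ Path = $sys; Name = 'EnableUIADesktopToggle';        Expect = 0; Label = 'UAC: UIAccess prompt without secure desktop disabled' }
    @{ Path = $sys; Name = 'LocalAccountTokenFilterPolicy'; Expect = 0; Label = 'UAC restrictions applied to local accounts on network logons' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'RestrictAnonymousSAM'; Expect = 1; Label = 'No anonymous enumeration of SAM accounts' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'RestrictAnonymous';    Expect = 1; Label = 'No anonymous enumeration of SAM accounts and shares' }
)
foreach ($c in $regChecks) {
    $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    Add-Check $c.Label ($actual -eq $c.Expect) $(if ($null -eq $actual) { 'not set' } else { $actual })
}

# --- NetBIOS over TCP/IP disabled on every IP-enabled adapter (TcpipNetbiosOptions 2 = disabled) ---
$nb = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
Add-Check 'NetBIOS over TCP/IP disabled on all adapters' (@($nb | Where-Object TcpipNetbiosOptions -ne 2).Count -eq 0) ($nb.TcpipNetbiosOptions -join ',')

$results | Format-Table -AutoSize
```

A FAIL row points at a setting that has drifted from the list; a "not set" value for a policy item means the policy is absent and the Windows default applies, which for most of these items is already the expected value, so treat "not set" as something to confirm rather than as a failure.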
Malware research: No - malware samples are not downloaded
Periodic scanners:
  • Microsoft Defender Antivirus
  • Malwarebytes Antivirus
DNS: AdGuard Home running on a FreeBSD jail server with upstream ISP DNS (outside of a 14-eyes country) and the default list plus "EU US most prevalent ads & trackers", "DandelionSprout/adfilt", "Unified hosts + fakenews + gambling + porn", "Peter Lowe's List" and "The Big List of Hacked Malware Web Sites"
VPN: None.
Password manager: Bitwarden
Browsers, Search and Addons: Microsoft Edge
PC maintenance:
  • Autoruns
  • Process Explorer
  • Windows Disk Clean-up / Storage Sense
Personal Files & Photos backup: Nextcloud client sync to a LAN NAS server, with ZFS snapshots for quick rollbacks and offsite encrypted overnight replication.
Personal backup routine: Automatic (scheduled)
Device recovery & backup: Disabled. I don't mind a clean refresh once in a while.
Device backup routine: None
PC activity:
  1. Browsing the Web
  2. Checking emails
  3. Shopping
  4. Financial
  5. Working from home
  6. Photo and video
  7. Streaming content
  8. Programming
Computer specs:
  • Dell XPS 15 9570
  • Intel i7-8750H
  • NVIDIA GTX 1050Ti
  • DDR4 16 GB
  • Toshiba 512GB NVMe
Personal changelog
1.0
  • Initial version
1.1
  • Added Malwarebytes Antivirus as second opinion scanner
Feedback Response

Most critical feedback

Amahl Farouk

Jan 11, 2021
Hi, all - thanks for the help so far. Your configurations have been very useful in tweaking my system as well. :emoji_beer:

I am curious about the hardware virtualization part, if you have any particular tips. For example, I cannot figure out how to make Kernel DMA work. System Information says DMA is enabled but Kernel DMA is not. Wondering if other users have a similar setup/laptop--might be a hardware compatibility issue? :unsure:

Anyways, looking forward to any ideas and feedback.

Amahl Farouk

Jan 11, 2021
Your setup is like mine. Looks like you copied my post style too ;)

Kernel DMA can't be activated if Thunderbolt is missing.
Virtualization Based Security can't be used on Windows Pro even if it's configurable. See e.g. clarify enterprise sku · Issue #8935 · MicrosoftDocs/windows-itpro-docs (github.com)

I also have a question because of your avatar:
Are you CHEF-KOCH ?

Yeah, I took a lot of inspiration from your post and tweaks; hope you don't mind. :emoji_beer:
I disabled Thunderbolt in BIOS, so that should cover that attack vector.

No, I'm not Chef-Koch. Just enjoyed Legion :geek:

SecurityNightmares

Jan 9, 2020
Yeah, I took a lot of inspiration from your post and tweaks; hope you don't mind. :emoji_beer:
Sure! I like it if someone likes my stuff (y)

I disabled Thunderbolt in BIOS, so that should cover that attack vector.
You can activate the protection anyway if you want, so if someone resets your BIOS, you still enjoy the protection :)
A BIOS password should be configured too.

No, I'm not Chef-Koch. Just enjoyed Legion :geek:
All right! Sorry for asking :D

Amahl Farouk

Jan 11, 2021
Sure! I like it if someone likes my stuff (y)


You can activate the protection anyway if you want, so if someone resets your BIOS, you still enjoy the protection :)
A BIOS password should be configured too.


All right! Sorry for asking :D
Yeah, I added a strong UEFI admin password and also enabled the group policy to force UEFI lock + DMA protection. It works with no issues, despite DMA not being enabled.

Also, I'm sure it's common knowledge around these parts, but here's a baseline I've used as a guide for most of the manual config done on this PC.

I did check out the tools that @Andy Ful provided (y), but I like to keep my tweaks manual so I remember/understand what each one does before I change it. :giggle:

Amahl Farouk

Jan 11, 2021
Even having backups to the cloud and/or an external device, I would add a full system image backup... recovering a system with, for example, Macrium Reflect is easy and fast...

And in Periodic scanning, I would add something other than WD's own on-demand scans...
Was thinking of adding Malwarebytes as a 2nd-opinion scanner for scheduled scans but I don't know how well it plays with a hardened WD setup. I've used it back in the Windows 7 days, but have been a Linux user for the past 4 years and haven't used Windows 10 until I switched to it a few weeks ago. :alien:


EDIT: Added Malwarebytes Antivirus Free as a second opinion scanner. Got a minor complaint by WD about Memory access by the Malwarebytes process, but all seems to be running smoothly. (y)