Basic Security Amahl Farouk's PC Security Config 2021

Last updated
Jan 1, 2021
How it's used?
For home and private use
Operating system
Windows 10
On-device encryption
Log-in security
Security updates
Allow security updates and latest features
User Access Control
Always notify
Smart App Control
Real-time security
Microsoft Defender Antivirus
Firewall security
Microsoft Defender Firewall
About custom security
RTP settings:
  • Block credential stealing from the Windows local security authority subsystem (lsass.exe)
  • Block executable files from running unless they meet a prevalence, age, or trusted list criteria
  • Microsoft Defender Antivirus runs in a sandbox (AppContainer)
System settings:
  • Data Execution Prevention (DEP) configured to "AlwaysOn"
  • Everything is encrypted with BitLocker (via TPM) + XTS-AES 128 bit for everything
  • Windows Explorer:
    • Hidden files and folders - Show hidden files: activated
    • Hide extensions for known file types: deactivated
  • Windows features (removed):
    • Internet Explorer 11
    • Internet Printing Service (under Print and Document Services)
    • Math recognition
    • Microsoft Remote Help
    • Windows Fax and Scan
    • Windows Hello Face Recognition
    • Windows PowerShell Integrated Scripting Environment
    • Working folder client
  • Disable NetBIOS over TCP/IP
Group Policy settings:
  • Measured Boot enabled and UEFI locked with password
  • Attack Surface Reduction rules - all enabled
  • Virtualization Based Security
    • Secure Boot (cannot figure out how to enable Kernel DMA protection)
    • Enabled with UEFI lock
  • Do not display network selection UI
  • Do not display the password reveal button
  • Enumerate administrator accounts on elevation (disabled)
  • Require trusted path for credential entry
  • Prevent the use of security questions for local accounts
  • Disable or enable software Secure Attention Sequence
  • Sign-in last interactive user automatically after a system-initiated restart
  • Interactive logon: Do not require CTRL+ALT+DEL
  • Boot-Start Driver Initialization Policy: Good and unknown
  • User Account Control: Admin Approval Mode for the Built-in Administrator account
  • User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode: Prompt for credentials on the secure desktop
  • User Account Control: Behavior of the elevation prompt for standard users: Prompt for credentials on the secure desktop
  • User Account Control: Detect application installations and prompt for elevation
  • User Account Control: Only elevate UIAccess applications that are installed in secure locations
  • User Account Control: Run all administrators in Admin Approval Mode
  • User Account Control: Switch to the secure desktop when prompting for elevation
  • User Account Control: Virtualize file and registry write failures to per-user locations
  • User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop (disabled)
  • Turn off Data Execution Prevention for Explorer (disabled)
  • Enabled Structured Exception Handling Overwrite Protection (SEHOP)
  • Accounts: Administrator account status (disabled)
  • Apply UAC restrictions to local accounts on network logons
  • Network access: Allow anonymous SID/Name translation (disabled)
  • Network access: Do not allow anonymous enumeration of SAM accounts
  • Network access: Do not allow anonymous enumeration of SAM accounts and shares
  • Network security: Allow Local System to use computer identity for NTLM
  • Join Microsoft MAPS: Advanced MAPS
  • Send file samples when further analysis is required: Send safe samples
  • Specify the extended cloud check time in seconds: 50
  • Select cloud blocking level: Zero-tolerance
  • Scan all downloaded files and attachments
  • Turn on behavior monitoring
  • Turn on process scanning whenever real-time protection is enabled
  • Check for the latest virus and spyware definitions before running a scheduled scan
  • Scan archive files
  • Scan packed executables
  • Scan removable drives
  • Turn on e-mail scanning
  • Turn on heuristics
  • Disallow Autoplay for non-volume devices
  • Turn off Autoplay
  • Default AutoRun Behavior: Do not execute any autorun commands
  • Prevent installation of devices that match any of these Device IDs: PCI\CC_0C0010, PCI\CC_0C0A
  • Prevent installation of devices using drivers for these device setup classes: {d48179be-ec20-11d1-b6b8-00c04fa372a7}
  • Windows Defender SmartScreen: Warn
  • Allow user control over installs (disabled)
  • Always install with elevated privileges (disabled)
  • Block all consumer Microsoft account user authentication
  • Prevent the usage of OneDrive for file storage
  • Accounts: Block Microsoft accounts (Users can’t add or log on with Microsoft accounts)
  • Turn off hybrid sleep (on battery)
  • Turn off hybrid sleep (plugged in)
  • Prevent access to registry editing tools
  • Configure Offer Remote Assistance (disabled)
  • Configure Solicited Remote Assistance (disabled)
  • Allow users to connect remotely by using Remote Desktop Services (disabled)
  • Allow log on through Remote Desktop Services (blank)
  • Turn off Inventory Collector
  • Turn off Steps Recorder
  • Allow Telemetry: 1. Required
  • System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
  • Turn off location scripting

+ quite a few other system tweaks, plus Edge tweaks (via downloaded GPOs).
Periodic malware scanners
Microsoft Defender Antivirus
Malwarebytes Antivirus
Malware sample testing
I do not participate in malware testing
Browser(s) and extensions
Microsoft Edge
Secure DNS
AdGuard Home running in a FreeBSD jail on a home server, with an upstream ISP DNS (outside a 14 Eyes country) and the default list + "EU US most prevalent ads & trackers", "DandelionSprout/adfilt", "Unified hosts + fakenews + gambling + porn", "Peter Lowe's List", "The Big List of Hacked Malware Web Sites"
Desktop VPN
None.
Password manager
Bitwarden
Maintenance tools
Autoruns
Process Explorer
Windows Disk Clean-up / Storage Sense
File and Photo backup
Nextcloud client sync to LAN NAS server + ZFS snapshots for quick rollbacks with offsite encrypted overnight replication.
System recovery
Disabled. I don't mind a clean refresh once in a while.
Risk factors
    • Browsing to popular websites
    • Opening email attachments
    • Buying from online stores, entering banks card details
    • Logging into my bank account
    • Working from home
    • Streaming audio/video content from trusted sites or paid subscriptions
    • Streaming audio/video content from shady sites
    • Coding and development
Computer specs
Dell XPS 15 9570
Intel i7-8750H
NVIDIA GTX 1050Ti
DDR4 16 GB
Toshiba 512GB NVMe
Notable changes
1.0
  • Initial version
1.1
  • Added Malwarebytes Antivirus as second opinion scanner
What I'm looking for?

Looking for maximum feedback.
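The list above is expressed as policy names; the following is an added PowerShell example (not the thread author's script) that applies the Defender and system hardening it names from an elevated prompt on Windows 10. The Defender side uses Set-MpPreference; the VBS, LSA, SEHOP and NetBIOS settings use the registry keys Microsoft documents as the non-Group-Policy way of setting them (a GPO writes to the Policies hive instead, so a machine managed by GPO should keep using the GPO). Only the two ASR rule GUIDs for the rules the config actually names are included; "all rules enabled" means extending both arrays with the remaining GUIDs in the same positions. RequirePlatformSecurityFeatures = 3 (Secure Boot + DMA protection) matches the later post saying UEFI lock + DMA protection was forced; use 1 for Secure Boot only.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post: applies a subset of the
# hardening listed in the config. Run from an elevated PowerShell; reboot after.

# --- Microsoft Defender: RTP / cloud settings named in the list ---------------
# ASR rule GUIDs for the two rules the config names. Extend both arrays
# (same index for id and action) to enable the remaining rules.
$asrRules = @(
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2',  # Block credential stealing from LSASS
    '01443614-cd74-433a-b99e-2ecdc07bfc25'   # Block executables unless prevalence/age/trusted list
)
$asrActions = @('Enabled', 'Enabled')

Set-MpPreference -AttackSurfaceReductionRules_Ids $asrRules `
                 -AttackSurfaceReductionRules_Actions $asrActions
Set-MpPreference -MAPSReporting Advanced                 # Join Microsoft MAPS: Advanced MAPS
Set-MpPreference -SubmitSamplesConsent SendSafeSamples   # Send safe samples
Set-MpPreference -CloudBlockLevel ZeroTolerance          # Select cloud blocking level
Set-MpPreference -CloudExtendedTimeout 50                # Extended cloud check time (seconds)
Set-MpPreference -DisableBehaviorMonitoring $false       # Turn on behavior monitoring
Set-MpPreference -DisableIOAVProtection $false           # Scan all downloaded files and attachments
Set-MpPreference -DisableArchiveScanning $false          # Scan archive files
Set-MpPreference -DisableRemovableDriveScanning $false   # Scan removable drives
Set-MpPreference -DisableEmailScanning $false            # Turn on e-mail scanning

# Defender AV engine in an AppContainer sandbox (machine-wide env var; the
# MsMpEng service picks it up after restart/reboot).
[Environment]::SetEnvironmentVariable('MP_FORCE_USE_SANDBOX', '1', 'Machine')

# --- System settings via their documented registry keys -----------------------
function Set-PolicyValue {
    param([string]$Path, [string]$Name, [object]$Value, [string]$Type = 'DWord')
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# LSA as a protected process (RunAsPPL); complements the LSASS ASR rule above
Set-PolicyValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'RunAsPPL' 1

# SEHOP: 0 = exception chain validation enabled
Set-PolicyValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel' `
                'DisableExceptionChainValidation' 0

# Virtualization Based Security + HVCI, with UEFI lock.
# RequirePlatformSecurityFeatures: 1 = Secure Boot, 3 = Secure Boot + DMA protection
$dg = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
Set-PolicyValue $dg 'EnableVirtualizationBasedSecurity' 1
Set-PolicyValue $dg 'RequirePlatformSecurityFeatures' 3
Set-PolicyValue $dg 'Locked' 1
Set-PolicyValue "$dg\Scenarios\HypervisorEnforcedCodeIntegrity" 'Enabled' 1
Set-PolicyValue "$dg\Scenarios\HypervisorEnforcedCodeIntegrity" 'Locked' 1

# Disable NetBIOS over TCP/IP on every interface (NetbiosOptions: 2 = disabled)
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces' |
    ForEach-Object { Set-ItemProperty -Path $_.PSPath -Name 'NetbiosOptions' -Value 2 }

# DEP "AlwaysOn" is a boot entry setting; bcdedit is the only interface for it
bcdedit /set '{current}' nx AlwaysOn

# Read back the Defender side to confirm the values took
Get-MpPreference | Select-Object CloudBlockLevel, CloudExtendedTimeout, MAPSReporting,
    SubmitSamplesConsent, AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions
```

Set-MpPreference replaces the ASR rule set with the arrays given, so keep the full list in one place; Add-MpPreference is the cmdlet for appending a single rule later. The registry-backed settings (RunAsPPL, SEHOP, VBS, NetBIOS, DEP) only take effect after a reboot, and once Locked = 1 is in place the VBS settings can no longer be undone from the OS, which is the intent of the "UEFI lock" in the list.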

Amahl Farouk

Level 1
Thread author
Jan 11, 2021
34
Hi, all - thanks for the help so far. Your configurations have been very useful in tweaking my system as well. :emoji_beer:

I am curious about the hardware virtualization part, if you have any particular tips. For example, I cannot figure out how to make Kernel DMA work. The System Config says DMA is enabled but Kernel DMA is not. Wondering if other users have a similar setup/laptop; might be a hardware compatibility issue? :unsure:

Anyways, looking forward to any ideas and feedback.

Amahl Farouk

Level 1
Thread author
Jan 11, 2021
34
Your setup is like mine. Looks like you copied my post style too ;)

Kernel DMA can't be activated if Thunderbolt is missing.
Virtualization Based Security can't be used on Windows Pro even if it's configurable. See e.g. clarify enterprise sku · Issue #8935 · MicrosoftDocs/windows-itpro-docs (github.com)

I also have a question because of your avatar:
Are you CHEF-KOCH ?

Yeah, I took a lot of inspiration from your post and tweaks; hope you don't mind. :emoji_beer:
I disabled Thunderbolt in BIOS, so that should cover that attack vector.

No, I'm not Chef-Koch. Just enjoyed Legion :geek:
ForgottenSeer 85179

Yeah, I took a lot of inspiration from your post and tweaks; hope you don't mind. :emoji_beer:
Sure! I like it if someone likes my stuff (y)

I disabled Thunderbolt in BIOS, so that should cover that attack vector.
You can activate the protection anyway if you want, so if someone resets your BIOS you still enjoy the protection :)
A BIOS password should be configured too.

No, I'm not Chef-Koch. Just enjoyed Legion :geek:
All right! Sorry for asking :D

Amahl Farouk

Level 1
Thread author
Jan 11, 2021
34
Sure! I like it if someone likes my stuff (y)


You can activate the protection anyway if you want, so if someone resets your BIOS you still enjoy the protection :)
A BIOS password should be configured too.


All right! Sorry for asking :D
Yeah, I added a strong UEFI admin password and also enabled the group policy to force UEFI lock + DMA protection. It works with no issues, despite DMA not being enabled.

Also, I'm sure it's common knowledge around these parts, but here's a baseline I've used as a guide for most of the manual config done on this PC.

I did check out the tools that @Andy Ful provided (y), but I like to keep my tweaks manual so I remember/understand what each one does before I change it. :giggle:
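The "DMA enabled but Kernel DMA not" state discussed in this thread can be read back without clicking through msinfo32. The following is an added PowerShell example (not from any post in the thread) that queries the same WMI class msinfo32 reads for the VBS lines and then pulls the Kernel DMA Protection line from an msinfo32 report, since that value is not exposed by Win32_DeviceGuard. The property-number meanings are taken from Microsoft's Win32_DeviceGuard documentation; the exact Off/On wording of the Kernel DMA line in the report is assumed from msinfo32's System Summary and is not something the thread confirms.

```powershell
# Added example (not the thread author's script): audit VBS / DMA state.
# Works from a normal PowerShell prompt; no admin rights needed for the query.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard

# Value meanings per Microsoft's Win32_DeviceGuard documentation
$props = @{
    1 = 'Hypervisor support'
    2 = 'Secure Boot'
    3 = 'DMA protection (IOMMU usable by VBS)'
    4 = 'Secure Memory Overwrite'
    5 = 'NX protections'
    6 = 'SMM mitigations'
    7 = 'Mode Based Execution Control'
    8 = 'APIC virtualization'
}
$vbsState = @{ 0 = 'not enabled'; 1 = 'enabled but not running'; 2 = 'running' }
$services = @{ 1 = 'Credential Guard'; 2 = 'HVCI (memory integrity)' }

function Describe-Codes([uint32[]]$codes, [hashtable]$table) {
    if (-not $codes) { return '(none)' }
    ($codes | ForEach-Object { $table[[int]$_] }) -join ', '
}

"VBS status            : $($vbsState[[int]$dg.VirtualizationBasedSecurityStatus])"
"Services configured   : $(Describe-Codes $dg.SecurityServicesConfigured $services)"
"Services running      : $(Describe-Codes $dg.SecurityServicesRunning $services)"
"Available properties  : $(Describe-Codes $dg.AvailableSecurityProperties $props)"
"Required by policy    : $(Describe-Codes $dg.RequiredSecurityProperties $props)"

# "DMA protection" above is the IOMMU property VBS can use; the separate
# "Kernel DMA Protection" line msinfo32 shows is firmware/platform dependent and
# only appears in the msinfo32 report, so export that and grep the lines of interest.
$report = Join-Path $env:TEMP 'msinfo32-report.txt'
Start-Process -FilePath msinfo32 -ArgumentList "/report `"$report`"" -Wait
Get-Content $report |
    Select-String 'Kernel DMA Protection', 'Virtualization-based security', 'DMA Protection'
Remove-Item $report -ErrorAction SilentlyContinue
```

If "Required by policy" lists DMA protection (code 3) but "Available properties" does not, the policy is asking for an IOMMU the platform is not presenting, which is what the msinfo32 screenshot in this kind of thread usually shows. The BIOS-side Thunderbolt/VT-d settings mentioned above are what change the "Available" list; the Group Policy only changes the "Required" one.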

harlan4096

Super Moderator
Verified
Staff Member
Malware Hunter
Well-known
Apr 28, 2015
8,922
Even having backups to the cloud and/or an external device, I would add a full system image backup... recovering a system with, for example, Macrium Reflect is easy and fast...

And for periodic scanning, I would add something other than WD's own on-demand scans...

Amahl Farouk

Level 1
Thread author
Jan 11, 2021
34
Even having backups to the cloud and/or an external device, I would add a full system image backup... recovering a system with, for example, Macrium Reflect is easy and fast...

And for periodic scanning, I would add something other than WD's own on-demand scans...
Was thinking of adding Malwarebytes as a 2nd-opinion scanner for scheduled scans, but I don't know how well it plays with a hardened WD setup. I used it back in the Windows 7 days, but have been a Linux user for the past 4 years and hadn't used Windows 10 until I switched to it a few weeks ago. :alien:


EDIT: Added Malwarebytes Antivirus Free as a second opinion scanner. Got a minor complaint by WD about Memory access by the Malwarebytes process, but all seems to be running smoothly. (y)
