Arderley's Security Configuration 2017

Status
Not open for further replies.

Arderley

New Member
Thread author
Jan 31, 2017
2
Very minimal security configuration that takes up 1% of CPU while idle and less than 50MB of RAM. Layered defense using software and built-in Windows security hardening.

Network Protection Layers
----
Windows Firewall set to block all incoming connections regardless of whitelisting.
Webroot Firewall set to block all unknown connections.
DNSCrypt with OpenDNS

Web Protection Layers
----
Webroot Web Filtering (Blocks 96% of all phishing attempts, very powerful, but lackluster malware detection.)
uBlock Origin Filters (Blocks all malvertising attempts, some malware links.)
Google Safe Browsing (Blocks some malware and phishing attacks, last resort, not very effective.)
OpenDNS phishing and malware protection.

File Protection Layers
----
Webroot SecureAnywhere AntiVirus (Good malware detection, rollback features, usually not intrusive.)
SBGuard AntiRansomware (Blocks all non-administrative executables everywhere except on Desktop and external drives, very powerful and prevents malware from running that Webroot doesn't catch.)
chml.exe (Permissions tool used to set integrity levels. Configured properly, it stops most applications from modifying or reading any files in Documents, Music, Videos, or Pictures. Stops spyware and some Ransomware.)

Endpoint Protection Layers
----
Password-protected local account (locks out after every 5 attempts for 5 minutes.)
BitLocker w/ 256-bit XTS AES encryption.
Prey Anti-Theft
A fake local account named "Admin" that when logged in makes a lot of hilarious alarms. Effective, but also hilarious.

Recovery Protection Layers
----
Windows 10 built-in File History
System Restore
Backups to Sync.com encrypted with Cryptomator

And a variety of Windows tweaks that disable WHS, IPv6, UPnP, DCOM, and other attack surfaces. Unnecessary drivers are disabled, and BitLocker is enabled with 256-bit XTS AES encryption for endpoint protection. Using this configuration I have thrown a ton of malware links at it and it has effectively blocked all of them, and about 99% of phishing links pulled from PhishTank. It has also blocked all ransomware according to RanSim. Although these are synthetic tests, I am quite confident that it holds up very well in a real-world scenario. Most attacks through the browser simply will not work, and any executable that does get through either will not run or will not have enough permissions to modify the system. It is in effect a lightweight Fort Knox.
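The post lists its Windows-side settings as outcomes rather than as commands, so here is an added PowerShell audit (my code, not the thread author's) that checks each of those settings on a Windows 10 machine and prints pass/fail. The expected values come from the post (block all inbound, 5 attempts / 5 minutes, XTS-AES 256, UPnP, DCOM and IPv6 off); the function names, the use of `net accounts` to read the lockout policy, and the `EnableDCOM` registry value as the indicator for DCOM are my choices. "WHS" is not expanded in the post, so the script does not check it.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original post. Read-only audit of the hardening
# claims in the thread; each comment names the command that would apply the setting.

function Test-FirewallInbound {
    # "Block all incoming connections regardless of whitelisting" is the profile's
    # DefaultInboundAction=Block plus AllowInboundRules=False (allow rules ignored).
    # Apply: Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block -AllowInboundRules False
    foreach ($p in Get-NetFirewallProfile) {
        [pscustomobject]@{
            Check  = "Firewall inbound block ($($p.Name))"
            Pass   = ("$($p.Enabled)" -eq 'True') -and ("$($p.DefaultInboundAction)" -eq 'Block') -and ("$($p.AllowInboundRules)" -eq 'False')
            Detail = "Enabled=$($p.Enabled) Default=$($p.DefaultInboundAction) AllowRules=$($p.AllowInboundRules)"
        }
    }
}

function Test-LockoutPolicy {
    # "locks out after every 5 attempts for 5 minutes"; values parsed from `net accounts`.
    # Apply: net accounts /lockoutthreshold:5 /lockoutduration:5 /lockoutwindow:5
    $text      = (net accounts) -join "`n"
    $threshold = [regex]::Match($text, 'Lockout threshold:\s+(\S+)').Groups[1].Value
    $duration  = [regex]::Match($text, 'Lockout duration \(minutes\):\s+(\S+)').Groups[1].Value
    [pscustomobject]@{
        Check  = 'Account lockout 5 attempts / 5 minutes'
        Pass   = ($threshold -eq '5') -and ($duration -eq '5')
        Detail = "threshold=$threshold duration=$duration"
    }
}

function Test-BitLockerXts256 {
    # "BitLocker w/ 256-bit XTS AES encryption" on the OS volume.
    # Apply (before encrypting): Enable-BitLocker -MountPoint $env:SystemDrive -EncryptionMethod XtsAes256 ...
    $v = Get-BitLockerVolume -MountPoint $env:SystemDrive
    [pscustomobject]@{
        Check  = 'BitLocker XTS-AES-256 on system drive'
        Pass   = ("$($v.ProtectionStatus)" -eq 'On') -and ("$($v.EncryptionMethod)" -eq 'XtsAes256')
        Detail = "Protection=$($v.ProtectionStatus) Method=$($v.EncryptionMethod) Status=$($v.VolumeStatus)"
    }
}

function Test-UPnPDisabled {
    # UPnP on Windows is the SSDP Discovery and UPnP Device Host services.
    # Apply: Set-Service SSDPSRV -StartupType Disabled; Set-Service upnphost -StartupType Disabled
    foreach ($name in 'SSDPSRV', 'upnphost') {
        $s = Get-Service -Name $name -ErrorAction SilentlyContinue
        $detail = if ($s) { "StartType=$($s.StartType) Status=$($s.Status)" } else { 'service not present' }
        [pscustomobject]@{
            Check  = "UPnP service disabled ($name)"
            Pass   = ($null -eq $s) -or ("$($s.StartType)" -eq 'Disabled')
            Detail = $detail
        }
    }
}

function Test-DcomDisabled {
    # DCOM is switched off machine-wide via HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = "N".
    # Apply: Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Ole -Name EnableDCOM -Value 'N'
    $val = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole' -Name EnableDCOM -ErrorAction SilentlyContinue).EnableDCOM
    [pscustomobject]@{ Check = 'DCOM disabled'; Pass = ($val -eq 'N'); Detail = "EnableDCOM=$val" }
}

function Test-IPv6Unbound {
    # "disables IPv6": no adapter should still have the ms_tcpip6 binding enabled.
    # Apply: Disable-NetAdapterBinding -Name '*' -ComponentID ms_tcpip6
    $bound  = Get-NetAdapterBinding -ComponentID ms_tcpip6 | Where-Object Enabled
    $detail = if ($bound) { "still bound on: $($bound.Name -join ', ')" } else { 'no adapter bound' }
    [pscustomobject]@{
        Check  = 'IPv6 unbound on all adapters'
        Pass   = -not $bound
        Detail = $detail
    }
}

$results = @(Test-FirewallInbound; Test-LockoutPolicy; Test-BitLockerXts256; Test-UPnPDisabled; Test-DcomDisabled; Test-IPv6Unbound)
$results | Format-Table Check, Pass, Detail -AutoSize
```

Run it from an elevated PowerShell after applying the tweaks, and again after each Windows feature update, since updates can re-enable services and bindings. Two details worth knowing when applying the settings: `net accounts` rejects a lockout observation window longer than the lockout duration, which is why both are set to 5 in the comment, and unbinding IPv6 is something Microsoft advises against on general-purpose machines, so treat that row as a report of the post's choice rather than a requirement.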
 

Cohen

Level 7
Verified
Well-known
May 22, 2016
328
Thanks for sharing your security config! The only thing I would suggest is, as @Exterminator said, ~two on-demand scanners. A backup solution would also be a good choice if you don't already back your important files up to the cloud, an external drive or perhaps even both.
 
  • Like
Reactions: Dirk41 and JM Safe

Ink

Administrator
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
I have found Google Safe Browsing more effective than most other browsers' security. It's used across a wide range of Google services including Android, Gmail and AdWords, protecting a vast number of systems.

Find out more: Safe Browsing – Google Safe Browsing

I don't agree that it should be used as a last resort, it's actually your first line of defense.
 

Arderley

New Member
Thread author
Jan 31, 2017
2
To be honest I have tried Acronis True Image, but it breaks your system more often than not and the recovery features on it are pretty subpar, kind of like System Restore. I don't believe in system recovery much, as if malware infects your system you shouldn't expect it to be the same ever again, kind of like getting a scar. The only reason to have a good backup solution is to save your documents and important files; the OS itself and the applications don't really matter.

On-demand scanners like EEK, Zemana, Malwarebytes, and HitMan.Pro are really good, but they're meant to clean up your infected system, not protect. If I get a malware infection and see suspicious activity, then I would much rather use a Linux OS booted off a thumb drive. In addition, on-demand scanners usually catch things like PUPs and Adware that traditional antivirus didn't find, but adware is blocked at the web level, and PUPs are covered by Webroot already. I'm not saying on-demand scanners are pointless, but they don't do anything unless I'm already infected, and at that point I might as well reinstall my now-broken OS.

I have found Google Safe Browsing more effective than most other browsers' security. It's used across a wide range of Google services including Android, Gmail and AdWords, protecting a vast number of systems.

Find out more: Safe Browsing – Google Safe Browsing

I don't agree that it should be used as a last resort, it's actually your first line of defense.

It's not so much a last resort as that, even though it's enabled, it's the least effective line of defense. Google Safe Browsing doesn't catch much compared to an antivirus's web protection, and an adblocker such as uBlock Origin can catch the remainder. OpenDNS and Google Safe Browsing give diminishing returns, but they're there as a last line of defense because, even though they're not very effective, it's better than not using them at all.
 

sudo -i

Level 4
Verified
Jan 17, 2017
154
Please add ZAM Free and good backup software, for example Macrium Reflect Free or AOMEI Backupper.

Thanks for sharing.
In case you missed the post literally above yours addressing these suggestions already lol.

To be honest I have tried Acronis True Image, but it breaks your system more often than not and the recovery features on it are pretty subpar, kind of like System Restore. I don't believe in system recovery much, as if malware infects your system you shouldn't expect it to be the same ever again, kind of like getting a scar. The only reason to have a good backup solution is to save your documents and important files; the OS itself and the applications don't really matter.

On-demand scanners like EEK, Zemana, Malwarebytes, and HitMan.Pro are really good, but they're meant to clean up your infected system, not protect. If I get a malware infection and see suspicious activity, then I would much rather use a Linux OS booted off a thumb drive. In addition, on-demand scanners usually catch things like PUPs and Adware that traditional antivirus didn't find, but adware is blocked at the web level, and PUPs are covered by Webroot already. I'm not saying on-demand scanners are pointless, but they don't do anything unless I'm already infected, and at that point I might as well reinstall my now-broken OS.

Edit: Seriously though, do you have these responses copied and pasted into a .txt file that you pick from at random? He wrote 2 paragraphs that apparently weren't worth the effort for you to read.
 
  • Like
Reactions: ForgottenSeer 55474

JM Safe

Level 39
Verified
Top Poster
Apr 12, 2015
2,882
In case you missed the post literally above yours addressing these suggestions already lol.



Edit: Seriously though, do you have these responses copied and pasted into a .txt file that you pick from at random? He wrote 2 paragraphs that apparently weren't worth the effort for you to read.
Actually I read his comment, but I wanted to give him my suggestions... :p
 

Handsome Recluse

Level 23
Verified
Top Poster
Well-known
Nov 17, 2016
1,242
@Arderley Using chml (and maybe also with SBGuard) seems to be harder than just using Secure Folders.
Also, do you have problems with updates?
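To make concrete what the chml integrity-level trick does, and why it can get in the way of updates as asked above, here is an added PowerShell example of my own that uses the built-in icacls rather than chml. It labels the four folders from the first post at High integrity with Windows' default NoWriteUp policy, so any Medium-integrity process (normal user apps, including non-elevated updaters, sync clients and the user's own editor) is denied writes beneath them, and it includes a write probe so the effect can be observed from a non-elevated shell. Assumptions: the folder list is the one in the first post; the function names are mine; icacls cannot set the NoReadUp policy, so the "reading" part of the original description needs chml or a similar tool. SBGuard and Secure Folders are not modelled.

```powershell
# Added example, not the thread author's chml configuration. Uses built-in icacls.
# Setting a High label requires running Protect-Folder from an elevated (High-integrity) shell.

$ProtectedFolders = 'Documents', 'Music', 'Videos', 'Pictures' |
    ForEach-Object { Join-Path $env:USERPROFILE $_ }

function Protect-Folder([string]$Path) {
    # (OI)(CI) propagate the label to files and subfolders; H = High mandatory level.
    # The label's default policy is NoWriteUp: lower-integrity callers cannot write.
    icacls $Path /setintegritylevel '(OI)(CI)H' | Out-Null
}

function Unprotect-Folder([string]$Path) {
    # Back to Medium (the default for user data); needed before a Medium-integrity
    # installer or sync client has to modify these folders.
    icacls $Path /setintegritylevel '(OI)(CI)M' | Out-Null
}

function Get-FolderLabel([string]$Path) {
    # icacls prints e.g. "Mandatory Label\High Mandatory Level:(OI)(CI)(NW)".
    $m = icacls $Path | Select-String 'Mandatory Label'
    if ($m) { $m.Line.Trim() } else { 'no explicit label (Medium by default)' }
}

function Get-ShellIntegrity {
    # The caller's own label decides whether NoWriteUp applies to it.
    (whoami /groups | Select-String 'Mandatory Level').Line.Trim()
}

function Test-WriteProbe([string]$Path) {
    # $true if this process can create a file in $Path, $false if the write is denied.
    $probe = Join-Path $Path ".write-probe-$PID.tmp"
    try {
        New-Item -ItemType File -Path $probe -ErrorAction Stop | Out-Null
        Remove-Item $probe -Force
        $true
    } catch {
        $false
    }
}

# Report: which label each folder carries and whether this shell may write into it.
"Running as: $(Get-ShellIntegrity)"
foreach ($f in $ProtectedFolders) {
    if (Test-Path $f) {
        "{0}`n  label: {1}`n  can write: {2}" -f $f, (Get-FolderLabel $f), (Test-WriteProbe $f)
    }
}
```

Usage: from an elevated shell, dot-source the script and call `Protect-Folder` on each entry of `$ProtectedFolders`; then run the script from a normal (non-elevated, Medium-integrity) window and the report shows `can write: False` for every labelled folder, while the elevated window still reports `True`. That asymmetry is the answer to the updates question: anything that needs to write user data from Medium integrity, including application updaters and cloud-sync clients that were not started elevated, will fail until the folder is relabelled with `Unprotect-Folder`. It is also the limit of the control: a process that has already gained High integrity is not restricted by the label at all.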
 

Winizsol

Level 2
Verified
Jan 19, 2017
70
Hey @Arderley!
Good config, but I would recommend HTTPS Everywhere and at least one on-demand scanner, like Malwarebytes or Emsisoft Emergency Kit. Thanks for sharing your config!
 