Serious Discussion Build the MOST secure setup with ONLY 3 tools

[RoboMan]

Hello friends! Imagine money isn't an issue (if applicable).

Let’s make this interesting:

You can only use 3 security tools total to protect a Windows system.

Rules:

• No overlapping functions (e.g., 2 AVs, 2 firewalls, etc.)
• Must cover real-world threats (malware, phishing, exploits, etc.)
• Usability matters (this is for daily use, not a lab setup)
• An extension counts as a tool in this scenario

What’s your 3-tool setup, and why?

----------------------------------

Bonus: now downgrade your setup for a non-technical user (family member). What changes?

 

[Parkinsond]

1- uBOL
2- ControlD DNS (hagezi tif)
3- Avast One

 

[RoboMan]

My take for protecting a technical/medium knowledge user:

• BitDefender Free/Total Security
• uBlock Origin Lite
• CyberLock

As for a novice user:

• Kaspersky Standard (Application Control set as UNTRUSTED for all UNKNOWN FILES, and to NOT TRUST only by existing signature)
• uBlock Origin Lite
• SysHardener

Do you think it's overkill?

 

[LinuxFan58]

HardConfigurator running as SWH with additional sponsor blocks for standard user.
ConfigureDefender in MAX mode
AdGuard extension

Simply using build-in security completely free.

_______________

Downgrade for noob: run as standard user

 

[Parkinsond]

Do you think it's overkill?

It is a complete one; blacklisting + whitelisting + web protection

 

[Parkinsond]

Simply using build-in security completely free.

My favorite strategy; only using Avast One temporarily to evaluate after the facelift.

 

[Divergent]

My take for protecting a technical/medium knowledge user:

• BitDefender Free/Total Security
• uBlock Origin Lite
• CyberLock

As for a novice user:

• Kaspersky Standard (Application Control set as UNTRUSTED for all UNKNOWN FILES, and to NOT TRUST only by existing signature)
• uBlock Origin Lite
• SysHardener

Do you think it's overkill?

Applying a strict Default-Deny policy (setting all unknown files to UNTRUSTED) is fundamentally incompatible with a non-technical user's daily operations.

When a user runs a legitimate software installer, it rarely executes as a single, static binary. Installers frequently extract secondary executables, scripts, and DLLs into %AppData%\Local\Temp or C:\Windows\Temp and attempt to run them. Even if the primary installer is digitally signed, the sub-components it drops might not be. If Kaspersky's Application Control doesn't immediately recognize these ephemeral files via its cloud network (KSN) or a trusted signature, it will terminate the thread. This leaves the software half-installed, registry keys orphaned, and the system potentially corrupted.

A non-technical user (like a family member) does not understand heuristics, signatures, or temporary execution paths. When faced with a blocked installation, they typically resort to one of three behaviors "Click Fatigue, Nuke It, Call IT Support", requiring the ongoing maintenance of a Systems Administrator.

In enterprise environments, Application Control works because IT departments thoroughly test and whitelist software before pushing it to endpoints. In a home environment, expecting a novice to manually manage trust groups, verify digital signatures, or whitelist temporary directories is a fundamental misunderstanding of the user's capabilities.

 

[Acadia]

Sandboxie, any of the top rated anti-virus, Macrium Reflect or Terabyte Image for Windows (to take you back in time in case something slips through).
Acadia

 

[oldschool]

For the average non-technical user.

• Malwarebytes Anti-exploit Beta
• MS Defender: High Cloud Block Level
• µBOL

Chrome Enhanced Safe Browsing enabled.
DOH provider: NextDNS

Update: I originally forgot ad blocker.

 

[Digmor Crusher]

imo the best tools for protection are Cyberlock, Appguard and Hard Configurator. Use a top rated AV such as Bitdefender, Kaspersky or Eset with one of these tools and an adblocker and your good to go.

For simplicity just use Configure Defender, SWH and Firewall Hardening with UBO.

 

[LinuxFan58]

Applying a strict Default-Deny policy (setting all unknown files to UNTRUSTED) is fundamentally incompatible with a non-technical user's daily operations.

When a user runs a legitimate software installer, it rarely executes as a single, static binary. Installers frequently extract secondary executables, scripts, and DLLs into %AppData%\Local\Temp or C:\Windows\Temp and attempt to run them. Even if the primary installer is digitally signed, the sub-components it drops might not be. If Kaspersky's Application Control doesn't immediately recognize these ephemeral files via its cloud network (KSN) or a trusted signature, it will terminate the thread. This leaves the software half-installed, registry keys orphaned, and the system potentially corrupted.

A non-technical user (like a family member) does not understand heuristics, signatures, or temporary execution paths. When faced with a blocked installation, they typically resort to one of three behaviors "Click Fatigue, Nuke It, Call IT Support",.n8 requiring the ongoing maintenance of a Systems Administrator.

In enterprise environments, Application Control works because IT departments thoroughly test and whitelist software before pushing it to endpoints. In a home environment, expecting a novice to manually manage trust groups, verify digital signatures, or whitelist temporary directories is a fundamental misunderstanding of the user's capabilities.

What about the people who are used to default deny or running standard user with cloud whitelist at work?

Most of the people I know simply use their PC at home with a steady mix of software.

Only people who play with their PC like gamers, teens and PC hobbyist install a lot and won't like classic default deny.

Modern (AI assisted) cloud based whitelisting does not has the useability restrictions you explained (typical for old school default deny setups).

Although your arguments are valid, they are not as black and white anymore with modern cloud based white listing and AI based risk assessments.
(my wife used to restrictions at work and only using her PC as a tool not instrument, has nebver complained running Windows 11 as standard user with SAC and Defender on Zero Tolerance and HardCondigurator blocking scripts and sponsors for standard users in user folders).

 

[RoboMan]

Expecting a novice to manually manage trust groups, verify digital signatures, or whitelist temporary directories is a fundamental misunderstanding of the user's capabilities.

Didn't expect them to. That's why I chose Kaspersky. If something gets blocked it's because it poses a potential risk. I'm praying they have no idea how to unblock it

 

[Sampei.Nihira]

Hello friends! Imagine money isn't an issue (if applicable).

Let’s make this interesting:

You can only use 3 security tools total to protect a Windows system.

Rules:

• No overlapping functions (e.g., 2 AVs, 2 firewalls, etc.)
• Must cover real-world threats (malware, phishing, exploits, etc.)
• Usability matters (this is for daily use, not a lab setup)
• An extension counts as a tool in this scenario

What’s your 3-tool setup, and why?

----------------------------------

Bonus: now downgrade your setup for a non-technical user (family member). What changes?

Of course, I think we need to choose three tools that aren't already included by default in the OS, right?

P.S.

So I wouldn't choose Hard_Configurator because you can (with some effort) do everything it does manually by editing registry keys and firewall rules, but I would choose:

• Router
• Brave (Edge doesn't work well without extensions)
• NextDNS

That's all I need to secure a Windows OS.

 

[Kongo]

I mean...

1. NextDNS -->Phishing and malicious site protection + SecureDNS
2. Deep Instinct --> Pre-execution
3. CyberLock --> On-execution
4. Deep Instinct --> Post-execution

 

[Divergent]

It appears the plot on what an actual, real-world non-technical user looks like has become lost. Spending all day in tech forums, it is easy to forget that the average person views a computer as an appliance, like a toaster. If the toaster suddenly demands a cryptographic verification to make bread, they aren't going to learn cryptography; they are going to throw the toaster out.

At work, there is an IT Helpdesk. If a cloud whitelist blocks a required application in an office, the user submits a ticket, and a sysadmin pushes a policy update. At home, if a whitelist blocks Grandma's new knitting machine software, she is entirely paralyzed. Corporate environments are homogenous and strictly controlled. Home environments are chaotic, with random hardware, obscure local government tax software, and cheap peripherals. Cloud-based AI risk assessment relies heavily on prevalence. If a million people download Google Chrome, the AI trusts it. But what happens when that novice user buys a $30 generic webcam off Amazon and tries to install the driver? The cloud engine will see a file with zero reputation, no established telemetry, and an unknown signature. A strict default-deny setup will nuke it instantly. The "AI" doesn't magically know the file is safe; it just knows it hasn't seen it before.

I'm praying they have no idea how to unblock

This is practicing hostile IT. This is exactly how you create "Shadow IT" in a home environment. If you lock down a family member's PC so hard that they can't even use it, they won't thank you for keeping them secure. They will just go buy a cheap, unmanaged tablet or laptop and do everything on a completely unprotected device just to escape your restrictions.

 

[LinuxFan58]

imo the best tools for protection are Cyberlock, Appguard and Hard Configurator. Use a top rated AV such as Bitdefender, Kaspersky or Eset with one of these tools and an adblocker and your good to go.

For simplicity just use Configure Defender, SWH and Firewall Hardening with UBO.

That is 4 (extensions also count)

I would have added FirewallHardening also, but extensions also counted as one, therefore I opted for HardConfigurator configured like SWH plus sponsor blocking for standard user (to compensate for missing on FirewallHardening blocking sponsors going outbound).

 

[LinuxFan58]

At work, there is an IT Helpdesk. If a cloud whitelist blocks a required application in an office, the user submits a ticket, and a sysadmin pushes a policy update. At home, if a whitelist blocks Grandma's new knitting machine software, she is entirely paralyzed.

Above story is a good read, but my grandma is not that tech savvy that she installs knitting software or installs webcams. To put it simply there are many people just using their PC for common tasks, not installing any new software.

 

[Digmor Crusher]

That is 4 (extensions also count)

I know but I just had to...

 

[n8chavez]

Is it cheating to say DefenderUI, which implies MS Security also?

1. Cyberlock
2. Sandboxie
3. DefenderUI

Also, it's not a security program, but a good and trusted imaging program is absolutely necessary for practicing safe hex.

 

[rashmi]

Hard_Configurator (H_C, CD, and FH): The usability design and recommended setup are also suitable for average users, especially family members with an administrator. For example, installed programs and updates work flawlessly, and "Install By SmartScreen" allows program installations with no issues. For most users (or family members), the H_C suite provides strong security and usability. Set "SmartScreen" (CD) to "Block" and "Hide Run As Administrator" (H_C) to "ON" for family members or kids. No security can protect users who want to install anything and everything!
uBlock Origin Lite
Cloudflare Secure DNS (malware/phishing)