DracusNarcrym's Security Config - Remastered

Status
Not open for further replies.

DracusNarcrym

Level 20
Thread author
Verified
Top Poster
Well-known
Oct 16, 2015
970
DRACUS' GOLDEN RULE
"Make sure you always have at least one clean, full system backup image created using your preferred system backup application, so that you can restore your system to its exact state, as it was when you created that system image."



- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -



COMMENTS:

I am using a custom configuration for COMODO Firewall.

I have made modifications to various Windows 10 objects in order to disable most functionality related to Microsoft's atrocious data mining policy and blocked many hostnames related to Windows 10 data mining functions. (e.g. blocked the Vortex hostnames globally on my machine using COMODO Firewall)
It might not be possible to fully disable Telemetry in non-Enterprise versions of Windows 10, but at least I can try making it more difficult for Microsoft to collect random information about me (statistical usage data or otherwise).

I am not running and will not be running any signature-based antivirus/anti-malware software. In my opinion, it is redundant nowadays and any average users and above who practice safe computing habits have no need for such software.

I have considered setting UAC back to the default level of protection, and while I realize its kernel-level protection capabilities, in the end I found that I had no real need for it, and so I kept it turned off. (same applies to Windows SmartScreen)

I consider Paragon Backup & Recovery Free Edition as one of the best backup applications - if I ever were to choose an alternative, that would be Macrium Reflect Free.

Regarding UAC/SmartScreen: I simply find these security features redundant for my case, given my browsing/computing habits, and I am confident with this decision. (I only use this main PC for gaming, VFX, coding, and browsing known safe sites).
Through my extensive experience of these features since Windows Vista, I can safely say that I personally gain from using them, as much as I lose from not using them: Nothing considerable.

I have a dedicated PC for software testing, downloading, and browsing sites of unknown reputation, and I perform tests in a virtual machine installed on this dedicated PC.
 

Winter Soldier

Level 25
Verified
Top Poster
Well-known
Feb 13, 2017
1,486
Thanks for sharing!

Let's say that I've heard different opinions about UAC.
Some people think that it is a useless feature because it is not able to guarantee safety, as it may be bypassed; this is the typical attitude of the theoretical researcher, who compares pure problems and concepts :)

Although a deep part of me agrees with this kind of attitude, I don't share this point of view: we're talking about technology and applied science (computers and operating systems), not pure science. And how do you see User Account Control, which has seen the security model of Windows operating systems evolve over some years until now? It is a turning point, a fundamental innovation that seeks to change the operating system and the entire ecosystem that relies on the Windows platform towards the realization of a software model that can apply the concept of “least privilege” in the ideal way to protect users.
It is not possible to understand the value of User Account Control if you do not consider the departure point, the arrival point and the system in which it is necessary to move.
This evolutionary path is clear: it aims at the application of the principle of “least privilege”.
Windows has always required too many privileges for more or less administrative activities, with the result that applications and users have preferred the easy way of operating with administrative privileges (even when not strictly necessary) so as to avoid the hardships imposed by attempting to use “least privilege”. The key point is the impact analysis: it would have been too easy to go from X to Y by writing the operating system from scratch; the real challenge is to evolve what you have while creating as little discomfort as possible for the whole of the immense library of applications that have been made over time.
UAC seeks to make it so that users should not need administrative privileges without having a reason, and that anyone who writes applications can do so using credentials with limited privileges, all of this while safeguarding, to the extent possible, all existing applications and limiting application compatibility issues through virtualization of legacy applications. It is clear that on this path of architectural migration you already get concrete security and malware protection benefits: in the face of the security model offered by UAC, even those who write malware have to adopt more sophisticated code. If we add this aspect to the value introduced by the other security features introduced in Windows 10, we get the effective protection offered by the already mentioned principle of "defense in depth": if the result is to have reduced the attack surface and therefore have better protection, we can say that UAC is a useful security feature.

My humble advice: do not disable UAC, use it in the best way with its full potential.
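The post above describes UAC's least-privilege model in the abstract. The PowerShell below is an added example (not code from the thread or from any of its participants) that makes the mechanism visible on a Windows 10 machine: it reads the documented UAC policy values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and then checks whether the current shell is running with a filtered administrator token, which is exactly the "limited privileges until you ask for more" behaviour the post argues for. The function name Get-UacState is my own; the registry value names, the Administrators SID and the whoami output columns are standard Windows.

```powershell
# Added example, not part of the thread: read the UAC policy values that
# implement the least-privilege model described above and show whether the
# current shell holds a full or a filtered (UAC-limited) administrator token.
# Value names are the documented UAC policy values under
# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.

function Get-UacState {
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $policyKey

    # ConsentPromptBehaviorAdmin decides what an administrator sees on elevation.
    # 0 means "elevate without prompting": EnableLUA can still be 1, but the
    # consent step is gone. 2 and 5 prompt on the secure desktop.
    $adminPrompt = switch ([int]$p.ConsentPromptBehaviorAdmin) {
        0 { 'Elevate without prompting' }
        1 { 'Prompt for credentials on the secure desktop' }
        2 { 'Prompt for consent on the secure desktop' }
        3 { 'Prompt for credentials' }
        4 { 'Prompt for consent' }
        5 { 'Prompt for consent for non-Windows binaries (default)' }
        default { "Unknown value $($p.ConsentPromptBehaviorAdmin)" }
    }

    # With UAC on, an administrator's interactive logon gets a filtered token:
    # the Administrators group (S-1-5-32-544) is still listed in the token but
    # marked "used for deny only", so the process cannot exercise admin rights
    # until it is elevated. whoami exposes that attribute directly.
    $groups   = whoami /groups /fo csv | ConvertFrom-Csv
    $adminRow = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }
    $inAdmins = [bool]$adminRow
    $denyOnly = $inAdmins -and ($adminRow.Attributes -match 'deny only')

    # IsInRole only returns true when the token actually carries admin rights.
    $principal = New-Object Security.Principal.WindowsPrincipal(
        [Security.Principal.WindowsIdentity]::GetCurrent())
    $elevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    [pscustomobject]@{
        EnableLUA                = [bool]$p.EnableLUA              # 0 = UAC fully off
        AdminPromptBehavior      = $adminPrompt
        PromptOnSecureDesktop    = [bool]$p.PromptOnSecureDesktop
        EnableVirtualization     = [bool]$p.EnableVirtualization   # legacy app file/registry redirection
        UserInAdministrators     = $inAdmins
        ProcessElevated          = $elevated
        RunningWithFilteredToken = $denyOnly
    }
}

Get-UacState | Format-List
```

On a default Windows 10 install, an administrator's normal shell reports UserInAdministrators = True, ProcessElevated = False and RunningWithFilteredToken = True; only a "Run as administrator" shell flips ProcessElevated to True. Setting EnableLUA to 0, which is what "UAC off" means in the configuration this thread describes, removes that split entirely: every process started by an administrator gets the full token from the outset, and the file/registry virtualization for legacy applications that the post mentions stops working as well, since it depends on UAC being enabled.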
 

DracusNarcrym

Level 20
Thread author
Verified
Top Poster
Well-known
Oct 16, 2015
970
> Thanks for sharing!
>
> Let's say that I've heard different opinions about UAC.
> Some people think that it is a useless feature because it is not able to guarantee safety, as it may be bypassed; this is the typical attitude of the theoretical researcher, who compares pure problems and concepts :)
>
> Although a deep part of me agrees with this kind of attitude, I don't share this point of view: we're talking about technology and applied science (computers and operating systems), not pure science. And how do you see User Account Control, which has seen the security model of Windows operating systems evolve over some years until now? It is a turning point, a fundamental innovation that seeks to change the operating system and the entire ecosystem that relies on the Windows platform towards the realization of a software model that can apply the concept of “least privilege” in the ideal way to protect users.
> It is not possible to understand the value of User Account Control if you do not consider the departure point, the arrival point and the system in which it is necessary to move.
> This evolutionary path is clear: it aims at the application of the principle of “least privilege”.
> Windows has always required too many privileges for more or less administrative activities, with the result that applications and users have preferred the easy way of operating with administrative privileges (even when not strictly necessary) so as to avoid the hardships imposed by attempting to use “least privilege”. The key point is the impact analysis: it would have been too easy to go from X to Y by writing the operating system from scratch; the real challenge is to evolve what you have while creating as little discomfort as possible for the whole of the immense library of applications that have been made over time.
> UAC seeks to make it so that users should not need administrative privileges without having a reason, and that anyone who writes applications can do so using credentials with limited privileges, all of this while safeguarding, to the extent possible, all existing applications and limiting application compatibility issues through virtualization of legacy applications. It is clear that on this path of architectural migration you already get concrete security and malware protection benefits: in the face of the security model offered by UAC, even those who write malware have to adopt more sophisticated code. If we add this aspect to the value introduced by the other security features introduced in Windows 10, we get the effective protection offered by the already mentioned principle of "defense in depth": if the result is to have reduced the attack surface and therefore have better protection, we can say that UAC is a useful security feature.
>
> My humble advice: do not disable UAC, use it in the best way with its full potential.
Excellent read. Thanks for the feedback.

In no way do I shun or condemn UAC or other built-in Windows 10 features, I just like to go with a more minimalist approach, and make sure to keep on all Windows features that are absolutely required for its most basic, barebone function.

Through years of explicitly not using any such built-in Windows features (pretty much ever since they were first introduced in Windows Vista), I can say that I gain from using them, as much as I lose from not using them: Nothing considerable. :D
 

Winter Soldier

Level 25
Verified
Top Poster
Well-known
Feb 13, 2017
1,486
> Excellent read. Thanks for the feedback.
>
> In no way do I shun or condemn UAC or other built-in Windows 10 features, I just like to go with a more minimalist approach, and make sure to keep on all Windows features that are absolutely required for its most basic, barebone function.
>
> Through years of explicitly not using any such built-in Windows features (pretty much ever since they were first introduced in Windows Vista), I can say that I gain from using them, as much as I lose from not using them: Nothing considerable. :D
Thank you, I love your minimalist approach and I understand your point of view, I agree with that :)
 

DracusNarcrym

Level 20
Thread author
Verified
Top Poster
Well-known
Oct 16, 2015
970
> Why Sandbox OFF?
When the sandbox is off, it is substituted by HIPS alerts, which I prefer. Most of the time it bugs me when something is auto-sandboxed, since all I run on my system is verified 100% safe by other means (testing on my test machine or just in a VM).
I manually sandbox random things now and then though, so I guess the sandbox still has some use.
 

DracusNarcrym

Level 20
Thread author
Verified
Top Poster
Well-known
Oct 16, 2015
970
Tiny end-of-the-month update. :D

DISABLED Windows Defender (performance-wise, Windows Defender obstructed many CPU-intensive tasks - mainly rendering, and some CPU-intensive RTS games such as Company of Heroes 2)

ADDED Google Chrome (uBlock Origin, "appcontainer" flag enabled)
 

SHvFl

Level 35
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Nov 19, 2014
2,350
> Tiny end-of-the-month update. :D
>
> DISABLED Windows Defender (performance-wise, Windows Defender obstructed many CPU-intensive tasks - mainly rendering, and some CPU-intensive RTS games such as Company of Heroes 2)
>
> ADDED Google Chrome (uBlock Origin, "appcontainer" flag enabled)
If I can ask, was WD scanning the game and using CPU cycles, hence the obstruction, or did the game have issues while WD was not showing any signs that it was scanning it?
 

DracusNarcrym

Level 20
Thread author
Verified
Top Poster
Well-known
Oct 16, 2015
970
> If I can ask, was WD scanning the game and using CPU cycles, hence the obstruction, or did the game have issues while WD was not showing any signs that it was scanning it?
I had ensured I disabled any scheduled scans with WD, so it wasn't them, for sure.

As for whether WD was scanning the game while the latter was running... I cannot say for sure, other than the "WD on" - "WD off" comparisons solved some occasional micro-stuttering during heavy scenes of frantic looking-around (in Arma 3, at least).

Perhaps it was too rushed of a decision to turn it off, then again, I do not have the patience to test performance issues with my security software anymore, and apparently, disabling WD fixed the problem (for now, I guess/hope).

Proper testing would be required, I guess. Still, this is probably not a definitive decision, so I'm leaving this as a pending matter.
 
  • Like
Reactions: SHvFl
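The exchange above leaves the Defender question open ("proper testing would be required"). As an added example that is not from the thread or any of its participants, the PowerShell below shows the narrower alternative to switching Windows Defender off: scope a real-time-scanning exclusion to one game's install folder and executable, snapshot the protection state before and after, and keep the change reversible. It uses the standard Defender cmdlets (Get-MpComputerStatus, Get-MpPreference, Add-MpPreference, Remove-MpPreference); the game path is a constructed placeholder and the function names are my own. Run it from an elevated PowerShell.

```powershell
# Added example, not part of the thread: instead of disabling Windows Defender
# for a game, exclude only that game's folder and process from real-time
# scanning, and record the protection state so the change can be checked and
# undone. The path below is a constructed placeholder, not a real install.

$gameDir = 'C:\Games\ExampleGame'                 # placeholder; replace with the real install folder
$gameExe = Join-Path $gameDir 'ExampleGame.exe'    # placeholder executable inside that folder

function Get-DefenderSnapshot {
    # Capture the parts of Defender state that a game exclusion should and
    # should not change: real-time protection must stay on, exclusions may grow.
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    [pscustomobject]@{
        RealTimeProtection = $status.RealTimeProtectionEnabled
        BehaviorMonitoring = $status.BehaviorMonitorEnabled
        ExclusionPaths     = @($pref.ExclusionPath)
        ExclusionProcesses = @($pref.ExclusionProcess)
    }
}

function Add-ScopedGameExclusion {
    param([string]$Dir, [string]$Exe)
    # Refuse to create an exclusion for a folder that does not exist: a typo
    # here would silently carve a blind spot that nothing actually uses.
    if (-not (Test-Path -LiteralPath $Dir)) {
        throw "Refusing to exclude a folder that does not exist: $Dir"
    }
    # ExclusionPath skips files under the folder; ExclusionProcess skips files
    # that this one process opens. Everything else stays under real-time scanning.
    Add-MpPreference -ExclusionPath $Dir -ExclusionProcess $Exe
}

function Remove-ScopedGameExclusion {
    param([string]$Dir, [string]$Exe)
    # Exact reverse of Add-ScopedGameExclusion, for when the test is over.
    Remove-MpPreference -ExclusionPath $Dir -ExclusionProcess $Exe
}

if (Test-Path -LiteralPath $gameDir) {
    $before = Get-DefenderSnapshot
    Add-ScopedGameExclusion -Dir $gameDir -Exe $gameExe
    $after  = Get-DefenderSnapshot

    # Sanity checks: the exclusion landed, and real-time protection is untouched.
    if ($after.ExclusionPaths -notcontains $gameDir) {
        Write-Warning "Exclusion for $gameDir did not appear in Get-MpPreference."
    }
    if ($before.RealTimeProtection -and -not $after.RealTimeProtection) {
        Write-Warning 'Real-time protection changed state; investigate before trusting this test.'
    }
    $after | Format-List
} else {
    Write-Host "Placeholder path $gameDir not found; set `$gameDir to a real install folder first."
}
```

The point of the before/after snapshot is that it turns "WD on versus WD off" into a controlled comparison: if stuttering disappears with only the folder and process excluded, the real-time scanner was the cause and the rest of the machine keeps its protection; if it persists, Defender was not the culprit and the exclusion can be removed with Remove-ScopedGameExclusion. Newer Defender builds also ship New-MpPerformanceRecording and Get-MpPerformanceReport, which list the files and processes that cost the scanner the most time and answer SHvFl's question directly.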

SHvFl

Level 35
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Nov 19, 2014
2,350
> I had ensured I disabled any scheduled scans with WD, so it wasn't them, for sure.
>
> As for whether WD was scanning the game while the latter was running... I cannot say for sure, other than the "WD on" - "WD off" comparisons solved some occasional micro-stuttering during heavy scenes of frantic looking-around (in Arma 3, at least).
>
> Perhaps it was too rushed of a decision to turn it off, then again, I do not have the patience to test performance issues with my security software anymore, and apparently, disabling WD fixed the problem (for now, I guess/hope).
>
> Proper testing would be required, I guess. Still, this is probably not a definitive decision, so I'm leaving this as a pending matter.
Yeah, I don't see you needing WD in general with CF on.
 
  • Like
Reactions: DracusNarcrym
