Advanced Plus Security ErzCrz Security Config 2022

Last updated
Sep 12, 2022
Use case
For personal use
Shared with
No one
Desktop OS
Windows 10
Windows OS SKU
Home
Login Unlock
    • Passwordless PIN or Biometrics
Sign-in with
Microsoft account
Primary user
Administrator rights - Full permissions that can perform harmful changes
Additional users
Set with Standard user rights
OS updates
Automatic updates
Windows UAC
Always notify
Network firewall
ISP-issued router [Mod: deprecated - please choose another option]
Always-on protection
Microsoft Defender
Firewall
Microsoft Defender Firewall (Windows 11 & 10)
Custom RT/Firewall security
Hard_Configurator set to Recommended Settings
FirewallHardening with Recommended rules
ConfigureDefender set to High
Malware testing
No malware samples
Periodic scanning
Emsisoft Emergency Kit
Secure DNS
Provided by ISP Sky Shield though occasionally Cloudflare over http.
VPN
Sophos VPN for working from home connection only
Password manager
Keepass
Browsers and Extensions
Edge with uBlock Origin with tweaked Hard Mode.
Search varies but is usually Bing or DuckDuckGo, or Google if I'm really struggling and can't pinpoint what I'm looking for.
Utilities for Maintenance
Windows built-in Disk Clean-up and Storage Sense.
Files & Photos backup
OneDrive for documents, 2nd partition for large deposit of photos to save OneDrive space.
Files & Photos backup routine
Automatic
Emergency recovery plan
Macrium Reflect Free with a fortnightly differential schedule and a full backup every 3 months. Also created rescue media on a spare USB.
Integrity of recovery plan
Recommendations based on others, but have not tested it.
Tasks performed
    • Browsing the web
    • Browsing to unknown sites
    • Working from home
    • Receiving, sending and opening email attachments
    • Buying goods from online stores, entering card details and addresses
    • Downloading software from reputable sites
    • PC games, mods and cloud-based gaming
    • Watching movies and TV series via subscriptions
    • Streaming audio and videos from sites
Computer specs
Notable changes
22.01.2022 - Reverted to Comodo Internet Security setup with Firefox as default browser and Thunderbird email client.
15.05.2022 - Reverted to Hard_Configurator setup following errors after uninstall and PC reset, with Edge as default browser for MD integration while sticking with Thunderbird for email; also updated backup routine.
13.08.2022 Swapped to built-in backup solution.
12.09.2022 General update in line with new guidelines.
Feedback response

I am mostly satisfied. Minimal feedback is appreciated, for minor changes to patch any missed security / privacy issues.

ErzCrz

Level 12
Thread author
Verified
Top poster
Well-known
Aug 19, 2019
594
My planned security setup to continue through 2022. I did a lot of back and forth between this and Comodo Internet Security the past year but am determined to stick with this option. If Comodo comes out with a product update I may revisit it.

Controlled Folder Access is still something I'm not solidly using but I think I just need to understand it a bit better or whitelist what I need to. I also stopped running WD in its own sandbox since Tamper Protection became a MD feature and it slowed things randomly on my machine.

Edge Exploit settings:

Exploit Protection settings for browsers (thanks to @Umbra @oldschool). These haven't broken anything yet (e.g. no extension crashes).
- for Brave, Edge and Firefox:

Block low integrity images - ON
Block remote images - ON
Block untrusted fonts - ON
Control flow guard (CFG) - ON
Data execution prevention (DEP) - ON + Enable thunk emulation - CHECKED
Disable extension points - ON
Force randomization for images (Mandatory ASLR) - ON + Do not allow stripped images - CHECKED
Randomize memory allocations (Bottom-up ASLR) - ON
Validate exception chains (SEHOP) - ON
Validate handle usage - ON
Validate heap integrity - ON
Validate image dependency integrity - ON

ADD for Edge Chromium only: Code integrity guard - ON (with or without Also allow images signed by M$ Store CHECKED)

uBlock Origin Dynamic and Static rules:
Advanced user ticked for hard mode/medium mode

Dynamic rules:

no-csp-reports: * true
no-large-media: behind-the-scene false
no-popups: * true
no-strict-blocking: 192.168.0.1 true
* * 3p block
* * 3p-frame block
* * 3p-script block
* com * noop
* eu * noop
* info * noop
* io * noop
* net * noop
* org * noop
* uk * noop
behind-the-scene * * noop
behind-the-scene * 1p-script noop
behind-the-scene * 3p noop
behind-the-scene * 3p-frame noop
behind-the-scene * 3p-script noop
behind-the-scene * image noop
behind-the-scene * inline-script noop

Static Filters:
! Block beacons, plugins and websockets everywhere
||*$ping,object,websocket

! Block potentially unsafe third-party content to unencrypted websites
|HTTP://*$third-party,~document,~stylesheet,~image,~media

! Block opening webpages on top level domains and countries I never visit
||*$document,~stylesheet,~image,~media,~script,~subdocument,~xmlhttprequest,domain=~com|~info|~io|~eu|~net|~org|~uk

! Inject javascript to blur Google FLOC interest tagging
*##+js(no-floc)

! Block switch to Chrome popup on google domains (search, maps, etc)
||ogs.google.*/widget/callout$all

! Block Google search URL parameter tracking
||google.*/search$removeparam=biw
||google.*/search$removeparam=bih
||google.*/search$removeparam=dpr
||google.*/search$removeparam=sa
||google.*/search$removeparam=source
||google.*/search$removeparam=aqs
||google.*/search$removeparam=sourceid
||google.*/search$removeparam=ei
||google.*/search$removeparam=gs_lcp
||google.*/search$removeparam=gclid

! youtube.com
||youtube.com/subscribe_embed?$third-party
||youtube.com/subscribe_widget$third-party
youtube.com###alert-banner > .ytd-browse > .yt-alert-with-actions-renderer
youtube.com###mealbar\:3 > ytm-mealbar.mealbar-promo-renderer
youtube.com###notification-footer
youtube.com###secondary-links
youtube.com###yt-feedback
youtube.com###yt-hitchhiker-feedback
youtube.com###yt-lang-alert-container
youtube.com##.yt-consent
youtube.com##.ytd-banner-promo-renderer.style-scope.ytd-banner-promo-renderer-content
youtube.com##.ytd-banner-promo-renderer.style-scope.ytd-banner-promo-renderer-background
youtube.com##.ytd-primetime-promo-renderer
youtube.com##.ytd-statement-banner-renderer
youtube.com##.ytp-ce-playlist
youtube.com##.ytp-pause-overlay
youtube.com##.ytp-title-channel
youtube.com##+js(json-prune, *.playerResponse.adPlacements)
youtube.com##+js(json-prune, *.playerResponse.playerAds)
youtube.com##+js(json-prune, 2.playerResponse.adPlacements playerResponse.adPlacements playerResponse.playerAds adPlacements playerAds)
youtube.com##+js(json-prune, 2.playerResponse.adPlacements)
youtube.com##+js(json-prune, playerResponse.adPlacements)
youtube.com##+js(json-prune, playerResponse.playerAds)
youtube.com##+js(set, ytInitialPlayerResponse.adPlacements, null)
youtube.com##div[class^="ytd-consent"]
youtube.com##ytd-popup-container > .ytd-popup-container > #contentWrapper > .ytd-popup-container[position-type="OPEN_POPUP_POSITION_BOTTOMLEFT"]
youtube.com#@##consent-bump
||gstatic.com/youtube/img/promos/*.jpeg$image,domain=youtube.com

Hopefully not too many major changes as this works well.
 
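Added example (editor's, not from ErzCrz's post or from any tool named in it): the per-browser Exploit Protection list above can be applied and read back from an elevated PowerShell with the built-in ProcessMitigations cmdlets instead of clicking through the Windows Security UI, and exported to XML so it can be re-imported after the kind of PC reset mentioned in the changelog. The image name msedge.exe and the export path are assumptions; for Brave or Firefox swap the image name and leave out the Edge-only code integrity guard.

```powershell
# Added example: apply the Exploit Protection settings listed in the post to
# Microsoft Edge (Chromium) with the built-in ProcessMitigations module,
# read them back, and export the result for re-use. Run in an elevated
# PowerShell on Windows 10 1709 or later. msedge.exe and $exportPath are
# assumptions; for Brave or Firefox change $image and drop $edgeOnly.

$image      = 'msedge.exe'
$exportPath = "$env:USERPROFILE\Documents\ExploitProtection-$image.xml"

# Set-ProcessMitigation switch names, mapped to the Windows Security UI labels.
$common = @(
    'BlockLowLabelImageLoads',             # Block low integrity images
    'BlockRemoteImageLoads',               # Block remote images
    'DisableNonSystemFonts',               # Block untrusted fonts
    'CFG',                                 # Control flow guard (CFG)
    'DEP', 'EmulateAtlThunks',             # DEP + "Enable thunk emulation"
    'DisableExtensionPoints',              # Disable extension points
    'ForceRelocateImages', 'RequireInfo',  # Mandatory ASLR + "Do not allow stripped images"
    'BottomUp',                            # Bottom-up ASLR
    'SEHOP',                               # Validate exception chains
    'StrictHandle',                        # Validate handle usage
    'TerminateOnError',                    # Validate heap integrity
    'EnforceModuleDependencySigning'       # Validate image dependency integrity
)

# Edge (Chromium) only: Code integrity guard. Add 'AllowStoreSignedBinaries'
# here if you tick "Also allow images signed by Microsoft Store".
$edgeOnly = @('MicrosoftSignedOnly')

Set-ProcessMitigation -Name $image -Enable ($common + $edgeOnly)

# Read back the per-process configuration. Each group (Dep, Aslr, StrictHandle,
# ExtensionPoints, ControlFlowGuard, Signature, Fonts, ImageLoad, SEHOP, Heap,
# ...) reports ON / OFF / NOTSET per flag; anything still NOTSET falls back
# to the system default, so check this list before trusting the change.
Get-ProcessMitigation -Name $image

# Export all per-process entries to XML. After a reset, re-apply with:
#   Set-ProcessMitigation -PolicyFilePath $exportPath
Get-ProcessMitigation -RegistryConfigFilePath $exportPath

# Roll back this image entirely if a mitigation breaks something (an
# extension crashing is the usual symptom):
#   Set-ProcessMitigation -Name $image -Remove
```

Per-process mitigations set this way end up under the image's Image File Execution Options key, which is also what the Windows Security UI edits, so the two stay in sync; the XML export is the only form that survives a reset in a re-importable shape.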

ErzCrz
I have reverted to my Comodo Internet Security setup with Firefox as default browser and Thunderbird email client. Reverted Edge Exploit tweaks as it kept showing alerts with Comodo running.

I hadn't planned to change back but it uses fewer resources than MD and has a good default-deny setup. Comodo does take a fair bit of tweaking but does what it does well. I'm sure I'll end up switching back at some point to the H_C config.
 

ErzCrz
Just for info, one of the motivations that made me switch from MD as default protection is that I'm still on an old machine, I don't plan on upgrading yet, I have the basic Windows 10 Home version that was upgraded from 8.1 and I'm not subscribing to 365, so I'm inherently less protected by default than someone who has the current / Win 11 compatible kit. That and Comodo uses about 24 MB of RAM running whereas MD with ConfigureDefender set to High uses 240 MB average (140 MB with the default setting).

Edge is good but CIS/CF seems to flow better with FF though CIS's web protection only seems to work with http.

Hard_Configurator / SimpleWindowsHardening enables most of those features which is great so I may see about a H_C or SWH combination with CIS or CF at some point once I work out how best to get the two working together without issue.
 
F

ForgottenSeer 92963

As you are hardening the web browser using uBlockOrigin advanced features, this one might be worth evaluating

! Block eval javascript command
*##+js(noeval)

! Allow using eval for example.com
example.com#@#+js(noeval)
 
ForgottenSeer 92963

@ErzCrz,

Since you are using Firefox (Chromium-based browser users can set this in site permissions), you could limit first-party websites in the same way you did with third-party. I removed INFO on purpose from the 3p NOOP list since those websites are mostly first-party, for the same reason I did not include IO in the no-scripting FALSE list, because they are mostly used as third-party.

_____ restrict first-party similar to third-party in MY RULES ______

no-scripting: * true
no-scripting: com false
no-scripting: eu false
no-scripting: info false
no-scripting: net false
no-scripting: org false
no-scripting: uk false

* * 3p block
* * 3p-frame block
* * 3p-script block
* com * noop
* eu * noop
* io * noop
* net * noop
* org * noop
* uk * noop
 

ErzCrz
@ErzCrz,

Since you are using Firefox (Chromium-based browser users can set this in site permissions), you could limit first-party websites in the same way you did with third-party. I removed INFO on purpose from the 3p NOOP list since those websites are mostly first-party, for the same reason I did not include IO in the no-scripting FALSE list, because they are mostly used as third-party.

_____ restrict first-party similar to third-party in MY RULES ______

no-scripting: * true
no-scripting: com false
no-scripting: eu false
no-scripting: info false
no-scripting: net false
no-scripting: org false
no-scripting: uk false

* * 3p block
* * 3p-frame block
* * 3p-script block
* com * noop
* eu * noop
* io * noop
* net * noop
* org * noop
* uk * noop
That's a huge help, thanks so much!

Loving how my setup is now labelled Advanced Plus Security. Maybe the system has to be hardened to make it complete.

Anyway, these are useful whichever setup I use so I should augment my Edge rules as well. I expect I'll be back to MD before long but I'm still experimenting with tweaks and comparing things. Plan wasn't to do that this year but it's not been exactly going to plan :D
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top poster
Developer
Well-known
Dec 23, 2014
7,187
...
Hard_Configurator / SimpleWindowsHardening enables most of those features which is great so I may see about a H_C or SWH combination with CIS or CF at some point once I work out how best to get the two working together without issue.

I am not sure if this would be recommendable. Your current setup seems to be sufficiently complex. Anyway, you can ask @cruelsister if there are some loopholes that should be hardened. (y)
 

ErzCrz
I am not sure if this would be recommendable. Your current setup seems to be sufficiently complex. Anyway, you can ask @cruelsister if there are some loopholes that should be hardened. (y)
Thanks, just exploring options. I like both setups and my helping knowledge is more Comodo based. I doubt there's any need for hardening with Comodo but worth a look.

Today's test showed fewer resources used with the Edge + H_C + CD High setup compared to the Comodo + FF configuration, but that's more about browser resource usage. Also CD set to High was misinterpreted as 240 MB idle previously but I hadn't realized a scan was running in the background. Currently MD is using 150 MB on average.

Anyway, thanks for the info/reply.
 
ForgottenSeer 92963

@Andy Ful and @ErzCrz

Andy what about adding SWH with SRP enabled (standard) and Windows Hardening disabled. In this way Comodo deals with executables and scriptors and SWH is just an additional hardening of user space to stop first stages of advanced attacks by blocking risky file extensions in userland for standard user/medium integrity processes only?
 

Andy Ful
@Andy Ful and @ErzCrz

Andy what about adding SWH with SRP enabled (standard) and Windows Hardening disabled. In this way Comodo deals with executables and scriptors and SWH is just an additional hardening of user space to stop first stages of advanced attacks by blocking risky file extensions in userland for standard user/medium integrity processes only?

Unfortunately, I do not use Comodo so I cannot say with confidence which SWH settings are not necessary.
I guess that there exists a Comodo setup with some restricted LOLBins which does not need SWH at all.

Edit.
I am not a fan of Comodo's HIPS, because no one really knows what their impact is on Windows system processes (current and introduced in the future). The auto-sandbox feature is more predictable. Comodo's features are very strong - this can sometimes be a disadvantage for Windows stability.
 

Andy Ful
At first glance, it seems that SWH can make the Comodo setup more convenient if the user needs scripting. The scripts cannot be whitelisted in Comodo. So, the user can allow scripting in Comodo and use SWH to restrict scripts. A similar problem can be with some other LOLBins (Sponsors). But, I would not fully disable <Windows Hardening> in SWH. Disabling several remote features, SMB protocols, or hardening MS Office (Adobe Reader) will not hurt.
 

ErzCrz
Just updating... Blocking java via noeval seems to be working pretty well. I have had to whitelist a few websites that I use regularly but otherwise going well with uBO tweaks. Thanks again @Kees1958 :D

! Block eval javascript command
*##+js(noeval)

! Allow using eval for example.com
website.*#@#+js(noeval)

CIS configuration going okay without much issue, though nothing has been logged over the past 7 days of browsing etc.; files are automatically added to the trusted file list. CIS and MD with H_C are certainly two different approaches.

Anyway, interesting experiment so far.
 

cruelsister

Level 39
Verified
Honorary Member
Top poster
Content Creator
Well-known
Apr 13, 2013
2,891
It might be amusing for you to run an innocuous Scriptor on your setup: Download and run Kaspersky Virus Removal Tool. KVRT will drop a cmd script initially (into Local/Temp) to be run when you close the application. This script will delete the application files that the original installer unpacks (also in Local/Temp) as well as deleting a driver that was dropped in Windows/System and a run once (for the Script) registry entry. Although totally fine, these commands can as well be used by horrible people in malware to do truly nasty things (not that I would know, of course).

Now determine who blocks what and when...
 

ErzCrz
It might be amusing for you to run an innocuous Scriptor on your setup: Download and run Kaspersky Virus Removal Tool. KVRT will drop a cmd script initially (into Local/Temp) to be run when you close the application. This script will delete the application files that the original installer unpacks (also in Local/Temp) as well as deleting a driver that was dropped in Windows/System and a run once (for the Script) registry entry. Although totally fine, these commands can as well be used by horrible people in malware to do truly nasty things (not that I would know, of course).

Now determine who blocks what and when...
Hmm, interesting. In that circumstance I'd be better with a hardened system but it's a bit over my head to be honest. Hard_Configurator would probably stop that script I'm guessing.

Anyway, you make an interesting point as always :)
 
ForgottenSeer 92963

@SecureKongo and @ErzCrz

Simple Windows Hardening blocks running scripts in user space and optionally sets some registry keys to make powershell less prone to misuse. SWH also has an option to disable Wscript but not CMD (I have had a long conversation with Andy on this, but I could not convince him to add that also).

With Hard_Configurator you can also block executing sponsors. H_C in recommended settings allows admins to overrule the Software Restriction Policies. This means you can always install stuff by right-click "run as admin". On top of that H_C has two usability modes to make life easier for you:

  1. Update mode (set to ON)
    This allows software to update from the ProgramData and %UserProfile%\AppData folders (by allowing EXE, MSI and TMP). Most installed software updates from Temp folder or their own folders in ProgramData or AppData. This is like SWH only for two specified folders.

  2. Allow EXE, TMP and MSI (globally)
    This is basically the same as SWH, only with the added security to block sponsors as well.

Link to manual: Hard_Configurator/Hard_Configurator - Manual.pdf at master · AndyFul/Hard_Configurator

To reassure you: I block sponsors since I am running a Windows Pro version (XP Pro), since Windows10 (I think from 2019) I am also blocking CMD and Wscript through Group Policy for current User with no problems (but I am running a Microsoft Office + Edge setup with SyncBack Free and Macrium Free on my standard user and additionally FileZilla plus Visual Studio on my admin account).
 

Andy Ful
@SecureKongo and @ErzCrz
...
With Hard_Configurator you can also block executing sponsors. H_C in recommended settings allows admins to overrule the Software Restriction Policies. This means you can always install stuff by right-click "run as admin".

H_C and SWH can also prevent admins from overruling the Software Restriction Policies. H_C must be run with the "-p" switch and SWH has a special option * Policy Scope *. I do not recommend restricting admins in H_C, except for Basic_Recommended_Settings + a few Sponsors blocked.

On top of that H_C has two usability modes to make life easier for you:

  1. Update mode (set to ON)
    This allows software to update from the ProgramData and %UserProfile%\AppData folders (by allowing EXE, MSI and TMP). Most installed software updates from Temp folder or their own folders in ProgramData or AppData. This is like SWH only for two specified folders.

  2. Allow EXE, TMP and MSI (globally)
    This is basically the same as SWH, only with the added security to block sponsors as well.

Link to manual: Hard_Configurator/Hard_Configurator - Manual.pdf at master · AndyFul/Hard_Configurator

These settings can be loaded via the Windows_10_Basic_Recommended setting profile.

To reassure you: I block sponsors since I am running a Windows Pro version (XP Pro), since Windows10 (I think from 2019) I am also blocking CMD and Wscript through Group Policy for current User with no problems ...

In H_C, one can use <Block Sponsors> and "Script Interpreters" <ON> + "Enhanced" <ON> to block popular script interpreters and LOLBins. This is a better solution compared to GPO, because the blocked events can be easily seen via <Tools><Blocked Events / Security Logs>.
If the computer is used both at home and at work, then it is also possible to prevent admins from bypassing SRP (-p switch). (y)
 
ForgottenSeer 92963

For normal home use SRP should never be applied to admins (which Microsoft describes as "for all users, except Admins"). As most tests show, most premium brand AntiVirus will block 99.99% of all ordinary executables. By blocking risky file extensions and blocking sponsors for "all users, except Admins" with SRP, the average home user is well protected without having to deal with popups or negative impact on functionality (executing programs).
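Added example (editor's, not from Hard_Configurator, SWH or any post in this thread): a read-only PowerShell check of the Software Restriction Policies state that H_C and SWH configure, so you can see for yourself which scope is in force (the "all users" versus "all users except local administrators" choice argued over above), which extensions SRP treats as executable, which paths are whitelisted (the ProgramData / AppData folders that "Update mode" opens up), and what SRP has actually blocked recently, which is the same data H_C surfaces under Blocked Events. It assumes only the standard Safer registry layout that Windows SRP itself uses; nothing in it is tool-specific.

```powershell
# Added example: audit the Software Restriction Policies (SRP) state that
# Hard_Configurator / SimpleWindowsHardening write, without either tool.
# Read-only; works from a standard user account. Assumes the standard
# HKLM\...\Safer\CodeIdentifiers layout used by Windows SRP.

$safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

if (-not (Test-Path $safer)) {
    Write-Output "No SRP policy under $safer - SRP is not configured on this machine."
    return
}

$ci = Get-ItemProperty -Path $safer

# Security levels are keyed by their numeric value; path rules live under
# CodeIdentifiers\<level>\Paths\{GUID}.
$levelNames = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }
# PolicyScope 1 is the "all users except local administrators" setting the
# thread discusses; a missing value behaves like 0 (applies to admins too).
$scopeNames = @{ 0 = 'All users (administrators included)'
                 1 = 'All users except local administrators' }
$enforceNames = @{ 1 = 'All software files except libraries (DLLs)'
                   2 = 'All software files (DLLs included)' }

[pscustomobject]@{
    DefaultLevel    = $levelNames[[int]$ci.DefaultLevel]
    PolicyScope     = $scopeNames[[int]$ci.PolicyScope]
    Enforcement     = $enforceNames[[int]$ci.TransparentEnabled]
    ExecutableTypes = ($ci.ExecutableTypes -join ', ')
} | Format-List

# Every path rule with the level it assigns. With a Disallowed default, the
# Unrestricted entries are the effective whitelist (e.g. the ProgramData /
# AppData folders that H_C's "Update mode" allows EXE, MSI and TMP from).
$levelNames.Keys | ForEach-Object {
    $level    = $_
    $pathsKey = Join-Path $safer "$level\Paths"
    if (Test-Path $pathsKey) {
        Get-ChildItem -Path $pathsKey | ForEach-Object {
            $rule = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{
                Level       = $levelNames[$level]
                Path        = $rule.ItemData
                Description = $rule.Description
            }
        }
    }
} | Sort-Object Level, Path | Format-Table -AutoSize

# What SRP has actually blocked in the last 7 days. The
# SoftwareRestrictionPolicies source logs "access restricted" events
# 865-868 (default level, path rule, publisher rule, hash/zone rule) to the
# Application log; H_C's "Blocked Events" view reads the same entries.
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'SoftwareRestrictionPolicies'
    Id           = 865, 866, 867, 868
    StartTime    = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } } |
    Format-Table -AutoSize
```

Run it once after applying a Hard_Configurator profile and once after an H_C "-p" run: the PolicyScope line is the only thing that should change between the two, and the blocked-event query is the quick way to confirm that a sponsor such as a script interpreter was stopped by a path rule (866) rather than by the default level (865).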