SECURITY: Complete Fallen's Security Config 2021

Last updated
Feb 23, 2021
About
Personal, primary device
Additional PC users
Not shared with other users
Desktop OS
Windows 10
OS edition
Pro
Login security
    • Password (Aa-Zz, 0-9, Symbols)
Primary sign-in
Microsoft account
Primary user
Admin user - Full permissions
Other users
Security updates
Automatic - allow all types of updates
Windows UAC
Maximum - always notify
Network firewall
Third-party router
Real-time protection
Norton 360
Software firewall
Provided by a third-party security vendor. Refer to 'Real-time protection' for details.
Custom RTP, Firewall and OS settings
Norton 360:
  • Antivirus
Boot Time Protection set to Aggressive.
SONAR Advanced Mode set to Aggressive.
  • Firewall
Block Traffic for Malicious Applications set to Aggressive.
  • Administrative Settings
Idle Time Optimizer is Off.
Detailed Error Data Collection set to Never.
  • List of features removed in Windows
Microsoft Remote Help
Windows Media Player
Windows Fax and Scan
Windows Hello Face Recognition
Windows PowerShell Integrated Scripting Environment
Internet Printing Service
Internet Explorer
Working Folder Client
OpenSSH Client
SMB Direct
  • Group Policy settings:
Data Collection and Preview Builds
Allow commercial data pipeline - Disabled
Allow Desktop Analytics Processing - Disabled
Allow device name to be sent in Windows diagnostic data - Disabled
Allow Telemetry - Disabled
Allow Update Compliance Processing - Disabled
Configure the Commercial ID - Disabled
Configure diagnostic data upload endpoint for Desktop Analytics - Disabled
Disable deleting diagnostic data - Disabled
Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service - Disabled
Limit Enhanced diagnostic data to the minimum required by Windows Analytics - Disabled
Configure Connected User Experiences and Telemetry - Disabled
Configure collection of browsing data for Desktop Analytics - Disabled
  • Internet Communication Management
Internet Communication settings
Turn off handwriting recognition error reporting - Enabled
Turn off Windows Customer Experience Improvement Program - Enabled
Turn off Help and Support Center "Did you know?" content - Enabled
Turn off Help and Support Center Microsoft Knowledge Base search - Enabled
Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com - Enabled
Turn off Windows Error Reporting - Enabled
Turn off the Windows Messenger Customer Experience Improvement Program - Enabled
Turn off handwriting personalization data sharing - Enabled
  • Control Panel
Allow Online Tips - Disabled
  • Handwriting personalization
Turn off automatic learning - Enabled
  • BitLocker Drive Encryption
Disable new DMA devices when this computer is locked - Enabled
Choose drive encryption method and cipher strength - Enabled (256-bit).
Allow Secure Boot for integrity validation - Enabled
Require additional authentication at startup - Enabled (TPM is required).
  • Windows Error Reporting
Disable Windows Error Reporting - Enabled
Do not send additional data - Enabled
  • Mitigation Options
Untrusted Font Blocking - Enabled
  • User Profiles
Turn off the advertising ID - Enabled
  • Microsoft Support Diagnostic Tool - All services disabled.
  • Scripted Diagnostics - All services disabled.
  • Desktop Gadgets - Disabled
  • Turn off Autoplay - Enabled
  • Application Compatibility
Turn off Application Telemetry - Enabled
Turn off Inventory Collector - Enabled
  • Find My Device
Turn On/Off Find My Device - Disabled
  • Microsoft User Experience Virtualization
Windows Apps
Finance, Games, Maps, Music, News, Reader, Sports, Travel, Video, Weather - Disabled
  • Online Assistance
Turn off Active Help - Enabled
  • Search
Allow Cloud Search - Disabled
Allow Cortana - Disabled
Allow Cortana above lock screen - Disabled
Allow Cortana Page in OOBE on an AAD account - Disabled
Allow search and Cortana to use location - Disabled
Do not allow web search - Enabled
Prevent indexing e-mail attachments - Enabled
  • Shutdown Options
Turn off legacy remote shutdown interface - Enabled
  • Speech
Allow Automatic Update of Speech Data - Disabled
  • Text Input
Improve inking and typing recognition - Disabled
  • File Explorer Options
Show sync provider notifications - Uncheck
  • OneDrive disabled
  • Advertising ID disabled
  • Cortana disabled
  • Usage of location data for Cortana disabled
  • Non-critical notifications disabled
  • Web search disabled
- Settings
Lock screen - Slideshow, Picture.
Get fun facts, tips, tricks, and more on your lock screen - Off

- Start
Show suggestions occasionally in Start - Off

- Remote Desktop
Enable Remote Desktop - Off

- Notifications & actions
Show me the Windows welcome experience after updates and occasionally when I sign in to highlight what's new and suggested - Uncheck
Suggest ways I can finish setting up my device to get the most out of Windows - Uncheck
Get tips, tricks, and suggestions as you use Windows - Uncheck

- Settings \ Privacy
Speech - Off
Inking & typing personalization - Off
Diagnostics & feedback - Off
Activity history - Send my activity history to Microsoft is unchecked.
Location - Off
Camera - Off
Microphone - Off
Voice activation - Off
Account info - Off
Contacts - Off
Calendar - Off
Phone calls - Off
Call history - Off
Email - Off
Task - Off
Messaging - Off
Radios - Off
Other devices - Off
Background apps - Off (except WS)
App diagnostics - Off
Pictures - Off
Videos - Off
File system - Off
  • Windows Update - Delivery Optimization
Allow downloads from other PCs - Off
Malware testing
No malware samples
Periodic security scanners
MBAM and EKK.
Secure DNS
NextDNS CLI (Configured on RPi Zero WH).
VPN
I have my own VPN server; WireGuard + Pi-hole + Unbound.
Password manager
Bitwarden
Browsers, Search and Addons
Microsoft Edge w/ some flags - uBlock Origin, Bitwarden and Norton Safe Web.
Mozilla Firefox w/ some tweaks - uBlock Origin, Decentraleyes and Bitwarden.
Maintenance and Cleaning
Windows Tools and Revo Uninstaller Portable.
Personal Files & Photos backup
WD My Book 3TB
Personal backup routine
Manual (maintained by self)
Device recovery & backup
Macrium Reflect
Device backup routine
Manual (maintained by self)
PC activity
  1. Browsing the web. 
  2. Emails. 
  3. Shopping. 
  4. Banking. 
  5. Browsing to unknown sites. 
  6. Working from home. 
  7. Multimedia. 
  8. Streaming. 
Computer specs
CPU: AMD Ryzen 7 2700X
RAM: Corsair Vengeance 16GB DDR4
SSD: WD Green 240GB
GPU: MSI Geforce GTX1080
MBA: MSI X470 Gaming M7 AC
PSU: Corsair TX850M 850W
Feedback Response

Most critical feedback

FALLEN

Level 2
Feb 13, 2015
95
Hi,
This is my security configuration for 2021.

On my system Norton usually uses 15-50 MB of memory. Not just RAM usage, Norton is very light, maybe the lightest AV. I love it.

Cloudflare is just a little faster than NextDNS for me. But NextDNS has very good features, so I chose NextDNS.

By the way, Cloudflare's response time is 1ms. It doesn't make any difference anyway.
 

Spawn

Administrator
Verified
Staff member
Jan 8, 2011
21,069
Thanks for your advice.
Added:
  • Password (Aa-Zz, 0-9, Symbols)
The previous state was set to None, which is not possible with a Microsoft account.

Now you have chosen Password, which is also less secure.

Windows Hello PIN is unique to the local device. It is neither your MS acc. password nor is it stored by Microsoft. It can only be used on the Windows 10 device it was set up on.


The Windows Hello options are:

[Screenshot of the Windows Hello sign-in options]


Optionally, Hello PIN allows for letters and symbols.


FALLEN

Level 2
Feb 13, 2015
95
@Spawn I appreciate why you think that, but simply I don't need that, password protection too, but I activated it anyway. We have security guards, reception, card system, security cams, steel door; if some burglar breaks our security, I will congratulate him. And most important thing, I don't have important documents and stuff.
 

FALLEN

Level 2
Feb 13, 2015
95
That's normal when you add false information.
OK, I've got your point. Too bad, there is no way to block you.

Btw, my answer is here. I activated password login because it's "better than nothing". I didn't say anything to you about Windows Hello. I just thanked you for your advice, that's it. There is no false information.
 