SECURITY: Complete Gandalf_The_Grey's laptop config for 2020

Last updated: Nov 30, 2020
About device: Primary device
Operating system: Windows 10
Sign-in identity: Sign-in with Microsoft account
Log-in security:
Permissions: Administrator user account
Security updates: Automatic - allow all types of updates
Windows UAC: Maximum - always notify
Malware samples: No - malware is not downloaded
Firewall protection: Microsoft Defender Firewall
Real-time malware protection:
  Microsoft Defender Antivirus
  HomeCare by Trend Micro on TP-Link Archer AX6000 router
RTP & OS hardening settings:
  Microsoft Defender Antivirus set to High with ConfigureDefender
  Controlled Folder Access enabled (not on the kids' laptops)
  Memory integrity under Core Isolation enabled (not on the kids' laptops)
  Hard_Configurator with Windows_10_Basic_Recommended_Settings
Periodic scanning: HitmanPro, Kaspersky Virus Removal Tool and AdwCleaner (for the kids)
Browsers:
  Microsoft Edge with uBlock Origin, Bitdefender TrafficLight, Bitwarden and Microsoft Editor
  Google Chrome with the same extensions plus the Microsoft Defender Browser Protection extension on the kids' laptops.
  They use Edge for school and Chrome for fun
Optimisation apps: Autoruns, CCleaner, PatchMyPC, SUMo and Driver Easy Pro
My Files & Photos backup:
  Windows File History on external drive (weekly)
  OneDrive with Microsoft 365 ransomware protection (always on sync)
My Files backup schedule: Automatic - sync to a trusted cloud provider, or local attached storage
Device recovery & settings: Windows system image
Device backup schedule:
Computer specifications:
  Acer Aspire VN7-791G-576X
  Intel Core i5-4210H
  Intel HD Graphics 4600 / NVIDIA GeForce GTX 860M
  Kingston 16GB Dual-Channel DDR3 PC3-12800 RAM
  Samsung SSD 850 EVO M.2 250GB
  Seagate HDD ST1000LM014-1EJ164 1TB
  Realtek High Definition Audio
Device activity usage:
  1. Generic web browsing
  2. Financial and sensitive documents
  3. Working from home
  4. Video and photo editing
  5. Streaming audio and video content from the Internet
  6. Shared among other family members
Your changelog
2020.02.23 removed VoodooShield and uBlock Origin and added Kaspersky Security Cloud Free and AdGuard (extension).
2020.03.09 removed AdGuard and Kaspersky Security Cloud Free and added Hard_Configurator 5.0.0.1 beta, uBlock Origin and the Netcraft extension. Replaced Bandizip with Explzh because of the advertisements in the free version.
2020.03.22 removed Hard_Configurator, kept ConfigureDefender, DocumentsAntiExploit and RunBySmartscreen.
Added NoVirusThanks SysHardener, VoodooShield and the Certificate Info extension.
2020.03.28 added Ziggo Safe Online and Hard_Configurator and removed SysHardener.
2020.03.30 removed CCleaner Pro
2020.04.05 installed HC 5.0.01 beta with recommended settings. Removed VoodooShield.
Tried to minimize extensions: replaced uBlock Origin with AdGuard and removed Certificate Info and Netcraft. Added Microsoft Editor. All extensions are now from the Microsoft Store except Browsing Protection by F-Secure (installed automatically).
2020.04.22 Removed Ziggo Safe Online and Hard_Configurator. Trying Windows Defender with Comodo Firewall.
2020.05.04 removed Comodo Firewall and installed Emsisoft Anti-Malware Home.
2020.05.08 replaced Emsisoft Anti-Malware with Kaspersky Security Cloud Free
2020.05.18 replaced KSC Free with WD and uninstalled some browser extensions.
2020.07.05 back to Bitwarden and Bitdefender TrafficLight and WhitelistCloud added.
2020.07.08 switched from WhitelistCloud to VoodooShield Pro. Went from uBlock Origin to AdGuard.
2020.07.15 Back to KSC Free.
2020.08.09 added SpywareBlaster 5.7 Private Beta with MS Edge support.
2020.08.12 back to Microsoft Defender Antivirus
2020.08.15 back to Kaspersky Security Cloud Free
2020.08.31 removed O&O ShutUp 10 and went back to Microsoft Defender
2020.09.27 removed Bitdefender TrafficLight and went back from Simple Windows Hardening to Hard_Configurator
2020.10.27 went from WD to KSCFree and from uBlock Origin to AdGuard.
2020.11.14 back to WD on high and simplified config

Gandalf_The_Grey

Level 42
Verified
Trusted
Content Creator
Apr 24, 2016
3,127
Thinking about Simple Windows Hardening vs Hard_Configurator.
If you use Simple Windows Hardening with ConfigureDefender, FirewallHardening and use Autoruns, isn't it easier to just use Hard_Configurator with the Windows_10_Basic_Recommended_Settings profile instead?
One tool to install and not having to download and maintain multiple portable programs.
The protection level is the same.
Any pros or cons?
@Andy Ful What do you think?
 

silversurfer

Level 68
Verified
Trusted
Content Creator
Malware Hunter
Aug 17, 2014
5,784
Thinking about Simple Windows Hardening vs Hard_Configurator.
If you use Simple Windows Hardening with ConfigureDefender, FirewallHardening and use Autoruns, isn't it easier to just use Hard_Configurator with the Windows_10_Basic_Recommended_Settings profile instead?
One tool to install and not having to download and maintain multiple portable programs.
The protection level is the same.
Any pros or cons?
Just going to use H_C as you are able to handle tools like that...
I'm personally running WD/MD and using H_C included tools like CD & FH, that's for me easier to control over the main GUI of H_C.
 

Gandalf_The_Grey

@Gandalf_The_Grey

No idea. These configs are the same.
You can use SWH + ConfigureDefender + FirewallHardening via 3 shortcuts on your Desktop (copy these applications first to Windows folder) or use H_C. It will be rather the choice of taste (like which GUI do you like better).:)
After trying both configs I like the one with the standalone tools more.
Just pinned those 3 to the startmenu.
Less exes installed in total and the logging is better / more filtered.
Example: the log of ConfigureDefender contains entries when Microsoft Defender (and the system) starts. Not needed I think.
The logs of the standalone ConfigureDefender don't show them.
Both contain some blocks for Controlled Folder Access (needed).
 

Gandalf_The_Grey

Experimenting with the for me best and most easy protection for the laptops in my household/family
Tried VoodooShield, but one of the laptops in my household froze completely with it.
Tried Comodo Firewall with CS settings, but it still has a problem with not recognizing safe Windows files, so it needs to be babysat.
So back to Hard_Configurator where whitelisting is easier than in Simple Windows Hardening because of the apply changes button.
When something is blocked on the laptops of my children it's quite easy to see in the log and if needed whitelist by file.
@Andy Ful Is it correct that there is no apply settings button in Simple Windows Hardening or am I missing something?
 

Andy Ful

Level 67
Verified
Trusted
Content Creator
Dec 23, 2014
5,621
That's correct, but what do you do after whitelisting a file? Do you have to log out or reboot?
Both SWH and H_C ver. 5.1.1.2 apply whitelisted SRP entries on the fly - no need to reboot or Log off. When the reboot is required, then H_C will alert while pressing the <REFRESH> button, SWH alerts about the reboot only when SMB settings are changed.
SWH is much simpler and does not need the <REFRESH> button.

Edit.
If you use this config on the child's computer, then you can set in ConfigureDefender the ASR rule "Block executable files from running unless they meet a prevalence, age, or trusted list criteria" to ON. This should not be a problem, but if something will be blocked by this rule, then please remember to wait about 2 days, or if you are certain that the file is clean set this rule temporarily to Audit and next install/update and finally run the installed/updated application. Do not try to whitelist the blocked file in H_C or exclude it in WD, because this will not work when this ASR rule was triggered.
 
Last edited:
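
The ASR rule workflow from the post above (rule ON, temporarily Audit around an install or update, then ON again), as an added example that is not part of the thread or of ConfigureDefender. It uses the built-in Defender PowerShell cmdlets; the rule GUID comes from Microsoft's ASR rule reference, and the function names are hypothetical.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session on
# Windows 10 with Microsoft Defender Antivirus as the active antivirus.
# Rule GUID per Microsoft's ASR rule reference: "Block executable files from
# running unless they meet a prevalence, age, or trusted list criterion".
$RuleId = '01443614-cd74-433a-b99e-2ecdc07bfc25'

function Get-AsrRuleState {
    # Hypothetical helper: returns the configured action for $RuleId.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    $names   = @{ 0 = 'Disabled'; 1 = 'Block (ON)'; 2 = 'Audit'; 6 = 'Warn' }
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -eq $RuleId) { return $names[[int]$actions[$i]] }
    }
    return 'NotConfigured'
}

function Set-AsrRuleState {
    param([Parameter(Mandatory)][ValidateSet('Enabled', 'AuditMode')][string]$Action)
    # Add-MpPreference adds or updates this one rule; Set-MpPreference would
    # overwrite the whole list of configured ASR rules.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                     -AttackSurfaceReductionRules_Actions $Action
}

function Get-AsrRuleEvents {
    param([int]$Days = 2)
    # Defender operational log: 1121 = blocked by an ASR rule, 1122 = audited.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $RuleId } |
        Select-Object TimeCreated, Id, Message
}

# Check the current state and what the rule has blocked or audited recently.
Get-AsrRuleState
Get-AsrRuleEvents -Days 2

# For an installer you are certain is clean: audit, install/update and run, then ON again.
# Set-AsrRuleState -Action AuditMode
# Set-AsrRuleState -Action Enabled
```

The event query shows which file tripped the rule, which helps decide between waiting the roughly two days mentioned in the post and the temporary Audit step.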

Gandalf_The_Grey

@SeriousHoax browser cache problem inspired me to try Kaspersky Security Cloud again (y)
Running great so far, I have slightly more system and browsing speed compared to Windows Defender on high settings.
I hope that Simple Windows Hardening and Documents Anti Exploit from @Andy Ful compensate for the lack of application control in the free version.
This time I also changed from uBlock Origin to AdGuard, both are great and maybe I will switch back sometime.
But this time AdGuard's log was more helpful in unbreaking a website my daughter needed for school.
And it is easy to report such breakage and it will be solved in a few days by the AdGuard filter maintainers.
 

Andy Ful

@SeriousHoax browser cache problem inspired me to try Kaspersky Security Cloud again (y)
Running great so far, I have slightly more system and browsing speed compared to Windows Defender on high settings.
I hope that Simple Windows Hardening and Documents Anti Exploit from @Andy Ful compensate for the lack of application control in the free version.
This time I also changed from uBlock Origin to AdGuard, both are great and maybe I will switch back sometime.
But this time AdGuard's log was more helpful in unbreaking a website my daughter needed for school.
And it is easy to report such breakage and it will be solved in a few days by the AdGuard filter maintainers.
Just use standalone RunBySmartscreen to run not-trusted files, especially when extracted from archives or originated from flash drives (USB drives).(y)
 

SeriousHoax

Level 34
Verified
Mar 16, 2019
2,358
Surfing is almost the same, in testing I have a slightly lower ping, maybe it's because I want it but browsing feels a bit snappier 🤔
Surprising. In my case, I don't notice speed difference if I just casually browse the web but if I go for accurate measurements using a stopwatch (😂) then I can see that with Defender it's slightly faster.
 

FireHammer

Level 8
Aug 27, 2020
384
Inspired by the config of @silversurfer : SECURE: Complete - silversurfer Laptop Security Config 2020
I decided to see what config worked the best on my laptop:
Windows Defender (with ConfigureDefender at High)
Ziggo Safe Online (F-Secure Safe (free from my ISP))
Kaspersky Security Cloud Free
For me, Kaspersky Security Cloud Free is the lightest on my system at the moment while still offering very good protection.
Replaced (maybe temporarily) uBlock Origin with AdGuard for adding Google's Safe Browsing to the mix.
Hi, @Gandalf_The_Grey I also have been offered F-Secure Safe from my ISP-STOFA, but I like Bitdefender more. (y)
 

Gandalf_The_Grey

Are you still using AdGuard? I saw a few months old on ongoing issue on their GitHub about few YouTube ads being missed by AdGuard. Have you experienced anything like this?
Yep, I'm still using AdGuard. No problems with YouTube ads.
I have added the two filters from Yuki2718: AdGuard Social media Plus and AdGuard Tracking Protection Plus. Maybe those helped?
 