SECURITY: Complete Gandalf_The_Grey's Security Config 2021

Last updated
Oct 13, 2021
About
Personal, primary device
Additional PC users
Not shared with other users
Desktop OS
Windows 11
OS edition
Home
Login security
    • Password-less (PIN, Biometric, Face)
Primary sign-in
Microsoft account
Primary user
Admin user - Full permissions
Security updates
Automatic - allow all types of updates
Windows UAC
Maximum - always notify
Network firewall
Third-party router
Real-time protection
Ziggo Safe Online by F-Secure 18.0
Simple Windows Hardening 1.0.1.0 beta
HomeCare by Trend Micro on TP-Link Archer AX6000 router
Software firewall
Microsoft Defender Firewall
Custom RTP, Firewall and OS settings
Ziggo Safe Online by F-Secure
Default settings
Windows 11
Memory Integrity enabled
Simple Windows Hardening ver. 1.0.1.0 beta
Basic recommended settings and restricted SMB123
Foxit PDF Reader 11.1.0.52543
Protected View for all files, Safe Reading Mode enabled, JavaScript disabled
Malware testing
No malware samples
Periodic security scanners
HitmanPro and AdwCleaner (for the kids)
Secure DNS
From ISP (Ziggo)
VPN
AdGuard VPN (seldom used)
Password manager
Bitwarden extension
Browsers, Search and Addons
Microsoft Edge with uBlock Origin, Bitwarden, Browsing Protection by F-Secure and Microsoft Editor
Maintenance and Cleaning
Autoruns, CCleaner, Disk Cleanup, PatchMyPC and SUMo
Personal Files & Photos backup
Windows File History on external drive (weekly)
OneDrive with Microsoft 365 ransomware protection (always on sync)
Personal backup routine
Automatic (scheduled)
Device recovery & backup
Windows system image
Device backup routine
Manual (maintained by self)
PC activity
  1. Working from home. 
  2. Browsing the web. 
  3. Emails. 
  4. Shopping. 
  5. Banking. 
  6. Multimedia. 
Computer specs
Acer Aspire VN7-791G-576X
Intel Core i5-4210H
Intel HD Graphics 4600 / NVIDIA GeForce GTX 860M
Kingston 16GB Dual-Channel DDR3 PC3-12800 RAM
Samsung SSD 850 EVO M.2 250GB
Seagate HDD ST1000LM014-1EJ164 1TB
Realtek High Definition Audio
Personal changelog
2020.12.29 Filled the new fields
2020.12.30 installed Ziggo Safe Online
2021.01.04 back to Microsoft Defender with Hard_Configurator and added SpywareBlaster
2021.01.06 removed SpywareBlaster and went with stronger H_C -setup
2021.02.01 back to simpler setup with ConfigureDefender and Simple Windows hardening. Added Process Lasso
2021.02.08 Filled the new fields, no changes to config
2021.02.12 Microsoft Defender caused problems, back to KSCF and removed Process Lasso
2021.03.03 Update Kaspersky Security Cloud Free to the latest version, removed HitmanPro and enabled Microsoft Defender periodic scanning.
2021.03.28 back to Microsoft Defender Antivirus
2021.04.25 back to Ziggo Safe Online
2021.05.03 back to Microsoft Defender Antivirus
2021.05.07 switched from the uBlock Origin to the AdGuard extension
2021.10.04 back to Ziggo Safe Online and uBlock Origin
2021.10.05 back to the AdGuard extension
2021.10.13 upgraded to Windows 11 and back to uBlock Origin
Feedback Response

Most critical feedback

ForgottenSeer 89360

This is a very solid configuration for a home user, thanks for sharing with us.

BTW what's HomeCare by Trend Micro on TP-Link Archer AX6000 router?

Update: I found it, seems like what Trend Micro offers with their secure router. It offers Intrusion Prevention, amongst other features. Very nice choice!
It should also be blocking malicious websites.
 
Gandalf_The_Grey

> This is a very solid configuration for a home user, thanks for sharing with us.
>
> BTW what's HomeCare by Trend Micro on TP-Link Archer AX6000 router?
>
> Update: I found it, seems like what Trend Micro offers with their secure router. It offers Intrusion Prevention, amongst other features. Very nice choice!
> It should also be blocking malicious websites.
Thanks, here is link explaining HomeCare:
EDIT: added a screenshot from my router:

ForgottenSeer 89360

I tested AVs' abilities to block dodgy websites a while ago and it looks like Trend Micro evaluates the reviews of shopping websites. Shopping platforms with bad reviews on Facebook, for example, get blocked regardless of the fact that they don't serve malware or phishing. Having their web-filtering on a router level provides an extra layer of safety.
Example of dodgy shopping platform blocked by Trend: Online Shopping for Dresses,Shoes and Bags-moonalano.com

Edit: Screenshot added.

Gandalf_The_Grey

> I tested AVs' abilities to block dodgy websites a while ago and it looks like Trend Micro evaluates the reviews of shopping websites. Shopping platforms with bad reviews on Facebook, for example, get blocked regardless of the fact that they don't serve malware or phishing. Having their web-filtering on a router level provides an extra layer of safety.
> Example of dodgy shopping platform blocked by Trend: Online Shopping for Dresses,Shoes and Bags-moonalano.com
I added a screenshot from HomeCare on my router in my post above you.
It's a great extra layer, but with a laptop it works only when I'm home (most of the time nowadays).
It even blocked some spam page on my work laptop today.
That page isn't blocked for me and is not flagged at VirusTotal:
 
ForgottenSeer 89360

It's blocked by Trend Micro home products, it looks like someone has read the Facebook reviews. Maybe this category just isn't covered in the router, but since you are mostly away it's not that important anyway. Trend Micro is still good in filtering out malware-related webpages.
 

Gandalf_The_Grey

> It's blocked by Trend Micro home products, it looks like someone has read the Facebook reviews. Maybe this category just isn't covered in the router, but since you are mostly away it's not that important anyway. Trend Micro is still good in filtering out malware-related webpages.
No, it was an error in your link possibly by the forum software.
The https link is okay, the http link manually typed by me gets blocked but only by HomeCare on my router, not by the rest of my config.
 

ErzCrz

Great set-up! I'd been playing around with various solutions this past week but keep coming back to the same solution as yours. Sadly my ISP router isn't as fancy though I can block categories via DNS (Sky shield). I suppose having been caught out by ransomware a few years back leads me to being paranoid and I end up going back to Comodo but H_C blocks and checks new files and locks down the system.

Anyway, great setup, I'll be following suit.

E
 

Gandalf_The_Grey

> Great set-up! I'd been playing around with various solutions this past week but keep coming back to the same solution as yours. Sadly my ISP router isn't as fancy though I can block categories via DNS (Sky shield). I suppose having been caught out by ransomware a few years back leads me to being paranoid and I end up going back to Comodo but H_C blocks and checks new files and locks down the system.
>
> Anyway, great setup, I'll be following suit.
>
> E
Thanks, my ISP provided router is also not fancy and has bad WIFI coverage, that's why I let them set it in bridge mode and added my own TP-Link router.
Now I have extra protection (HomeCare by Trend Micro on the router) and great wifi coverage for these times that I work from home and both my kids are following school lessons via Teams in their own bedrooms.

I can certainly understand that having been caught by ransomware makes you paranoid.
Do you know how you got it and why your security failed that time?

I have been using and testing various free solutions myself (F-Secure Safe (free through my ISP), Kaspersky Security Cloud Free and Comodo Firewall).
Thanks to all the tests done and discussions posted here and of course my own experience I always come back to built-in protection enhanced by some extra tools.

I think a good AV, an up-to-date chromium-based browser with an adblocker and regularly performing backups could do a lot to protect you.
Personally, I like the extra protection given by OneDrive with Microsoft 365 ransomware protection when you pay for Microsoft (Office) 365.
 

ErzCrz

> Thanks, my ISP provided router is also not fancy and has bad WIFI coverage, that's why I let them set it in bridge mode and added my own TP-Link router.
> Now I have extra protection (HomeCare by Trend Micro on the router) and great wifi coverage for these times that I work from home and both my kids are following school lessons via Teams in their own bedrooms.
>
> I can certainly understand that having been caught by ransomware makes you paranoid.
> Do you know how you got it and why your security failed that time?
>
> I have been using and testing various free solutions myself (F-Secure Safe (free through my ISP), Kaspersky Security Cloud Free and Comodo Firewall).
> Thanks to all the tests done and discussions posted here and of course my own experience I always come back to built-in protection enhanced by some extra tools.
>
> I think a good AV, an up-to-date chromium-based browser with an adblocker and regularly performing backups could do a lot to protect you.
> Personally, I like the extra protection given by OneDrive with Microsoft 365 ransomware protection when you pay for Microsoft (Office) 365.
Cool.

I was researching some things online and opened a Word document link. Was using Chrome and Comodo at the time but just with the default setup. It was partially blocked but files still got corrupted along with shadowcopy backup. Anyway, I think H_C or a tweaked Comodo or even the browser tweaks and uBlock would have protected me better. At present just tinkering with CIS in Proactive mode but it's more approving legitimate actions than anything else.

A lot to be said for built-in protection tweaked with H_C locks down the system well and the CD/FH tweaks make it just as good as the competition out there. I don't use Controlled Folder but I do back up docs to OneDrive weekly.
 

Gandalf_The_Grey

> Cool.
>
> I was researching some things online and opened a Word document link. Was using Chrome and Comodo at the time but just with the default setup. It was partially blocked but files still got corrupted along with shadowcopy backup. Anyway, I think H_C or a tweaked Comodo or even the browser tweaks and uBlock would have protected me better. At present just tinkering with CIS in Proactive mode but it's more approving legitimate actions than anything else.
>
> A lot to be said for built-in protection tweaked with H_C locks down the system well and the CD/FH tweaks make it just as good as the competition out there. I don't use Controlled Folder but I do back up docs to OneDrive weekly.
I hope as regular users we will get access to Application Guard for Office in the future.
Looks to me like a good solution against the threat you faced.
Controlled folder access is a mild nuisance on my mostly static system (not being a gamer) and is, it seems, easily bypassed, so no real loss there when not using it.
Backups are (as you are already doing) the best defense against ransomware.

Be sure to test them because when I was using the automatic OneDrive sync not all files got backed up using File History (my second backup method) because of the OneDrive Files On-Demand feature. Problem solved after disabling that feature.
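
An added example, not part of the original post: a PowerShell check for the backup gap described above, listing files in the OneDrive folder that exist only as online placeholders. It assumes the OneDrive client has set `$env:OneDrive` to the sync root and that placeholders carry the standard Win32 cloud-file attribute bits.

```powershell
# Added example: find OneDrive files that are online-only placeholders.
# Assumption: $env:OneDrive points at the sync root; override with -Root.
param(
    [string]$Root = $env:OneDrive
)

# Win32 file attribute bits set on files whose content is not stored locally.
$FILE_ATTRIBUTE_OFFLINE               = 0x00001000
$FILE_ATTRIBUTE_RECALL_ON_OPEN        = 0x00040000
$FILE_ATTRIBUTE_RECALL_ON_DATA_ACCESS = 0x00400000
$PlaceholderMask = $FILE_ATTRIBUTE_OFFLINE -bor
                   $FILE_ATTRIBUTE_RECALL_ON_OPEN -bor
                   $FILE_ATTRIBUTE_RECALL_ON_DATA_ACCESS

if (-not $Root -or -not (Test-Path -LiteralPath $Root -PathType Container)) {
    throw "OneDrive folder not found; pass -Root <path>."
}

# Enumerating reads metadata only, so it does not download any file content.
$all = @(Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue)

# A file is a placeholder when any of the cloud bits is set on it.
$onlineOnly = @($all | Where-Object {
    ([int]$_.Attributes -band $PlaceholderMask) -ne 0
})

"{0} of {1} files under '{2}' are online-only placeholders." -f `
    $onlineOnly.Count, $all.Count, $Root

# Show which folders hold the most placeholders, largest first.
$onlineOnly |
    Group-Object DirectoryName |
    Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name |
    Format-Table -AutoSize
```

A count of zero means every file in the folder has its content on disk; any file listed has no local data for a second, local backup to read.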
 

HarborFront

> This is a very solid configuration for a home user, thanks for sharing with us.
>
> BTW what's HomeCare by Trend Micro on TP-Link Archer AX6000 router?
>
> Update: I found it, seems like what Trend Micro offers with their secure router. It offers Intrusion Prevention, amongst other features. Very nice choice!
> It should also be blocking malicious websites.
Yes, Trend Micro is also available in other routers (e.g. Asus, Linksys, etc.) and for FREE. They are very generous in their free offering as compared to BitDefender (as NetArmor subscription) in Netgear routers. In exchange Trend Micro will collect all your personal info.
 

Gandalf_The_Grey

> I really like your simple yet effective configuration. Have you considered using Adguard Desktop? And what is your default DNS?

I have licenses for AdGuard desktop, but I don't like its HTTPS filtering done by a root certificate and having to install another program.
Furthermore, one click on the interface of uBlock Origin shows me what's connected and what's filtered or blocked.
I prefer uBlock Origin in this mode: Browser Add-on - uBlock0rigin in Medium mode for Lighter and Stronger Protection, with Less websites breakage and hassle
I sometimes switch between the AdGuard extension and uBlock Origin but generally I prefer uBlock Origin because it has the least impact on browsing.
My AdGuard licenses are used on the 4 Android phones in my household and our iPad.

My default DNS is the one provided by my ISP (Ziggo) because it's simply the fastest for me.
 

Gandalf_The_Grey

> How are your experiences with Driver Easy Pro if I can ask? The reviews are quite mixed and I'm not sure if it's worth purchasing.

I find it difficult to say. It's good but not great. Finds updated drivers but not for all, for example I don't get an updated Realtek Audio driver, but I get the latest Nvidia driver. What is good is that I have no issues with drivers not fit for the different laptops here in my household. I had such problems with for example Snappy Driver Installer.
 