Advanced Plus Security Happy wife happy life setup

Last updated
Feb 6, 2020
Desktop OS
Windows 11
Login security
Primary sign-in
Microsoft account
Primary user
Admin user - Full permissions
Security updates
Automatic - allow all types of updates
Windows UAC
Maximum - always notify
Real-time protection
Kaspersky Security Cloud FREE
Software firewall
Microsoft Defender Firewall
Custom RTP, Firewall and OS settings
Hard Configurator with default deny for dangerous file extensions in user folders (allowing MSI, EXE and TMP) and blocking script processing sponsors/LOLbins (allowing execution when UAC elevated a process or running as Administrator).

Added Windows Defender Exploit Protection for Office programs and Edge browser (most important feature for all Microsoft signed script processing user programs is to enable Code Integrity Guard and additionally set a 'do not allow child processes' for Word, Excel and PowerPoint).

Added DocumentsAntiexploit set MsOffice to ON2 (can't be overruled in Trust Center) and checked and hardened the remaining settings of the Office Trust Center manually (tighten trusted locations, disable unnecessary add-ins, macros, ActiveX, use Protected View etc).

Added a 'Traverse folder/ Deny Execute' Access Control List for Everyone in:
- Public User
- Startup folders (both ProgramData and AppData)
- Downloads folder
- Outlook Mail folder on second harddisk
- My Documents on second harddisk
- My Pictures on second harddisk
- My Videos on second harddisk

Windows 10 Pro - Group Policy hardening
- Disabled remote/assistance/sharing features and services
- Disabled stuff I don't use (gadgets, netmeeting, workspace, games, rss feeds, etc)
- Deny execution access on Removable disk & turn off autoplay
- Restricted HKCU legacy run (run/don't run, custom user interface, run at startup, legacy run)

Malware testing
No malware samples
Periodic security scanners
Sysinternals Process Explorer and Autoruns and Microsoft's monthly Windows Malicious Software Removal Tool (MSRT).
Browsers, Search and Addons
Opera hardened by setting most of the website permissions to block and uMatrix blocking third-party code references like scripts, frames and XMLHttpRequest.

Edge with most website permissions on default, disabled SmartScreen with added Adguard (using Peter Lowe's blocklist and 20 User Rules for things missed by the blocklist using Adguard's easy to use 'block ads on this website' rule creator feature)

Maintenance and Cleaning
Windows built-in
Personal Files & Photos backup
Windows Data Backup plus SyncBackFree monthly backup to USB
Personal backup routine
Device recovery & backup
Windows Image Backup
Device backup routine
PC activity
  1. Banking. 
  2. Browsing the web. 
  3. Streaming. 
  4. Working from home. 
Computer specs
Personal changelog
Running admin again, replaced Windows Defender with Kaspersky Free
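
The 'Traverse folder / Deny Execute' entry for Everyone listed in the setup above can be checked and applied from PowerShell. This is an added example, not the thread author's own script; the folder paths and the inheritance flags are assumptions, and the data folders on the second disk would have to be added to the list.

```powershell
# Added example, not the thread author's script. Paths and inheritance
# flags are assumptions; add the data folders on the second disk as needed.
param([switch]$Apply)   # without -Apply the script only reports

$everyone = [System.Security.Principal.SecurityIdentifier]::new('S-1-1-0')  # Everyone
$execute  = [System.Security.AccessControl.FileSystemRights]::ExecuteFile

function Test-DenyExecute([string]$Path) {
    # True when an Everyone/Deny entry covering "Traverse folder / execute file" exists
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        if ($r.IdentityReference.Value -eq $everyone.Value -and
            $r.AccessControlType -eq 'Deny' -and
            ($r.FileSystemRights -band $execute)) { return $true }
    }
    return $false
}

function Set-DenyExecute([string]$Path) {
    # InheritOnly: the entry is inherited by files and subfolders below $Path,
    # while the top folder's own entry list gets no direct deny.
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $everyone, $execute,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::InheritOnly,
        [System.Security.AccessControl.AccessControlType]::Deny)
    $acl = Get-Acl -LiteralPath $Path
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

$folders = @(
    $env:PUBLIC,
    "$env:USERPROFILE\Downloads",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
)

foreach ($f in $folders) {
    if (-not (Test-Path -LiteralPath $f)) { Write-Warning "Not found: $f"; continue }
    if (Test-DenyExecute $f) { "OK       $f" }
    elseif ($Apply)          { Set-DenyExecute $f; "APPLIED  $f" }
    else                     { "MISSING  $f" }
}
```

Changing the ACL on the ProgramData Startup folder needs an elevated session; run without `-Apply` first to see which folders lack the entry.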

Lenny_Fox

Thanks, forgot to mention running the monthly Windows Malicious Software Removal Tool (MSRT). I prefer to roll back to a clean image when programs in UAC-protected folders are infected. When the AV finds poisoned documents and deletes them, I also check my documents backup (AV-scan).

Because my girlfriend uses the same setup, all custom security settings are geared towards reducing the attack surface while maintaining full functionality and compatibility
- setting software restriction policy for dangerous file extensions while allowing MSI, EXE and TMP executables
- setting software restriction policy for script processing LOLbins, while allowing them to run elevated
- adding strong exploit protection designed by Microsoft for Microsoft (no compatibility issues, no functional restrictions)
- adding ACL restrictions on sub-folders which should not host executable code

To be honest, I would have stayed on an all-Microsoft security setup if the IT guy had not convinced my girlfriend that Kaspersky is the best. This setup shows I am open-minded by using a US operating system with a Russian AV, a US browser with a Russian ad-blocker and a Chinese browser-VPN with a third-party content blocker from a Canadian developer.

Dhruv2193

Good decision, using software from different countries and not being paranoid like many users who don't like software just because it is from a particular country.