Latest changes
Feb 6, 2020
Operating system
Windows 10 Pro
OS version
1909
System type
64-bit operating system; x64-based processor
Security updates
Automatically allow security and feature updates
Windows UAC
Always notify
Firewall protection
Microsoft Defender Firewall
Account privileges
Administrator account
Account type
Sign in with associated Microsoft ID
Account log-in
  1. Windows Hello PIN
Exposure to malware
No malware samples are downloaded
Real-time Malware protection
Kaspersky Security Cloud FREE
RTP configuration
Hard Configurator with default deny for dangerous file extensions in user folders (allowing MSI, EXE and TMP) and blocking script processing sponsors/LOLbins (allowing execution when UAC elevated a process or running as Administrator).

Added Windows Defender Exploit Protection for Office programs and Edge browser (most important feature for all Microsoft signed script processing user programs is to enable Code Integrity Guard and additionally set a 'do not allow child processes' for Word, Excel and PowerPoint).

Added DocumentsAntiexploit set MsOffice to ON2 (can't be overruled in Trust Center) and checked and hardened remaining settings of the Office Trust Center manually (tighten trusted locations, disable unnecessary add-ins, macros, ActiveX, use protected view etc).

Added a 'Traverse folder/ Deny Execute' Access Control List for Everyone in:
- Public User
- Startup folders (both ProgramData and AppData)
- Downloads folder
- Outlook Mail folder on second hard disk
- My Documents on second hard disk
- My Pictures on second hard disk
- My Videos on second hard disk

Windows 10 Pro - Group Policy hardening
- Disabled remote/assistance/sharing features and services
- Disabled stuff I don't use (gadgets, netmeeting, workspace, games, rss feeds, etc)
- Deny execution access on Removable disk & turn off autoplay
- Restricted HKCU legacy run (run/don't run, custom user interface, run at startup, legacy run)

Periodic scanners
Sysinternals Process Explorer and Autoruns and Microsoft's monthly Windows Malicious Software Removal Tool (MSRT).
Browser and Add-ons
Opera hardened by setting most of the website permissions to block and uMatrix blocking third-party code references like scripts, frames and xmlhttprequest.

Edge with most website permissions on default, disabled SmartScreen with added Adguard (using Peter Lowe blocklist and 20 User Rules for things missed by blocklist using Adguard's easy to use 'block ads on this website' rule creator feature)

Privacy tools and VPN
Using Adguard's malware protection (Google's Safe Browsing) instead of Edge's SmartScreen and enabled edge://flags #reduced-referrer-granularity and #enable-webrtc-hide-local-ips-with-mdns for enhanced privacy.

Using Opera's VPN and WebRTC with #chromium-ua-compatibility and #opera-doh about://flags enabled for enhanced privacy.

Password manager
Memory
Search engine
On Opera using DuckDuckGo and on Edge using Startpage (blocking the ads) in address bar and Google.NL in Home button
Maintenance tools
Windows built-in
Photos and Files backup
Windows Data Backup plus SyncBackfree monthly backup to USB
File Backup schedule
Once or multiple times per month
Backup and Restore
Windows Image Backup
Backup schedule
Once or more per month
Computer Activity
  1. Online banking
  2. Browsing the web and checking emails
  3. Streaming movies, TV shows and music from the Internet
  4. Office and other work-related software (Work from Home)
Computer Specifications
Your changelog
Running admin again, replaced Windows Defender for Kaspersky Free
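
The 'Traverse folder / Deny Execute' ACL step from the configuration above can be scripted. This is an added example, not the poster's own script: the function names and the folder list are assumptions, and the second-disk folders from the post have to be added by hand.

```powershell
# Added example: Deny "Traverse folder / execute file" for Everyone on data folders.
$everyone = [System.Security.Principal.SecurityIdentifier]::new('S-1-1-0')  # Everyone
$execute  = [System.Security.AccessControl.FileSystemRights]::ExecuteFile   # same bit as Traverse

function Test-DenyExecuteAce {
    param([Parameter(Mandatory)][string]$Path)
    # Explicit (non-inherited) ACEs only, with identities returned as SIDs
    # so the check does not depend on the localized name of "Everyone".
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules(
        $true, $false, [System.Security.Principal.SecurityIdentifier])
    [bool]($rules | Where-Object {
        $_.IdentityReference.Value -eq 'S-1-1-0' -and
        $_.AccessControlType -eq 'Deny' -and
        $_.FileSystemRights.HasFlag($execute)
    })
}

function Add-DenyExecuteAce {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Path)
    if (Test-DenyExecuteAce -Path $Path) { Write-Verbose "Already set: $Path"; return }
    # Inherit to subfolders and files so anything dropped later is covered too.
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $everyone, $execute, $inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Deny)
    $acl = Get-Acl -LiteralPath $Path
    $acl.AddAccessRule($rule)
    if ($PSCmdlet.ShouldProcess($Path, 'Add Deny ExecuteFile ACE for Everyone')) {
        Set-Acl -LiteralPath $Path -AclObject $acl
    }
}

# Assumed folder list modelled on the post; add your own data-disk folders here.
$folders = @(
    $env:PUBLIC,
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup'),
    (Join-Path $env:USERPROFILE 'Downloads')
)
foreach ($f in $folders | Where-Object { Test-Path -LiteralPath $_ -PathType Container }) {
    Add-DenyExecuteAce -Path $f -WhatIf          # remove -WhatIf to apply the change
    '{0,-5} {1}' -f (Test-DenyExecuteAce -Path $f), $f   # True = ACE present
}
```

With the default "Bypass traverse checking" user right, browsing into these folders keeps working and only execution of files inside them is refused. A Deny ACE for Everyone also binds elevated processes, so installers saved to Downloads must be moved elsewhere before they can run.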

Lenny_Fox

Level 14
Verified
Thanks, forgot to mention running the monthly Windows Malicious Software Removal Tool (MSRT). I prefer to roll back to a clean image when programs in UAC protected folders are infected. When AV finds poisoned documents and deletes them, I also check my documents backup (AV-scan).

Because my girlfriend uses the same setup, all custom security settings are geared towards reducing the attack surface while maintaining full functionality and compatibility
- setting software restriction policy for dangerous file extensions while allowing MSI, EXE and TMP executables
- setting software restriction policy for script processing LOLbins, while allowing them to run elevated
- adding strong exploit protection designed by Microsoft for Microsoft (no compatibility issues, no functional restrictions)
- adding ACL restrictions on sub-folders which should not host executable code

To be honest, I would have stayed on an all-Microsoft security setup if the IT guy had not convinced my girlfriend that Kaspersky is the best. This setup shows I am open minded by using a US operating system with a Russian AV, a US browser with a Russian Ad-blocker and a Chinese Browser-VPN with a third-party content blocker of a Canadian developer.
 

Dhruv2193

Level 9
Verified
Good decision, using software from different countries and not being paranoid like many users who don't like software just because it is from a particular country.
 