Advice Request "Hardening" - the pros and cons?

[Zorro]

It's no secret that in Windows many different protective functions are disabled by default, but something, on the contrary, is already enabled from the very beginning. It is probably no coincidence that Microsoft leaves some features disabled. There are special programs for “hardening" the system, with which you can activate or deactivate certain functions, change the settings. Personally, I used the syshardener program. Many use Andy’s Hard Configurator. But sometimes you think, and maybe with the programs “hardeners” there are more problems than convenience? Is the system really worth the hardening? One combination of security programs (anti-virus class of Internet security) plus compliance with safety rules on the Internet, when working with mail, etc. not enough? What are the pros and cons of hardening the system, and what will be better - an anti-virus class of Internet security + own caution or hardened system + own caution? Are successful combinations of system hardening with security programs possible without explicit / hidden conflicts? For example, while I personally have not had any conflicts, but maybe I just do not deeply examine the program logs, and apparently does not indicate anything about the problems. In addition, security programs are constantly updated, additional functions appear and how it will be compatible with system hardening is unclear, and it will be difficult to search for reasons, since hardening affects many parameters. What is your opinion? What method of protecting the system will you choose to vote?

 

[Ink]

I would say "System hardening + own caution" is applicable for most non-Windows users.

+ Windows 10 comes with WDA built-in AV.
- Microsoft allows users to use 3p AV on non-S-Mode devices.
- Windows OS is still vulnerable to malware (due to end user).

+ Apple's macOS comes with no built-in AV, and nor does iOS/iPadOS.
- Mac users can still use 3p AV, still able to get malware
- Apple does not allow AV apps on the App Store, therefore you cannot install an AV for iOS.

+ Google's Android comes with passive Play Protect on certified supported devices.
- Google does allow AV apps on the Google Play Store, therefore you can install an AV for Android.
- Android has an extensive malware problem, much greater than iOS.

 

[plat]

Voted "antivirus (free) plus system hardening plus 3-4 security programs."

Since the "free" antivirus is bolstered Defender w/SmartScreen, plus 2 very small footprint security progs: NVTOSArmor and Andy Ful's wonderful Firewall Hardening Tool, I don't feel it's too much overkill. Six ASR rules via gpedit.msc and latest Windows updates for add'l system hardening.

Pretty importantly: the machine can breathe. It runs without lags or delays and boots in 10 sec.

If the "hardening" and/or extra security software is impacting the performance of the machine, BIG con. Really, really BIG.

 

[Sampei Nihira]

Too many choices with antivirus required.
I do not use it.
I can't vote.

 

[Zorro]

Too many choices with antivirus required.
I do not use it.
I can't vote.

Then the first answer without an antivirus is your choice

 

[Gandalf_The_Grey]

Windows Defender + Hard_Configurator + own caution helpend by the Netcraft extension.
And don't forget backups.

 

[BVLon]

It's no secret that in Windows many different protective functions are disabled by default, but something, on the contrary, is already enabled from the very beginning. It is probably no coincidence that Microsoft leaves some features disabled. There are special programs for “hardening" the system, with which you can activate or deactivate certain functions, change the settings. Personally, I used the syshardener program. Many use Andy’s Hard Configurator. But sometimes you think, and maybe with the programs “hardeners” there are more problems than convenience? Is the system really worth the hardening? One combination of security programs (anti-virus class of Internet security) plus compliance with safety rules on the Internet, when working with mail, etc. not enough? What are the pros and cons of hardening the system, and what will be better - an anti-virus class of Internet security + own caution or hardened system + own caution? Are successful combinations of system hardening with security programs possible without explicit / hidden conflicts? For example, while I personally have not had any conflicts, but maybe I just do not deeply examine the program logs, and apparently does not indicate anything about the problems. In addition, security programs are constantly updated, additional functions appear and how it will be compatible with system hardening is unclear, and it will be difficult to search for reasons, since hardening affects many parameters. What is your opinion? What method of protecting the system will you choose to vote?

Do you examine the startup sections of the registry and the startup folder as well? Also, do you examine the scheduled tasks? In a while we'll talk about RogueKiller and why I personally find it great.

 

[Sampei Nihira]

Then the first answer without an antivirus is your choice

What you mean precisely with own caution?

 

[ForgottenSeer 55474]

Hey, I use third party AV+Hardening+3-4 security programs & Caution.

 

[shmu26]

If you are the only person using the computer, and you know what you are doing, you can get away with a light, free antivirus and exercising proper caution.
But if you have inexperienced or click-happy users on the computer, you need a stronger security strategy.

 

[bribon77]

I think that all the options are valid, it is difficult to mark one, which if I remain with the precaution is fundamental I think.

 

[Tiamati]

I used Hard_Config (recomended settings) with Bitdefender Internet Security for a while in my own PC. The only drawback was the constant policies avoiding me to run .exe every time i forgot about it (basically all the time). I didn't notice any other conflict...

I was so confident that it can be used without disturbing, that i enabled Hard_config (with the allow *.EXE option enabled) along with Kaspersky free in my parents PC. They already used it for 2 months without calling after midnight wanting to kill me, so i think it's good so far.

Lately i moved on to Kaspersky Internet Security with TAM enabled. So i'm not currently using Hard_Config. I didn't have a lot of trouble till now too. But TAM is more friendly if you keep installing signed apps.

IMHO, a good free AV (bitdefender or kaspersky) + own caution is enough if you are the average user. But if you are like most here, and like to test somethings - not always 100% safe - from time to time, maybe hardening is a good idea

 

[show-Zi]

Hamburger (beef) + cola s
Hamburger (pork) + Pepsi m
Hamburger (chicken) + french fries + cola m

When I go to McDonald's, I am always confused by the many choices. I can not answer immediately for that reason.
About strengthening the system. I think extreme theory is a cutoff from the network. It has the potential to sacrifice convenience. I think it means that users adjust their registry and policies at their own volition, but I think it's a mere imitation to implement without understanding the settings recommended by others. If you aren't confident you can deal with a failure when it happens, it can be a destruction rather than a hardening.

Suppose you have the ability to disable mouse clicks and keyboard enter keys. It is both an enhancement and a loss. However, I think it would be useful if it works only when a dangerous link is detected.

 

[bribon77]

I used Hard_Config (recomended settings) with Bitdefender Internet Security for a while in my own PC. The only drawback was the constant policies avoiding me to run .exe every time i forgot about it (basically all the time). I didn't notice any other conflict...

I was so confident that it can be used without disturbing, that i enabled Hard_config (with the allow *.EXE option enabled) along with Kaspersky free in my parents PC. They already used it for 2 months without calling after midnight wanting to kill me, so i think it's good so far.

Lately i moved on to Kaspersky Internet Security with TAM enabled. So i'm not currently using Hard_Config. I didn't have a lot of trouble till now too. But TAM is more friendly if you keep installing signed apps.

IMHO, a good free AV (bitdefender or kaspersky) + own caution is enough if you are the average user. But if you are like most here, and like to test somethings - not always 100% safe - from time to time, maybe hardening is a good idea

In my opinion, when using a security suite, such as Bitdefender Internet Security, or KIS, there is no need for programs such as H_C, or Syshardener, it is assumed that a suite of that quality has it all, you just have to understand how it works, Adding more is exaggerating.

 

[ForgottenSeer 85911]

Hamburger (beef) + cola s
Hamburger (pork) + Pepsi m
Hamburger (chicken) + french fries + cola m

When I go to McDonald's, I am always confused by the many choices. I can not answer immediately for that reason.
About strengthening the system. I think extreme theory is a cutoff from the network. It has the potential to sacrifice convenience. I think it means that users adjust their registry and policies at their own volition, but I think it's a mere imitation to implement without understanding the settings recommended by others. If you aren't confident you can deal with a failure when it happens, it can be a destruction rather than a hardening.

Suppose you have the ability to disable mouse clicks and keyboard enter keys. It is both an enhancement and a loss. However, I think it would be useful if it works only when a dangerous link is detected.

all those choices are ridiculous and the reason most "normies" stay away from places like this

 

[Tiamati]

In my opinion, when using a security suite, such as Bitdefender Internet Security, or KIS, there is no need for programs such as H_C, or Syshardener, it is assumed that a suite of that quality has it all, you just have to understand how it works, Adding more is exaggerating.

Hello @bribon77 . I appreciate your comment, but let me add some thoughts. A security suit really add that much of protection in comparison with the simple AV or free versions - with default configs? In my experience no. At least with kaspersky. For example, KIS add a few options like application control and TAM (disabled by default). All other important modules are present in the free version. So, basically you get some extras like anti-banner, private mode, safe money, firewall but they would not affect my choice about hardening or not the system. If i would harden with the free version, so i would do it too for the full security suit, as this one won't add any module that would affect my option (except por TAM, disabled by default in this case). I'm not questioning your position about not hardening the system. I'm just saying that is not the fact you are using the full security suit that should affect the choice.

My experience with Bitdefender internet security is very similar to kaspersky in this case. You get everything that really matters with the free version (except you can't configure it as you want). Internet security add firewall and other features like vulnerable check, security delete, etc..., but none of them are absolutely essential or can't be substituted by others windows configs or softwares

 

[bribon77]

all those choices are ridiculous and the reason most "normies" stay away from places like this

I don't think it's ridiculous, @show-Zi says there are so many options to mark that he feels lost, like when you enter McDonald's.
It is an easy analogy to understand.

 

[Outpost]

I honestly don't see this whole problem. A "moderate" hardening of the system does not create particular problems in daily use. Many of my family, friends or acquaintances didn't even realize that I had hardened their operating system.

 

[show-Zi]

I don't think it's ridiculous, @show-Zi says there are so many options to mark that he feels lost, like when you enter McDonald's.
It is an easy analogy to understand.

It's just as you pointed out. There were many choices in the questionnaire, so I tried to express them by analogy.
I like jokes and metaphors, but I know the dangers. If the frequency doesn't match, it's just noise. So the opinion of georgann94 is also right.

Spoiler: The sentence is completely unrelated to the topic

What I'm thinking about now is how we can communicate the importance and importance of security to people who are not interested in it. Talking passionately about technical terms and security software is probably tiring and fruitless. Metaphor is a great way to make your content easier to understand and more interesting to listen to.

 

[Stopspying]

I'm 'Antivirus (Internet Security) + 3-4 additional security programs + own caution'

I don't run the additional security programs all of the time, I'll usually do things like weekly MalwareBytes AntiMalware and RogueKiller scans to check in case the main AV has slipped up somewhere. I'd rather not have all my eggs in the one basket.