- Oct 1, 2019
- 1,120
Old laptop died, while helping an uncle migrating from old desktop to new laptop, so he gave me his old PC
Last edited:
Lenny_FoX Desktop Config 2021
- Thread starter Lenny_Fox
- Start date
I think this is the first time i now read here a good Windows config with internal Windows protection. I use nearly the same.
Good work!
Good work!
- May 13, 2017
- 2,646
Local account only & Windows Hello PIN? Is that even possible? 
- Apr 28, 2015
- 8,916
I have also local account password and Windows PIN, both different
Windows Hello is only saved locally and protected by TPMLocal account only & Windows Hello PIN? Is that even possible?
Good config!
Just curious, are you still dual booting with Linux, or have you moved away completely back to Windows?
Just curious, are you still dual booting with Linux, or have you moved away completely back to Windows?
- May 4, 2018
- 2,261
Maybe try bitwarden?
Good config either way.
~LDogg
Good config either way.
~LDogg
- Oct 1, 2019
- 1,120
REPLACED my less alphabet with Adblock for Youtube
Because my own Less Alphabet failed to block in stream advertisements in Youtube, I removed that list from AdGuard and added Adblock for Youtube, but allow it only to run on Youtube by a forum Member who used the bypass-paywals extension only on demand when running into a paywall).
REPLACED Application Guard on-demand with uMatrix on-demand
Because Edge launches much faster without the Virtal machine sandbox of Application Guard, I removed Application Guard and added uMatrix again for on-demand usage:
Why Adguard and uMatrix instead uBlock Origin with advanced dynamic filtering?
Smart forum users could suggest uBlock Origin, but I like Adguard's stealth mode (is like Clean URL's but I can tweak it) and I like it's additional cookie parameter to block cloud flare cookies. I also like the fact that uMatrix shows all the info (connected domains) while the filtering engine of uMatrix is OFf
___________ My Adguard USER RULES ---------------
Because my own Less Alphabet failed to block in stream advertisements in Youtube, I removed that list from AdGuard and added Adblock for Youtube, but allow it only to run on Youtube by a forum Member who used the bypass-paywals extension only on demand when running into a paywall).
REPLACED Application Guard on-demand with uMatrix on-demand
Because Edge launches much faster without the Virtal machine sandbox of Application Guard, I removed Application Guard and added uMatrix again for on-demand usage:
Why Adguard and uMatrix instead uBlock Origin with advanced dynamic filtering?
Smart forum users could suggest uBlock Origin, but I like Adguard's stealth mode (is like Clean URL's but I can tweak it) and I like it's additional cookie parameter to block cloud flare cookies. I also like the fact that uMatrix shows all the info (connected domains) while the filtering engine of uMatrix is OFf
___________ My Adguard USER RULES ---------------
Last edited:
- Jan 14, 2015
- 1,761
Interesting choice of Adguard with uMatrix. thanks for sharing the config
I never use such extensions. Your quote is corrupt ?
uMatrix doesn't provide that isolation from Application Guard. You reduce your security with that setup.
Also uMatrix doesn't increase your browser security at all. Other stuff is already handled by AdGuard
So without uMatrix (i guess from Google extension store?) you can disable external stores which increase your browser security
I also use AdGuard too
- Oct 1, 2019
- 1,120
Corrected, thanks
Yep, uMatrix by far does not provide isolation like VM Sandbox of WDAG, you are right about that. I disagree about uMatrix not increasing security.
With my settings, uMatrix blocks scripts, frames and XML HTTP request does the same as NoScript blocking scripts, frames and fetch (well not really because Fetch API sort of provides simular functionality, but works differently). Meaning no javascript can execute, making it a harmless CSS, HTML (text and media) website. I don't now of in the wild examples of payload execution without javascript execution. So when eneabled uMatrix increases security as far as I know
Last edited:
Can be archived with browser internal permissions
- Oct 1, 2019
- 1,120
Got bored with my current security setup, because it seems to do its job perfectly. What is the use of joining a Security Forum and not messing with your security setup. Most MT-members have probably bricked their system more often due to security tweaking as with malware infections. Being a junior member I want to be part of this distinct club who fix things which aint broken.
So here is my new setup which i will be trying out for a while.
First I changed from Standard user to Administrator and temporarily disabled "Validate Admin Sgnatures" to install Defender Control. After disabling Windows Defender I enabled "Validate Admin Signatures" again (meaning unsigned software is blocked by UAC when it wants to elevate to High Integrity Level.
Next I broke my first safehex rule to not use software which is not activily maintained and download and installed OSArmor. Because I want a signature based whitelist I also downloaded NoVirus Thanks Signer Extractor and ran it to find out which (signed) programs I have installed
My Security setup will be based on Windows Defender Exploit protection, Andy Ful's Simple Windows Hardening and OSArmor.
First thing I did is taking control of the protection settings, making OSArmor transparent by using my own rules only
Next I configured my own block rules [Edited thanks to tip of @Andy Ful]
And my own signature based exclusions (whitelist), based on signatures found by Signature Extractor
Overall delay of starting of executables increased from 1.5 to 1second for first program launch and repetive starts from 0.6 to 1 second. Which shows that WD is lighter than OSArmor on my PC.
Interesting to know forum members opinions
So here is my new setup which i will be trying out for a while.
First I changed from Standard user to Administrator and temporarily disabled "Validate Admin Sgnatures" to install Defender Control. After disabling Windows Defender I enabled "Validate Admin Signatures" again (meaning unsigned software is blocked by UAC when it wants to elevate to High Integrity Level.
Next I broke my first safehex rule to not use software which is not activily maintained and download and installed OSArmor. Because I want a signature based whitelist I also downloaded NoVirus Thanks Signer Extractor and ran it to find out which (signed) programs I have installed
My Security setup will be based on Windows Defender Exploit protection, Andy Ful's Simple Windows Hardening and OSArmor.
First thing I did is taking control of the protection settings, making OSArmor transparent by using my own rules only
Next I configured my own block rules [Edited thanks to tip of @Andy Ful
]And my own signature based exclusions (whitelist), based on signatures found by Signature Extractor
Overall delay of starting of executables increased from 1.5 to 1second for first program launch and repetive starts from 0.6 to 1 second. Which shows that WD is lighter than OSArmor on my PC.
Interesting to know forum members opinions
Last edited:
- Oct 1, 2019
- 1,120
Only for first party from block to allow and not on demand from allow to block for first AND third--party
- May 10, 2019
- 2,289
I am using Windows Hello PIN on my HP 290 G1 which does not support TPM (no such option in BIOS). How my PIN is protected?Windows Hello is only saved locally and protected by TPM
Take a look at windows defender overview or open "TPM.msc" from start menu first to check that out
Totally fine. For insecure sites I use application guard edge anyway
As browser is itself sandboxed and JavaScript exploits are rar & fast fixed blocking Javascript only increase security in theory nowadays.
For privacy it doesn't help either as blocking increase uniqueness.
I only block it in my surfing profile because of less annoying sites.
But in the end all depends of own setup, needs, thread Modell, ...
Just my experience after years using uMatrix on deny-all mode
- Jan 14, 2015
- 1,761
Just a side note. There's many benefits to joining a security forum and not tamper and break your system. Also in case you are not aware most that tweak a lot use VMS for that to test things first
- Jul 5, 2019
- 605
Are you going to test it? At first sight it feels like driving a car without fastening seat belts.
- Dec 23, 2014
- 8,514
On Windows 10, you can skip the block rules for MS Office, and simply apply blocking child processes for these applications via Exploit Protection from Microsoft Security Center (does not require Microsoft Defender).
Edit.
"SWH + these OSA custom settings" is an interesting semi-locked setup. The user can install/update the applications on the base of a shortlist of available signers. I suspect that it also allows installing/updating most of the UWP apps from Microsoft Store. By using SWH to Protect the system drive (except user profiles) the setup will not break anything in the system.
Anyway, for most MT members, it would be like living in the exclusive penitentiary.
Last edited:
Similar threads
