- Oct 1, 2019
- 1,124
May 2021 be a better year for all than 2020, stay safe and healthy
Lenny's 2021 intention: keep this setup for a year :-)
- Thread starter Lenny_Fox
- Start date
- Last updated
- Jul 11, 2021
- How it's used?
- For home and private use
- OS (desktop)
- Windows 10
- On-device encryption
- Log-in security
-
- Secure biometrics (Windows Hello, Apple TouchID, Fingerprints)
- Security updates
- Automatic - allow all updates
- Windows UAC
- Notify me only when programs try to make changes to my computer (do not dim my desktop)
- Windows 11 SAC
- WiFi network firewall
- Real-time security
-
- Software Restriction Policies similar to Hard Configurator recommended settings
- Microsoft Defender hardened through GPO similar to ConfigureDefender on MAX
- Firewall security
- Microsoft Defender Firewall (Windows)
- About custom security
-
- NextDNS (Firefox)/Quad9 (Edge)
- Trend Micro Home Protect in TP-Link AC4000 router
- GPO hardening (disabling remote stuff and not used features)
- UAC deny elevation of unsigned programs
- ACL deny execute for Download Folder and Startup folders
- Enabled Smartscreen for Explorer (added run-by-smartscreen)
- Removed System and Admin ACL from quick backup documents folder on old HD (ransomware often goes for max rights)
- Tweaked exploit protection settings of Microsoft Defender
- Periodic malware scanners
-
Microsoft Malicious Software Removal Tool only combined with periodic Microsoft Defender scan enabled
- Malware sample testing
- I do not participate in malware testing
- Browser(s) and extensions
-
Edge with hardened profile running inprivate:
- Bruce blank tab (also works incognito)
- AdGuard with only my filters to deal with annoyances and Kees1958
Firefox with hardened user.js running incognito
- Etag Stoppa
- NoScript
... running in Sandboxie
- Secure DNS
-
Next DNS - Firefox
Quad9 - Edge
- Desktop VPN
-
Bullet VPN
- Password manager
-
None
- Maintenance tools
-
Process Explorer & Autoruns64
- File and Photo backup
-
Syncback Free
- System recovery
-
Restore points and Windows Image Backup for software.
Windows Data Backup for Documents only
Syncback for USB and Quick documents backup to old HD
Neushield daily mirrors for Quick documents backup folder
- Risk factors
-
- Working from home
- Browsing to popular websites
- Opening email attachments
- Buying from online stores, entering banks card details
- Streaming audio/video content from shady sites
- Computer specs
-
Self build from parts of old PC's from relatives
- Asus motherboard
- Intel i7 950 with 8 GB RAM
- NVidia GT730 fan-less video card
- Samsung 860 SSD (250 GB for OS)
- OCZ Vortex SSD (120 GB for Documents)
- Seagate 2 TB HDD for media files
- Western Digital 1 TB HDD for image backup and windows image & data backup
USB 2TB drive connected to Router to serv as NAS (router also has TrendMicro Home protect).
USB drive is swapped with off-line second off-line backup USB every month
- Notable changes
-
12-2-21
Added Neushield Data Sentinel Free and changed uMatrix for uBlock on Edge WDAG sandbox
16-3-21
Same extensions in Edge and WDAG sandbox: blank tab, uBlockOrigin and PopUpOff
23-3-21
Replaced uB0 with Adguard again
1-4-21
Only using Edge anti-tracking and NextDNS as adblocking for Edge (in normal = hardened mode)
2-4-21
Back to Adguard with Quad9 DNS and removed PopUpOff and NextDNS
22-4-21
Back to Next DNS and replaced Adguard with AddBlockPlus, disabled Edge Application Guard (I did not use it anymore).
23-4-21
Kaspersky Cloud Free stopped working for unknown reason, reverted back to Microsoft Defender
26-4-21
Replaced Adguard DNS filter with Next DNS ad & tracking blocklist
27-4-21
Added Adguard DNS filter again as only DNS level blocklist
29-4-21
Replaced AdblockPlus with SmartAdblock (which is also a popup blocker)
4-5-21
Next DNS ad filter blocked a coupon code, so back to no ad-fiters in DNS. Added Kees1958 most commen EU-US, and set Edge anti-tracking to default again
11-7-21
Added Firefox with priivacy hardened user.js an sandboxie
- What I'm looking for?
-
Looking for maximum feedback.
Wow. In the past i use them but revert as too much settings weren't designed for consumer.
Now i only use few which aren't available as settings native in Windows.
- Oct 1, 2019
- 1,124
Well I should have said 90% of the baseline which is applicable for home users, so I did not accomplished the feat you probably have in mind.
I am not disappointed when you change your WOW response to LIKE
Note: setting it through GPO has some advantages like settings not being changed by applications (e.g firewall blocks of ransomware related sponsors/lolbins misuse)
Last edited:
Maybe you can make a thread with your polices?
- Oct 1, 2019
- 1,124
Okay when I get bored having the same setup, I will dig into it (need to explain why also, so it is some work to make it usefull to others)
- Dec 23, 2014
- 7,703
These settings can be changed by malware like any other Policies applied by editing the Registry. The only difference is that after several hours the GPO Refresh feature can restore the proper settings again. This cannot protect against ransomware attacks. Furthermore, if the malware is designed to fight the Policies, then it will be able to disable GPO Policies after they are restored, too.Well I should have said 90% of the baseline which is applicable for home users, so I did not accomplished the feat you probably have in mind.
I am not disappointed when you change your WOW response to LIKE
Note: setting it through GPO has some advatages like settings not being changed by applications (e.g firewall blocks of ransomware related sponsors/lolbins misuse)
Some Policies included in the baseline are in fact less restrictive than Windows default settings on Windows Home and Pro, so one has to understand well what they can do.
- Apr 28, 2015
- 8,450
PassWord Manager? thanks for sharing
- Apr 24, 2016
- 6,145
What was your reason to prefer Kaspersky Security Cloud Free over Microsoft Defender (with or without Configure Defender)?
Curious about that because you use so much other buit-in security features.
Curious about that because you use so much other buit-in security features.
- Dec 23, 2014
- 7,703
ACL deny execute works only for: EXE, COM, SCR, BAT, and CMD files. The BAT and CMD files are blocked only when executed by the user directly from Explorer and not blocked when executed via command-line with cmd.exe.
ACL deny execute cannot block MSI installers, most scripts (Windows Script Host, PowerShell), and files with active content (CHM, HTA, MSC, etc.).
ACL deny execute cannot block MSI installers, most scripts (Windows Script Host, PowerShell), and files with active content (CHM, HTA, MSC, etc.).
- Oct 1, 2019
- 1,124
don't worry ACL is not only defense, also using SRP and WD-Exploit settings, just a few examplesHTA does not run on my desktop, simply enables all settings in WD exploit protection. In GPO I have disabled installers to elevate, so I need to run as admin ro install manually. WSH is also blocked with WD Exploit protection. Contrary to cmd files ps1 files cannot be run as admin, so they are blocked with SRP
Last edited:
- Oct 1, 2019
- 1,124
Last year I used Hard Configurator like and Configure Defender like settings (like because I set it manually in GPO), thanks to @Andy Ful I learned how to copy the settings of his great utilities*. Yes I like to use security what is already provided by Windows itself.
Reason to choose Kaspersky Cloud Free was that a husband of (girf)firend of my girlfriend put it on for her. He is an IT-er, I am a digital marketeer, so she figured the husband of her friend knew more about security than I did. So because I decided on same setup for all pc's I changed my setup
The guy convinced my girlfriend to change by showing how fast kaspersky icon appears and how slow the WD-icon appears,
* I did not like the nested allow exceptions for TMP files @Andy Ful makes with HC and SWH, everything runs/updates/install fine without this TMP hole in my SRP defence
- Dec 23, 2014
- 7,703
How do you block Windows Script Host by Exploit Protection?
HTA does not run on my desktop, simply enables all settings in WD exploit protection. In GPO I have disabled installers to elevate, so I need to run as admin ro install manually. WSH is also blocked with WD Exploit protection. Contrary to cmd files ps1 files cannot be run as admin, so they are blocked with GPO
- Apr 24, 2016
- 6,145
That icon thing is a little trick of Kaspersky, because when you click on it after a reboot it still take a while to load the full program.Last year I used Hard Configurator like and Configure Defender like settings (like because I set it manually in GPO), thanks to @Andy Ful I learned how to copy the settings of his great utilities*. Yes I like to use security what is already provided by Windows itself.
Reason to choose Kaspersky Cloud Free was that a husband of (girf)firend of my girlfriend put it on for her. He is an IT-er, I am a digital marketeer, so she figured the husband of her friend knew more about security than I did. So because I decided on same setup for all pc's I changed my setup
The guy convinced my girlfriend to change by showing how fast kaspersky icon appears and how slow the WD-icon appears,
* I did not like the nested allow exceptions for TMP files @Andy Ful makes with HC and SWH, everything runs/updates/install fine without this TMP hole in my SRP defence
But it's not a bad program for protection.
- Dec 23, 2014
- 7,703
If you allow EXE files, then allowing TMP files is logical and generally necessary, except when some installations do not use wrappers. You cannot run manually TMP files, they have to be run/loaded by the already running process. So, TMP files are not dangerous if the initial vectors of attack are properly covered. Furthermore, If one uses The H_C Strict_Recommended settings, then EXE and TMP files are blocked, too. One can also skip using the H_C's option and use his/her own setup to allow EXE files without allowing TMP files.
Anyway, if you have properly blocked/restricted scripts then your setup is OK in the home environment. Other vectors of attack are not so important with Kaspersky's protection.
Last edited:
- Apr 28, 2015
- 8,450
It's K. GUI what takes some seconds to appears after every system start, protection services are enabled during early stage of Windows boot...
- Apr 24, 2016
- 6,145
Yes I know, but that was only the illustrate that the K icon showing up earlier than the Microsoft Defender icon tells you nothing.
Protection has already been started in both cases.
This doesn't mean this guy know what he talking about.Reason to choose Kaspersky Cloud Free was that a husband of (girf)firend of my girlfriend put it on for her. He is an IT-er, I am a digital marketeer, so she figured the husband of her friend knew more about security than I did. So because I decided on same setup for all pc's I changed my setup
A lot IT guys doesn't have the knowledge MT members have
- Oct 1, 2019
- 1,124
Simply enable all protections of WD-exploit, it breaks wscript, so it can't run
same with mshta.exe
- Oct 1, 2019
- 1,124
True but her employer provided on-line security lessons to create security awareness (because they were forced to collaborate/meet/work digitally with Covid19. Upside is that she applies safe hex now (downside is that she does not take my word for security any moreThis doesn't mean this guy know what he talking about.
A lot IT guys doesn't have the knowledge MT members have
)Her employer did it very smart. When you passed a (security awareness) test, you could order something to create a better home workplace. With every successful course finished employees got a bonus. With these incentives she got a large monitor and keyboard to go with her work laptop, a desk which you can change in height (so it is also possible to stand working), a good office chair, a 40 euro per month allowance for faster internet connection and our new AC4000 triband router (so she has one 5Ghz network for her own for work with VPN pass through).
Last edited:
- Oct 1, 2019
- 1,124
Sensitive stuff I remember by head, fun stuff (like MT-forum login) I am using Edge password manager.PassWord Manager? thanks for sharing
Similar threads
