SECURITY: Complete Lenny's 2021 intention: keep this setup for a year :-)

Last updated
Jul 11, 2021
About
Personal, primary device
Additional PC users
Not shared with other users
Desktop OS
Windows 10
OS edition
Pro
Login security
    • Password-less (PIN, Biometric, Face)
    • Password (Aa-Zz, 0-9, Symbols)
Primary sign-in
Local account
Primary user
Admin user - Full permissions
Security updates
Automatic - allow all types of updates
Windows UAC
Minimum - notify + do not dim desktop (insecure)
Network firewall
Third-party router
Real-time protection
  1. Software Restriction Policies similar to Hard Configurator recommended settings
  2. Microsoft Defender hardened through GPO similar to ConfigureDefender on MAX
Software firewall
Microsoft Defender Firewall
Custom RTP, Firewall and OS settings
  • NextDNS (Firefox)/Quad9 (Edge)
  • Trend Micro Home Protect in TP-Link AC4000 router
  • GPO hardening (disabling remote stuff and not used features)
  • UAC deny elevation of unsigned programs
  • ACL deny execute for Download Folder and Startup folders
  • Enabled Smartscreen for Explorer (added run-by-smartscreen)
  • Removed System and Admin ACL from quick backup documents folder on old HD (ransomware often goes for max rights)
  • Tweaked exploit protection settings of Microsoft Defender
Malware testing
No malware samples
Periodic security scanners
Microsoft Malicious Software Removal Tool only combined with periodic Microsoft Defender scan enabled
Secure DNS
Next DNS - Firefox
Quad9 - Edge
VPN
Bullet VPN
Password manager
None
Browsers, Search and Addons
Edge with hardened profile running inprivate:
- Bruce blank tab (also works incognito)
- AdGuard with only my filters to deal with annoyances and Kees1958

Firefox with hardened user.js running incognito
- Etag Stoppa
- NoScript
... running in Sandboxie
Maintenance and Cleaning
Process Explorer & Autoruns64
Personal Files & Photos backup
Syncback Free
Personal backup routine
Manual (maintained by self)
Device recovery & backup
Restore points and Windows Image Backup for software.
Windows Data Backup for Documents only
Syncback for USB and Quick documents backup to old HD
Neushield daily mirrors for Quick documents backup folder
Device backup routine
Manual (maintained by self)
PC activity
  1. Working from home. 
  2. Browsing the web. 
  3. Emails. 
  4. Shopping. 
  5. Streaming. 
Computer specs
Self-built from parts of relatives' old PCs
- Asus motherboard
- Intel i7 950 with 8 GB RAM
- NVidia GT730 fan-less video card
- Samsung 860 SSD (250 GB for OS)
- OCZ Vortex SSD (120 GB for Documents)
- Seagate 2 TB HDD for media files
- Western Digital 1 TB HDD for image backup and windows image & data backup

USB 2TB drive connected to the router to serve as NAS (router also has Trend Micro Home Protect).
The USB drive is swapped with a second off-line backup USB drive every month
Personal changelog
12-2-21
Added Neushield Data Sentinel Free and changed uMatrix for uBlock on Edge WDAG sandbox
16-3-21
Same extensions in Edge and WDAG sandbox: blank tab, uBlockOrigin and PopUpOff
23-3-21
Replaced uB0 with Adguard again :)
1-4-21
Only using Edge anti-tracking and NextDNS as adblocking for Edge (in normal = hardened mode)
2-4-21
Back to Adguard with Quad9 DNS and removed PopUpOff and NextDNS
22-4-21
Back to Next DNS and replaced Adguard with AddBlockPlus, disabled Edge Application Guard (I did not use it anymore).
23-4-21
Kaspersky Cloud Free stopped working for unknown reason, reverted back to Microsoft Defender
26-4-21
Replaced Adguard DNS filter with Next DNS ad & tracking blocklist
27-4-21
Added Adguard DNS filter again as only DNS level blocklist
29-4-21
Replaced AdblockPlus with SmartAdblock (which is also a popup blocker)
4-5-21
Next DNS ad filter blocked a coupon code, so back to no ad-filters in DNS. Added Kees1958 most common EU-US, and set Edge anti-tracking to default again
11-7-21
Added Firefox with privacy hardened user.js and Sandboxie
Feedback Response

Most critical feedback

Lenny_Fox

Level 22
Verified
Oct 1, 2019
1,125
Wow. In the past I used them but reverted, as too many settings weren't designed for consumers.
Now I only use a few which aren't available natively as settings in Windows.
Well I should have said 90% of the baseline which is applicable for home users, so I did not accomplish the feat you probably have in mind.

I am not disappointed when you change your WOW response to LIKE :)

Note: setting it through GPO has some advantages like settings not being changed by applications (e.g. firewall blocks of ransomware related sponsors/lolbins misuse)
 
Last edited:

Andy Ful

Level 72
Verified
Trusted
Content Creator
Dec 23, 2014
6,156
Well I should have said 90% of the baseline which is applicable for home users, so I did not accomplish the feat you probably have in mind.

I am not disappointed when you change your WOW response to LIKE :)

Note: setting it through GPO has some advantages like settings not being changed by applications (e.g. firewall blocks of ransomware related sponsors/lolbins misuse)
These settings can be changed by malware like any other Policies applied by editing the Registry. The only difference is that after several hours the GPO Refresh feature can restore the proper settings again. This cannot protect against ransomware attacks. Furthermore, if the malware is designed to fight the Policies, then it will be able to disable GPO Policies after they are restored, too.
Some Policies included in the baseline are in fact less restrictive than Windows default settings on Windows Home and Pro, so one has to understand well what they can do.
 
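The point made above, that GPO-backed policies are ordinary registry values which malware can edit and which only a later GPO refresh restores, suggests a simple check a home user can schedule. The script below is an added example, not code from the thread or from the H_C/ConfigureDefender utilities mentioned in it: it snapshots the policy keys behind UAC, Microsoft Defender and SRP into a JSON baseline and later reports every value that differs. The key list and the baseline file path are assumptions for illustration; run it from an elevated PowerShell on Windows 10.

```powershell
# Added example (not from the thread): snapshot and compare policy registry keys
# so that a change to GPO-set values is noticed before the next GPO refresh.
# Assumption: the three keys below are the ones worth watching for this setup.
$PolicyKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',   # UAC: EnableLUA, ValidateAdminCodeSignatures, ...
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender',                # Defender policy (RTP, ASR, ...)
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'    # Software Restriction Policies
)

function Get-PolicySnapshot {
    param([string[]]$Keys = $PolicyKeys)
    # Returns hashtable: "<full key name>\<value name>" => value rendered as a string.
    # Subkeys are included so ASR rules, Real-Time Protection and SRP path rules are covered.
    $snap = @{}
    foreach ($k in $Keys) {
        if (-not (Test-Path -Path $k)) { continue }
        $items = @(Get-Item -Path $k) + @(Get-ChildItem -Path $k -Recurse -ErrorAction SilentlyContinue)
        foreach ($item in $items) {
            foreach ($name in $item.GetValueNames()) {
                # Multi-string values are joined so every value type compares as one string
                $snap["$($item.Name)\$name"] = (@($item.GetValue($name)) -join ';')
            }
        }
    }
    $snap
}

function Compare-PolicySnapshot {
    param([hashtable]$Baseline, [hashtable]$Current)
    # One row per value that was added, removed or changed since the baseline.
    $names = @($Baseline.Keys) + @($Current.Keys) | Sort-Object -Unique
    $drift = foreach ($n in $names) {
        $b = $Baseline[$n]; $c = $Current[$n]
        if ($b -ne $c) { [pscustomobject]@{ Value = $n; Baseline = $b; Current = $c } }
    }
    @($drift)
}

function Save-PolicyBaseline {
    param([Parameter(Mandatory)][string]$Path)
    # Capture the known-good state once, right after the GPO/ConfigureDefender-style setup.
    Get-PolicySnapshot | ConvertTo-Json | Set-Content -Path $Path
}

function Test-PolicyDrift {
    param([Parameter(Mandatory)][string]$Path)
    # Load the baseline back into a hashtable and diff it against the live registry.
    $json = Get-Content -Path $Path -Raw | ConvertFrom-Json
    $baseline = @{}
    foreach ($p in $json.PSObject.Properties) { $baseline[$p.Name] = $p.Value }
    Compare-PolicySnapshot -Baseline $baseline -Current (Get-PolicySnapshot)
}

# Usage (hypothetical path):
#   Save-PolicyBaseline -Path "$env:ProgramData\policy-baseline.json"   # once, on the clean system
#   Test-PolicyDrift    -Path "$env:ProgramData\policy-baseline.json" | Format-Table -AutoSize
# No rows in the output means the watched policy values still match the baseline.
```

Run `Test-PolicyDrift` from a scheduled task at a shorter interval than the GPO refresh; it only reports, it does not restore anything, and it only covers the keys in `$PolicyKeys`, so extend the list to match whatever else the GPO hardening sets.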

Andy Ful

Level 72
Verified
Trusted
Content Creator
Dec 23, 2014
6,156
ACL deny execute works only for: EXE, COM, SCR, BAT, and CMD files. The BAT and CMD files are blocked only when executed by the user directly from Explorer and not blocked when executed via command-line with cmd.exe.
ACL deny execute cannot block MSI installers, most scripts (Windows Script Host, PowerShell), and files with active content (CHM, HTA, MSC, etc.).
 
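The "ACL deny execute for Download Folder and Startup folders" entry in the config above, and the limits of that rule described in the post above, can be put into a script. This is an added example, not code from the thread or from Hard_Configurator: it applies a Deny/ExecuteFile ACE for Everyone to the per-user Downloads folder and both Startup folders, checks whether the ACE is present, and can remove it again. Folder paths are assumed to be the Windows defaults; run it from an elevated PowerShell.

```powershell
# Added example (not from the thread): apply, verify and roll back an ACL deny-execute
# rule on the folders named in the config. As the post above says, this only stops
# EXE/COM/SCR (and BAT/CMD started from Explorer); MSI, WSH/PowerShell scripts and
# HTA/CHM/MSC are untouched and need SRP or other controls.
$EveryoneSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-1-0')

function Get-DenyExecuteRule {
    # Deny ExecuteFile for Everyone, inherited by files and subfolders. InheritOnly leaves
    # the folder itself untouched so it still opens and lists normally in Explorer.
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        $EveryoneSid,
        [System.Security.AccessControl.FileSystemRights]::ExecuteFile,
        [System.Security.AccessControl.InheritanceFlags]'ObjectInherit, ContainerInherit',
        [System.Security.AccessControl.PropagationFlags]::InheritOnly,
        [System.Security.AccessControl.AccessControlType]::Deny)
}

function Test-DenyExecute {
    param([Parameter(Mandatory)][string]$Path)
    # True when a Deny ACE for S-1-1-0 that includes ExecuteFile is on the folder.
    $acl = Get-Acl -Path $Path
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $execBit = [int][System.Security.AccessControl.FileSystemRights]::ExecuteFile
    [bool]($rules | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq 'S-1-1-0' -and
        (([int]$_.FileSystemRights -band $execBit) -ne 0)
    })
}

function Set-DenyExecute {
    param([Parameter(Mandatory)][string]$Path)
    if (Test-DenyExecute -Path $Path) { Write-Host "already set: $Path"; return }
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule((Get-DenyExecuteRule))
    Set-Acl -Path $Path -AclObject $acl
    Write-Host "deny execute applied: $Path"
}

function Remove-DenyExecute {
    param([Parameter(Mandatory)][string]$Path)
    # Rollback: remove the matching deny ACE (useful when an installer must run from Downloads).
    $acl = Get-Acl -Path $Path
    if ($acl.RemoveAccessRule((Get-DenyExecuteRule))) {
        Set-Acl -Path $Path -AclObject $acl
        Write-Host "deny execute removed: $Path"
    }
}

# Folders from the config entry; assumed default locations.
$Targets = @(
    (Join-Path $env:USERPROFILE 'Downloads'),
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder (needs admin)
)
foreach ($t in $Targets) {
    if (Test-Path -Path $t) { Set-DenyExecute -Path $t }
}
```

Check the result with `Test-DenyExecute -Path "$env:USERPROFILE\Downloads"`; a downloaded EXE launched from that folder should now fail with an access-denied error, while a downloaded VBS or PS1 still runs unless SRP or script-host restrictions cover it, which is exactly the gap the post above points out.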

Lenny_Fox

Level 22
Verified
Oct 1, 2019
1,125
ACL deny execute works only for: EXE, COM, SCR, BAT, and CMD files. The BAT and CMD files are blocked only when executed by the user directly from Explorer and not blocked when executed via command-line with cmd.exe.
ACL deny execute cannot block MSI installers, most scripts (Windows Script Host, PowerShell), and files with active content (CHM, HTA, MSC, etc.).
:) don't worry, ACL is not the only defense, also using SRP and WD-Exploit settings, just a few examples

HTA does not run on my desktop, simply enables all settings in WD exploit protection. In GPO I have disabled installers to elevate, so I need to run as admin to install manually. WSH is also blocked with WD Exploit protection. Contrary to cmd files ps1 files cannot be run as admin, so they are blocked with SRP
 
Last edited:
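Since the config lists "Software Restriction Policies similar to Hard Configurator" and the post above relies on SRP to block PS1 files, a read-only audit of what SRP is actually enforcing is a useful check. The script below is an added example, not code from the thread or from Hard_Configurator: it reads the machine-level SRP registry policy, reports the default level and enforcement options, checks whether the script and active-content extensions named in the thread (PS1, VBS, JS, HTA, CHM, MSC, MSI and the rest) are designated file types, and lists every path rule. It modifies nothing. The list of extensions to check is an assumption; a user-level SRP would live under HKCU at the same relative path.

```powershell
# Added example (not from the thread): read-only audit of Software Restriction Policies.
$SaferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# SRP security levels as stored in the registry (subkey name => meaning)
$Levels = @{
    0      = 'Disallowed'
    4096   = 'Untrusted'
    65536  = 'Constrained'
    131072 = 'Basic User'
    262144 = 'Unrestricted'
}

function Get-SrpSummary {
    # Default level, enforcement scope and the designated (checked) file types.
    if (-not (Test-Path -Path $SaferRoot)) { return $null }
    $root = Get-ItemProperty -Path $SaferRoot
    $default = if ($null -eq $root.DefaultLevel) { 'not set (Unrestricted)' }
               elseif ($Levels.ContainsKey([int]$root.DefaultLevel)) { $Levels[[int]$root.DefaultLevel] }
               else { "$($root.DefaultLevel) (unknown)" }
    [pscustomobject]@{
        DefaultLevel       = $default                   # 'Disallowed' = allow-list mode (H_C style)
        TransparentEnabled = $root.TransparentEnabled   # 1 = skip DLLs, 2 = check DLLs as well
        PolicyScope        = $root.PolicyScope          # 0 = all users, 1 = all users except admins
        ExecutableTypes    = @($root.ExecutableTypes | Where-Object { $_ })
    }
}

function Test-SrpDesignatedTypes {
    # Which of the extensions we care about SRP will actually evaluate (assumed list).
    param([string[]]$Required = @('PS1','VBS','VBE','JS','JSE','WSF','WSH','HTA','CHM','MSC','MSI','BAT','CMD'))
    $s = Get-SrpSummary
    if (-not $s) { return @{ Present = @(); Missing = $Required } }
    $have = @($s.ExecutableTypes | ForEach-Object { $_.ToUpperInvariant() })
    @{
        Present = @($Required | Where-Object { $have -contains $_ })
        Missing = @($Required | Where-Object { $have -notcontains $_ })
    }
}

function Get-SrpPathRules {
    # Every path rule, with the level it assigns (in allow-list mode the 262144 rules are the allow list).
    foreach ($lvl in $Levels.Keys) {
        $pathKey = Join-Path -Path $SaferRoot -ChildPath "$lvl\Paths"
        if (-not (Test-Path -Path $pathKey)) { continue }
        Get-ChildItem -Path $pathKey | ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{ Level = $Levels[$lvl]; Path = $p.ItemData; Description = $p.Description }
        }
    }
}

$summary = Get-SrpSummary
if (-not $summary) {
    Write-Host 'No SRP policy present under HKLM.'
} else {
    $summary | Format-List
    $check = Test-SrpDesignatedTypes
    if ($check.Missing.Count -gt 0) {
        Write-Warning ('Not designated file types, so SRP ignores them: ' + ($check.Missing -join ', '))
    }
    Get-SrpPathRules | Sort-Object Level, Path | Format-Table -AutoSize
}
```

Two things to look for in the output: a `DefaultLevel` of `Disallowed` with `Unrestricted` path rules for the Windows and Program Files folders (allow-list mode), and an empty `Missing` list, since an extension that is not a designated file type is never evaluated by SRP no matter what the default level says.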

Lenny_Fox

Level 22
Verified
Oct 1, 2019
1,125
What was your reason to prefer Kaspersky Security Cloud Free over Microsoft Defender (with or without Configure Defender)?
Curious about that because you use so much other buit-in security features.
Last year I used Hard Configurator like and Configure Defender like settings (like because I set it manually in GPO), thanks to @Andy Ful I learned how to copy the settings of his great utilities*. Yes I like to use security what is already provided by Windows itself.

Reason to choose Kaspersky Cloud Free was that a husband of a (girl)friend of my girlfriend put it on for her. He is an IT-er, I am a digital marketeer, so she figured the husband of her friend knew more about security than I did. So because I decided on the same setup for all PCs I changed my setup :)

The guy convinced my girlfriend to change by showing how fast kaspersky icon appears and how slow the WD-icon appears,

* I did not like the nested allow exceptions for TMP files @Andy Ful makes with HC and SWH, everything runs/updates/install fine without this TMP hole in my SRP defence
 

Andy Ful

Level 72
Verified
Trusted
Content Creator
Dec 23, 2014
6,156
:) don't worry, ACL is not the only defense, also using SRP and WD-Exploit settings, just a few examples

HTA does not run on my desktop, simply enables all settings in WD exploit protection. In GPO I have disabled installers to elevate, so I need to run as admin to install manually. WSH is also blocked with WD Exploit protection. Contrary to cmd files ps1 files cannot be run as admin, so they are blocked with GPO
How do you block Windows Script Host by Exploit Protection?
 

Gandalf_The_Grey

Level 51
Verified
Trusted
Content Creator
Apr 24, 2016
4,002
Last year I used Hard Configurator like and Configure Defender like settings (like because I set it manually in GPO), thanks to @Andy Ful I learned how to copy the settings of his great utilities*. Yes I like to use security what is already provided by Windows itself.

Reason to choose Kaspersky Cloud Free was that a husband of a (girl)friend of my girlfriend put it on for her. He is an IT-er, I am a digital marketeer, so she figured the husband of her friend knew more about security than I did. So because I decided on the same setup for all PCs I changed my setup :)

The guy convinced my girlfriend to change by showing how fast kaspersky icon appears and how slow the WD-icon appears,

* I did not like the nested allow exceptions for TMP files @Andy Ful makes with HC and SWH, everything runs/updates/install fine without this TMP hole in my SRP defence
That icon thing is a little trick of Kaspersky, because when you click on it after a reboot it still takes a while to load the full program.
But it's not a bad program for protection.
 

Andy Ful

Level 72
Verified
Trusted
Content Creator
Dec 23, 2014
6,156
...
* I did not like the nested allow exceptions for TMP files @Andy Ful makes with HC and SWH, everything runs/updates/install fine without this TMP hole in my SRP defence
If you allow EXE files, then allowing TMP files is logical and generally necessary, except when some installations do not use wrappers. You cannot run TMP files manually, they have to be run/loaded by the already running process. So, TMP files are not dangerous if the initial vectors of attack are properly covered. Furthermore, if one uses the H_C Strict_Recommended settings, then EXE and TMP files are blocked, too. One can also skip using the H_C's option and use his/her own setup to allow EXE files without allowing TMP files.

Anyway, if you have properly blocked/restricted scripts then your setup is OK in the home environment. Other vectors of attack are not so important with Kaspersky's protection.
 
Last edited:

Gandalf_The_Grey

Level 51
Verified
Trusted
Content Creator
Apr 24, 2016
4,002
It's the K. GUI that takes some seconds to appear after every system start, protection services are enabled during an early stage of Windows boot...
Yes I know, but that was only to illustrate that the K icon showing up earlier than the Microsoft Defender icon tells you nothing.
Protection has already been started in both cases.
 

ForgottenSeer 85179

Reason to choose Kaspersky Cloud Free was that a husband of (girf)firend of my girlfriend put it on for her. He is an IT-er, I am a digital marketeer, so she figured the husband of her friend knew more about security than I did. So because I decided on same setup for all pc's I changed my setup :)
This doesn't mean this guy knows what he's talking about.

A lot of IT guys don't have the knowledge MT members have ;)
 

Lenny_Fox

Level 22
Verified
Oct 1, 2019
1,125
This doesn't mean this guy knows what he's talking about.

A lot of IT guys don't have the knowledge MT members have ;)
True but her employer provided on-line security lessons to create security awareness (because they were forced to collaborate/meet/work digitally with Covid19). Upside is that she applies safe hex now (downside is that she does not take my word for security any more :) )

Her employer did it very smart. When you passed a (security awareness) test, you could order something to create a better home workplace. With every successful course finished employees got a bonus. With these incentives she got a large monitor and keyboard to go with her work laptop, a desk which you can change in height (so it is also possible to stand working), a good office chair, a 40 euro per month allowance for faster internet connection and our new AC4000 triband router (so she has one 5Ghz network for her own for work with VPN pass through).
 
Last edited: