Advanced Plus Security Lenny's 2021 intention: keep this setup for a year :-)

Last updated
Jul 11, 2021
How it's used?
For home and private use
Operating system
Windows 10
On-device encryption
Log-in security
    • Biometrics (Windows Hello PIN, TouchID, Face, Iris, Fingerprint)
Security updates
Allow security updates and latest features
User Access Control
Notify me only when programs try to make changes to my computer (do not dim my desktop)
Smart App Control
Network firewall
Real-time security
  1. Software Restriction Policies similar to Hard Configurator recommended settings
  2. Microsoft Defender hardened through GPO similar to ConfigureDefender on MAX
Firewall security
Microsoft Defender Firewall
About custom security
  • NextDNS (Firefox)/Quad9 (Edge)
  • Trend Micro Home Protect in TP-Link AC4000 router
  • GPO hardening (disabling remote stuff and not used features)
  • UAC deny elevation of unsigned programs
  • ACL deny execute for Download Folder and Startup folders
  • Enabled Smartscreen for Explorer (added run-by-smartscreen)
  • Removed System and Admin ACL from quick backup documents folder on old HD (ransomware often goes for max rights)
  • Tweaked exploit protection settings of Microsoft Defender
Periodic malware scanners
Microsoft Malicious Software Removal Tool only combined with periodic Microsoft Defender scan enabled
Malware sample testing
I do not participate in malware testing
Browser(s) and extensions
Edge with hardened profile running inprivate:
- Bruce blank tab (also works incognito)
- AdGuard with only my filters to deal with annoyances and Kees1958

Firefox with hardened user.js running incognito
- Etag Stoppa
- NoScript
... running in Sandboxie
Secure DNS
Next DNS - Firefox
Quad9 - Edge
Desktop VPN
Bullet VPN
Password manager
None
Maintenance tools
Process Explorer & Autoruns64
File and Photo backup
Syncback Free
System recovery
Restore points and Windows Image Backup for software.
Windows Data Backup for Documents only
Syncback for USB and Quick documents backup to old HD
Neushield daily mirrors for Quick documents backup folder
Risk factors
    • Working from home
    • Browsing to popular websites
    • Opening email attachments
    • Buying from online stores, entering banks card details
    • Streaming audio/video content from shady sites
Computer specs
Self-built from parts of old PCs from relatives
- Asus motherboard
- Intel i7 950 with 8 GB RAM
- NVidia GT730 fan-less video card
- Samsung 860 SSD (250 GB for OS)
- OCZ Vortex SSD (120 GB for Documents)
- Seagate 2 TB HDD for media files
- Western Digital 1 TB HDD for image backup and windows image & data backup

USB 2TB drive connected to router to serve as NAS (router also has TrendMicro Home protect).
USB drive is swapped with a second off-line backup USB every month
Notable changes
12-2-21
Added Neushield Data Sentinel Free and changed uMatrix for uBlock on Edge WDAG sandbox
16-3-21
Same extensions in Edge and WDAG sandbox: blank tab, uBlockOrigin and PopUpOff
23-3-21
Replaced uB0 with Adguard again :)
1-4-21
Only using Edge anti-tracking and NextDNS as adblocking for Edge (in normal = hardened mode)
2-4-21
Back to Adguard with Quad9 DNS and removed PopUpOff and NextDNS
22-4-21
Back to Next DNS and replaced Adguard with AdblockPlus, disabled Edge Application Guard (I did not use it anymore).
23-4-21
Kaspersky Cloud Free stopped working for unknown reason, reverted back to Microsoft Defender
26-4-21
Replaced Adguard DNS filter with Next DNS ad & tracking blocklist
27-4-21
Added Adguard DNS filter again as only DNS level blocklist
29-4-21
Replaced AdblockPlus with SmartAdblock (which is also a popup blocker)
4-5-21
Next DNS ad filter blocked a coupon code, so back to no ad-filters in DNS. Added Kees1958 most common EU-US, and set Edge anti-tracking to default again
11-7-21
Added Firefox with privacy hardened user.js and Sandboxie
What I'm looking for?

Looking for maximum feedback.

Lenny_Fox


Gandalf_The_Grey

Just when I was so happy with the TP-Link AC4000 router we paid from incentives my girlfriend earned by following security awareness courses sponsored by her employer

Scroll to the chapter about the People's Republic of China National Intelligence Law of 2017

:cry::cry::cry:
So, you think your TP-Link router has a backdoor and is sending all your data to the Chinese government?
If so, they will be very bored by my constant visiting of Malware Tips...
 

Gandalf_The_Grey

Lenny, what are you going to do now with that router?
I think it's nearly impossible to avoid buying something that has Chinese technology inside.
In the Netherlands the KPN Experia box is made by ZTE (Chinese), the latest version 12 by Sagemcom (French?), the Ziggo Connect Box by Arris (US) or Compal (Taiwanese) but you don't know what other technology they use in their network and where that modem is manufactured.
 

Lenny_Fox

Gandalf-san

I am going to keep using the router. I am not wearing a tin-foil hat. Besides that, my budget does not allow throwing away stuff which works perfectly.

I work as part-time cook and part-time digital marketeer. Due to the Covid19 lockdown the income as cook fell away; luckily I could work extra as digital marketeer (because some colleagues had gotten Covid19). Downside of having two part-time jobs is that in Holland part-timers often get an "8 hour" contract, so when you have no work, you only get one day max compensation. Most people of the marketing agency I work part-time for are recovered, so the owner is reducing my working hours in January 2021 to just one day (the minimum he is obliged in my contract), because his clients are also lowering marketing budgets in 2021.

Luckily I helped the owner of the restaurant I worked for. During the second lockdown he decided to invest in his restaurant and is using the lockdown for a complete overhaul. The contractor he hired saw me painting (I use my left hand as easily as my right hand) and asked whether I could work for him (because his painter is still recovering from the first Covid19 wave in the Netherlands). So I am going to work 4 days a week as a house painter next year for at least three months and probably half a year.

So I am thinking about changing my nick name at the forum to TAFNAL ;)

Have a nice 'oudejaarsavond' and a 'gelukkig nieuwjaar'

/L
 

Gandalf_The_Grey

I knew you were not wearing a tin-foil hat, but I was surprised you linked that pdf and didn't see the purpose.

Tough times in this crisis. Good to hear that you found new work TAFNAL-san.

And I also wish you a nice 'oudejaarsavond' (new year's eve) and a 'gelukkig nieuwjaar' (happy new year) (y)
 

Lenny_Fox

12-2-21 change

Added Neushield Data Sentinel Free and changed uMatrix for uBlock on Edge WDAG sandbox

Removed System and Admins from the Quick Documents Backup Folder Access Control List, because most ransomware tries to elevate to maximum rights, which will prevent (when all defenses fail) ransomware access to my quick documents backup folder. Using OneDrive personal vault to protect two documents folders (with tax and insurance stuff in it).

So my backup strategy
1. Yearly backup of tax and insurance folder to OneDrive personal vault
2. Six month manual backup of system image one month after every major Windows Update (I delay image backup always one month, just to be sure everything is okay)
3. Quarterly manual backup of all data to USB drive with Syncback, of which one drive always is offline (I have two 2GB USB drives which I rotate, always keeping one at my parents). The other USB drive is used as NAS for easy sharing and copying of images of my girlfriend and me (so we have all images on Desktop + Laptop + NAS)
4. Monthly manual backup with Windows backup of documents on R drive on Patch Tuesday
5. Ad hoc (usually daily) backup with Syncback to Quick Documents backup folder only on R-drive
6. Automated daily mirror with Neushield Data Sentinel of Quick Documents backup folder

P.S. I lost 5 kilogram just by working 4 days a week in the cold as a painter. Because 1 day online-marketing job had nothing I worked extra today in the freezing cold. Really hard work now because paint does not 'ooze' out nicely with temperatures below zero.
 
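The two ACL measures mentioned in this thread (no SYSTEM or Administrators entries on the quick backup folder, and a deny-execute entry on the Downloads folder) can be checked with a short audit. This is an added example, not the poster's own script; the path `R:\QuickBackup` and the function names are hypothetical placeholders.

```powershell
# Added example: audit folder ACLs for the two hardening steps in this thread.
# Well-known SIDs are used so the check also works on non-English Windows.
$ElevatedSids = @{
    'S-1-5-18'     = 'SYSTEM'
    'S-1-5-32-544' = 'Administrators'
}

function Get-AceSid {
    param($Ace)
    try {
        $Ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        $null   # account could not be resolved (e.g. deleted user)
    }
}

# Lists every Allow entry that still gives SYSTEM or Administrators access.
function Get-ElevatedAllowAce {
    param([Parameter(Mandatory)][string]$Path)
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        $sid = Get-AceSid $ace
        if ($ace.AccessControlType -eq 'Allow' -and $sid -and
            $ElevatedSids.ContainsKey($sid)) {
            [pscustomobject]@{
                Principal = $ElevatedSids[$sid]
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # inherited entries come from the parent folder
            }
        }
    }
}

# True when at least one Deny entry covers the ExecuteFile right.
function Test-DenyExecute {
    param([Parameter(Mandatory)][string]$Path)
    $exec = [int][System.Security.AccessControl.FileSystemRights]::ExecuteFile
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -eq 'Deny' -and
            (([int]$ace.FileSystemRights -band $exec) -ne 0)) { return $true }
    }
    return $false
}

$backup    = 'R:\QuickBackup'                 # hypothetical path, adjust to your folder
$downloads = Join-Path $env:USERPROFILE 'Downloads'
if (Test-Path -LiteralPath $backup)    { Get-ElevatedAllowAce -Path $backup | Format-Table }
if (Test-Path -LiteralPath $downloads) { "Deny execute on Downloads: $(Test-DenyExecute -Path $downloads)" }
```

An empty table for the backup folder means no Allow entry for SYSTEM or Administrators remains on it.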

Lenny_Fox

@Gandalf_The_Grey

I only let Neushield mirror/guard my Documents Quick backup folder. What I noticed is that Neushield sets a restore point every day. Probably to revoke software changes too. No problems. My Windows data backup seems to write the backup as a concatenated file, which Neushield probably interprets as one file. To me it seems like expected behavior to double data storage size when the data is mirrored (as one file).

File based backup solutions like Syncback also don't play nice with seamless incremental backups (like Windows backup). When I add only one mail to my Outlook PST file, to Syncback the PST file is changed and it will back it up fully. I expect Neushield handles the Windows backup similarly.

I use Windows Backup, not file history (doing manual backups).
[Image: 1613216045506.png]

Backs up to
[Image: 1613216272551.png]


No Skinny Fox yet, still a can away from a six pack :)
 

Gandalf_The_Grey

In that case I think NeuShield can't work with file history, at least for me.
Next to sync with OneDrive (Microsoft 365 account), I use file history as an extra offline backup method for the three main laptops here in the house.
That has all worked fine for years with a 500GB external HDD, but with NeuShield I ran out of space and I can't use file history anymore with that external HDD.
After uninstalling NeuShield, deleting the old backup and making a new backup with file history everything works fine as before.
 

Lenny_Fox

Update: using NextDNS (website load lag is gone), added AdGuard's first party trackers (because excellent EU-US most prevalent ad & trackers 'only' covers third-party). Sort of best of worlds approach (Next DNS - Edge tracking on default - Kees1958 3rd-party - Adguard 1st-party).

[Image: 1615533025152.png]



When using Edge Application Guard with BulletVPN and (IP from Germany) I have Adguard CNAME tracker list enabled (with default VPN).
 