Advanced Plus Security Lenny's 2021 intention: keep this setup for a year :-)

Last updated
Jul 11, 2021
How it's used?
For home and private use
Operating system
Windows 10
On-device encryption
Log-in security
    • Biometrics (Windows Hello PIN, TouchID, Face, Iris, Fingerprint)
Security updates
Allow security updates and latest features
User Access Control
Notify me only when programs try to make changes to my computer (do not dim my desktop)
Smart App Control
Network firewall
Real-time security
  1. Software Restriction Policies similar to Hard Configurator recommended settings
  2. Microsoft Defender hardened through GPO similar to ConfigureDefender on MAX
Firewall security
Microsoft Defender Firewall
About custom security
  • NextDNS (Firefox)/Quad9 (Edge)
  • Trend Micro Home Protect in TP-Link AC4000 router
  • GPO hardening (disabling remote stuff and not used features)
  • UAC deny elevation of unsigned programs
  • ACL deny execute for Download Folder and Startup folders
  • Enabled Smartscreen for Explorer (added run-by-smartscreen)
  • Removed System and Admin ACL from quick backup documents folder on old HD (ransomware often goes for max rights)
  • Tweaked exploit protection settings of Microsoft Defender
Periodic malware scanners
Microsoft Malicious Software Removal Tool only combined with periodic Microsoft Defender scan enabled
Malware sample testing
I do not participate in malware testing
Browser(s) and extensions
Edge with hardened profile running InPrivate:
- Bruce blank tab (also works incognito)
- AdGuard with only my filters to deal with annoyances and Kees1958

Firefox with hardened user.js running incognito
- Etag Stoppa
- NoScript
... running in Sandboxie
Secure DNS
Next DNS - Firefox
Quad9 - Edge
Desktop VPN
Bullet VPN
Password manager
None
Maintenance tools
Process Explorer & Autoruns64
File and Photo backup
Syncback Free
System recovery
Restore points and Windows Image Backup for software.
Windows Data Backup for Documents only
Syncback for USB and Quick documents backup to old HD
Neushield daily mirrors for Quick documents backup folder
Risk factors
    • Working from home
    • Browsing to popular websites
    • Opening email attachments
    • Buying from online stores, entering banks card details
    • Streaming audio/video content from shady sites
Computer specs
Self-built from parts of old PCs from relatives
- Asus motherboard
- Intel i7 950 with 8 GB RAM
- NVidia GT730 fan-less video card
- Samsung 860 SSD (250 GB for OS)
- OCZ Vortex SSD (120 GB for Documents)
- Seagate 2 TB HDD for media files
- Western Digital 1 TB HDD for image backup and windows image & data backup

USB 2 TB drive connected to the router to serve as a NAS (the router also has Trend Micro Home Protect).
The USB drive is swapped with a second off-line backup USB drive every month.
Notable changes
12-2-21
Added Neushield Data Sentinel Free and changed uMatrix for uBlock on Edge WDAG sandbox
16-3-21
Same extensions in Edge and WDAG sandbox: blank tab, uBlockOrigin and PopUpOff
23-3-21
Replaced uB0 with Adguard again :)
1-4-21
Only using Edge anti-tracking and NextDNS as adblocking for Edge (in normal = hardened mode)
2-4-21
Back to Adguard with Quad9 DNS and removed PopUpOff and NextDNS
22-4-21
Back to Next DNS and replaced Adguard with AddBlockPlus, disabled Edge Application Guard (I did not use it anymore).
23-4-21
Kaspersky Cloud Free stopped working for unknown reason, reverted back to Microsoft Defender
26-4-21
Replaced Adguard DNS filter with Next DNS ad & tracking blocklist
27-4-21
Added Adguard DNS filter again as only DNS level blocklist
29-4-21
Replaced AdblockPlus with SmartAdblock (which is also a popup blocker)
4-5-21
Next DNS ad filter blocked a coupon code, so back to no ad-filters in DNS. Added Kees1958 most common EU-US, and set Edge anti-tracking to default again
11-7-21
Added Firefox with privacy-hardened user.js and Sandboxie
What I'm looking for?

Looking for maximum feedback.

Lenny_Fox

Level 22
Thread author
Verified
Top Poster
Well-known
Oct 1, 2019
1,120
Wow. In the past I used them but reverted as too many settings weren't designed for consumers.
Now I only use a few which aren't available as native settings in Windows.
Well, I should have said 90% of the baseline which is applicable for home users, so I did not accomplish the feat you probably have in mind.

I am not disappointed if you change your WOW response to LIKE :)

Note: setting it through GPO has some advantages, like settings not being changed by applications (e.g. firewall blocks of ransomware-related sponsors/LOLBins misuse)
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Well, I should have said 90% of the baseline which is applicable for home users, so I did not accomplish the feat you probably have in mind.

I am not disappointed if you change your WOW response to LIKE :)

Note: setting it through GPO has some advantages, like settings not being changed by applications (e.g. firewall blocks of ransomware-related sponsors/LOLBins misuse)
These settings can be changed by malware like any other Policies applied by editing the Registry. The only difference is that after several hours the GPO Refresh feature can restore the proper settings again. This cannot protect against ransomware attacks. Furthermore, if the malware is designed to fight the Policies, then it will be able to disable GPO Policies after they are restored, too.
Some Policies included in the baseline are in fact less restrictive than Windows default settings on Windows Home and Pro, so one has to understand well what they can do.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
ACL deny execute works only for: EXE, COM, SCR, BAT, and CMD files. The BAT and CMD files are blocked only when executed by the user directly from Explorer and not blocked when executed via command-line with cmd.exe.
ACL deny execute cannot block MSI installers, most scripts (Windows Script Host, PowerShell), and files with active content (CHM, HTA, MSC, etc.).
 
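The "ACL deny execute for Download folder" item from the setup above, together with the limitation Andy Ful describes, as an added example that is not from the thread or from Hard_Configurator. It assumes an elevated Windows PowerShell session; `S-1-5-32-545` is the well-known SID of BUILTIN\Users, and the probe file names are constructed.

```powershell
# Added example (not from the thread): apply a deny-execute ACE to the Downloads
# folder and probe what it covers. Assumes an elevated Windows PowerShell session.
$Folder = Join-Path $env:USERPROFILE 'Downloads'
$Probe  = Join-Path $Folder 'acl-probe.cmd'    # constructed probe file
$Marker = Join-Path $Folder 'acl-probe.txt'    # written by the probe when it runs

# Deny ExecuteFile (X) to BUILTIN\Users (SID S-1-5-32-545). (OI)(IO) = the ACE is
# inherited by files at every depth but is not applied to the folder or to its
# subfolders, so browsing into subfolders keeps working.
# Undo later with:  icacls $Folder /remove:d *S-1-5-32-545
icacls $Folder /deny '*S-1-5-32-545:(OI)(IO)(X)' | Out-Null
icacls $Folder | Select-String 'DENY'           # shows the new deny entry for Users

# The probe batch file writes a marker file next to itself if it gets to run.
Set-Content -Path $Probe -Value '@echo ran > "%~dp0acl-probe.txt"'

function Invoke-Probe([string]$Label, [scriptblock]$Launch) {
    Remove-Item $Marker -ErrorAction SilentlyContinue
    try   { & $Launch }
    catch { Write-Host "$Label : launch error - $($_.Exception.Message)" }
    $ran = Test-Path $Marker
    Write-Host ("{0} : {1}" -f $Label, $(if ($ran) { 'RAN' } else { 'BLOCKED' }))
}

# 1. Launching the .cmd file itself (what a double-click in Explorer does): Windows
#    checks execute access on the file, so the deny ACE blocks it.
Invoke-Probe 'Start-Process .cmd' { Start-Process -FilePath $Probe -Wait -WindowStyle Hidden }

# 2. Handing the same file to cmd.exe: the interpreter only reads the script, so no
#    execute check is made and the ACL does not stop it. This is the gap the thread
#    points out, which SRP/AppLocker rules have to cover.
Invoke-Probe 'cmd.exe /c .cmd' { cmd.exe /c $Probe }

# Clean up the probe files; the deny ACE stays in place.
Remove-Item $Probe, $Marker -ErrorAction SilentlyContinue
```

Expected outcome on a default Windows 10 install: the first probe reports BLOCKED and the second RAN, which is exactly why the setup pairs the ACL with SRP rather than relying on it alone.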

Lenny_Fox

Level 22
Thread author
Verified
Top Poster
Well-known
Oct 1, 2019
1,120
ACL deny execute works only for: EXE, COM, SCR, BAT, and CMD files. The BAT and CMD files are blocked only when executed by the user directly from Explorer and not blocked when executed via command-line with cmd.exe.
ACL deny execute cannot block MSI installers, most scripts (Windows Script Host, PowerShell), and files with active content (CHM, HTA, MSC, etc.).
:) Don't worry, ACL is not the only defense; I'm also using SRP and WD Exploit settings. Just a few examples:

HTA does not run on my desktop; I simply enabled all settings in WD Exploit Protection. In GPO I have disabled installers from elevating, so I need to run as admin to install manually. WSH is also blocked with WD Exploit Protection. Contrary to cmd files, ps1 files cannot be run as admin, so they are blocked with SRP.
 
Last edited:

Lenny_Fox

Level 22
Thread author
Verified
Top Poster
Well-known
Oct 1, 2019
1,120
What was your reason to prefer Kaspersky Security Cloud Free over Microsoft Defender (with or without Configure Defender)?
Curious about that because you use so many other built-in security features.
Last year I used Hard_Configurator-like and ConfigureDefender-like settings ("like" because I set them manually in GPO); thanks to @Andy Ful I learned how to copy the settings of his great utilities*. Yes, I like to use security that is already provided by Windows itself.

Reason to choose Kaspersky Cloud Free was that the husband of a (girl)friend of my girlfriend put it on for her. He is an IT-er, I am a digital marketer, so she figured the husband of her friend knew more about security than I did. So because I decided on the same setup for all PCs, I changed my setup :)

The guy convinced my girlfriend to change by showing how fast the Kaspersky icon appears and how slow the WD icon appears.

* I did not like the nested allow exceptions for TMP files @Andy Ful makes with HC and SWH; everything runs/updates/installs fine without this TMP hole in my SRP defence
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
:) Don't worry, ACL is not the only defense; I'm also using SRP and WD Exploit settings. Just a few examples:

HTA does not run on my desktop; I simply enabled all settings in WD Exploit Protection. In GPO I have disabled installers from elevating, so I need to run as admin to install manually. WSH is also blocked with WD Exploit Protection. Contrary to cmd files, ps1 files cannot be run as admin, so they are blocked with GPO.
How do you block Windows Script Host by Exploit Protection?
 

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,506
Last year I used Hard_Configurator-like and ConfigureDefender-like settings ("like" because I set them manually in GPO); thanks to @Andy Ful I learned how to copy the settings of his great utilities*. Yes, I like to use security that is already provided by Windows itself.

Reason to choose Kaspersky Cloud Free was that the husband of a (girl)friend of my girlfriend put it on for her. He is an IT-er, I am a digital marketer, so she figured the husband of her friend knew more about security than I did. So because I decided on the same setup for all PCs, I changed my setup :)

The guy convinced my girlfriend to change by showing how fast the Kaspersky icon appears and how slow the WD icon appears.

* I did not like the nested allow exceptions for TMP files @Andy Ful makes with HC and SWH; everything runs/updates/installs fine without this TMP hole in my SRP defence
That icon thing is a little trick of Kaspersky, because when you click on it after a reboot it still takes a while to load the full program.
But it's not a bad program for protection.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
...
* I did not like the nested allow exceptions for TMP files @Andy Ful makes with HC and SWH; everything runs/updates/installs fine without this TMP hole in my SRP defence
If you allow EXE files, then allowing TMP files is logical and generally necessary, except when some installations do not use wrappers. You cannot run TMP files manually; they have to be run/loaded by the already running process. So, TMP files are not dangerous if the initial vectors of attack are properly covered. Furthermore, if one uses the H_C Strict_Recommended settings, then EXE and TMP files are blocked, too. One can also skip using the H_C's option and use his/her own setup to allow EXE files without allowing TMP files.

Anyway, if you have properly blocked/restricted scripts then your setup is OK in the home environment. Other vectors of attack are not so important with Kaspersky's protection.
 
Last edited:

harlan4096

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Apr 28, 2015
8,635
That icon thing is a little trick of Kaspersky, because when you click on it after a reboot it still takes a while to load the full program.
It's the K. GUI that takes some seconds to appear after every system start; protection services are enabled during the early stage of Windows boot...
 

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,506
It's the K. GUI that takes some seconds to appear after every system start; protection services are enabled during the early stage of Windows boot...
Yes, I know, but that was only to illustrate that the K icon showing up earlier than the Microsoft Defender icon tells you nothing.
Protection has already been started in both cases.
 
ForgottenSeer 85179

Reason to choose Kaspersky Cloud Free was that the husband of a (girl)friend of my girlfriend put it on for her. He is an IT-er, I am a digital marketer, so she figured the husband of her friend knew more about security than I did. So because I decided on the same setup for all PCs, I changed my setup :)
This doesn't mean this guy knows what he's talking about.

A lot of IT guys don't have the knowledge MT members have ;)
 

Lenny_Fox

Level 22
Thread author
Verified
Top Poster
Well-known
Oct 1, 2019
1,120
This doesn't mean this guy knows what he's talking about.

A lot of IT guys don't have the knowledge MT members have ;)
True, but her employer provided online security lessons to create security awareness (because they were forced to collaborate/meet/work digitally with Covid-19). The upside is that she applies safe hex now (the downside is that she does not take my word for security any more :) )

Her employer did it very smartly. When you passed a (security awareness) test, you could order something to create a better home workplace. With every successfully finished course employees got a bonus. With these incentives she got a large monitor and keyboard to go with her work laptop, a desk which you can change in height (so it is also possible to work standing), a good office chair, a 40 euro per month allowance for a faster internet connection and our new AC4000 tri-band router (so she has one 5 GHz network of her own for work with VPN pass-through).
 
Last edited:
