Advanced Security Lenny's Security Config 2024

Last updated
Apr 19, 2024
How it's used?
For home and private use
Operating system
Windows 11
Other operating system
Running as standard user on Windows 11 Pro
On-device encryption
N/A
Log-in security
    • Biometrics (Windows Hello PIN, TouchID, Face, Iris, Fingerprint)
Security updates
Allow security updates and latest features
Update channels
Allow stable updates only
User Access Control
Always notify
Smart App Control
Off
Network firewall
Enabled
About WiFi router
We have a tri-band router at home. One 5 GHz channel for me and one 5 GHz for my wife. All IoT devices and smartphones are on the Guest network of 2.4 GHz (the 2.4 GHz band itself is not used) with a short lease time (12 hours). It is a setup idea I copied from a member on MT. It actually works very well for us. In all rooms of our apartment we achieve maximum ISP contract Wi-Fi speeds (up/down) with this 'each has its own channel' setup. This setup also has some security benefits (the 2.4 GHz network is partitioned and the 5 GHz networks have MAC-IP binding). Our router is supposed to have stateful packet inspection on top of the NAT firewall and checks for clients using outdated, vulnerable protocols (and blocks them).
Real-time security
  1. Running Standard User with deny elevation for unsigned
  2. Microsoft Defender in cloud "Zero Tolerance" (whitelist) mode
  3. WDAC-ISG (local tighter whitelist mode for user folders as fallback)
  4. Software Restriction Policy default deny in user folders for Standard User
  5. DocumentsAntiExploit + FirewallHardening + Network hardening + Service hardening
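Items 1 and 4 of that list (no elevation for unsigned binaries, SRP default deny for the standard user) are both plain registry policies and can be written and read back from PowerShell. The script below is an added example, not the thread author's own configuration: the registry paths and value names are the documented ones for UAC and for Software Restriction Policies, while the choice of allow-listed folders and the disallowed user-writable subfolders of %SystemRoot% are my assumptions about what a home setup like this one needs. The Set-* functions need an elevated prompt; Test-UserFolderPolicy only reads and can be run from the standard-user account.

```powershell
# Added example (not the thread author's script): UAC "Always notify" with signed-only
# elevation, plus Software Restriction Policies at default deny with path exceptions.
# Set-* functions require an elevated prompt; Test-UserFolderPolicy is read-only.

$UacKey       = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$SaferKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Unrestricted = 0x40000   # SRP security levels: 0 = Disallowed, 0x40000 = Unrestricted
$Disallowed   = 0

function Set-UacAlwaysNotify {
    # ConsentPromptBehaviorAdmin 2 + PromptOnSecureDesktop 1 is the "Always notify" slider position.
    Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin  -Type DWord -Value 2
    Set-ItemProperty -Path $UacKey -Name PromptOnSecureDesktop       -Type DWord -Value 1
    # "Only elevate executables that are signed and validated": an unsigned binary gets no
    # elevation prompt at all, which is the "deny elevation for unsigned" of item 1.
    Set-ItemProperty -Path $UacKey -Name ValidateAdminCodeSignatures -Type DWord -Value 1
}

function Add-SrpPathRule([int]$Level, [string]$Path, [string]$Note) {
    # Each path rule is a GUID-named subkey under <level>\Paths holding the path in ItemData.
    $rule = "$SaferKey\$Level\Paths\$([guid]::NewGuid().ToString('B'))"
    New-Item -Path $rule -Force | Out-Null
    Set-ItemProperty -Path $rule -Name ItemData    -Type ExpandString -Value $Path
    Set-ItemProperty -Path $rule -Name SaferFlags  -Type DWord        -Value 0
    Set-ItemProperty -Path $rule -Name Description -Type String       -Value $Note
}

function Set-SrpDefaultDeny {
    New-Item -Path $SaferKey -Force | Out-Null
    Set-ItemProperty -Path $SaferKey -Name DefaultLevel        -Type DWord -Value $Disallowed
    Set-ItemProperty -Path $SaferKey -Name TransparentEnabled  -Type DWord -Value 1  # EXEs and scripts, not DLLs
    Set-ItemProperty -Path $SaferKey -Name PolicyScope         -Type DWord -Value 1  # all users except local admins
    Set-ItemProperty -Path $SaferKey -Name AuthenticodeEnabled -Type DWord -Value 0
    # File types SRP treats as executable (the default list Windows ships with).
    Set-ItemProperty -Path $SaferKey -Name ExecutableTypes -Type MultiString -Value @(
        'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF','INS','ISP',
        'LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG','SCR','SHS','URL','VB','WSC')
    # Only locations a standard user cannot write to are allowed; everything else (Desktop,
    # Downloads, %TEMP%, USB sticks ...) falls through to the Disallowed default level.
    Add-SrpPathRule $Unrestricted '%SystemRoot%'        'Windows'
    Add-SrpPathRule $Unrestricted '%ProgramFiles%'      'Program Files'
    Add-SrpPathRule $Unrestricted '%ProgramFiles(x86)%' 'Program Files (x86)'
    # The more specific path rule wins, so close the user-writable holes inside %SystemRoot%
    # (my assumption of the two that matter most on a home machine).
    Add-SrpPathRule $Disallowed   '%SystemRoot%\Temp'   'user-writable'
    Add-SrpPathRule $Disallowed   '%SystemRoot%\Tasks'  'user-writable'
}

function Test-UserFolderPolicy {
    $u = Get-ItemProperty -Path $UacKey
    $s = Get-ItemProperty -Path $SaferKey -ErrorAction SilentlyContinue
    $allowed = Get-ChildItem "$SaferKey\$Unrestricted\Paths" -ErrorAction SilentlyContinue |
               ForEach-Object { (Get-ItemProperty $_.PSPath).ItemData }
    [pscustomobject]@{
        AlwaysNotify          = ($u.ConsentPromptBehaviorAdmin -eq 2 -and $u.PromptOnSecureDesktop -eq 1)
        DenyUnsignedElevation = ($u.ValidateAdminCodeSignatures -eq 1)
        SrpDefaultDeny        = ($null -ne $s -and $s.DefaultLevel -eq $Disallowed)
        SrpAllowedPaths       = (@($allowed) -join '; ')
    }
}

# Typical use from an elevated prompt:
#   Set-UacAlwaysNotify; Set-SrpDefaultDeny; gpupdate /force
# then sign out and back in, and run Test-UserFolderPolicy from the standard-user account.
Test-UserFolderPolicy
```

SRP has no audit mode, so expect a few days of programs in user folders refusing to start; each block is written to the Application event log by source SoftwareRestrictionPolicies (event 865 for the default level, 866 for a path rule), which is the place to look before deciding whether something deserves an Unrestricted rule of its own.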
Firewall security
Microsoft Defender Firewall
About custom security
  1. Enabled Code Integrity Guard for Office 2019 and often exploited Windows processes running as standard user
  2. Enabled all attack surface reduction rules of Microsoft Defender (using PowerShell)
  3. Enabled Protected folders and advanced ransomware protection
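The Defender side of this list (Code Integrity Guard per process, the ASR rules, protected folders) can be set and read back with the built-in Defender and process-mitigation cmdlets; the same cmdlets also switch on the cloud "Zero Tolerance" block level from item 2 of the real-time security list. The script below is an added example and not the thread author's script. The ASR rule GUIDs are the ids from Microsoft's ASR documentation (the rules I am sure of, not necessarily the complete current list); which processes count as "often exploited" and the extra protected folder path are my assumptions.

```powershell
# Added example (not the thread author's script). Run from an elevated PowerShell;
# Get-MpPreference and Get-ProcessMitigation also work from the standard-user account to verify.

# --- 1. Code Integrity Guard: the process may only load Microsoft-signed images ---------------
# Which processes count as "often exploited" is my assumption; the Office binaries match item 1.
$cigProcesses = @('winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe',          # Office 2019
                  'wscript.exe', 'cscript.exe', 'mshta.exe', 'rundll32.exe', 'regsvr32.exe')
foreach ($exe in $cigProcesses) {
    # Stored per image name under Image File Execution Options, so it follows the binary,
    # not the user account. Caveat: CIG blocks third-party (non-Microsoft-signed) Office add-ins.
    Set-ProcessMitigation -Name $exe -Enable MicrosoftSignedOnly
}

# --- 2. Attack surface reduction rules --------------------------------------------------------
# Add-MpPreference appends to whatever is already configured; the Actions array is positional
# against the Ids array (Enabled = block, AuditMode = log only, Warn = user can bypass).
$asr = [ordered]@{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office apps from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office apps from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office apps from injecting code into other processes'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
    '26190899-1602-49E8-8B27-EB1D0A1CE869' = 'Block Office communication apps from creating child processes'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript/VBScript from launching downloaded executables'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    '01443614-CD74-433A-B99E-2ECDC07BFC25' = 'Block executables unless they meet prevalence, age or trusted-list criteria'
    'C1DB55AB-C21A-4637-BB3F-A12568109D35' = 'Use advanced protection against ransomware'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
    'D1E49AAC-8F56-4280-B9BA-993A6D77406C' = 'Block process creations from PsExec and WMI'
    'B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4' = 'Block untrusted and unsigned processes that run from USB'
    '7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C' = 'Block Adobe Reader from creating child processes'
    'E6DB77E5-3DF2-4CF1-B95A-636979351E5B' = 'Block persistence through WMI event subscription'
    '56A863A9-875E-4185-98A7-B882C64B5CE5' = 'Block abuse of exploited vulnerable signed drivers'
}
$ids = @($asr.Keys)
Add-MpPreference -AttackSurfaceReductionRules_Ids $ids `
                 -AttackSurfaceReductionRules_Actions (@('Enabled') * $ids.Count)

# --- 3. Protected folders (Controlled Folder Access) --------------------------------------------
# Blocks untrusted apps from writing to Documents, Pictures, etc.; the C1DB55AB rule above is
# what the Windows Security app labels as advanced ransomware protection.
Set-MpPreference -EnableControlledFolderAccess Enabled
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Archive'   # placeholder path, my assumption

# --- 4. Cloud protection at "Zero Tolerance" (item 2 of the real-time security list) ------------
Set-MpPreference -MAPSReporting Advanced -CloudBlockLevel ZeroTolerance -CloudExtendedTimeout 50

# --- Read-back: what is actually in force ------------------------------------------------------
function Get-DefenderHardeningState {
    $p = Get-MpPreference
    $missing = $ids | Where-Object { $p.AttackSurfaceReductionRules_Ids -notcontains $_ }
    [pscustomobject]@{
        CloudBlockLevel    = $p.CloudBlockLevel
        ControlledFolders  = $p.EnableControlledFolderAccess
        AsrRulesConfigured = @($p.AttackSurfaceReductionRules_Ids).Count
        AsrRulesMissing    = @($missing)
        CigProcesses       = @($cigProcesses | Where-Object {
                                 (Get-ProcessMitigation -Name $_).CodeIntegrity.MicrosoftSignedOnly -eq 'ON' })
    }
}
Get-DefenderHardeningState
```

Running the whole list in AuditMode for a week first and reading Event ID 1122 (audit) and 1121 (block) under Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational shows which rules would bite a particular household's software before anything is enforced.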
Periodic malware scanners
Microsoft Malware Removal Tool (runs automatically on monthly patch Tuesday)
Malware sample testing
I do not participate in malware testing
Environment for malware testing
None, do not participate
Browser(s) and extensions
  1. Chrome 'trusted sites' profile with hardened permissions with TrafficLight, DarkReader and AdGuard with custom filters only
  2. Chrome 'web surfing' profile with most site permissions blocked with TrafficLight, DarkReader and AdGuard with custom filters only
  3. Edge as PDF reader with nearly all site permissions blocked and all security features in strict (and all Microsoft bloat disabled)
Secure DNS
  1. Windows DNS settings
    NextDNS free 1st account with all security features enabled, including parental control with only a few Top Level Domains allowed (like @TairikuOkami)
  2. Chrome - DNS over HTTPS setting
    NextDNS free 2nd account with security enabled and AdGuard DNS plus OISD.NL blocklists enabled, no logs
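Both layers of that DNS setup (one resolver profile for Windows, a second one for Chrome) can be pinned with cmdlets and a Chrome policy so they survive a network change. The script below is an added example, not the thread author's settings: the two NextDNS configuration ids are placeholders for the ones shown on each account's Setup page, the anycast resolver addresses are NextDNS's published ones (confirm them against your account page), and the adapter alias is an assumption. It needs an elevated prompt.

```powershell
# Added example (not the thread author's settings): Windows resolver on NextDNS account 1 via
# DoH with no plaintext fallback, Chrome on NextDNS account 2 via policy. Elevated prompt needed.

$SystemProfile  = '<nextdns-config-id-1>'   # placeholder: 1st NextDNS account (OS resolver)
$ChromeProfile  = '<nextdns-config-id-2>'   # placeholder: 2nd NextDNS account (Chrome only)
$NextDnsAnycast = @('45.90.28.0', '45.90.30.0')  # NextDNS anycast resolvers (assumption: verify on your account page)
$Adapter        = 'Wi-Fi'                        # assumption: the laptop's WLAN adapter alias

function Set-WindowsDoh {
    # NextDNS is not in the Windows built-in DoH server list, so register the template first;
    # AllowFallbackToUdp $false means a DoH failure does not silently drop to plain UDP/53.
    foreach ($ip in $NextDnsAnycast) {
        Add-DnsClientDohServerAddress -ServerAddress $ip `
            -DohTemplate "https://dns.nextdns.io/$SystemProfile" `
            -AllowFallbackToUdp $false -AutoUpgrade $true -ErrorAction SilentlyContinue
    }
    # Point the adapter at those addresses so the template above is the one that gets used.
    Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses $NextDnsAnycast
}

function Set-ChromeDoh {
    $key = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
    New-Item -Path $key -Force | Out-Null
    # "secure" = Chrome never falls back to the system resolver if its DoH server fails.
    Set-ItemProperty -Path $key -Name DnsOverHttpsMode      -Type String -Value 'secure'
    Set-ItemProperty -Path $key -Name DnsOverHttpsTemplates -Type String -Value "https://dns.nextdns.io/$ChromeProfile"
}

function Test-DohSetup {
    $chrome = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Google\Chrome' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WindowsDohServers = (Get-DnsClientDohServerAddress |
                             Where-Object DohTemplate -like '*nextdns*' |
                             ForEach-Object ServerAddress) -join ', '
        AdapterResolvers  = (Get-DnsClientServerAddress -InterfaceAlias $Adapter -AddressFamily IPv4).ServerAddresses -join ', '
        ChromeMode        = $chrome.DnsOverHttpsMode
        ChromeTemplate    = $chrome.DnsOverHttpsTemplates
    }
}

Set-WindowsDoh
Set-ChromeDoh
Test-DohSetup
```

If the adapter's DNS page in Settings still reports "Unencrypted only" after this, flip the per-adapter DNS over HTTPS toggle there once; the registered template is then picked up automatically. Chrome reads the policy at its next start, and chrome://policy shows whether both values were accepted.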

Desktop VPN
Free Windscribe (using only when on holiday for banking)
Password manager
None
File and Photo backup
Syncback Free to external USB HD and we are using an extra Gmail account to send important documents to (e.g. insurance, mortgage, testament, work contracts etc)
Active subscriptions
    • None
System recovery
EaseUS free
Risk factors
    • Browsing to popular websites
    • Working from home
    • Making audio/video calls
    • Opening email attachments
    • Buying from online stores, entering banks card details
    • Logging into my bank account
    • Streaming audio/video content from trusted sites or paid subscriptions
Computer specs
Laptop with Ryzen 7 5700U, 16GB RAM and 1TB M.2 SSD with Windows 11 Pro
Notable changes
  1. Dropped third-party security, back to WHHL and Defender on MAX.
  2. Running standard user again and blocking LolBins
  3. Set default deny SRP on user folders
  4. Copied Andy's setup using Windows Pro features
What I'm looking for?

Looking for maximum feedback.

Mar 10, 2024
339
Agree, but some habits can be automated and enforced by tools. I have two Chrome profiles with two different DNS settings (with different security measures and limitations), which are similar to my admin and standard user accounts. The good habit is to use the correct profile for the intended purpose (web surfing versus trusted sites). With technology the user is always part of the solution (with good habits) or part of the problem (ignorance or overconfidence), but no matter how good your driving skills or habits are, you are safer in a 5-star NCAP car than in a 2-star NCAP car, and you are safer with a seat belt and airbag than by only applying (the good habit of holding) the steering wheel firmly with two hands in the ten-to-two position.
Which level of awareness would you consider yourself to have as to how the operating system works? Now ask yourself the same about your awareness of the security tools you are using. Do you find yourself looking things up or asking questions to configure these tools? Do you know for a fact you are doing so properly, based on your knowledge of the tool and operating system? Now consider an average user that has less "awareness" than you do. Do you really think they would fare well, when I'm betting you cannot claim you are completely competent with both the OS and tools?

It hinges more on the habits than it does on the tools. It does not matter if they are running Windows default or a 3rd-party suite if they lack habits and are happy-go-lucky clickers that just don't care. The seatbelt and airbag would all be pointless in a careless environment at high speeds.

Safer indeed.

I won't continue this and hijack your thread any more than we have, but there are plenty of convos on the forum concerning this.

LennyFox

Level 7
Thread author
Jan 18, 2024
307
The only program needing execution rights in user folders moved to a web service, so I tightened Software Restriction Policies to default deny.

