Advanced Plus Security Max90 Security Config 2023

Last updated
Dec 14, 2022
Use case
Private use
Desktop OS
Windows 10
Other OS info
Windows 10 Pro running SUA
Device encryption
None
Login unlock
    • Password
OS updates
Automatic updates
User Access Control
Always notify
WiFi network security
Router firewall: ON
Firmware: up-to-date
Malware protection
10 Layers to pass :) inspired by Andy Full's free hardening programs
1. Early Launch Anti malware allowing known GOOD drivers only to load at system boot
2. Running Standard User with Medium Integrity Level rights and UAC set to deny elevation of unsigned
3. Microsoft Defender hardened with GPO identical to ConfigureDefender settings on MAXimum protection level (cloud whitelist)
4. Windows Defender Application Control (WDAC) for user folders allowing only Microsoft signed + Syncback free (data backup) to update
5. Software Restriction default deny Policy for Standard User with Microsoft recommended block rules and enhanced sponsor blocks of H_C
6. Selection of recommended hardening of Microsoft Security Baseline (2019) which did not interfere with daily usage plus CMD + Wscript disabled
7. Defender Exploit protection: Core Isolation and ASR enabled plus Code Integrity Guard for most Microsoft programs running with Medium Integrity Level.
8. Defender Ransomware protection with Controlled Folder Access enabled for all user folders including program startup folders (smart trick of Andy).
9. Edge hardened by tweaking the registry like enabling AppContainer and disabling most site permissions and scripts disabled for HTTP websites.
10. NextDNS (Google Safe search, threat feeds and AI), TrendMicro Web Reputation Service in my router, Edge Smartscreen
Firewall protection
Microsoft Defender Firewall for Windows 11 / 10
Custom security info
TP-Link tri-band router with the 2.4 GHz channel for smart phones; the other two 5 GHz channels are separate networks for work and home use. All IoT devices are on the 2.4 GHz guest network with a lease time of 8 hours. I have enabled ALL Home Care protection features (including TrendMicro Web Reputation service) and the firewall.
Periodic scanners
Monthly Windows Malicious Software Removal Tool and SophosScanAndClean
Malware samples
I do not participate in malware testing.
Default browser / extensions
Edge with DuckDuckGo as search engine (but with google.nl set as home page) with only two extensions: Blank New Tab page and AdGuard V4 with the following filters:
1. Kees1958 EU + US most used ad & tracking filter
2. Kees1958 Tracking parameter filter
3. Lenny Fox news websites
4. Lenny Fox videos (which is only Youtube)
5. Jan Willy user rules (easy medium mode for AG)
Secure DNS
NextDNS with all security features enabled, non-Latin top-level domains blocked and parental control enabled for piracy, dating, gambling and porn (because these categories often contain malvertising).
VPN
Windscribe free 30GB
Password manager
None, kept in my head
Maintenance tools
Cleanmgr
Personal backup
Syncback FREE to a second HD (data is on SSD) and once a month to USB disk. The ad hoc backup to second HD is extra protected with NTFS file permissions only allowing ADMIN-user full access
Backup frequency
Manual
Recovery backup
Macrium Reflect free image backup
Recovery plan integrity
Many successful results with my recovery plan
Risk factors
    • Browsing to popular websites
    • Working from home
    • Opening email attachments
    • Buying from online stores, entering banks card details
    • Logging into my bank account
    • Downloading software and files from reputable sites
    • Streaming audio/video content from trusted sites or paid subscriptions
    • Coding and development
Notable changes
18-10-2022 Added Windscribe FREE
19-10-2022 Added Dark Reader extension
06-12-2022 Removed Dark Reader and Ghostery and added AdGuardV4
08-12-2022 Removed allow signature for Macrium Reflect Free 8 (since it is eol)
11-12-2022 Changed filters for AGv4 thanks to tips of Jan Willy
14-12-2022 Changed from SWH to default deny SRP in user folders for Standard user thanks to malware news post of Gandalf the Grey
19-12-2022 Disabled TrendMicro Web Reputation Service and added Bitdefender TrafficLight extension to Edge
25-12-2022 Replaced Bitdefender TrafficLight with McAfee SiteAdvisor
09-01-2023 Replaced McAfee SiteAdvisor with MBAM Browser Guard and enabled TrendMicro Web Reputation Service in the router again.
20-01-2023 Changed filter of AG and removed McAfee SiteAdvisor
Feedback response

Not looking for any specific feedback, but suggestions welcomed.
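The ten layers listed under "Malware protection" are all things Windows exposes as a registry value, a Defender preference or a WMI class, so they can be audited rather than taken on trust. The script below is an added example (mine, not Max90's, Andy Ful's or any tool's code): a read-only PowerShell audit that reads each layer's current state and compares it with the value I infer from the description above (ELAM "good drivers only", UAC always-notify plus signed-only elevation, Defender cloud/PUA/Controlled Folder Access with ASR in Block mode, WDAC user-mode enforcement with HVCI, SRP default Disallowed for non-admins, CMD and WSH disabled, Code Integrity Guard on the processes oldschool names further down, and Edge SmartScreen). The expected values are my assumptions, not numbers the post states; the registry paths and cmdlets are the documented Windows and Defender interfaces. Run it from an elevated PowerShell 5.1 prompt; it changes nothing.

```powershell
# Added example: read-only audit of the hardening layers described above.
# Expected values are assumptions derived from the post's wording, not settings it quotes.

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent, so a missing policy shows up as FAIL
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$results = New-Object System.Collections.Generic.List[object]
function Add-Check([string]$Layer, [string]$Item, $Actual, $Expected) {
    $status = if ("$Actual" -eq "$Expected") { 'PASS' } else { 'FAIL' }
    $results.Add([pscustomobject]@{ Layer = $Layer; Item = $Item; Actual = $Actual; Expected = $Expected; Status = $status })
}

# 1. ELAM: Boot-Start Driver Initialization Policy; 8 = load drivers classified "Good" only
Add-Check 'ELAM' 'DriverLoadPolicy (8 = Good only)' (Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Policies\EarlyLaunch' 'DriverLoadPolicy') 8

# 2. UAC: always notify on the secure desktop and refuse to elevate unsigned binaries
$uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Add-Check 'UAC' 'EnableLUA' (Get-RegValue $uac 'EnableLUA') 1
Add-Check 'UAC' 'ConsentPromptBehaviorAdmin (2 = always notify)' (Get-RegValue $uac 'ConsentPromptBehaviorAdmin') 2
Add-Check 'UAC' 'PromptOnSecureDesktop' (Get-RegValue $uac 'PromptOnSecureDesktop') 1
Add-Check 'UAC' 'ValidateAdminCodeSignatures (1 = signed only)' (Get-RegValue $uac 'ValidateAdminCodeSignatures') 1

# 3. Defender: cloud protection, PUA blocking, Controlled Folder Access, every ASR rule in Block (1)
$mp = Get-MpPreference
Add-Check 'Defender' 'MAPSReporting (2 = Advanced)' $mp.MAPSReporting 2
Add-Check 'Defender' 'PUAProtection (1 = Block)' $mp.PUAProtection 1
Add-Check 'Defender' 'EnableControlledFolderAccess (1 = Block)' $mp.EnableControlledFolderAccess 1
$asrActions = @($mp.AttackSurfaceReductionRules_Actions)
$asrNotBlock = @($asrActions | Where-Object { $_ -ne 1 }).Count
Add-Check 'Defender' 'ASR rules configured' ($asrActions.Count -gt 0) $true
Add-Check 'Defender' 'ASR rules not in Block mode' $asrNotBlock 0

# 4. WDAC user-mode policy enforced (2 = Enforced, 1 = Audit, 0 = Off) and HVCI (core isolation) running
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
Add-Check 'WDAC' 'UsermodeCodeIntegrityPolicyEnforcementStatus (2 = Enforced)' $dg.UsermodeCodeIntegrityPolicyEnforcementStatus 2
Add-Check 'WDAC' 'HVCI running (SecurityServicesRunning contains 2)' ([bool]($dg.SecurityServicesRunning -contains 2)) $true

# 5. SRP: default level Disallowed (0); scope 1 = applies to all users except local administrators,
#    which is the "default deny for Standard user only" split the post describes
$srp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
Add-Check 'SRP' 'DefaultLevel (0 = Disallowed)' (Get-RegValue $srp 'DefaultLevel') 0
Add-Check 'SRP' 'PolicyScope (1 = skip local admins)' (Get-RegValue $srp 'PolicyScope') 1

# 6. Baseline extras: CMD (per-user value, so run this as the standard user to see that hive; 1 also
#    disables the interactive prompt) and Windows Script Host disabled
Add-Check 'Baseline' 'DisableCMD (HKCU, 2 = also batch files)' (Get-RegValue 'HKCU:\Software\Policies\Microsoft\Windows\System' 'DisableCMD') 2
Add-Check 'Baseline' 'WSH Enabled (0 = disabled)' (Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings' 'Enabled') 0

# 7. Exploit Protection: Code Integrity Guard (Microsoft-signed images only) per process
foreach ($exe in 'explorer.exe', 'svchost.exe', 'powershell.exe') {
    $m = Get-ProcessMitigation -Name $exe
    Add-Check 'ExploitProtection' "$exe MicrosoftSignedOnly" "$($m.BinarySignature.MicrosoftSignedOnly)" 'ON'
}

# 8. Edge SmartScreen forced on by policy (Edge defaults to on; a missing value means "not enforced")
Add-Check 'Edge' 'SmartScreenEnabled policy' (Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Edge' 'SmartScreenEnabled') 1

$results | Format-Table -AutoSize
$fails = @($results | Where-Object { $_.Status -eq 'FAIL' }).Count
Write-Host "$fails of $($results.Count) checks failed"
```

A FAIL is a prompt to look, not proof of a gap: Controlled Folder Access and SRP are partly defined by their allow lists and path rules, which this script does not enumerate, and a Defender setting managed by tamper protection or GPO may show its effective value only in Get-MpComputerStatus.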

Max90

Level 5
Thread author
Nov 9, 2022
210
Here is my super solid security setup using Microsoft Security only (okay, it is my hobby, so it would be a shame if I posted a weak setup).

I am running an all Microsoft setup with only three non Microsoft third-party programs (Macrium reflect free, Syncback free and SophosScanAndClean)

Using WDAC-Toolkit since Version 1, that is why this setup has been unchanged and stable since 2019. This is also the reason why I did not update Microsoft Security Baseline policies from 2019 (don't fix when it ain't broken). Recent updates were Windows 10 22H2, Macrium reflect 7 to 8 and Syncback 9 to 10. I am still on Office 2019 (not planning to move to office 365). The only other changes I made last three years were updating Edge hardened settings and use of extensions.

I have been running this quadruple whitelisting approach (ELAM, MAX, WDAC, SRP) on Standard User since 2019 and have no updating issues nor daily usage limitations, so unless there is a compelling reason to change, I will be keeping those four whitelist/deny layers until Windows 10 won't be supported anymore. Tips on browser extensions (Advertising and URL protection) are welcome, though, so feel free to post tips on advertising and malware blocking extensions.
 

Max90
Hi Max90,

Does a WDAC protected box allow Windows Update?
Yes, it works flawlessly when allowing Windows signed programs. Allow all Microsoft is a default profile you can select in the WDAC-toolkit. It is easy to select other (additional) signers. You can open a signed program and the WDAC toolkit reads all the details, next you can select the allow level (just like in AppLocker).
 

Max90
@Kongo I found it, thanks

I keep the dark mode extension because I sort of developed the habit to visit other websites while watching / waiting for new post answers on MT. Noticed that I am more online and dark mode is easier on the eyes.
 

Max90
Added AdGuard V4 again because Microsoft supports MV2 until January 2024 (link)

I used mostly AdGuard filters but was pointed to other filter lists thanks to @Jan Willy (y)
- Kees1958 addendum to Disconnect filters used by Edge and Firefox (link)
- Kees1958 tracking param filter (link)
- LennyFox videos (youtube) filter (link)
- LennyFox news websites (link)

User rules: Jan Willy's easy medium mode (link) denyallow=com|edu|eu|inf|io|ms|net|nl|org with 1 allow exception
@@*.uk.co/^$domain=bbc.com

(also Adguard DNS and Next DNS and OISD filters enabled on NextDNS)
 
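The user rules above rely on the `denyallow=` modifier: a broad rule such as "block third-party scripts" is applied to every request except those going to the listed domains, and a separate `@@` exception scoped with `$domain=` punches a hole for one site. The evaluator below is an added example (my code, not AdGuard's engine and not Jan Willy's rule list) that implements just enough of the filter syntax (`||` and `*` patterns, `^` separator, `$script`/`$frame` type options, `$third-party`, `$denyallow=`, `$domain=` and `@@` exceptions) to show how such a rule set decides, run over constructed requests. The rule list, hostnames and requests are constructed for the example, and the base-domain helper uses a two-entry stand-in for the public suffix list rather than the real one.

```javascript
// Added example: minimal evaluator for a subset of AdGuard/uBlock network-filter syntax.
// Constructed rule set in the spirit of an "easy medium mode": block third-party scripts and
// frames unless they come from one of the listed TLDs, plus one site-scoped exception.
const SAMPLE_RULES = [
  "*$script,third-party,denyallow=com|edu|eu|info|io|ms|net|nl|org",
  "*$frame,third-party,denyallow=com|edu|eu|info|io|ms|net|nl|org",
  "@@||bbci.co.uk^$domain=bbc.com",   // constructed exception: let bbc.com load its own CDN
];

// Tiny stand-in for the public suffix list (assumption: enough for the sample hosts below).
const TWO_LEVEL_SUFFIXES = new Set(["co.uk", "com.au"]);

function hostOf(url) { return new URL(url).hostname.toLowerCase(); }

// eTLD+1 of a host, so that static.files.bbci.co.uk and www.bbci.co.uk count as the same party.
function baseDomain(host) {
  const labels = host.split(".");
  if (labels.length >= 3 && TWO_LEVEL_SUFFIXES.has(labels.slice(-2).join("."))) return labels.slice(-3).join(".");
  return labels.slice(-2).join(".");
}

// "example.com" matches itself and any subdomain; "com" matches every .com host.
function domainMatches(host, d) { return host === d || host.endsWith("." + d); }

function parseRule(text) {
  let body = text.trim();
  const exception = body.startsWith("@@");
  if (exception) body = body.slice(2);
  const dollar = body.lastIndexOf("$");
  const pattern = dollar >= 0 ? body.slice(0, dollar) : body;
  const opts = dollar >= 0 ? body.slice(dollar + 1).split(",") : [];
  const rule = { text, exception, pattern, types: new Set(), thirdParty: null, denyallow: [], domains: [] };
  for (const o of opts) {
    if (o === "third-party" || o === "3p") rule.thirdParty = true;
    else if (o === "~third-party") rule.thirdParty = false;
    else if (o.startsWith("denyallow=")) rule.denyallow = o.slice("denyallow=".length).split("|");
    else if (o.startsWith("domain=")) rule.domains = o.slice("domain=".length).split("|");
    else rule.types.add(o);   // request type: script, frame, image, ...
  }
  return rule;
}

// Translate a filter pattern into a RegExp: "||" anchors at a (sub)domain boundary,
// "*" is a wildcard, "^" is a separator character or end of URL, everything else is literal.
function patternToRegex(p) {
  let re = "";
  let i = 0;
  if (p.startsWith("||")) { re += "^[a-z]+://([^/?#]+\\.)?"; i = 2; }
  else if (p.startsWith("|")) { re += "^"; i = 1; }
  for (; i < p.length; i++) {
    const c = p[i];
    if (c === "*") re += ".*";
    else if (c === "^") re += "(?:[^a-zA-Z0-9_.%-]|$)";
    else if (c === "|" && i === p.length - 1) re += "$";
    else re += c.replace(/[.+?()[\]{}\\\/|$]/g, "\\$&");
  }
  return new RegExp(re, "i");
}

// A rule applies only if every option agrees; denyallow removes listed destinations from its scope.
function ruleMatches(rule, req) {
  const host = hostOf(req.url);
  const src = req.sourceHost.toLowerCase();
  if (rule.types.size && !rule.types.has(req.type)) return false;
  const isThirdParty = baseDomain(host) !== baseDomain(src);
  if (rule.thirdParty !== null && rule.thirdParty !== isThirdParty) return false;
  if (rule.domains.length && !rule.domains.some((d) => domainMatches(src, d))) return false;
  if (rule.denyallow.some((d) => domainMatches(host, d))) return false;
  return patternToRegex(rule.pattern).test(req.url);
}

// Blocking rules decide first; a matching @@ exception overrides them (as in AdGuard and uBO).
function decide(rules, req) {
  const parsed = rules.map(parseRule);
  const blocked = parsed.filter((r) => !r.exception && ruleMatches(r, req));
  if (!blocked.length) return { action: "allow", rule: null };
  const exc = parsed.find((r) => r.exception && ruleMatches(r, req));
  return exc ? { action: "allow", rule: exc.text } : { action: "block", rule: blocked[0].text };
}

// Constructed sample requests: a third-party .xyz script (blocked), a .net CDN script (passes via
// denyallow), and bbc.com loading its own CDN on a .co.uk host (passes via the exception).
const SAMPLE_REQUESTS = [
  { url: "https://cdn.tracker.xyz/t.js", sourceHost: "news.example.nl", type: "script" },
  { url: "https://cdn.jsdelivr.net/lib.js", sourceHost: "news.example.nl", type: "script" },
  { url: "https://static.files.bbci.co.uk/app.js", sourceHost: "www.bbc.com", type: "script" },
];
for (const req of SAMPLE_REQUESTS) {
  const d = decide(SAMPLE_RULES, req);
  console.log(`${d.action.padEnd(5)} ${req.type.padEnd(6)} ${req.url} on ${req.sourceHost}` + (d.rule ? `  [${d.rule}]` : ""));
}
```

The point the evaluator makes explicit: `denyallow=` does not whitelist the listed domains, it only keeps the broad rule from applying to them, so a `.net` tracker still has to be caught by a conventional filter list or at DNS, which is why the post pairs these user rules with the Kees1958 and LennyFox lists and with NextDNS.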

Max90
@Jan Willy

Thanks for alerting me to this. It looks like I can omit the tracking servers list. 👍 Rule count dropped by 5000 rules :cool: to just over 2700.

I ran AG MV3 with NextDNS and Edge anti-tracking on STRICT with only User Rules. The problem with AG MV3 is that it does not (yet) have such an excellent logger as AG V4, which I am running now. I am getting used to AG more and more and I am actually finding AG's logger easier to use than uBO's logger (at least for my use of looking at cosmetic rules and checking the effectiveness of my own user rules). I am getting more and more convinced that DNS privacy filters are well suited for blocking trackers and advertisements (at least when using well curated filter lists like Next, AdGuard and OISD).
 

Max90
Pitched up my SRP from SWH-like behavior (allowing exe and msi, blocking all other risky file extensions) to a full default deny for standard user in user space

Thanks @Gandalf_The_Grey for posting this: Security News - Microsoft-signed malicious Windows drivers used in ransomware attacks

:) according to Microsoft I need to contact a support person for WDAC and my system administrator for SRP.
 

oldschool

Level 72
Verified
Top Poster
Well-known
Mar 29, 2018
6,130
Some serious redundancy going on with your latest addition, but complex to set up. WDAC just isn't user-friendly.

This is a nice addition: (y)(y)
Defender Exploit Protection code integrity enabled for Explorer, Svchost, Powershell,
:) according to Microsoft I need to contact a support person for WDAC and my system administrator for SRP.
:D:D:D
 

Max90
Some serious redundancy going on with your latest addition, but complex to set up. WDAC just isn't user-friendly.
They are different mechanisms, which kick in after each other.

User folders for standard user: WDAC allow Microsoft & Syncback + WD MAX cloud whitelist + SRP default deny in user space + Protected Folders cloud based write & delete whitelist
User folders for admin: WDAC allow Microsoft & Syncback + WD MAX cloud whitelist
UAC protected folders: WD MAX cloud whitelist

All Microsoft signed and Syncback update without problems. Windows updates without requiring admin elevation. I use my PC to work and relax, not for installing or trying out programs.

You can set WDAC to fall back to AUDIT mode in case of critical issues. While running in AUDIT mode you can use the output to add exclusions. For a whitelisting tool it is fairly user friendly. I don't want a whitelist solution communicating through a user-mode program to respond to blocks (and allow them). Such a tunnel between ring 3 and ring 0 kills the idea of rights segregation. But yes, whitelisting solutions are not user friendly by design.
 

Max90
After some URL testing (link), I decided on MBAM Browser Guard (reason). This is not because extension A is better than B, but because it is the most complementary with the other URL phishing/scam/malware filtering mechanisms I am already using. So I settled for this malware URL-filtering protection:
1. NextDNS with all security protections enabled and non-Latin character TLDs blocked (manually selected all Arabic, Chinese, Cyrillic and Hindi character TLDs from the list)
2. TrendMicro Web Reputation Service in my router
3. Microsoft SmartScreen enabled in Edge
4. MBAM Browser Guard with advertising protection disabled and suspicious TLD blocking enabled

After implementing the tips of JanWilly I am using the following filters
1. NextDNS with NextDNS, AdGuardDNS and OISD filters
2. Edge Anti-Tracking on STRICT
3. AdGuard V4 with
- Kees1958 addendum to Disconnect filters used by Edge and Firefox
- Kees1958 tracking param filter
- LennyFox videos (youtube) filter
- LennyFox news websites
- User rules as posted by JanWilly (easy Medium mode)

Thanks for all feedback and suggestions (y)
 

Max90
After daily malware URL testing for a week, comparing several malware block extensions and comparing the best extension with using no extension at all (only NextDNS, router and browser built-in), I noticed that it is really not making any difference, therefore, applying the Occam's Razor principle, I removed the URL malware filter extension in the browser. I also decided, after NextDNS ad filters blocked something, that it is easier to apply the old rule: block malware URLs at DNS and ads in the browser, and disabled the privacy filters in NextDNS. For the same reason (only having to disable AdGuard) I set Edge anti-tracking to default again.
 
