Advanced Plus Security Max90 Security Config 2023.

Last updated
Mar 24, 2023
How it's used?
For home and private use
OS (desktop)
Other operating system (see below)
Other operating system
Windows10 Pro with WDAC & SRP
On-device encryption
None
User sign-in
    • Biometrics, Windows Hello PIN, Apple TouchID
OS update
Automatically download and install system updates
User Access Control
Always notify
WiFi network firewall
Router firewall is On
About WiFi router
Home Care protection and QoS enabled. TP-Link tri-band router with the two 5 GHz channels separated for work and home use. The 2.4 GHz channel is for smartphones, with our IoT devices on the 2.4 GHz guest network with a lease time of 8 hours.
Malware protection
Microsoft Defender on MAX set through GPO (Zero Tolerance cloud protection, ASR-rules and Protected Folders enabled)
Firewall protection
Microsoft Defender Firewall for Windows 11 / 10
About custom security
1. Early Launch Anti Malware set to allow good only at startup
2. Enabled Integrity Guard for Office, Edge and often-attacked Windows medium Integrity Level system processes
3. WDAC for user folders with explicit allow for security, image and data backup and cleanup programs
4. Blocking LoLBins with Application Control, Exploit Protection and SRP
5. Software Restriction Policy in user folders for standard user
Periodic malware scanners
Monthly Windows Malicious Software Removal Tool, Norton Scan & Erase and SophosScanAndClean
Malware samples
I do not participate in malware testing.
Default browser & extensions
Edge hardened through registry (enabling sandboxes, reducing site permissions, disabling Microsoft annoyances and features as much as possible, forcing NextDNS over HTTPS)
Allowing (whitelisting) only two extensions: Blank New Tab and uBlock Origin, with the following filters:
- Kees1958 EU-US most used ad&tracking networks (third-party block)
- Kees1958 EU US most used URL tracking parameters
- LennyFox News websites without ads
- LennyFox Youtube without ads
Secure DNS
NextDNS with all security features enabled and extra blocking of non-Latin-character Top Level Domains. For privacy I enabled blocking of cloaked CNAMEs, added the OISD filter and enabled the option to allow affiliate tracking (to prevent Google search result links from getting blocked when clicked on).
VPN
Windscribe free 30GB
Password manager
None, from memory
Maintenance tools
Windows own Disk Cleanup and Wise Registry Cleaner
Personal backup
SyncBack FREE to a second HD (data is on SSD) and once a month to a USB disk. The ad hoc backup to the second HD is extra protected with NTFS file permissions only allowing standard users full access (most ransomware tries to get admin/system rights :) )
How often I backup?
Manually
Emergency recovery
Macrium Reflect free image backup
Risk factors
    • Browsing to popular websites
    • Working from home
    • Opening email attachments
    • Buying from online stores, entering banks card details
    • Logging into my bank account
    • Downloading software and files from reputable sites
    • Streaming audio/video content from trusted sites or paid subscriptions
Notable changes
Cleaned up and updated settings
What I'm looking for?

Looking for minimum feedback.

Max90

Level 8
Thread author
Nov 9, 2022
393
I liked MBAM Browser Guard, but went back to AdGuard MV2 again with the following filters
- Kees1958 EU US most used ads & trackers networks
- Kees1958 EU US most used URL trackers
- LennyFox Allow list for Dutch payment services
- LennyFox Youtube without ads
- LennyFox News websites without ads

and Jan Willy's easy-medium mode for AdGuard with an extra warning for Most Abused Top Level Domains (second rule with $document)
||*$third-party,script,subdocument,denyallow=NL|BE|DE|UK|EU|com|org|net|io
||*$document,domain=adult|porn|sex|sexy|xxx|webcam|cam|live|date|cyou|casino|poker|bet|best|win|racing|top|uno|support|help|email|stream|surf|site|work|review|info|review|icu|xyz|sbs|bid|moe|casa|club|rest|life|quest|gives|fit|monster|tokyo|asia|cn|ru|su|tk|pw|cc|ws|vg


Because of Jan Willy's rule, the third-party exposure surface is limited, which allows creating a simple strict warning ($document) rule for the most abused TLDs.
For trusted websites, just add a denyallow to the end of the second rule (e.g. ......pw|cc|vg,denyallow=hardware.info).


PS. I noticed Kees1958 has updated his lists again

Max90
Set all Edge security and anti-tracking to STRICT again, therefore installed uBlock Origin again (to see what Edge anti-tracking is missing).

uBlock Origin (cosmetic filtering off) with the following lists
- Kees1958 - EU US most used URL trackers (remove parameters from URL)
- LennyFox - News websites without ads (for these websites Cosmetic Filtering Enabled)
- LennyFox - Videos (like Youtube) without ads

My filter rule: ||*$third-party,script,frame,to=~NL|~BE|~DE|~UK|~com|~io|~net|~org
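The two rule styles in this thread (Jan Willy's AdGuard `||*$third-party,script,subdocument,denyallow=...` rule with the `$document` TLD-warning rule on top, and the uBlock Origin `||*$third-party,script,frame,to=~NL|...` rule) both express the same idea: block third-party scripts and frames unless the request goes to a TLD you consider low-risk. The following is an added example, not code from the thread or from AdGuard/uBlock; it is a deliberately simplified evaluator that models how those rules are meant to behave so you can see which constructed requests each rule would catch. Assumptions: the registrable domain is taken as the last two host labels (so public suffixes such as `co.uk` are not handled), a `$domain=` list on a `$document` rule is checked against the navigated-to host, a fully negated uBlock `to=~a|~b` list is treated like AdGuard's `denyallow`, and the TLD-warning list is shortened to a few entries from the thread.

```python
# Simplified model of the "block third-party scripts except on common TLDs"
# rules from the thread. Added example; models the intent of the rules,
# not the real AdGuard/uBlock Origin matching engines.
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    url_host: str   # host the request is sent to
    page_host: str  # host of the page issuing it (same as url_host for a navigation)
    rtype: str      # "script", "subdocument" / "frame", "image", "document", ...

KNOWN_TYPES = {"script", "subdocument", "frame", "document", "image",
               "stylesheet", "xmlhttprequest"}

# Rules quoted in the thread (the $document TLD list is shortened here).
JAN_WILLY_RULE = "||*$third-party,script,subdocument,denyallow=NL|BE|DE|UK|EU|com|org|net|io"
TLD_WARN_RULE = "||*$document,domain=adult|porn|sex|xxx|casino|top|info|xyz|icu|tk|pw|cc|vg"
TLD_WARN_TRUSTED = TLD_WARN_RULE + ",denyallow=hardware.info"   # trusted-site exception
UBO_RULE = "||*$third-party,script,frame,to=~NL|~BE|~DE|~UK|~com|~io|~net|~org"

def parse_rule(rule: str) -> dict:
    """Parse a '||*$opt,opt=a|b,...' match-all rule into its modifiers."""
    if not rule.startswith("||*$"):
        raise ValueError("only '||*$...' match-all rules are modelled here")
    opts = {"types": set(), "third_party": False, "denyallow": set(), "domain": set()}
    for opt in rule[len("||*$"):].split(","):
        name, _, value = opt.partition("=")
        values = [v.lower() for v in value.split("|") if v]
        if name == "third-party":
            opts["third_party"] = True
        elif name in KNOWN_TYPES:
            opts["types"].add("subdocument" if name == "frame" else name)
        elif name == "denyallow":
            opts["denyallow"].update(values)
        elif name == "to":
            # Assumption: uBlock 'to=~a|~b' with every entry negated behaves
            # like AdGuard's denyallow list.
            if not all(v.startswith("~") for v in values):
                raise ValueError("only fully negated 'to=' lists are modelled")
            opts["denyallow"].update(v[1:] for v in values)
        elif name == "domain":
            opts["domain"].update(values)
        else:
            raise ValueError(f"unsupported modifier: {name}")
    return opts

def host_matches(host: str, entry: str) -> bool:
    """True if entry equals the host, is a parent domain of it, or is its bare TLD."""
    host = host.lower()
    return host == entry or host.endswith("." + entry)

def registrable(host: str) -> str:
    # Simplification: last two labels; ignores multi-label public suffixes.
    return ".".join(host.lower().split(".")[-2:])

def is_third_party(req: Request) -> bool:
    return registrable(req.url_host) != registrable(req.page_host)

def rule_matches(rule: str, req: Request) -> bool:
    """Would this rule act (block or warn) on the given request?"""
    o = parse_rule(rule)
    rtype = "subdocument" if req.rtype == "frame" else req.rtype
    if o["third_party"] and not is_third_party(req):
        return False
    if o["types"] and rtype not in o["types"]:
        return False
    if any(host_matches(req.url_host, e) for e in o["denyallow"]):
        return False                      # exempted TLD or trusted site
    if o["domain"]:
        # Assumption: for a $document rule the list is checked against the
        # navigated-to host; otherwise against the issuing page.
        subject = req.url_host if rtype == "document" else req.page_host
        if not any(host_matches(subject, e) for e in o["domain"]):
            return False
    return True

def demo() -> dict:
    """Constructed requests run through each rule; returns rule -> outcome."""
    cases = {
        "3rd-party script from .xyz": (JAN_WILLY_RULE, Request("cdn.tracker.xyz", "example.nl", "script")),
        "3rd-party script from .com": (JAN_WILLY_RULE, Request("static.example.com", "example.nl", "script")),
        "1st-party script": (JAN_WILLY_RULE, Request("js.example.nl", "example.nl", "script")),
        "navigate to .top": (TLD_WARN_RULE, Request("promo.example.top", "promo.example.top", "document")),
        "navigate to trusted .info": (TLD_WARN_TRUSTED, Request("hardware.info", "hardware.info", "document")),
        "uBO frame from .de": (UBO_RULE, Request("cdn.example.de", "example.nl", "frame")),
    }
    return {name: rule_matches(rule, req) for name, (rule, req) in cases.items()}

if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{'BLOCK/WARN' if hit else 'allow     '}  {name}")
```

Running the block prints the constructed cases: the .xyz script and the .top navigation are caught, while the .com script, the first-party script, the trusted .info site (thanks to the appended denyallow) and the .de frame pass through, which is exactly the behaviour the thread relies on to keep site breakage low.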

Max90
Had some issues with website functionality breaking. Therefore set Edge anti-tracking and security back to basic and also removed all ad-blocking filters in NextDNS.

To keep the number of rules under 30,000 (not needed with MV2) I used a trick:
1. Disabled cosmetic filtering and deselected importing and applying cosmetic rules in filter lists.
2. Copied the LennyFox news websites and video (YouTube) filter lists into My Filters and enabled cosmetic filtering for all websites in My Filters.
3. Only using the following filter lists
- AdGuard URL parameter filter
- AdGuard optimized Base + EasyList advertising
- AdGuard optimized tracking protection

Total number of network rules 24,138 with 60 cosmetic rules

Max90
I'm enjoying using straight medium mode. For me, it's just easier to use instead of trying to find different combos of filter lists, rules, etc. But variety is the spice of life, eh? :cool:
(y) Do you have filters enabled with straight medium mode?

I have spent a lot of time tweaking and micromanaging my ad blocker; maybe it is time for a looser approach. Thanks for the wise words.

Max90
Could not sleep because I just returned from work abroad. I always seem to have more problems overcoming jet lag when flying eastward. On Saturday my wife goes shopping with her friends, so I made two image backups (of my desktop and her laptop) and did a fresh install of Windows 11 to see whether I could get Smart Application Control working on her laptop.

By tweaking the registry key I could force SAC on without problems. Because I had Avast Free on her laptop I decided to keep it, and I was also able to add H_C SRP to the mix (by setting the AppLocker rule count to zero). The only downside was that I could not run her favorite photobook software (unsigned DLLs blocked). So I reverted to the old image and decided to make a WDAC policy (using the Windows Defender Application Control Wizard and SpynetGirl's automated scripts for WDAC).

Now her Windows 11 laptop runs without SAC but with WDAC ISG (no dynamic code security), Avast Free (hardened) and SRP (SWH-like & some sponsors blocked); it seems to work well (y)
To keep an eye on this setup I changed my setup to be identical to hers, so I am temporarily on a different setup (with Microsoft Recommended Block rules in WDAC and additional sponsors blocked with SRP for the basic user, see spoiler).


Max90
Because I decided to more or less mirror my setup with my wife's Windows 11 laptop, I made my temporary setup my new setup (changed from Microsoft Defender to Avast Free and from strictly managed WDAC to loosely managed ISG). This meant I had to reduce Early Launch Anti-Malware protection from "good only" to "good and unknown" (since I am still using WDAC and Avast has its own rootkit scan on startup, it is no big deal).

I am running Edge with a hardened profile with anti-tracking on balanced and enhanced security on basic. For both options I have enabled STRICT mode for InPrivate browsing, so when I switch to InPrivate browsing, I automatically increase tracking and JavaScript protection.

EDIT: although I like Avast Free very much, I decided to change to F-Secure Safe, which I get as a rebranded Ziggo Safe-online from my ISP for free. Years ago I read somewhere that it was better to use different anti-virus solutions because the chance that they both miss a sample is smaller. After installing I realized that F-Secure uses Avira's signature database, so I think I changed for a dummy reason (since Avast and Avira both belong to Norton, my guess is that they share signatures).
