Basic Security Meltcheesedec Security Configuration 2018

[meltcheesedec]

Thanks to @Exterminator I am much happier using Macrium for backup/imaging -
Removed:
- 'System Image Backup Software:' = "Windows Built-in"
Added:
- 'System Image Backup Software:' = "Macrium Reflect Free and viBoot"

Thanks to @askalan I have an additional updating tool in my configuration -
Added:
- 'Frequently used System Utilities:' = "Patch My PC"

Google Safe Browsing is utilized OOTB in most commonly-used browsers, including the two I use (Firefox and Chrome); even though it is ubiquitous, I consider it an important layer in most of our security configurations, so I will state it explicitly -
Added:
- 'Browsers and Extensions:' = "FireFox (with Google Safe Browsing OOTB)"
- 'Browsers and Extensions:' = "Chrome (with Google Safe Browsing OOTB)"

I removed ScriptSafe/NoScript because I was only using a portion of their functionalities (in order to actually render most web pages), and feel comfortable with Adguard for Windows and the other layers in my security configuration -
Removed:
- 'Browsers and Extensions:' = "FireFox: ScriptSafe"
- 'Browsers and Extensions:' = "Chrome: NoScript"
- 'Content Blocker (Ads, Scripts, Trackers):' = "NoScript/ScriptSafe"

I removed TrafficLight because I feel comfortable with Adguard for Windows and the other layers in my security configuration -
Removed:
- 'Browsers and Extensions:' = "FireFox: TrafficLight"
- 'Browsers and Extensions:' = "Chrome: TrafficLight"

There has been much recent debate within the Adguard community concerning Adguard Assistant (userscript) vs. Adguard browser extension in integration mode - e.g.,
Adguard Assistant ,
Integration mode-only Assistant browser extension and
Move Adguard Assistant (Chrome)
. I've decided to revert to Adguard Assistant because of recent updates/improvements to this userscript, and my typical use case involving only rare requirements to turn off Adguard, at which point I turn it off at the Adguard for Windows (desktop app) level instead of at the browser level -
Removed:
- 'Browsers and Extensions:' = "FireFox: Adguard extension (integration mode)"
- 'Browsers and Extensions:' = "Chrome: Adguard extension (integration mode)"
Added:
- 'Browsers and Extensions:' = "FireFox: Adguard Assistant (userscript installed with OOTB Adguard for Windows desktop app)"
- 'Browsers and Extensions:' = "Chrome: Adguard Assistant (userscript installed with OOTB Adguard for Windows desktop app)"

Google Backup and Sync has replaced Google Drive and Google Photos -
Removed:
- 'Data Backup Software:' = "Files: Google Drive (Cloud)"
- 'Data Backup Software:' = "Photos/Videos: Google Photos (Cloud)"
Added:
- 'Data Backup Software:' = "Files (Google Drive) and Photos/Videos (Google Photos): Google Backup and Sync (Cloud)"

Thanks to @askalan , I -
Removed:
- 'Frequently used System Utilities:' = "f.lux"
Added:
- 'Frequently used System Utilities:' = "Night Light (Windows 10 Creators Update)"

@Umbra , @DeepWeb , @JM Security , @Exterminator @askalan : might you be interested in commenting on these changes?

 

[meltcheesedec]

Added:
Changed from
- Windows BitLocker
to
- Windows BitLocker (TPMAndPIN configured via manage-bde)

Added:
Changed from
- AppGuard Personal
to
- AppGuard Personal ('Protection Level' = "Locked Down"; configuration guided step-by-step via AppGuard; PM me for more info)

Removed:
- Click&Clean extension in Firefox & Chrome

@Umbra , @DeepWeb , @JM Security , @Exterminator , @askalan : might you be interested in commenting as to whether my configuration is secure as of 2018-02?

 

[JM Safe]

Yes, you have a good config.

You are protected.

 

[Syafiq]

Great config, very small chances of you to getting infected... almost none. Thanks for sharing your config

 

[meltcheesedec]

Thank you @JM Security and @Syafiq

 

[DeepWeb]

Looks secure. I just hope it's not too heavy on resources.

 

[meltcheesedec]

@DeepWeb : I'm probably biased, but my objective data seems to indicate that my current configuration uses fewer resources than any of my previous configurations (and is the most secure by far). Which of the products in my configuration do you feel use significant resources?

 

[shmu26]

Hi, you use Windows Defender and AppGuard in locked down mode, right?
Might be good to recheck with @Lockdown about it, because he has been talking about how to configure AppGuard for use with WD, and there might be some changes. Not sure if it impacts your version of Appguard or not.

 

[ForgottenSeer 69673]

Might be good to recheck with @Lockdown about it, because he has been talking about how to configure AppGuard for use with WD, and there might be some changes. Not sure if it impacts your version of Appguard or not.

I have not seen his posts on this. first time I heard of it.

 

[shmu26]

I have not seen his posts on this. first time I heard of it.

He doesn't post much on the open forums anymore.
The issue is that Windows Defender now runs from programdata, which is considered user space. So this gives rise to certain issues, the more subtle of which involve memory guard.
I don't want to get into details because
1 I don't understand all the issues well enough as they apply to the various Appguard protection levels
2 I am not sure which versions of AG they apply to

Maybe @Lockdown can clarify?

 

[ForgottenSeer 69673]

Maybe @Lockdown can clarify?

Yes that would be nice. I guess I have not noticed any blocks of WD files with version 4-4-6-1

 

[DeepWeb]

@DeepWeb : I'm probably biased, but my objective data seems to indicate that my current configuration uses fewer resources than any of my previous configurations (and is the most secure by far). Which of the products in my configuration do you feel use significant resources?

I mean if everything works well together with Windows Defender Antivirus, great news!

 

[shmu26]

Yes that would be nice. I guess I have not noticed any blocks of WD files with version 4-4-6-1

I assume you are talking about Windows 10 current version, right?

The trickier issue is the memory guard, because if WD processes are running from user space, by default they will be memory guarded, and that's not good for an AV.

If you are in standard mode, you will never see execution blocks for WD, because WD files are signed by microsoft.
If you are in locked down mode, and you have made the necessary exceptions to user space, you also will not see execution blocks.
But the memory guard issue remains.

 

[shmu26]

So allow me to correct myself: the memory guard issue applies only to protected mode, because in protected mode, WD is running from user space. Therefore, the user should do the following:
Trusted Publisher list > Microsoft > MemGuard > OFF

But in locked down mode, like @meltcheesedec has it, this is not necessary -- because the relevant WD processes are excluded from user space:
c:\programdata\microsoft\windows defender\platform\*\msmpeng.exe
c:\programdata\microsoft\windows defender\platform\*\mpcmdrun.exe
c:\programdata\microsoft\windows defender\platform\*\nissrv.exe
c:\programdata\microsoft\windows defender\platform\scans\mppayloaddata\mpengine.exe

So, @meltcheesedec , it turns out that it was a false alarm on my part, as you are in locked down mode. Sorry for hijacking your thread...

 

[ForgottenSeer 69673]

I also run in lockdown mode.

 

[shmu26]

I also run in lockdown mode.

Yeah, there is another way of doing it for locked down mode, but it is less secure: instead of excepting the relevant processes from user space, you can put them on the power apps list. That's the point I was unclear about. So it turns out that the power app method is not recommended.

 

[meltcheesedec]

@shmu26 , you are not hijacking my thread at all . This topic is important for those of us who use Windows Defender for antivirus and AppGuard for Software Restriction Policy.

Here is official communication I received from AppGuard Support regarding this issue you brought up (which merely restates what you wrote above):
"
Microsoft moved its Antimalware service and other protection services to User Space (ProgramData) in October 2017. Therefore the user needs to make some changes in their AppGuard policy.

Locked Down mode:

Add to User Space and set to NO

c:\programdata\microsoft\windows defender\platform\*\msmpeng.exe
c:\programdata\microsoft\windows defender\platform\*\mpcmdrun.exe
c:\programdata\microsoft\windows defender\platform\*\nissrv.exe
c:\programdata\microsoft\windows defender\platform\scans\mppayloaddata\mpengine.exe

Protected mode:

Trusted Publisher list > Microsoft > MemGuard > OFF
"

I follow this above guidance; and, I frankly built my entire AppGuard configuration in Locked Down mode via step-by-step guidance from AppGuard Support. As a result Windows Defender is a practically a minor-player, OOTB-With-Windows-OS afterthought in my security configuration ( SECURE - Meltcheesedec Security Configuration 2018 ).