Advanced Plus Security mkoundo laptop Security Config 2019

mkoundo · Jun 1, 2019

my security setup

oldschool · Jun 1, 2019

Advise using a standard user account. Nice, simple setup.

mkoundo · Jun 1, 2019

thanks oldschool, good suggestion.

i've been looking at using adguard dns which encrypts dns requests (currently using cloudflare 1.1.1.1). is this something you guys recommend?

oldschool · Jun 1, 2019

mkoundo said:
thanks oldschool, good suggestion.

i've been looking at using adguard dns which encrypts dns requests (currently using cloudflare 1.1.1.1). is this something you guys recommend?

I don't use one but probably a lot of members do. I wouldn't mind using OpenDNS here at home but can't with my ISP. There are some recent posts about Adguard DNS but you'll have to look for them. Sorry I can't offer more help.

blackice · Jun 1, 2019

I’ve used 1.1.1.1 with DNS over TLS and just straight without encryption. In my experience cloudflare is the best performing when using encryption.

JM Safe · Jun 3, 2019

Hello, good config.

Thanks for sharing.

mkoundo · Jun 3, 2019

Updated Config: User Account changed to Standard User with maximum UAC

mkoundo · Jun 9, 2019

Hi all, i'm contemplating using bitlocker on my laptop. it has two partitions: C: system drive and D: for data. From what i've read on the net, since i'm on win 10 home, i must use command line manage-bde. My laptop has tpm 2.0. I would like the boot up to be seamless with windows ie no additional password entry every time I start windows. From what i've read on the net, the commands i need are:

to check current status:
manage-bde -status

Add TPM key protector for each partition:
manage-bde -protectors -add c: -tpm
manage-bde -protectors -add d: -tpm

Add Recovery password in case i need to decrypt the partitions on another computer:
manage-bde -protectors -add c: -rp
manage-bde -protectors -add d: -rp

save recovery password:
manage-bde -protectors -get c:
manage-bde -protectors -get d:

Turn Bitlocker On with AES256 key and used space only encryption
manage-bde -on c: -em AES256 -used
manage-bde -on d: -em AES256 -used

To turn off:
manage-bde -off c:
manage-bde -off d:

In case of emergency, to unlock the drive using the recovery password:
manage-bde –unlock d: -recoverypassword 111111-222222-333333-444444-555555-666666-777777-888888

To pause protection, for example to update bios
manage-bde -protectors -disable c:
and then to re-enable:
manage-bde -protectors -enable c:

Is there anything I'm missing???

thanks

mkoundo · Oct 18, 2019

Latest update to my laptop:

Removed:

Ccleaner
Adwcleaner

Tweaked:

Avast tweaked to @Evjl's Rain Settings but left rootkit scans on boot activated (THANKS @Evjl's Rain)
Upgraded Aomei Backupper standard to pro (free license giveaway on MT - THANKS!)

Added:

NVT Syshardener @ default tweaks + a few more
Added @Evjl's Rain host file to silence avast
Macrium Reflect Free

everything running super smooth!

mkoundo · Oct 22, 2019

Latest update to my XPS13:

Removed:

Syshardener

Added:

Hard_Configurator [with @Andy Ful avast hardened profile & Firewall hardening]

mkoundo · Oct 25, 2019

hey all, question regarding hard_configurator [@Andy Ful avast hardened profile] and avast free [@Evjl's Rain Settings].

So since HC is blocking those extensions, do I still need them in avast.

It probably makes no difference but anyway,
thanks

oldschool · Oct 25, 2019

mkoundo said:
It probably makes no difference but anyway,

Correct.

ForgottenSeer 823865 · Oct 26, 2019

About bitlocker, i dont see the point of encrypting the system partition, it will cause huge issues in case of upgrading or other conditions.

What i recommend is moving your sensitive datas, those you want protect with bitlocker, to a non-system partition, and then bitlock this non-system partition. Then you system partition is safe and free to be modified while the non-system partition will be secured and never modified by an upgrade of the OS.

it is what i do. the only con, is if you have some cloud program requiring access to that partition they wont be able to reach it until it is unlocked. (which may also be a good thing lol)

mkoundo · Oct 27, 2019

Hi Umbra, thanks for the info.

Umbra said:
About bitlocker, i dont see the point of encrypting the system partition, it will cause huge issues in case of upgrading or other conditions.

What i recommend is moving your sensitive datas, those you want protect with bitlocker, to a non-system partition, and then bitlock this non-system partition. Then you system partition is safe and free to be modified while the non-system partition will be secured and never modified by an upgrade of the OS.

it is what i do. the only con, is if you have some cloud program requiring access to that partition they wont be able to reach it until it is unlocked. (which may also be a good thing lol)

Thales · Oct 27, 2019

Umbra said:
About bitlocker, i dont see the point of encrypting the system partition, it will cause huge issues in case of upgrading or other conditions.

What i recommend is moving your sensitive datas, those you want protect with bitlocker, to a non-system partition, and then bitlock this non-system partition. Then you system partition is safe and free to be modified while the non-system partition will be secured and never modified by an upgrade of the OS.

it is what i do. the only con, is if you have some cloud program requiring access to that partition they wont be able to reach it until it is unlocked. (which may also be a good thing lol)

Even if it is a laptop and easily accessible (but I am the only one who use it) by others? Because that is the issue in my case.
I work with money and always wanted to avoid evil maid attack scenario.

ForgottenSeer 823865 · Oct 27, 2019

Thales said:
Even if it is a laptop and easily accessible (but I am the only one who use it) by others? Because that is the issue in my case.
I work with money and always wanted to avoid evil maid attack scenario.

i also works with money, so:

1- when i leave my laptops, they are locked in my closet and the way i store them; i will know if someone has moved them. Old tricks always work.
2- i use an MS account.
3- i use a Pin.
4- i use biometrics (if available).
5- if point 1 seems to have been compromised, i check any sign in events during my absence on the logs.
6- I do serious banking in a dedicated VM, so i encrypt the VM , not my real system

So good luck to any Evil Maid LOL

mkoundo · Oct 27, 2019

All my financial records are encrypted with gpg. so for me bitlocker was a second layer (+ deleted files are bitlockered so can't be recovered).

Umbra said:
2- i use an MS account.

pardon my ignorance, but is this more secure than a local account?

Umbra said:
6- I do serious banking in a dedicated VM, so i encrypt the VM , not my real system

I'd be really interested to learn how exactly you do that.

thanks

ForgottenSeer 823865 · Oct 27, 2019

mkoundo said:
pardon my ignorance, but is this more secure than a local account?

yep, with a Local account, an attacker can remove/change the password protection.
With an MS account, your password is linked to an online account and the password can only be changed , not removed, for this the attacker need to login to your MS account (not easy to bypass ) where you smartly enabled 2FA (extremely difficult to bypass).

Andy Ful · Oct 30, 2019

mkoundo said:
...
Added:

Hard_Configurator [with @Andy Ful avast hardened profile & Firewall hardening]

It is a nice setup, but some precautions are needed.
This H_C setup assumes that all protection for EXE files is done by Avast!
It is suited for Avast set to Hardened Mode Aggressive, which checks any EXE file against Avast Whitelist Database in the cloud.
If you use another Avast setup, then you have to be cautious when running EXE files, especially from USB drives, flash drives, or EXE files in archives. The EXE files downloaded directly from the Internet should be protected by Avast CyberCapture feature (turned ON by default).
You can set the H_C <Run As SmartScreen> = Standard User, and then use "Run By SmartScreen" option in the right-click Explorer context menu to run (on demand) application installers or application updaters.

mkoundo · Oct 31, 2019

Hi Andy,

thanks for the advice. I can confirm that i have avast hardened mode aggressive and cybercapture turned on.

I'm still going through the examples in part 3 with simple test files to more fully appreciate the fundamentals of H_C. So far my computer has been running as expected.

Kudos on an excellent program.

p.s. the current H_C configuration disables microsoft office macros. What should I do to temporarily enable macros to run in my spreadsheets?

thanks again

Andy Ful said:
It is a nice setup, but some precautions are needed.
This H_C setup assumes that all protection for EXE files is done by Avast!
It is suited for Avast set to Hardened Mode Aggressive, which checks any EXE file against Avast Whitelist Database in the cloud.
If you use another Avast setup, then you have to be cautious when running EXE files, especially from USB drives, flash drives, or EXE files in archives. The EXE files downloaded directly from the Internet should be protected by Avast CyberCapture feature (turned ON by default).
You can set the H_C <Run As SmartScreen> = Standard User, and then use "Run By SmartScreen" option in the right-click Explorer context menu to run (on demand) application installers or application updaters.

Advanced Plus Security mkoundo laptop Security Config 2019

Level 8

Level 85

Level 8

Level 85

Level 39

Level 39

Level 8

Level 8

Level 8

Level 8

Level 8

Level 85

ForgottenSeer 823865

Level 8

Level 15

ForgottenSeer 823865

Level 8

ForgottenSeer 823865

From Hard_Configurator Tools

Level 8

Similar threads