SECURITY: Complete mkoundo laptop Security Config 2019

Last updated
Dec 25, 2019
Windows Edition
Home
Login security
    • Password (Aa-Zz, 0-9, Symbols)
Primary sign-in
Local account
Primary user
Standard user - Limited permissions
Security updates
Automatic - allow all types of updates
Windows UAC
Maximum - always notify
Real-time protection
Emsisoft Antimalware
Hard_Configurator [OS & firewall hardening]
Software firewall
Microsoft Defender Firewall
Custom RTP, Firewall and OS settings
Emsisoft [default]
Hard_Configurator [@Andy Ful recommended enhanced & recommended firewall hardening ]
Malware testing
No malware samples
Periodic security scanners
On demand scanners:
  • malwarebytes antimalware free
  • Hitman Pro free
Browsers, Search and Addons
Hardened Chrome
  • ublock origin in medium mode
chrome://flags

- Anonymize local IPs exposed by WebRTC.
- Extension Content Verification - Enforce Strict
- Reduce default 'referer' header granularity.
- Block scripts loaded via document.write
- TLS 1.3 hardening for local anchors
- Enable GPU AppContainer Lockdown.
- Treat risky downloads over insecure connections as active mixed content
- Strict-Origin-Isolation
- Show Safety Tip UI when visiting low-reputation websites
- Secure DNS lookups
- Password Leak Detection
Maintenance and Cleaning
  • gpg encryption
  • bandizip archiver
  • notepad++
Personal Files & Photos backup
  • macrium reflect free
Personal backup routine
Manual (maintained by self)
Device recovery & backup
macrium reflect free
Device backup routine
Manual (maintained by self)
PC activity
  1. Banking. 
  2. Browsing the web. 
  3. Streaming. 
  4. Browsing to unknown sites. 
  5. Working from home. 
Computer specs
Dell xps 13 9380
i5-8265U
UHD Graphics 620
8GB DDR3
256GB SSD

my phone:

oldschool

Level 59
Verified
Mar 29, 2018
4,888
> Thanks oldschool, good suggestion.
>
> I've been looking at using AdGuard DNS, which encrypts DNS requests (currently using Cloudflare 1.1.1.1). Is this something you guys recommend?
I don't use one but probably a lot of members do. I wouldn't mind using OpenDNS here at home but can't with my ISP. There are some recent posts about Adguard DNS but you'll have to look for them. Sorry I can't offer more help.
 

mkoundo

Level 5
Verified
Jul 21, 2017
235
Hi all, I'm contemplating using BitLocker on my laptop. It has two partitions: C: system drive and D: for data. From what I've read on the net, since I'm on Win 10 Home, I must use the command line tool manage-bde. My laptop has TPM 2.0. I would like the boot up to be seamless with Windows, i.e. no additional password entry every time I start Windows. From what I've read on the net, the commands I need are:

to check current status:
manage-bde -status

Add TPM key protector for the system partition (manage-bde only accepts a TPM protector on the OS volume, so none is added to D:):
manage-bde -protectors -add c: -tpm

Add recovery password in case I need to decrypt the partitions on another computer:
manage-bde -protectors -add c: -rp
manage-bde -protectors -add d: -rp

Save recovery password:
manage-bde -protectors -get c:
manage-bde -protectors -get d:

Turn BitLocker on with AES256 key and used space only encryption:
manage-bde -on c: -em AES256 -used
manage-bde -on d: -em AES256 -used

Let the data partition unlock automatically once the encrypted system partition has booted (run after both drives are encrypted):
manage-bde -autounlock -enable d:

To turn off:
manage-bde -off c:
manage-bde -off d:

In case of emergency, to unlock the drive using the recovery password:
manage-bde -unlock d: -recoverypassword 111111-222222-333333-444444-555555-666666-777777-888888


To pause protection, for example to update the BIOS:
manage-bde -protectors -disable c:
and then to re-enable:
manage-bde -protectors -enable c:


Is there anything I'm missing???

thanks
 
Reactions: Nevi and venustus
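As an added example (not from the thread), a PowerShell wrapper around manage-bde that checks the TPM, makes sure each volume has a recovery password saved off the laptop before protection is turned on, and reports the protection state of both drives. It assumes an elevated prompt, the Get-Tpm cmdlet that ships with Windows 10, and a hypothetical removable drive E: for the key backup.

```powershell
# Added example (not from the thread): pre-flight for the manage-bde procedure above.
# Assumes an elevated PowerShell session, manage-bde.exe on PATH, and that E:\ is a
# USB stick (hypothetical path) that is stored separately from the laptop.
$volumes   = 'C:', 'D:'
$backupDir = 'E:\bitlocker-keys'   # assumption: removable drive, never on C: or D:

function Get-RecoveryPasswords([string]$Volume) {
    # Parse the "Numerical Password" entries printed by: manage-bde -protectors -get <vol>
    $out = & manage-bde -protectors -get $Volume 2>&1 | Out-String
    [regex]::Matches($out, '\b\d{6}(?:-\d{6}){7}\b') | ForEach-Object { $_.Value }
}

function Get-ProtectionStatus([string]$Volume) {
    # "Protection Status: Protection On/Off" from: manage-bde -status <vol>
    $out = & manage-bde -status $Volume 2>&1 | Out-String
    if ($out -match 'Protection Status:\s*Protection (On|Off)') { return $Matches[1] }
    return 'Unknown'
}

# 1. The TPM protector on C: relies on a present, initialised TPM; stop if it is not ready.
$tpm = Get-Tpm   # TrustedPlatformModule module, included with Windows 10
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) { throw 'TPM not present or not ready' }

# 2. Every volume gets a recovery password, and it is written to the backup drive
#    before any "manage-bde -on" is run, so a failed boot never locks you out.
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
foreach ($v in $volumes) {
    $pw = Get-RecoveryPasswords $v
    if (-not $pw) {
        & manage-bde -protectors -add $v -rp | Out-Null
        $pw = Get-RecoveryPasswords $v
    }
    if (-not $pw) { throw "No recovery password on $v; not enabling encryption" }
    $file = Join-Path $backupDir ("recovery-" + $v.TrimEnd(':') + ".txt")
    $pw | Set-Content -Path $file
    Write-Host "$v recovery password saved to $file"
}

# 3. Report the protection state so both drives can be confirmed as protected afterwards
#    (the data drive stays 'Protection Off' until it is encrypted and auto-unlock is enabled).
foreach ($v in $volumes) { Write-Host ("{0} protection: {1}" -f $v, (Get-ProtectionStatus $v)) }
```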

mkoundo

Level 5
Verified
Jul 21, 2017
235
Latest update to my laptop:

Removed:
  • Ccleaner
  • Adwcleaner
Tweaked:
  • Avast tweaked to @Evjl's Rain Settings but left rootkit scans on boot activated (THANKS @Evjl's Rain)
  • Upgraded Aomei Backupper standard to pro (free license giveaway on MT - THANKS!)
Added:
  • NVT Syshardener @ default tweaks + a few more
  • Added @Evjl's Rain host file to silence avast
  • Macrium Reflect Free
everything running super smooth!

avast.png
 

mkoundo

Level 5
Verified
Jul 21, 2017
235
hey all, question regarding hard_configurator [@Andy Ful avast hardened profile] and avast free [@Evjl's Rain Settings].
gfONjZL.png
Untitled.png

So since HC is blocking those extensions, do I still need them in Avast?

It probably makes no difference but anyway,
thanks
 

ForgottenSeer 823865

About BitLocker, I don't see the point of encrypting the system partition; it will cause huge issues in case of upgrading or other conditions.

What I recommend is moving your sensitive data, those you want to protect with BitLocker, to a non-system partition, and then encrypting this non-system partition with BitLocker. Then your system partition is safe and free to be modified, while the non-system partition will be secured and never modified by an upgrade of the OS.

It is what I do. The only con is if you have some cloud program requiring access to that partition, it won't be able to reach it until it is unlocked (which may also be a good thing lol).
 

mkoundo

Level 5
Verified
Jul 21, 2017
235
Hi Umbra, thanks for the info. (y)(y)

> About BitLocker, I don't see the point of encrypting the system partition; it will cause huge issues in case of upgrading or other conditions.
>
> What I recommend is moving your sensitive data, those you want to protect with BitLocker, to a non-system partition, and then encrypting this non-system partition with BitLocker. Then your system partition is safe and free to be modified, while the non-system partition will be secured and never modified by an upgrade of the OS.
>
> It is what I do. The only con is if you have some cloud program requiring access to that partition, it won't be able to reach it until it is unlocked (which may also be a good thing lol).
 

Thales

Level 12
Nov 26, 2017
572
> About BitLocker, I don't see the point of encrypting the system partition; it will cause huge issues in case of upgrading or other conditions.
>
> What I recommend is moving your sensitive data, those you want to protect with BitLocker, to a non-system partition, and then encrypting this non-system partition with BitLocker. Then your system partition is safe and free to be modified, while the non-system partition will be secured and never modified by an upgrade of the OS.
>
> It is what I do. The only con is if you have some cloud program requiring access to that partition, it won't be able to reach it until it is unlocked (which may also be a good thing lol).

Even if it is a laptop and easily accessible by others (but I am the only one who uses it)? Because that is the issue in my case.
I work with money and always wanted to avoid the evil maid attack scenario.
 

ForgottenSeer 823865

> Even if it is a laptop and easily accessible by others (but I am the only one who uses it)? Because that is the issue in my case.
> I work with money and always wanted to avoid the evil maid attack scenario.

I also work with money, so:

1- When I leave my laptops, they are locked in my closet, and the way I store them, I will know if someone has moved them. Old tricks always work.
2- I use an MS account.
3- I use a PIN.
4- I use biometrics (if available).
5- If point 1 seems to have been compromised, I check any sign-in events during my absence in the logs.
6- I do serious banking in a dedicated VM, so I encrypt the VM, not my real system ;)

So good luck to any Evil Maid LOL
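As an added example (not part of the post), a PowerShell query for the sign-in check in point 5: it pulls logon, failed-logon, lock and unlock events from the Security log for a chosen absence window and drops the network/service noise. It assumes an elevated session and Windows' default logon auditing; $Start and $End are placeholders you adjust.

```powershell
# Added example, not from the thread: review console logons/unlocks during an absence.
# Assumes an elevated PowerShell session (reading the Security log needs admin rights)
# and Windows' default logon auditing. Adjust $Start/$End to the window you were away.
$Start = (Get-Date).AddHours(-8)   # placeholder: when you left the laptop
$End   = Get-Date                  # placeholder: when you came back

# 4624 = successful logon, 4625 = failed logon, 4800 = workstation locked, 4801 = unlocked
$filter = @{ LogName = 'Security'; Id = 4624, 4625, 4800, 4801; StartTime = $Start; EndTime = $End }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# Logon types that matter for an evil-maid check; 3 (network), 4 (batch), 5 (service) are noise.
$interesting = @{ '2' = 'Interactive'; '7' = 'Unlock'; '10' = 'RemoteInteractive'; '11' = 'CachedInteractive' }
$eventNames  = @{ 4624 = 'Logon'; 4625 = 'FailedLogon'; 4800 = 'Locked'; 4801 = 'Unlocked' }

$rows = foreach ($e in $events) {
    # Read the named fields from the event XML so nothing depends on the rendered message text.
    $data = @{}
    foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
    $type = $data['LogonType']
    if (($e.Id -in 4624, 4625) -and ($type -notin $interesting.Keys)) { continue }
    $typeName = if ($type) { $interesting[$type] } else { '' }
    $user     = if ($data['TargetUserName']) { $data['TargetUserName'] } else { $data['SubjectUserName'] }
    [pscustomobject]@{
        Time  = $e.TimeCreated
        Event = $eventNames[[int]$e.Id]
        Type  = $typeName
        User  = $user
    }
}

if ($rows) { $rows | Sort-Object Time | Format-Table -AutoSize }
else       { Write-Host "No console logon, failed logon, lock or unlock events between $Start and $End" }
```

Any Interactive or Unlock row inside the window that you did not cause yourself is the signal to treat the laptop as tampered with.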
 

mkoundo

Level 5
Verified
Jul 21, 2017
235
All my financial records are encrypted with GPG, so for me BitLocker was a second layer (+ deleted files are BitLockered so can't be recovered).

> 2- I use an MS account.

Pardon my ignorance, but is this more secure than a local account?

> 6- I do serious banking in a dedicated VM, so I encrypt the VM, not my real system

I'd be really interested to learn how exactly you do that.

thanks
 
Reactions: Nevi and venustus

ForgottenSeer 823865

> Pardon my ignorance, but is this more secure than a local account?

Yep, with a local account, an attacker can remove/change the password protection.
With an MS account, your password is linked to an online account and the password can only be changed, not removed; for this the attacker needs to log in to your MS account (not easy to bypass), where you smartly enabled 2FA (extremely difficult to bypass).
 

Andy Ful

Level 71
Verified
Trusted
Content Creator
Dec 23, 2014
6,029
> ...
> Added:
>   • Hard_Configurator [with @Andy Ful avast hardened profile & Firewall hardening]
It is a nice setup, but some precautions are needed.
This H_C setup assumes that all protection for EXE files is done by Avast!
It is suited for Avast set to Hardened Mode Aggressive, which checks any EXE file against Avast Whitelist Database in the cloud.
If you use another Avast setup, then you have to be cautious when running EXE files, especially from USB drives, flash drives, or EXE files in archives. The EXE files downloaded directly from the Internet should be protected by Avast CyberCapture feature (turned ON by default).
You can set the H_C <Run As SmartScreen> = Standard User, and then use "Run By SmartScreen" option in the right-click Explorer context menu to run (on demand) application installers or application updaters.(y)
 

mkoundo

Level 5
Verified
Jul 21, 2017
235
Hi Andy,

thanks for the advice. I can confirm that I have Avast Hardened Mode Aggressive and CyberCapture turned on.

I'm still going through the examples in part 3 with simple test files to more fully appreciate the fundamentals of H_C. So far my computer has been running as expected.

Kudos on an excellent program. (y) (y) (y)

p.s. the current H_C configuration disables Microsoft Office macros. What should I do to temporarily enable macros to run in my spreadsheets?

thanks again

> It is a nice setup, but some precautions are needed.
> This H_C setup assumes that all protection for EXE files is done by Avast!
> It is suited for Avast set to Hardened Mode Aggressive, which checks any EXE file against Avast Whitelist Database in the cloud.
> If you use another Avast setup, then you have to be cautious when running EXE files, especially from USB drives, flash drives, or EXE files in archives. The EXE files downloaded directly from the Internet should be protected by Avast CyberCapture feature (turned ON by default).
> You can set the H_C <Run As SmartScreen> = Standard User, and then use "Run By SmartScreen" option in the right-click Explorer context menu to run (on demand) application installers or application updaters.(y)
 