Recent changes
Dec 25, 2019
Windows Edition
Home
Sign-in account
Sign in with local account
Log-in security
    • Account password
    • Windows Hello PIN
    • Windows Hello Fingerprint
Account permissions
Standard account
Security updates
Automatically allow security and feature updates
Windows UAC
Always notify
Malware samples
No - Malware samples are not purposely downloaded
Real-time Malware protection
Emsisoft Antimalware
Hard_Configurator [OS & firewall hardening]
Firewall protection
Microsoft Defender Firewall
RTP configuration
Emsisoft [default]
Hard_Configurator [@Andy Ful recommended enhanced & recommended firewall hardening ]
Periodic scanners
On demand scanners:
  • malwarebytes antimalware free
  • Hitman Pro free
VPN and Privacy
  • avast secureline vpn
  • cloudflare 1.1.1.1
Browser(s) and Add-ons
Hardened Chrome
  • ublock origin in medium mode
chrome://flags

- Anonymize local IPs exposed by WebRTC.
- Extension Content Verification - Enforce Strict
- Reduce default 'referer' header granularity.
- Block scripts loaded via document.write
- TLS 1.3 hardening for local anchors
- Enable GPU AppContainer Lockdown.
- Treat risky downloads over insecure connections as active mixed content
- Strict-Origin-Isolation
- Show Safety Tip UI when visiting low-reputation websites
- Secure DNS lookups
- Password Leak Detection
Maintenance tools
  • gpg encryption
  • bandizip archiver
  • notepad++
Photos and Files backup
  • macrium reflect free
File backup schedule
Manually managed on a weekly basis
Backup and rollback
macrium reflect free
Backup schedule
Manually managed on a weekly basis
Activity usage
  1. Financial and sensitive documents
  2. Generic web browsing
  3. Streaming audio and video content from the Internet
  4. Downloading files from unfamiliar sites
  5. Working from home
Computer hardware
Dell xps 13 9380
i5-8265U
UHD Graphics 620
8GB DDR3
256GB SSD

my phone:

oldschool

Level 57
Verified
thanks oldschool, good suggestion.

i've been looking at using adguard dns which encrypts dns requests (currently using cloudflare 1.1.1.1). is this something you guys recommend?
I don't use one but probably a lot of members do. I wouldn't mind using OpenDNS here at home but can't with my ISP. There are some recent posts about Adguard DNS but you'll have to look for them. Sorry I can't offer more help.
 

mkoundo

Level 3
Verified
Hi all, i'm contemplating using bitlocker on my laptop. it has two partitions: C: system drive and D: for data. From what i've read on the net, since i'm on win 10 home, i must use command line manage-bde. My laptop has tpm 2.0. I would like the boot up to be seamless with windows ie no additional password entry every time I start windows. From what i've read on the net, the commands i need are:

to check current status:
manage-bde -status

Add TPM key protector for each partition:
manage-bde -protectors -add c: -tpm
manage-bde -protectors -add d: -tpm

Add Recovery password in case i need to decrypt the partitions on another computer:
manage-bde -protectors -add c: -rp
manage-bde -protectors -add d: -rp

save recovery password:
manage-bde -protectors -get c:
manage-bde -protectors -get d:

Turn Bitlocker On with AES256 key and used space only encryption
manage-bde -on c: -em AES256 -used
manage-bde -on d: -em AES256 -used

To turn off:
manage-bde -off c:
manage-bde -off d:

In case of emergency, to unlock the drive using the recovery password:
manage-bde –unlock d: -recoverypassword 111111-222222-333333-444444-555555-666666-777777-888888


To pause protection, for example to update bios
manage-bde -protectors -disable c:
and then to re-enable:
manage-bde -protectors -enable c:


Is there anything I'm missing???

thanks
 

mkoundo

Level 3
Verified
Latest update to my laptop:

Removed:
  • Ccleaner
  • Adwcleaner
Tweaked:
  • Avast tweaked to @Evjl's Rain Settings but left rootkit scans on boot activated (THANKS @Evjl's Rain)
  • Upgraded Aomei Backupper standard to pro (free license giveaway on MT - THANKS!)
Added:
  • NVT Syshardener @ default tweaks + a few more
  • Added @Evjl's Rain host file to silence avast
  • Macrium Reflect Free
everything running super smooth!

avast.png
 
F

ForgottenSeer 823865

About bitlocker, i dont see the point of encrypting the system partition, it will cause huge issues in case of upgrading or other conditions.

What i recommend is moving your sensitive datas, those you want protect with bitlocker, to a non-system partition, and then bitlock this non-system partition. Then you system partition is safe and free to be modified while the non-system partition will be secured and never modified by an upgrade of the OS.

it is what i do. the only con, is if you have some cloud program requiring access to that partition they wont be able to reach it until it is unlocked. (which may also be a good thing lol)
 

mkoundo

Level 3
Verified
Hi Umbra, thanks for the info. (y)(y)

About bitlocker, i dont see the point of encrypting the system partition, it will cause huge issues in case of upgrading or other conditions.

What i recommend is moving your sensitive datas, those you want protect with bitlocker, to a non-system partition, and then bitlock this non-system partition. Then you system partition is safe and free to be modified while the non-system partition will be secured and never modified by an upgrade of the OS.

it is what i do. the only con, is if you have some cloud program requiring access to that partition they wont be able to reach it until it is unlocked. (which may also be a good thing lol)
 

Thales

Level 9
About bitlocker, i dont see the point of encrypting the system partition, it will cause huge issues in case of upgrading or other conditions.

What i recommend is moving your sensitive datas, those you want protect with bitlocker, to a non-system partition, and then bitlock this non-system partition. Then you system partition is safe and free to be modified while the non-system partition will be secured and never modified by an upgrade of the OS.

it is what i do. the only con, is if you have some cloud program requiring access to that partition they wont be able to reach it until it is unlocked. (which may also be a good thing lol)

Even if it is a laptop and easily accessible (but I am the only one who use it) by others? Because that is the issue in my case.
I work with money and always wanted to avoid evil maid attack scenario.
 
F

ForgottenSeer 823865

Even if it is a laptop and easily accessible (but I am the only one who use it) by others? Because that is the issue in my case.
I work with money and always wanted to avoid evil maid attack scenario.
i also works with money, so:

1- when i leave my laptops, they are locked in my closet and the way i store them; i will know if someone has moved them. Old tricks always work.
2- i use an MS account.
3- i use a Pin.
4- i use biometrics (if available).
5- if point 1 seems to have been compromised, i check any sign in events during my absence on the logs.
6- I do serious banking in a dedicated VM, so i encrypt the VM , not my real system ;)

So good luck to any Evil Maid LOL
 

mkoundo

Level 3
Verified
All my financial records are encrypted with gpg. so for me bitlocker was a second layer (+ deleted files are bitlockered so can't be recovered).

2- i use an MS account.

pardon my ignorance, but is this more secure than a local account?

6- I do serious banking in a dedicated VM, so i encrypt the VM , not my real system

I'd be really interested to learn how exactly you do that.

thanks
 
F

ForgottenSeer 823865

pardon my ignorance, but is this more secure than a local account?
yep, with a Local account, an attacker can remove/change the password protection.
With an MS account, your password is linked to an online account and the password can only be changed , not removed, for this the attacker need to login to your MS account (not easy to bypass ) where you smartly enabled 2FA (extremely difficult to bypass).
 

Andy Ful

Level 65
Verified
Trusted
Content Creator
...
Added:
  • Hard_Configurator [with @Andy Ful avast hardened profile & Firewall hardening]
It is a nice setup, but some precautions are needed.
This H_C setup assumes that all protection for EXE files is done by Avast!
It is suited for Avast set to Hardened Mode Aggressive, which checks any EXE file against Avast Whitelist Database in the cloud.
If you use another Avast setup, then you have to be cautious when running EXE files, especially from USB drives, flash drives, or EXE files in archives. The EXE files downloaded directly from the Internet should be protected by Avast CyberCapture feature (turned ON by default).
You can set the H_C <Run As SmartScreen> = Standard User, and then use "Run By SmartScreen" option in the right-click Explorer context menu to run (on demand) application installers or application updaters.(y)
 

mkoundo

Level 3
Verified
Hi Andy,

thanks for the advice. I can confirm that i have avast hardened mode aggressive and cybercapture turned on.

I'm still going through the examples in part 3 with simple test files to more fully appreciate the fundamentals of H_C. So far my computer has been running as expected.

Kudos on an excellent program. (y) (y) (y)

p.s. the current H_C configuration disables microsoft office macros. What should I do to temporarily enable macros to run in my spreadsheets?

thanks again

It is a nice setup, but some precautions are needed.
This H_C setup assumes that all protection for EXE files is done by Avast!
It is suited for Avast set to Hardened Mode Aggressive, which checks any EXE file against Avast Whitelist Database in the cloud.
If you use another Avast setup, then you have to be cautious when running EXE files, especially from USB drives, flash drives, or EXE files in archives. The EXE files downloaded directly from the Internet should be protected by Avast CyberCapture feature (turned ON by default).
You can set the H_C <Run As SmartScreen> = Standard User, and then use "Run By SmartScreen" option in the right-click Explorer context menu to run (on demand) application installers or application updaters.(y)
 
Last edited: