Advanced Plus Security mkoundo laptop Security Config 2019

Last updated
Dec 25, 2019
Windows Edition
Home
Log-in security
Security updates
Allow security updates and latest features
User Access Control
Always notify
Real-time security
Emsisoft Antimalware
Hard_Configurator [OS & firewall hardening]
Firewall security
Microsoft Defender Firewall
About custom security
Emsisoft [default]
Hard_Configurator [@Andy Ful recommended enhanced & recommended firewall hardening ]
Periodic malware scanners
On demand scanners:
  • malwarebytes antimalware free
  • Hitman Pro free
Malware sample testing
I do not participate in malware testing
Browser(s) and extensions
Hardened Chrome
  • ublock origin in medium mode
chrome://flags

- Anonymize local IPs exposed by WebRTC.
- Extension Content Verification - Enforce Strict
- Reduce default 'referer' header granularity.
- Block scripts loaded via document.write
- TLS 1.3 hardening for local anchors
- Enable GPU AppContainer Lockdown.
- Treat risky downloads over insecure connections as active mixed content
- Strict-Origin-Isolation
- Show Safety Tip UI when visiting low-reputation websites
- Secure DNS lookups
- Password Leak Detection
Maintenance tools
  • gpg encryption
  • bandizip archiver
  • notepad++
File and Photo backup
  • macrium reflect free
System recovery
macrium reflect free
Risk factors
    • Logging into my bank account
    • Browsing to popular websites
    • Streaming audio/video content from shady sites
    • Browsing to unknown / untrusted / shady sites
    • Working from home
Computer specs
Dell xps 13 9380
i5-8265U
UHD Graphics 620
8GB DDR3
256GB SSD

my phone:

oldschool

Level 81
Verified
Top Poster
Well-known
Mar 29, 2018
7,044
thanks oldschool, good suggestion.

i've been looking at using adguard dns which encrypts dns requests (currently using cloudflare 1.1.1.1). is this something you guys recommend?
I don't use one but probably a lot of members do. I wouldn't mind using OpenDNS here at home but can't with my ISP. There are some recent posts about Adguard DNS but you'll have to look for them. Sorry I can't offer more help.
 

mkoundo

Level 8
Thread author
Verified
Well-known
Jul 21, 2017
358
Hi all, i'm contemplating using bitlocker on my laptop. it has two partitions: C: system drive and D: for data. From what i've read on the net, since i'm on win 10 home, i must use command line manage-bde. My laptop has tpm 2.0. I would like the boot up to be seamless with windows ie no additional password entry every time I start windows. From what i've read on the net, the commands i need are:

to check current status:
manage-bde -status

Add TPM key protector for each partition:
manage-bde -protectors -add c: -tpm
manage-bde -protectors -add d: -tpm

Add Recovery password in case i need to decrypt the partitions on another computer:
manage-bde -protectors -add c: -rp
manage-bde -protectors -add d: -rp

save recovery password:
manage-bde -protectors -get c:
manage-bde -protectors -get d:

Turn Bitlocker On with AES256 key and used space only encryption
manage-bde -on c: -em AES256 -used
manage-bde -on d: -em AES256 -used

To turn off:
manage-bde -off c:
manage-bde -off d:

In case of emergency, to unlock the drive using the recovery password:
manage-bde –unlock d: -recoverypassword 111111-222222-333333-444444-555555-666666-777777-888888


To pause protection, for example to update bios
manage-bde -protectors -disable c:
and then to re-enable:
manage-bde -protectors -enable c:


Is there anything I'm missing???

thanks
 
  • Like
Reactions: Nevi and Venustus

mkoundo

Level 8
Thread author
Verified
Well-known
Jul 21, 2017
358
Latest update to my laptop:

Removed:
  • Ccleaner
  • Adwcleaner
Tweaked:
  • Avast tweaked to @Evjl's Rain Settings but left rootkit scans on boot activated (THANKS @Evjl's Rain)
  • Upgraded Aomei Backupper standard to pro (free license giveaway on MT - THANKS!)
Added:
  • NVT Syshardener @ default tweaks + a few more
  • Added @Evjl's Rain host file to silence avast
  • Macrium Reflect Free
everything running super smooth!

avast.png
 

mkoundo

Level 8
Thread author
Verified
Well-known
Jul 21, 2017
358
hey all, question regarding hard_configurator [@Andy Ful avast hardened profile] and avast free [@Evjl's Rain Settings].
gfONjZL.png
Untitled.png

So since HC is blocking those extensions, do I still need them in avast.

It probably makes no difference but anyway,
thanks
 
F

ForgottenSeer 823865

About bitlocker, i dont see the point of encrypting the system partition, it will cause huge issues in case of upgrading or other conditions.

What i recommend is moving your sensitive datas, those you want protect with bitlocker, to a non-system partition, and then bitlock this non-system partition. Then you system partition is safe and free to be modified while the non-system partition will be secured and never modified by an upgrade of the OS.

it is what i do. the only con, is if you have some cloud program requiring access to that partition they wont be able to reach it until it is unlocked. (which may also be a good thing lol)
 

mkoundo

Level 8
Thread author
Verified
Well-known
Jul 21, 2017
358
Hi Umbra, thanks for the info. (y)(y)

About bitlocker, i dont see the point of encrypting the system partition, it will cause huge issues in case of upgrading or other conditions.

What i recommend is moving your sensitive datas, those you want protect with bitlocker, to a non-system partition, and then bitlock this non-system partition. Then you system partition is safe and free to be modified while the non-system partition will be secured and never modified by an upgrade of the OS.

it is what i do. the only con, is if you have some cloud program requiring access to that partition they wont be able to reach it until it is unlocked. (which may also be a good thing lol)
 

Thales

Level 15
Verified
Top Poster
Well-known
Nov 26, 2017
708
About bitlocker, i dont see the point of encrypting the system partition, it will cause huge issues in case of upgrading or other conditions.

What i recommend is moving your sensitive datas, those you want protect with bitlocker, to a non-system partition, and then bitlock this non-system partition. Then you system partition is safe and free to be modified while the non-system partition will be secured and never modified by an upgrade of the OS.

it is what i do. the only con, is if you have some cloud program requiring access to that partition they wont be able to reach it until it is unlocked. (which may also be a good thing lol)

Even if it is a laptop and easily accessible (but I am the only one who use it) by others? Because that is the issue in my case.
I work with money and always wanted to avoid evil maid attack scenario.
 
F

ForgottenSeer 823865

Even if it is a laptop and easily accessible (but I am the only one who use it) by others? Because that is the issue in my case.
I work with money and always wanted to avoid evil maid attack scenario.
i also works with money, so:

1- when i leave my laptops, they are locked in my closet and the way i store them; i will know if someone has moved them. Old tricks always work.
2- i use an MS account.
3- i use a Pin.
4- i use biometrics (if available).
5- if point 1 seems to have been compromised, i check any sign in events during my absence on the logs.
6- I do serious banking in a dedicated VM, so i encrypt the VM , not my real system ;)

So good luck to any Evil Maid LOL
 

mkoundo

Level 8
Thread author
Verified
Well-known
Jul 21, 2017
358
All my financial records are encrypted with gpg. so for me bitlocker was a second layer (+ deleted files are bitlockered so can't be recovered).

2- i use an MS account.

pardon my ignorance, but is this more secure than a local account?

6- I do serious banking in a dedicated VM, so i encrypt the VM , not my real system

I'd be really interested to learn how exactly you do that.

thanks
 
  • Like
Reactions: Nevi and Venustus
F

ForgottenSeer 823865

pardon my ignorance, but is this more secure than a local account?
yep, with a Local account, an attacker can remove/change the password protection.
With an MS account, your password is linked to an online account and the password can only be changed , not removed, for this the attacker need to login to your MS account (not easy to bypass ) where you smartly enabled 2FA (extremely difficult to bypass).
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
...
Added:
  • Hard_Configurator [with @Andy Ful avast hardened profile & Firewall hardening]
It is a nice setup, but some precautions are needed.
This H_C setup assumes that all protection for EXE files is done by Avast!
It is suited for Avast set to Hardened Mode Aggressive, which checks any EXE file against Avast Whitelist Database in the cloud.
If you use another Avast setup, then you have to be cautious when running EXE files, especially from USB drives, flash drives, or EXE files in archives. The EXE files downloaded directly from the Internet should be protected by Avast CyberCapture feature (turned ON by default).
You can set the H_C <Run As SmartScreen> = Standard User, and then use "Run By SmartScreen" option in the right-click Explorer context menu to run (on demand) application installers or application updaters.(y)
 

mkoundo

Level 8
Thread author
Verified
Well-known
Jul 21, 2017
358
Hi Andy,

thanks for the advice. I can confirm that i have avast hardened mode aggressive and cybercapture turned on.

I'm still going through the examples in part 3 with simple test files to more fully appreciate the fundamentals of H_C. So far my computer has been running as expected.

Kudos on an excellent program. (y) (y) (y)

p.s. the current H_C configuration disables microsoft office macros. What should I do to temporarily enable macros to run in my spreadsheets?

thanks again

It is a nice setup, but some precautions are needed.
This H_C setup assumes that all protection for EXE files is done by Avast!
It is suited for Avast set to Hardened Mode Aggressive, which checks any EXE file against Avast Whitelist Database in the cloud.
If you use another Avast setup, then you have to be cautious when running EXE files, especially from USB drives, flash drives, or EXE files in archives. The EXE files downloaded directly from the Internet should be protected by Avast CyberCapture feature (turned ON by default).
You can set the H_C <Run As SmartScreen> = Standard User, and then use "Run By SmartScreen" option in the right-click Explorer context menu to run (on demand) application installers or application updaters.(y)
 
Last edited:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top