Advanced Plus Security Moonhorse's Security Config 2019

Last updated
Nov 18, 2019
Windows Edition
Home
Log-in security
Security updates
Allow security updates and latest features
User Access Control
Always notify
Real-time security
Sophos home premium FREE
Comodo firewall
Firewall security
About custom security
Comodo firewall on internet security config
Periodic malware scanners
Emsisoft emergency kit
Malwarebytes adwcleaner
Malware sample testing
I do not participate in malware testing
Browser(s) and extensions
Firefox stable channel (70.0.1 currently)

Extensions:
- Ublock origin
- Bitwarden
- Bitdefender trafficlight

About:config
- network.trr.mode = 2
- media.peerconnection.enabled = false
- security.secure_connection_icon_color_gray = false
- security.identityblock.show_extended_validation = true
Maintenance tools
Geek uninstaller
File and Photo backup
External drive
System recovery
Aomei backupper Free
Risk factors
    • Gaming
    • Logging into my bank account
    • Browsing to popular websites
    • Streaming audio/video content from shady sites
Computer specs
Asus m5A97
AMD FX-6300 @ 3.8ghz
MSI GTX-970
HDD 1TB
8GT Kingston Ram, @1600Hz

Moonhorse

Level 38
Thread author
Verified
Top Poster
Content Creator
Well-known
May 29, 2018
2,728
24.4.2019 several config changes
New products highlighted

Realtime protection:
-Windows defender ( controlled folder protection enabled)
-Configure defender ( high settings)
-Runbysmartscreen
-Documents anti-exploit
-appcheck antiransomware free

I wanted to have anti-exploit for chrome and documents are only protected so I went with appcheck, which is very lite, around 4mb idle usage. Free doesn't protect office


on-demand scanners

-Malwarebytes free
-Adwcleaner
-Zemana free 3.0
-Roguekiller

Google chrome:
  • Nano adblocker
  • Nano defender
  • Blocksi (block unrated, block all ''sketchy domains'')
  • Https everywhere ( encrypt all sites (Ease) ) Thought first this is completely useless to have, but since i use it with TOR, i have found it needed
  • Netcraft
  • Bitwarden
Chrome flags enabled:
  • block downloads over insecure connections
  • Anonymize WebRTC
  • Disable smooth scrolling
  • Enable GPU appcontainer lockdown
  • Enable appcontainer lockdown
  • TLS 1.3 downgrade hardening
  • NoState Prefetch
  • Parallel downloading
  • Mark non-secure origins as non-secure
  • PDF Isolation
  • Enable lazy image loading
  • Enable lazy frame loading
DNS: Cleanbrowsing ( has servers on eu ) Neustar has in USA

System cleanup tools : Privazer
 

Moonhorse

I have updated my config (who would have believed?) once again, because I wanted to test @imuade's recommendations over comodo firewall

I have swapped from windows defender + cf combo to Comodo antivirus
Pictures added on config, hips enabled and container configured to default block
 

Moonhorse

30.4.2019 ...literally wanted to swap back to windows defender because of edge browser + application guard, since I'm planning to use microsoft edge + windows defender after may update

Realtime protection:
- windows defender
- hard_configurator on recommended settings
- configure defender on high settings
- controlled folder access enabled
- application guard applied to microsoft edge canary

Browsers and Extensions:
Microsoft edge canary;
- Smartadblocker
- Noscript
- Https everywhere (ease)
- Bitwarden

Web Privacy
Chrome flags enabled:
  • block downloads over insecure connections
  • Anonymize WebRTC
  • Disable smooth scrolling
  • Enable GPU appcontainer lockdown
  • Enable appcontainer lockdown
  • TLS 1.3 downgrade hardening
  • NoState Prefetch
  • Parallel downloading
  • Mark non-secure origins as non-secure
  • PDF Isolation
Search engine swapped to duckduckgo, since it won't censor searches like google does

Something notable:
- lazy image
- lazy frame
://flags caused some sites to be completely un-usable

Edit 1: did change from edge canary to edge developer, due no need to whitelist with H_C like in canary
 

Moonhorse

15.5.2019

I'm back to comodo antivirus; block mode

Notable changes:
Microsoft edge developer as mainbrowser. My extension list is huge but has everything covered

Comodo antivirus in block mode ( after first boot WD was on, should i disable it manually? )

DNS changed to Verisign DNS
 

Moonhorse

Alright sorry for spam, i kinda rushed ( as always)

I moved back to chrome, due some ://flags

I moved to ublock origin in medium mode as @oldschool suggested on forums / this thread . The computer is family pc, but im whitelisting important sites manually

I have added pictures of blocksi + comodo rules

I have updated chrome ::/flags
 

oldschool

Level 85
Verified
Top Poster
Well-known
Mar 29, 2018
7,623
so ublock origin + bitwarden and forget the privacy paranoia? :oops:

I was thinking something like: Your choice of adblocker + privacy ext.(like Trace) + Bitwarden

You can replace HTTPS Everywhere with browser settings @ Javascript: BLOCKED, ALLOW only HTTPS://* (compliments of @Windows_Security!)

Less extensions = less attack surface. (y)
 

Moonhorse

22.5.2019

Updated to windows 1903, without issues

To avoid any antivirus issues I'm staying with windows defender, but decided to add configuredefender on high settings

- tampering protection enabled (new feature); controlled folder access is enabled as well.
- Appcheck anti-ransomware free as filler (I like the gui and it has anti-exploit)
- documents anti-exploit by andy, since appcheck requires pro version for office

Using system built-in tools for defragging and manually clearing chrome histories etc for now
I know my extension list is still the same, but I think that's fine as I need them and overall they cover everything
 

Moonhorse

25.5.2019

- Added comodo firewall ( cruelsisters settings)

As well as the previous extensions I used in google chrome:
- trace
- Https everywhere

- Comodo secure dns; provided by neustar

- Bleachbit, since it will not touch registry
 

Moonhorse

26.6.2019

Did some config changes

tldr;

+Kaspersky Free antivirus
+Appcheck anti-ransomware free
+Documents antiexploit by andys, because appcheck doesn't protect office
+Run by smartscreen - from andy

+ edge canary as mainbrowser
- ublock origin
- bitwarden

+ updated ''password'' as sign-in protection
+ did remove chrome::/flags that didn't exist on canary anymore
 

Moonhorse

Did complete swap on my config . 12.7.2019

Realtime protection:
- AVG antivirus free; heuristic on high, pup defense mode enabled
- Comodo firewall; cruelsister settings


Mozilla firefox;
- Ublock origin
- Netcraft
- Bitwarden password manager
- Https Everywhere (strict mode)

About:config;
- media.peerconnection.enabled = FALSE
- security.tls.version.min = 3
- privacy.resistFingerprinting = TRUE
- network.trr.mode = 2, because of cloudflare DNS

and CCleaner as system utility
 

Moonhorse

I lasted a day with buggy comodo firewall, so I reverted back to config which really works
small tldr;

Realtime protection:
- Kaspersky Free Antivirus
- OSArmor
- Windows security settings > browsers & extensions, > exploit protection for msedge.exe= code integrity guard.

Microsoft edge developer;
- Ublock origin
- Bitwarden

chrome :/flags;
Smooth Scrolling - disabled
GPU rasterization - enabled
Enable AppContainer Lockdown - enabled
TLS 1.3 downgrade hardening - enabled
Parallel downloading - enabled
Mark non-secure origins as non-secure - mark as actively dangerous
Simplify HTTPS indicator UI - disabled
Enable GPU AppContainer Lockdown. - enabled
PDF Isolation - enabled
Enable lazy image loading - enabled
Enable lazy frame loading - enabled
Block unsafe downloads over insecure connections - enabled
Limit Media Autoplay - enabled
Microsoft Edge tracking prevention - enabled =strict

DNS = verisign
Default search engine = Bing

System utilities:
- geek uninstaller
- process explorer

sorry for spam
 

Moonhorse

Been over month since i got rid of kaspersky cloud av free,

Updated current setup as its 10.9.2019

Tldr; windows defender + ransomware protection from controlled folder access + sandbox enabled for WD
edge developer browser has , :/flags updated + extensions
 

Moonhorse

Update 25.9.2019

realtime protection:
- Kaspersky security cloud free ( default settings)
- Comodo firewall ( cs settings)

Edge canary new flags added:
- Microsoft Defender SmartScreen PUA support - enabled

- Secure DNS lookups - enabled
= dnscrypt for cloudflare DNS





I think kaspersky web-filter without extension + smartscreen of microsoft edge play together well enough i can save some browser speed/memory usage since i dont need extensions, except ublock origin + bitwarden
 

Moonhorse

10.10.2019

- removed OSA

+ added syshardener ( max settings, everything enabled )
+ added appcheck anti-ransomware free, protecting browsers + MBR
 