Advanced Security Morro Security Config 2024

Last updated
Feb 26, 2024
How it's used?
For home and private use
Operating system
Windows 11
On-device encryption
BitLocker Device Encryption for Windows
Log-in security
    • Biometrics (Windows Hello PIN, TouchID, Face, Iris, Fingerprint)
    • Basic account password (insecure)
Security updates
Allow security updates and latest features
Update channels
Allow stable updates only
User Access Control
Always notify
Smart App Control
On
Network firewall
Disabled
Real-time security
Microsoft Defender
Firewall security
Microsoft Defender Firewall
About custom security
Periodic malware scanners
* On demand scanners: MS Safety Scanner - Norton Power Eraser - EEK.
Malware sample testing
I do not participate in malware testing
Environment for malware testing
N/A
Browser(s) and extensions
Brave - Main
Waterfox: Secondary

- uBlock Origin in Medium Mode
- SafeToOpen Online Security
- Bitwarden
- Popup Blocker (Strict)
- Dark Reader

Exploit settings:

Block low integrity images - ON
Block remote images - ON
Block untrusted fonts - ON
Control flow guard (CFG) - ON
Data execution prevention (DEP) - ON + Enable thunk emulation - CHECKED
Disable extension points - ON
Force randomization for images (Mandatory ASLR) - ON + Do not allow stripped images - CHECKED
Randomize memory allocations (Bottom-up ASLR) - ON
Validate exception chains (SEHOP) - ON
Validate handle usage - ON
Validate heap integrity - ON
Validate image dependency integrity - ON

about:config tweaks (Some were already set.)

- network.dns.echconfig.enabled = true
- network.dns.use_https_rr_as_altsvc = true
- pdfjs.enableScripting = false
- browser.send_pings = false (Was already set to false?)
- plugin.scan.plid.all = false
- browser.urlbar.speculativeConnect.enabled = false
- dom.event.clipboardevents.enabled = false
- dom.webnotifications.enabled = false
- browser.urlbar.groupLabels.enabled = false
- media.navigator.enabled = false
- media.peerconnection.enabled = false
- network.prefetch-next = false
- beacon.enabled = false
- network.IDN_show_punycode = true
- geo.enabled = false
- browser.cache.offline.enable = false
- browser.newtabpage.activity-stream.feeds.telemetry = false
- browser.ping-centre.telemetry = false
- browser.tabs.crashReporting.sendReport = false
- toolkit.telemetry.enabled = false
- toolkit.telemetry.server (URL removed)
- toolkit.telemetry.unified = false
- extensions.pocket.enabled = false
- security.ssl.require_safe_negotiation = true
Secure DNS
Cloudflare WARP.
Desktop VPN
None
Password manager
Brave: Bitwarden
Waterfox: Bitwarden
Maintenance tools
* Windows own tools.
* Wise Diskcleaner.
* WingetUI
File and Photo backup
OneDrive.
Active subscriptions
    • None
System recovery
* Aomei Backupper Pro.
* External Hard Drive.
Risk factors
    • Browsing to popular websites
    • Opening email attachments
    • Downloading software and files from reputable sites
    • Gaming
Computer specs
* Operating System: Windows 11 Pro
* Motherboard: B560 ATX Wi-Fi / 1200 Socket (ATX)
* Processor: Intel i9 11900K - 8 cores - 16 threads - 3,5 GHz (Turbo 5,3 GHz)
* CPU Cooler: Master Liquid 240mm RGB(Active.) Air Cooling. (Passive.)
* SSD: 1TB M2.0 NVMe (Read: 3500MB/s, Write: 2700MB/s)
* External 5 TB WD Elements 25A3 USB Device
* RAM: RGB 32GB DDR4-3200 MHz (2x 16GB)
* Graphics card: Nvidia RTX 4060 8GB
* AOC Q27G2S - QHD IPS 165Hz Gaming Monitor - 27 Inch
* Outer casing: Sharkoon REV100
* Power: 750Watt - 80Plus GOLD
* Lan: Realtek 2.5 Gbps
* Sound: Realtek ALC892
* USB: 11 ports (Of different kinds.)
What I'm looking for?

Looking for medium feedback.

Morro

Level 16
Thread author
Verified
Top Poster
Well-known
Jul 8, 2012
791
I switched browsers from MS Edge to Google Chrome, reason for that is that I was finally sick and tired that Edge somehow lost all my bookmarks and that some how the synched bookmarks where from over two months ago? :(

For the rest not much has changed, most has staid the same as by the end of last years Security Config. Only the Browser and the daily scan from MS Defender has changed as far as I remember at the moment. ( If I remember something else I will let you all know. :D )
 

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,505
If you are running Windows 11 22H2 with a clean install or performed a reset Simple Windows Hardening doesn't work completely because of issues with SRP:
The current build of Windows 11 ver. 22H2 (clean installation) is not fully compatible with SWH. The SRP settings in SWH will work well if Windows has been upgraded from Windows 10 or updated from version 21H2 (or from the prior version). Unfortunately, SRP does not currently work on clean installations of Windows 11 ver. 22H2. See my post:
Question - Simple Windows Hardening

Do you use an adblocker?
Highly recommended:
 

Morro

Level 16
Thread author
Verified
Top Poster
Well-known
Jul 8, 2012
791
Network router Firewall: OFF 🤔

No add-ons in browsers?

VPN? Secure DNS?

Thanks for sharing :)

See I knew I had forgotten something. :)

* As for the Network router Firewall: OFF... well the router I have is from my IP Provider ZIggo is an old one, and it has no FIrewall. And they told me that it is still working perfectly so I am not getting a new one that does have a Firewall?

* I do not use a VPN, but I do use NextDNS through YogaDNS. Guess I should add that to the Custom security section.

* Add-ons in Chrome...

- AdGuard-adblocker
- Bitwarden
- Bookmark Backup ( Because of what happened in Edge. )
- Dark Reader
- Enhancer for Youtube
- Popup my Bookmarks. ( I find it a very handy add-on. )
- Reddit Enhancement Suite
- Video Downloader by ODM. ( I find it a very handy add-on. )


@Gandalf_The_Grey

* Yeah I do use Adguard adblocker in Google Chrome and in NextDNS I use OISD and AdGuard Mobile Ads filter. ( For my Samsung? )

* I updated to Windows 11 through Windows 10 update function, so would that be okay then for Simple Windows Hardening?
 

Morro

Level 16
Thread author
Verified
Top Poster
Well-known
Jul 8, 2012
791
I can finally use BitDefender Total Security, and I switched one of my on-demand scanners to Sophos Scan And Clean, which seems to be pretty nice.

Also now that I have the Firewall from BitDefender, can I keep the settings from Firewall Hardening?
 

Morro

Level 16
Thread author
Verified
Top Poster
Well-known
Jul 8, 2012
791
Despite comfortable with Chrome nowadays I decided to give Firefox a go as the main browser for a while, who knows I might start liking it. I had to look at some one elses Firefox configuration to set mine, so thanks for mentioning those settings in your own security config Kongo. :) ( I used what I understood, and left those out that I did not know if I needed them. )

All the plugins and settings are mentioned in the setup on the top. Also a few days ago I started trying out a different filter list in NextDNS. I was using OISD+Adguard DNS Filter but I am trying out HaGeZi - Multi ULTIMATE now the past few days. I only had one website that would not load at first, but after putting it in the Allowed list from NextDNS it loaded as always. Looks like a really good list, we will see overtime.

I also switched out Bleachbit for Wise Diskcleaner.

Also a question, since I use NextDNS systemwide I assume I do not have to set NextDNS in Firefox?
 

Morro

Level 16
Thread author
Verified
Top Poster
Well-known
Jul 8, 2012
791
Okay, for a few personal reasons I decided to remove BitDefender Total Security. Not because I think it is bad, no way that I will say that. I just have a few personal
reasons for it, reasons I will not Discuss. :)

So I installed the new version from Kaspersky Free, no longer called Security Cloud Free apparently, and finally it can be set to Dark theme. I combined it with Portmaster Firewall, now that it finally can be set to use NextDNS. ( It was the only thing holding me back from using it before. :) ) I am curious to see how Portmaster is for me. Also I replaced the BitDefender Tracking protecting extension with Kaspersky Protection.
 

Morro

Level 16
Thread author
Verified
Top Poster
Well-known
Jul 8, 2012
791
I am done with third party Anti Virus software, they are either full with stuff that I no longer want to see in an AV, or cause slowdowns... and even paid AV seem to come with build in nags to buy extra stuff and other nagging things. :rolleyes:

So I am using Microsoft Defender now that I setup with the Recommended settings from Defender UI, which I have used in the past so I knew I would like it. And I also installed "Run by smartscreen" from Andy Ful. I was thinking about Hard configurator ( The new Beta version. ) and use from it what I want, but I am no expert so I have no idea if anything in Hard Configurator would conflict with Portmaster Firewall. I doubt it, but still if any one knows let me know here please.

I am curious if a noob like me can still improve things a bit more about my Desktops security.
 

Moonhorse

Level 37
Verified
Top Poster
Content Creator
Well-known
May 29, 2018
2,602
I am done with third party Anti Virus software, they are either full with stuff that I no longer want to see in an AV, or cause slowdowns... and even paid AV seem to come with build in nags to buy extra stuff and other nagging things. :rolleyes:

So I am using Microsoft Defender now that I setup with the Recommended settings from Defender UI, which I have used in the past so I knew I would like it. And I also installed "Run by smartscreen" from Andy Ful. I was thinking about Hard configurator ( The new Beta version. ) and use from it what I want, but I am no expert so I have no idea if anything in Hard Configurator would conflict with Portmaster Firewall. I doubt it, but still if any one knows let me know here please.

I am curious if a noob like me can still improve things a bit more about my Desktops security.
This is exactly why im using default defender nowadays, less is better and less hassle ( just my opinion nowadays after being paranoid about my security)

Sure those tools to configure defender or harden windows are neat, but do you really need them? maybe not...
 

Morro

Level 16
Thread author
Verified
Top Poster
Well-known
Jul 8, 2012
791
Yeah maybe not, I mean I already use Defender UI which is very similar to configure defender, and I already use Firewall Hardening and Run by Smartscreen from Andy Ful.
 

Morro

Level 16
Thread author
Verified
Top Poster
Well-known
Jul 8, 2012
791
* Removed Kaspersky extension from browser.
* Removed Sophos on demand scanner.

* Replaced Sophos on demand scanner with Kaspersky Virus Removal Tool.
* Changed search engine from DDG to Qwant. (I like it better than DDG.)
 

Morro

Level 16
Thread author
Verified
Top Poster
Well-known
Jul 8, 2012
791
* I just had to change my block list in NextDNS from HaGeZi Multi Ultimate to HaGeZi Multi Pro.

I started noticing that for instance certain buttons on websites no longer worked, and after changing to HaGeZi Multi Pro they did, problem solved. :)
 

Morro

Level 16
Thread author
Verified
Top Poster
Well-known
Jul 8, 2012
791
Removed DefenderUI and made these changes.

* Hard_Configurator v6.1.1.1 with H_C recommended settings
* Firewall Hardening with recommended settings plus lolbins
* Simple Windows Hardening is set by Hard_Configurator v6.1.1.1
* Configure Defender set to HIGH mode.

I had to Whitelist Steam due to SRP, but that was easy.
 

Morro

Level 16
Thread author
Verified
Top Poster
Well-known
Jul 8, 2012
791
Right now, I wish I had the nerve to hit myself, because of how dumb it was of me with changing DNS server last week.

In another thread I made last week, I mentioned I thought that NextDNS and Portmaster work somewhat a like, and that it explained why I had many red blocked entries in Portmaster for NextDNS. Well this afternoon I discovered by chance why that was happening. When I first added the NextDNS setting in Portmaster, I had copied the line needed from a guide, and I simply pasted it into Portmaster. And then I later discovered the blocked entries for NextDNS, and after a short while switched to CLoudflare with malware blocking.

And now I get to the dumb part from me... when I copy/pasted the setting, I did not change the NextDNS ID in that line to my own ID. It was still containing the demo ID, so yeah, of course it would cause problems I guess. :oops: Now that I changed the ID to mine, it is working as intended, so sorry, but I have obviously switched back to NextDNS as my DNS service.
 

Morro

Level 16
Thread author
Verified
Top Poster
Well-known
Jul 8, 2012
791
Changed from Configure Defender to DefenderUI Pro. First activated the Recommended settings, and then
under "Defender Guard - DefenderUI Pro Settings" activated the fourth setting "Dynamic Security Postures".

It is really nice that DefenderUI Pro contains a Lite version of Voodoo Shield. :)
 

Attachments

  • DefenderUIPro settings.jpg
    DefenderUIPro settings.jpg
    72 KB · Views: 80

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top