SECURITY: Complete oldschool's 2020 laptop setup

Last updated: Dec 12, 2020
About: Personal, primary device
Desktop OS: Windows 10
Login security:
    • Password (Aa-Zz, 0-9, Symbols)
Primary sign-in: Local account
Primary user: Standard user - Limited permissions
Security updates: Automatic - allow all types of updates
Windows UAC: Maximum - always notify
Real-time protection: AVG Internet Security v. 20.10.3157
Software firewall: Microsoft Defender Firewall
Custom RTP, Firewall and OS settings: Default settings + Hardened Mode
Malware testing: No malware samples
Periodic security scanners: Hitman Pro (paid)
Browsers, Search and Addons:
    • Brave/Brave Nightly --> Brave Shields + ClearURLs + LocalCDN
    • Edge Chromium --> Strict Tracking Protection + ClearURLs + LocalCDN
Maintenance and Cleaning: Windows built-in
Personal Files & Photos backup: Copy/Paste --> Free Agent drive
Personal backup routine
Device recovery & backup:
    • Aomei Backupper Pro --> image monthly or as needed
    • System protection --> restore points as needed @ app or data changes
Device backup routine
PC activity:
  1. Browsing the web.
  2. Browsing to unknown sites.
  3. Working from home.
  4. Multimedia.
  5. Streaming.
Computer specs: Lenovo L340 i3 8145U CPU @ 2.10 GHz 2.300 GHz 8GB DDR4 RAM 1 TB HDD
Personal changelog:
5/3/20 --> Removed Bitdefender and back to Windows Defender --> Updated RunBySmartscreen
May 2020 ---> various small changes
3 June, 2020 --> updated to W10 2004
7 June 2020 --> rolled back to 1909
23 August 2020 --> Added LocalCDN to browsers
27 August 2020 --> Removed µBO in Edge
31 August 2020 --> Removed Bitdefender Free
--------------------> Reverted to Windows Defender
--------------------> Removed Trafficlight and added Malwarebytes Browser Guard
7 September 2020 --> Removed Malwarebytes Browser Guard
Later in September --> Enabled Google SafeBrowsing in Brave

SeriousHoax

Level 36
Verified
Mar 16, 2019
2,589
Have you find
I will try this challenge. I have WD+ Configure Defender. I'll uninstall SpyShelter Premium and join your club! I feel so brave!
Here's your certificate. Now you're officially brave 😎
brave.png
 

Andy Ful

Level 71
Verified
Trusted
Content Creator
Dec 23, 2014
6,035
oldschool,
The RunBySmartScreen tool can be used to open any new/untrusted file, so the user cannot be fooled by a spoofed file extension. If he/she thinks that the file is a photo, then it will not be opened (via RunBySmartScreen) when it is a script with a photo icon. But, I am not sure if it is a common way of using RunBySmartScreen. What do you think?
 

oldschool

Level 60
Verified
Mar 29, 2018
4,905
oldschool,
The RunBySmartScreen tool can be used to open any new/untrusted file, so the user cannot be fooled by a spoofed file extension. If he/she thinks that the file is a photo, then it will not be opened (via RunBySmartScreen) when it is a script with a photo icon. But, I am not sure if it is a common way of using RunBySmartScreen. What do you think?

I'm not sure if it's a common way to use it either. I've only used it for installers myself so far.
 

Andy Ful

Level 71
Verified
Trusted
Content Creator
Dec 23, 2014
6,035
I'm not sure if it's a common way to use it either. I've only used it for installers myself so far.
Ha, ha. It seems that most users apply only one half of RunBySmartScreen. :)
RunBySmartScreen works like on-demand "SRP + Forced SmartScreen" (although it does not use SRP). So, when the user opens a file by pressing Enter or the left-mouse-click, the file is opened normally. When he/she uses the right-mouse-click and chooses RunBySmartScreen, the file opening is restricted and the alert is displayed (for unsafe files). In this way, the user can apply two security setups by simply choosing between normal file opening and opening it via the right-mouse-click RunBySmartScreen entry.
If you open a document from a flash drive in MS Office or Adobe Reader, then it will not be opened in Protected View. If you do it via RunBySmartScreen, then the MOTW is added and MS Office or Adobe Reader will open the document in Protected View (as if it was downloaded by the web browser).

MT members usually pay attention to file extensions and do not open files with unsafe or unknown extensions. So, they can use only one half of RunBySmartScreen. :)
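The MOTW mentioned in the post above is stored as an NTFS alternate data stream named Zone.Identifier, and the following added example (not part of the thread and not RunBySmartScreen's own code) shows how to read and set it from PowerShell. The function names Get-Motw and Set-Motw and the sample file are hypothetical; the file is assumed to sit on an NTFS volume, since FAT32/exFAT flash drives cannot hold the stream.

```powershell
# Added example: inspect and set the Mark of the Web (MOTW) on a file.
# The mark lives in the alternate data stream "Zone.Identifier"; ZoneId=3 is
# the Internet zone, which is what Office checks before using Protected View.

function Get-Motw {
    # Hypothetical helper: returns the ZoneId as an integer, or $null if unmarked.
    param([Parameter(Mandatory)][string]$Path)
    $stream = Get-Item -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }
    $text = Get-Content -LiteralPath $Path -Stream 'Zone.Identifier' -Raw
    if ($text -match 'ZoneId=(\d)') { return [int]$Matches[1] }
    return $null
}

function Set-Motw {
    # Hypothetical helper: marks the file as coming from the Internet zone.
    param([Parameter(Mandatory)][string]$Path)
    Set-Content -LiteralPath $Path -Stream 'Zone.Identifier' -Value '[ZoneTransfer]', 'ZoneId=3'
}

# Constructed sample file standing in for a document copied from a flash drive.
$doc = Join-Path $env:TEMP 'motw-demo.docx'
Set-Content -LiteralPath $doc -Value 'constructed sample, not a real document'

"Before marking: ZoneId = $(Get-Motw $doc)"
Set-Motw $doc
"After marking:  ZoneId = $(Get-Motw $doc)"

Remove-Item -LiteralPath $doc
```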

oldschool

Level 60
Verified
Mar 29, 2018
4,905
Exploit Protection settings for browsers (thanks to @Umbra). These haven't broken anything yet, e.g. extensions crashing.

- for Brave, Edge and Firefox:

Block low integrity images - ON
Block remote images - ON
Block untrusted fonts - ON
Control flow guard (CFG) - ON
Data execution prevention (DEP) - ON + Enable thunk emulation - CHECKED
Disable extension points - ON
Force randomization for images (Mandatory ASLR) - ON + Do not allow stripped images - CHECKED
Randomize memory allocations (Bottom-up ASLR) - ON
Validate exception chains (SEHOP) - ON
Validate handle usage - ON
Validate heap integrity - ON
Validate image dependency integrity - ON

ADD for Edge Chromium only:

Code integrity guard - ON (with or without Also allow images signed by M$ Store CHECKED)

Parsh

Level 25
Verified
Trusted
Malware Hunter
Dec 27, 2016
1,483
Exploit Protection settings for browsers (thanks to @Umbra). These haven't broken anything yet, e.g. extensions crashing.

- for Brave, Edge and Firefox:
Block low integrity images - ON
Block remote images - ON
Block untrusted fonts - ON
Control flow guard (CFG) - ON
Data execution prevention (DEP) - ON + Enable thunk emulation - CHECKED
Disable extension points - ON
Force randomization for images (Mandatory ASLR) - ON + Do not allow stripped images - CHECKED
Randomize memory allocations (Bottom-up ASLR) - ON
Validate exception chains (SEHOP) - ON
Validate handle usage - ON
Validate heap integrity - ON
Validate image dependency integrity - ON

ADD for Edge Chromium only:
Code integrity guard - ON (with or without Also allow images signed by M$ Store CHECKED)
Exactly mine :) These settings were the most practical without breaking the Chromium browser. Helpful to an extent to avoid common exploit techniques.
I just could not enable 'Code Integrity Guard' as it messed up ESET's protection.
A chrome-specific DLL eplgChrome.dll and the Safe Banking monitoring DLL are signed by ESET itself. Hence blocked, raising multiple error dialog boxes every time.
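The Exploit Protection settings listed in this thread can also be applied from an elevated PowerShell session, shown here as an added example that is not code from any poster. The image names brave.exe, msedge.exe and firefox.exe are assumptions about the installed browsers, and Code integrity guard is first enabled in audit mode so that third-party DLL conflicts like the ESET one reported above show up in the event log rather than as error dialogs.

```powershell
# Added example: per-program Exploit Protection via Set-ProcessMitigation.
# Run elevated. Comments give the matching label from the Windows Security UI.
$common = @(
    'BlockLowLabelImageLoads',              # Block low integrity images
    'BlockRemoteImageLoads',                # Block remote images
    'DisableNonSystemFonts',                # Block untrusted fonts
    'CFG',                                  # Control flow guard (CFG)
    'DEP', 'EmulateAtlThunks',              # DEP + Enable thunk emulation
    'DisableExtensionPoints',               # Disable extension points
    'ForceRelocateImages', 'RequireInfo',   # Mandatory ASLR + Do not allow stripped images
    'BottomUp',                             # Randomize memory allocations (Bottom-up ASLR)
    'SEHOP',                                # Validate exception chains (SEHOP)
    'StrictHandle',                         # Validate handle usage
    'TerminateOnError',                     # Validate heap integrity
    'EnforceModuleDependencySigning'        # Validate image dependency integrity
)

# Assumed image names for Brave, Edge Chromium and Firefox.
$browsers = 'brave.exe', 'msedge.exe', 'firefox.exe'

foreach ($exe in $browsers) {
    Set-ProcessMitigation -Name $exe -Enable $common
}

# Edge only: Code integrity guard, audit mode first. Non-Microsoft DLLs that
# would be blocked (for example a security product's browser module) are
# logged instead of refused.
Set-ProcessMitigation -Name 'msedge.exe' -Enable AuditMicrosoftSigned

# Once the audit log is clean, switch to enforcement. The second option is the
# "Also allow images signed by Microsoft Store" checkbox.
# Set-ProcessMitigation -Name 'msedge.exe' -Enable MicrosoftSignedOnly, AllowStoreSignedBinaries

# Show the resulting per-program policy for each browser.
foreach ($exe in $browsers) {
    Get-ProcessMitigation -Name $exe
}

# Review recent mitigation audit/block events after using the browser for a while.
Get-WinEvent -LogName 'Microsoft-Windows-Security-Mitigations/Kernel Mode' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

The settings take effect the next time each browser process starts.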