Advanced Security oldschool's 2023 surfing laptop configuration

Last updated
Mar 21, 2023
How it's used?
For home and private use
OS (desktop)
Windows 11
Other operating system
Home
On-device encryption
None
User sign-in
    • Biometrics, Windows Hello PIN, Apple TouchID
OS update
Allow security updates
User Access Control
Always notify
Smart App Control
On
WiFi network firewall
Router firewall is On
Malware protection
Microsoft Defender | Block all unknown executables | Enabled file hash computation | Platform & signature updates @ Beta channel
ASR rules:

  • Block JS/VBS from launching downloaded executable content
  • Block execution of potentially obfuscated scripts
  • Block credential stealing from the Windows local security authority subsystem (lsass.exe)
  • Block executable content from email client and webmail
  • Block process creations originating from PSExec and WMI commands
  • Use advanced protection from ransomware
  • Block persistence through WMI event subscription
Controlled Folder Access
added folders:
  • C:\ProgramData\Microsoft\Windows\Start Menu
  • C:\Users\oldschool\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch
  • C:\Users\oldschool\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
Firewall protection
Microsoft Defender Firewall for Windows 11 / 10
About custom security
Smart App Control enabled manually with no issues.
Custom exploit protection | All system settings ON
RunBySmartscreen
Periodic malware scanners
EEK | KVRT
Malware samples
I do not participate in malware testing.
Default browser & extensions
Chrome | µBO @ Medium mode | Emsisoft Browser Security | search.disroot.org | Chrome flags
Other browsers & extensions
Firefox Strict Tracking Protection & Total Cookie Protection | µBO | Emsisoft Browser Security | search.disroot.org
Edge µBO | Strict tracking protection | search.disroot.org | Edge settings | Edge flags
Secure DNS
NextDNS
VPN
None
Password manager
Security keys
None
Maintenance tools
Windows built-in
Personal backup
Copy/Paste
How often I backup?
Manually
Emergency recovery
Windows built-in | Aomei Backupper Pro Lifetime
Risk factors
    • Browsing to popular websites
    • Opening email attachments
    • Buying from online stores, entering bank card details
    • Downloading software and files from reputable sites
    • Streaming audio/video content from trusted sites or paid subscriptions
    • Streaming audio/video content from shady sites
Computer specs
Lenovo L340 Intel(R) Core(TM) i3-8145U CPU @ 2.10GHz 2.30 GHz 8.00 GB RAM 1TB HDD
Notable changes
22-12-5 Reverted to MS Defender.
23-1-21 Refreshed Windows with SAC in evaluation mode.
23-2-2 Clean Windows installation
23-2-18 SAC user-enabled on
27-2-23 Added Chrome for the lack of 'feature' bloat.
28-2-23 Changed default browser to Chrome
21-3-23 Changed Quad9 to NextDNS
What I'm looking for?

Looking for minimum feedback.

Max90

Level 8
Nov 9, 2022
380
@oldschool you knew I would be tempted to try JShelter when you asked me 😉 so I installed it and tried to figure out what it does. Using recommended with network boundary shield and fingerprint detector ON are the settings advised by the author(s) of this project. I tried three websites, Ikea.com, YouTube and CNN, and the FingerPrint Detector warning did reflect the degree of fingerprinting of these websites (I had read it somewhere, don't have the link anymore, but the warning level fitted what I thought I had read about those websites).


oldschool

Level 74
Thread author
Verified
Top Poster
Well-known
Mar 29, 2018
6,395
you knew I would be tempted to try JShelter when you asked me 😉 so I installed it and tried to figure out what it does. Using recommended with network boundary shield and fingerprint detector ON are the settings advised by the author(s) of this project...

Because the wrapping comes with the cost of performance loss, I tried to lower the settings a little (disabling or lowering settings of tracking mechanisms not commonly used). ... I am happy to report that the warning levels still worked OK. I posted a screen shot of these (compatible mode) settings and the results of the webpages with lowered protection levels.
I created a custom Relaxed Level courtesy of @Kees1958, I believe. I just started using it today:

Max90

Level 8
Nov 9, 2022
380
@oldschool thanks for your feedback, I changed my mode to little lies mode using some of your settings. I tested how good the FingerPrintDetector is with Javascript Shield OFF and it seems to work OK, without the feedback of the wrappers. Therefore I am running it with JavaShield OFF and a custom level protection called "Little lies mode" for websites with medium risk of fingerprinting, and I use "Recommended mode" for high risk of fingerprinting. This seems (for me) the best balance for no website breakage with protection.

I had a look at JShelter-related threads on MT and on GitHub and can't really understand why Kees1958 was so critical of the authors. From what I understand of the issues on GitHub, they implemented most of the criticism (only not a database with video cards like Trace and the paid version of Cydec Anti_Fingerprinting). The authors even started an evaluation of their protection mechanisms after his criticism (see spoiler), so I don't understand why Kees1958 stayed so critical in his responses on GitHub and MT.


Jan Willy

Level 9
Verified
Well-known
Jul 5, 2019
446
to me I don't understand why Kees1958 stayed so critical in his responses on github and MT
If I remember well, Kees1958 criticised the faked elements in the fingerprint spoofing. Nevertheless he used this extension. View Update - JShelter - JavaScript Restrictor
My concern is that JShelter isn't developed anymore.
 

Max90

Level 8
Nov 9, 2022
380
@Jan Willy You are correct the EU funding stopped, so probably the development also :( I looked on GitHub, but it seems asleep now (to say it nicely), it uses WebRequest API, so as far as I understand it works okay as long as MV2 is supported.

@oldschool I have blocked access to Motion and Light Sensors in Edge (an option in site permissions in all Chromium browsers). And when a website tries to access this API you get a sign in the address bar. I did some testing and it seems that websites trying to fingerprint visitors use this option most of the time (8 out of 10 times when JShelter FingerPrint protector judged that this website tried to track me with fingerprinting, Edge also showed the "this site has been blocked using motion sensors"). So I thank you for attending me on this extension, but I think I will go for the 80 percent next best solution, by using the indicator built into Edge, because JShelter uses quite some CPU (see spoiler). Nevertheless I learned a lot from using JShelter, so an explicit thank you (y)


blackice

Level 37
Verified
Top Poster
Well-known
Apr 1, 2019
2,690
Some Google services may need whitelisting. Don't know about Chrome updates but I'll keep my eye on this. Here's the link for the No Google filter list: GitHub - nickspaargaren/no-google: Completely block Google and its services. He maintains this and has links to other maintainers for:
You can leverage these massive corporations without them controlling you. Joining the privacy panic is mind control as well (I know you to be a very reasonable person, just a minor post whiskey point).
 

Max90

Level 8
Nov 9, 2022
380
Switched from Quad9 to NextDNS due to it possibly causing slowdown.
Have a look at browserleaks, IP address, DNS leaktest. Resolving from the Netherlands shows some strange Quad9 behavior. Its IPv6 servers are located in France, while its IPv4 servers are located in the Netherlands. I had some issues with NextDNS (servers in Netherlands sometimes fell back to servers in Germany). So I decided to disable IPv6 in my router and switched to Quad9 (NextDNS has one server, Quad has six or seven).

Although IPv6 has some advantages over IPv4 (no NAT, built-in IPsec and QoS), when you don't have devices requiring IPv6, IPv4 still functions great. In fact it is better to use IPv4 only, when you use a VPN for privacy, since most VPN services leak your IPv6 device address.
 
