Advanced Security oldschool's surfing laptop configuration

Last updated
Jun 20, 2024
How it's used?
For home and private use
Operating system
Windows 11
Other operating system
Windows Pro
On-device encryption
N/A
Log-in security
    • Biometrics (Windows Hello PIN, TouchID, Face, Iris, Fingerprint)
Security updates
Allow security updates
Update channels
Allow stable updates only
User Access Control
Always notify
Smart App Control
On
Network firewall
Enabled
About WiFi router
Provided by ISP
Real-time security
Windows Security | Configured via GPO
Firewall security
Microsoft Defender Firewall
About custom security
MS Defender - Block all unknown executables | ASR rules | Platform & Engine Beta channel updates
Smart App Control
Exploit Protection settings
Firewall Hardening
RunBySmartscreen
Windows Spy Blocker
Periodic malware scanners
KVRT
Malware sample testing
I do not participate in malware testing
Environment for malware testing
N/A
Browser(s) and extensions
Firefox I µBO | Brave Search
Brave | Brave Search | My settings
Edge | Privacy Badger | JShelter | Brave Search
Secure DNS
Quad9 DNS
Desktop VPN
None
Password manager
Maintenance tools
Windows built-in
File and Photo backup
Copy/Paste
Subscriptions
    • None
System recovery
Wiindows built-in | Aomei Backupper Pro Lifetime
Risk factors
    • Browsing to popular websites
    • Opening email attachments
    • Buying from online stores, entering banks card details
    • Downloading software and files from reputable sites
    • Streaming audio/video content from trusted sites or paid subscriptions
Computer specs
Lenovo L340 Intel(R) Core(TM) i3-8145U CPU @ 2.10GHz 2.30 GHz 8.00 GB RAM 1TB HDD
Notable changes
22-12-5 Reverted to MS Defender.
23-1-21 Refreshed Windows with SAC in evaluation mode.
23-2-2 Clean Windows installation
23-2-18 SAC user-enabled on
27-2-23 Added Chrome for the lack of 'feature' bloat.
28-2-23 Changed default browser to Chrome
24.2.24 Refreshed Windows and re-enabled Smart App Control
7.5.24 Performed a repair installation via Windows Update. Nice & easy!
What I'm looking for?

Looking for minimum feedback.

oldschool

Level 83
Thread author
Verified
Top Poster
Well-known
Mar 29, 2018
7,206
Adding to the above post, here are my LibreWolf filter lists.
1693676427284.png1693676486702.png
 

brambedkar59

Level 30
Verified
Top Poster
Well-known
Apr 16, 2017
1,915
Upgraded to Windows Pro via Ghacks deal $39.95 US. Good for 3 devices. It's worth it to simplify dealing with MS bloatware.
I upgraded to pro last year just so that I can use Gpedit, worth the cheap license key. Tried cmd hack (for using GPedit on home version) earlier but it stopped working for me for some reason.
 

oldschool

Level 83
Thread author
Verified
Top Poster
Well-known
Mar 29, 2018
7,206
Replaced Librewolf with Firefox after fixing streaming video issue by adjusting Exploit Protection. The new settings for FF are:
Code:
Block untrusted fonts - ON
Control flow guard (CFG) - ON
Data execution prevention (DEP) - ON + Enable thunk emulation - CHECKED
Disable extension points - ON
Force randomization for images (Mandatory ASLR) - ON + Do not allow stripped images - CHECKED
Randomize memory allocations (Bottom-up ASLR) - ON
Validate exception chains (SEHOP) - ON
Validate handle usage - ON
Validate heap integrity - ON
 
F

ForgottenSeer 103564

Removed SRP as policies don't appear to work properly in 22H2. Nothing was blocked at all. @Andy Ful

Cleaned up some config details. BTW, I really like Mem Reduct. Way better than CleanMem. Works like a charm with my 8GB RAM.
You are correct it appears Windows 11 22H2 put an end to Software Restriction Policies. Still supported in Windows 10 though. Looks as if they redirect windows 11 users to App Locker instead.
 

oldschool

Level 83
Thread author
Verified
Top Poster
Well-known
Mar 29, 2018
7,206
Last edited:

oldschool

Level 83
Thread author
Verified
Top Poster
Well-known
Mar 29, 2018
7,206
Is SAC worked without problems on your laptop?
Yes except for one unsigned app I need to execute via RunBySmartscreen, otherwise it's blocked periodically without it. Using RBS this way may be useful to SAC users as SS is integrated with ISG in SAC. You can read here New Update - Smart App Control - Windows 11 22H2 feature promises significant protection from malware But please know that I use very few 3rd party apps. Almost none. This is mainly a surfing laptop. Most folks can't operate like I do.

3rd party apps:

Mindfulness at the computer (not signed)
Mem Reduct (signed from Henry++ GitHub)
Nanzip (MS Store)
iTunes (MS Store)
Aomei Backupper
Epson printer softs

Edit: One thing to remember is that when SAC blocks part of an app it may well still be fully functional for all practical purposes. e.g. some Aomei dll's or even some Windows processes, in much the same way as Controlled Folder Access blocks.
 
Last edited:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top