- Mar 14, 2017
Hi All
I've been lucky enough to obtain a copy of Windows 10 Enterprise LTSB which I plan on using to rebuild my desktop. Currently I use Windows 10 Education but I like the idea that LTSB doesn't have the bloat that the CBB branch has. LTSB doesn't have the Edge browser, Cortana and those silly "modern" apps. This suits me perfectly as I don't need/want/use any of those items. I'm aware that with LTSB you don't get any new features and I'm ok with that. In the upcoming Creators Updates about the only thing I was vaguely interested in was the new registry editor!
So in my quest to build a secure and practical Windows 10 desktop WITHOUT any third party apps, I will be taking the following steps and using the following products to achieve my goal(s):
1) Install Windows 10 Enterprise LTSB and set the telemetry value to "security" to minimise this type of traffic *See below for more
2) Disable or turn off all privacy settings
3) Turn UAC up all the way
4) I'll have two user accounts on the machine: admin and non-admin. I'll be using the non-admin account on a day to day basis and where needed I'll use the admin account for changes etc
5) Delete ALL the default Windows firewall rules and block ALL incoming and outgoing traffic except for the exceptions I set. For incoming I will only allow ICMPv4/6 for troubleshooting and for outgoing I have some rules to allow DHCP/DNS/HTTP(S) and a few others for internal use like RDP to servers. I also allow NTP and let svchost.exe have port 80/443 access for Windows Updates to work. I block IE11 from outgoing traffic as I use Firefox/Chrome/Chromium
6) Enable AppLocker. On the current test build I only have Windows and Office installed so I am using Publisher rules to only allow MS signed executables to run for non-admin users. The admin account can run anything/everything. As I install more software I will need to add more Publisher rules. Non-admin users can't run Windows Installers or run scripts. I'm currently allowing everyone to run Packaged apps but need to change that (or lock it down). I also use dll protection. I have Flash blocked. For executables that aren't digitally signed I'd have to use path based rules as hash rules sound like a pain to maintain
7) I'll be using Windows Defender for AV (and have the VirusTotal program installed for uploading suspicious files for scanning)
8) I have a lifetime license for Sandboxie but am unsure if I need to use this now that I will have AppLocker
9) All local drives are Bitlocker encrypted and use a Smart Card to unlock them (I also login to Windows using this same Smart Card)
* As of yesterday I started using Pi Hole and this seems to block all (or most I guess) of the Telemetry traffic
So I was hoping someone could have a look at my setup and comment or make suggestions as to what I could do to improve things or tell me if I have done something wrong. My goal is to NOT use any third party products. Not because I can't buy products to secure my machine but because I am a minimalist and like things to be snappy and perform well. I also don't like subscription based software.
Currently I have everything setup in a test VM (and have created an unattended customised ISO) that I am using to test things before doing the rebuild of my desktop but what I would like to do at the end of configuring everything is to run some test malware/ransomware on the test VM to see how it copes. Just typing that last sentence sent shivers down my spine but without doing this I have *no* idea if this setup is any good in the real world. I have never tested (or deliberately) run malware/ransomware on any machine so this would be a first for me ;-)
Anyways, thanks for reading and look forward to some comments/suggestions! If you need more specific info please ask.
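The list above (steps 1 to 6: telemetry level, UAC, the two accounts, the default-deny firewall with its short allow list, and AppLocker publisher rules) is a procedure, so here is one way to script it for the test VM. This is an added example written for this thread, not the poster's own configuration or anything shipped by Microsoft; it uses only documented cmdlets and registry values. The account name `dayuser`, the browser install paths and the `C:\Temp\applocker-audit.xml` location are assumptions you would replace. It deploys AppLocker in audit mode first so the event log shows what enforcement would have blocked before anything is actually blocked.

```powershell
# Added example for the hardening plan above (not the original poster's script).
# Run from an elevated PowerShell session inside the test VM.
#Requires -RunAsAdministrator

# --- 1) Telemetry: 0 = "Security". Honoured only on Enterprise/Education/LTSB SKUs. ---
$dc = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
New-Item -Path $dc -Force | Out-Null
Set-ItemProperty -Path $dc -Name AllowTelemetry -Type DWord -Value 0

# --- 3) UAC slider at its highest: consent prompt on the secure desktop. ---
$uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-ItemProperty -Path $uac -Name EnableLUA -Type DWord -Value 1
Set-ItemProperty -Path $uac -Name ConsentPromptBehaviorAdmin -Type DWord -Value 2
Set-ItemProperty -Path $uac -Name PromptOnSecureDesktop -Type DWord -Value 1

# --- 4) A standard (non-admin) account for daily use. "dayuser" is an assumed name. ---
$pw = Read-Host -AsSecureString 'Password for dayuser'
New-LocalUser -Name 'dayuser' -Password $pw -PasswordNeverExpires | Out-Null
Add-LocalGroupMember -Group 'Users' -Member 'dayuser'   # Users only, never Administrators

# --- 5) Firewall: default-deny both directions, then a short allow list. ---
# Disabling the stock rules is reversible; Remove-NetFirewallRule is not. Disable first,
# delete once the allow list has survived a few days of real use.
Get-NetFirewallRule | Disable-NetFirewallRule
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block

$svchost = '%SystemRoot%\System32\svchost.exe'
New-NetFirewallRule -DisplayName 'In: ICMPv4 echo' -Direction Inbound -Action Allow -Protocol ICMPv4 -IcmpType 8
New-NetFirewallRule -DisplayName 'In: ICMPv6 echo' -Direction Inbound -Action Allow -Protocol ICMPv6 -IcmpType 128
# Scope each outbound allow to the svchost instance that hosts the relevant service.
New-NetFirewallRule -DisplayName 'Out: DHCP' -Direction Outbound -Action Allow -Protocol UDP `
    -LocalPort 68 -RemotePort 67 -Program $svchost -Service Dhcp
New-NetFirewallRule -DisplayName 'Out: DNS' -Direction Outbound -Action Allow -Protocol UDP `
    -RemotePort 53 -Program $svchost -Service Dnscache
New-NetFirewallRule -DisplayName 'Out: NTP' -Direction Outbound -Action Allow -Protocol UDP `
    -RemotePort 123 -Program $svchost -Service W32Time
# Windows Update needs more than wuauserv (BITS, delivery optimisation), so this one stays per-binary.
New-NetFirewallRule -DisplayName 'Out: Windows Update (svchost)' -Direction Outbound -Action Allow `
    -Protocol TCP -RemotePort 80,443 -Program $svchost
# One allow rule per browser binary (assumed install paths).
$browsers = @('C:\Program Files\Mozilla Firefox\firefox.exe',
              'C:\Program Files\Google\Chrome\Application\chrome.exe')
foreach ($b in $browsers) {
    New-NetFirewallRule -DisplayName "Out: $(Split-Path $b -Leaf)" -Direction Outbound -Action Allow `
        -Protocol TCP -RemotePort 80,443 -Program $b
}
# Explicit block for IE11: a Block rule beats any Allow rule, so this holds even if a broad allow is added later.
New-NetFirewallRule -DisplayName 'Out: block IE11' -Direction Outbound -Action Block `
    -Program '%ProgramFiles%\Internet Explorer\iexplore.exe'

# --- 6) AppLocker: publisher rules from what is installed, loaded in audit mode first. ---
# The Application Identity service must run for AppLocker to evaluate anything.
sc.exe config appidsvc start= auto | Out-Null
sc.exe start appidsvc | Out-Null

$policyXml = 'C:\Temp\applocker-audit.xml'   # assumed path
New-Item -Path (Split-Path $policyXml) -ItemType Directory -Force | Out-Null
$files = foreach ($dir in 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)') {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Dll, Script
}
# Publisher rule where the file is signed, Path rule otherwise (the unsigned-binary case from step 6).
$files | New-AppLockerPolicy -RuleType Publisher, Path -User Everyone -Xml | Set-Content -Path $policyXml

# Flip every rule collection to AuditOnly before loading; change to Enabled once the log is clean.
# (An "Administrators may run anything" rule is the AppLocker default rule; add it in secpol.msc
# or with a Path rule for BUILTIN\Administrators before switching to Enabled.)
[xml]$p = Get-Content -Path $policyXml
$p.AppLockerPolicy.RuleCollection | ForEach-Object { $_.EnforcementMode = 'AuditOnly' }
$p.Save($policyXml)
Set-AppLockerPolicy -XmlPolicy $policyXml

# Check: event 8003 in the EXE and DLL log means "allowed only because of audit mode",
# i.e. exactly what enforcement would have blocked. Review these before enabling.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
```

Two things worth keeping in mind when running it: the firewall section cuts every outbound connection that is not listed, so anything you did not think of (Windows Store is irrelevant on LTSB, but Office activation and Defender definition downloads both go through svchost and are covered by the Windows Update rule only while they use 80/443) will simply fail silently; the `Get-NetFirewallRule | Disable-NetFirewallRule` line preserves the stock rules so you can `Enable-NetFirewallRule` a named one back if a service breaks. For AppLocker, leave the policy in AuditOnly for a normal week of use and only switch the collections to `Enabled` when the 8003 query returns nothing you care about.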