ParaXY's Windows 10 desktop Config

ParaXY

Level 6
Thread author
Verified
Mar 14, 2017
273
After some more research I have modified my Windows Features to look as follows:

upload_2017-3-18_8-50-31.jpeg

Hopefully that'll help secure things. I hope uninstalling IE11 won't cause too many issues!

On another note, I have enabled "Secure Sign In" for the image. This enables "Ctrl + Alt + Del" and prevents fake login screens.

Thought I'd mention it as it's easy to enable and has good security benefits!
 

ParaXY
> Why Adblock Plus if you already have uBlock Origin?
>
> Good config, but I would move MalwareBytes to "on-demand scanners" field.
>
> Thanks for sharing.

I've always had Adblock Plus but saw uBlock Origin mentioned somewhere so thought I'd give it a try.

I wanted to avoid installing Malwarebytes if I can. The secure build I am setting up is going to (hopefully) be a third party free zone :) I do like Malwarebytes but we'll see!
 

Deleted member 178

> I've always had Adblock Plus but saw uBlock Origin mentioned somewhere so thought I'd give it a try.
uBO is better

> I wanted to avoid installing Malwarebytes if I can. The secure build I am setting up is going to (hopefully) be a third party free zone :) I do like Malwarebytes but we'll see!
MBAM suxx lately, I don't consider it a top-notch solution anymore, not saying it was never great against worms & viruses.
 

ParaXY
> uBO is better
>
> Malwarebytes Anti-Malware suxx lately, I don't consider it a top-notch solution anymore, not saying it was never great against worms & viruses.

Thanks for the comment! I have disabled Adblock Plus and only have uBlock enabled now.

I hear what you're saying re Malwarebytes Anti-Malware. There's two things that have put me off Malwarebytes Anti-Malware for my new locked down/secure build:

1) Their ongoing subscription fee to use their product (ie: no one-off upfront payment option)
2) I can't help but feel that the new(er) versions of Malwarebytes Anti-Malware feels a bit slow/bloated

So I've stopped using it.

For on demand AV scanning I use Emsisoft Emergency Kit but is there something similar for scanning for malware (ie: it doesn't have to be installed)? Maybe for ransomware too?

What I currently do is run no real time AV/malware scanning and then once a month I run Emsisoft Emergency Kit across all my drives for viruses.
 

Deleted member 178

> For on demand AV scanning I use Emsisoft Emergency Kit but is there something similar for scanning for malware (ie: it doesn't have to be installed)? Maybe for ransomware too?
If you want to stay in the "simple" detection & cleaning apps, in addition to EEK, you have Zemana AM or HitmanPro free (but no removal).

> What I currently do is run no real time AV/malware scanning and then once a month I run Emsisoft Emergency Kit across all my drives for viruses.
That is enough. I would use Windows Defender: it costs nothing, is kernel integrated, system aware, etc. The only cons are the occasional slowdowns.
 

ParaXY
Can Zemana AM and/or HitmanPro free run in a portable-like mode like EEK? I just want something I can run maybe once a month to check I haven't had something sneak onto my machine...

Sorry, I am now running Defender but wasn't up until a week or so ago.
 

ParaXY

Attachments: upload_2017-3-19_10-25-27.png

ParaXY
During my research into studying Malware I came across a website called VirusShare:

VirusShare.com

I signed up for this website and was granted access to it so I proceeded to download some samples. The one I downloaded was massive...16GB! I viewed the file in an isolated VM but the contents of the file were not what I was expecting at all. I was expecting many executables etc that when run would cause all sorts of destruction (malware, ransomware and so on) but the files in the zip file looked as follows:

upload_2017-3-30_15-51-58.png


Without trying to sound too stupid and like a noob, what does one do with these files? I haven't executed any of them, I have only viewed the contents of the zip file at this stage in an isolated VM.
 

ParaXY
In my quest for a secure Windows 10 desktop I discovered Device and Credential Guard today. Since I will be running the Enterprise version of Windows 10 these features are available. I've gone through the hardware requirements and I seem to have everything I need to use these features EXCEPT for a TPM chip but I think this is optional (although recommended).

The only issue I see with wanting to use Device/Credential Guard is that you need to enable Hyper-V for this to work....and I use VMware Workstation Pro...and you can't run Hyper-V and VMware Workstation side by side.

So I face a dilemma: Carry on with VMware Workstation Pro and pretend I never came across Device/Credential Guard OR....stop using VMware Workstation Pro so I can enable Hyper-V and have Device/Credential Guard.

Argh. What a choice!

So I wanted to ask, does anyone have any experience with Device/Credential Guard? Is it worth considering for my setup? I *only* run 3 VMs in VMware Workstation but one is used daily for work. I know how to use Hyper-V but far prefer VMware Workstation but having a secure desktop is calling :) (I do know how to convert VMs to work with Hyper-V)

This secure desktop is turning into quite a build so far with me considering the following to lock things down:
  • Device Guard
  • Credential Guard
  • AppLocker
  • Bitlocker
  • Windows Firewall with custom out/incoming rules
  • Windows Hello (camera is on order!)
  • Using Group Policy to restrict USB devices
Thanks! ;)
 
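Added example (editor's, not code from any poster in this thread) for the Device/Credential Guard question above: the first function reads the documented Win32_DeviceGuard WMI class to show which platform security properties the machine offers and whether VBS, Credential Guard and HVCI are configured and running; the second writes the documented registry values that turn Credential Guard on and, optionally, HVCI. The Hyper-V hypervisor component it enables is the piece the thread says conflicts with VMware Workstation. A TPM is not required by these settings, but Secure Boot is (RequirePlatformSecurityFeatures=1). Value decodings in the comments follow the Microsoft documentation for that WMI class.

```powershell
# Added example: inspect and enable virtualization-based security (VBS).
# Run from an elevated PowerShell; a reboot is required after enabling.

function Get-DeviceGuardState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # Decodings per the Win32_DeviceGuard documentation
    $propNames = @{
        1 = 'Base VBS (hypervisor)'
        2 = 'Secure Boot'
        3 = 'DMA protection (IOMMU)'
        4 = 'Secure memory overwrite'
        5 = 'UEFI code read-only'
        6 = 'SMM mitigations'
    }
    $svcNames  = @{ 1 = 'Credential Guard'; 2 = 'HVCI (hypervisor-enforced code integrity)' }
    $vbsStatus = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Running' }

    [pscustomobject]@{
        VbsStatus           = $vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
        AvailableProperties = @($dg.AvailableSecurityProperties | ForEach-Object { $propNames[[int]$_] })
        RequiredProperties  = @($dg.RequiredSecurityProperties  | ForEach-Object { $propNames[[int]$_] })
        ServicesConfigured  = @($dg.SecurityServicesConfigured  | ForEach-Object { $svcNames[[int]$_] })
        ServicesRunning     = @($dg.SecurityServicesRunning     | ForEach-Object { $svcNames[[int]$_] })
    }
}

function Enable-CredentialGuard {
    param(
        [switch]$UefiLock,   # lock the setting in UEFI; cannot be undone remotely
        [switch]$WithHvci    # also enable hypervisor-enforced code integrity
    )

    # Hypervisor component only (the piece that conflicts with VMware Workstation)
    Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-Hypervisor -All -NoRestart | Out-Null

    $dgKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    New-Item -Path $dgKey -Force | Out-Null
    Set-ItemProperty -Path $dgKey -Name EnableVirtualizationBasedSecurity -Type DWord -Value 1
    # 1 = require Secure Boot; 3 = require Secure Boot and DMA protection
    Set-ItemProperty -Path $dgKey -Name RequirePlatformSecurityFeatures -Type DWord -Value 1

    # LsaCfgFlags: 1 = Credential Guard with UEFI lock, 2 = without lock
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    Set-ItemProperty -Path $lsaKey -Name LsaCfgFlags -Type DWord -Value $(if ($UefiLock) { 1 } else { 2 })

    if ($WithHvci) {
        $hvciKey = Join-Path $dgKey 'Scenarios\HypervisorEnforcedCodeIntegrity'
        New-Item -Path $hvciKey -Force | Out-Null
        Set-ItemProperty -Path $hvciKey -Name Enabled -Type DWord -Value 1
        Set-ItemProperty -Path $hvciKey -Name Locked  -Type DWord -Value 0
    }

    Write-Host 'Configured. Reboot, then run Get-DeviceGuardState to confirm ServicesRunning.'
}

# Usage:
Get-DeviceGuardState | Format-List
# Enable-CredentialGuard -WithHvci          # test without the UEFI lock first
# Enable-CredentialGuard -WithHvci -UefiLock  # once you are sure you want it permanent
```

Leave the UEFI lock off until the build has settled: with LsaCfgFlags=1 the setting is persisted in UEFI variables and turning it off again requires a physical-presence sequence at boot, which is exactly what you do not want while still deciding between Hyper-V and VMware Workstation.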

Deleted member 178

Very few have Win10 Ent (including me ^^), and most who have it surely never bother to use the native security as you and me would do.
 

oliverjia

Level 1
Verified
Apr 30, 2013
20
I used to have Windows 10 LTSB 2016 v1607 x64, but I switched to v1703 x64 a few days ago, mainly because of the security improvement introduced in this new Windows 10 version.
 

ParaXY
> Very few have Windows 10 Ent (including me ^^), and most who have it surely never bother to use the native security as you and me would do.

For what it's worth Education has most of the features as Enterprise but I hear what you're saying. I'm surprised that most wouldn't be interested in the native security features of Windows as, if you build a solid foundation then you'll have a secure setup.

> I used to have Windows 10 LTSB 2016 v1607 x64, but I switched to v1703 x64 a few days ago, mainly because of the security improvement introduced in this new Windows 10 version.

It's funny you should mention this. I have been thinking about this quite a bit. What security improvements are there with 1703 over 1607?

The biggest issue I have with 1703 is that I'll have to spend ages trying to get rid of Cortana and all those silly default built in modern apps!

Edit:

So I have done a lot of thinking about this and although I really REALLY like the idea of LTSB, the thing that worries me about it is that it won't be updated until 2019 with any new features.

So I did a clean install of Windows 10 15063.11 (supposedly the RTM version) and out of the box the defaults are awful. I ran TCPView and the amount of connections going out of the test VM were terrible. But I liked the new features like svchost.exe having multiple processes on machines with more than 3.5GB of RAM, better Hello recognition etc etc. Things I wouldn't have had with LTSB. The new Windows Defender Security Centre is nice.

So I thought I'd share a screenshot of TCPView on Windows 10 Creators Update in my test VM with ALL the default firewall rules removed and only running my custom rules. I also uninstalled the modern apps I could.

So here's what the Start Menu looks like after customisation:

upload_2017-4-2_13-16-54.png


And here's TCPView and my custom outgoing firewall rules:

upload_2017-4-2_13-18-37.png


Ignore the IE11 rule, this needs to be deleted and was for testing purposes only.

So by heavily modifying the firewall rules, Windows 10 Creators Update is very quiet now and not chatty at all with cloud servers! Even after watching it for an hour.

As you can see I have a firewall rule for svchost.exe. This is needed for Defender and Windows Updates. I was considering using a netsh batch file to toggle this on and off but it would be a pain and I wouldn't get timely AV updates then.

So it looks like I'll ditch WIndows 10 Enterprise LTSB for Windows 10 Enterprise Creators Update and then lock it down so there aren't any/many modern apps and block Cortana from running/connecting to the internet. Having the Edge browser on the machine doesn't worry me.

With this quick test with the Creators Update I haven't even tried AppLocker again. I can't test Device/Credential Guard unfortunately in a VM so this will have to wait until I rebuild my machine to see how it works and if it is practical to use.
 
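Added example (editor's, not the thread author's own rule set) for the firewall approach described in the post above: default-deny in both directions, the built-in rules disabled rather than deleted so they can be restored while troubleshooting, a short outbound allow list for the browsers, and svchost.exe allowed per hosted service instead of wholesale, which is how Windows Update and Defender updates can keep working without giving every service hosted in svchost a path out. The program paths and the service list are assumptions; tune them from your own TCPView and dropped-packet log observations.

```powershell
# Added example: default-deny Windows Firewall with a named allow list.
# Run from an elevated PowerShell. Rule names are prefixed so they can be
# listed and removed as a group.

$prefix = 'Custom'

function Set-DefaultDenyFirewall {
    # Block by default and log drops so missing allow rules show up in the log
    Set-NetFirewallProfile -Profile Domain,Private,Public `
        -DefaultInboundAction Block -DefaultOutboundAction Block `
        -LogBlocked True -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

    # Disable (not delete) every built-in rule except the Core Networking group,
    # which carries DHCP/ICMPv6 plumbing that a stateful outbound rule does not cover
    Get-NetFirewallRule |
        Where-Object { $_.DisplayName -notlike "$prefix*" -and $_.DisplayGroup -ne 'Core Networking' } |
        Disable-NetFirewallRule
}

function Add-OutboundAllow {
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$Program,
        [string]$Service,                     # restricts a svchost rule to one hosted service
        [string]$Protocol = 'TCP',
        [string[]]$RemotePort = @('80', '443')
    )
    $params = @{
        DisplayName = "$prefix`: $Name"
        Direction   = 'Outbound'
        Action      = 'Allow'
        Protocol    = $Protocol
        RemotePort  = $RemotePort
        Profile     = 'Any'
    }
    if ($Program) { $params.Program = $Program }
    if ($Service) { $params.Service = $Service }
    New-NetFirewallRule @params | Out-Null
}

Set-DefaultDenyFirewall

# Browsers (paths are assumptions for a default 64-bit install)
Add-OutboundAllow -Name 'Firefox' -Program 'C:\Program Files\Mozilla Firefox\firefox.exe'
Add-OutboundAllow -Name 'Chrome'  -Program 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'

# svchost.exe, one rule per hosted service rather than a blanket allow
$svchost = '%SystemRoot%\System32\svchost.exe'
Add-OutboundAllow -Name 'DNS client'     -Program $svchost -Service Dnscache -Protocol UDP -RemotePort 53
Add-OutboundAllow -Name 'DHCP client'    -Program $svchost -Service Dhcp     -Protocol UDP -RemotePort 67
Add-OutboundAllow -Name 'Windows Time'   -Program $svchost -Service W32Time  -Protocol UDP -RemotePort 123
Add-OutboundAllow -Name 'Windows Update' -Program $svchost -Service wuauserv
Add-OutboundAllow -Name 'BITS transfers' -Program $svchost -Service BITS

# Defender direct signature updates (MpCmdRun -SignatureUpdate); default install path assumed
Add-OutboundAllow -Name 'Defender updates' -Program '%ProgramFiles%\Windows Defender\MpCmdRun.exe'

# Review the result
Get-NetFirewallRule -DisplayName "$prefix*" |
    Select-Object DisplayName, Enabled, Direction, Action |
    Format-Table -AutoSize
```

After a day of normal use, read the dropped-packet log (the path set above) rather than TCPView alone: it shows which process and service hit the default-deny, which is the fastest way to find the one svchost-hosted service you forgot. Anything you find there that you do not recognise is a question to answer, not an allow rule to add.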

oliverjia
> It's funny you should mention this. I have been thinking about this quite a bit. What security improvements are there with 1703 over 1607?

I am not quite sure yet, but one thing for sure is the sandbox in Edge is improved significantly. I would assume there are other improvements in AppContainer and exploit mitigation.
I currently use Google Chrome as my main browser, but may also use Edge as a secondary browser, especially now it appears uBlock Origin works fine on Edge.
 

ParaXY
> I am not quite sure yet, but one thing for sure is the sandbox in Edge is improved significantly. I would assume there are other improvements in AppContainer and exploit mitigation.
> I currently use Google Chrome as my main browser, but may also use Edge as a secondary browser, especially now it appears uBlock Origin works fine on Edge.

Thanks but I'll be giving the Edge browser a miss! I use Firefox primarily and then Chrome as a secondary browser. It's been ages since I've read up about some of the changes in Firefox but the following look like I'll be using them:

  • Using 64bit Firefox instead of 32bit
  • Enabling multiprocess

I'm quite keen to check out Device and Credential Guard when I rebuild my machine when the Creators Update is officially RTMd. I hope there is someone on this forum who uses it and can comment on it! I'm hoping there's a way to run VMware Workstation side by side with the Hyper-V role enabled...
 

ParaXY
> Good enough security config.

Only good enough? o_O

Today my Logitech BRIO camera arrived. This camera is compatible with Windows 10 Hello.

I have to say, this feature is mind blowingly awesome!! I'm still running build 14393 and it seems pretty accurate to me but apparently 15063 is even more accurate.

Even though my account I use with Hello is password protected it still forced me to set a PIN which was something I wanted to avoid.

So far it has unlocked my machine with glasses on or off, with headphones on and even in the dark (all lights off)!!
 

Deleted member 178

> Only good enough? o_O
>
> Today my Logitech BRIO camera arrived. This camera is compatible with Windows 10 Hello.
>
> I have to say, this feature is mind blowingly awesome!! I'm still running build 14393 and it seems pretty accurate to me but apparently 15063 is even more accurate.
>
> Even though my account I use with Hello is password protected it still forced me to set a PIN which was something I wanted to avoid.
>
> So far it has unlocked my machine with glasses on or off, with headphones on and even in the dark (all lights off)!!
PINs are better than passwords; they can't be used remotely.
 

ParaXY
Hi All

About a week ago I finally rebuilt my PC with Windows 10 Enterprise 64bit Creators Update (1703). So far it's working pretty awesome but before I post any of the specifics of the config there are two things I am battling with or wanting to understand that I am hoping someone can help me with:

1) How can I block the Edge browser from running using AppLocker? I've tried blocking it using an Executable Rule and also tried a "Packaged app rule" but when I click the Edge icon I can still launch/run the browser.

2) I know AppLocker secures things pretty well if you set the rules up correctly but I know I am still vulnerable to malware macros running in Word/Excel docs. How does one protect yourself from these nasties? Stupid question but if a macro was allowed to run that was in a Word/Excel doc what executables etc does the macro use to do its malicious activity? In AppLocker I have blocked many system executables from running for my non-admin account (such as powershell) so I was wondering if there was anything further I need to do to protect myself from malicious macros?
 
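Added example (editor's, not from any poster in the thread) for the macro question in point 2 above. Two things are worth separating. VBA itself runs inside winword.exe or excel.exe, so an AppLocker executable rule never sees the macro; what AppLocker can catch is the child process a malicious macro almost always spawns (powershell.exe, cmd.exe, wscript.exe, cscript.exe, mshta.exe, regsvr32.exe, rundll32.exe, certutil.exe are the usual ones). The first function below sets the documented Office policy values for the current user so macros from the Internet are blocked outright and the rest are limited to signed ones; the second asks the effective AppLocker policy what it would do if the non-admin account tried to launch those spawn targets. The Office version key (16.0 = Office 2016) and the user name are assumptions.

```powershell
# Added example: Office macro policy for the current user plus an AppLocker
# check of the executables a macro would typically spawn.

$officeVersion = '16.0'            # 16.0 = Office 2016; 15.0 = Office 2013
$apps = 'Word', 'Excel', 'PowerPoint'

# VBAWarnings: 1 = enable all, 2 = disable with notification (default),
#              3 = disable except digitally signed, 4 = disable all without notification
# blockcontentexecutionfrominternet: 1 = block macros in files carrying Mark-of-the-Web
function Set-OfficeMacroPolicy {
    param(
        [ValidateSet(2, 3, 4)][int]$VbaWarnings = 4,
        [bool]$BlockInternetMacros = $true
    )
    foreach ($app in $apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security"
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name VBAWarnings -Type DWord -Value $VbaWarnings
        Set-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -Type DWord -Value ([int]$BlockInternetMacros)
    }
}

function Get-OfficeMacroPolicy {
    foreach ($app in $apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security"
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            App                 = $app
            VBAWarnings         = $p.VBAWarnings
            BlockInternetMacros = $p.blockcontentexecutionfrominternet
        }
    }
}

# Ask the effective AppLocker policy how it would treat the usual macro spawn targets
# for a given account. PolicyDecision is Allowed/Denied (or *ByDefaultRule).
function Test-MacroSpawnTargets {
    param([Parameter(Mandatory)][string]$User)   # e.g. 'MYPC\standarduser' (assumed name)
    $sys32 = "$env:SystemRoot\System32"
    $targets = @(
        "$sys32\WindowsPowerShell\v1.0\powershell.exe",
        "$sys32\cmd.exe", "$sys32\wscript.exe", "$sys32\cscript.exe",
        "$sys32\mshta.exe", "$sys32\regsvr32.exe", "$sys32\rundll32.exe",
        "$sys32\certutil.exe"
    )
    Get-AppLockerPolicy -Effective |
        Test-AppLockerPolicy -Path $targets -User $User |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

# Usage:
Set-OfficeMacroPolicy -VbaWarnings 3          # signed macros only; use 4 if you never need macros
Get-OfficeMacroPolicy | Format-Table -AutoSize
Test-MacroSpawnTargets -User 'MYPC\standarduser' | Format-Table -AutoSize
```

Two checks go with this. AppLocker only enforces while the Application Identity service is running (Get-Service AppIDSvc), so a rule that "doesn't work" is worth checking against that first. And since these are HKCU policy keys, they protect the account they were written under; write them under HKLM:\Software\Policies (same sub-path) or push them by Group Policy if the locked-down non-admin account and the admin account both need them.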
