SECURITY: Complete Protomartyr's ThinkPad Security Config 2021

Last updated
Jan 9, 2021
About
My primary device
Additional PC users
Not shared with other users
Operating system
Windows 10
OS license
Home
Login security
    • Password (Aa-Zz, 0-9, Symbols)
Primary sign-in
Local account
Primary account rights
Administrator permissions
Security updates
Automatic - allow all types of updates
Windows UAC
Maximum - always notify
Real-time protection
Microsoft Defender
Software firewall
Microsoft Defender Firewall
Custom RTP, Firewall and OS settings
Malware research
No - malware samples are not downloaded
Periodic scanners
Farbar Recovery Scan Tool (FRST)
HitmanPro Free
Malwarebytes Premium (all real-time protection modules turned off)
DNS
Quad9
VPN
N/A
Password manager
LastPass
Authy (two-factor authentication)
Browsers, Search and Addons
Chrome:
Edge:
PC maintenance
Personal Files & Photos backup
SyncToy with External HDD
Personal backup routine
Device recovery & backup
Device backup routine
Manual (maintained by self)
PC activity
  1. Browsing the Web
  2. Checking emails
  3. Shopping
  4. Financial
  5. Installing new software
  6. Visiting unknown sites
  7. File sharing
  8. Working from home
  9. Collaboration
  10. Video games
  11. Photo and video
  12. Streaming content
Computer specs
ThinkPad S1 Yoga
Intel Core i5-4200U
Intel HD Graphics
8GB RAM
128 GB SSD (System)
256 GB SSD (Documents & Media)
Personal changelog
Jan 5 2021 - Removed Hard_Configurator
Jan 5 2021 - Added Simple Windows Hardening
Jan 5 2021 - Added ConfigureDefender standalone (set to 'high')
Jan 5 2021 - Added Farbar Recovery Scan Tool (FRST)
Jan 9 2021 - Enabled auto lock of computer through registry
Feedback Response

General feedback

Protomartyr

Level 7
Verified
Sep 23, 2019
325
This is my current security config for my ThinkPad Yoga.

Minor notes:
  • I'm now using Quad9 DNS as Cloudflare DNS (Malware Blocking) was blocking a site that I frequently use.
  • Bitdefender TrafficLight isn't really needed on Edge since it has SmartScreen built in. TrafficLight is only there because I find the site reputation feature handy.
Besides those 2 minor changes everything is the same compared to my previous 2020 configuration.
 

Gandalf_The_Grey

Level 43
Verified
Trusted
Content Creator
Apr 24, 2016
3,238
The phishing malware blocking part of Quad9 seems to be much better than Cloudflare, so good switch.
Like I said in @ErzCrz's config:
A plus for using an extension is that Edge sometimes partly downloads a file before blocking it (can still be found in cache) while in this case Bitdefender TrafficLight fully blocks the download.
 

Protomartyr

Level 7
Verified
Sep 23, 2019
325
I use the free version of LastPass but forgot to include it in the post. Fixed (y)

Also noticed I forgot to add two-factor authentication to the post. Not sure where to add 2FA, so I stuck it under the VPN and Privacy section. I use Authy for 2FA. Not the most "secure" solution as it syncs online but it is very convenient as you can use multiple devices. I only use it for 2 non-critical accounts.

@Gandalf_The_Grey pretty much stated the reason why I keep Microsoft Defender Browser Protection on Chrome.

Bitdefender TrafficLight on Edge (when SmartScreen is built in) and MDBP on Chrome (when Google Safe Browsing is available) might seem like overkill. But I am a big fan of both services/companies so I don't mind having the extensions installed to help out with telemetry.
 

Protomartyr

Level 7
Verified
Sep 23, 2019
325
Removed:
- Hard_Configurator

Added:
- Simple Windows Hardening
- ConfigureDefender standalone (set to 'high')
- Farbar Recovery Scan Tool (FRST)

Decided to make things simple and switch from H_C to SWH. My studies at the Malware Removal Training Program at Bleeping Computer are progressing and so I will be using more tools and making use of scripts. My H_C setup was too locked down and I didn't feel like troubleshooting.

I'm satisfied with how easy and streamlined SWH is! I was using ConfigureDefender with H_C, so after uninstalling H_C I downloaded the ConfigureDefender standalone version. I changed protection levels to 'high' so I can avoid troubleshooting issues.

I've been using FRST in VMs so far, but finally decided to make use of it on my actual system.
 

Andy Ful

Level 68
Verified
Trusted
Content Creator
Dec 23, 2014
5,727
Hi, :)

If you want to use scripts with SWH, then two options from the Settings menu have to be Allowed:
  • Admin Windows Script Host
  • Admin PowerShell Scripts
Also, the PowerShell Execution Policy has to be set to RemoteSigned or Unrestricted. This is not the SWH restriction, but Windows by default uses the Restricted setting, which prevents users from running PowerShell scripts manually. You can still prevent accidentally running PowerShell scripts by the user when using Settings >> Protected Script Extensions.

This will add some script extensions (PS1, PS2, etc.) to SRP protected extensions.
Furthermore, you have to whitelist your trusted scripts in UserSpace to avoid SRP restrictions and Constrained Language Mode. You can use a whitelisted folder for your scripts.

If you use scripts occasionally, then you can keep the standard SWH settings and temporarily turn OFF the SWH protection to run scripts. (y)

Post edited: added info about adding PowerShell script extensions to SRP.
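
A check for the two conditions described in the post above, as an added example that is not part of the original post or of SWH: it reports which scope decides the PowerShell execution policy and which language mode the script is running in. The function name Get-ScriptRunReadiness is hypothetical; the assumption is that you save the block as a .ps1 file in your whitelisted folder and run it from there.

```powershell
# Added example (not from the thread). Get-ScriptRunReadiness is a hypothetical name.
function Get-ScriptRunReadiness {
    # -List returns the scopes in precedence order:
    # MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine.
    # The first scope that is not 'Undefined' decides the effective policy.
    $winning = Get-ExecutionPolicy -List |
        Where-Object { $_.ExecutionPolicy -ne 'Undefined' } |
        Select-Object -First 1

    $effective = (Get-ExecutionPolicy).ToString()
    $mode      = $ExecutionContext.SessionState.LanguageMode.ToString()

    [pscustomobject]@{
        EffectivePolicy = $effective
        DecidedByScope  = if ($winning) { $winning.Scope } else { 'none set (Windows default)' }
        # The two values the post names as required for running scripts manually.
        ManualScriptsOk = $effective -in 'RemoteSigned', 'Unrestricted'
        LanguageMode    = $mode
        FullLanguage    = $mode -eq 'FullLanguage'
    }
}

$result = Get-ScriptRunReadiness
$result | Format-List

if (-not $result.ManualScriptsOk) {
    Write-Warning "Execution policy '$($result.EffectivePolicy)' is not RemoteSigned or Unrestricted."
}
if (-not $result.FullLanguage) {
    # Expected when the script's folder is not whitelisted and restrictions apply.
    Write-Warning "Running in $($result.LanguageMode); check that this folder is whitelisted."
}
```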
 

Protomartyr

Level 7
Verified
Sep 23, 2019
325
Added:
- Enabled auto lock of computer through registry

Seems like the registry edit I used to have in my previous configuration is working again!

Quote from my previous config thread:
I'm usually pretty good at making sure I lock my laptop when I leave to do something but I've been forgetting lately. Decided to set my computer to auto-lock after being idle for 10 minutes. You can do this on Windows 10 Pro edition but not on the Home edition since there's no access to the Local Security Policy feature. To get around this, I just had to add a new DWORD value named InactivityTimeoutSecs and set it to 600 seconds. Got the job done! (y)

Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Value Name: InactivityTimeoutSecs
Value Type: DWORD (32-bit) Value
Data (Decimal): # of seconds *

* = accepted value range to auto lock is 1-599940 seconds; 0 = disables auto lock
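
The registry edit described above as a script, added here as an example that is not part of the original post: it rejects values outside the range the post gives, writes the DWORD, and reads it back. The function name Set-InactivityLock is hypothetical, and the script assumes an elevated PowerShell prompt because the key is under HKEY_LOCAL_MACHINE.

```powershell
# Added example (not from the thread). Set-InactivityLock is a hypothetical name.
# Run from an elevated prompt: the key is under HKEY_LOCAL_MACHINE.
function Set-InactivityLock {
    param(
        # 0 disables auto lock; 1-599940 is the range quoted in the post.
        [Parameter(Mandatory)]
        [ValidateRange(0, 599940)]
        [int]$Seconds
    )
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $name = 'InactivityTimeoutSecs'

    # Record the previous state so the change can be reverted later.
    $old = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name

    # -Force overwrites an existing value; DWord matches "DWORD (32-bit) Value".
    New-ItemProperty -Path $key -Name $name -PropertyType DWord `
        -Value $Seconds -Force | Out-Null

    # Read the value back and compare instead of trusting the write.
    $new = (Get-ItemProperty -Path $key -Name $name).$name
    if ($new -ne $Seconds) {
        throw "Read-back mismatch: expected $Seconds, found $new"
    }

    [pscustomobject]@{
        ValueName = $name
        Previous  = if ($null -eq $old) { '(not set)' } else { $old }
        Current   = $new
        Meaning   = if ($new -eq 0) { 'auto lock disabled' } else { "lock after $new s idle" }
    }
}

# 600 seconds = 10 minutes, the value used in the post.
Set-InactivityLock -Seconds 600
```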
 