Advanced Plus Security Protomartyr's ThinkPad Security Config 2021

Last updated
Jan 9, 2021
How it's used?
For home and private use
Operating system
Windows 10
On-device encryption
Log-in security
Security updates
Allow security updates and latest features
User Access Control
Always notify
Smart App Control
Real-time security
Microsoft Defender
Firewall security
Microsoft Defender Firewall
About custom security
Periodic malware scanners
Farbar Recovery Scan Tool (FRST)
HitmanPro Free
Malwarebytes Premium (all real-time protection modules turned off)
Malware sample testing
I do not participate in malware testing
Browser(s) and extensions
Chrome:
Edge:
Secure DNS
Quad9
Desktop VPN
N/A
Password manager
LastPass
Authy (two-factor authentication)
Maintenance tools
File and Photo backup
SyncToy with External HDD
System recovery
Risk factors
    • Browsing to popular websites
    • Opening email attachments
    • Buying from online stores, entering banks card details
    • Logging into my bank account
    • Downloading software and files from reputable sites
    • Browsing to unknown / untrusted / shady sites
    • Sharing and receiving files and torrents
    • Working from home
    • Gaming
    • Streaming audio/video content from trusted sites or paid subscriptions
    • Streaming audio/video content from shady sites
Computer specs
ThinkPad S1 Yoga
Intel Core i5-4200U
Intel HD Graphics
8GB RAM
128 GB SSD (System)
256 GB SSD (Documents & Media)
Notable changes
Jan 5 2021 - Removed Hard_Configurator
Jan 5 2021 - Added Simple Windows Hardening
Jan 5 2021 - Added ConfigureDefender standalone (set to 'high')
Jan 5 2021 - Added Farbar Recovery Scan Tool (FRST)
Jan 9 2021 - Enabled auto lock of computer through registry
What I'm looking for?

Looking for medium feedback.

Protomartyr

Level 7
Thread author
Sep 23, 2019
314
This is my current security config for my ThinkPad Yoga.

Minor notes:
  • I'm now using Quad9 DNS as Cloudflare DNS (Malware Blocking) was blocking a site that I frequently use.
  • Bitdefender TrafficLight isn't really needed on Edge since it has SmartScreen built in. TrafficLight is only there because I find the site reputation feature handy.
Besides those 2 minor changes everything is the same compared to my previous 2020 configuration.
 

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,505
This is my current security config for my ThinkPad Yoga.

Minor notes:
  • I'm now using Quad9 DNS as Cloudflare DNS (Malware Blocking) was blocking a site that I frequently use.
  • Bitdefender TrafficLight isn't really needed on Edge since it has SmartScreen built in. TrafficLight is only there because I find the site reputation feature handy.
Besides those 2 minor changes everything is the same compared to my previous 2020 configuration.
The phishing malware blocking part of Quad9 seems to be much better than Cloudflare, so good switch.
Like I said in @ErzCrz 's config:
A plus for using an extension is that Edge sometimes partly downloads a file before blocking it (can still be found in cache) while in this case Bitdefender TrafficLight fully blocks the download.
 

Jan Willy

Level 11
Verified
Top Poster
Well-known
Jul 5, 2019
544
Adding the Microsoft Browser Protection extension gives you the best of both worlds on Chrome.
Safe Browsing from Google and SmartScreen from Microsoft.
Sorry for the bad readability of post nr. 7. Obviously you knew already the answer from Protomartyr. My advice would be: remove Microsoft Browser Protection extension.

Protomartyr

Level 7
Thread author
Sep 23, 2019
314
I use the free version of LastPass but forgot to include it in the post. Fixed (y)

Also noticed I forgot to add two-factor authentication to the post. Not sure where to add 2FA, so I stuck it under the VPN and Privacy section. I use Authy for 2FA. Not the most "secure" solution as it syncs online but it is very convenient as you can use multiple devices. I only use it for 2 non-critical accounts.

@Gandalf_The_Grey pretty much stated the reason why I keep Microsoft Defender Browser Protection on Chrome.

Bitdefender TrafficLight on Edge (when SmartScreen is built in) and MDBP on Chrome (when Google Safe Browsing is available) might seem like overkill. But I am a big fan of both services/companies so I don't mind having the extensions installed to help out with telemetry.
 

Protomartyr

Level 7
Thread author
Sep 23, 2019
314
Removed:
- Hard_Configurator

Added:
- Simple Windows Hardening
- ConfigureDefender standalone (set to 'high')
- Farbar Recovery Scan Tool (FRST)

Decided to make things simple and switch from H_C to SWH. My studies at the Malware Removal Training Program at Bleeping Computer are progressing and so I will be using more tools and making use of scripts. My H_C setup was too locked down and I didn't feel like troubleshooting.

I'm satisfied with how easy and streamlined SWH is! I was using ConfigureDefender with H_C, so after uninstalling H_C I downloaded the ConfigureDefender standalone version. I changed protection levels to 'high' so I can avoid troubleshooting issues.

I've been using FRST in VMs so far, but finally decided to make use of it on my actual system.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Hi,:)

If you want to use scripts with SWH, then two options from the Settings menu have to be Allowed:
  • Admin Windows Script Host
  • Admin PowerShell Scripts
Also, the PowerShell Execution Policy has to be set to RemoteSigned or Unrestricted. This is not the SWH restriction, but Windows by default uses the Restricted setting which prevents users from running PowerShell scripts manually. You can still prevent accidentally running PowerShell scripts by the user when using
Settings >> Protected Script Extensions:

This will add some script extensions (PS1, PS2, etc.) to SRP protected extensions.
Furthermore, you have to whitelist your trusted scripts in UserSpace to avoid SRP restrictions and Constrained Language Mode. You can use a whitelisted folder for your scripts.

If you use scripts occasionally, then you can keep the standard SWH settings and temporarily turn OFF the SWH protection to run scripts.(y)

Post edited: added info about adding PowerShell script extensions to SRP.
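
A quick way to check the two conditions mentioned in the post above (execution policy and Constrained Language Mode) before running a script. This is an added PowerShell example, not part of the original thread or of SWH; the function name Get-ScriptReadiness is hypothetical.

```powershell
# Added example: report whether the current session can run scripts manually.
function Get-ScriptReadiness {
    # Effective policy for this session, after all scopes are merged.
    $effective = [string](Get-ExecutionPolicy)

    # -List returns the scopes in precedence order (MachinePolicy, UserPolicy,
    # Process, CurrentUser, LocalMachine); the first one that is not
    # 'Undefined' decides the effective policy.
    $deciding = Get-ExecutionPolicy -List |
        Where-Object { [string]$_.ExecutionPolicy -ne 'Undefined' } |
        Select-Object -First 1

    # FullLanguage is the normal mode; ConstrainedLanguage means the session
    # is restricted, as the post says happens for non-whitelisted scripts.
    $languageMode = [string]$ExecutionContext.SessionState.LanguageMode

    [pscustomobject]@{
        EffectivePolicy   = $effective
        DecidingScope     = if ($deciding) { [string]$deciding.Scope } else { 'none (Windows default)' }
        # The two values named in the post as allowing manual script runs.
        PolicyAllowsManualRun = $effective -in 'RemoteSigned', 'Unrestricted'
        LanguageMode      = $languageMode
        FullLanguage      = $languageMode -eq 'FullLanguage'
    }
}

Get-ScriptReadiness | Format-List
```

If DecidingScope is MachinePolicy or UserPolicy, the value comes from Group Policy and Set-ExecutionPolicy at a lower scope will not override it.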

Protomartyr

Level 7
Thread author
Sep 23, 2019
314
Added:
- Enabled auto lock of computer through registry

Seems like the registry edit I used to have in my previous configuration is working again!

Quote from my previous config thread:
I'm usually pretty good at making sure I lock my laptop when I leave to do something but I've been forgetting lately. Decided to set my computer to auto-lock after being idle for 10 minutes. You can do this on Windows 10 Pro edition but not on the Home edition since there's no access to the Local Security Policy feature. To get around this, I just had to add a new DWORD value named InactivityTimeoutSecs and set it to 600 seconds. Got the job done! (y)

Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Value Name: InactivityTimeoutSecs
Value Type: DWORD (32-bit) Value
Data (Decimal): # of seconds *

* = accepted value range to auto lock is 1-599940 seconds; 0 = disables auto lock
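
The registry edit described in the post above, as an added PowerShell example that is not part of the original thread. The function name Set-InactivityLock is hypothetical; run it from an elevated prompt, since writing under HKEY_LOCAL_MACHINE requires administrator rights.

```powershell
# Added example: set the auto-lock timeout and verify what was written.
function Set-InactivityLock {
    param(
        [Parameter(Mandatory)]
        [int]$Seconds
    )

    # Range quoted in the post: 1-599940 seconds enables auto lock, 0 disables it.
    if ($Seconds -lt 0 -or $Seconds -gt 599940) {
        throw "Seconds must be 0 (disabled) or 1-599940; got $Seconds"
    }

    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $name = 'InactivityTimeoutSecs'

    if (-not (Test-Path -Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }

    # Remember the previous value (null if the value did not exist) so the
    # change can be reverted later.
    $previous = (Get-Item -Path $key).GetValue($name)

    # -Force overwrites an existing value, including one of the wrong type.
    New-ItemProperty -Path $key -Name $name -PropertyType DWord `
        -Value $Seconds -Force | Out-Null

    # Read back both the data and the value type; a string value with the
    # right digits would not be a valid DWORD setting.
    $item = Get-Item -Path $key
    $kind = $item.GetValueKind($name)
    $current = $item.GetValue($name)
    if ([string]$kind -ne 'DWord' -or $current -ne $Seconds) {
        throw "Verification failed: $name is $current ($kind)"
    }

    [pscustomobject]@{
        Name     = $name
        Previous = $previous
        Current  = $current
        Kind     = [string]$kind
    }
}

# 600 seconds = the 10 minutes used in the post.
Set-InactivityLock -Seconds 600
```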
 
