Advanced Security R2D2's PC Security Configuration 2022

Last updated: Nov 18, 2019
About: Personal, primary device
Additional PC users: 1 additional user
Desktop OS: Windows 11
OS edition: Pro
Login security:
    • Password (Aa-Zz, 0-9, Symbols)
Primary sign-in: Local account
Primary user: Standard user - Limited permissions
Other users: Other accounts are Standard users
Security updates: Automatic - allow all types of updates
Windows UAC: Default - notify when programs attempt to make changes
Network firewall: Third-party router
Real-time protection: Kaspersky Total Security 2022 21.3.10.391, Snort IDS/IPS + pfBlockerNG on Netgear router/firewall
Software firewall: Provided by a third-party security vendor. Refer to 'Real-time protection' for details.
Custom RTP, Firewall and OS settings: KTS real time scanning at default settings
Malware testing: No malware samples
Periodic security scanners: KTS 2022
Secure DNS: NextDNS, Cloudflare & Google
VPN: ProtonVPN, PIA, Torguard
Password manager: Lastpass, Dashlane, 1Password & Bitwarden. Also lifetime subs to Sticky Password and KeepassXC as local backups
Browsers, Search and Addons: Chrome, Edge Chromium & Firefox
Maintenance and Cleaning: Manually performed every 10-14 days including a defrag
Personal Files & Photos backup: Cloud backups to: Google Drive, OneDrive, Dropbox, PCloud (all using Duplicati encrypted backup), plus Mega and Sync.com native apps. Local backups to: 2 NAS systems and external USB hard disk, Reflect incremental images 3 times a day, full backup image once a week
Personal backup routine: Automatic (scheduled)
Device recovery & backup: Macrium Reflect 8
Device backup routine: Automatic (scheduled)
PC activity:
  1. Working from home.
  2. Browsing to unknown sites.
  3. Shopping.
  4. Banking.
  5. Downloading software.
  6. File sharing and torrents.
  7. Multimedia.
  8. Streaming.
Personal changelog: Several changes, previous update is over 3 years old :)
Feedback Response: Most critical feedback

Gandalf_The_Grey

Interesting config, especially in real-time protection and personal files & photos backup (y)

Now for most critical feedback:
Set UAC to always notify to prevent bypasses:

No need for a local adblocker like uBlock Origin (for cosmetic filtering) with pfBlockerNG?

For periodic security scanners you should use something other than your realtime AV, like for example Norton Power Eraser.

You mentioned three secure DNS, which one are you currently using?
Same question for VPN.

You use or have used almost all available password managers, which one do you prefer and why?

Why do you use three browsers?
 
Last edited:
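
One way to see which UAC level a machine is actually on before and after following the "always notify" advice in the post above (an added example, not part of the original posts). It reads the standard UAC policy values from the registry; `Get-UacLevel` is a made-up helper name for this example, not a built-in cmdlet.

```powershell
# Added example: map the UAC policy registry values to the Control Panel slider level.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacLevel {   # hypothetical helper name, not a built-in cmdlet
    param($EnableLUA, $ConsentAdmin, $SecureDesktop)
    # A missing value is reported as unknown rather than guessed.
    if (@($EnableLUA, $ConsentAdmin, $SecureDesktop) -contains $null) {
        return 'Unknown (one or more policy values are not present)'
    }
    if ($EnableLUA -eq 0) { return 'UAC disabled (EnableLUA = 0)' }
    # ConsentPromptBehaviorAdmin / PromptOnSecureDesktop pairs set by the slider
    switch ("$ConsentAdmin/$SecureDesktop") {
        '2/1'   { 'Always notify' }
        '5/1'   { 'Default: notify when programs attempt to make changes' }
        '5/0'   { 'Notify on program changes, without the secure desktop' }
        '0/0'   { 'Never notify' }
        default { "Custom policy ($ConsentAdmin/$SecureDesktop)" }
    }
}

$p = Get-ItemProperty -Path $key

# A Standard user account never sees the admin consent prompt; its elevation
# prompt is controlled by ConsentPromptBehaviorUser instead.
$userPrompt = switch ("$($p.ConsentPromptBehaviorUser)") {
    '0'     { 'Automatically deny elevation requests' }
    '1'     { 'Prompt for credentials on the secure desktop' }
    '3'     { 'Prompt for credentials' }
    default { 'Not set or custom' }
}

[pscustomobject]@{
    AdminSliderLevel   = Get-UacLevel $p.EnableLUA $p.ConsentPromptBehaviorAdmin $p.PromptOnSecureDesktop
    StandardUserPrompt = $userPrompt
}

# To move to "Always notify", run from an elevated session:
#   Set-ItemProperty -Path $key -Name ConsentPromptBehaviorAdmin -Value 2
#   Set-ItemProperty -Path $key -Name PromptOnSecureDesktop -Value 1
```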

R2D2

> Interesting config, especially in real-time protection and personal files & photos backup (y)
>
> Now for most critical feedback:
> Set UAC to always notify to prevent bypasses:
>
> No need for a local adblocker like uBlock Origin (for cosmetic filtering) with pfBlockerNG?
>
> For periodic security scanners you should use something other than your realtime AV, like for example Norton Power Eraser.
>
> You mentioned three secure DNS, which one are you currently using?
> Same question for VPN.
>
> You use or have used almost all available password managers, which one do you prefer and why?
>
> Why do you use three browsers?

Hi,

Thanks, I was hoping for some feedback from more experienced members on here. Now to your queries:
a) UAC - Point taken, it's just that I have been experimenting, rather messing with my W11 PC config and got bugged with the UAC prompt so reduced it a notch.

b) I use AdGuard on the PCs and laptop; pfBlockerNG keeps the other devices like tabs and mobile phones relatively safe.

c) I used MBAM Pro as an alternative scanner till KTS bugged me several times to uninstall it and I eventually did.

d) I normally use Cloudflare, NextDNS & Google in that order in my pfSense box.

e) VPNs - I am always on VPN and select 1 VPN for the day. My current fav is ProtonVPN, with Torguard & PIA following closely behind. I also forgot to mention Nord but find the others faster.

f) Indeed I have used nearly all well-known passwords including Roboform but discontinued their use. I have several hundred logins, scores of notes, IDs, bank credit card info and other information saved in these PMs and TBH I'd be screwed if I couldn't access my PM data for any reason. It takes the burden of having to memorise critical information off my head. Besides, there's no sayin what can happen to a company these days. Hence the other password managers are mostly "cloud" or local backups. My most used PM is Lastpass. Dashlane and 1Password ran a discount offer on Apple's store in my country which was a deal I couldn't refuse. Bitwarden, well, this is a good habit I picked from MalwareTips back in 2017(ish) and I've subscribed to them every year since. At $10/year it's a deal. Why do I prefer Lastpass? Frankly it is the PM I've used continuously for the longest time and I find it very easy to use. Mind you I am not saying the others are bad but LP is like a favourite flavour of ice cream. :)

g) One browser, Firefox, is exclusively to access work-related sites and the other 2 are for casual/home browsing stuff. And frankly coz I like to monkey around trying different software.
 

R2D2

> Wouldn't it make more sense to use NextDNS and Cloudflare + Google as a fallback? I mean in NextDNS you get additional filtering and if there is a downtime you get a fallback to a stable DNS like Cloudflare or Google.

Yes, that's how it is configured. The router/firewall (dual WAN with load balancing and fail over) uses NextDNS as primary (my bad, I thought it was Cloudflare), with Cloudflare and Google as 1st and 2nd level backups. The router appliance is configured for secure DNS.
 

R2D2

> Oh, got you wrong then. My bad... :)

:D not at all. Actually I made a mistake, my pfSense is configured with NextDNS as primary and the other 2 as backups. Ideally, pfSense requires a DNS for each WAN connection and at least 1 each for both IPv4 and IPv6. My ISPs provide dual stack addresses and use both types of addressing systems.

PS - I never use my ISP DNS server because those queries are logged.