SECURITY: Complete security123's Security Config 2020

Last updated
Dec 22, 2020
About
My primary device
Operating system
Windows 10
Login security
    • Hardware security key
Primary sign-in
Microsoft account
Primary account rights
Administrator permissions
Security updates
Automatic - allow all types of updates
Windows UAC
Maximum - always notify
Real-time protection
Microsoft Defender
Software firewall
Microsoft Defender Firewall
Custom RTP, Firewall and OS settings
In gpedit:
enabled anti-malware early start,
block untrusted fonts,
block advertising id,
enabled virtualization-based security for Device Guard,
enabled Kernel-DMA-protection,
block Remote support + Remote shell access,
block app start with voice command,
enable safe start for integrity checks for Bitlocker,
block new DMA devices if PC is locked,
request additional authentication at startup for Bitlocker,
disable Desktop Gadgets,
block Flash & new tab content in Edge,
block cloud in Windows search,
block Cortana,
disable popup notifications on locked screen,
change the inactivity limit to 15 minutes

other stuff:
run "dgreadiness_v3.7.2 -Enable"
install "Hard_Configurator 5.1.1.2" with all recommended settings + some of my own
Chromium-Edge flags & Anti-Exploit settings (see post)
Adobe Touch as PDF reader with Anti-Exploit settings (see post)
internal drives encrypted with Bitlocker
change Data Execution Prevention (DEP) to AlwaysOn / enforcing
In Defender Exploit protection I enable/enforce Dynamic ASLR
Anti-Ransomware protection enabled
Application Guard installed
NextDNS DoT DNS
sandboxed Defender
block msbuild.exe & CVTres.exe in Firewall
Malware research
No - malware samples are not downloaded
Periodic scanners
Microsoft Defender + Microsoft Defender (internal) offline scan + Desinfec't
Browsers, Search and Addons
Chromium-Edge with AdGuard extension
PC maintenance
Windows internal tools
Personal Files & Photos backup
Windows internal backup (file version history) to NAS + Personal Backup 6
Personal backup routine
Manual (maintained by self)
Device recovery & backup
Windows internal system restore points
Device backup routine
Manual (maintained by self)
PC activity
  1. Browsing the Web
  2. Financial
  3. Video games
  4. Streaming content
Computer specs
Personal changelog
6th June: First post
13th June: See SECURE: Complete - security123's Security Config 2020
3rd July: See SECURITY: Complete - security123's Security Config 2020
6th July: switch to NextDNS (DoT): SECURITY: Complete - security123's Security Config 2020
15th July: change a small Edge setting: SECURITY: Complete - security123's Security Config 2020
16th July: Increase KeePass security to maximum: SECURITY: Complete - security123's Security Config 2020
30th July: make Defender more secure, harden some Hard_Configurator settings: SECURITY: Complete - security123's Security Config 2020
31st July: enable "paranoid extensions" in Hard_Configurator: SECURITY: Complete - security123's Security Config 2020
8th August: disable HVCI due to problems with Defender network protection: SECURITY: Complete - security123's Security Config 2020
23rd August: removed TinyWall: SECURITY: Complete - security123's Security Config 2020
8th October: remove last AdGuard filter list, thanks to native DoH support in Edge
20th October: update to Windows 20H2
26th October: add LOLBins Firewall rules from Andy's tool
31th October: revert blocking LOLBins
3rd December: remove Windows Sandbox
22nd December: re-build Edge Anti-Exploit settings

SecurityNightmares

Level 33
Verified
Jan 9, 2020
2,281
Finally I can post my config, as I use the new Windows 2004 build as a clean base.
My setup is for minimum attack surface.
Also, as a firewall I use TinyWall, which works together with/beside the enabled Windows Firewall.

Chromium-Flags: Microsoft Edge - Chromium-Edge Flags
Anti-Exploit settings for Edge: Guide to Tweak of built-in Exploit protection in Windows Security
Anti-Exploit settings for Adobe Touch PDF reader: Update - Hard_Configurator - Windows Hardening Configurator


My plans for future:
- replace Windows Hello PIN with Nitrokey FIDO2 key -> not possible for home user
- maybe adding Anti-Ransomware protection -> done
- replace Ryzen 5-2600 with Ryzen 5-4000 series for more hardware security features
- maybe replace Personal Backup 6
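The config above lists the settings but gives no way to verify they are actually in effect. This added PowerShell audit is my own (not the poster's, and not part of Hard_Configurator or any tool named here); it reads the current state of several of those items on the local machine. It assumes Windows 10, an elevated session, and that the post's "Dynamic ASLR" means the Bottom-up ASLR system mitigation in Exploit protection.

```powershell
# Added audit script (not from the post): read-only checks for a few of the
# settings listed in the config above, on the local Windows 10 machine.
# Run from an elevated PowerShell. Assumption: the post's "Dynamic ASLR" is the
# Bottom-up ASLR system mitigation in Defender Exploit protection.
function New-Check {
    param([string]$Item, [bool]$Ok, [string]$Detail)
    [pscustomobject]@{ Item = $Item; Ok = $Ok; Detail = $Detail }
}
$r = @()

# DEP: DataExecutionPrevention_SupportPolicy 1 = AlwaysOn (2 = OptIn, 3 = OptOut)
$dep = (Get-CimInstance Win32_OperatingSystem).DataExecutionPrevention_SupportPolicy
$r += New-Check 'DEP AlwaysOn' ($dep -eq 1) "policy=$dep"

# VBS / HVCI state from the DeviceGuard WMI class (status 2 = running; service 2 = HVCI)
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
$r += New-Check 'VBS running' ($dg.VirtualizationBasedSecurityStatus -eq 2) "vbs=$($dg.VirtualizationBasedSecurityStatus)"
$r += New-Check 'HVCI running' ($dg.SecurityServicesRunning -contains 2) "services=$($dg.SecurityServicesRunning -join ',')"

# Defender: Controlled Folder Access (1 = block mode) and the sandboxed-engine switch
$mp = Get-MpPreference
$r += New-Check 'Controlled Folder Access' ($mp.EnableControlledFolderAccess -eq 1) "mode=$($mp.EnableControlledFolderAccess)"
$sb = [Environment]::GetEnvironmentVariable('MP_FORCE_USE_SANDBOX', 'Machine')
$r += New-Check 'Defender sandbox' ($sb -eq '1') "MP_FORCE_USE_SANDBOX=$sb"

# System-wide Bottom-up ASLR from Exploit protection
$aslr = (Get-ProcessMitigation -System).ASLR
$r += New-Check 'Bottom-up ASLR' ("$($aslr.BottomUp)" -eq 'ON') "BottomUp=$($aslr.BottomUp)"

# Enabled outbound block rules for the two executables named in the post
foreach ($exe in 'msbuild.exe', 'cvtres.exe') {
    $rules = Get-NetFirewallApplicationFilter -All | Where-Object { $_.Program -like "*\$exe" } |
        Get-NetFirewallRule | Where-Object {
            $_.Action -eq 'Block' -and $_.Enabled -eq 'True' -and $_.Direction -eq 'Outbound' }
    $r += New-Check "Firewall blocks $exe" ([bool]$rules) "rules=$(@($rules).Count)"
}

# BitLocker protection on every volume the cmdlet reports
foreach ($v in Get-BitLockerVolume) {
    $r += New-Check "BitLocker $($v.MountPoint)" ($v.ProtectionStatus -eq 'On') "status=$($v.ProtectionStatus)"
}

# Machine inactivity limit policy, 900 s = the 15 minutes set in gpedit
$pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$inact = (Get-ItemProperty $pol -ErrorAction SilentlyContinue).InactivityTimeoutSecs
$r += New-Check 'Inactivity limit 15 min' ($inact -eq 900) "InactivityTimeoutSecs=$inact"

$r | Format-Table -AutoSize
```

Items the changelog says were later reverted (HVCI, the LOLBin firewall rules) will simply show Ok = False, which is the point of re-running this after each change.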
 

Spawn

Administrator
Verified
Staff member
Jan 8, 2011
20,865
For Backup, what are "Windows internal"?

According to the Windows 10 support page, there are 3 different methods:
  • Cloud-based with Microsoft OneDrive
  • External or Network Drive with File History
  • Legacy (Backup and Restore (Windows 7))
For Maintenance, what are the "internal" called, Storage Sense, Legacy Windows Disk Cleaner?

maybe adding Anti-Ransomware protection
You can try Controlled Folder Access for free, or buy a Microsoft 365 subscription - review benefits, annual payment is cheapest:
There may be other Free and Paid Ransomware Tools available online.
 

SecurityNightmares

Level 33
Verified
Jan 9, 2020
2,281
For Backup, what are "Windows internal"?

According to the Windows 10 support page, there are 3 different methods:
  • Cloud-based with Microsoft OneDrive
  • External or Network Drive with File History
  • Legacy (Backup and Restore (Windows 7))
I use File History to Network Drive

For Maintenance, what are the "internal" called, Storage Sense, Legacy Windows Disk Cleaner?
Yes. Also the "sfc" and "dism" commands.

You can try Controlled Folder Access for free, or buy a Microsoft 365 subscription - review benefits, annual payment is cheapest:
Yeah, I know it, but in the past it created a lot of false positives on my system. Even for Windows' own processes.
With H_C from Andy the infection chance is very low. (I used SRP before too.)
 

SecurityNightmares

Level 33
Verified
Jan 9, 2020
2,281
On Mobile, it's all Pro-privacy.
On Desktop, it's just Meh-privacy.

Where do you draw the line between being Pro-privacy and then using proprietary Windows 10 software?
Windows 10 makes a great step forward for privacy with, e.g., app permission management like Android/iOS.
Windows 10 has great security features which protect user privacy in the end. Also, you can configure Windows to not send personal (meta)data.

But yes, smartphones are the best choice for both security and privacy.
 

oldschool

Level 59
Verified
Mar 29, 2018
4,812
Today I changed the Edge settings to no longer remove Cookies & Site Data on browser exit.
2 reasons:

- I don't like the ~2 seconds longer exit time
- I manually remove the site data I don't need anyway (after closing the site), so doing it automatically is redundant
I've already done the same, and I use Shift+Ctrl+Delete when I want the shotgun approach. (y)
 