Latest changes
Jul 31, 2020
Daily driver
My primary device
Operating system
Windows 10 Pro
OS build or version
Windows 10 version 2004
System type
64-bit operating system; x64-based processor
Update and Security
Allow all automatic updates
User Access Control
Always notify
Firewall and Network protection
Microsoft Defender Firewall is active
User permissions
Administrator account
User account
Sign in with Microsoft
Sign-in options
  • Windows Hello PIN
  • Security Key
    Malware exposure
    No malware samples are downloaded
    Real-time Malware protection
    Microsoft Defender
    Modified security settings
    In gpedit:
    enabled anti-malware early start,
    block untrusted fonts,
    block advertising id,
    enabled virtualization-based security for Device Guard,
    enabled Kernel-DMA-protection,
    block Remote support + Remote shell access,
    block app start with voice command,
    enable safe start for integrity checks for Bitlocker,
    block new DMA devices if PC is locked,
    request additional authentication at startup for Bitlocker,
    disable Desktop Gadgets,
    block Flash & new tab content in Edge,
    block cloud in Windows search,
    block Cortana,
    disable popup notifications on locked screen,
    change the inactivity limit to 15 minutes

    other stuff:
    run "dgreadiness_v3.7.2 -Enable"
    install "Hard_Configurator_beta_setup_5.1.1.2" with all recommended settings + some of my own
    Chromium-Edge flags & Anti-Exploit settings (see post)
    Adobe Touch as PDF reader with Anti-Exploit settings (see post)
    internal drives encrypted with Bitlocker
    change Data Execution Prevention (DEP) to AlwaysOn / enforcing
    In Defender - Exploit protection I enable/enforce Dynamic ASLR
    Anti-Ransomware protection enabled
    Application Guard installed
    NextDNS DoT DNS
    sandboxed Defender
    Periodic scanners
    Microsoft Defender + Microsoft Defender (internal) offline scan + Desinfec't
    Browser and Extensions
    Chromium-Edge with AdGuard extension
    Privacy tools and VPN
    besides Windows settings, 3 different Edge profiles (see my thread about it)
    Password manager
    KeePass
    Search engine
    Startpage
    Maintenance tools
    Windows internal tools
    Photos and Files backup
    Windows internal backup (file version history) to NAS + Personal Backup 6
    File Backup schedule
    Once or multiple times per week
    Backup and Restore
    Windows internal system restore points
    Backup schedule
    Once or more per week
    Computer Activity
  • Playing computer games
  • Online banking
  • Browsing the web and checking emails
  • Streaming movies, TV shows and music from the Internet
    Computer Specifications
    Asrock B450 Pro4
    AMD Ryzen 5-2600
    Radeon RX 5700
    2x 8GB DDR4 memory
    232GB Crucial SSD for Windows, 476GB SanDisk SSD for Data
    different Nitrokeys, Bluetooth USB adapter
    Your changelog
    6th June: First post
    13th June: See SECURE: Complete - security123's Security Config 2020
    3rd July: See SECURITY: Complete - security123's Security Config 2020
    6th July: switch to NextDNS (DoT): SECURITY: Complete - security123's Security Config 2020
    15th July: change a small Edge setting: SECURITY: Complete - security123's Security Config 2020
    16th July: Increase KeePass security to maximum: SECURITY: Complete - security123's Security Config 2020
    30th July: make Defender more secure, harden some Hard_Configurator settings: SECURITY: Complete - security123's Security Config 2020
    31st July: enable "paranoid extensions" in Hard_Configurator: SECURITY: Complete - security123's Security Config 2020

    security123

    Level 19
    Finally I can post my config, as I use the new Windows 2004 build as a clean base.
    My setup is for minimum attack surface.
    Also, as firewall I use TinyWall, which works together with/beside the enabled Windows Firewall.

    Chromium-Flags: Microsoft Edge - Chromium-Edge Flags
    Anti-Exploit settings for Edge: Guide to Tweak of built-in Exploit protection in Windows Security
    Anti-Exploit settings for Adobe Touch PDF reader: Update - Hard_Configurator - Windows Hardening Configurator


    My plans for future:
    - replace Windows Hello pin with Nitrokey FIDO2 key
    - replace Ryzen 5-2600 with Ryzen 5-4000 series for more hardware security features
    - maybe adding Anti-Ransomware protection
    - maybe replace Personal Backup 6
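
A read-only PowerShell audit that checks whether several of the settings listed in the configuration above are actually in effect. This is an added example, not part of the original thread; mapping "Dynamic ASLR" to the system ASLR mitigation fields and "sandboxed Defender" to the MP_FORCE_USE_SANDBOX variable are assumptions.

```powershell
# Read-only audit; run from an elevated PowerShell prompt on Windows 10.
# Expected values encode the configuration listed above; where the thread does
# not name the underlying setting, the mapping is an assumption (marked below).
$results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Name, $Actual, $Expected) {
    $results.Add([pscustomobject]@{
        Setting = $Name; Actual = "$Actual"; Expected = "$Expected"
        Pass    = ("$Actual" -eq "$Expected")
    })
}

# DEP boot policy: 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn, 3 = OptOut
$os = Get-CimInstance -ClassName Win32_OperatingSystem
Add-Check 'DEP policy (1 = AlwaysOn)' $os.DataExecutionPrevention_SupportPolicy 1

# System-wide exploit protection. NOTSET means the Windows default applies.
# Assumption: "Dynamic ASLR" refers to these system ASLR mitigations.
$mit = Get-ProcessMitigation -System
Add-Check 'ASLR ForceRelocateImages' $mit.Aslr.ForceRelocateImages 'ON'
Add-Check 'ASLR BottomUp'            $mit.Aslr.BottomUp 'ON'
Add-Check 'ASLR HighEntropy'         $mit.Aslr.HighEntropy 'ON'

# Virtualization-based security: 0 = off, 1 = enabled but not running, 2 = running
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
Add-Check 'VBS status (2 = running)' $dg.VirtualizationBasedSecurityStatus 2

# UAC "Always notify" and the 15-minute machine inactivity limit
$pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Add-Check 'UAC ConsentPromptBehaviorAdmin (2 = Always notify)' $pol.ConsentPromptBehaviorAdmin 2
Add-Check 'Inactivity limit in seconds' $pol.InactivityTimeoutSecs 900

# Microsoft Defender real-time protection and sandbox
Add-Check 'Defender real-time protection' (Get-MpComputerStatus).RealTimeProtectionEnabled $true
# Assumption: the sandbox was enabled via the machine-level MP_FORCE_USE_SANDBOX variable
$sb = [Environment]::GetEnvironmentVariable('MP_FORCE_USE_SANDBOX', 'Machine')
Add-Check 'Defender sandbox variable' $sb 1

# BitLocker protection on every volume the cmdlet reports
foreach ($vol in Get-BitLockerVolume) {
    Add-Check "BitLocker $($vol.MountPoint)" $vol.ProtectionStatus 'On'
}

$results | Format-Table -AutoSize
```

Rows with Pass = False show where a Group Policy or Exploit protection change did not take effect, for example after a feature update reset it.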
     

    Spawn

    Administrator
    Verified
    Staff member
    For Backup, what are "Windows internal"?

    According to the Windows 10 support page, there are 3 different methods;
    • Cloud-based with Microsoft OneDrive
    • External or Network Drive with File History
    • Legacy (Backup and Restore (Windows 7))
    For Maintenance, what are the "internal" called, Storage Sense, Legacy Windows Disk Cleaner?

    maybe adding Anti-Ransomware protection
    You can try Controlled Folder Access for free, or buy a Microsoft 365 subscription - review benefits, annual payment is cheapest:
    There may be other Free and Paid Ransomware Tools available online.
     

    security123

    Level 19
    For Backup, what are "Windows internal"?

    According to the Windows 10 support page, there are 3 different methods;
    • Cloud-based with Microsoft OneDrive
    • External or Network Drive with File History
    • Legacy (Backup and Restore (Windows 7))
    I use File History to Network Drive

    For Maintenance, what are the "internal" called, Storage Sense, Legacy Windows Disk Cleaner?
    Yes. Also "sfc" and "dism" command.

    You can try Controlled Folder Access for free, or buy a Microsoft 365 subscription - review benefits, annual payment is cheapest:
    Yeah, I know it, but in the past it created a lot of false positives on my system. Even for Windows' own processes.
    With H_C from Andy, the chance of infection is very low. (I used SRP before, too.)
     

    security123

    Level 19
    On Mobile, it's all Pro-privacy.
    On Desktop, it's just Meh-privacy.

    Where do you draw the line between being Pro-privacy and then using proprietary Windows 10 software?
    Windows 10 takes a great step forward for privacy with e.g. app permission management like Android/iOS.
    Windows 10 has great security features which protect user privacy in the end. Also, you can configure Windows to not send personal (meta-)data.

    But yes, smartphones are the best choice for both security and privacy
     

    oldschool

    Level 52
    Verified
    Today I changed Edge settings to no longer remove Cookies & Site Data on browser exit.
    2 reasons:

    - I don't like the ~2 seconds longer exit time
    - I remove site data which I don't need manually anyway (after closing the site), so doing it automatically is redundant
    I've already done the same and I use Shift+Ctrl+Delete when I want the shotgun approach. (y)
     