SECURITY: Complete security123's Security Config 2020

Last updated
Dec 22, 2020
About
My primary device
Operating system
Windows 10
Login security
    • Hardware security key
Primary sign-in
Microsoft account
Primary account rights
Administrator permissions
Security updates
Automatic - allow all types of updates
Windows UAC
Maximum - always notify
Real-time protection
Microsoft Defender
Software firewall
Microsoft Defender Firewall
Custom RTP, Firewall and OS settings
In gpedit:
enabled anti-malware early start,
block untrusted fonts,
block advertising id,
enabled virtualization-based security for Device Guard,
enabled Kernel-DMA-protection,
block Remote support + Remote shell access,
block app start with voice command,
enable safe start for integrity checks for Bitlocker,
block new DMA devices if PC is locked,
request additional authentication at startup for Bitlocker,
disable Desktop Gadgets,
block Flash & new tab content in Edge,
block cloud in Windows search,
block Cortana,
disable popup notifications on locked screen
change the inactivity limit to 15 minutes

other stuff:
run "dgreadiness_v3.7.2 -Enable"
install "Hard_Configurator 5.1.1.2" with all recommended settings + some own
Chromium-Edge flags & Anti-Exploit settings (see post)
Adobe Touch as PDF reader with Anti-Exploit settings (see post)
internal drives encrypted with Bitlocker
change Data Execution Prevention (DEP) to AlwaysOn / enforcing
In Defender - Exploit protection I enable/enforce Dynamic ASLR
Anti-Ransomware protection enabled
Application Guard installed
NextDNS DoT DNS
sandboxed Defender
block msbuild.exe & CVTres.exe in Firewall
Malware research
No - malware samples are not downloaded
Periodic scanners
Microsoft Defender + Microsoft Defender (internal) offline scan + Desinfec't
Browsers, Search and Addons
Chromium-Edge with AdGuard extension
PC maintenance
Windows internal tools
Personal Files & Photos backup
Windows internal backup (file version history) to NAS + Personal Backup 6
Personal backup routine
Manual (maintained by self)
Device recovery & backup
Windows internal system restore points
Device backup routine
Manual (maintained by self)
PC activity
  1. Browsing the Web
  2. Financial
  3. Video games
  4. Streaming content
Computer specs
Personal changelog
6th June: First post
13th June: See SECURE: Complete - security123's Security Config 2020
3rd July: See SECURITY: Complete - security123's Security Config 2020
6th July: switch to NextDNS (DoT): SECURITY: Complete - security123's Security Config 2020
15th July: change a small Edge setting: SECURITY: Complete - security123's Security Config 2020
16th July: Increase KeePass security to maximum: SECURITY: Complete - security123's Security Config 2020
30th July: make Defender more secure, harden some Hard_Configurator settings: SECURITY: Complete - security123's Security Config 2020
31st July: enable "paranoid extensions" in Hard_Configurator: SECURITY: Complete - security123's Security Config 2020
8th August: disable HVCI due to problems with Defender network protection: SECURITY: Complete - security123's Security Config 2020
23rd August: removed TinyWall: SECURITY: Complete - security123's Security Config 2020
8th October: remove last AdGuard filter list, thanks to native DoH support in Edge
20th October: update to Windows 20H2
26th October: add LOLBins Firewall rules from Andy's tool
31st October: revert blocking LOLBins
3rd December: remove Windows Sandbox
22nd December: re-build Edge Anti-Exploit settings

SecurityNightmares

Thanks to the new Edge 86, which adds DoH (even in the GUI!), I removed the Anti-Facebook list from the AdGuard extension, as my NextDNS config blocks it completely now :)
So now I only have the "AdGuard Basis-Filter" list enabled in AdGuard, to get rid of annoying YouTube ads for example.
If I didn't care about that, AdGuard would only be useful for removing URL tracking parameters, which is still in use.
 

ErzCrz

Good to know about DoH. Edge should really take you to a What's new page after it updates. Still not moved to AdGuard myself, got a mental block about it I guess lol.
 

Andy Ful

@Andy Ful also use it this way.
Yes. Blocking Internet access to LOLBins usually does not produce issues (although some Windows telemetry performed via rundll32.exe and compattelrunner.exe can be blocked). Anyway, some applications can use (very rarely) LOLBins to call out/update, so it is reasonable from time to time to look at the Log for other blocked entries. (y)
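
The firewall block and the log review mentioned in this thread, as an added example that is not from any poster or from Andy Ful's tool. It assumes the default .NET Framework 4.x install paths and an English-language `auditpol` subcategory name; the rule display names are made up here.

```powershell
# Added example. Run in an elevated PowerShell session.
# Assumption: default .NET Framework 4.x directories (32-bit and 64-bit).
$frameworkDirs = @(
    "$env:WINDIR\Microsoft.NET\Framework\v4.0.30319",
    "$env:WINDIR\Microsoft.NET\Framework64\v4.0.30319"
)
$binaries = 'MSBuild.exe', 'cvtres.exe'

foreach ($dir in $frameworkDirs) {
    foreach ($bin in $binaries) {
        $path = Join-Path $dir $bin
        if (-not (Test-Path $path)) { continue }   # skip paths that do not exist
        # Hypothetical naming scheme, e.g. "Block outbound - MSBuild.exe (Framework64)"
        $flavour = Split-Path (Split-Path $dir -Parent) -Leaf
        $name = "Block outbound - $bin ($flavour)"
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Outbound `
                -Program $path -Action Block -Profile Any | Out-Null
        }
    }
}

# Record blocked connections as Security event 5157 so they can be reviewed.
# The subcategory name is localized; this is the English one.
auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable | Out-Null

# Periodic review: which programs were blocked, and towards which destination,
# during the last 7 days. Unexpected entries show what else the rules affect.
Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 5157
        StartTime = (Get-Date).AddDays(-7)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Application = $data['Application']
            Destination = "$($data['DestAddress']):$($data['DestPort'])"
        }
    } |
    Group-Object Application, Destination |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Event 5157 reports the program as a device path (`\device\harddiskvolumeN\...`), so match on the file name when comparing against the rules.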
 
Andy Ful

What info did you need?
I am not sure. There can be several possible scenarios.
  1. There was an accidental time correlation between blocking lsass.exe by the firewall and Microsoft Store issue (less probable because you would recognize it). Did such a problem happen before?
  2. There is some application that is triggered when you try using Microsoft Store, and this application uses lsass.exe for something. If lsass.exe cannot make the outbound connection, then access to Microsoft Store is blocked.
  3. One of us uses a special system configuration. It would be helpful to see what setting can be the source of the different behavior of Microsoft Store on our computers.
You can send a PM so as not to bloat this thread. Thank you. :)(y)
 

silversurfer

Here it looks like "msbuild.exe" is already included in Firewall-Hardening by @Andy Ful, but probably you haven't added all "LOLBins"?
