Advanced Plus Security security123's Security Config 2020

  • Thread starter ForgottenSeer 85179
  • Start date
Last updated
Dec 22, 2020
How it's used?
For home and private use
Operating system
Windows 10
Log-in security
Security updates
Allow security updates and latest features
User Access Control
Always notify
Real-time security
Microsoft Defender
Firewall security
Microsoft Defender Firewall
About custom security
In gpedit:
enabled anti-malware early start,
block untrusted fonts,
block advertising id,
enabled virtualization-based security for Device Guard,
enabled Kernel-DMA-protection,
block Remote support + Remote shell access,
block app start with voice command,
enable safe start for integrity checks for Bitlocker,
block new DMA devices if PC is locked,
request additional authentication at startup for Bitlocker,
disable Desktop Gadgets,
block Flash & new tab content in Edge,
block cloud in Windows search,
block Cortana,
disable popup notifications on locked screen
change the inactivity limit to 15 minutes

other stuff:
run "dgreadiness_v3.7.2 -Enable"
install "Hard_Configurator 5.1.1.2" with all recommend settings + some own
Chromium-Edge flags & Anti-Exploit settings (see post)
Adobe Touch as PDF reader with Anti-Exploit settings (see post)
internal drives encrypted with Bitlocker
change Data Execution Prevention (DEP) to AlwaysOn / enforcing
In Defender - Exploit protection i enable/ enforce Dynamic ASLR
Anti-Ransomware protection enabled
Application Guard installed
NextDNS DoT DNS
sandboxed Defender
block msbuild.exe & CVTres.exe in Firewall
Periodic malware scanners
Microsoft Defender + Microsoft Defender (internal) offline scan + Desinfec't
Malware sample testing
I do not participate in malware testing
Browser(s) and extensions
Chromium-Edge with AdGuard extension
Maintenance tools
Windows internal tools
File and Photo backup
Windows internal backup (file version history) to NAS + Personal Backup 6
System recovery
Windows internal system restore points
Risk factors
    • Browsing to popular websites
    • Logging into my bank account
    • Gaming
    • Streaming audio/video content from shady sites
Computer specs
see System Specs - security123's PC | MalwareTips Community
Notable changes
6th June: First post
13th June: See SECURE: Complete - security123's Security Config 2020
3th July: See SECURITY: Complete - security123's Security Config 2020
6th July: switch to NextDNS (DoT): SECURITY: Complete - security123's Security Config 2020
15th July: change a small Edge setting: SECURITY: Complete - security123's Security Config 2020
16th July: Increase KeePass security to maximum: SECURITY: Complete - security123's Security Config 2020
30th July: make Defender more secure, harden some Hard_Configurator settings: SECURITY: Complete - security123's Security Config 2020
31th July: enable "paranoid extensions" in Hard_Configurator: SECURITY: Complete - security123's Security Config 2020
8th August: disable HVCI do to problems with Defender network protection: SECURITY: Complete - security123's Security Config 2020
23th August: removed TinyWall: SECURITY: Complete - security123's Security Config 2020
8th October: remove last AdGuard filter list, thanks to native DoH support in Edge
20th October: update to Windows 20H2
26th October: add LOLBins Firewall rules from Andy's tool
31th October: revert blocking LOLBins
3rd December: remove Windows Sandbox
22th December: re-build Edge Anti-Exploit settings
F

ForgottenSeer 85179

Thread author
silversurfer said:
Here looks like that "msbuild.exe" is already included in Firewall-Hardening by @Andy Ful , but probably you haven't added all "LOLBins" ?

View attachment 250750
Click to expand...
You're right. But because of problems with that configuration i don't block LOLbins: SECURITY: Complete - security123's Security Config 2020 | MalwareTips Community
So that's the reason why i manually add msbuild ;)


Marana said:
@security123 - just out of curiosity, I wonder if you have a special reason for still blocking untrusted fonts?

(I guess that you must have noticed that MS has dropped untrusted fonts blocking out of its Security Baseline already a few years ago, so I think that you have some special reason...)
Click to expand...
Thanks for reminding! Will revert it

FireHammer said:
Just a little pip from me, I like you having AdGuard installed, I think it is an important part of having a "safe" PC or Ublock-Origin.
Click to expand...
I don't use nor need AdGuard extension for security and that's the reason why my AdGuard doesn't block any malware.
In my setup it's only for annoying YouTube ads (using only default AdGuard Anti-Ad list) and Kees' list which is as ABP list more effective then HOSTS like for NextDNS.
 
  • Like
  • Thanks
Reactions: Nevi, silversurfer, FireHammer and 5 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,514
security123 said:
added msbuild.exe & CVTres.exe to Andy's Firewall tool, thanks to McMcbrad:
Malware analysis - Fileless Tesla Abuses .Net Framework Processes | MalwareTips Community
Click to expand...
The already running malware can inject code to any system executable - it can be cvtres.exe or many others, so adding it to FirewallHardening can prevent one malware but not others. Furthermore, It is not necessary because these LOLBins are run via PowerShell scripts (or by command-lines) that are already blocked by H_C (or SWH). Of course, if it does not cause problems then adding it will not hurt, too.
The attack via Windows Sandbox can be easily prevented by adding WSB extension to protected file extensions in SRP. (y)
 
Last edited:
  • Like
  • Thanks
  • Applause
Reactions: Protomartyr, Nevi, ForgottenSeer 85179 and 5 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,514
Marana said:
@security123 - just out of curiosity, I wonder if you have a special reason for still blocking untrusted fonts?

(I guess that you must have noticed that MS has dropped untrusted fonts blocking out of its Security Baseline already a few years ago, so I think that you have some special reason...)
Click to expand...
(y) (y)
There is no need to block Untrusted Fonts in Windows 10. The font rendering is made in AppContainer. For now, this protection was not bypassed.
Dropping the "Untrusted Font Blocking" setting - Microsoft Tech Community
 
Last edited:
  • Like
  • +Reputation
  • Thanks
Reactions: Protomartyr, Jan Willy, ForgottenSeer 85179 and 5 others
F

ForgottenSeer 89360

Thread author
Andy Ful said:
The already running malware can inject code to any system executable - it can be cvtres.exe or many others, so adding it to FirewallHardening can prevent one malware but not others. Furthermore, It is not necessary because these LOLBins are run via PowerShell scripts (or by command-lines) that are already blocked by H_C (or SWH). Of course, if it does not cause problems then adding it will not hurt, too.
The attack via Windows Sandbox can be easily prevented by adding WSB extension to protected file extensions in SRP. (y)
Click to expand...
Better they stay blocked (if system is not hardened), as attackers are copycats. They now saw msbuild.exe and cvtres.exe and I discovered already plenty of maldocs exploiting that. Apparently they've found a new vulnerability. Eventually they will move on or it will be patched, but for now this is the wave and any measures to reduce the risk won't hurt. I don't think that a process converting C++ res files to objects needs to access the network anyway. Unless it has implemented a cloud malware scanner :D

blog.talosintelligence.com

Building a bypass with MSBuild

By Vanja Svajcer. NEWS SUMMARY * Living-off-the-land binaries (LoLBins) continue to pose a risk to security defenders. * We analyze the usage of the Microsoft Build Engine by attackers and red team personnel. * These threats demonstrate techniques T1127 (Trusted Developer Utilities) and...
blog.talosintelligence.com blog.talosintelligence.com
 
Last edited by a moderator:
  • Like
Reactions: harlan4096, Protomartyr, Andy Ful and 4 others
You must log in or register to reply here.

Similar threads

RRlight
    • Like
Advanced Security RRlight gaming laptop config 2024
Replies
4
Views
218
PC Setup Configuration Help & Showcase
RRlight
RRlight
Brownie2019
    • +Reputation
On Sale! G Data Internet Security 3 User / 1 Yr / 11,90 €
Replies
0
Views
371
Discounts and Deals
Brownie2019
Brownie2019
Brownie2019
    • Like
On Sale! Bitdefender Total Security 2023 | 5 devices | 1 Year EUR29.23
Replies
1
Views
621
Discounts and Deals
SumTingWong
SumTingWong

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top