Advanced Plus Security security123's Security Config 2020

  • Thread starter ForgottenSeer 85179
  • Start date
Last updated
Dec 22, 2020
How it's used?
For home and private use
Operating system
Windows 10
Log-in security
Security updates
Allow security updates and latest features
User Access Control
Always notify
Real-time security
Microsoft Defender
Firewall security
Microsoft Defender Firewall
About custom security
In gpedit:
enabled anti-malware early start,
block untrusted fonts,
block advertising id,
enabled virtualization-based security for Device Guard,
enabled Kernel-DMA-protection,
block Remote support + Remote shell access,
block app start with voice command,
enable safe start for integrity checks for Bitlocker,
block new DMA devices if PC is locked,
request additional authentication at startup for Bitlocker,
disable Desktop Gadgets,
block Flash & new tab content in Edge,
block cloud in Windows search,
block Cortana,
disable popup notifications on locked screen
change the inactivity limit to 15 minutes

other stuff:
run "dgreadiness_v3.7.2 -Enable"
install "Hard_Configurator 5.1.1.2" with all recommend settings + some own
Chromium-Edge flags & Anti-Exploit settings (see post)
Adobe Touch as PDF reader with Anti-Exploit settings (see post)
internal drives encrypted with Bitlocker
change Data Execution Prevention (DEP) to AlwaysOn / enforcing
In Defender - Exploit protection i enable/ enforce Dynamic ASLR
Anti-Ransomware protection enabled
Application Guard installed
NextDNS DoT DNS
sandboxed Defender
block msbuild.exe & CVTres.exe in Firewall
Periodic malware scanners
Microsoft Defender + Microsoft Defender (internal) offline scan + Desinfec't
Malware sample testing
I do not participate in malware testing
Browser(s) and extensions
Chromium-Edge with AdGuard extension
Maintenance tools
Windows internal tools
File and Photo backup
Windows internal backup (file version history) to NAS + Personal Backup 6
System recovery
Windows internal system restore points
Risk factors
    • Browsing to popular websites
    • Logging into my bank account
    • Gaming
    • Streaming audio/video content from shady sites
Computer specs
Notable changes
6th June: First post
13th June: See SECURE: Complete - security123's Security Config 2020
3th July: See SECURITY: Complete - security123's Security Config 2020
6th July: switch to NextDNS (DoT): SECURITY: Complete - security123's Security Config 2020
15th July: change a small Edge setting: SECURITY: Complete - security123's Security Config 2020
16th July: Increase KeePass security to maximum: SECURITY: Complete - security123's Security Config 2020
30th July: make Defender more secure, harden some Hard_Configurator settings: SECURITY: Complete - security123's Security Config 2020
31th July: enable "paranoid extensions" in Hard_Configurator: SECURITY: Complete - security123's Security Config 2020
8th August: disable HVCI do to problems with Defender network protection: SECURITY: Complete - security123's Security Config 2020
23th August: removed TinyWall: SECURITY: Complete - security123's Security Config 2020
8th October: remove last AdGuard filter list, thanks to native DoH support in Edge
20th October: update to Windows 20H2
26th October: add LOLBins Firewall rules from Andy's tool
31th October: revert blocking LOLBins
3rd December: remove Windows Sandbox
22th December: re-build Edge Anti-Exploit settings
F

ForgottenSeer 85179

Thread author
Yesterday i made another change which i test and i don't revert it now:

Before, i was using KeePass 2 with password & key file but key file was only on another internal hard drive then the database. Not very secure
Then (some weeks now), i move the key file to secure tresor from OneDrive which need your 2FA every time you unlock it. While that's pretty secure, it was real annoying.
So now i use that awesome solution:
- database protected with password & key file - which is only saved on (normal) OneDrive which don't need every time the 2FA token
- KeePass is upgraded with WinHelloUnlock plugin so KeePass can use (locally) Windows Hello and encrypt the database password securely in Windows Password Vault

So a attacker now need:
  • Have access to the Windows Password Vault
  • Have access to the Cryptographic Key Windows used
  • Be able to Cryptographically sign the Cryptographic Key with Windows Hello
  • Have access to my OneDrive which is of course maximum secured
And the best:
i only need to enter my Windows Hello credentials and that's it. KeePass unlocked.
Of course i need internet access, as the key file is still used and required for unlocking.
 
F

ForgottenSeer 85179

Thread author
Thanks to SearchLight i enable now running Windows Defender in its own Sandbox
See Windows Defender Antivirus can now run in a sandbox - Microsoft Security

Also in ConfigureDefender i enable "LSASS" protection and also "Shell Extension Security" in Hard_Configurator.

Beside that, i own now a Nitrokey FIDO2 key but sadly only few sites (Microsoft for example) support FIDO2. Sadly also Windows itself doesn't support FIDO2 locally and only over Intune which isn't a option for us privat user's.
Also i change/ correct my config overview a little bit.
 
Last edited by a moderator:

ErzCrz

Level 21
Verified
Top Poster
Well-known
Aug 19, 2019
1,005
Thanks to SearchLight i enable now running Windows Defender in its own Sandbox
See Windows Defender Antivirus can now run in a sandbox - Microsoft Security

Also in ConfigureDefender i enable "LSASS" protection and also "Shell Extension Security" in Hard_Configurator.

Beside that, i own now a Nitrokey FIDO2 key but sadly only few sites (Microsoft for example) support FIDO2. Sadly also Windows itself doesn't support FIDO2 locally and only over Intune which isn't a option for us privat user's.
Also i change/ correct my config overview a little bit.

I like the idea of WD running in sandbox. Is this capable in Win 10 Home version? I should look into enabling LSASS and Shell extension when I get a minute.
 

ErzCrz

Level 21
Verified
Top Poster
Well-known
Aug 19, 2019
1,005
I would say yes. Just try it and verify the AppContainer process in ProcessExplorer tool

I think I manged to get it working. Antimalware Service executable Content Process MsMpengcp.exe now showing after using the coding in admin powershell. Time to look at the other two options you've done in CD.

1596137788725.png
 
F

ForgottenSeer 85179

Thread author
Today i enable another Hard_Configurator config:
In "Designated File Types" i add the "Paranoid Extensions" but remove PS1, PS2, PSC1, PSC2, PS1XML, and PS2XML extensions as it's recommend in manual if <Block PowerShell Scripts> is set to ‘ON’.

Paranoid Extensions include extended number of potentially dangerous file extensions (over 250 entries), which were abused in the wild to exploit Windows or MS Office. It can be used to protect casual users.
 
F

ForgottenSeer 85179

Thread author
Because of problems with "Memory Integrity" (called HVCI) between Defender Network Protection i disable it for now which also disable Device Guard:

(Credential Guard is still enabled)
 
F

ForgottenSeer 85179

Thread author
Yesterday I removed TinyWall as I don't use any program which need blocked network access.

I also get some problems in past with e.g. Defender updates because of silently blocked.

So now I'm using default Windows firewall with Andy's recommend firewall rules. As my setup is more then strong enough I don't need fear anything.
 

ErzCrz

Level 21
Verified
Top Poster
Well-known
Aug 19, 2019
1,005
Yesterday I removed TinyWall as I don't use any program which need blocked network access.

I also get some problems in past with e.g. Defender updates because of silently blocked.

So now I'm using default Windows firewall with Andy's recommend firewall rules. As my setup is more then strong enough I don't need fear anything.

Great setup. I should see about implementing some of your tweaks ;)
 
F

ForgottenSeer 85179

Thread author
In Edge i set these two flags back to default:
enable-webrtc-hide-local-ips-with-mdns enable-lazy-image-loading

I don't get any improvements with restricting WebRTC.
Same for lazy image loading as i own a 250+ VDSL connection (but still use lazy frame loading)
 
F

ForgottenSeer 85179

Thread author
No change, but today i run different "Periodic scanners":

Hitman Pro:
HitmanPro.png

MalwareBytes Anti-Rootkit:
AR.png

MalwareBytes:
MB.png

EEK:
EEK.png

I also run NPE (Norton Power Eraser) and while the "suspicious" scan doesn't found anything the normal scan think that a restricted script execution (thanks to Andy!) is malicious. In my opinion a fatal false positive.
Also i try running Adwcleaner from MalwareBytes but for some reason it doesn't start.

I guess i can say that my system is clean :)
(both Autoruns & Process Explorer with enabled Virustotal scanning also reporting nothing bad)
 
F

ForgottenSeer 85179

Thread author
Have you considered using a Linux distro?
No as Linux doesn't provide me any advantage but many disadvantages.

Application guard seems to be a real resource hog(at least on my computer) have you notice this?,Good guestion is it really worth using???
It is definitely worth if you care about security and want a special isolated Edge. I use it sometimes for sites i doesn't trust, like watching ****
Sure that use some resources but nowadays PC are powerful enough. But yes, i notice it
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top