SECURITY: Complete SecurityNightmares's Security Config 2021

Last updated
Feb 26, 2021
About
My primary device
Additional PC users
Not shared with other users
Operating system
Windows 10
OS license
Pro
Login security
    • Passwordless (PIN, Biometric, Face)
    • Hardware security key
Primary sign-in
Microsoft account
Primary account rights
Administrator permissions
Other accounts rights
N/A - Single user account
Security updates
Automatic - allow all types of updates
Windows UAC
Maximum - always notify
Network firewall
Personal router w/ firewall & filtering
Real-time protection
Microsoft Defender with ConfigureDefender
SRP with Hard_Configurator
FirewallHardening
Software firewall
Microsoft Defender Firewall
Custom RTP, Firewall and OS settings
RTP settings:
  • ConfigureDefender on high mode +
    • Block credential stealing from the Windows local security authority subsystem (lsass.exe)
    • Block executable files from running unless they meet a prevalence, age, or trusted list criteria +
    • Block process creations originating from PSExec and WMI commands
    • Cloud Check Time Limit = 60s
  • FirewallHardening with recommend H_C +
  • Hard_Configurator on recommend mode
  • Microsoft Defender runs in a sandbox (AppContainer)
System settings:
  • Adobe Reader Touch, Bandizip, Edge & WordPad hardened with Anti-Exploit settings
  • Data Execution Prevention (DEP) configured to "AlwaysOn"
  • Everything is encrypted with BitLocker (via TPM)
  • Windows Explorer:
    • Hidden files and folders - Show hidden files: activated
    • Hide extensions for known file types: deactivated
    • Use Share Wizard: deactivated
  • Windows Security -> Device Security -> Core Isolation (HVCI) enabled
  • Windows Updates -> Settings -> Downloads from other PCs deactivated
  • Removed the following optional Windows features:
    • Internet Explorer 11
    • Internet Printing Service (under Print and Document Services)
    • Maths recognition
    • Microsoft Remote Help
    • OpenSSH Client
    • SMB Direct
    • Windows Fax and Scan
    • Windows Hello Face Recognition
    • Windows Media Player
    • Windows PowerShell Integrated Scripting Environment
    • Working folder client
Group Policy settings:
  • (BitLocker) Allow safe start for integrity check: activated
  • (BitLocker) Block new DMA devices if PC is locked: activated
  • (BitLocker) Encryption strength: 256-bit
  • (BitLocker) Request additional authentication at start-up: TPM + "TPM is required"
  • (Search) Allow cloud search: deactivated
  • (Search) Allow Cortana on lock screen: deactivated
  • (Search) Allow Cortana Page on Windows Welcome Page for AAD Account: deactivated
  • (Search) Allow Cortana: deactivated
  • (Search) Allow Search and Cortana to use location data: deactivated
  • (Search) Do not allow web search: activated
  • (Search) Do not search the web and do not show web results in the search: activated
  • (Start menu) Do not search the internet: activated
  • (Start menu) Remove the contact bar from the taskbar: activated
  • Advertising ID: deactivated
  • Anti-Malware Early Start: activated + "Good only"
  • Desktop Gadgets: deactivated
  • Disable pop-up notifications on locked screen: activated
  • Do not suggest third-party content in Windows Spotlight: activated
  • Enumeration policy for external devices that are not kernel DMA protection compatible: activated + "block all"
  • Flash & new tab content in Edge: deactivated
  • Kernel DMA protection: activated
  • Windows apps can be activated with a voice command while the system is locked: deactivated
Malware research
No - malware samples are not downloaded
Periodic scanners
Microsoft Defender + Microsoft Defender Offline scan + Desinfec't
DNS
NextDNS (configured on Router + Edge with different profiles until Windows can use DoH)
VPN
None
Password manager
KeePass 2 with WindowsHello plugin
Browsers, Search and Addons
Edge with AdGuard extension, Microsoft Editor extension + Application Guard + some flags

In the AdGuard browser extension, only the default "AdGuard base" and "TOP_EU_US_Ads_Trackers_ABP" filters are enabled.
PC maintenance
Autoruns
Process Explorer
Windows Disk Clean-up / Storage Sense
Personal Files & Photos backup
Personal Backup & Windows File Version History to external USB drives + NAS
Personal backup routine
Automatic (scheduled)
Device recovery & backup
Windows System Restore
Device backup routine
Automatic (scheduled)
PC activity
  1. Browsing the Web
  2. Checking emails
  3. Shopping
  4. Financial
  5. Video games
  6. Streaming content
Computer specs
Personal changelog
2nd January 2021: first post
16th January: added finger.exe to FirewallHardening
21st January: removed Bandizip for now, added info that Edge uses (its own) NextDNS + added link to Edge flags in setup and removed some
25th January: enabled last missing ConfigureDefender rule
26th February: changed Cloud Check Time Limit from 20s to 60s
Feedback Response

Most critical feedback
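FirewallHardening, listed above under real-time protection with finger.exe added in the changelog, works by giving system binaries that have no legitimate need for network access an outbound block rule in Microsoft Defender Firewall. The following is an added example, not the tool's or the thread author's code: it creates such a rule idempotently for the one binary the changelog names and reads it back to confirm the program binding. The display-name prefix and the function name are choices made here; the SysWOW64 path is the 32-bit copy present on 64-bit Windows. Run from an elevated PowerShell prompt.

```powershell
# Added example (not FirewallHardening's own code): create an outbound block rule for a
# program only if it does not exist yet, then read the rule back to confirm the binding.
function Add-OutboundBlockRule {
    param(
        [Parameter(Mandatory)] [string] $Program,
        [string] $Prefix = 'Hardening - block outbound'   # naming convention chosen here
    )
    if (-not (Test-Path -LiteralPath $Program)) {
        Write-Warning "$Program not found; no rule created"
        return
    }
    # Include the parent folder in the name so System32 and SysWOW64 copies get distinct rules.
    $leaf = Join-Path (Split-Path (Split-Path $Program -Parent) -Leaf) (Split-Path $Program -Leaf)
    $name = "$Prefix - $leaf"

    $rule = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
    if (-not $rule) {
        $rule = New-NetFirewallRule -DisplayName $name `
            -Description 'Outbound block for a system binary that does not need network access' `
            -Direction Outbound -Action Block -Program $Program -Profile Any -Enabled True
    }

    # Read back the application filter so the output shows what the firewall actually stored.
    $bound = ($rule | Get-NetFirewallApplicationFilter).Program
    [pscustomobject]@{
        Rule      = $name
        Program   = $bound
        Direction = $rule.Direction
        Action    = $rule.Action
        Enabled   = $rule.Enabled
    }
}

# finger.exe is the binary named in the changelog; 64-bit Windows also ships a 32-bit copy.
foreach ($p in "$env:SystemRoot\System32\finger.exe", "$env:SystemRoot\SysWOW64\finger.exe") {
    Add-OutboundBlockRule -Program $p
}
```

Re-running the script is safe: an existing rule with the same display name is reused rather than duplicated, which is the behaviour to expect from any tool that manages a set of block rules over time.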

SecurityNightmares

Level 33
Verified
Jan 9, 2020
2,280
New version of my previous one. My setup focuses on a minimal attack surface.

I also rely on the following rule from the Hard_Configurator manual (SETUP OVERKILL part):
Adding more advanced features is usually not necessary and often ends with overkill, incompatibilities, and disappointment.

Other changes which aren't listed as a category above are for BIOS/UEFI:
  • Admin + User access protected with PIN
  • AMD-V / IOMMU enabled
  • Boot options: Windows Boot Manager only
  • DEP/NX-Bit enabled
  • Secure boot enabled
  • TPM activated
  • UEFI-native boot enabled

Other system changes:
  • Via https://www.nirsoft.net/utils/shell_menu_new.html: deactivated all Explorer "New" entries except Folder, Shortcut, RTF + Txt
  • Removed "Modern Sharing" under "HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\" to get rid of the "Sharing" Explorer menu.
  • Added an empty REG_SZ "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}" under "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Blocked" to get rid of the "push to OneDrive" Explorer menu
  • Explorer folder options:
    • Open File Explorer for: This PC
    • Show notifications from the synchronisation provider: deactivated
    • under data protection: all ticks removed + delete button pressed
 

silversurfer

Level 69
Verified
Trusted
Content Creator
Malware Hunter
Aug 17, 2014
5,831
Great setup. A lot of time and research well spent 👍
Almost nobody uses Microsoft Defender in a sandbox. I wonder why we do not hear anything about this feature anymore and why it is still not implemented as default.
I have enabled this sandbox feature for MD/WD for the last 3 months; it seems to be really stable, no issues so far (y)

Just check in "Process Explorer": the child process (MsMpEngCP.exe) should be visible and running as "AppContainer" (screenshot below)


Source: Windows Defender Antivirus can now run in a sandbox - Microsoft Security
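The controls in the RTP and system settings lists above (the three ASR rules, DEP "AlwaysOn", HVCI, BitLocker, Secure Boot) and the MsMpEngCP.exe check silversurfer describes can all be verified from one console instead of clicking through several GUIs. The script below is an added example, not code from the thread or from ConfigureDefender, Hard_Configurator or Microsoft. It is read-only and assumes: the three ASR GUIDs are Microsoft's published identifiers for the rules named on the page; the sandbox switch is the machine-wide MP_FORCE_USE_SANDBOX variable from the Microsoft post linked above; "256-bit" in the GPO list means XTS-AES 256 (the policy also offers AES-CBC 256). Function names are my own. Run from an elevated Windows PowerShell 5.1 prompt.

```powershell
# Added example: read-only audit of controls listed in the config above. Nothing is modified.
# The ASR GUIDs are Microsoft's published ids for the three rules the page names.
$AsrRules = [ordered]@{
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Block executables unless prevalence/age/trusted-list criteria met'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations from PsExec and WMI'
}

function Get-AsrRuleStatus {
    # Ids and actions are parallel arrays on MpPreference; action 1 = Block, 2 = Audit, 0 = Off.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    foreach ($id in $AsrRules.Keys) {
        $idx = -1
        for ($i = 0; $i -lt $ids.Count; $i++) { if ($ids[$i] -ieq $id) { $idx = $i } }
        $action = if ($idx -ge 0) { $actions[$idx] } else { 'not configured' }
        [pscustomobject]@{ Control = "ASR: $($AsrRules[$id])"; Value = $action; Ok = ($action -eq 1) }
    }
}

function Test-DefenderSandbox {
    # Sandboxing is switched on with the machine-wide variable MP_FORCE_USE_SANDBOX=1 (setx /M).
    # When active, the content process MsMpEngCP.exe runs beside MsMpEng.exe in an AppContainer.
    $flag = [Environment]::GetEnvironmentVariable('MP_FORCE_USE_SANDBOX', 'Machine')
    $cp   = Get-Process -Name MsMpEngCP -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Control = 'Defender sandbox (MsMpEngCP.exe)'
        Value   = "MP_FORCE_USE_SANDBOX=$flag; MsMpEngCP running=$([bool]$cp)"
        Ok      = ($flag -eq '1' -and [bool]$cp)
    }
}

function Test-DepAlwaysOn {
    # DataExecutionPrevention_SupportPolicy: 0 AlwaysOff, 1 AlwaysOn, 2 OptIn (default), 3 OptOut
    $policy = (Get-CimInstance -ClassName Win32_OperatingSystem).DataExecutionPrevention_SupportPolicy
    [pscustomobject]@{ Control = 'DEP policy (1 = AlwaysOn)'; Value = $policy; Ok = ($policy -eq 1) }
}

function Test-Hvci {
    # Win32_DeviceGuard.SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity)
    $dg      = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    $running = @($dg.SecurityServicesRunning)
    [pscustomobject]@{ Control = 'HVCI running'; Value = ($running -join ','); Ok = ($running -contains 2) }
}

function Test-BitLockerOsDrive {
    # Assumption: the "256-bit" GPO choice means XTS-AES 256 (AES-CBC 256 is the other option).
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    [pscustomobject]@{
        Control = "BitLocker $env:SystemDrive"
        Value   = "$($vol.ProtectionStatus) / $($vol.EncryptionMethod) / $($vol.VolumeStatus)"
        Ok      = ($vol.ProtectionStatus -eq 'On' -and $vol.EncryptionMethod -eq 'XtsAes256')
    }
}

function Test-SecureBoot {
    try   { $sb = Confirm-SecureBootUEFI }
    catch { $sb = "unavailable: $($_.Exception.Message)" }   # legacy BIOS boot or not elevated
    [pscustomobject]@{ Control = 'Secure Boot'; Value = $sb; Ok = ($sb -eq $true) }
}

function Invoke-SecurityConfigAudit {
    $results  = @()
    $results += Get-AsrRuleStatus
    $results += Test-DefenderSandbox
    $results += Test-DepAlwaysOn
    $results += Test-Hvci
    $results += Test-BitLockerOsDrive
    $results += Test-SecureBoot
    $results | Format-Table Control, Value, Ok -AutoSize
}

Invoke-SecurityConfigAudit
```

An "Ok = False" row points at the one setting that drifted; for the ASR rows, the Value column also distinguishes a rule set to Audit (2) from one that was never configured, which the Windows Security GUI does not show.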
 

Gandalf_The_Grey

Level 43
Verified
Trusted
Content Creator
Apr 24, 2016
3,237
If you don't get or use archive formats other than zip, Windows' internal one will do.
The only real thing I miss is that it's not possible to create password-protected archives.
An alternative for Bandizip is Explzh (also keeps the MOTW).
 

SecurityNightmares

Level 33
Verified
Jan 9, 2020
2,280
Changelog:
21st January: removed Bandizip for now, added info that Edge uses (its own) NextDNS + added link to Edge flags in setup and removed some

I removed the following flags:
disallow-doc-written-script-loads (broke some sites in the past and isn't worth the hassle)
treat-unsafe-downloads-as-active-content (malware uses HTTPS nowadays too, and files are scanned by SmartScreen & Defender anyway)
cookies-without-same-site-must-be-secure (broke some sites in the past and isn't worth the hassle)

and added:
block-insecure-private-network-requests

So, my current flags are:
Code:
block-insecure-private-network-requests (enabled)
edge-experimental-tracking-prevention-features (enabled)
enable-heavy-ad-intervention (enabled)
enable-parallel-downloading (enabled)
force-empty-CORB-and-CORS-allowlist (enabled)
strict-origin-isolation (enabled)
 
