Basic Security TairikuOkami's Configuration 2020

[TairikuOkami]

Anti-malware tests regularly confirm, that ~99% of infections come via an email (65%) or via a browser (35%).
My browser uses Quad9 (DoH) and Netcfraft blocking malicious links and I open emails in a plain txt only.

Windows Firewall is set to block all traffic except allowed apps, so it is default deny without notifications.
Disabled IPv6, Telemetry, WSH, some vulnerable services, all Windows features, except NET Framework.

I turn off PC with Wise Cleaners + tweaks, to remove startup entries/policies and to restore my settings.
Anti-ransomware - backup partition - denied access to SYSTEM, Users permissions set to read only.

I use PatchMyPC/DriverEasy to keep software/drivers updated + Softpedia's Notifier for the rest.
Windows Repair Toolbox (+Malware Removal) + custom tools, take care of basic necessitates.

Browser with cache, Desktop, Downloads and Temp folders are stored in the RAMDisk, where malware tends to hide.
In case of an emergency (ransomware) I can hit Reset and Windows will boot with all those reset to the previous state.

Spoiler: browser://flags

Disabled #disable-oow-video
Disabled #heavy-ad-privacy-mitigations
Enabled #disable-yandex-extensions
Enabled #dns-httpssvc
Enabled #dns-over-https
Enabled #enable-heavy-ad-intervention
Enabled #enable-quic

EDIT: Since MS is moving Windows towards a scripted nightmare, I had no choice, but to ease down my tweaks, enable store, etc.
EDIT 2: I had to enable DNS Cache in order to use DoH, so I limited svchost.exe (+Windows apps) to connect only to MS servers IPs.

 

[oldschool]

A configuration that only @TairikuOkami can do!

 

[shmu26]

Anti-malware tests regularly confirms, that ~99% of infections come via an email (65%) or via a browser (35%).
I open emails in txt and the browser is well protected. I can not use AV/smartscreen, since they block my files.

Windows Firewall is set to block inbound/outbound, no Windows processes are allowed, only a few apps.
Removed Powershell. Disabled IPv6, WMI, WSH, almost all services, all Windows features, except NET.

I turn off PC with Wise Cleaners + tweaks, to remove startup entries/IFEO and to restore my settings.
Anti-ransomware - backup partition - denied access to SYSTEM, Users permissions set to read only.

I use PatchMyPC/DriverEasy to keep software/drivers updated + Softpedia's Notifier for the rest.
Windows Repair Toolbox (+Malware Removal) + custom tools, take care of basic necessitates.

Windows has 43 processes running and uses ~1,4 GB at startup (+6GB committed, +4GB used by RAMDisk)
There is zero disk and network activity, but I would still love to disable network store interface and base filtering.

A work of art

 

[ForgottenSeer 823865]

One of the few config setup that keep me interested to read.

 

[Vitali Ortzi]

can you reuploud your windows 10 tweaks to pastebin ?

 

[TairikuOkami]

I have switched to Microsoft Account. It will be eventually mandatory anyway, so better to get used to it and accustom my tweaks to be able to handle it.
Like Wininet\CacheTask is needed in order to change the account to MSA and I had to install bitwarden desktop to be able to copy/paste my password.
I like the idea of having 100+ password and using PIN for the login and UAC. 10 takes it well, 50 processes, 1,4GB RAM and no CPU/HDD/NET activity.

 

[Thales]

Awesome. Really a true Art!

 

[TairikuOkami]

OK, I have finally found a working system backup software due to bad Windows Updates. Creating a full system backup takes 1 min and a full restore takes 5 mins, that is acceptable. I was afraid, that it will break symlinks and such, but everything is working perfectly. Now just to reinstall for the last time.

 

[LDogg]

Good setup, thanks for sharing.

~LDogg

 

[TairikuOkami]

One more little update. Because of recent issues with Windows, I have decided to let go of my prejudice against Microsoft and I gave it a chance.
I have disabled only bare annoyances like telemetry. notifications and vulnerable processes, but MS store and Windows updates are up and running.

Since Windows Defender can not be disabled without causing a meltdown, I have replaced it with Panda. I have disabled its GUI, so it works silently.
Windows with 80 processes takes 1,8GB RAM and uses 16GB of disk space. Panda takes approximately 100MB. I already love this setup overall.

 

[TairikuOkami]

Being less paranoid, I changed DDG back to Google, it gives way better results and it tracks me over social accounts anyway (via targeted ADs).
Not to mention, that I intend to get Android phone to pair it with my Fitbit Charge, so not really a choice anyway. Currently paired with an ancient Lumia.
I have also removed Keepass in favor of Bitwarden, moved passwords there except core ones used for 2FA, they are stored in a password protected xlsx.

 

[SeriousHoax]

Footnote - I would never recommend/trust: ESET, Avast/AVG, Avira, Malwarebytes.

Why so much hate for your own country's AV, ESET?

 

[TairikuOkami]

Why so much hate for your own country's AV, ESET?

Lets just say, that I do not want to talk about politics, illegal activities and such.

 

[SeriousHoax]

Lets just say, that I do not want to talk about politics, illegal activities and such.

Oww. This seems personal. Ok then, no problem.

 

[sepik]

Hello @TairikuOkami,
Do you still use RamDisk? What is/was your RamDisk "strategy" ?

Kind regards,
-sepik

 

[TairikuOkami]

What is/was your RamDisk "strategy" ?

4GB used for Browser, Discord cache, Temp, Documents (game saves) and Desktop (used for downloads), all in order to save SSD writes as well. I usually have 2-3GB free space left, that is more or less enough. In case I need to download bigger files, I just temporarily move downloads. Of course, every time I restart, 4GB gets saved, so not saving SSD as much, but in case of emergency I can hit hard reset and nothing gets saved, it would act as reboot restore.

 

[sepik]

Hello,
I assume you also have %tmp% and %temp% variables set to redirected to your ramdrive too?
Isn't quite risky to have game saves inside the ramdisk? Even it is persistent drive?
Any probs with Windows Updates?
I've tested Softperfect Ramdisk and Primo Ramdisk.

Kind regards,
-sepik

 

[TairikuOkami]

Any probs with Windows Updates?

None. As far as I can tell, windows update unpacks onto the drive not into temp, but CU has ~800MB, so even after unpacking, that should suffice.
I had a problem installing AMD drivers though, I downloaded 1,2GB onto the desktop and it failed to install, since unpacking took another ~2GB.

Isn't quite risky to have game saves inside the ramdisk? Even it is persistent drive?

A little, but that is what backups are for. AMD asks to trust its driver, I previously set it to no and it failed saving the image once, ever since I select yes.

I assume you also have %tmp% and %temp% variables set to redirected to your ramdrive too?

Yes, I have moved them manually, just to be sure.

reg add "HKCU\Environment" /v "TEMP" /t REG_EXPAND_SZ /d "Z:\TEMP" /f
reg add "HKCU\Environment" /v "TMP" /t REG_SZ /d "Z:\TEMP" /f

 

[sepik]

Hello,
Thanks for the tips, appreciated.
But i don't want to make the "registry" tweak route, although it might work to set temp variables. SoftPerfect free "temp variable tool" do the the same.
Anyway, thanks for the tips.

Kind regards,
-sepik

 

[brambedkar59]

Nice and clean config, thanks for sharing