Advanced Plus Security Victor M - Aging PC Security Config

Last updated
Dec 30, 2023
How it's used?
For home and private use
Operating system
Windows 11
On-device encryption
N/A
Log-in security
    • Biometrics (Windows Hello PIN, TouchID, Face, Iris, Fingerprint)
Security updates
Allow security updates
Update channels
Allow stable updates only
User Access Control
Always notify
Smart App Control
N/A - Linux / Mac / Other operating system
Network firewall
Enabled
About WiFi router
Ubiquiti EdgeRouter X firewall with application layer Deep Packet Inspection
Real-time security
Xcitium OpenEDR (Comodo) with Auto-Containment, Malwarebyte Anti-Exploit
Firewall security
Other - Internet Security (3rd-party)
About custom security
WDAC (Windows Defender Application Control) blocks most LoL.bins. Based off MS signed base policy.
CIS custom rules for my red team (APT)
hardenwindows11forsecurity.com hardening - disables unneeded services and network protocols and old security protocols
Least privilege config for Standard User which I use every day
- banned Terminal/Powershell (non-admin acc doesn't need powershell)
- banned mmc.exe (blocks all group policy, local policy modifications)
- banned regedit, reg, regedt32 (did you know a standard acc has unlimited access to this tool ?)
Manual MS Update Catalog downloads of new updates on Patch Tuesdays ( alarm on my cell )
PIN sign on ONLY ( removed password authentication provider ). non-local logon cannot access PIN sign on.
Disabled WiFi Direct Adapter (allows peer to peer mode DIRECT access w/o router, bypasses firewall)
MS Security Baseline 23H2
NIST Windows 11 STIG
Periodic malware scanners
KVRT
Malware sample testing
I do not participate in malware testing
Environment for malware testing
N/A
Browser(s) and extensions
Edge with uBlock Origin
Secure DNS
Quad9
Desktop VPN
NordVPN
Password manager
paper note book
File and Photo backup
Manual copy to USB stick
System recovery
Macrium Reflect drive image, as many versions as external hdd can hold
Risk factors
    • Browsing to popular websites
    • Downloading software and files from reputable sites
Computer specs
Core i5 circa 2013, 8GB ram, 256GB ssd
What I'm looking for?

Looking for medium feedback.

Victor M

Level 8
Thread author
Verified
Well-known
Oct 3, 2022
363
Hello Everyone,

Tbis is my Xmas rework of my aging PC.

Main components:
- hardenwindows11forsecurity.com hardening - disables unneeded services and network protocols and old security protocols
- Comodo Internet Security beta 2024 with Auto Containment (which I hope is as effective as Xcitium version)
- WDAC block rules for LoL.bins and blocks any foreign unsigned exe's ( 2nd layer to CIS )
- ReviOS os minimization. Minimization is a security approach - strips away unneeded technologies.

Standard account is further hardened removing Powershell, regedit and mmc access. (Least Privilege Principle) I don't care if there are built in security to these apps. They aren't, in MS terms, a security barrier. And the hardenwindows11 site further disables the Secondary Logon service and makes UAC default deny for standard accounts. So any attacker that lands onto the machine will land into this account, because I use it all the time, and should be contained inside. Granted my red team uses network + memory attacks mostly, but precautions precautions precautions.

Maybe I'll get another license for CyberLock for this machine. ( just as another layer )

ReviOS really sped up this old 3rd gen i5. No malfunction of Windows that I have discovered so far. The only thing I don't like is that it took away Virtualization-based Security. My cpu does support it. And the documentation says there is a Revision Tool that can re-enable things but I can't find a compiled exe, only source code. Maybe there was a checkbox that I could have unchecked. I will have another go at this.

EDIT. I reset Windows and had another go at configuring ReviOS. Nope, didn't miss any checkboxes. I miss that comfy feeling that "hardware virtualization" gives me.
 
Last edited:

Victor M

Level 8
Thread author
Verified
Well-known
Oct 3, 2022
363
Re-installed machine a couple of days ago keeping the configuration except:

Changed Comodo Internet Security 2024 Beta back to Xcitium OpenEDR (Comodo). Because I prefer to get Alerts from the web console. and I can view them from another machine. And OpenEDR gives me the Investigations capability, allowing me to search the logs, and see the process tree. Seeing the process tree allows me to determine if the exe was launched normally, interactively by me or via some exploited service. Eg. SvcHost should not be the parent of Powershell.

ReviOS is gone. It did give noticeable performance boost to my aging 3rd gen Core i5, but I missed MS Defender core isolation. ReviOS took away MS Defender entirely. And the machine is capable of running regular Win 11 just fine. Startup is now slower, but so what - Protection trumps convenience.

Upgraded Malwarebytes Anti-Exploit to the latest version. It was unable to keep the old configuration files which I had backed up, so had to re-do adding new shields. Added more shields for the Windows exe's allowed by Comodo's 'System' firewall rule. Can't seem to get rid of that 'Systems' rule - it keeps adding it back in again. So according to PCI DSS, I had to protect vulnerable protocols, and MBAE is my answer to that requirement. That 'Systems' firewall rule allows a whole bunch of Windows exe's - crsss, logonui, smss, services, spoolsv ... . It certainly adds to the attack surface. I will complain to Xcitium - those exe's definitely Do Not Need to talk thru the firewall.
 
Last edited:

Victor M

Level 8
Thread author
Verified
Well-known
Oct 3, 2022
363
Since ReviOS is an app that does it's work on top of Windows, instead of an Windows ISO modification tool, I decided to implement it's work manually by Googling each item that is listed in it's change log. The result was good. It resulted in some improvement in loading speed. But there were some items in their change log that I could not replicate because I couldn't find how to do them via Google.

Another reason why I decided to do it manually rather than using the ReviOS App is because it requires one to be online while it runs and it also requires one to disable Windows Defender and uninstall Comodo CIS. That combination, I cannot allow. Because I am preparing my Offline Golden Image. I cannot allow any possibility of an attacker inserting his wares at the configuration stage. Because this is the drive image that I will revert to when all mitigations fail. This is not being obsessive, because administrative defenses must be followed, just as technical defenses must be turned on at all times. And the preparation of the golden image is an administrative procedural piece of the whole security plan. Everything ties together, and there must be no flaw. This was a hard learnt lesson.
 
Last edited:
  • Like
Reactions: gonza

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top