Advice Request Windows 10 64 bits Home security setup, suggestions for a simple setup.


Lenny_Fox

Level 22
Thread author
Verified
Top Poster
Well-known
Oct 1, 2019
1,120
My youngest brother got my gaming desktop. In STOPtober I quit gaming and am now using a nearly 10-year-old laptop on Linux (Manjaro) with such low system specs that it is impossible to play games.

I used to have two accounts on my gaming desktop: an Admin account which I used solely for gaming and a basic user account which I used for all other stuff. When I gave my brother my desktop I deleted the basic user account. I had not realized that he would use it for all other stuff, like surfing. He was tricked by a "you are infected" scam and got a ransomware infection when following the repair instructions. Luckily he only uses it for school, surfing and gaming, so nothing is lost by reinstalling Windows again.

I have used Hard_Configurator to set up software restriction policies and set Windows Defender to highest (including protected folders, all Attack Surface Reduction rules enabled, and network protection). I installed Chrome and set JavaScript to block with an allow rule for HTTPS://*. So with WD Network Protection and Chrome Safe Browsing he now already has two URL filters. I have set his DNS to Quad9 on his wireless adapter.

Question to all:
I like to keep the security as simple as above (I added a few SRP allow rules for his games to update). So I only want to add two extensions maximum with additional URL filtering.

At the moment I am considering AVAST or AVIRA for a malware blacklist with built-in ad blocking. Because he was a victim of a support scam I am inclined to reserve the second spot for NetCraft, but I am open to suggestions for the two Chrome extension spots.

Question to Dutch members and/or F-secure users
I could also install the Ziggo-rebranded F-Secure free antivirus. Is it any good (sometimes free rebranded versions of paid programs are older versions)? Is F-Secure better than WD? On default settings WD seems to beat F-Secure in tests, so with the tweaked Configure_Defender settings, I really have doubts about the added value of using Ziggo's F-Secure free version. But I am interested to hear real user experience.

Thanks Lenny
 

ForgottenSeer 823865

Your mistake was to let him on an admin account. Admin account must be Local Account and only for diagnosis, OS updates, software installation, and other various maintenance tasks. Not for gaming, not for surfing, nothing else.

I have used Hard_Configurator to set up software restriction policies and set Windows Defender to highest (including protected folders, all Attack Surface Reduction rules enabled, and network protection). I installed Chrome and set JavaScript to block with an allow rule for HTTPS://*. So with WD Network Protection and Chrome Safe Browsing he now already has two URL filters. I have set his DNS to Quad9 on his wireless adapter.
That is enough already. Learn to use H_C the best you can.

I like to keep the security as simple as above (I added a few SRP allow rules for his games to update). So I only want to add two extensions maximum with additional URL filtering.
I use Netcraft and Malwarebytes.

Keep it simple; learn to maximize the effectiveness of what you have.
 

Lenny_Fox

Your mistake was to let him on an admin account. Admin account must be Local Account and only for diagnosis, OS updates, software installation, and other various maintenance tasks. Not for gaming, not for surfing, nothing else.

Yes, that is clear to me now: only three weeks to brick the PC with ransomware.

Thanks, I have installed Avast + Netcraft for the moment (knowing Chrome's Safe Browsing, M$ WD-networking and Quad9 also filter out bad stuff).

Keep it simple; learn to maximize the effectiveness of what you have.

"Be humble" (use what is already there) is one of the design principles of Google. I learned that during my Bachelor's, so I am trying to use what the OS already provides. Thanks for the confirmation.
 


Lenny_Fox

Because I used the Windows 10 license on the sticker of my brother's PC, I noticed that my old Lenovo laptop also had a sticker at the bottom/back of the laptop. Since I had only replaced the hard disk and added a 2 GB RAM module, I tried to install it (as dual boot) on my old laptop.

I plugged in a network cable and entered the license key when starting the install procedure, and everything went fine. The sticker at the back of the laptop was Windows 7 (Ultimate), but the Windows 10 installer accepted it without a peep. That surprised me. Are Windows 7 licenses also valid for Windows 10?
 

ForgottenSeer 823865

I plugged in a network cable and entered the license key when starting the install procedure, and everything went fine. The sticker at the back of the laptop was Windows 7 (Ultimate), but the Windows 10 installer accepted it without a peep. That surprised me. Are Windows 7 licenses also valid for Windows 10?
It is not that they are valid; they are converted to a Win10 license (if I'm not wrong), and if you had a legit Win7 Ultimate, you may get a Win10 Pro license (not 100% sure, but I remember reading it somewhere).
 


Local Host

It is not that they are valid; they are converted to a Windows 10 license (if I'm not wrong), and if you had a legit Windows 7 Ultimate, you may get a Windows 10 Pro license (not 100% sure, but I remember reading it somewhere).
No, the key remains available for Windows 7; Windows 10 is digitally signed on that PC.
 

Lenny_Fox

Yes, I played with gpedit.msc a little: enabled Software Restriction Policies, browsed through other settings, and disabled some remote stuff, autoplay and execution of removable disks. I think I won't be tweaking it a lot more.
 

Lenny_Fox

Coming back to the original question I had in regard to browser extensions: after having (re)searched a few interesting threads related to browser extensions, I opted for Chrome with Avast Online Security and Privacy Possum, and Edge with Netcraft as a backup browser (in case Avast Online Security or Privacy Possum might break a website).

Thanks to all who participated in this thread.

P.S. Quad9, WD Network Protection, Chrome Safe Browsing (with flags #disallow-unsafe-http-downloads and #enable-safe-browsing-ap-download-verdicts) and Avast Online Security did well in some field tests I did with links from malware and phishing (blacklist) websites.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
Yes, I played with gpedit.msc a little: enabled Software Restriction Policies, browsed through other settings, and disabled some remote stuff, autoplay and execution of removable disks. I think I won't be tweaking it a lot more.
From your first post, it follows that you have used H_C to configure SRP. If so, then do not use GPO (via gpedit.msc) to configure SRP and be cautious when using GPO to disable remote features. The H_C settings block most remote features (Remote Desktop & Remote Assistance, Remote Registry, and Remote Shell), probably more than you blocked with GPO.
H_C uses Windows Policies directly via Windows Registry and these policies can be modified silently by GPO settings.
Disabling autoplay is not necessary, because it will not run anything without user consent (AutoRun feature is disabled by default on Windows Vista SP2 and above).
Disabling execution from removable disks is not necessary when using SRP Security Level set to Disallowed.
If you use Avast, then WD Network Protection does not work.
You can use Avast with Hardened Mode Aggressive and apply the special H_C profile for Avast, which allows EXE files (they are protected already by Avast Hardened Mode Aggressive).
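
The point above about policies being changed silently can be checked by snapshotting the SRP registry values and diffing them later. This is an added example, not part of the thread and not Hard_Configurator code; it assumes the SRP settings sit under the standard machine policy key, and the baseline file path is a hypothetical choice.

```powershell
# Added example (not Hard_Configurator code): snapshot the SRP policy values
# and diff them against a saved baseline to see what a later tool changed.
# Assumption: SRP settings live under the standard machine policy key below.
$SrpRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function Get-SrpSnapshot {
    if (-not (Test-Path $SrpRoot)) { return }          # SRP not configured
    $keys = @(Get-Item $SrpRoot) + @(Get-ChildItem $SrpRoot -Recurse)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                Key   = $key.Name
                Name  = $name
                Value = (@($key.GetValue($name)) -join ';')   # flatten arrays
            }
        }
    }
}

function Compare-SrpSnapshot {
    # $BaselinePath is a hypothetical location; pick any file you control.
    param([string]$BaselinePath = "$env:USERPROFILE\srp-baseline.csv")

    $current = @(Get-SrpSnapshot)
    if (-not (Test-Path $BaselinePath)) {
        $current | Export-Csv -Path $BaselinePath -NoTypeInformation
        return "Baseline with $($current.Count) values saved to $BaselinePath"
    }
    $baseline = @(Import-Csv -Path $BaselinePath)
    if ($baseline.Count -eq 0 -or $current.Count -eq 0) {
        return "Baseline has $($baseline.Count) values, registry has $($current.Count)"
    }
    Compare-Object $baseline $current -Property Key, Name, Value |
        Select-Object Key, Name, Value, @{ Name = 'Side'
            Expression = { if ($_.SideIndicator -eq '=>') { 'current' } else { 'baseline' } } }
}

# First run (right after applying the H_C profile) saves the baseline;
# later runs list every value that was added, removed or changed.
Compare-SrpSnapshot
$level = (Get-ItemProperty $SrpRoot -ErrorAction SilentlyContinue).DefaultLevel
if ($null -ne $level) { 'DefaultLevel = 0x{0:X} (0x0 is Disallowed, 0x40000 is Unrestricted)' -f $level }
```

An empty result on a later run means no value differs from the baseline; rows marked `baseline` were removed or changed, rows marked `current` are new or changed values.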
 

oldschool

Level 85
Verified
Top Poster
Well-known
Mar 29, 2018
7,613
Where can I get that from?

You can access the profile list via Load Profile button here:

Capture.PNG
 

Lenny_Fox


Sorry about the confusion created.

The first post refers to my brother's gaming desktop, on which I had to re-install Windows 10 after he was tricked into downloading malware by a "Your PC is infected" scam. I have not installed Avast antivirus, just the browser extension in Chrome.

The Windows 10 Pro is my dual boot on my old Linux laptop. When I had re-installed Windows 10 on my brother's desktop using a USB stick, I just wondered whether the Windows 7 license from the sticker on the bottom/back of the 9-year-old laptop worked. So now I have Linux Manjaro and Windows 10 Pro on my laptop (updating from Linux kernel 4 to 5 on Manjaro was easier than updating from 1809 to 1903 on Windows 10).

PS, I have changed the default deny with allow rules I had created in H_C for my brother to the easier-to-use Windows_Security profile which comes with Hard_Configurator. It is similar to the Avast H_C profile, only intended for use with Windows Defender and blocking elevation of unsigned programs (am I right)? For my brother the confusing "A referral returned from the server" message is an advantage, because he will think the program does not work on his machine. I guess the chance of running into such an error is very small because he can't download programs from insecure websites anymore and WD SmartScreen will probably block unsigned programs also :)

My Brother's (Windows 10 Home) protection against internet based malware is:

1. URL filtering with: Quad9, WD Network protection, Chrome safe browsing, Avast extension
2. Chrome browser hardened with site settings and flag to block stuff from HTTP websites (see picture below).
3. H_C with "Windows_10_MT_Windows_Security_hardening.hdc" profile
4. C_D with maxed out security settings for Windows Defender

(This screenshot was made on my laptop (Edge Chromium), not my brother's desktop (Chrome).)
[Image: 1571646455574.png]
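
A read-only check of several layers from the list in the post above (DNS, Windows Defender settings, and the account type that started the thread). This is an added example, not from any poster or from the H_C / ConfigureDefender projects; it does not inspect Chrome settings or the H_C profile, and the function names are made up for illustration.

```powershell
# Added example: read-only check of the layers listed in the post above.
# Run as the daily-use account in a normal PowerShell window on Windows 10.
function New-Finding($Check, $Ok, $Detail) {
    [pscustomobject]@{ Check = $Check; OK = [bool]$Ok; Detail = "$Detail" }
}

function Test-HomeHardening {
    $quad9 = '9.9.9.9', '149.112.112.112'      # Quad9 IPv4 resolvers

    # DNS servers are configured per adapter, so check every connected one.
    foreach ($nic in (Get-NetAdapter | Where-Object Status -eq 'Up')) {
        $dns = @((Get-DnsClientServerAddress -InterfaceIndex $nic.ifIndex `
                    -AddressFamily IPv4).ServerAddresses)
        $foreign = @($dns | Where-Object { $_ -notin $quad9 })
        New-Finding "DNS on '$($nic.Name)'" ($dns.Count -gt 0 -and $foreign.Count -eq 0) ($dns -join ', ')
    }

    # Windows Defender: real-time protection, Network Protection, CFA, ASR.
    $mp = Get-MpPreference
    $st = Get-MpComputerStatus
    New-Finding 'Defender real-time protection' $st.RealTimeProtectionEnabled "AntivirusEnabled=$($st.AntivirusEnabled)"
    New-Finding 'Network Protection' ($mp.EnableNetworkProtection -eq 1) "value $($mp.EnableNetworkProtection): 0 off, 1 block, 2 audit"
    New-Finding 'Controlled Folder Access' ($mp.EnableControlledFolderAccess -eq 1) "value $($mp.EnableControlledFolderAccess): 0 off, 1 enabled, 2 audit"

    $ids     = @($mp.AttackSurfaceReductionRules_Ids | Where-Object { $_ })
    $blocked = @($mp.AttackSurfaceReductionRules_Actions | Where-Object { $_ -eq 1 })
    New-Finding 'ASR rules' ($ids.Count -gt 0 -and $blocked.Count -eq $ids.Count) "$($blocked.Count) of $($ids.Count) configured rules in block mode"

    # The lesson of the thread: the everyday account should not be an admin.
    $me      = [Security.Principal.WindowsIdentity]::GetCurrent()
    $admins  = @(Get-LocalGroupMember -SID 'S-1-5-32-544')   # built-in Administrators
    $isAdmin = @($admins | ForEach-Object { $_.SID.Value }) -contains $me.User.Value
    New-Finding 'Current account is a standard user' (-not $isAdmin) "$($me.Name); admins: $($admins.Name -join ', ')"
}

Test-HomeHardening | Format-Table -AutoSize -Wrap
```

A wired adapter that still uses the router's DNS shows up as a failed DNS row even when the wireless adapter is set to Quad9.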

Andy Ful

Understood. This setup is OK, but still has some restrictions which will require your attention:
  1. Unsigned applications will not update when installed in Program Files and Program Files (x86). To update them, the setting <Validate Admin C.S.> has to be turned off temporarily.
  2. Your brother will not be able to bypass SmartScreen when running applications downloaded from the Internet (unless he unblocks the executable via file Properties).
  3. When using "Allow EXE and TMP" in H_C, it is good to also apply the FirewallHardening.
  4. Do not install 3rd party unpackers or install Bandizip.
Edit.
In this setup, it is recommended to replace all unsigned applications installed in "Program Files ..." with signed ones. Then, the setup will be mostly set and forget in daily work.
Unsigned applications installed in UserSpace usually do not require Admin rights to install/update, so they will not require replacing.
 