Latest Changes
May 6, 2019
Operating System
  • Windows 10
  • Windows Edition
    Pro
    Version or Build no.
    Latest
    System type
    64-bit operating system; x64-based processor
    Security Updates
    Automatic Updates (recommended)
    User Access Control
    Always Notify
    Network Security (Firewall)
    Windows Defender Firewall
    Device Security
  • Windows Defender SmartScreen (Windows 10)
  • User Account
    Administrator
    Sign-in Accounts
    Malware Testing
    I do not participate in downloading malware samples
    Real-time Web & Malware Protection
    1. On the Pro desktop, using Group Policy to manage Software Restriction rules and registry startup entries; on the other machines, using Hard_Configurator to enforce a basic-user deny execution and to protect registry startup entries.
    2. Windows Defender Antivirus maxed out with ConfigureDefender, protected folders enabled and some custom WD exploit protection (only allowing vulnerable Microsoft software such as Outlook or MsEdge to load signed Microsoft DLLs).
    3. NVT OS_Armor (hardening CMD and PowerShell, plus DEFAULT DENY custom rules to block ALL software in user space when NOT SIGNED BY TRUSTED vendors (as an extra security layer on top of SRP basic user and UAC blocking unsigned executables), limiting Outlook to only start Edge, Word, PowerPoint and Excel, and limiting Edge to launch only WD and itself).
    RTP - Custom security settings
  • Major changes for Increased security
  • RTP - Details of Custom security settings
    Syshardener
    UAC: Only elevate executables which are signed and validated (when an unsigned executable tries to elevate, a non-informative, stupid Windows message appears: "A referral was returned from the server." Maybe something gets lost in translation, but it makes no sense to me).

    Software Restriction Policies
    Basic User default (DENY) level in User Folders plus the most risky commands (when clicked, shows "This app has been blocked by your system administrator.").

    NTFS Access Control Lists
    All Startup, Public, Shared, Internet-facing and Data folders (Documents, Mail, Music, Pictures, Videos) have a DENY "Traverse Folder/Execute file" added for EVERYONE (when clicked, shows "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item.").

    OS-Armor rules custom block rules
    ;
    ; ALL process execution blocked outside C:\ by default rule
    ; ALL unsigned processes blocked in C:\root by default rule
    ; Outlook (and other Office) exploit protection enabled by default rule
    ;
    [%PROCESSFILEPATH%: C:\Users\*]
    [%PROCESSFILEPATH%: C:\ProgramData\*]

    [%PROCESSFILEPATH%: *] [%PARENTPROCESS%: *\msedge.exe]


    OS Armor custom exception rules
    ;
    ; Allow Microsoft programs to update from user space and from the largest disk partition
    ;
    [%PROCESSFILEPATH%: C:\Users\*] [%FILESIGNER%: Microsoft*]
    [%PROCESSFILEPATH%: C:\ProgramData\*] [%FILESIGNER%: Microsoft*]
    [%PROCESSFILEPATH%: P:\*] [%FILESIGNER%: Microsoft*]
    ;
    ; Allow installed programs to update from TEMP folder
    ;
    [%PROCESSFILEPATH%: C:\Users\kees-\AppData\Local\Temp\*] [%FILESIGNER%: Advanced Micro Devices, Inc.]
    [%PROCESSFILEPATH%: C:\Users\kees-\AppData\Local\Temp\*] [%FILESIGNER%: Brother Industries, Ltd.]
    [%PROCESSFILEPATH%: C:\Users\kees-\AppData\Local\Temp\*] [%FILESIGNER%: LG Electronics Inc.]
    [%PROCESSFILEPATH%: C:\Users\kees-\AppData\Local\Temp\*] [%FILESIGNER%: Samsung Electronics Co., Ltd.]
    [%PROCESSFILEPATH%: C:\Users\kees-\AppData\Local\Temp\*] [%FILESIGNER%: 2BrightSparks Pte. Ltd.]
    [%PROCESSFILEPATH%: C:\Users\kees-\AppData\Local\Temp\*] [%FILESIGNER%: NoVirusThanks Company Srl]
    ;
    ; Allow Edge-chromium to call (a) itself, (b) its updater and (c) Windows Defender antivirus to check downloads
    ;
    [%PARENTPROCESS%: *\msedge.exe] [%PROCESSFILEPATH%: C:\Program Files (x86)\Microsoft\*\Application\*]
    [%PARENTPROCESS%: *\msedge.exe] [%PROCESSFILEPATH%: C:\Program Files (x86)\Microsoft\EdgeUpdate\*]
    [%PARENTPROCESS%: *\msedge.exe] [%PROCESSFILEPATH%: C:\ProgramData\Microsoft\Windows Defender\Platform\*]

    Windows Defender Exploit Protection
    Enabled Code Integrity Guard (only allow DLLs signed by Microsoft to load) for Outlook (and the other Office apps), msEdge and (don't try this at home) Windows Explorer and RunDLL32, and disabled mshta and rdpshell.

    Chrome flags
    - Extension Content Verification (Enforce strict)
    - Enable AppContainer Lockdown (enabled)
    - Enable GPU AppContainer Lockdown (enabled)
    - PDF Isolation (enabled)
    Virus and Malware Removal Tools
    Microsoft Malicious Software Removal Tool and Windows Defender
    Sysinternals ProcessExplorer and Autoruns64
    Browsers and Extensions
    Microsoft Edge-chromium with TWO user profiles
    Setting                                                    | SURFING profile                                                        | BUYING profile
    PROFILE: Sync                                              | OFF                                                                    | OFF
    PROFILE: Passwords                                         | ON (no financial risk for SS&S, so ON)                                 | OFF (I am using memory for BB&B login)
    PROFILE: Payment info                                      | OFF                                                                    | OFF
    PROFILE: Addresses and more                                | OFF                                                                    | OFF
    APPEARANCE: Home button                                    | Startpage.com                                                          | DuckDuckGo
    APPEARANCE: Show favorites bar                             | ON                                                                     | ON
    ON STARTUP                                                 | New Tab Page (extension Blank New Tab)                                 | New Tab Page (extension Blank New Tab)
    PRIVACY & SERVICES: Send DO NOT TRACK                      | ON                                                                     | ON
    Allow sites to check if you have payment saved             | OFF                                                                    | OFF
    Send data about how you use the browser                    | OFF                                                                    | OFF
    Send data about sites you visit to Microsoft               | OFF                                                                    | OFF
    Use a web service to help resolve navigation errors        | OFF                                                                    | OFF
    Microsoft Defender SmartScreen                             | ON                                                                     | ON
    Address bar: show search & site suggestions                | OFF                                                                    | OFF
    Address bar: search engine used                            | Startpage                                                              | DuckDuckGo
    SITE PERMISSIONS: Cookies                                  | Block third-party cookies                                              | Keep local data only until you quit the browser
    SITE PERMISSIONS: JavaScript                               | ALLOWED (see web privacy)                                              | BLOCKED, ALLOW only https://*
    SITE PERMISSIONS: Images                                   | ALLOW                                                                  | -
    SITE PERMISSIONS: Unsandboxed plugin access                | -                                                                      | BLOCK
    SITE PERMISSIONS: All other site permissions               | BLOCK                                                                  | DEFAULT
    DOWNLOAD: Ask where to save each file before downloading   | OFF                                                                    | ON
    LANGUAGES                                                  | English (United States), English                                       | Dutch, English (United States)
    SYSTEM: Continue running in background when Edge is closed | OFF                                                                    | ON
    SYSTEM: Use hardware acceleration                          | ON                                                                     | ON
    EXTENSIONS                                                 | Blank New Tab Page, Auto History Wipe, uBlock Origin [see web privacy] | Blank New Tab Page, Auto History Wipe, Bitdefender Traffic Light
    Privacy-focused Apps and Extensions
    Configured uBlock in LAZY-MEDIUM mode
    This uBlock0 tweak combines uBlock's MEDIUM mode (blocking third-party frames & scripts) with the idea used by many members of using Chrome's internal script site permissions to only allow scripts on some top-level domains.

    My Filters (block third-party requests on insecure HTTP websites; 95% of malware is hosted on HTTP websites):
    HTTP://*^$third-party

    My rules (block third-party stuff system-wide and add NOOP exceptions for some top-level domains: COM, NET, ORG and NL):
    * * 3p block
    com * 3p noop
    net * 3p noop
    nl * 3p noop
    org * 3p noop

    Filterlists
    - My Filters
    - Malvertising filter by Disconnect
    Password Managers
  • Memory
  • Web Search
  • Startpage
  • System Utilities
    SSLEye - Man in the Middle check
    Data Backup
    SyncBackFree for ad hoc document and mail (on SSD) backup to a 250 GB Seagate HD and a 1 TB Western Digital disk. The 1 TB disk is protected by WD protected folders; the 250 GB disk is protected by ACL permissions. Only backup_user1 has full control of this quick backup disk (started via "Run as other user").

    NAS for nightly backups from the 1 TB WD disk. The NAS is connected to router-2, which is normally used for guests on the 2.4 GHz network. Router-1 (only running 5 GHz) from my ISP blocks the MAC address of Router-1 from 21:00 to 09:00, so Router-2 has no internet access from nine to nine. Router-2 also uses parental-control scheduling, IP filtering and MAC-address filtering to only allow the Desktop and Laptop to connect. Only Desktop-user and Laptop-user have write/delete access to the NAS (enforced by the WD backup software).
    Frequency of Data backups
    Daily
    System Backup
    Windows Image Backup
    Frequency of System backups
    Occasionally
    Computer Activity
  • Online banking
  • Browsing web and email
  • Watch movies and other entertainment content on the Internet
  • Office and work related tasks
  • Computer Specifications
    Nexus Silent PC Case with silent PSU
    CPU - Intel i7 920 @2.67 GHz
    GPU - AMD HD 5570 silent
    RAM - DDR3 1333 6GB
    STORAGE: SSD 250 GB (Samsung 860). 1 TB HDD (Western Digital), 250 GB HDD (Seagate)
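    The NTFS step described above under "NTFS Access Control Lists" (a DENY "Traverse Folder/Execute file" ACE for EVERYONE on the data folders), as an added PowerShell example; this is not the poster's own script, and the folder list, the function names and the notepad.exe probe are assumptions for illustration. It has to run from an elevated PowerShell, because Everyone includes the current user.

```powershell
# Added example (not the original poster's script). Applies a Deny "Traverse Folder / Execute File"
# ACE for Everyone to a set of data folders, inherited by subfolders and files, verifies the ACE
# is present, and then checks that an EXE copied into one of the folders refuses to start.
# Assumptions: run elevated; $folders is an illustrative list, adjust it to your profile.

$ErrorActionPreference = 'Stop'

# Well-known SID for Everyone (S-1-1-0). Using the SID avoids the localized account name
# ("Iedereen" on a Dutch Windows), so the script works on any language.
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')

# FileSystemRights.ExecuteFile and FileSystemRights.Traverse are the same bit (0x20): it means
# "execute" on a file and "traverse" on a folder. Everyone holds "Bypass traverse checking" by
# default, so the folder-level bit does nothing; the copy inherited onto files is what blocks
# launching an EXE. Hence ContainerInherit + ObjectInherit.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $everyone,
    [System.Security.AccessControl.FileSystemRights]::ExecuteFile,
    ([System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'),
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Deny)

function Add-DenyExecuteAce {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # AddAccessRule merges with an identical existing ACE, so re-running does not stack duplicates.
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Test-DenyExecuteAce {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Look for an explicit (non-inherited) Deny ACE for Everyone that carries the ExecuteFile bit.
    $hit = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        -not $_.IsInherited -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $everyone -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ExecuteFile)
    }
    return [bool]$hit
}

# Illustrative folder set, modelled on the post: startup, public and user data folders.
$folders = @(
    "$env:USERPROFILE\Downloads",
    "$env:USERPROFILE\Documents",
    "$env:USERPROFILE\Pictures",
    "$env:USERPROFILE\Music",
    "$env:USERPROFILE\Videos",
    "$env:PUBLIC",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
)

foreach ($f in $folders) {
    if (-not (Test-Path -LiteralPath $f)) { Write-Warning "missing: $f"; continue }
    Add-DenyExecuteAce -Path $f
    '{0,-5} {1}' -f (Test-DenyExecuteAce -Path $f), $f
}

# Functional check: a known-good EXE copied into a protected folder must fail to launch.
# Copying needs only write access, so the copy itself succeeds; CreateProcess needs execute.
$probe = Join-Path "$env:USERPROFILE\Downloads" 'probe-notepad.exe'
Copy-Item "$env:SystemRoot\System32\notepad.exe" $probe -Force
try {
    Start-Process -FilePath $probe -ErrorAction Stop
    Write-Warning 'probe started: the deny ACE is NOT effective'
} catch {
    "probe blocked as expected: $($_.Exception.Message)"
} finally {
    Remove-Item $probe -Force -ErrorAction SilentlyContinue
}
```

    Two caveats a practitioner should keep in mind. First, the ACE only stops direct execution of PE files: cmd.exe and powershell.exe open a .bat or .ps1 with read access, so scripts in these folders still run, which is why the post layers SRP and OS Armor on top. Second, the deny applies to Everyone, administrators and SYSTEM included, so an installer that extracts itself into Downloads and relaunches from there will fail; the post's OS Armor exceptions for the TEMP folder exist for that reason.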
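    The "Windows Defender Exploit Protection" step above (Code Integrity Guard, i.e. only Microsoft-signed DLLs, for Office and Edge, with the "don't try this at home" warning for Explorer), as an added PowerShell example; this is not the poster's exported configuration. The process list, the export path and the audit-first choice for explorer.exe are assumptions for illustration.

```powershell
# Added example (not the original poster's configuration). Enforces Code Integrity Guard
# (MicrosoftSignedOnly) on the Office and Edge image names, puts explorer.exe in audit mode
# instead of enforcing, reads the effective state back, exports it, and lists recent
# mitigation events. Run from an elevated PowerShell. Process list and paths are assumptions.

$ErrorActionPreference = 'Stop'

# Office loads third-party add-ins as in-process DLLs; with CIG enforced, any add-in that is
# not Microsoft-signed silently stops loading. Enforce only after an audit run shows no
# needed add-in is hit.
$enforce = 'outlook.exe', 'winword.exe', 'excel.exe', 'powerpnt.exe', 'msedge.exe'
foreach ($p in $enforce) {
    Set-ProcessMitigation -Name $p -Enable MicrosoftSignedOnly
}

# explorer.exe hosts every third-party shell extension (archivers, cloud-sync overlay icons,
# antivirus context menus) as DLLs signed by their vendors, not by Microsoft. Enforcing CIG there
# breaks all of them, which is what the post's warning is about. Audit mode logs what would be
# blocked without blocking it.
Set-ProcessMitigation -Name explorer.exe -Enable AuditMicrosoftSigned

function Get-CigState {
    # Returns the signed-binaries mitigation block for one image name, as Windows reports it.
    param([Parameter(Mandatory)][string]$Name)
    Get-ProcessMitigation -Name $Name | Select-Object -ExpandProperty SignedBinaries
}

foreach ($p in $enforce + 'explorer.exe') {
    "== $p"
    Get-CigState -Name $p | Format-List
}

# Export the complete per-process mitigation set so it can be re-applied after a reinstall
# with: Set-ProcessMitigation -PolicyFilePath <file>
$export = Join-Path $env:TEMP 'exploit-protection.xml'
Get-ProcessMitigation -RegistryConfigFilePath $export
"exported to $export"

# What did CIG audit or block in the last day? Event log name as used by Exploit Protection.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Security-Mitigations/UserMode'
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue |
    Select-Object -First 20 TimeCreated, Id, Message

# Roll back the audit setting on explorer.exe if it is not wanted:
# Set-ProcessMitigation -Name explorer.exe -Disable AuditMicrosoftSigned
```

    Check the Security-Mitigations log for a few days of normal use before switching explorer.exe from AuditMicrosoftSigned to MicrosoftSignedOnly; every DLL it lists is one that will stop loading once enforcement is on.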

    blackice

    This setup could comfortably be used by a sysadmin in enterprise environments.

    I will second @harlan4096's opinion on a system imaging solution, no matter whether you will ever need it. Microsoft may deliver some broken update and all your work was in vain.
    I recently tried to restore a Windows image and it failed spectacularly. I switched imaging to Macrium. Using Windows file backup for easy access backup.

    Windows_Security

    As posted before, Windows image backup never failed on any Windows OS I used (whatever version).

    I downgraded from Windows 10 to Windows 7 when I installed an SSD on my PC, which did not respond to F8, even after using the classic F8 registry hack. It turned out my USB3 was the problem. On my old desktop I had two USB3 ports which needed a driver to work with the MoBo. After swapping my keyboard into a USB2 port, Windows would respond to pressing F8.

    I 'upgraded to Windows 10' again this January because I had given my Windows 7 desktop to an older family member who could not get used to Windows 10.

    blackice

    As posted before, Windows image backup never failed on any Windows OS I used (whatever version).

    I downgraded from Windows 10 to Windows 7 when I installed an SSD on my PC, which did not respond to F8, even after using the classic F8 registry hack. It turned out my USB3 was the problem. On my old desktop I had two USB3 ports which needed a driver to work with the MoBo. After swapping my keyboard into a USB2 port, Windows would respond to pressing F8.

    I 'upgraded to Windows 10' again this January because I had given my Windows 7 desktop to an older family member who could not get used to Windows 10.

    I guess if it ain't broke, don't fix it. I wouldn't if I hadn't had problems. I've never gotten Windows to re-image properly. File backups seem to work fine. For some reason Windows always decides I've tried to image dissimilar hardware, even when no firmware updates have happened. Oh well, Macrium's scheduled backups work better for me than Win did anyway.

    Windows_Security

    I guess if it ain’t broke, don’t fix it.
    Agree, good advice (y).

    In the past I was playing with malware and security programs, I managed to trash my system more often with security programs than by malware circumventing my security setup. :giggle:

    Since I stopped throwing rocks at my own Windows, I have not needed image recovery anymore.