Basic Security Windows_Security desktop security 2019

Last updated
May 6, 2019
Windows Edition
Pro
Security updates
Allow security updates and latest features
User Access Control
Always notify
Real-time security
  1. On Pro desktop using Group Policy to manage Software Restriction rules and registry startup entries, but on other machines using Hard Configuration to enforce a basic user deny execution and protect registry startup entries.
  2. Windows Defender Antivirus maxed out with ConfigureDefender, protected folders enabled and some custom WD-exploit protection (only allowing vulnarable Microsoft software such as Outlook or MsEdge to load signed Microsoft DLL's).
  3. NVT OS_Armor (hardening CMD and Powershell, and a DEFAULT DENY custom rules to block ALL software from user space when NOT SIGNED BY TRUSTED vendors (as an extra security layer on top of SRP basic user and UAC block unsigned) and limit Outlook to only start Edge, Word, Powerpoint, Excell) and limit Edge to launch only WD and itself.
Firewall security
Microsoft Defender Firewall
About custom security
Syshardener
UAC: Only elevate executables which are signed and validated (when unsigend tries to elevate a non-informative stupid Windows message appears "A referral was returned from the server.". Maybe something gets lost in transaltion but it makes no sense to me).

Software Restriction Policies
Basic User default (DENY) level in User Folders plus most risky commands (when clicked show "This app has been blocked by your system administrator.")

NTFS Access Control Lists
All Startup, Public, Shared, Internet Facing and Data Folders (Docments, Mail, Music, Pictures, Videos) added a DENY "Traverse Folder/Execute file" for EVERYONE (when clicked show a "Windows can not access the specified device, path or file. You may not have the appropriate permissions to access the item.").

OS-Armor rules custom block rules
;
; ALL process execution blocked outside C:\ by default rule
; ALL unsigned processes blocked in C:\root by default rule
; Outlook (and other Office) exploit protection enabled by default rule
;
[%PROCESSFILEPATH%: C:\Users\*]
[%PROCESSFILEPATH%: C:\ProgramData\*]

[%PROCESSFILEPATH%: *] [%PARENTPROCESS%: *\msedge.exe]


OS Armor custom exception rules
;
; Allow Microsoft programs to update from user space and largest disk partition
;
[%PROCESSFILEPATH%: C:\Users\*] [%FILESIGNER%: Microsoft*]
[%PROCESSFILEPATH%: C:\ProgramData\*] [%FILESIGNER%: Microsoft*]
[%PROCESSFILEPATH%: P:\*] [%FILESIGNER%: Microsoft*]
;
; Allow installed programs to update from TEMP folder
;
[%PROCESSFILEPATH%: C:\Users\kees-\AppData\Local\Temp\*] [%FILESIGNER%: Advanced Micro Devices, Inc.]
[%PROCESSFILEPATH%: C:\Users\kees-\AppData\Local\Temp\*] [%FILESIGNER%: Brother Industries, Ltd.]
[%PROCESSFILEPATH%: C:\Users\kees-\AppData\Local\Temp\*] [%FILESIGNER%: LG Electronics Inc.]
[%PROCESSFILEPATH%: C:\Users\kees-\AppData\Local\Temp\*] [%FILESIGNER%: Samsung Electronics Co., Ltd.]
[%PROCESSFILEPATH%: C:\Users\kees-\AppData\Local\Temp\*] [%FILESIGNER%: 2BrightSparks Pte. Ltd.]
[%PROCESSFILEPATH%: C:\Users\kees-\AppData\Local\Temp\*] [%FILESIGNER%: NoVirusThanks Company Srl]
;
; Allow Edge-chromium to call (a) itself, (b) its updater and (c) Windows Defender antivirus to check downloads
;
[%PARENTPROCESS%: *\msedge.exe] [%PROCESSFILEPATH%: C:\Program Files (x86)\Microsoft\*\Application\*]
[%PARENTPROCESS%: *\msedge.exe] [%PROCESSFILEPATH%: C:\Program Files (x86)\Microsoft\EdgeUpdate\*]
[%PARENTPROCESS%: *\msedge.exe] [%PROCESSFILEPATH%: C:\ProgramData\Microsoft\Windows Defender\Platform\*]

Windows Defender Exploit Protection
Enabled code integrity guard (only allow DLL's to load signed by Microsoft) for Outlook (and other Office), msEdge and (don't try this at home) Windows Explorer, RunDLL32 and disabled mshta and rdpshell.

Chrome flags
-
Extension Content Verification (Enforce strict)
- Enable AppContainer Lockdown (enabled)
- Enable GPU AppContainer Lockdown (enabled)
- PDF Isolation (enabled)
Periodic malware scanners
Microsoft Malicious Software Removal Tool and Windows Defender
Sysinternals ProcessExplorer and Autoruns64
Malware sample testing
I do not participate in malware testing
Browser(s) and extensions
Microsoft Edge-chromium with TWO user profiles
PROFILESURFINGBUYING
- Sync OFF- Sync OFF
- Paswords ON (No finanical risk for SS&S, so ON)- Paswords OFF (I am using memory for BB&B login)
- Payment info OFF- Payment info OFF
- Adresses and more OFF- Adresses and more OFF
APPEARANCEHome button = Startpage.comHome button = DuckDuckGo
Show favorites barShow favorites bar
ON STARTUPNew Tab Page (using extension Blank New Tab)New Tab Page (using extension Blank New Tab)
PRIVACY & SERVICESSend DO NOT TRACKSend DO NOT TRACK
Allow sites to check if you have payment saved: OFFAllow sites to check if you have payment saved: OFF
Send data about how you use browser: OFFSend data about how you use browser: OFF
Send data about sites you visit to Microsoft: OFFSend data about sites you visit to Microsoft: OFF
Use a webservice to help resolve navigation errors: OFFUse a webservice to help resolve navigation errors: OFF
Microsoft Defender SmartScreen: ONMicrosoft Defender SmartScreen: ON
Address bar: show search & site suggestions: OFFAddress bar: show search & site suggestions: OFF
Address bar: Search Engine used : StartpageAddress bar: Search Engine used : DuckDuckGo
SITE PERMISSIONSCookies: Block third-party cookiesCookies: Keep local data only until you quit browser
Javascript: ALLOWED (see web privacy)Javascript: BLOCKED, ALLOW only HTTPS://*
Images: ALLOWUnsandboxed plugin access: BLOCK
All other site permissions on BLOCKAll other site permissions on DEFAULT
DOWNLOADAsk where to save each file before downloading: OFFAsk where to save each file before downloading: ON
LANGUAGESEnglish (United States)Dutch
EnglishEnglish (United States)
SYSTEMContinue running background when Edge is closed: OFFContinue running background when Edge is closed: ON
Use hardware acceleration: ONUse hardware acceleration: ON
ExtensionsBlank New Tab PageBlank New Tab Page
Auto History WipeAuto History Wipe
uBlock Origin [see web privacy]Bitdefender Traffic light
Maintenance tools
SSLEye - Man in the Middle check
File and Photo backup
SyncBackFree for adhoc documents and mail (on SSD) backup to 250 GB Seagate HD and 1 TB Western Digital disk.. 1TB disk is protected by WD protected folders. 250 GB disk is protected by ACL-permissions. Only backup_user1 has full control to this quick backup disk (started by runs as other user).

NAS for Nightly backups from 1TB WD digital. NAS is connected to router-2 which is normally used for guests on 2.4Ghz network. Router-1 (only running 5 GHz) from my ISP blocks the Mac Address of Router-1 from 2100 to 0900. So Router 2 has no internet access from the nine-to-nine. Router-2 also uses parental control scheduling, IP-filtering and Mac-Address filtering to only allow Desktop and Laptop to connect. Only Desktop-user and Laptop-user have write/delete access to NAS. (enforced by WD-backup software).
System recovery
Windows Image Backup
Risk factors
    • Logging into my bank account
    • Browsing to popular websites
    • Streaming audio/video content from shady sites
    • Working from home
Computer specs
Nexus Silent PC Case with silent PSU
CPU - Intel i7 920 @2.67 GHz
GPU - AMD HD 5570 silent
RAM - DDR3 1333 6GB
STORAGE: SSD 250 GB (Samsung 860). 1 TB HDD (Western Digital), 250 GB HDD (Seagate)

blackice

Level 38
Verified
Top Poster
Well-known
Apr 1, 2019
2,731
This setup can be comfortably used by some SysAdmin in Enterprise environments.

I will second @harlan4096 opinion on system imaging solution, no matter will you ever need it. Microsoft may deliver some broken update and all your work was in vain.

I recently tried to restore a Windows image and it failed spectacularly. I switched imaging to Macrium. Using Windows file backup for easy access backup.
 

Windows_Security

Level 24
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
As posted before Windows image backup never failed on any Windows OS I used (what ever version)

I downgraded form windows 10 to Windows 7 when I installed an SSD on my PC, which did not respond to F8. Even after using the get the classic F8 registry hack. It turned out my USB3 was the problem. On my old desktop I had two USB3 ports which needed a driver to work with the MoBo. After swapping my keyboard into a USB2 port, Windows would respond to pressing F8.

I ' upgraded to Windows10' again this january because I had given my Windows7 desktop to an older family member who could not get used to Windows 10.
 
Last edited:

blackice

Level 38
Verified
Top Poster
Well-known
Apr 1, 2019
2,731
As posted before Windows image backup never failed on any Windows OS I used (what ever version).

I downgraded form windows 10 to Windows 7 when I installed an SSD on my PC, which did not respond to F8. Even after using the get the classic F8 registry hack. It turned out my USB3 was the problem. On my old desktop I had two USB3 ports which needed a driver to work with the MoBo. After swapping my keyboard into a USB2 port, Windows would respond to pressing F8.

I ' upgraded to Windows10' again this january because I had given my Windows7 desktop to an older family member who could not get used to Windows 10.

I guess if it ain’t broke, don’t fix it. I wouldn’t if I hadn’t had problems. I’ve never gotten Windows to re-image properly. File backups seem to work fine. For some reason Windows always decides I’ve tried to image dissimilar hardware, even when no firmware updates have happened. Oh well, Macrium’s scheduled backups work better for me than Win did anyway.
 

Windows_Security

Level 24
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
I guess if it ain’t broke, don’t fix it.

Agree, good advice (y).

In the past I was playing with malware and security programs, I managed to trash my system more often with security programs than by malware circumventing my security setup. :giggle:

Since I stopped throwsing rocks at my own Windows, I have not needed image recovery anymore.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top