Windows_Security setup

Windows_Security

Level 24
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
Comments on this webform:
  1. User Access Control.
    The really effective UAC option to block elevation of unsigned executables is missing

  2. Recent malware attacks
    The explanation "when were you hit or scammed" assumes the attack had any effect and was not blocked by security software or the safe hex practices of the user. I receive malware and phishing mails from time to time, but none of them had any effect on my system or data.
 

Windows_Security

One of the reasons Ferguson was a great trainer at Man United was that he knew every person working around him by name, and the names of their children too. A good memory is an asset for a leader. Alas, I lacked the soccer skills to become a famous trainer like Sir Ferguson, so at the age of 58 I have to practise a lot to fight the degradation of memory anyway. I hate Sudokus, therefore a bit of memory training with passphrases serves many purposes.
 
Last edited:

RoboMan

Level 35
Verified
Top Poster
Content Creator
Well-known
Jun 24, 2016
2,400
Really nice. Not what we're "used" to seeing around here or in most cases. I'd say maybe use a password manager, but I'm not using one either and I do not write them down anywhere. I have a pretty good memory. Thanks for sharing.
 

Windows_Security

Thanks for all your responses @aragornnnn , @carsten ibsen , @Exterminator , @shmu26 , @RoboMan , @SHvFl


HenryPP publishes Chromium releases (scroll down on this link) which are compiled from the same source as Chrome. He removes Chrome stuff (no sync, no WebRTC leak of IP) and has Control Flow Guard enabled. about:flags has some privacy features like #disable-hyperlink-auditing and #reduced-referrer-granularity, and by starting Chromium with --disable-reading-from-canvas you add a little canvas fingerprinting protection. On Windows 8 or above you should also enable #enable-appcontainer, and on Windows 10 #enable-ppapi-win32k-lockdown

The benefit of using Chromium for me is that it is unsigned, so my UAC setting ValidateAdminCodeSignatures blocks elevation, and the Medium Integrity Level broker process of Chromium itself is kept in a Limited User policy container. :cool:

Malware has to pass AppContainer, Chrome's Sandbox, the UAC limited user container and MemProtect's Protected Processes encagement. Stuff I download myself has to pass Smartscreen, ACL, SRP and UAC. Passing a quadruple containment/whitelist layer is not likely. So I am confidently without AV :D

Regards Kees
 
Last edited:
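As an added example (not part of the post above, nor of HenryPP's Chromium builds), the PowerShell below reads and sets the UAC policy Kees refers to. ValidateAdminCodeSignatures under HKLM\...\Policies\System is the registry value behind the Group Policy setting "User Account Control: Only elevate executables that are signed and validated", so the same change can be made through gpedit.msc on Pro or directly in the registry on Home. The script then checks a binary's Authenticode status the way that policy does before allowing elevation, and launches Chromium with the --disable-reading-from-canvas switch from the post. The Chromium path is an assumption; the about:flags entries are set in the browser UI and are not set here. One caveat: a valid signature is only the necessary condition, the policy also requires the signing certificate chain to be trusted, so a signed binary from an untrusted publisher can still be refused.

```powershell
# Added example: check and enforce "only elevate signed and validated executables",
# then launch Chromium with the canvas-fingerprinting switch. Setting the policy
# requires an elevated PowerShell session.

$ChromiumExe = 'C:\Program Files\Chromium\Application\chrome.exe'   # assumed install path
$UacKey      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Read the DWORD behind the Group Policy setting; absent means the policy is off (default).
function Get-ValidateAdminCodeSignatures {
    $v = Get-ItemProperty -Path $UacKey -Name ValidateAdminCodeSignatures -ErrorAction SilentlyContinue
    if ($null -eq $v) { return 0 }
    return [int]$v.ValidateAdminCodeSignatures
}

# Registry equivalent of enabling the policy in gpedit.msc (needed on Windows Home).
function Enable-ValidateAdminCodeSignatures {
    Set-ItemProperty -Path $UacKey -Name ValidateAdminCodeSignatures -Value 1 -Type DWord
}

# Report whether a binary's Authenticode status would let it elevate under the policy.
# Status 'Valid' is necessary; a signer outside the trusted chain is still refused by UAC.
function Test-ElevationAllowed {
    param([Parameter(Mandatory)][string]$Path)
    $sig      = Get-AuthenticodeSignature -FilePath $Path
    $policyOn = (Get-ValidateAdminCodeSignatures) -eq 1
    [pscustomobject]@{
        File              = $Path
        SignatureStatus   = $sig.Status            # Valid, NotSigned, HashMismatch, ...
        Signer            = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        PolicyEnforced    = $policyOn
        ElevationBlocked  = $policyOn -and ($sig.Status -ne 'Valid')
    }
}

# Launch Chromium with the command-line switch from the post. The about:flags entries
# (#disable-hyperlink-auditing, #reduced-referrer-granularity, #enable-appcontainer,
# #enable-ppapi-win32k-lockdown) are toggled in the browser, not on the command line.
function Start-HardenedChromium {
    param([string]$Exe = $ChromiumExe)
    Start-Process -FilePath $Exe -ArgumentList '--disable-reading-from-canvas'
}

# Usage: show the current state for the Chromium binary, then enable the policy if needed.
Test-ElevationAllowed -Path $ChromiumExe | Format-List
if ((Get-ValidateAdminCodeSignatures) -ne 1) { Enable-ValidateAdminCodeSignatures }
Test-ElevationAllowed -Path $ChromiumExe | Format-List
```

With the policy on, an unsigned chrome.exe reports SignatureStatus NotSigned and ElevationBlocked True, which is exactly the property the post relies on: the broker process can never get past the consent prompt, so it stays at Medium integrity even if something inside it tries to elevate.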

Windows_Security

I like the configuration of hardening the protection.

You can add Appguard to that setup as a complement, since it can lock down unknown and suspicious threats reaching critical destinations on the system.

I have discussed Appguard V3 functionality with Eiric, the representative of Blue Ridge at that time. I know they are releasing V5 soon, so the product has evolved since then, but although Appguard is a great security product, it would overlap more than it would complement.

But you have a point: when someone would like to have the benefits of my setup without the hassle of tweaking and hardening the OS, the easiest way would be to buy an Appguard license. Thanks for the suggestion.

regards Kees
 
Last edited:

Windows_Security

Chromium update: chrlauncher


On my Windows Pro desktop through Group Policy, on my Asus Transformer with Windows Home through registry tweaks.

I like the graphical display of Disconnect :) and it blocks most trackers, but more important it needs little tweaking or micro management.
 

Handsome Recluse

Level 23
Verified
Top Poster
Well-known
Nov 17, 2016
1,242
How does MemProtect/Pumpernickel differ from something like NVT SOB?
Also, where's Kaspersky Anti-Ransomware for Business?
 

Windows_Security

How does MemProtect/Pumpernickel differ from something like NVT SOB?
Also, where's Kaspersky Anti-Ransomware for Business?
KAPLAB-AR Free was uninstalled when I installed MemProtect Free.

PumperNickel is for managing access to disk, while SOB is for process/DLL/driver execution.

With MemProtect you can manage (or encapsulate, in my case) whether a process is allowed to access other process memory, using the Windows-internal "protected process" feature. The Parent Process feature of SOB is comparable with MemProtect. With MP you cannot implement a process execution whitelist as with SOB; with SOB you can protect against file-based DLL injection as with MP, but MP also protects against in-memory DLL injections (as is done with process hollowing, for instance). With SOB you have DLL control on DLL name/location/signer/etc., with MP only on location.
 

XIII

Level 5
Verified
Sep 20, 2016
162
Just did a clean format and tried out the majority of this configuration. It is VERY strong. Too strong for a gamer/programmer, it would take forever to set up the right permissions for all my software. When I have the time, I'm going to try this again because it is much more efficient than installing software on your PC to do the job for you.
 

Handsome Recluse

Why did you choose to use MemProtect but not Pumpernickel then? Is there some sort of overlap with Pumpernickel that doesn't apply to MemProtect?
 
