Metanis
Well-Known Member
- Reaction score
- 810
- Location
- Medford, WI, USA
I always worry about destructive ransomware. Even the best of us can perform one bad mouse click.
So I recently performed a self-audit of where my own internal machines and network stand. Here in my home/office I run three Win10Pro, one Win7Sp1Pro, one Win8.1Pro, and one Server 2012 machine. I maintain a 10-user license for Norton Security although I don't bother installing it on every machine.
I've reviewed a few articles lately and even posts here on Technibble which indicate that Windows Security on Win10 has improved significantly. In addition, Microsoft has implemented a number of security features. So I embarked on a quest to improve the security of my own systems.
After upgrading my three Win10 machines to version 1809 I opened the Windows Security tab in the Settings App. There are now a number of different security settings which can be implemented. I made sure that every setting and option was installed and selected.
There are a number of new things in the Windows Security area that deserve a look. For example, under “App & Browser Control” I made sure that every Exploit Protection option was enabled. Then I installed the Windows Defender Application Guard which allows Edge to be run in a virtualized sandbox.
Under Virus and Threat Protection I found an option called Ransomware protection. In there I enabled Controlled Folder Access which actually caused me to uninstall my Norton Security. Microsoft requires it’s own Windows Defender application to run in order to use Controlled Folder Access. And I certainly don’t want two AV process running at the same time.
Next I had to “white list” my most frequent programs. The GUI method to do this is painful but since you are locking down your User folders it requires explicit control over which apps are allowed access. I thought to myself it would be very painful to do this in a business environment with dozens of machines to touch. If I were doing this for real at a business I’d be using Group Policy for sure!
They may be a few years late to the party but you can actually implement a rather safe environment using Win10 Professional. I performed the same steps on my wife’s Win10Pro machine and so far she hasn’t squawked once about being denied access to anything!
Controlled Folder Access is the next best thing to actually running User-level accounts rather than Admin!
Meanwhile, my machines not running Win10 are still on Norton, CryptoPrevent, and defaulting to User mode rather than Admin.
Every machine uses Chrome (with uBlock Origin) as the default browser. And my internal server DNS points to CloudFlare’s public DNS service for Internet name resolution.
I feel a slight bit more secure from the random drive-by malignancy after reviewing and implementing these changes.
So I recently performed a self-audit of where my own internal machines and network stand. Here in my home/office I run three Win10Pro, one Win7Sp1Pro, one Win8.1Pro, and one Server 2012 machine. I maintain a 10-user license for Norton Security although I don't bother installing it on every machine.
I've reviewed a few articles lately and even posts here on Technibble which indicate that Windows Security on Win10 has improved significantly. In addition, Microsoft has implemented a number of security features. So I embarked on a quest to improve the security of my own systems.
After upgrading my three Win10 machines to version 1809 I opened the Windows Security tab in the Settings App. There are now a number of different security settings which can be implemented. I made sure that every setting and option was installed and selected.
There are a number of new things in the Windows Security area that deserve a look. For example, under “App & Browser Control” I made sure that every Exploit Protection option was enabled. Then I installed the Windows Defender Application Guard which allows Edge to be run in a virtualized sandbox.
Under Virus and Threat Protection I found an option called Ransomware protection. In there I enabled Controlled Folder Access which actually caused me to uninstall my Norton Security. Microsoft requires it’s own Windows Defender application to run in order to use Controlled Folder Access. And I certainly don’t want two AV process running at the same time.
Next I had to “white list” my most frequent programs. The GUI method to do this is painful but since you are locking down your User folders it requires explicit control over which apps are allowed access. I thought to myself it would be very painful to do this in a business environment with dozens of machines to touch. If I were doing this for real at a business I’d be using Group Policy for sure!
They may be a few years late to the party but you can actually implement a rather safe environment using Win10 Professional. I performed the same steps on my wife’s Win10Pro machine and so far she hasn’t squawked once about being denied access to anything!
Controlled Folder Access is the next best thing to actually running User-level accounts rather than Admin!
Meanwhile, my machines not running Win10 are still on Norton, CryptoPrevent, and defaulting to User mode rather than Admin.
Every machine uses Chrome (with uBlock Origin) as the default browser. And my internal server DNS points to CloudFlare’s public DNS service for Internet name resolution.
I feel a slight bit more secure from the random drive-by malignancy after reviewing and implementing these changes.
