• The basics of security


    #2386685

    ISSUE 18.33 • 2021-08-30 ON SECURITY By Susan Bradley What are the basics you need to secure your computers and devices? The needs of consumer and bus
    [See the full post at: The basics of security]

    Susan Bradley Patch Lady/Prudent patcher

    9 users thanked author for this post.
    • #2386687

      Overall, good summary information.

      Some comments on the consumer side:

      * An Internet security suite has a dozen or so security technologies incorporated beyond anti-virus, many of which most are not aware of. And these products are updated on at least a weekly or daily basis as threats evolve. Not clear to me Windows Defender covers all the bases.

      * Microsoft cannot be trusted with security. They put features & marketing strategy ahead of security. Defaults can be insecure. You should avoid surfing when running with your administrative account.

      * If you want to be super secure, not using SMS text for MFA for most accounts can be largely successful. I seem to recall NIST does not recommend cell phone text. But most web account providers wrongly suggest SMS text as the default MFA method.

      * Add: Your email accounts must be super secure and must use MFA. The trick is to configure MFA with some convenience: once a device is trusted, don’t prompt again, except for certain accounts.

      * Add: Your home router must be secured by changing the default password.

      Windows 10 22H2 desktops & laptops on Dell, HP, ASUS; No servers, no domain.

    • #2386702

      What is MFA? Multifactor authentication? HATED and not needed. I have never had any sort of infection in 22 years of using computers at home. Any website insisting on multifactor I will never visit. And I will not use it for ordinary POP email. I use POP email (6 different accounts from my ISP) and never needed ultra secrecy and never had a problem. If I wanted secure email, I would OF COURSE use a provider OUTSIDE the USA…preferably in Israel and I have several of that type of account also.

      1 user thanked author for this post.
      • #2386881

        Two-step is also awkward to use. Unfortunately, some banks use two-step when one logs in to one’s account to manage it online, as I do regularly these days because of my age and the resurging pandemic, even when I am already fully vaccinated.

        My own bank, the largest in the USA, I believe, does it on a random basis: sometimes I am required to get an email with a code and copy it to a field in the bank’s site before my login is completed. Some other places that require two-step do this by sending me a code via a voice telephone message, others send it in an email to my cell phone. So not always, but sometimes in some important cases, I must use two-factor authentication. And every time I connect to a government site from home, I am required to enter my PIN that is also stored in the chip on my badge, that I have to have inserted in a card reader attached to my computer with a dongle. So some people can get away with never having to use two-step authentication, some, like YT, can’t.

        Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

        MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
        Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
        macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

    • #2386705

      “We all need an operating system we can trust, a means to surf the Internet in a trustworthy fashion, and a way to save and store passwords securely .. we need an application or device to allow us to effectively and efficiently use multi-factor authentication.”

      It’s easy to agree to the above, but less so on how to achieve it, so it suits the individual users.  The summary is indeed helpful, as a starting point.  At the end of the day, it’s really up to the individual users to use something they feel comfortable about using all the time.

      I use Firefox 88.0.1 (pre-Proton) and feel good about it.  Playing with a userChrome.css is not for everyone (I have no problems), so that’s where I’ll remain for now (hoping Mozilla will listen to its users and develop the Proton UI accordingly).

      And I use the built-in Lockwise password manager with a strong primary/master password as I would not entrust my passwords to a 3rd party application (or cloud storage).  It’s not trivial to steal such Lockwise passwords.

      As to passwords, I either use GRC’s or Sordum’s password generator (typically random 22 alpha plus special characters).  I have 200 +/- passwords, so I’m all ears on security.

      I have a bias towards Norton’s NAV as I have used same for the past 30 years.  I would not use Defender (or any other MS anti-virus), in addition to NAV, I use MBAE Premium plus several demand scanners like AdwCleaner, MBAR Rootkit, RogueKiller and Hitman Pro.

      MFA is safer, but sending codes via text message ain’t so (and a pita when traveling).  I prefer email-based 2nd factor over text, but many web services won’t offer it.  Too bad.

      The only safe way to log into a bank or similar is a gadget based login imo, like scanning a QR Code or reading numbers on the screen as a basis for generating passwords.  All my banks use such logins.

      The subject is too big to cover in a few paras .. so I only cover a bit of what I prefer/use.

    • #2386704

      In your “Recommendations for consumer and home users” you say “Also consider using a two-factor authentication platform such as Authy or Microsoft Authenticator for additional protection.”
      I’ve looked through the information on the Authy website, and it looks like it would be a useful way of dealing with two-factor authentication, except that the range of sites that it can be used with is very restricted. I’ve looked through the sites it supports, and I cannot see any of the Banks which I have accounts with, indeed I can’t see any Banks at all! Surely Banks are the most important accounts to secure?

      2 users thanked author for this post.
      • #2386735

        I believe most banks use other types of security and 2FA. They tend to use authentication methods which are as secure or better than Authy or OAUTH. Just because a site doesn’t use Authy itself, does not mean the site is using something less secure. There are multiple players in this arena.

        On a different note, it was very interesting to say the least, to see how Microsoft once again with Windows 365 is trying to run everything as Local Administrator. This is a problem going waaaay back with Microsoft, and apparently even in the Cloud, the Company is genetically incapable of learning any lessons about this issue.

        -- rc primak

        1 user thanked author for this post.
        • #2386750

          Whilst Banks use “authentication methods which are as secure or better than Authy or OAUTH”, all the ones which I’m aware of require the use of a mobile phone.  As Susan says, this leads to the risks associated with SIM-card attacks, and also means that you need to have a mobile signal as well as an internet connection in order to log in.

          1 user thanked author for this post.
    • #2386734

      Dashlane password storage has recently switched to being an EXTENSION to a browser. Is their new iteration any more secure than just storing them in a browser?

      1 user thanked author for this post.
    • #2386739

      Great article Susan!

      I do have 2 small suggestions.

      1. Windows Defender is now (and has been for awhile) called Microsoft Defender. I think we need to try hard to break the habit and start calling it by its correct name, or maybe just “Defender”.
      2. While I agree completely with your 4 basic steps, I feel one more step should be included. And that is; “5. Don’t be ‘click-happy’ on unsolicited links, popups, downloads, and attachment.”  Socially engineered methods of malware distribution (tricking the user to click on a malicious link) is one of the most successful methods used by the bad guys to compromise our computers and networks. If users would just pause for a second to question what they see, then maybe they won’t bypass the previous 4 steps by NOT opening the door and inviting the bad guy in.


      Bill (AFE7Ret)
      Freedom isn't free!

      5 users thanked author for this post.
      • #2387203

        Yes, #2 is not a small suggestion.  In fact it is a critical one for all to understand.  There is no current fix for all bad links and bad downloads, even after taking all security precautions.  The best you can do is not to click much when running as an administrator. Do your web browsing as a regular user.

        Microsoft has “Run as administrator”.  How about “Run as regular user”?  Or “Run as a specific user”?  Is there any way to start a browser as a regular user when running in an administrative account?  Would that be more secure?

        Windows 10 22H2 desktops & laptops on Dell, HP, ASUS; No servers, no domain.

    • #2386747

      What about LINUX ????

      1 user thanked author for this post.
    • #2386771

      Stealing passwords stored in your browser is trivial,

      My passwords stored in Microsoft Edge are securely encrypted and can’t be used or viewed without Windows Hello Face authentication. How would you go about stealing them in a trivial manner?

      Microsoft Edge password manager security

      Windows Hello integration in Microsoft Edge

      1 user thanked author for this post.
    • #2386778

      Microsoft’s bad defaults
      Recently Microsoft released a cloud computer platform called Windows 365. It allows businesses of any size to have a hosted Windows 10 (and soon Windows 11) instance in the cloud but otherwise act like a desktop operating system. I signed up for the beta and was surprised (and a bit shocked) to find it configured with what I consider to be less-than-ideal defaults. I found that Windows was deployed to the assigned end user with local administrator rights!

      How would you be able to configure or update it without an administrator as the first user?

      • #2386873

        A wizard to walk you through setup.  Not a dump into Admin and then no guidance (and no license for intune built in) to better secure it.

        Susan Bradley Patch Lady/Prudent patcher

        2 users thanked author for this post.
        • #2386999

          A wizard to walk you through setup.

          But then how would you manage maintenance in the future without an admin account?

          • #2387103

            Intune/Endpoint manager for overall control/pushing out updates etc.  And you don’t need an administrator account all the time, just for deploying/installing software.  So having a wizard that sets up the multiple accounts and prompts you to log in with the non admin would be WAY preferred rather than the way it is now.

            Susan Bradley Patch Lady/Prudent patcher

            1 user thanked author for this post.
    • #2386791

      The problem with any article focusing on the basics of security is that it will always be too short. But where to draw the line? I have a Defensive Computing website that is, both too long (no one will ever do everything on the list) and too short (things will always be missing) at the same time.

      https://DefensiveComputingChecklist.com


      Get up to speed on router security at RouterSecurity.org and Defensive Computing at DefensiveComputingChecklist.com

      5 users thanked author for this post.
      • #2386883

        As I see it, at least, this discussion is prompted by a short list of the most basic basics. A full list of all sensible things one can do has to be quite a long one, as you have noted.

    • #2386813

      I am currently running Kaspersky Security Cloud, which I have been using for a few years now after dumping Norton.  (Long story…)

      I am really wondering if I am better off using Defender or not because part of me sees Microsoft as simply a bigger target.  Thoughts?

      • #2386877

        I honestly see antivirus in general as reactionary.  Someone has to get nailed for a definition file to be built.  Thus I look for an a/v that won’t get in the way of updating or my other security functions.

        Susan Bradley Patch Lady/Prudent patcher

        3 users thanked author for this post.
    • #2386865

      The first is an up-to-date browser.

      I like my Firefox 68 ESR. It works best and I have not been hacked yet. The new version of Firefox breaks many of my sites. If needed, I use an agent switcher to mimic a new browser. Plus, my other computer runs Windows 98 and cannot run a newer OS. I need it for programs that work only on Windows 98.

      Second, and this may surprise you, don’t use a third-party antivirus product. In this era of zero-day vulnerabilities and phishing, all antivirus solutions are reactionary, not proactive.

      I do not have money to spend on another antivirus. Defender works fine. On my Windows 98, Avast stopped working and KernelEx has not helped to run a newer OS. Nothing is running.

      Next, I strongly recommend using a password program in lieu of storing passwords in your browser. Stealing passwords stored in your browser is trivial, and writing down passwords on paper doesn’t force you to choose good passwords.

      A piece of paper is better. It is next to my computer and is safe from hard drive failure. Plus I have a backup paper in my fireproof box.

      Last but not least, ensure that you have a good two-factor authentication process — and use it on a regular basis.

      I have no cell phone. I have to find a bypass method for it. Many have ways to bypass. For my bank, I have to use an Excel generator to bypass it since it is mathematically based with a time element added. For work, I use another Excel generator which is time based with a PIN code. Took me 5 days to figure out the PIN code to get it to work. IT would not provide it. Two-factor is too easy to bypass now. It was safe 5 years ago when computers were too slow to break the algorithm used for it.

      • #2386878

        The only thing that may be keeping you secure is that attackers are not focusing on Windows 98 as a viable target.   🙂  I have to do online functions and thus there’s no way I could use a Windows 98 computer.

        Susan Bradley Patch Lady/Prudent patcher

        1 user thanked author for this post.
    • #2386905

      Thus I look for an a/v that won’t get in the way of updating or my other security functions.

      I have used Kaspersky for years on years. It never got in the way of updating or interfered with other security software / functions.

      Promoting Defender instead of 3rd party A/Vs

      Remember the link for ‘Secure Browsers That Protect Your Privacy‘ in response to https://www.askwoody.com/forums/topic/tasks-for-the-weekend-august-28-2021-trying-out-new-browsers/#post-2386511 ?

      It has the following advice :

      Just like with Windows, it’s a good idea to avoid Microsoft products, including Internet Explorer, and their newer browser called Edge.

    • #2386909

      I have always used 3rd-party AVs: Norton, McAfee, Webroot (Win PCs), and first Webroot and now Intego in the Mac. And by “always” I mean: as long as I have had the choice of AV because I had my own computer, that is to say since October of 1998 to this day. I am not sure what might be the fundamental problem with using any of these. Some are better than others, true enough, but that is always to be expected when comparing things of the same kind.

      • #2386968

        I have to admit, I don’t understand Susan’s statement in the newsletter about using an AV program “that doesn’t interfere with Windows updates”. Over the decades, I’ve used a variety of third-party AV software, and none of it has ever interfered with Windows updates; nor have I ever heard of such a thing happening to other people.


        • #2387033

          Seems to me that a year or two ago there were issues with some Windows patches borking some computers with a 3rd party AV.

          I don’t remember details (which Windows version or which 3rd party AV) because I’ve always used either Security Essentials or Defender and so didn’t pay much attention to the issue, but I’m pretty sure it happened. Seemed like there was a bunch of finger pointing between MS and the 3rd party vendor.

        • #2387105

          Oh I can list tons:

          Mind you many of these were with service packs and feature releases.

          Avast nailed Windows 7 many times as I recall.

          Bitdefender (?) nailed Windows 8 as I recall.

          https://news.softpedia.com/news/microsoft-fixes-windows-10-antivirus-black-screen-issues-532396.shtml  Nailed 10 back then

          Bottom line every free a/v I would urge people to either not use it or make sure it was uninstalled and reinstalled after feature releases and service packs.

          THEN layer on that many attackers use vulnerabilities in third party a/v to gain more privileges on the machine.

          Because home users (especially pre targetreleaseversion) didn’t have many tools to hold back feature releases they would often see issues with third party antivirus.

          Susan Bradley Patch Lady/Prudent patcher

          1 user thanked author for this post.
    • #2386920

      The fact that many US banks require 2FA via text message (sms) just shows how (ignorant and) provincial they are. My travels often take me to places where I have WiFi access, but no cell signal. Even if I have a signal, I frequently use a local SIM card. And, besides, not all US cell plans allow texting abroad. So, go figure!

      Fortunately, my banks use “gadget” based 2FA: during the login process, using a gadget, I scan a color-dot square (on the screen) and get a code. Or I use numbers (on the screen) to feed a gadget to get a code.

      I see the “basics of security” summary as just that, a summary of reminders (to look over my security). The only issue I have is that it recommends a couple of “definitive” actions, some of which I don’t agree with.  There is no one size fits all.

      1 user thanked author for this post.
    • #2387035

      a – wondering if AskWoody would do a review of a few of the password managers available, as trusted sources for comparison reviews of these I can count on one hand and have fingers left over?

      PC Magazine’s site has done some reviews, and it’s not sufficient to make me comfortable in picking any of the ones that it recommends, but my incomplete sense tells me to try BitWarden Premium (USD 10/yr), as it allows 2FA with any FIDO U2F compatible security key (one with NFC would work nicely with my mobile phone!) – thoughts?

      2 – Services like Comcast’s xFi Advanced Security, in combination with Microsoft Defender – presuming I’m not going all darkweb or illegal streaming or other risky business online (downloading Windows 10 or Office 2016 patches without checking MS-DEFCON is more than enough risk for me, thank you very much!), it seems to me to be, although not perfect (since no antivirus or antithreat is perfect), adequate.

      But, Windows is recommending I set up OneDrive for ransomware recovery purposes.  Can someone point me to how to do this (never mind, Fred Langa did that in February, reading that now!)

      Anything else that I am missing here?

      Thanks!

      • #2387107

        https://www.csoonline.com/article/3198507/the-6-best-password-managers.html  Does this help?  Mind you it’s business not consumer…

        Susan Bradley Patch Lady/Prudent patcher

        2 users thanked author for this post.
        • #2387177

          The overlap between the CSO Online and the PC Magazine lists is sufficient to make me feel more comfortable with those rated well by both, so yes, it does help – grazie!

          1 user thanked author for this post.
      • #2387108

        PC Magazine has disappointed me before and more than once with their recommendations, so I pay no attention to it anymore.

      • #2387134

        review of a few of the password managers

        The best password manager is one you are comfortable using, regardless of whether it’s free or you paid for it.

        Roboform is popular for ease of use, but it’s not free.
        KeePass is relatively complex, but powerful and free.
        Bitwarden has a free and paid version.
        etc.

        cheers, Paul

      • #2387200

        I use Roboform’s paid product and I never see it reviewed.  It always seems to be the same password managers reviewed.

        In these days of side deals with writers or publications I don’t know if the reason some password managers aren’t reviewed is because the missing managers are disliked, or simply won’t pay to play?

        • #2387201

          That one above awaiting moderation was me.  I wasn’t signed in when I replied to the email I received.

    • #2387056

      wondering if AskWoody would do a review of a few of the password managers

      It is on my list, but I’m not sure we have the resources to do it. PC Magazine has done its comparative reviews of password managers for a very long time and, as a former ZDer myself, I’m sorry to say that I agree with you.

      The problem is that all these programs provide basically the same function. The differences will be very nuanced. It takes time and experience to fully understand these products in that depth and thus provide you with a trusted review.

      2 users thanked author for this post.
      • #2387078

        If you noted PC Magazine has been doing these reviews for a very long time, I can’t justify asking you to allocate scarce resources to doing them here as well, and as far as the price of BitWarden Premium, it’s not so much to try it out for a year and see how well it does for me.

        And when you say “the differences will be very nuanced”, that is enough for me to use those PC Magazine existing reviews for this purpose, as reading those reviews, yes, there was lots of nuance indeed (heaven knows how many review links I’ve seen today from sources I’ve never heard of, compared to those I have – yikes!)

        Question withdrawn, with gratitude – thanks!

    • #2387114

      What are the basics you need to secure your computers and devices?

      The same basics I’ve been using for two and a half decades.  Safe practices; delete email attachments which you are not expecting.  Never click on a link in an email supposedly from a site you regularly visit (phishing)—open the site’s login page in your browser as you normally would.  Load your browser with security add-ons/extensions/blockers.  Use reliable (not bloatware) AV/AM software.  For me that is currently Microsoft Defender and Malwarebytes Premium.

      Establish and stick to a regular regimen of drive imaging for your OS, programs and data.  Use multiple copies in multiple places, especially offline HDDs.  A file of which you don’t have at least two additional copies is a file you don’t care about.

      I have had one piece of malware in all my years of PC use, in the late ’90’s, off a floppy disk for a utility which was given to me by an IT Pro.  He was quite embarrassed, but I had been using a Colorado Tape Drive, and I didn’t lose anything.

      Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
      We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.
      We were all once "Average Users".

      3 users thanked author for this post.
    • #2387147

      For me that is currently Microsoft Defender and Malwarebytes Premium.

      That has been my security baseline for about ten years, but recently I bumped into a problem with Malwarebytes.

      First, OneDrive is essential to our ability to run AskWoody. I was experiencing severe slowdowns and after some research and experimentation (and a couple of tips from Fred Langa), I discovered that if I shut down Malwarebytes, the performance problems vanished.

      Second, once Malwarebytes shut down, I discovered that Defender had been disabled. I had previously configured both so they could live in some sort of detente, but Malwarebytes disabled that, apparently on its own. Unacceptable.

      Third, once I put Defender back in charge, it found a piece of hidden adware that Malwarebytes missed. The fact that it was adware made me very suspicious. The point of having Malwarebytes in the first place was to assure that this sort of thing did not creep into my system. Unacceptable.

      So, performance hog, silent reconfiguration, missed (or ignored) malware. I cancelled my account and uninstalled Malwarebytes.

      This plays into Susan’s point about non-interference with Windows.

      3 users thanked author for this post.
      • #2387196

        That has been my security baseline for about ten years, but recently I bumped into a problem with Malwarebytes.

        I assume that you were on the subscription model of Malwarebytes Premium.  I am not.  I already had a lifetime license when Malwarebytes made the switch to subscriptions, but I didn’t take the bait.

        Malwarebytes continues to support the lifetime license version, and I’m currently on Malwarebytes Premium v4.4.4.  I don’t experience any performance issues, and both Malwarebytes and Microsoft Defender are fully active and functional.

        Windows-Security

        Malwarebytes

        I also have a Microsoft 365 account and OneDrive.  I have no issues with either.  I use Robocopy to duplicate OneDrive on my NAS, plus all the files/photos/media in OneDrive are still located on my daily driver, and in drive images.  Everything works, and the performance of my systems is excellent as far as I can tell.

        2 users thanked author for this post.
      • #2387202

        I had a similar issue a few years ago and quit Malwarebytes Premium.  About the same time I, along with many others, also had a problem with Norton 360.

        (They had forced users into taking certain actions we wouldn’t, put up the red icon in the System Tray and then told us that was working as intended even if it was causing false positives.  So many of us left.  I had a year of paid service on my subscription and still uninstalled and left.)

        That is when I decided to try Kaspersky Security Cloud.  I have not seen performance hits or have had problems with my system.

    • #2387154

      The same basics I’ve been using for two and a half decades.

      I ditto that .. except that I used a 120MB (!) “Mountain Tape Drive” for backup to recover a couple of times.

    • #2387206

      I assume that you were on the subscription model of Malwarebytes Premium.

      That’s right.

    • #2387214

      With my newest PC, I am back on Norton 360 and have experienced none of the problems with updates or performance that are mentioned in this thread. Together, the three Norton processes shown in Task Manager consume 0.1% of CPU time and less than 35 MB of memory, or just a little more than Task Manager itself.

      That said, their current product sometimes performs a “smart scan” that claims to identify “advanced issues” with the PC as a way to upsell me to some kind of “utilities” suite. I ignore that.

      On the other hand, the N360 subscription now includes a VPN, which it didn’t before, so that I don’t have to get one separately.


    • #2387215

      THEN layer on that many attackers use vulnerabilities in third party a/v to gain more privileges on the machine.

      And no hacker uses vulnerabilities in Defender to gain more privileges on the machine?

      A Windows Defender Vulnerability Lurked Undetected for 12 Years

      CRITICAL VULNERABILITY IN MICROSOFT DEFENDER EXPLOITED BY HACKERS; UPDATE NOW

      Windows Defender Hack: How it works and what you need to know…..

      • #2387217

        There’s no indication that the first or last of those was ever used by hackers.

        1 user thanked author for this post.
      • #2387355

        And no hacker uses vulnerabilities in Defender to gain more privileges on the machine?

        Did you read your first link or are you just looking for sample-size-of-one exceptions that you think renders moot the whole point?

        1. No solution is perfect.
        2. That vulnerability is already patched.
        3. The report (your link) clearly shows they found no evidence that vulnerability was ever discovered by the bad guys, or exploited by them.
        4. The bad guys would have to already have access to that machine in order to exploit that vulnerability (a HUGE hurdle).
        5. Interesting how a bug supposedly 12 years old existed in WD when WD did not come out until 2012 with the release of W8. The WD prior to that was a different program, an anti-spyware (previously named Giant Anti-spyware) program.
        6. Kaspersky? Really? You trust a product (and its CEO) that has a long history of ties to the Russian government? Crazy! Warning: A Security Flaw In Kaspersky AntiVirus Lets Hackers Spy Users Online, Millions At Risk. It is pretty sad when the 3rd party security solution itself is the bad guy injecting malicious code into our systems. 🙁
        7. Last – what incentive does Kaspersky and the other 3rd party solutions have to rid the world of malware? If malware were defeated, they all would go out of business! They no longer would have their adware and spyware (including “State sponsored” spyware) hooks in our systems. And Microsoft would stop getting relentlessly blamed by the MS bashers for the security mess the bad guys put us in; the security mess the 3rd party security programs failed to prevent!

        Is Microsoft Defender perfect? Of course not! No one has claimed it is. As noted above, no solution is. But it is important to remember that Microsoft is the only security solution provider that has the true incentive to keep our systems secure. Why? Because otherwise, they know there are lots of MS bashers in the IT media and Alex5723s out there ready to pounce on MS, Windows, and WD every chance they get to blame Microsoft, instead of the real offenders, for the security issues of today.

        Bill (AFE7Ret)
        Freedom isn't free!

        1 user thanked author for this post.
    • #2387262

      Perhaps it would be interesting to mention, I think, that neither Apple’s macOS nor Linux have “native” antimalware applications, so the millions of users of these systems, such as YT, have had to make do with “3rd party” ones, since the very beginnings of Macs and Linux PCs. And we are still around and, apparently at least, being no more vexed by malware intrusions than Windows users, who have such treasures at their disposal. Go figure.

      Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

      MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
      Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
      macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

      • #2387263

        Doesn’t macOS have XProtect and MRT?

        Protecting against malware in macOS

        1 user thanked author for this post.
        • #2387274

          Good point.

          Now:

          XProtect is buried deep and not accessible to ordinary users from the usual place in Finder/Applications or Finder/Applications/Utilities, as it is available in neither. It is one of the several protections against malware built into the OS or tightly bundled with it — including, these days, the full encryption of the OS.

          As to MRT, an MS product I believe, it is usually removed by Mac users, because it overloads the CPU.

          If one wishes to have antimalware one can use directly, and most likely we all do, there are only third-party applications for that, and probably everyone with a Mac uses one or more of these. (I use both Intego, recommended by Nathan Parker, for real-time as well as on-demand scanning, and Malwarebytes, free version, for on-demand scanning.)

          Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

          MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
          Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
          macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

          • #2387276

            As to MRT, an MS product I believe, it is usually removed by Mac users, because it overloads the CPU.

            MRT is not a Microsoft product:

            Apple Malware: Uncovering the Mysterious Removal (MRT) Tool Update

            2 users thanked author for this post.
            • #2387321

              Quoting from the article linked in the comment above:

              For users and endpoints, given the amount of new malware that has arisen in the last year that neither XProtect nor MRT recognizes, it remains a wise choice to ensure you have a more robust security solution installed on your Mac computers.

              And so it is, and that is why I am not the only Mac user that relies exclusively on 3rd-party anti-malware software of good repute. Not to mention that XProtect is not easy to find, let alone use, by most Mac users, while the same can be said of MRT. And neither is particularly useful, or even close to it, compared to MS’ antimalware software for Windows. From a practical point of view, this is not very different from these utilities not being installed in the Macs at all. They seem almost to be a gesture made by Apple to be able to say: “See? I am giving you, my dear users, software meant to protect you against malware. So there you go.”

              Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

              MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
              Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
              macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

    • #2387430

      I have switched from using Norton 360 Deluxe to using Windows Security with Malwarebytes premium, based on Susan’s recommendation. I think Windows Security provides deeper protection than third party tools can. It also has 100% rating from AV-Test:

      https://www.av-test.org/en/antivirus/home-windows/windows-10/june-2021/microsoft-defender-4.18-211316/

      I have added additional folders for Windows ransomware protection and turned on Core Isolation (after updating software and removing drivers that interfered). I also use ConfigureDefender https://github.com/AndyFul/ConfigureDefender per Susan’s recommendation in ComputerWorld to allow for Attack Surface Reduction. For Windows security, what we have is a failure to communicate

      “One option is to use third-party GitHub tools such as “Configure Defender” to download a zip file, extract it and run ConfigureDefender.exe. Once it’s launched, scroll down to the Exploit Guard section. In a recent blog post, Palantir details the settings it deems helpful for protection without slowing your system:

      • Block untrusted and unsigned processes that run from USB.
      • Block Adobe Reader from creating child processes.
      • Block executable content from email client and webmail.
      • Block JavaScript or VBScript from launching downloaded executable content.
      • Block persistence through WMI event subscription.
      • Block credential stealing from the Windows local security authority subsystem (lsass.exe).
      • Block Office applications from creating executable content.”

      ConfigureDefender with Susan's recommended ASR settings

      The Security Suites have good firewall interfaces, and automatically decide what to block outgoing and incoming.  Windows Firewall will automatically be active when not using Norton or third party firewall, however the Windows Firewall interface does not help you set up rules as needed and is not a good user interface.

Through the AskWoody Lounge, I learned about the free Malwarebytes Windows Firewall Control interface (Windows Firewall Control), which allowed me to have good firewall control without Norton and enabled me to switch from Norton.

      Windows Firewall Control
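The seven Attack Surface Reduction rules quoted above can also be set without ConfigureDefender, using the Defender cmdlets that ship with Windows. The following is an added example, not code from the post, the ComputerWorld article or the ConfigureDefender project; the rule GUIDs are Microsoft's published ASR rule identifiers, and the audit-first rollout is my suggestion rather than anything the post describes.

```powershell
# Added example: apply the seven Palantir-recommended ASR rules with the built-in
# Defender cmdlets. Run from an elevated PowerShell prompt on a machine running
# Microsoft Defender Antivirus. Rule GUIDs are Microsoft's published identifiers.
$AsrRules = [ordered]@{
    'Block untrusted and unsigned processes that run from USB'                = 'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4'
    'Block Adobe Reader from creating child processes'                         = '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c'
    'Block executable content from email client and webmail'                   = 'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550'
    'Block JavaScript or VBScript from launching downloaded executable content' = 'd3e037e1-3eb8-44c8-a917-57927947596d'
    'Block persistence through WMI event subscription'                         = 'e6db77e5-3df2-4cf1-b95a-636979351e5b'
    'Block credential stealing from LSASS'                                     = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
    'Block Office applications from creating executable content'               = '3b576869-a4ec-4529-8536-b80a7769e899'
}

# Start in AuditMode: Defender logs what it *would* have blocked (Event ID 1122 in the
# Microsoft-Windows-Windows Defender/Operational log) without stopping anything.
# Change to 'Enabled' once the audit events show no legitimate activity being hit.
$Action = 'AuditMode'   # 'Enabled' = block, 'AuditMode' = log only

foreach ($entry in $AsrRules.GetEnumerator()) {
    # Add-MpPreference appends to the existing rule list instead of replacing it.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $entry.Value `
                     -AttackSurfaceReductionRules_Actions $Action
    Write-Host ("{0,-10} {1}" -f $Action, $entry.Key)
}

# Read the configuration back so the result can be verified rather than assumed.
# Action codes: 0 = Disabled, 1 = Block (Enabled), 2 = AuditMode, 6 = Warn.
$pref    = Get-MpPreference
$ids     = @($pref.AttackSurfaceReductionRules_Ids)
$actions = @($pref.AttackSurfaceReductionRules_Actions)
for ($i = 0; $i -lt $ids.Count; $i++) {
    $match = $AsrRules.GetEnumerator() | Where-Object { $_.Value -ieq $ids[$i] }
    $name  = if ($match) { $match.Key } else { 'rule not in this list' }
    "{0} -> action {1}  ({2})" -f $ids[$i], $actions[$i], $name
}
```

Running the rules in audit mode first is the practical safeguard: the "Block executable content from email client and webmail" and "Block Office applications from creating executable content" rules in particular can interfere with legitimate add-ins and mail workflows, and the 1122 audit events tell you that before anything is actually blocked.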


    • #2387613

      No disrespect but I follow none of those rules/recommendations and yet, after 27 years of PC use from Win95 forward, I have yet to experience a virus, hack or security exposure and I have hundreds of apps/programs installed.

While I have and use Chrome, Edge & Waterfox browsers, my primary browser is the old FF ESR 52.9. Why? Because it is the only way I can continue to use an addon I consider essential for the way I operate, and that is TabMix Plus. Also NoScript.

      I use Comodo for Firewall and AV.  Have used it for 10-15 years.  No problems.  Definitely would not trust MS in either of these areas.

      I save passwords in the browsers but also use KeePass for password storage.  I’ve never gotten motivated to try and figure out how (or if) KeePass can insert passwords at an open website request in a browser.

      As for 2-factor, I use that on eBay & PayPal.  It’s too annoying and for me, unnecessary otherwise.

      Having worked in the computer industry for 35 years, I am well aware of security issues and am willing to accept the risks.

      1 user thanked author for this post.
    • #2387916

      Susan Bradley’s article on the basics of security was an eye opener regarding anti-virus products. Based on this I started re-evaluating my use of Norton. One of the reasons I used Norton was it also had a VPN.
      Did I need a VPN?
I have followed some of the discussion, but I think the most interesting article on VPNs came from Norton itself:
      “When you log onto the internet from home, you are typically doing so through your private, secured Wi-Fi. Your private Wi-Fi network should have a password, which keeps outsiders from seeing your internet activity. And you get this protection without having to take that extra step of first logging into a VPN service before accessing the web.”
      A number of articles have confirmed that especially if you are using https and browsing from home, the only snoop is your ISP. As Rhett Butler so aptly put it: “Frankly, my dear, I don’t give a damn.”
      In the end I decided to go with Windows Defender and to figure out a good VPN solution for my laptops for when I travel and I am not on my home network.
      This morning I jumped on a chat with Norton to cancel my subscription which I have had for years. Since they had just renewed it today, I was basically using the 60 day money back guarantee to opt out. They solved my VPN dilemma for a couple of upcoming trips we have. They offered a full Norton Security subscription for $24.99 for the upcoming year (as well as removing the auto-renewal). That is cheaper than any other VPN subscription. Not bad.
      This leads to a different strategy for the upcoming year.
      As I was getting tired of some of the Norton popups for their products, etc. I decided to use Windows Defender on my desktops and since I now have Norton for another year, I will leave Norton on the laptops.
      I have added Norton to the list of subscriptions which I always threaten with cancellation.
That being said, I am privacy conscious. I use Firefox/KeePass for my account-related information, constantly monitoring and deleting non-relevant cookies. I use Brave for any general browsing and delete all cookies and history on closing. I also took the step a year ago of deleting my Facebook account and do not use any social media site.
      I have had a computer since the CPM lunchbox days and not once been hacked, or even had a file quarantined. But never say never. You can’t protect against all threats. Thus: the key is back up, back up and back up again. I back up to a NAS, an external disk drive, an offsite disk drive, and I use OneDrive, all in a time rotation. I have additional back up steps for my photography and my music collection. And my main desktop and main laptop mirror each other, so if one gets hacked I would just blow it away and use the other for back up.

      • #2387929

        Don’t you find the tinfoil hat confining? (just kidding)

        I use Norton as well (having cancelled auto renewal myself). I have no issues with people using Defender… that’s their business. When I hear that MS took 8 months to patch a critical flaw, I am somewhat suspicious of its concern for my security.

        Norton is just fine and not nearly as confining as some of the solutions being offered.


        • #2387969

          I have no issues with people using Defender… that’s their business. When I hear that MS took 8 months to patch a critical flaw, I am somewhat suspicious of its concern for my security.

          A flaw in Defender? When was that?

    • #2388036

      Microsoft has “Run as administrator”. How about “Run as regular user”? Or “Run as a specific user”? Is there anyway to start a browser as a regular user when running in an administrative account? Would that be more secure?

      That’s where Linux always wins in a security comparison with Windows. Linux users by default are not admin users. Simple, eh?

      Windows 10 Pro 22H2

      • #2388044

        Windows admin users do not really have admin rights unless you turn UAC off. Even then you are restricted in certain ways.

        cheers, Paul

        1 user thanked author for this post.
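On the question of starting a browser as a non-admin from an administrative account: Windows does have a "run as a lesser user" path, it just is not on the right-click menu. The following is an added example, not something from either post; the browser path is an assumption to be adjusted, and the account name in the second option is a placeholder.

```powershell
# Added example (not from the thread): check whether this session holds a full
# administrator token, then launch a browser with reduced rights from an admin account.
# $Browser is an assumed path; point it at the browser you actually use.
$Browser = 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'

function Test-Elevated {
    # True only when the process has the unfiltered administrator token
    # (UAC-elevated, or UAC switched off). With UAC on, a logged-in admin's
    # normal session carries a filtered token and this returns False, which is
    # the point Paul makes above.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    ([Security.Principal.WindowsPrincipal]$id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

"Current session elevated: $(Test-Elevated)"

# Option 1: same account, restricted token. runas.exe's /trustlevel switch starts the
# program with the "Basic User" token (0x20000), which drops administrative group
# membership and privileges for that process only. No second account or password.
# `runas /showtrustlevels` lists the levels available on the machine.
Start-Process -FilePath runas.exe -ArgumentList "/trustlevel:0x20000 `"$Browser`""

# Option 2: a dedicated standard-user account (placeholder name 'BrowsingUser').
# The browser then runs under that account's profile and permissions entirely.
# Start-Process -FilePath $Browser `
#     -Credential (Get-Credential -UserName 'BrowsingUser' -Message 'Standard user for browsing')
```

Option 1 matters most when UAC has been turned off or when the browser would otherwise be started from an already-elevated shell; with UAC on, the day-to-day session already runs with the filtered token. Option 2 is the stronger separation, since the browser cannot even read the administrator's profile.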
    • #2388056

Just ran the latest version of Belarc Advisor 11.0 and checked the Security Benchmark Score Details. Score: 3.76 of 10.

      Windows 10 Pro 21H1.

      Profile Date: Monday, September 6, 2021 10:03:33 AM
      Advisor Version: 11.0
      Windows Logon: USER

      Personal Home Use Only

      Security Benchmark Score Details

      Score: 3.76 of 10
      Benchmark: DISA – Windows 10, Version 1.18

      Operating System Settings Section Result: 12 of 15 settings pass

      pass 1. Domain-joined systems must use Windows 10 Enterprise Edition 64-bit version.
      fail 2. Windows 10 information systems must use BitLocker to encrypt all disks to protect the confidentiality and integrity of all information at rest.
      pass 3. Windows 10 systems must be maintained at a supported servicing level.
      pass 4. Local volumes must be formatted using NTFS.
      fail 5. Accounts must be configured to require password expiration.
      pass 6. Internet Information System (IIS) or its subcomponents must not be installed on a workstation.
      pass 7. Simple Network Management Protocol (SNMP) must not be installed on the system.
      pass 8. Simple TCP/IP Services must not be installed on the system.
      pass 9. The Telnet Client must not be installed on the system.
      pass 10. The TFTP Client must not be installed on the system.
      pass 11. The Windows PowerShell 2.0 feature must be disabled on the system.
      pass 12. The Server Message Block (SMB) v1 protocol must be disabled on the system.
      pass 13. The Server Message Block (SMB) v1 protocol must be disabled on the SMB server.
      pass 14. The Server Message Block (SMB) v1 protocol must be disabled on the SMB client.
      fail 15. The Secondary Logon service must be disabled on Windows 10.

      Account Lockout and Password Policy Settings Section Result:  5 of  9 settings pass

      pass 1. Windows 10 account lockout duration must be configured to 15 minutes or greater.
      pass 2. The number of allowed bad logon attempts must be configured to 3 or less.
      pass 3. The period of time before the bad logon counter is reset must be configured to 15 minutes.
      fail 4. The password history must be configured to 24 passwords remembered.
      pass 5. The maximum password age must be configured to 60 days or less.
      fail 6. The minimum password age must be configured to at least 1 day.
      fail 7. Passwords must, at a minimum, be 14 characters.
      fail 8. The built-in Microsoft password complexity filter must be enabled.
      pass 9. Reversible password encryption must be disabled.

      User Rights Assignments Section Result: 20 of 28 settings pass

      pass 1. The Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts.
      fail 2. The Access this computer from the network user right must only be assigned to the Administrators and Remote Desktop Users groups.
      pass 3. The Act as part of the operating system user right must not be assigned to any groups or accounts.
      fail 4. The Allow log on locally user right must only be assigned to the Administrators and Users groups.
      fail 5. The Back up files and directories user right must only be assigned to the Administrators group.
      fail 6. The Change the system time user right must only be assigned to Administrators and Local Service and NT SERVICE\autotimesvc.
      pass 7. The Create a pagefile user right must only be assigned to the Administrators group.
      pass 8. The Create a token object user right must not be assigned to any groups or accounts.
      pass 9. The Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service.
      pass 10. The Create permanent shared objects user right must not be assigned to any groups or accounts.
      pass 11. The Create symbolic links user right must only be assigned to the Administrators group.
      pass 12. The Debug programs user right must only be assigned to the Administrators group.
      fail 13. The Deny access to this computer from the network right must prevent unauthenticated access and access from highly privileged domain accounts and local accounts on domain systems.
      pass 14. The Deny log on as a batch job user right on domain-joined workstations must be configured to prevent access from highly privileged domain accounts.
      pass 15. The Deny log on as a service user right on Windows 10 domain-joined workstations must be configured to prevent access from highly privileged domain accounts.
      fail 16. The Deny log on locally user right on workstations must be configured to prevent access from highly privileged domain accounts on domain systems and unauthenticated access on all systems.
      fail 17. The Deny log on through Remote Desktop Services user right must be configured to prevent unauthenticated access and access from highly privileged domain and local accounts on domain systems.
      pass 18. The Enable computer and user accounts to be trusted for delegation user right must not be assigned to any groups or accounts.
      pass 19. The Force shutdown from a remote system user right must only be assigned to the Administrators group.
      pass 20. The Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service.
      pass 21. The Load and unload device drivers user right must only be assigned to the Administrators group.
      pass 22. The Lock pages in memory user right must not be assigned to any groups or accounts.
      pass 23. The Manage auditing and security log user right must only be assigned to the Administrators group.
      pass 24. The Modify firmware environment values user right must only be assigned to the Administrators group.
      pass 25. The Perform volume maintenance tasks user right must only be assigned to the Administrators group.
      pass 26. The Profile single process user right must only be assigned to the Administrators group.
      fail 27. The Restore files and directories user right must only be assigned to the Administrators group.
      pass 28. The Take ownership of files or other objects user right must only be assigned to the Administrators group.

      Security Options Settings Section Result: 18 of 40 settings pass

      pass 1. The built-in administrator account must be disabled.
      fail 2. The built-in guest account must be disabled.
      pass 3. Local accounts with blank passwords must be restricted to prevent access from the network.
      fail 4. The built-in administrator account must be renamed.
      fail 5. The built-in guest account must be renamed.
      fail 6. Audit policy using subcategories must be enabled.
      pass 7. Outgoing secure channel traffic must be encrypted or signed.
      pass 8. Outgoing secure channel traffic must be encrypted when possible.
      pass 9. Outgoing secure channel traffic must be signed when possible.
      pass 10. The computer account password must not be prevented from being reset.
      pass 11. The maximum age for machine account passwords must be configured to 30 days or less.
      pass 12. The system must be configured to require a strong session key.
      fail 13. The machine inactivity limit must be set to 15 minutes, locking the system with the screensaver.
      fail 14. Caching of logon credentials must be limited.
      fail 15. The Smart Card removal option must be configured to Force Logoff or Lock Workstation.
      fail 16. The Windows SMB client must be configured to always perform SMB packet signing.
      pass 17. Unencrypted passwords must not be sent to third-party SMB Servers.
      fail 18. The Windows SMB server must be configured to always perform SMB packet signing.
      pass 19. Anonymous enumeration of SAM accounts must not be allowed.
      fail 20. Anonymous enumeration of shares must be restricted.
      fail 21. The system must be configured to prevent anonymous users from having the same rights as the Everyone group.
      pass 22. Anonymous access to Named Pipes and Shares must be restricted.
      fail 23. Remote calls to the Security Account Manager (SAM) must be restricted to Administrators.
      fail 24. NTLM must be prevented from falling back to a Null session.
      fail 25. PKU2U authentication using online identities must be prevented.
      fail 26. Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites.
      pass 27. The system must be configured to prevent the storage of the LAN Manager hash of passwords.
      fail 28. The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM.
      pass 29. The system must be configured to the required LDAP client signing level.
      fail 30. The system must be configured to meet the minimum session security requirement for NTLM SSP based clients.
      fail 31. The system must be configured to meet the minimum session security requirement for NTLM SSP based servers.
      fail 32. The system must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing.
      pass 33. The default permissions of global system objects must be increased.
      fail 34. User Account Control approval mode for the built-in Administrator must be enabled.
      fail 35. User Account Control must, at minimum, prompt administrators for consent on the secure desktop.
      fail 36. User Account Control must automatically deny elevation requests for standard users.
      pass 37. User Account Control must be configured to detect application installations and prompt for elevation.
      pass 38. User Account Control must only elevate UIAccess applications that are installed in secure locations.
      pass 39. User Account Control must run all administrators in Admin Approval Mode, enabling UAC.
      pass 40. User Account Control must virtualize file and registry write failures to per-user locations.

      Audit Policy Settings Section Result: 18 of 36 settings pass

      fail 1. The system must be configured to audit Account Logon – Credential Validation failures.
      fail 2. The system must be configured to audit Account Logon – Credential Validation successes.
      pass 3. The system must be configured to audit Account Management – Security Group Management successes.
      fail 4. The system must be configured to audit Account Management – User Account Management failures.
      pass 5. The system must be configured to audit Account Management – User Account Management successes.
      fail 6. The system must be configured to audit Detailed Tracking – Process Creation successes.
      fail 7. The system must be configured to audit Logon/Logoff – Account Lockout failures.
      pass 8. The system must be configured to audit Logon/Logoff – Logoff successes.
      pass 9. The system must be configured to audit Logon/Logoff – Logon failures.
      pass 10. The system must be configured to audit Logon/Logoff – Logon successes.
      pass 11. The system must be configured to audit Logon/Logoff – Special Logon successes.
      fail 12. Windows 10 must be configured to audit Object Access – File Share successes.
      pass 13. Windows 10 must be configured to audit Object Access – Other Object Access Events successes.
      pass 14. Windows 10 must be configured to audit Object Access – Other Object Access Events failures.
      pass 15. The system must be configured to audit Policy Change – Audit Policy Change successes.
      pass 16. The system must be configured to audit Policy Change – Authentication Policy Change successes.
      fail 17. The system must be configured to audit Policy Change – Authorization Policy Change successes.
      fail 18. The system must be configured to audit Privilege Use – Sensitive Privilege Use failures.
      fail 19. The system must be configured to audit Privilege Use – Sensitive Privilege Use successes.
      fail 20. The system must be configured to audit System – IPSec Driver failures.
      pass 21. The system must be configured to audit System – Other System Events successes.
      pass 22. The system must be configured to audit System – Other System Events failures.
      pass 23. The system must be configured to audit System – Security State Change successes.
      fail 24. The system must be configured to audit System – Security System Extension successes.
      pass 25. The system must be configured to audit System – System Integrity failures.
      pass 26. The system must be configured to audit System – System Integrity successes.
      pass 27. Windows 10 permissions for the Application event log must prevent access by non-privileged accounts.
      pass 28. Windows 10 permissions for the Security event log must prevent access by non-privileged accounts.
      pass 29. Windows 10 permissions for the System event log must prevent access by non-privileged accounts.
      fail 30. Windows 10 must be configured to audit Other Policy Change Events Successes.
      fail 31. Windows 10 must be configured to audit Other Policy Change Events Failures.
      fail 32. Windows 10 must be configured to audit other Logon/Logoff Events Successes.
      fail 33. Windows 10 must be configured to audit other Logon/Logoff Events Failures.
      fail 34. Windows 10 must be configured to audit Detailed File Share Failures.
      fail 35. Windows 10 must be configured to audit MPSSVC Rule-Level Policy Change Successes.
      fail 36. Windows 10 must be configured to audit MPSSVC Rule-Level Policy Change Failures.

      Computer Configuration – Administrative Templates – System Settings Section Result:  0 of 14 settings pass

      fail 1. Command line data must be included in process creation events.
      fail 2. Windows 10 must be configured to enable Remote host allows delegation of non-exportable credentials.
      fail 3. Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers.
      fail 4. Group Policy objects must be reprocessed even if they have not changed.
      fail 5. Downloading print driver packages over HTTP must be prevented.
      fail 6. Web publishing and online ordering wizards must be prevented from downloading a list of providers.
      fail 7. Printing over HTTP must be prevented.
      fail 8. Systems must at least attempt device authentication using certificates.
      fail 9. The network selection user interface (UI) must not be displayed on the logon screen.
      fail 10. Local users on domain-joined computers must not be enumerated.
      fail 11. Users must be prompted for a password on resume from sleep (on battery).
      fail 12. Solicited Remote Assistance must not be allowed.
      fail 13. Users must be prevented from changing installation options.
      fail 14. The convenience PIN for Windows 10 must be disabled.

      Computer Configuration – Administrative Templates – Network Settings Section Result:  2 of  5 settings pass

      fail 1. Internet connection sharing must be disabled.
      pass 2. Hardened UNC Paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares.
      fail 3. Simultaneous connections to the Internet or a Windows domain must be limited.
      fail 4. Connections to non-domain networks when connected to a domain authenticated network must be blocked.
      pass 5. Wi-Fi Sense must be disabled.

      Computer Configuration – Administrative Templates – Windows Components Settings Section Result:  0 of 43 settings pass

      fail 1. The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft.
      fail 2. Autoplay must be turned off for non-volume devices.
      fail 3. The default autorun behavior must be configured to prevent autorun commands.
      fail 4. Autoplay must be disabled for all drives.
      fail 5. Enhanced anti-spoofing for facial recognition must be enabled on Window 10.
      fail 6. Microsoft consumer experiences must be turned off.
      fail 7. Administrator accounts must not be enumerated during elevation.
      fail 8. If Enhanced diagnostic data is enabled it must be limited to the minimum required to support Windows Analytics.
      fail 9. Windows Telemetry must not be configured to Full.
      fail 10. Windows Update must not obtain updates from other PCs on the Internet.
      fail 11. The Windows Defender SmartScreen for Explorer must be enabled.
      fail 12. Explorer Data Execution Prevention must be enabled.
      fail 13. Turning off File Explorer heap termination on corruption must be disabled.
      fail 14. File Explorer shell protocol must run in protected mode.
      fail 15. Users must not be allowed to ignore Windows Defender SmartScreen filter warnings for malicious websites in Microsoft Edge.
      fail 16. Users must not be allowed to ignore Windows Defender SmartScreen filter warnings for unverified files in Microsoft Edge.
      fail 17. Windows 10 must be configured to prevent certificate error overrides in Microsoft Edge.
      fail 18. The password manager function in the Edge browser must be disabled.
      fail 19. The Windows Defender SmartScreen filter for Microsoft Edge must be enabled.
      fail 20. Windows 10 must be configured to disable Windows Game Recording and Broadcasting.
      fail 21. Windows 10 must be configured to require a minimum pin length of six characters or greater.
      fail 22. Passwords must not be saved in the Remote Desktop Client.
      fail 23. Local drives must be prevented from sharing with Remote Desktop Session Hosts.
      fail 24. Remote Desktop Services must always prompt a client for passwords upon connection.
      fail 25. The Remote Desktop Session Host must require secure RPC communications.
      fail 26. Remote Desktop Services must be configured with the client connection encryption set to the required level.
      fail 27. Attachments must be prevented from being downloaded from RSS feeds.
      fail 28. Basic authentication for RSS feeds over HTTP must not be used.
      fail 29. Indexing of encrypted files must be turned off.
      fail 30. Users must be prevented from changing installation options.
      fail 31. The Windows Installer Always install with elevated privileges must be disabled.
      fail 32. Automatically signing in the last interactive user after a system-initiated restart must be disabled.
      fail 33. PowerShell script block logging must be enabled on Windows 10.
      fail 34. The Windows Remote Management (WinRM) client must not use Basic authentication.
      fail 35. The Windows Remote Management (WinRM) client must not allow unencrypted traffic.
      fail 36. The Windows Remote Management (WinRM) service must not use Basic authentication.
      fail 37. The Windows Remote Management (WinRM) service must not allow unencrypted traffic.
      fail 38. The Windows Remote Management (WinRM) service must not store RunAs credentials.
      fail 39. The Windows Remote Management (WinRM) client must not use Digest authentication.
      fail 40. Windows Ink Workspace configured but disallow access above the lock.
      fail 41. The Application event log size must be configured to 32768 KB or greater.
      fail 42. The Security event log size must be configured to 1024000 KB or greater.
      fail 43. The System event log size must be configured to 32768 KB or greater.

Computer Configuration – Administrative Templates – Other Settings Section Result:  1 of 11 settings pass

fail 1. The display of slide shows on the lock screen must be disabled.
      fail 2. IPv6 source routing must be configured to highest protection.
      fail 3. The system must be configured to prevent IP source routing.
      fail 4. The system must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF) generated routes.
      fail 5. The system must be configured to ignore NetBIOS name release requests except from WINS servers.
      pass 6. Local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems.
      fail 7. WDigest Authentication must be disabled.
      fail 8. The user must be prompted for a password on resume from sleep (plugged in).
      fail 9. Solicited Remote Assistance must not be allowed.
      fail 10. Unauthenticated RPC clients must be restricted from connecting to the RPC server.
      fail 11. The setting to allow Microsoft accounts to be optional for modern style apps must be enabled.

      Security Patches Section Result:  0 of  1 settings pass

      fail 1. Security Patches Up-To-Date

      1 user thanked author for this post.
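Several of the items in that report map to settings that can be checked directly with built-in cmdlets, which is useful for confirming a fix without re-running the whole benchmark. The following is an added example, not Belarc's output or the DISA benchmark itself, and it covers only the subset of the listed settings that have straightforward cmdlet or registry checks; the expected values are the ones the report's wording implies.

```powershell
# Added example: spot-check some of the DISA-derived settings from the Belarc report
# above with built-in cmdlets. Run in an elevated PowerShell prompt. Not Belarc's or
# DISA's code; covers only settings that have a simple cmdlet or registry check.

function Test-Setting {
    param([string]$Name, [scriptblock]$Check)
    # A check returns $true when the setting meets the benchmark expectation.
    # Any error (missing key, stopped service) is reported as a fail, not a crash.
    try   { $ok = [bool](& $Check) } catch { $ok = $false }
    "{0,-4} {1}" -f $(if ($ok) { 'pass' } else { 'fail' }), $Name
}

# Operating System Settings
Test-Setting 'Windows PowerShell 2.0 feature disabled' {
    (Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root).State -ne 'Enabled'
}
Test-Setting 'SMBv1 disabled on the SMB server' {
    -not (Get-SmbServerConfiguration).EnableSMB1Protocol
}
Test-Setting 'Secondary Logon service disabled' {
    (Get-Service -Name seclogon).StartType -eq 'Disabled'
}
Test-Setting 'BitLocker protection on the OS volume' {
    (Get-BitLockerVolume -MountPoint $env:SystemDrive).ProtectionStatus -eq 'On'
}

# Security Options (built-in accounts are matched by well-known RID, not by name,
# so the check still works after a rename)
Test-Setting 'Built-in Guest account disabled' {
    -not (Get-LocalUser | Where-Object { $_.SID -like 'S-1-5-21-*-501' }).Enabled
}
Test-Setting 'Built-in Administrator account disabled' {
    -not (Get-LocalUser | Where-Object { $_.SID -like 'S-1-5-21-*-500' }).Enabled
}
Test-Setting 'LanMan auth level: NTLMv2 only, refuse LM and NTLM (level 5)' {
    (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa').LmCompatibilityLevel -eq 5
}
Test-Setting 'UAC: administrators prompted on the secure desktop' {
    $p = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    ($p.ConsentPromptBehaviorAdmin -in 1, 2) -and ($p.PromptOnSecureDesktop -eq 1)
}

# Windows Components
Test-Setting 'PowerShell script block logging enabled' {
    (Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging').EnableScriptBlockLogging -eq 1
}
Test-Setting 'WinRM client: Basic authentication disabled' {
    # Needs the WinRM service running; otherwise the WSMan drive is unavailable.
    (Get-Item WSMan:\localhost\Client\Auth\Basic).Value -eq 'false'
}
Test-Setting 'Security event log size >= 1024000 KB' {
    (Get-WinEvent -ListLog Security).MaximumSizeInBytes -ge 1024000KB
}
```

On a home PC most of the domain-oriented items in the report (the "Deny log on" rights, the Kerberos and SYSVOL settings) are not meaningful, which is part of why a DISA benchmark scores a standalone machine so low. The checks above are the ones that still matter for a single workstation: the legacy protocol and feature removals, disabled built-in accounts, NTLM hardening, UAC behaviour and logging.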