Advanced Plus Security WhiteMouse's Security Config 2023

Last updated
Jan 1, 2023
How it's used?
For home and private use
Operating system
macOS 15 Sequoia
On-device encryption
BitLocker Device Encryption for Windows
Log-in security
    • Biometrics (Windows Hello PIN, TouchID, Face, Iris, Fingerprint)
Security updates
Allow security updates and latest features
User Access Control
Always notify
Smart App Control
Off
Network firewall
Enabled
Real-time security
Microsoft Defender
Firewall security
Microsoft Defender Firewall
About custom security
  • Security Baseline for Windows 11 22H2, Microsoft Edge and Microsoft Office.
  • Custom WDAC policy: Default Windows + Microsoft recommended block rules + Whitelist all files in Program Files by digital signature or hash + HVCI strict mode.
  • Microsoft Edge: Super Duper Secure mode on for all sites.
Periodic malware scanners
None
Malware sample testing
I do not participate in malware testing
Browser(s) and extensions
Microsoft Edge: Adblock Plus, Bitwarden
Desktop VPN
Mullvad VPN
Password manager
Bitwarden
Maintenance tools
Storage Sense
File and Photo backup
OneDrive
System recovery
Macrium Reflect
Risk factors
    • Browsing the Internet without an ad-blocker
    • Browsing to unknown / untrusted / shady sites
    • Working from home
    • Opening email attachments
    • Buying from online stores, entering bank card details
    • Logging into my bank account
    • Downloading software and files from reputable sites
    • Gaming
    • Streaming audio/video content from trusted sites or paid subscriptions
    • Streaming audio/video content from shady sites
Notable changes
2023/1/1: Replace IVPN with Mullvad VPN
2022/12/31: Added Bitwarden extension
2022/12/21: Added Adblock Plus extension
What I'm looking for?

Not looking for any feedback.

I got my signed WDAC policies up and running without issue. Feel free to ask anything.
Is there a way to install a specific program (i.e. K-Lite codecs, it's dropping some files to the sys32 directory) without temporarily deploying an Allow* policy (disabling WDAC)? Modifying the supp policy doesn't work because it somehow blocks random temp/? system32/? directory access and lots I'm not even aware of 🤔😉
 
Is there a way to install a specific program (i.e. K-Lite codecs, it's dropping some files to the sys32 directory) without temporarily deploying an Allow* policy (disabling WDAC)? Modifying the supp policy doesn't work because it somehow blocks random temp/? system32/? directory access and lots I'm not even aware of 🤔😉
This is one thing that I still haven't had an answer for yet. Many application updaters love to drop an unsigned file into the temp folder; there's not much I can do about it. I think the most secure way to install those programs is to deploy a base policy with ISG (rule 14) - and hope that it doesn't block any files during install, install the program, then revert back to the old base policy.
 
This is one thing that I still haven't had an answer for yet. Many application updaters love to drop an unsigned file into the temp folder; there's not much I can do about it. I think the most secure way to install those programs is to deploy a base policy with ISG (rule 14) - and hope that it doesn't block any files during install, install the program, then revert back to the old base policy.
In the future I'm planning to add temp/ ProgramFiles*/ ProgramData and system32/ as FilePath rules to an unsigned supp policy for test purposes (I'm aware it possesses risk but CS-CFW will handle the rest 👩🏼‍🦲🤷🏽‍♀️)
 
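The thread above discusses two policy changes: turning on ISG (rule option 14) in a base policy, and adding FilePath rules for temp, ProgramData and similar folders to a supplemental policy. The following added example, which is not code from any participant in the thread, audits a WDAC policy XML for both before it is deployed. The sample policy, the `audit_policy` function and the `USER_WRITABLE` list are constructed assumptions for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"si": "urn:schemas-microsoft-com:sipolicy"}
ISG = "Enabled:Intelligent Security Graph Authorization"        # rule option 14
NO_RUNTIME_CHECK = "Disabled:Runtime FilePath Rule Protection"  # rule option 18
# Assumption: path fragments treated here as writable by non-admin users.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\")

# Constructed, trimmed supplemental policy (not taken from the thread).
SAMPLE = r"""<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy" PolicyType="Supplemental Policy">
  <Rules>
    <Rule><Option>Enabled:Unsigned System Integrity Policy</Option></Rule>
    <Rule><Option>Disabled:Runtime FilePath Rule Protection</Option></Rule>
  </Rules>
  <FileRules>
    <Allow ID="ID_ALLOW_A_1" FriendlyName="temp" FilePath="%OSDRIVE%\Users\*\AppData\Local\Temp\*" />
    <Allow ID="ID_ALLOW_A_2" FriendlyName="pf" FilePath="%OSDRIVE%\Program Files\*" />
    <Allow ID="ID_ALLOW_A_3" FriendlyName="pd" FilePath="%OSDRIVE%\ProgramData\*" />
    <Allow ID="ID_ALLOW_A_4" FriendlyName="sys" FilePath="%SYSTEM32%\*" />
    <Deny ID="ID_DENY_D_1" FriendlyName="by name" FileName="foo.exe" />
  </FileRules>
</SiPolicy>"""


def audit_policy(xml_text):
    """Return ISG state, runtime FilePath protection state and risky allow rules."""
    root = ET.fromstring(xml_text)
    options = {o.text.strip()
               for o in root.findall("si:Rules/si:Rule/si:Option", NS) if o.text}
    risky = []
    for rule in root.findall("si:FileRules/si:Allow", NS):
        path = rule.get("FilePath")  # None for hash or file-attribute rules
        if path and any(marker in path.lower() for marker in USER_WRITABLE):
            risky.append((rule.get("ID"), path))
    return {"isg_enabled": ISG in options,
            "runtime_protection": NO_RUNTIME_CHECK not in options,
            "risky_rules": risky}


if __name__ == "__main__":
    report = audit_policy(SAMPLE)
    print("ISG (option 14) enabled:", report["isg_enabled"])
    print("Runtime FilePath protection on:", report["runtime_protection"])
    for rule_id, path in report["risky_rules"]:
        print("user-writable FilePath allow rule:", rule_id, path)
```

With runtime FilePath rule protection left on, WDAC does not honour a FilePath rule whose path is writable by non-administrators, so the flagged rules only take effect once option 18 is set, which is the combination the audit is meant to surface.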