What is your security setup these days?

Discussion in 'other anti-malware software' started by dja2k, Dec 15, 2005.

  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    OK, so about 70GB gets encrypted and you don't notice any delay; not bad. I don't need full disk encryption, but it would be nice to protect the most important data. On the other hand, it's probably only necessary if someone steals my desktop or laptop. I'm not that worried about malware; normal data protection tools are enough, so without any encryption.

    Yes I remember this tool, it's nice but I don't really need it. I tried to run it via Sandboxie, but it couldn't be done probably because of the limited rights.
     
  2. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,800
    Location:
    Italy
    W.10 Home x64 21H1
    Local Account - Standard user - Limited permissions
    UAC maximum - Always notify
    Quad9 DNS
    OneDrive, Cortana, Advertising ID, Web Search - disabled
    Usage of location data for Cortana disabled
    Telemetry OFF
    Removed some Windows optional features.

    Microsoft Defender Firewall hardened with H_C.
    Microsoft Defender hardened with Configure Defender

    • Ransomware protection - disabled
    • No run in a sandbox
    • Core Isolation: Memory integrity - disabled
    • Some software hardened with maximum AE protection
    • All Windows Exploit Protection options - enabled
    MS Edge --disable-webgl

    Edge://flags:

    • Block scripts loaded via document.write
    • Automatic HTTPS
    • Experimental Tracking Prevention Features
    • Strict-Origin-Isolation
    • Strict Extension Isolation (Probably not necessary with my 2 extensions.)
    • Super Duper Secure Mode
    Extensions:

    MS Store - Decentraleyes
    Chrome Store - UBO - Hard Mode
     
    Last edited: Sep 11, 2021
  3. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    1,164
    Comodo FW in Proactive Mode,
    Hips Disabled
    Silent Mode
    v12.2.2.8012

    WD disabled
     
  4. Bertazzoni

    Bertazzoni Registered Member

    Joined:
    Apr 13, 2018
    Posts:
    745
    Location:
    Milan, Italia
    Windows 10 'till '25
    Hardened Microsoft Defender
    VoodooShield Pro
    Edge µBO Hard Mode
    Quad9 DOH
     
  5. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,970
    Location:
    USA
    Added Privacy Badger to Chrome. Removed Privacy Possum that was still running as active extension, despite no longer being available in Chrome Web Store.
     
  6. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,970
    Location:
    USA
    I see that Decentraleyes was updated recently, on September 6, 2021. Previously it had gone a long time without updating.
     
  7. moredhelfinland

    moredhelfinland Registered Member

    Joined:
    Mar 31, 2009
    Posts:
    410
    Location:
    Finland
    Trying this setup on my very slow laptop (1.2 GHz, 4 GB, 5400 rpm):

    Windows 10 LTSC
    Comodo Firewall+FortiClient Free AV. Both are tweaked for max performance and security.
    Really light and effective setup for old and slow PC computers. Does not drain/rape your laptop battery/HDD down like WD did before this setup.
    uBlock Origin and McAfee Web Boost (disable battery draining autoplay videos)
     
  8. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,535
    Location:
    U.S.A. (South)
    Besides the signature footnote below:

    Windows 8.1 Pro & Home - Windows Defender
    Windows 10 Home - Micro Defender + DefenderUI (Beta)

    Wise Vector Stop X on both a magnificent supporting role.

    Browsers - Chromium (Latest) + Chrome (Latest) (STANDARD) with only uBlockOrigin/Cookie Notice Blocker/NoScript
    Non-Sandboxed = No Problem.

    Dissenter Browser (Alternative)

    Windows 10 Firefox Browser AND Edge
     
  9. KonradPL

    KonradPL Registered Member

    Joined:
    Jan 4, 2020
    Posts:
    8
    Location:
    Poland
    My current PC setup :)

    Win 11 Pro (IE - off, SMB - off, PowerShell 2.0 - off)
    Edge browser with some tweaks for security
    MKS_VIR set to max with backup on files
    MKS_VIR Secure Browser
    Onedrive premium
    Adguard Premium with AG DNS
    WD My Cloud with WD Backup software
     
  10. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,800
    Location:
    Italy
    W.10 Home x64 21H1 (My daughter's pc)
    Local Account - Standard user - Limited permissions
    UAC maximum - Always notify
    Quad9 DNS
    OneDrive, Cortana, Advertising ID, Web Search - disabled
    Usage of location data for Cortana disabled
    Telemetry OFF
    Removed some Windows optional features
    Disabled many services.

    Microsoft Defender Firewall hardened with H_C.
    Microsoft Defender hardened with Configure Defender - High - Average CPU Load scanning (10%)

    • Ransomware protection - disabled
    • No run in a sandbox
    • Some software hardened with maximum AE protection
    Edge://flags:
    • Block scripts loaded via document.write
    • Automatic HTTPS
    • Experimental Tracking Prevention Features
    • Strict-Origin-Isolation
    • Strict Extension Isolation
    Extensions:

    MS Store:

    • Decentraleyes
    Chrome Store:

    • UBO - Hard Mode - with TLD by Kees1958
    • Stream Recorder
    • Video DownloadHelper
    • Speed Dial [FVD]

    This 11 year old pc is now very light and performant.:)


     
    Last edited: Sep 21, 2021
  11. nicolaasjan

    nicolaasjan Registered Member

    Joined:
    Sep 23, 2018
    Posts:
    985
    Location:
    The Netherlands
    @Sampei Nihira
    Concerning your LinuxLite adventure (#18):

    There's not much of a security setup needed, compared to Windows.

    Administrative tasks need a password.

    Antivirus is not needed (there's not much Linux malware and that is mostly aimed at servers anyway).
    Malicious shell-scripts downloaded from the internet first need to be made executable for them to work and then can't do anything outside the user environment without providing the root password.

    Enable the firewall (if needed; I'm not familiar with LinuxLite).

    The largest attack vector is of course the browser, but you already know how to harden that. ;)

    As always; have a decent backup strategy.

    Last advice:
    Set up a large enough /home partition during install.
    Makes reinstalling much easier.
     
  12. nicolaasjan

    nicolaasjan Registered Member

    Joined:
    Sep 23, 2018
    Posts:
    985
    Location:
    The Netherlands
    Oh,
    And avoid installing software from sources other than the official repositories, unless necessary.
     
  13. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,100
    Location:
    Canada
    @Sampei Nihira

    For easy and effective default-deny incoming only firewall:

    1. sudo apt-get install ufw
    2. sudo ufw enable

    then to check its status:

    3. sudo ufw status verbose
     
  14. nicolaasjan

    nicolaasjan Registered Member

    Joined:
    Sep 23, 2018
    Posts:
    985
    Location:
    The Netherlands
    From the LinuxLite forum:

     
  15. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,800
    Location:
    Italy
    Thanks guys.:thumb:
    It's been a long time since I last used iptables (I don't remember at all the GUI I preferred), my daughter was in middle school, today she's 27 years old, so it's been about 17 years.
    I have to resume some concepts.:confused:

    A question to both of you.:)
    Do you use software to clean the browser?
    Like CCleaner.
    I would plan to use BleachBit and use it exclusively for the browser, Firefox is perfect for Linux.
     
  16. nicolaasjan

    nicolaasjan Registered Member

    Joined:
    Sep 23, 2018
    Posts:
    985
    Location:
    The Netherlands
    That can more safely be done within Firefox itself.
    Bleachbit can do harm to your system if used wrong, especially when running it as root.
    https://forums.linuxmint.com/viewtopic.php?p=994769#p994769

    The link in the above quote is dead now. It's here now:
    https://easylinuxtipsproject.blogspot.com/p/fatal-mistakes.html#ID4

    As a matter of fact, I've set up Firefox to have its cache on the built-in "RAM drive" /dev/shm.

    Code:
    browser.cache.disk.enable ---> true
    
    browser.cache.disk.capacity ---> 491520
    
    browser.cache.disk.parent_directory ---> /dev/shm/firefox
    Set the capacity lower if not enough RAM.
    The cache will be gone at shutdown of course.
     
    Last edited: Oct 2, 2021
  17. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,800
    Location:
    Italy
    Saved this page
    Thank you.:thumb:;):)
    I need to check if it is suitable for my needs.
     
  18. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,100
    Location:
    Canada
    Hi Sampei,

    no I don't use a cleaner for the browser. I run Firefox in Firejail with the shortcut command: "firejail /usr/lib/firefox-esr/firefox-esr -no-remote %u" with a firejail-default profile enforced under apparmor.

    Of course I know you don't want to use Firejail or apparmor ;) , but I feel the same as @nicolaasjan that you are still running securely without additional security measures other than the firewall under Linux.
     
  19. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,800
    Location:
    Italy
    Th.;):)
    I don't use a dedicated sandbox with Windows, and even more so I don't consider using a sandbox under Linux.
    But I understand that others have different needs from mine.
     
  20. nicolaasjan

    nicolaasjan Registered Member

    Joined:
    Sep 23, 2018
    Posts:
    985
    Location:
    The Netherlands
    Oh,
    Remember that /dev/shm is limited to half of the installed RAM (8GB in my case).


    That's not really a lot in case of your sister's PC...

    Oh,
    And if you want Chromium to use RAM for its cache, append to your shortcut:

    Code:
     --disk-cache-dir=/dev/shm/chromium/ --disk-cache-size=536870912 %U
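
Added example, not part of the posts above: a shell sketch that checks the Firefox and Chromium cache sizes quoted in this thread against the size of /dev/shm and creates the cache directory privately, since /dev/shm is world-writable. The 50% budget, the function names and the `show` argument are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). Firefox's browser.cache.disk.capacity
# is in KiB; Chromium's --disk-cache-size is in bytes.

# Size of the tmpfs behind a mount point, in KiB.
shm_size_kib() {
    df -Pk "${1:-/dev/shm}" | awk 'NR == 2 { print $2 }'
}

# KiB available to caches if they may use percent% of the tmpfs
# (the percentage is this example's assumption, not a browser setting).
cache_budget_kib() {    # args: shm_kib percent
    echo $(( $1 * $2 / 100 ))
}

# True if a Firefox cache (KiB) plus a Chromium cache (bytes) fit the budget.
caches_fit() {          # args: firefox_kib chromium_bytes budget_kib
    [ $(( $1 + ($2 + 1023) / 1024 )) -le "$3" ]
}

# /dev/shm is world-writable, so create the cache directory private (0700)
# and refuse symlinks or directories owned by another user.
prepare_cache_dir() {   # args: dir
    if [ -L "$1" ]; then return 1; fi
    if [ -e "$1" ]; then
        [ -d "$1" ] && [ -O "$1" ] || return 1
    else
        mkdir -m 700 "$1" || return 1
    fi
    chmod 700 "$1"
}

# user.js lines matching the three prefs from the post.
firefox_prefs() {       # args: capacity_kib dir
    printf 'user_pref("browser.cache.disk.enable", true);\n'
    printf 'user_pref("browser.cache.disk.capacity", %d);\n' "$1"
    printf 'user_pref("browser.cache.disk.parent_directory", "%s");\n' "$2"
}

chromium_flags() {      # args: size_bytes dir
    printf '%s' "--disk-cache-dir=$2 --disk-cache-size=$1"
}

# Run as: sh thisfile show   (uses the sizes quoted in the thread)
if [ "${1:-}" = "show" ]; then
    budget=$(cache_budget_kib "$(shm_size_kib)" 50)
    caches_fit 491520 536870912 "$budget" || echo "caches exceed budget" >&2
    firefox_prefs 491520 /dev/shm/firefox
    chromium_flags 536870912 /dev/shm/chromium/; echo
fi
```

The two sizes from the thread add up to 1015808 KiB (480 MiB for Firefox plus 512 MiB for Chromium), which is the figure to compare against whatever share of /dev/shm you are willing to give up.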
     
  21. nicolaasjan

    nicolaasjan Registered Member

    Joined:
    Sep 23, 2018
    Posts:
    985
    Location:
    The Netherlands
  22. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,800
    Location:
    Italy
    I would never use Chromium in Linux.
    The pc is my daughter's, not sister's.;):)


    It would be interesting instead to use the Command Line Switch in Edge under Windows.
    But not all Switches of Peter Beverloo's list work in Edge.
    It would be necessary to verify.

    P.S.

    Interesting you entered perfectly 0.5 GB in bytes, is this cache size enough for your needs?
     
    Last edited: Oct 3, 2021
  23. nicolaasjan

    nicolaasjan Registered Member

    Joined:
    Sep 23, 2018
    Posts:
    985
    Location:
    The Netherlands
    It's enough for me, because I never browse a long time with Chromium.
    And I guess the browser deletes older entries when reaching that limit?

    Here you are:
    https://www.thewindowsclub.com/change-microsoft-edge-cache-size-in-windows-10 :)
    [Edit]
    The switch is formatted a bit differently for Edge:
    Code:
    --disk-cache-size-<size in bytes>
    I just included that tip for others that might want to use it. ;)
     
    Last edited: Oct 3, 2021
  24. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,100
    Location:
    Canada
    Ahhh, but there is a benefit:

    https://chromium.googlesource.com/chromium/src/+/HEAD/docs/linux/sandboxing.md

    Especially the Seccomp-BPF sandbox type. But I admit that's not even enough to persuade me to use Chrome in Linux let alone any other OS platform :D
     
  25. nicolaasjan

    nicolaasjan Registered Member

    Joined:
    Sep 23, 2018
    Posts:
    985
    Location:
    The Netherlands