Hardening MS Windows
#1
Attack Surface Reduction
Attack Surface Reduction (ASR), a security feature of Microsoft Windows 10, forms part of Microsoft Defender Exploit Guard. It is designed to combat the threat of malware exploiting legitimate functionality in Microsoft Office applications. In order to use ASR, Microsoft Defender Antivirus must be configured as the primary real-time antivirus scanning engine on workstations.
ASR offers a number of attack surface reduction rules; these include:
  • Block executable content from email client and webmail
    BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
  • Block all Office applications from creating child processes
    D4F940AB-401B-4EFC-AADC-AD5F3C50688A
  • Block Office applications from creating executable content
    3B576869-A4EC-4529-8536-B80A7769E899
  • Block Office applications from injecting code into other processes
    75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
  • Block JavaScript or VBScript from launching downloaded executable content
    D3E037E1-3EB8-44C8-A917-57927947596D
  • Block execution of potentially obfuscated scripts
    5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
  • Block Win32 API calls from Office macro
    92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
  • Block executable files from running unless they meet a prevalence, age, or trusted list criterion
    01443614-CD74-433A-B99E-2ECDC07BFC25
  • Use advanced protection against ransomware
    C1DB55AB-C21A-4637-BB3F-A12568109D35
  • Block credential stealing from the Windows local security authority subsystem (lsass.exe)
    9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2
  • Block process creations originating from PSExec and WMI commands
    D1E49AAC-8F56-4280-B9BA-993A6D77406C
  • Block untrusted and unsigned processes that run from USB
    B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4
  • Block Office communication application from creating child processes
    26190899-1602-49E8-8B27-EB1D0A1CE869
  • Block Adobe Reader from creating child processes
    7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C
  • Block persistence through WMI event subscription
    E6DB77E5-3DF2-4CF1-B95A-636979351E5B
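As an added example (not part of the post above, and not Microsoft's own script), the following PowerShell enables the fifteen rules listed above, verifies what Defender actually reports back, and pulls recent rule hits from the event log. It assumes an elevated session with Microsoft Defender Antivirus as the active real-time engine, as the post requires; the rule descriptions are shortened from the list above.

```powershell
# Added example, not part of the original post: enable the ASR rules listed above
# in Block mode (or Audit mode with -Audit) and report the resulting configuration.
# Assumes an elevated session and Microsoft Defender Antivirus as the active
# real-time engine, as the post requires.
param([switch]$Audit)

# Rule GUIDs exactly as listed in the post, with shortened descriptions.
$asrRules = [ordered]@{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Executable content from email client and webmail'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Office apps creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Office apps creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Office apps injecting code into other processes'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'JavaScript/VBScript launching downloaded executables'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Potentially obfuscated scripts'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Win32 API calls from Office macros'
    '01443614-CD74-433A-B99E-2ECDC07BFC25' = 'Executables failing prevalence/age/trusted-list criteria'
    'C1DB55AB-C21A-4637-BB3F-A12568109D35' = 'Advanced ransomware protection'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Credential stealing from LSASS'
    'D1E49AAC-8F56-4280-B9BA-993A6D77406C' = 'Process creation from PsExec and WMI'
    'B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4' = 'Untrusted/unsigned processes from USB'
    '26190899-1602-49E8-8B27-EB1D0A1CE869' = 'Office communication apps creating child processes'
    '7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C' = 'Adobe Reader creating child processes'
    'E6DB77E5-3DF2-4CF1-B95A-636979351E5B' = 'Persistence through WMI event subscription'
}

# Start in AuditMode on a pilot group: rule hits are logged (event 1122) but not
# enforced, which surfaces line-of-business software that would break under Block.
$action = if ($Audit) { 'AuditMode' } else { 'Enabled' }

foreach ($id in $asrRules.Keys) {
    # Add-MpPreference merges into the existing rule set rather than replacing it,
    # so rules configured elsewhere (Intune, GPO) are not dropped.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                     -AttackSurfaceReductionRules_Actions $action
}

# Verify. Get-MpPreference returns the rule IDs and a parallel array of action codes.
$actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id   = $pref.AttackSurfaceReductionRules_Ids[$i]
    $code = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
    $desc = if ($asrRules.Contains($id)) { $asrRules[$id] } else { '(rule not in the list above)' }
    '{0}  {1,-8}  {2}' -f $id, $actionNames[$code], $desc
}

# Rules from the list that are still missing after the change point to a policy
# source (typically a GPO) that overrides local preferences.
$missing = $asrRules.Keys | Where-Object { $pref.AttackSurfaceReductionRules_Ids -notcontains $_ }
if ($missing) { Write-Warning ('Not applied: ' + ($missing -join ', ')) }

# Recent rule hits: event 1121 = blocked, 1122 = audited.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
```

Run it once with -Audit on a pilot group and review the 1122 events for a week before switching to Block; the prevalence/age rule (01443614-...) and the obfuscated-script rule (5BEB7EFE-...) are the ones most likely to hit in-house tooling.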
#2
Early Launch Antimalware
Another key security feature of Trusted Boot, supported by Microsoft Windows 10 and motherboards with a Unified Extensible Firmware Interface (UEFI), is Early Launch Antimalware (ELAM). Used in conjunction with Secure Boot, an ELAM driver can be registered as the first non-Microsoft driver that will be initialised on a workstation as part of the boot process, thus allowing it to verify all subsequent drivers before they are initialised. The ELAM driver is capable of allowing only known good drivers to initialise; known good and unknown drivers to initialise; known good, unknown and bad but critical drivers to initialise; or all drivers to initialise. To reduce the risk of malicious drivers, only known good and unknown drivers should be allowed to be initialised during the boot process.
The following Group Policy setting can be implemented to ensure only known good and unknown drivers will be initialised at boot time.
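As an added example (not part of the post above), this PowerShell sets the ELAM driver load policy to "Good and unknown" and checks the two prerequisites the post names, UEFI Secure Boot and a registered ELAM driver. DriverLoadPolicy under HKLM\SYSTEM\CurrentControlSet\Policies\EarlyLaunch is the registry value that the Boot-Start Driver Initialization Policy Group Policy setting writes; on a domain-joined host the GPO re-applies its own value at the next refresh, so configure it there rather than locally. The check for the WdBoot driver assumes Microsoft Defender is the ELAM provider.

```powershell
# Added example, not part of the original post: configure the ELAM boot-start
# driver initialization policy to "Good and unknown" and check the prerequisites
# the post names (UEFI Secure Boot, a registered ELAM driver).
# Requires an elevated session; the policy change takes effect at the next boot.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Policies\EarlyLaunch'
$name = 'DriverLoadPolicy'

# Documented DriverLoadPolicy values; 3 is the effective default when the value is unset.
$policyNames = @{
    0 = 'Good only'
    1 = 'Good and unknown'
    3 = 'Good, unknown and bad but critical'
    7 = 'All'
}
$desired = 1

function Get-ElamDriverLoadPolicy {
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$name
}

function Set-ElamDriverLoadPolicy([int]$Value) {
    if (-not $policyNames.ContainsKey($Value)) { throw "Unsupported DriverLoadPolicy value $Value" }
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name $name -Value $Value -Type DWord
}

# Prerequisite 1: UEFI with Secure Boot on. Confirm-SecureBootUEFI returns $false
# when Secure Boot is off and throws on legacy BIOS firmware.
try {
    if (-not (Confirm-SecureBootUEFI)) {
        Write-Warning 'Secure Boot is disabled; ELAM alone does not protect the early boot chain.'
    }
} catch {
    Write-Warning "Not a UEFI system: $($_.Exception.Message)"
}

# Prerequisite 2: an ELAM driver is registered. WdBoot is Microsoft Defender's
# ELAM driver (assumption: Defender is the AV in use, as post #1 requires).
$elam = Get-CimInstance Win32_SystemDriver -Filter "Name='WdBoot'"
if ($elam) { "ELAM driver: $($elam.Name) state=$($elam.State) start=$($elam.StartMode)" }
else       { Write-Warning 'No WdBoot ELAM driver found; check which AV registered an ELAM driver.' }

# Apply the policy only if it differs from the desired value.
$current = Get-ElamDriverLoadPolicy
$currentName = if ($null -eq $current) { "not configured (effective default 3: $($policyNames[3]))" }
               else { $policyNames[$current] }
"Current DriverLoadPolicy: $currentName"
if ($current -ne $desired) {
    Set-ElamDriverLoadPolicy -Value $desired
    "Set DriverLoadPolicy to $desired ($($policyNames[$desired])); reboot to apply."
}
```

Value 1 is the setting the post recommends: unknown drivers still load, so a newly installed but not yet classified driver does not brick the boot, while drivers the ELAM driver classifies as bad are refused.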
#3
Can MS Defender Antivirus replace security bundle products like Norton 360? Or does it just work as an antivirus? Does anybody know if it can block cryptomining PowerShell scripts loaded in memory?
#4
I don't think so. 
A helpful tip I've found is to get a firewall like tinywall that blocks everything except what you allow, so even if you do get a coinminer, it won't be able to connect to the Internet.
Also try this and this. You may have to do some tweaking to get the right balance of running your software and blocking the rest.
Also you can adjust your software restriction policies with this to block coin miners running from specific folders.
The following 1 user says Thank You to ibay770 for this post: Skunk1966
#5
I once got ransomware; all the files on my laptop could not be opened.