It will help stop the spread quite a bit however (even if it can access user local data). There's a reason escalation path attacks are still the gold standard (start small and move up).
You can also run something like AppLocker and whitelist all the apps you use.
Also, instead of separate physical boxes, why not just use a VM?
> It will help stop the spread quite a bit however (even if it can access user local data).
Users should be running limited user accounts for daily-driver Windows machines.
Having said that, today's attacks are all about the data. It's all about exfil/ransomware/blackmail because there's money to be had there. On an individual home user PC there's no lateral movement or bigger targets to attack.
> You can also run something like AppLocker and whitelist all the apps you use.
That's a bit overkill for a personal machine and it won't be licensed for AppLocker anyway.
AppLocker is also a gigantic pain-in-the-ass on corporate machines. My experience with configuring AppLocker for anything other than very task-specific computers is that it's a huge and unending ordeal of whitelisting, trying again, whitelisting more, trying again. Wash, rinse, get complaints from end users, repeat.
> Also, instead of separate physical boxes, why not just use a VM?
Pragmatism. I have a bunch of extra low-spec laptops lying around. My machines are, for the most part, cast-off Customer garbage. I haven't actually spent money on a reasonable machine since about 2015. >smile<
> Also, instead of separate physical boxes, why not just use a VM?
> Pragmatism. I have a bunch of extra low-spec laptops lying around. My machines are, for the most part, cast-off Customer garbage. I haven't actually spent money on a reasonable machine since about 2015. >smile<
But you either need to set up a secure tunnel on each one, or lose access anytime you are away from home.
> But you either need to set up a secure tunnel on each one, or lose access anytime you are away from home.
Mostly isn't a problem for me. On the off chance I'd need the banking remotely I'd just take it with me. Mostly I don't do the sensitive stuff remotely and I rarely travel anymore.
Like I said in the parent post, I should be using Qubes. I'm just lazy.