Skip over existing policy definitions by adding the missing definitions in the Windows system file folder directory. Use PowerShell 7 to enter Microsoft Management Console, etc. Download files by renaming their format to anything else that is unrelated and at least 5 characters long. The policy is still in test for remote.
You see SYSTEM without remote access in the management console components defaults.
You give Everyone full permission and every other group/user combined that are not Everyone, Authenticated, Local user and administrators groups, INTERACTIVE, CONSOLE LOGON in a group with major NT SERVICES - separately with NETWORK, SERVICE, SYSTEM including NETWORK SERVICE, LOCAL SERVICE in the registry, without inheriting to control set services. User Rights Assignment in Group Policy needs Administrators, Users, NETWORK, SERVICE, SYSTEM including NETWORK SERVICE, LOCAL SERVICE in every descriptor too.
Classes, Windows Runtime and HKEY_USERS user identifier entries can only be read by the group/user combination, and users can only read them too. The same goes for the WMI root in the management console and for the components management console, where that group/user combination and users themselves are given only local access for components and only enabled account in the WMI root as the entry is being added. In the components defaults, IUSR, ANONYMOUS, power users and guests are blocked, and in the limits only power users and guests are blocked.
Permissions are done without overriding as parent.
The server software file system maps, high-end security software maps or internet-demanding file system maps like Steam for gaming are given read-only access for users themselves, and the group/user combination that you made in the users management console is given the same read-only access, by any chance removing Authenticated Users, and giving your own single user account profile read and execute permission.
Snort automatic service with community rules, Comodo OpenEDR, BestCrypt Data Shelter whole drive with default policy, and Disk Drill licensed with BeeThink DDoS protection.
To wrap it up, you deny log on locally in User Rights Assignment to the group/user combination that you made, and all other deny entries, like deny log on as a batch job or deny remote desktop, have the Guests group blocked. Don't forget to create a group within itself for your single user account profile; it will be added automatically to your user profile.
Use encrypted containers or encrypted virtual hard drives instead of disk encryption for any work since internet. A BIOS password for memory is the best solution in case of formatting methods furtherless.
Check whether LOCALHOST and COMPUTER NAME are in the Internet Options restricted sites list.
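One way to run this check from PowerShell, as an added example that is not part of the original text. It assumes the classic Internet Options zone map registry layout, in which zone 4 is Restricted sites; the function name `Test-RestrictedSite` is hypothetical.

```powershell
# Added example: report whether localhost and this computer's name are mapped
# to the Restricted sites zone (zone 4) in the Internet Options zone map.
$RestrictedZone = 4
$names = @('localhost', $env:COMPUTERNAME) | Where-Object { $_ }

# Per-user and per-machine site lists edited through Internet Options.
$domainRoots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
)
# Group Policy "Site to Zone Assignment List": value name = site, data = zone.
$policyLists = @(
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey',
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
)

function Test-RestrictedSite {
    param([string]$Name)
    foreach ($root in $domainRoots) {
        $key = Join-Path $root $Name
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($valueName in $item.GetValueNames()) {
            # Value name is a protocol (http, https, *); data is the zone number.
            if ($item.GetValue($valueName) -eq $RestrictedZone) { return $key }
        }
    }
    foreach ($list in $policyLists) {
        if (-not (Test-Path -LiteralPath $list)) { continue }
        $item = Get-Item -LiteralPath $list
        foreach ($valueName in $item.GetValueNames()) {
            # Strip an optional scheme prefix before comparing the site name.
            $site = $valueName -replace '^[a-z\*]+://', ''
            if ($site -ieq $Name -and "$($item.GetValue($valueName))" -eq "$RestrictedZone") {
                return $list
            }
        }
    }
    return $null
}

foreach ($n in $names) {
    $hit = Test-RestrictedSite -Name $n
    [pscustomobject]@{ Name = $n; Restricted = [bool]$hit; Source = $hit }
}
```

The `Source` column shows which registry key supplied the Restricted sites mapping, which distinguishes a Group Policy entry from one set by hand in Internet Options.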
The end. Enjoy.
Microsoft 365 Conditional Access
You permit no one to your Azure subscription, you do not save passwords even in Edge, and you can manage access to all Azure subscriptions and management groups in this tenant. Your administrative unit is empty. You have no allowed guests, users or directory roles other than global administrators. You are in the global administrators group and you have no SSO, API or web applications.










