Basic Security Itachi Sempai Security Config 2022

Last updated: Jan 8, 2022
How it's used?
Operating system: Windows 10
On-device encryption
Log-in security
Security updates: Allow security updates
User Access Control: Always notify
Smart App Control
Network firewall: N/A
Real-time security: Windows Defender
Firewall security
About custom security:
    COMODO firewall: proactive security with some tweaking is on (it's almost max usable security) + ports are stealthed
    Simple Windows Hardening: everything is on MAX settings
    SysHardener: everything is ON except error reporting service, superfetch and connections
Periodic malware scanners: no
Malware sample testing: I do not participate in malware testing
Browser(s) and extensions:
    browser is only Chrome
    ScriptSafe is installed and every blocking option is on, I whitelist the websites that I want to visit
    Sandboxie Plus runs Chrome, it is on default settings, don't know how to tweak it yet (Comodo's virtualization is bad)
Secure DNS: 9.9.9.9
Desktop VPN: no
Password manager: MYKI password manager
    it is an offline manager, installs on phone and sends password to desktop but no cloud sync (I am a little concerned about this one, it's not open source)
Maintenance tools: no
File and Photo backup: no
System recovery: no
Risk factors:
    • Browsing to popular websites
What I'm looking for?
Looking for maximum feedback.

Itachi Sempai

Level 2
Thread author
Verified
Sep 20, 2017
93
Windows is LTSC 2021 + manually disabled some useless services + VeraCrypt is used to encrypt system drive and to store some files in vaults too... the only other software installed is 7zip and LibreOffice, both open source
there is a separate Android phone (will switch to iPhone soon) only for MYKI password manager 2FAs and trading apps... every other app that I could delete is deleted and every permission is restricted to every other app

any advice would be greatly appreciated 👽
 

Kongo

Level 35
Verified
Top Poster
Well-known
Feb 25, 2017
2,478
> windows is LTSC 2021 + manually disabled some useless services + VeraCrypt is used to encrypt system drive and to store some files in vaults too... the only other software installed is 7zip and libreoffice both open source
> there is separate android phone (will switch to iphone soon) only for MYKI password manager 2FA,s and trading apps... every other app that i could delete is deleted and every permission is restricted to every other app
>
> any advice would be greatly appreciated 👽

Solid config even though I personally wouldn't use Chrome nowadays as there are so many more privacy-friendly and better options after all. At least in my opinion. Consider doing backups if you have any important data stored on your PC.
Think about removing SysHardener as you already have Simple Windows Hardening and Comodo Firewall's HIPS and it's outdated anyway.
Otherwise nice config. :)
 

Itachi Sempai

> Solid config even tho I personally wouldn't use Chrome nowadays as there are so many more privacy friendly and better options after all. At least in my opinion. Consider doing backups if you have any important data stored on your PC.
> Think about removing SysHardener as you already have Simple Windows Hardening and Comodo Firewall's HIPS anyway.
> Otherwise nice config. :)

Thanks for response... privacy is not a concern as long as Google employees don't attack this PC or leak some info, but security is top priority and I think Chrome is overall most secure

SysHardener only enables some security settings on Windows, it is not run actively, so I use it only once after installing Windows
 

Shadowra

Level 33
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,243
Don't use an ad blocker?
If so, I recommend NextDNS, which will block them, but also protect our browsing!

On the other hand, I recommend you some software to make backups.
Not only in case of malware infection, but also in case of hard drive failure...

And finally, make scans with other tools than your antivirus.
Malwarebytes is a reference in this matter, but you have others! (like Norton Power Eraser, KVRT, Eset Online Scan etc)
 

Kongo

> thanks for response... privacy is not a concern as long as google employees dont attack this PC but security is top priority and i think chrome is overall most secure
>
> syshardener only enables some security settings on windows it is not run actively so i use it only once after installing windows

Maybe you know it already, but instead of SysHardener you can take a look at Hard_Configurator: Hard_Configurator – GUI to manage Software Restriction Policy (SRP) and harden Windows
It is still being updated and the dev is active here. @Andy Ful
 

Itachi Sempai

> Maybe you know it already but instead of SysHardener you can take a look at Hard_Configurator: Hard_Configurator – GUI to manage Software Restriction Policy (SRP) and harden Windows
> Still is being updated and the dev is active here. @Andy Ful

I know that it is very solid but I find it difficult to figure out that program (it will take too much time), while Simple Windows Hardening is a reforged Hard_Configurator but it has a simple UI and essential components... as far as I see, SysHardener and Simple Windows Hardening overlap just a little but there are a lot of settings that are unique for each of them
 

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,505
ScriptSafe is a great tool and I have used it before, but the fact that it has not been updated since 2017, when normally everything receives security updates, bothers me.

You could have a look at uBlock Origin and its different modes.
More info can be found here:
And here:

No backup, not even cloud sync?
Hardware can fail and leaves you without your files.

When using Microsoft Defender as antivirus it is recommended to use Microsoft Defender Browser Protection as addon in Google Chrome.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
> ... as far as i see syshardener and Simple Windows Hardening overlap just a little but there are a lot of settings that are unique for each of them

In fact, they overlap much (on important features), but SWH is more restrictive. Some features configured by SysHardener are already hardened in default settings on Windows 7+.

If you use Defender + Comodo Firewall, then you can try @cruelsister settings and skip SWH and SysHardener.

Otherwise, configure Defender with HIGH settings, and:
  1. For basic hardening without whitelisting, use SysHardener on default settings and skip SWH. SysHardener has not got any logs so it is usually hard to recognize what was blocked (to solve the block issues). That is why most users should not use it on MAX settings. Advanced users can use Windows Event logs for that.
    SysHardener uses blocks without the possibility of whitelisting, so if something useful is blocked one has to disable the feature that blocks it (security is weakened).
  2. For more restrictive hardening with whitelisting, use SWH and skip SysHardener. SWH is more restrictive than SysHardener, but whitelisting can allow your trusted files and still block unknown files.
    If you did not disable Windows Firewall you can use the FirewallHardening tool, which is more comprehensive compared to the current SysHardener firewall rules. You can also use custom Comodo Firewall rules instead of the FirewallHardening tool (this will require adding many rules for LOLBins).
(y)
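
The per-binary outbound rules for LOLBins mentioned at the end of the post above can be scripted against the built-in Windows Firewall. The PowerShell below is an added example, not part of the thread or of the FirewallHardening tool; the binary list and the `LOLBin-Block` group name are illustrative assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: one outbound block rule per LOLBin, using the built-in
# NetSecurity cmdlets. Only has an effect while Windows Firewall is enabled.

$group = 'LOLBin-Block'   # hypothetical group name, used to list or remove the rules later

# Illustrative list only (paths relative to the system directory);
# extend it with the binaries you actually want to keep off the network.
$lolbins = @(
    'WindowsPowerShell\v1.0\powershell.exe',
    'wscript.exe',
    'cscript.exe',
    'mshta.exe',
    'regsvr32.exe',
    'rundll32.exe',
    'certutil.exe',
    'bitsadmin.exe'
)

# 64-bit Windows keeps 32-bit copies under SysWOW64, so cover both directories.
$dirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")

foreach ($dir in $dirs) {
    foreach ($rel in $lolbins) {
        $path = Join-Path $dir $rel
        if (-not (Test-Path -LiteralPath $path)) { continue }   # binary not present here

        $name = "$group - $path"
        # Skip rules created by an earlier run so the script can be re-run safely.
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { continue }

        New-NetFirewallRule -DisplayName $name -Group $group `
            -Direction Outbound -Program $path -Action Block -Profile Any | Out-Null
    }
}

# Review what was created.
Get-NetFirewallRule -Group $group | Select-Object DisplayName, Enabled, Action

# Rollback if something legitimate stops working:
# Remove-NetFirewallRule -Group $group
```

Block rules take precedence over allow rules in Windows Firewall, so check afterwards that nothing you rely on (for example a script-driven updater) has lost connectivity.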
 

Itachi Sempai

> In fact, they overlap much (on important features), but SWH is more restrictive. Some features configured by SysHardener are already hardened in default settings on Windows 7+.
>
> If you use Defender + Comodo Firewall, then you can try @cruelsister settings and skip SWH and Syshardener.
>
> Otherwise, configure Defender with HIGH settings, and:
>   1. For basic hardening without whitelisting, use SysHardener on default settings and skip SWH. SysHardened has not got any logs so it is usually hard to recognize what was blocked (to solve the block issues). That is why most users should not use it on MAX settings. Advanced users can use Windows Event logs for that.
>     SysHardener uses blocks without the possibility of whitelisting, so if something useful is blocked one has to disable the feature that blocks it (security is weakened).
>   2. For more restrictive hardening with whitelisting, use SWH and skip SysHardener. SWH is more restrictive than SysHardener, but whitelisting can allow your trusted files and still block unknown files.
>     If you did not disable Windows Firewall you can use the FirewallHardening tool which is more comprehensive compared to the current SysHardener firewall rules. You can also use custom Comodo Firewall rules instead FirewallHardening tool (this will require adding many rules for LOLBins).
> (y)

So it would be better to learn about Hard_Configurator and use it (instead of SysHardener and SWH) alongside Comodo? I want to have at least 2 layers of security, only Windows hardening could be insufficient if some crazy zero day comes up

> No backup, not even cloud sync?
> Hardware can fail and leaves you without your files.

Yeah, I know, I have 4 different backups of files that I don't want to lose... that laptop is used only for web surfing... well, it's bad if ScriptSafe has not been updated for so long, so it could have some bugs, you think? I do use uBlock (for ad blocking) but could not block scripts with it, did everything as in instructions... I will switch to NoScript then
 

Andy Ful

> so it would be better to learn about hard configurator and use it (instead of syshardener and SWH) alongside with comodo? i want to have at least 2 layers of security only windows hardening could be insufficient if some crazy zero day comes up

You like to use Comodo Firewall and Defender. So, it would be natural to learn first about these two security layers (with advanced tweaks) and about your web browser's security.

Next, you can refine your protection and adjust it to your safe habits. At this point, learning about Windows built-in protection configured by SWH (SysHardener), Hard_Configurator, or another method can be helpful.

Please note, that Hard_Configurator has many setting profiles and some of them are very restrictive. Before using it, you should probably learn much (except if you are an advanced user).

Please, read first the H_C manual to see if this kind of security is for you. I created H_C for advanced users who like very strong protection at home or want to be home administrators of family computers used by inexperienced users.
 

Itachi Sempai

> You like to use Comodo Firewall and Defender. So, it would be natural to learn first about these two security layers (with advanced tweaks) and about your web browser's security.
>
> Next, you can refine your protection and adjust it to your safe habits. At this point, learning about Windows built-in protection configured by SWH (SysHardener), Hard_Configurator, or another method can be helpful.
>
> Please note, that Hard_Configurator has many setting profiles and some of them are very restrictive. Before using it, you should probably learn much (except if you are an advanced user).
>
> Please, read first the H_C manual to see if this kind of security is for you. I created H_C for advanced users who like very strong protection at home or want to be home administrators of family computers used by inexperienced users.

Wow, you are the creator of Hard_Configurator? Nice, good job man (y)

OK, so I will tell you exactly what I want and will do as you tell me to... I use that laptop only for online browsing (will visit about 10-15 websites maximum) and will install very few programs if at all, so I need a default deny environment with a backup plan, if there is some tricky zero day and first layer of default deny fails, for the second one to work... in this case I don't think I need antivirus and I don't like Defender but I leave it as it is just in case and because removing it is a real pain... I have researched Comodo a lot and I know how to configure it, I will look into Hard_Configurator and figure out how it all works... in this case do I need both Comodo and HC? Or maybe I need something more?
 

Andy Ful

> ...
> ok so i will tell you exactly what i want and will do as you tell me to... i use that laptop only for online browsing (will visit about 10-15 websites maximum) and will install very few programs if at all, so i need default deny environment with a backup plan, if there is some tricky zero day and first layer of default deny fails for second one to work... in this case i dont think i need antivirus and i dont like defender but i live it as it is just in case and because removing it is real pain... i have researched comodo a lot and i know how to configure it, i will look into hard configurator and figure out how it all works... in this case do i need both comodo and HC? or maybe i need something more?

My knowledge about CF may be outdated. I know that it has got a great firewall, strong sandbox, and strong protection against classic attack vectors via PE files. I am not sure about its protection against modern attacks via the fileless methods and .NET Framework DLLs. These methods can be neutralized by adding scripting interpreters and some LOLBins to the Unrecognized group (run in the sandbox).
If I correctly recall, CF has to be configured for maximum security to trust only essential vendors to avoid DLL hijacking via vulnerable legal programs.
There are some MT members that can know more about these factors.

You can tweak CF (@cruelsister settings) + SWH to reproduce most of the H_C protection for the home computer. This could be recommendable in your case.

If you use CF without @cruelsister settings, then you can use it with the H_C (instead of SWH).

If you do not need a strong firewall, then you can also replace CF + SWH with H_C.

When choosing the H_C, you have to respect SmartScreen alerts when installing applications. The H_C uses Forced SmartScreen to bypass default-deny for EXE and MSI installers. (y)
 