Advanced Plus Security kC77's Security Config for 2021

Last updated
Nov 6, 2021
How it's used?
For home and private use
Operating system
Windows 11
On-device encryption
Log-in security
Security updates
Allow security updates and latest features
User Access Control
Always notify
Smart App Control
Network firewall
Real-time security
Unifi UDM-Pro Security Gateway - IDS set to FULL, DPI Full, No Open Ports, multiple VLAN's (Trusted network/iOT network/Guest Network) also Geoblocking ALL countries except the UK)

Windows Defender with Configure defender on High

Controlled Folders using Defender & exclusions as required

Spyshelter Firewall 12.7

but the MOST important security protection is COMMON SENSE - i run COMMON Sense v1.0 !
Firewall security
About custom security
OS partly controlled by Spyshelter Firewall 12.7 Hips / Antikeylogger
Also use O&O shutup 10+ to remove many privacy concerns

only 3 devices on my Main "trusted" network VLAN

everything else (chromemcasts/pihole/security cameras/xbox/shield/mobile devices/tv's etc) are on their own iOT VLAN

another VLAN/Subnet NiX_Lan where my lonely pi4b sits which is out there in the wild of the interwebz, this serves as my "Nextcloud" server - only open to the UK unless im out of the country and need to add a rule

anyone else friends/family can access a completely separate isolated Vlan Guest_lan
Periodic malware scanners
Hitman Pro
ADWCleaner
NPE
Malware sample testing
I do not participate in malware testing
Browser(s) and extensions
BRAVE (personal)
EDGE Chromium (work) (bypassed in protonvpn)

both use Brave Search
Edge has uBlock Origin (brave doesnt need it) & pihole catches most anyway

No website shares any password, all my accounts have individual secured/randomized passwords.

2FA is used everywhere possible
Secure DNS
Pihole (raspberry pi) on separate VLAN (iOT network) - firewall rule to allow main LAN UDP 53 & tcp80 for mgmt.
Pihole uses UNBOUND on the same PI in recursive mode working with DNSSEC, so I am my own DNS server.
Desktop VPN
ProtonVPN
Password manager
keepass
Maintenance tools
Windows defrag auto
Brave/edge browser set to auto cleanup on exit
CleanMGR+ ran before taking a backup
File and Photo backup
manually Robocopied to NAS

Occasionally a second offline NAS on sepratae VLAN is powered on to SYNC NAS's, once synced, its then powered off (so its Immutable)

every few days manually robocopy to external bitlockered driver stored in car
(if my house burns down while im AFK i have everything needed)
System recovery
Macrium reflect 8 to backup my OS drive only, usually incremental daily sometimes a Full before or after any major changes/updates, then robocopy to NAS-A for the other drives/data (photos/music/projects etc) robocopy in /MIR mode

Macrium reflect my Rpi3 (pihole/unbound) to NAS-A again before or after any major changes/updates

Macrium reflect my Rpi4 (nextcloud) to NAS-A again before or after any major changes/updates

then robocopy NAS-A to NAS-B (nas B is immutable by being offline and in another vlan/subnet, only brought online for an occasional sync, then shutdown) no accounts anywhere are shared, dont re-use the same password anywhere.

BOTH NAS's are encrypted and need to be mounted at boot with a secure password (not auto mounted)

also I robocopy the most essential things to a 8tb USB3 bitlockered drive occasionally. This is kept in my car, so if im away and a meteor hits the house, ive got most the stuff id need



if something took out the house & the car, then theres a good chance it took me out too... so f*7k the data!
Risk factors
    • Working from home
    • Browsing to popular websites
    • Browsing to unknown / untrusted / shady sites
    • Opening email attachments
    • Buying from online stores, entering banks card details
    • Logging into my bank account
    • Downloading software and files from reputable sites
    • Sharing and receiving files and torrents
    • Requesting and accepting remote access
    • Streaming audio/video content from trusted sites or paid subscriptions
    • Streaming audio/video content from shady sites
Computer specs
Self built, I7 6700K, 32GB ram. onboardGPU.
512Gb SSD OS
3 x 4TB WD drives for Audio/Photos/Video editing
Notable changes
08/12/21 - updated as instead of using cloudflare for DNS, I now run UNBOUND on my pi for extra privacy (no 3rd party DNS provider)
What I'm looking for?

Not looking for any feedback.

kC77

kC77

Level 5
Thread author
Verified
Well-known
Aug 16, 2021
230
not only for security, but more for privacy, over the past few months ive replaced many apps & services with better or self hosted solutions....... and i am totally trying to degoogle my life.

Chrome -> Brave
google search -> Brave Search
uBlockorigin > no longer needed as already running pihole network wide & brave has great inbuilt adblock no extension required
google dns > cloudflare > unbound (recursive dns sec on my pi3) i am the DNS!
gmail > protonmail
google calendar & contacts > netxcloud (self hosted on secondary rasperry pi4b)
google drive & dropbox > netxcloud (self hosted on secondary rasperry pi4b)
google photos > netxcloud (self hosted on secondary rasperry pi4b)
google keep > standard notes
microsft onenote > standard notes
Google Maps > Magic Earth
Google Authenticator - AndroidOTP (on mobile) & keepass (when on desktop/laptop)

after for years being so reliant on google accounts & google services ........my next step is to put calyxOS on my pixel4
 
  • Applause
  • Like
Reactions: CyberTech, harlan4096 and Kongo
Kongo

Kongo

Level 35
Verified
Top Poster
Well-known
Feb 25, 2017
2,498
Great move and great alternatives. Still, there are two things I would change.

1. Instead of Dropbox you could use MEGA which is open-source and private friendly. It even supports anonymous payment options like Bitcoin or PaySafeCard.

2. Consider using Quad9 DNS instead of Cloudflare which is better in terms of privacy and even security (malicious sites blocking abilities)

Edit: Whoops, you are not using Dropbox. Got you wrong, my bad. :)
 
  • Like
Reactions: CyberTech, harlan4096 and plat
kC77

kC77

Level 5
Thread author
Verified
Well-known
Aug 16, 2021
230
SecureKongo said:
Great move and great alternatives. Still, there are two things I would change.

1. Instead of Dropbox you could use MEGA which is open-source and private friendly. It even supports anonymous payment options like Bitcoin or PaySafeCard.

2. Consider using Quad9 DNS instead of Cloudflare which is better in terms of privacy and even security (malicious sites blocking abilities)
Click to expand...
Hi thanks, I'm avoiding the middlemen in both of those...
Running nextcloud I am my own mega... I control the encryption keys and access and host it myself.

As for DNS, I actually block all outbound DNS requests unless it comes from my own hosted unbound server (recursive)
So all my pi knows is the root.hints.....and dnssec from there, the pi-hole then categorizes the clients as to what they can or cannot access (social/porn/tracking/telemetry etc) I have zero reliance on any public DNS provider gathering up data, and if any device or malware tries to bypass it (hardcoded DNS), it's blocked at the firewall.
 
  • Like
  • Applause
Reactions: harlan4096, plat and Kongo
kC77

kC77

Level 5
Thread author
Verified
Well-known
Aug 16, 2021
230
SecureKongo said:
So the only reason for using Cloudflare is speed?
Click to expand...
There is no cloudflare at all...

I used to use Google DNS... Then I used to use cloudflare .... But now neither.... My only dns server is myself

Every device (even when I'm mobile I vpn to home) gets the DNS of my unbound/pihole server

Pihole passes these queries on and according to the blocklists deals with accordingly

So unbound is the recursive DNS server, it doesn't have any forward lookups or upstream DNS... All it knows are the root hints and deals with dnssec.... It caches queries, but even when not cached is blisteringly quick.

unbound - Pi-hole documentation

docs.pi-hole.net docs.pi-hole.net
 
  • Like
  • Thanks
Reactions: CyberTech, harlan4096, oldschool and 1 other person
P

plat

Level 29
Top Poster
Sep 13, 2018
1,793
I am curious as to what method you used to bypass the cpu requirement for Windows 11. Do you like Windows 11? I was OK with it but then encountered an annoying disk issue that compelled me to reinstall Windows 10. Definitely seeing the difference in performance (11 is better).
 
  • Like
Reactions: CyberTech, harlan4096, kC77 and 2 others
Kongo

Kongo

Level 35
Verified
Top Poster
Well-known
Feb 25, 2017
2,498
kC77 said:
There is no cloudflare at all...

I used to use Google DNS... Then I used to use cloudflare .... But now neither.... My only dns server is myself

Every device (even when I'm mobile I vpn to home) gets the DNS of my unbound/pihole server

Pihole passes these queries on and according to the blocklists deals with accordingly

So unbound is the recursive DNS server, it doesn't have any forward lookups or upstream DNS... All it knows are the root hints and deals with dnssec.... It caches queries, but even when not cached is blisteringly quick.

unbound - Pi-hole documentation

docs.pi-hole.net docs.pi-hole.net
Click to expand...
I guess it's too late for my brain to work, sorry for that. Got it now, thanks for the explanation :)
 
  • HaHa
  • Like
Reactions: CyberTech, oldschool and kC77
kC77

kC77

Level 5
Thread author
Verified
Well-known
Aug 16, 2021
230
plat1098 said:
I am curious as to what method you used to bypass the cpu requirement for Windows 11. Do you like Windows 11? I was OK with it but then encountered an annoying disk issue that compelled me to reinstall Windows 10. Definitely seeing the difference in performance (11 is better).
Click to expand...
Hi, running a few machines (work laptop/main desktop/surface pro all on windows 11) (but all have TPM) this regtweak allowed the CPU to be bypassed

• create a new registry entry on HKEY_LOCAL_MACHINE\SYSTEM\Setup\MoSetup Use the “REG_DWORD” type
• Name it “AllowUpgradesWithUnsupportedTPMOrCPU”
• Set value to “1”
• Reboot your system

From <Microsoft shares Windows 11 TPM check bypass for unsupported PCs>

i was running windows 11 from insider (since late august) and had no major issues, with any 3rd party apps/drivers, performance has been as good if not better for most things.
 
Last edited:
  • Like
  • Thanks
Reactions: CyberTech, harlan4096 and plat
kC77

kC77

Level 5
Thread author
Verified
Well-known
Aug 16, 2021
230
SecureKongo said:
I guess it's too late for my brain to work, sorry for that. Got it now, thanks for the explanation :)
Click to expand...
no worries.... for most people the best would be to use quad9 or cloudflare especially with the additional filtering they provide... e.g malware blocking/cloud filtering, the upsides to these services is ease of use & security the downsides to these services is privacy.
.
however I am not interested in the protection/filtering they provide, I am already covered for protection..... I am more interested in privacy, my DNS queries are not being logged in the traditional manner, yes cloudflare etc may say they dont log your queries..... but im not so sure and id rather take control of this myself.
now when any device on my lan or vpn client looks up a domain, it goes to my pi, pihole checks the lists.... if its good, it gets sent to unbound that uses the root hints Root Servers to then securely via dnsec if possible try to resolve the record and caches it on my pi.... at no point is any public/upstream dns server involved.
if it was a domain in my blocklist/regex then it just gets sunk.

i've never been a big linux user, but raspberry pis are amazing devices.....
a good firewall... a pi for pihole/unbound and a pi for nextcloud.... many happy windows devices private and secure behind it.... ill update again in 2022... probably have 45 raspberry pis by then!
 
  • +Reputation
Reactions: Kongo
CyberTech

CyberTech

Level 44
Verified
Top Poster
Well-known
Nov 10, 2017
3,250
kC77 said:
Google Authenticator - AndroidOTP (on mobile) & keepass (when on desktop/laptop)

after for years being so reliant on google accounts & google services ........my next step is to put calyxOS on my pixel4
Click to expand...
What about Aegis Authenticator and andOTP? they are the best Authenticator for Android phone thats privacy

According to the sources, Avoid Authy or Google Authenticator.
 
  • Like
Reactions: harlan4096
kC77

kC77

Level 5
Thread author
Verified
Well-known
Aug 16, 2021
230
CyberTech said:
What about Aegis Authenticator and andOTP? they are the best Authenticator for Android phone thats privacy

According to the sources, Avoid Authy or Google Authenticator.
Click to expand...

yes AndOTP thats what im using, google auth has gone
"Google Authenticator - AndroidOTP (on mobile) "

that should of read "Google Authenticator -> AndOTP (on mobile) "

thanks!
 
  • Like
Reactions: harlan4096 and CyberTech
You must log in or register to reply here.

Similar threads

Kongo
    • Like
    • Applause
Advanced Security Kongo's Mobile Security Config 2024
Replies
9
Views
583
Mobile Setup Configuration Help & Showcase
Kongo
Kongo
Tiamati
    • Like
  • Poll
Serious Discussion WD and Free Antivirus programs are bad, says this PC Gamer article. Do you agree?
Replies
13
Views
1,076
General Security Discussions
Ink
Ink
tidyloop
    • Like
Hi all
Replies
9
Views
457
New Members Introduction
[correlate]
[correlate]

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top