I have been using at home for about 2 years - it is useful as you need to do remote support, e.g. for family (from the web console you have access, among others: Patch management, Program installation, MDM, Remote Support. In addition, I have paused updates in Windows and installs patches when I am 100% sure that they will not cause problems in using the system
Kongo's Computer Security Config 2024
- Thread starter Kongo
- Start date
- Last updated
- Feb 25, 2024
- How it's used?
- For home and private use
- Operating system
- Windows 11
- On-device encryption
- BitLocker Device Encryption for Windows
- Log-in security
-
- Hardware security key
- Security updates
- Allow security updates and latest features
- Update channels
- Allow stable updates only
- User Access Control
- Always notify
- Smart App Control
- Off
- Network firewall
- Enabled
- About WiFi router
-
- Speedport Smart 4
- Firewalla Blue +
- Real-time security
-
Deep Instinct Endpoint Protection
- Firewall security
- Microsoft Defender Firewall with Advanced Security
- About custom security
-
Hardening tools:
- Firewall Hardening (blocking outbound connections of LOLBins)
- Run by SmartScreen (forces SmartScreen to scan files of choice)
- STOP/DJVU Ransomware Vaccine (immunizes system against this type of ransomware)
- O&O ShutUp10 (recommended settings)
- O&O AppBuster (removed unecessary Windows 11 apps)
- Windows Sandbox
System settings:
- Microsoft Defender running in sandbox (inactive)
- Reputation Based Protections (all modules enabled)
- Smart App Control enabled
- Data Execution Prevention set to AlwaysOn
- Core Isolation: Memory Integrity enabled
- Kernel-mode Hardware-enforced Stack Protection enabled
- Secure Boot enabled
- Drives encrypted via TPM (BitLocker)
- Windows Update Delivery Optimization disabled
- AutoPlay disabled
- Network Discovery disabled (Public Firewall profile)
- PowerShell --> Constrained Language Mode
- Hide extensions for known file types --> disabled
- Show hidden files --> enabled
- Virtualization enabled (allows Application Sandboxing)
- Custom Exploit Protection Settings for Firefox:
Code:Block low integrity images - ON Block remote images - ON Block untrusted fonts - ON Control flow guard (CFG) - ON Data execution prevention (DEP) - ON + Enable thunk emulation - CHECKED Disable extension points - ON Force randomization for images (Mandatory ASLR) - ON + Do not allow stripped images - CHECKED Randomize memory allocations (Bottom-up ASLR) - ON Validate exception chains (SEHOP) - ON Validate handle usage - ON Validate heap integrity - ON Validate image dependency integrity - ON
Thanks to @oldschool for sharing!
ㅤㅤㅤHardware Firewall (Firewalla Blue Plus):
- Active Protect (Strict)
- Ad Block (Strict)
- OISD blocklist enabled in Firewalla
- New Device Quarantine (restricted internet access for newly connected devices)
- Geo-IP Filtering (blocking connections from and to Russian + Chinese IPs)
- Unbound DNS enabled for all devices
ㅤ
- Periodic malware scanners
-
Norton Power Eraser, X-Sec and AdwCleaner
- Malware sample testing
- I do participate in malware testing. See details about my testing environment below.
- Environment for malware testing
-
ㅤㅤㅤ
VMware Workstation Player + Mullvad VPN on host machine while connected to the guest network.
Online Malware Analysis Platforms that I use:
- FileScan.iO
- Intenzer Analyze
- Hybrid Analysis
- VirusTotal
- Sophos Intelix
- Valkyrie
- ANY.RUN
- Triage
- Kaspersky Threat Intelligence Portal
- Docguard.iO
- PolySwarm
- Yomi
- Neiki.Dev
- ThreatZone
- UnpacMe
--> Currently I am barely testing
- Browser(s) and extensions
-
ㅤ
Mozilla Firefox v. 124.0.2
Extensions:
- uBlock Origin Lite
- SafeToOpen
- Bitwarden
Browser privacy and security settings:
- Tracking protection: Strict (enables Total Cookie Protection)
- Enable secure DNS using: Max Protection
- HTTPS-only-mode enabled
- DuckDuckGo set as search engine
- Pocket disabled
- Sending DNT-requests disabled (enabling makes you more identifiable and barely gives any advantage on most sites.)
- Clearing browsing data on exit
- Search suggestions disabled
- Websites overview disabled
- Blocking incoming location, camera and microphone requests
- AutoPlay for audio and video disabled
- Firefox telemetry disabled (also in about:config)
- Blocking pop-ups
- Warn when websites try to install addons enabled
- Protection against fraudulent content and dangerous software enabled
about:config tweaks:
- network.dns.echconfig.enabled = true
- network.dns.use_https_rr_as_altsvc = true
- fission.autostart = true
- pdfjs.enableScripting = false
- network.IDN_show_punycode = true
- security.ssl.require_safe_negotiation = true
- geo.enabled = false
- webgl.disabled = true
- network.trr.mode = 3 (NextDNS)
ㅤㅤ
- Secure DNS
-
ㅤ
- NextDNS with DoH + OISD blocklist (Firefox exclusively)
- Unbound DNS (Network-wide)
ㅤ
- Desktop VPN
-
Proton VPN with Secure Core, NetShield and Permanent Kill Switch
- Password manager
-
ㅤBitwarden Premium
- Maintenance tools
-
PatchMyPC, RuckZuck, UpdateHub, HiBit Uninstaller and Windows built in tools for cleaning and optimization
- File and Photo backup
-
ㅤbackup to external drive when necessary
- Active subscriptions
-
- Google One Standard 200GB
- System recovery
-
Aomei Backupper
- Risk factors
-
- Browsing to popular websites
- Browsing to unknown / untrusted / shady sites
- Opening email attachments
- Buying from online stores, entering banks card details
- Downloading software and files from reputable sites
- Gaming
- Streaming audio/video content from shady sites
- Downloading malware samples
- Computer specs
-
GPU: Nvidia Geforce RTX 360 TI
CPU: Intel I5 12600K
RAM: 16 GB DDR4-3200 Crucial
Hard disks: 500 GB Samsung 970 EVO Plus + 1 TB Western Digital Blue
- Notable changes
-
- Updated for year 2024
- What I'm looking for?
-
Looking for minimum feedback.
- Feb 25, 2017
- 2,495
+ added new Simple Windows Hardenining Beta
- Nov 9, 2022
- 282
- Mar 29, 2018
- 7,106
@Kongo please update "Last updated" in your configuration OP.
- Feb 25, 2017
- 2,495
Yeah I am actually wondering too how he is able to apply the restrictions if not via SRP. But it's definitely working.
- Dec 23, 2014
- 8,129
... and definitely via SRP.Yeah I am actually wondering too how he is able to apply the restrictions if not via SRP. But it's definitely working.
- Feb 25, 2017
- 2,495
So it's working again on Windows 11?... and definitely via SRP.
- Dec 23, 2014
- 8,129
It is fully functional if one knows how to turn it ON.So it's working again on Windows 11?
- Feb 25, 2017
- 2,495
Quick update, I now managed to install the client, contacted support, running really smooth now. Many thanks to all of you and Kongo. I do not want to fill up this thread, so I will give a short update in the Deep Instinct section.I see, I see...
- Feb 25, 2017
- 2,495
-removed Simple Windows Hardening due to protection overlap
- Mar 13, 2022
- 599
Ummm, I'm just a dumb Apple user, but with all your gizmo's switched on at once... does the computer still have enough power left to actually do anything?
- Feb 25, 2017
- 2,495
- Mar 29, 2018
- 7,106
@Kongo Regular settings doesn't have an option to fully disable. Do you set both of these advanced preferences to 'false'? Are there additional prefs?
Code:
privacy.donottrackheader.enabled
services.sync.prefs.sync.privacy.donottrackheader.enabledI'm hoping to snag a Firewalla Blue+ one of these days.
- Apr 16, 2017
- 2,094
- Apr 16, 2017
- 2,094
a gem of a post, I've never heard of Firewalla Blue+, looks interesting...@Kongo Regular settings doesn't have an option to fully disable. Do you set both of these advanced preferences to 'false'? Are there additional prefs?
Code:privacy.donottrackheader.enabled services.sync.prefs.sync.privacy.donottrackheader.enabled
I'm hoping to snag a Firewalla Blue+ one of these days.
- Feb 25, 2017
- 2,495
Didn't have those about:config settings disabled. Will change that.@Kongo Regular settings doesn't have an option to fully disable. Do you set both of these advanced preferences to 'false'? Are there additional prefs?
Code:privacy.donottrackheader.enabled services.sync.prefs.sync.privacy.donottrackheader.enabled
I'm hoping to snag a Firewalla Blue+ one of these days.
About Firewalla Blue+: I would take one of their other options if I were you. Blue + is the oldest one of them and probably the next to be discontinued. Otherwise you can't go wrong with Firewalla
- Feb 25, 2017
- 2,495
- Mar 29, 2018
- 7,106
I think the first preference is the default 'true' when DNT is set to "Only when FF is set to block know trackers". Not sure what that 2nd preference is for.
I'm confused about the meaning of the "Only when ... " option in settings, especially upon reading this
How do I turn on the Do Not Track feature? | Firefox Help
It seems to me that the "Only when ... " setting is always sending DNT with TP enabled, but not so according to above link.
- Feb 25, 2017
- 2,495
+ added RuckZuck Software Updater
+ DuckDuckGo as new default search engine
+ DuckDuckGo as new default search engine
Similar threads
