Advanced Plus Security Sampei Nihira Security Config 2026

Last updated
Feb 19, 2026
How it's used?
For home and private use
Operating system
Windows 11
On-device encryption
BitLocker Device Encryption for Windows
Log-in security
    • Biometrics (Windows Hello PIN, TouchID, Face, Iris, Fingerprint)
Security updates
Allow security updates
Update channels
Allow stable updates only
User Access Control
Always notify
Smart App Control
On
Network firewall
Enabled
About WiFi router
TP-Link with IPv6 disabled and all security features enabled - Wi-Fi is disabled for security reasons.
Real-time security
Standard Microsoft Account
Secure Boot enabled
Disabled some services
Virtualization enabled
O&O ShutUp10
O&O AppBuster
Show hidden files enabled
Hide extensions for known file types disabled
SMB1 - off
Hard_Configurator - Recommended Settings
Validate Admin Code Signatures registry key enabled set via H_C
Block Remote Access set via H_C
Windows Script Host - Added Trust Policy = 0x00000002
LockBatchFilesWhenInUse = 1 (Enhanced security and performance for batch files)
PowerShell 7 - Constrained Language Mode - RemoteSigned
Windows PowerShell - Constrained Language Mode - RemoteSigned

Microsoft Defender hardened with Configure Defender [Hard_Configurator] (Customized level) - Cloud Block Level
Core Isolation: Memory integrity - enabled
Local Security Authority Protection - enabled
Microsoft Vulnerable Driver Blocklist - enabled
Reputation Based Protections all modules - enabled
Ransomware protection - enabled
Exploit Protection - All System Override enabled + 13/14 Override applied to the most vulnerable software
Firewall security
Microsoft Defender Firewall with Advanced Security
About custom security
Firewall Hardening [Hard_Configurator] LOLBins + Recommended H_C + some custom blocking rules
Periodic malware scanners
  • MD
  • VT
  • PE
  • Sirius LLM
Malware sample testing
I do not participate in malware testing
Environment for malware testing
N/A
Browser(s) and extensions
(Main browser) Chrome --disable-webgl --no-pings --enable-features=NetworkServiceSandbox,EnableCsrssLockdown,WinSboxDisableExtensionPoint,RendererAppContainer --cipher-suite-blacklist=0x002F,0x009D,0x009C,0x0035,0xC013,0xC014 --disable-features=ExtensionManifestV2Unsupported,ExtensionManifestV2Disabled
  • Home page Start.DDG
  • Search engine = DDG
  • DNT disabled
  • HTTPS enabled
  • Delete data on exit
  • JavaScript block = http://*
  • Block third-party cookies
  • Safe browsing - Standard Protection
Policies:
  • ClearBrowsingDataOnExitList = [ "browsing_history", "download_history", "cookies_and_other_site_data", "cached_images_and_files", "autofill" ,"hosted_app_data" ]
  • DnsOverHttpsMode = secure
  • DnsOverHttpsTemplates = Private Next DNS
  • SavingBrowserHistoryDisabled = true
  • GenAILocalFoundationalModelSettings = 1
Flags:

  • Block scripts loaded via document.write
  • TLS 1.3 Early Data
  • Parallel downloading
  • Save PDF to Drive - disabled
  • Input protection
  • Strict-Origin-Isolation
  • Bind cookies to their setting origin's port
  • Bind cookies to their setting origin's scheme
  • Origin-keyed Processes by default
  • Safe Browsing Local Lists use v5 API
  • Enable RenderDocument - Enabled Swap RendererFrameHosts on same-site navigations from any frame (experimental)
  • Device Bound Session Credentials (Standard)
  • Device Bound Session Credentials (Standard) - Federated Registrations
  • Device Bound Session Credentials (Standard) on Google
  • Local Network Access Checks - Enabled (Blocking)
  • Local Network Access Checks for WebRTC
  • Local Network Access Checks for WebSockets
  • Local Network Access Checks for WebTransport
  • Always show confirmation dialog for new search engine overrides
Extensions:
  • uBlock Origin - Super Hard Mode (1p scripts + 3p + 3p frames + 3p scripts) outside the 9 TLDs.
  • API Void Script Stop - Extended Medium Mode (1p-frame + 3p-script + 3p-frame) within the 9 TLDs.
  • Bonjourr
  • Search Engine Blocker - enabled only on certain websites
  • AG Browser Extension - Super Hard Mode - off by default
  • Video DownloadHelper - off by default
  • FetchV - off by default

(Secondary) Firefox:
  • Home page Start.DDG
  • Search engine = DDG
  • GPC enabled
  • Tracking protection: Custom Protection - All cross-site cookies
  • DNS over HTTPS : Max Protection
  • HTTPS-only-mode enabled
  • Pocket disabled
  • Clearing browsing data on exit
  • Firefox telemetry disabled
  • Protection against fraudulent content and dangerous software enabled - all enabled
  • Some FastFox.js settings
  • Some Arkenfox.js settings
Policies:
  • OverridePostUpdatePage set to ""
  • DontCheckDefaultBrowser = true
  • OverrideFirstRunPage set to ""
Extensions:
  • uBlock Origin - Super Hard Mode (1p scripts + 3p + 3p frames + 3p scripts) outside the 9 TLDs.
  • API Void Script Stop - Extended Medium Mode (1p-frame + 3p-script + 3p-frame) within the 9 TLDs.
  • Video DownloadHelper - (off by default)
  • HLS Downloader (off by default)
Secure DNS
System = Cloudflare DNS encrypted
Browsers = Next DNS DOH (Account) - All Security settings enabled - Blocking of all domains with non-European characters + dangerous TLDs - HaGeZi - Multi ULTIMATE
Desktop VPN
none
Password manager
built-in
Maintenance tools
Process Explorer
CCleaner - Block updates with firewall rule + some Hosts file rules
Thunderbird - hardened
Pop-Peeper Email Notifier
File and Photo backup
External SSD + Pen-drive USB
Subscriptions
    • None
System recovery
External SSD
Risk factors
    • Browsing to popular websites
    • Opening email attachments
    • Buying from online stores, entering bank card details
    • Logging into my bank account
    • Downloading software and files from reputable sites
    • Streaming audio/video content from trusted sites or paid subscriptions
Computer specs
Lenovo IdeaCentre AIO 3
AMD Athlon Silver
8 GB RAM
SSD 238 GB
Notable changes
  • Enabled RendererAppContainer (Chrome) via Chromium Command Line Switch
  • Added Sirius LLM as on-demand scan
  • Added these flags to Chrome - "Save PDF to Drive" -disabled + "Bind cookies to their setting origin's port" + "Bind cookies to their setting origin's scheme"
  • AMD Software Adrenalin Edition - AMD Crash Defender Service - (manual) + AMD External Events Utility Service (disabled)
  • Switched Microsoft Video to MPC BE, which was added to the WD Anti-Exploit list with 13 overrides
  • Switched Microsoft Photo to PhoXoSee which was added to the WD Anti-Exploit list with 13 overrides
  • Added "Safe Browsing Local Lists use v5 API" flag in Chrome
  • Added "Search Engine Blocker" extension on Chrome - enabled only on certain websites
  • Added "GenAILocalFoundationalModelSettings" policy on Chrome
  • Enabled LockBatchFilesWhenInUse = 1
  • Enabled "Input protection" flag on Chrome
  • Switched from uBoL in Firefox/Chrome to the API Void Script Stop (3p-script + 3p-frame)
  • Added to API Void Script Stop (1p-frame block)
What I'm looking for?

Looking for minimum feedback.

I managed to enable RendererAppContainer in Chrome via Chromium Command Line Switch.
As shown in the image:

1.png

It does not work via policy.

Considering that it was also impossible for @Bot, I would like to ask @harlan4096 and @Jack to review my security configuration for the transition to:

"Advanced Security Plus"

Thank you very much.(y)

P.S. Obviously, the Chromium Command Line Switch alone is not sufficient.;)
 
"In general", to get the Advanced Plus tag, a config should have well covered ALL the main security aspects (security-related fields), especially those related to Windows security and also those related to user data backup and system recovery...

I see you don't use a VPN or 3rd-party on-demand scanners to complement MD detection.
 
Hi,
the recovery system was created using the backup and restore feature from the control panel + create a recovery drive on a USB flash drive and the image on an external SSD drive as described.

That's right, no VPN, I don't need it.

I used Hitman Pro as an on-demand scan (never detected any infections) and after the @cruelsister test I removed it because it was useless.
The same with NPE.

App Review - Thoughts on HitManPro
 
I asked ChatGPT5 to evaluate, using the usual table, whether the "CacheEncryptionEnabled" policy improves the security of my primary browser.
Here is the result:
cittografia cache.png


This warning should be carefully evaluated before stable implementation:


Browser cache encryption may affect performance.

Chrome Enterprise Policy List & Management | Documentation

P.S.

Removed because the policy can only be applied via the cloud.
 
I had ChatGPT 5 analyze the differences between Enhanced and Standard Protection in Chrome:

1.png

Defending 1 billion Chrome users with Enhanced Protection

Your data, including URLs, page contents, files and more, is anonymized whenever possible. It’s used only for security purposes, and retained only as long as necessary.

I am very undecided whether to leave my current protection at Standard or change it to Enhanced.:unsure:

@to all

Any suggestions?
 
Enhanced Protection in Chrome adds extra defenses against phishing and malicious downloads, though it requires sharing more data with Google. Standard Protection already covers the essentials and is usually enough when combined with other security measures. Ultimately, it’s a balance between privacy and that extra layer of protection.🔒⚖️🌐
 
NextDNS contains Google Safe Browsing, which is what Enhanced Protection is based on. I have Enhanced Safe Browsing disabled in my Google account, it would be pointless.
 
3.png

I was asking about this:

chrome://settings/security

Yes, I made this comparison some time ago.
As you can see, there are some significant differences in the browser and at the DNS level.
 
Yes, but I am the most concerned about the last entry, privacy. Not just data shared with Google, but anyone on the line could listen.
I had comments removed, accounts blocked and data restricted because of "questionable" content, so I value privacy over security.
 
If you're using Chrome you may as well use enhanced protection.

I ran several tests this afternoon.
No advantage in detection.
I did not consider the download.
I would not rely exclusively on Google's advanced protection over the standard protection when judging a file.

So I'm sticking with the Standard Protection.
Thank you all.
 
I've organized Windows PowerShell and PowerShell 7 a bit.
CLM + "RemoteSigned" Policy.

I've found that the Full Language Mode + "Restricted" policy, for ChatGPT 5, is worse in terms of security and usability.
Although I should add that this is for my own needs.
I also added an outbound connection blocking rule in PowerShell 7 that isn't present in H_C.

P.S.

ChatGPT 5, based on my needs, did not recommend that I set the “AllSigned” policy, which would be more restrictive than the one I have currently set.
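
A read-only check of several settings listed in this thread (CLM, RemoteSigned, UAC Always notify, Validate Admin Code Signatures, LSA protection, memory integrity, vulnerable driver blocklist, LockBatchFilesWhenInUse), added here as an example that is not part of any post. The function names are hypothetical and the registry paths and expected values are assumptions to confirm on your build; run it once in Windows PowerShell and once in PowerShell 7, since each host reports its own language mode and execution policy.

```powershell
# Added example (not from the thread). Read-only. Registry paths are assumptions:
# the usual Windows locations for these settings; confirm them on your build.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Emits nothing when the key or value is absent, reported below as "(not set)".
    Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty $Name
}

function Test-Setting {
    param([string]$Label, $Actual, $Expected)
    # Compare as strings so enum and DWORD values are handled the same way.
    $shown = if ($null -eq $Actual) { '(not set)' } else { "$Actual" }
    $state = if (@($Expected) -contains $shown) { 'OK' } else { 'DIFF' }
    '{0,-5}{1,-32}actual={2}  expected={3}' -f $state, $Label, $shown, (@($Expected) -join ' or ')
}

function Get-HardeningAudit {
    $uac  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $hvci = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
    $ci   = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $cmd  = 'HKLM:\SOFTWARE\Microsoft\Command Processor'   # assumed home of LockBatchFilesWhenInUse

    # Per-host values: Windows PowerShell and PowerShell 7 each report their own.
    Test-Setting 'Language mode' $ExecutionContext.SessionState.LanguageMode 'ConstrainedLanguage'
    Test-Setting 'Execution policy (effective)' (Get-ExecutionPolicy) 'RemoteSigned'
    # A RemoteSigned set at a lower-precedence scope can be overridden; list every scope.
    Get-ExecutionPolicy -List | ForEach-Object { '     scope {0,-14}= {1}' -f $_.Scope, $_.ExecutionPolicy }

    # UAC "Always notify": consent prompt (2) shown on the secure desktop (1).
    Test-Setting 'ConsentPromptBehaviorAdmin'  (Get-RegValue $uac 'ConsentPromptBehaviorAdmin') '2'
    Test-Setting 'PromptOnSecureDesktop'       (Get-RegValue $uac 'PromptOnSecureDesktop') '1'
    Test-Setting 'ValidateAdminCodeSignatures' (Get-RegValue $uac 'ValidateAdminCodeSignatures') '1'

    # LSA protection: 1 = on with UEFI lock, 2 = on without UEFI lock.
    Test-Setting 'LSA RunAsPPL' (Get-RegValue $lsa 'RunAsPPL') '1','2'
    Test-Setting 'Memory integrity (HVCI)' (Get-RegValue $hvci 'Enabled') '1'
    Test-Setting 'Vulnerable driver blocklist' (Get-RegValue $ci 'VulnerableDriverBlocklistEnable') '1'
    Test-Setting 'LockBatchFilesWhenInUse' (Get-RegValue $cmd 'LockBatchFilesWhenInUse') '1'
}

Get-HardeningAudit
```

A DIFF line means the value differs from what the thread lists, or that the setting lives somewhere other than the assumed path; it only uses cmdlets, operators and string formatting, so it also runs inside a Constrained Language Mode session.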
 