Advanced Plus Security SecureKongo's Computer Security Config 2022

Last updated
Jan 1, 2022
About
Personal, primary device
Additional PC users
Not shared with other users
Desktop OS
Windows 11
OS edition
Pro
Login security
    • Password (Aa-Zz, 0-9, Symbols)
Primary sign-in
Local account
Primary user
Admin user - Full permissions
Security updates
Automatic - allow all types of updates
Windows UAC
Maximum - always notify
Network firewall
Third-party router
Real-time protection
Microsoft Defender
Software firewall
Microsoft Defender Firewall
Custom RTP, Firewall and OS settings

Hardening tools:
- Configure Defender (set to "High")
- Firewall Hardening (blocking LOLBins and MS Office)
- Simple Windows Hardening (recommended settings)
- Documents Anti-Exploit (all enabled)
- STOP/DJVU Ransomware Vaccine
- O&O ShutUp10 (recommended settings)
- O&O AppBuster (removed unnecessary Windows 11 apps)
- Windows Sandbox + Sandboxie Plus



System settings:
- Data Execution Prevention set to AlwaysOn
- Core Isolation: Memory Integrity enabled
- Secure Boot enabled
- Drives encrypted via TPM (BitLocker)
- Windows Update Delivery Optimization disabled
- AutoPlay disabled
- Network Discovery disabled (Public Firewall profile)
- Hide extensions for known file types --> disabled
- Show hidden files --> enabled

- Virtualization enabled (allows Application Sandboxing)
- Custom Exploit Protection Settings for Firefox:
Code:
Block low integrity images - ON
Block remote images - ON
Block untrusted fonts - ON
Control flow guard (CFG) - ON
Data execution prevention (DEP) - ON + Enable thunk emulation - CHECKED
Disable extension points - ON
Force randomization for images (Mandatory ASLR) - ON + Do not allow stripped images - CHECKED
Randomize memory allocations (Bottom-up ASLR) - ON
Validate exception chains (SEHOP) - ON
Validate handle usage - ON
Validate heap integrity - ON
Validate image dependency integrity - ON

Thanks to @oldschool for sharing! :)

Hardware Firewall (Firewalla Blue Plus):
- Active Protect (Strict)
- Ad Block (Strict)
- OISD blocklist enabled in Firewalla
- New Device Quarantine (restricted internet access for newly connected devices)

Malware testing
Malware samples are downloaded
Periodic security scanners
ESET Online Scanner, Norton Power Eraser, AdwCleaner
Secure DNS

NextDNS with DoH + OISD blocklist (Firefox exclusively)
Cloudflare with DoH configured natively in Windows 11 (system-wide)

NextDNS for security --> Browser is the main entry point for malware

Cloudflare for speed and stability --> Speed and stability on the rest of the system
VPN
Mullvad VPN
Password manager
Bitwarden Premium
Browsers, Search and Addons

Mozilla Firefox v. 100.0.2 (Running isolated in Sandboxie Plus)

Extensions:
- AdGuard Extension (AdGuard Base filter + AdGuard Tracking filter + AdGuard URL Tracking filter)
- Skip Redirect (Skip all redirects except for URLs matching any of the lines in the no-skip-urls-list)
- Bitwarden (2FA enabled)


Browser privacy and security settings:
- Tracking protection: Strict (enables Total Cookie Protection)
- HTTPS-only-mode enabled
- DuckDuckGo set as search engine
- Pocket disabled (also in about:config)
- Sending DNT-requests disabled (enabling makes you more identifiable and barely gives any advantage on most sites.)
- Clearing browsing data on exit
- Search suggestions disabled
- Websites overview disabled
- Blocking incoming location, camera and microphone requests
- AutoPlay for audio and video disabled
- Firefox telemetry disabled (also in about:config)
- Blocking pop-ups
- Warn when websites try to install addons enabled
- Protection against fraudulent content and dangerous software enabled



about:config tweaks:
- network.dns.echconfig.enabled = true
- network.dns.use_https_rr_as_altsvc = true
- fission.autostart = true (enabled by default in Firefox 94+)
- privacy.resistFingerprinting = true
- pdfjs.enableScripting = false
- browser.send_pings = false
- plugin.scan.plid.all = false
- browser.urlbar.speculativeConnect.enabled = false
- dom.event.clipboardevents.enabled = false
- dom.webnotifications.enabled = false
- browser.urlbar.groupLabels.enabled = false
- media.navigator.enabled = false
- media.peerconnection.enabled = false
- network.dns.disablePrefetch = true
- network.prefetch-next = false
- webgl.disabled = true
- browser.sessionstore.privacy_level = 2
- beacon.enabled = false
- browser.safebrowsing.downloads.remote.enabled = false
- network.IDN_show_punycode = true
- geo.enabled = false
- browser.cache.offline.enable = false
- browser.newtabpage.activity-stream.feeds.telemetry = false
- browser.ping-centre.telemetry = false
- browser.tabs.crashReporting.sendReport = false
- toolkit.telemetry.enabled = false
- toolkit.telemetry.server (URL removed)
- toolkit.telemetry.unified = false
- extensions.pocket.enabled = false
- security.ssl3.rsa_des_ede3_sha = false
- security.ssl.require_safe_negotiation = true
- network.trr.mode = 3 (NextDNS)

Maintenance and Cleaning
PatchMyPC, SUMo, HiBit Uninstaller and Windows built in tools for cleaning and optimization
Personal Files & Photos backup
backup to external drive when necessary
Personal backup routine
Manual (maintained by self)
Device recovery & backup
AOMEI Backupper Pro
Device backup routine
Manual (maintained by self)
PC activity
  1. Browsing the web. 
  2. Browsing to unknown sites. 
  3. Emails. 
  4. Shopping. 
  5. Downloading software. 
  6. File sharing and torrents. 
  7. PC and cloud gaming. 
  8. Streaming. 
  9. Malware samples. 
Computer specs
GPU: Nvidia Geforce RTX 360 TI
CPU: Intel I5 12600K
RAM: 16 GB DDR4-3200 Crucial
Hard disks: 500 GB Samsung 970 EVO Plus + 1 TB Western Digital Blue
Personal changelog
- added some more details and explanations to existing entries (2022-01-01)
Feedback Response

Most critical feedback
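
An added example, not part of the original post: one way to check that a Firefox profile still carries a subset of the about:config values listed above, by parsing the `user_pref(...)` lines of the profile's `prefs.js`. The sample file content and the function names are constructed for illustration.

```python
import re

# Expected values: a subset of the about:config list in the post above.
EXPECTED = {
    "privacy.resistFingerprinting": True,
    "pdfjs.enableScripting": False,
    "media.peerconnection.enabled": False,
    "network.IDN_show_punycode": True,
    "browser.sessionstore.privacy_level": 2,
    "network.trr.mode": 3,
}

# prefs.js holds one user_pref("name", value); call per line.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

def parse_value(raw):
    if raw in ("true", "false"):
        return raw == "true"
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    return raw.strip('"')  # string pref; escape sequences are left as-is

def parse_prefs(text):
    matches = (PREF_RE.match(line) for line in text.splitlines())
    return {m.group(1): parse_value(m.group(2)) for m in matches if m}

def audit(text, expected=EXPECTED):
    actual = parse_prefs(text)
    report = {}
    for name, want in expected.items():
        if name not in actual:
            report[name] = "unset"  # not in prefs.js: Firefox default applies
        elif (type(actual[name]), actual[name]) == (type(want), want):
            report[name] = "ok"
        else:
            report[name] = f"drift: {actual[name]!r}"
    return report

# Constructed sample of prefs.js content (not taken from a real profile).
SAMPLE = """\
user_pref("privacy.resistFingerprinting", true);
user_pref("pdfjs.enableScripting", false);
user_pref("media.peerconnection.enabled", true);
user_pref("browser.sessionstore.privacy_level", 2);
user_pref("network.trr.mode", 2);
"""

for name, status in audit(SAMPLE).items():
    print(f"{status:12} {name}")
```

Firefox writes only user-modified preferences to `prefs.js`, so `unset` means the built-in default is in effect, which may or may not match the value in the list.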

SecureKongo

Level 28
Thread author
Verified
Top poster
Well-known
Feb 25, 2017
1,732
I see that you use Adguard VPN, your opinion on it ? :)
Wireguard ?
I am really satisfied. It feels fast and has a wide collection of servers. It doesn't have WireGuard as it uses its own protocol:
 

SecureKongo

Developer informed me he has no time to maintain this extension.

This is another "one man show" extension that will disappear with MV3, if Google actually rolls it out.
Thanks for letting me know. He already said that in the past but continued updating it some weeks after. Will keep experimenting a bit and probably go back to uBlock Origin or AdGuard v. 4 anyway. :)
 

SecureKongo

@SecureKongo did you get a free or discounted license for Sophos? How is it performing?
I got a discount for Sophos. Well, I would lie if I said that it offers the best protection out there, but it's solid after all. I am currently testing Sophos on my VM too and I can say that it's really strong in detecting malicious PE-files with its ML-engine. It still has problems with malicious scripts, but as I have it covered with SWH that isn't a problem. I mainly use it because of its anti-exploit capabilities, Safe Browsing, Keystroke Encryption and risk-reduction protections. Performance-wise it is meh. As I got decent hardware it isn't really a problem for me, but for people with older PCs it might be a problem. Lastly I can say that it's really stable without any bugs as far as I am aware. Just try the trial if you are interested, I think that's the best way of finding out if it's crippling your PC or not. :)
 

SecureKongo

Link for Firewall Hardening please ? :)

There you go :)