Advanced Security TairikuOkami's Configuration 202x

[TairikuOkami]

Is Canary build very buggy? Do you use this on your test pc only?

On normal PC, I never had any serious problems, maybe a flashing explorer or a bad task manager, but usually fixed within a week. I have not had BSOD since Vista, except caused by me.

 

[Parkinsond]

I have decided to remove WFC, it was giving me too much headache. Windows Firewall with outbound allowed still honors block rules, so I am just going to block bad ports by default like:

netsh advfirewall firewall delete rule name=all
netsh advfirewall firewall add rule name="TCP Block" dir=out action=block protocol=TCP remoteport=1-79,81-442,444-852,854-1024
netsh advfirewall firewall add rule name="UDP Block" dir=out action=block protocol=UDP remoteport=1-442,444-1024
netsh advfirewall firewall add rule name="Brave TCP" dir=out action=block protocol=TCP remoteport=1-442,444-65535 program="C:\Users\Tairi\AppData\Local\BraveSoftware\Brave-Browser\Application\brave.exe"
netsh advfirewall firewall add rule name="Edge TCP" dir=out action=block protocol=TCP remoteport=1-442,444-65535 program="C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
netsh advfirewall firewall add rule name="Edge UDP" dir=out action=block protocol=UDP remoteport=443 program="C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
netsh advfirewall firewall add rule name="LibreWolf TCP" dir=out action=block protocol=TCP remoteport=1-442,444-65535 program="C:\Program Files\LibreWolf\librewolf.exe"
netsh advfirewall firewall add rule name="LibreWolf UDP" dir=out action=block protocol=UDP remoteport=443 program="C:\Program Files\LibreWolf\librewolf.exe"
netsh advfirewall firewall add rule name="OneDrive TCP" dir=out action=block protocol=TCP remoteport=1-442,444-65535 program="C:\Program Files\Microsoft OneDrive\OneDrive.exe"
netsh advfirewall firewall add rule name="IceDrive TCP" dir=out action=block protocol=TCP remoteport=1-442,444-65535 program="C:\Users\Tairi\AppData\Local\Temp\IcedrivePortable\Icedrive.exe"

Is it necessary to apply such rules if using a 3rd party firewall aksing for permission before any connection?

 

[Andy Ful]

I have restricted some exes (lolbins) like mshta.exe via Disallow policy. Port 80 aka http is not allowed. To partially prevent malware using legitimate processes, I have allowed only trusted IP ranges for the most vulnerable apps like svchost or discord. Process Hacker checks running processes in VirusTotal.

Hi,

It is always interesting to discuss the No-AV setup.
Many attacks will be blocked, but some popular attack vectors are still possible. Therefore, the user must be cautious and have extensive knowledge and experience in using Process Hacker (System Informer).

In your case, the problem may be related to game mods or game updates. For example, when the gaming server is compromised, the malicious content will be installed. In such cases, the protection provided by NextDNS is often slowed.
Unfortunately, the installed malware often uses trusted IP ranges and HTTPS.
ProcessHacker with VT integration is a good protection layer, but may be insufficient nowadays. Many malware use DLLs (no integration with VT) for persistence.

It would be interesting to use SAC or a specially adjusted WDAC policy to periodically audit non-system DLLs and drivers. The audit starts when enabling SAC in Evaluate mode or copying the WDAC policy to the appropriate folder.

 

[piquiteco]

Thanks, it would be actually interesting to see, how would this AV-less setup hold against real a malware/ransomware, but that would require someone more skilled than me. I once tested wannacry real life and it failed to do anything, since ransomware requires SYSTEM permissions and I pretty much denied that on important partitions and folders.

No need to worry, friend. What a coincidence, I also tested a WannaCry sample back in 2017. I had BDTS with folder protection similar to what MD has today. WannaCry also did not encrypt protected folders because I was using the SUA account and still had the C:\Users\Public folders protected. The process remained running but was unable to elevate system or administrator privileges on the SUA account to encrypt my files. Then I ran the test without folder protection, and it only encrypted the files of the standard account users. The admin account files remained untouched. Since I was using RBX at the time, I just reverted to a previous snapshot and I was back, just for peace of mind, but Wannacry did not spread to other machines. Coincidence or not, you think similarly to me, you like to configure and harden the operating system without relying too much on AVs. In your settings, theoretically, ransomware and malware would not be able to do much, I presume, precisely because of the configuration restrictions you imposed on your OS. For example, the malware would not be able to communicate with C2 due to your DNS and the blocking of ports commonly used and abused by malware. Here we will also consider LOLBins. If your system is applied, blocked by the firewall, the malware would also not be able to download the payload, so the malware would remain inactive. Very interesting configuration @TairikuOkami. I liked your approach. Sorry for the delay in answering your question, I'm as slow as a turtle when it comes to typing.

 

[piquiteco]

Is it necessary to apply such rules if using a 3rd party firewall aksing for permission before any connection?

Of course not, these rules only apply to the Windows firewall. But you can still apply them if you uninstall the third-party firewall or disable it for testing purposes.

 

[piquiteco]

What ports should be allowed?

Same as @TairikuOkami's post number #33. I won't post here anymore, otherwise it will clutter up @TairikuOkami's thread, which is about his computer settings. Let's respect him.

 

[Parkinsond]

Same as @TairikuOkami's post number #33. I won't post here anymore, otherwise it will clutter up @TairikuOkami's thread, which is about his computer settings. Let's respect him.

Yes, I have noticed the settings after asking you; apologies.

 

[SeriousHoax]

@TairikuOkami What was your reason for switching to DoT on Windows 11 over the default DoH?

 

[TairikuOkami]

What was your reason for switching to DoT on Windows 11 over the default DoH?

Easier to control and monitor, chromium browsers leak via default DNS, unless it is blocked.
People mention that it has less vulnerabilities compared to widespread HTTP. Good article:

DNS-over-TLS (DoT) vs DNS-over-HTTPS (DoH): What’s the Difference?

Learn which encrypted DNS protocol is best for security, compliance, and network control in 2025.

controld.com

 

[piquiteco]

@TairikuOkami Thanks again for sharing your configuration. When I used CF/CIS, I blocked all TCP ports 1-65535 on the firewall. I never did that on the Windows firewall. But it's interesting, it gives you peace of mind when you know that no ports are open or exposed to the web.

 

[Andy Ful]

DOT can have a clear advantage only in Enterprises or for users who can efficiently monitor the network traffic. In the case of malicious traffic, it can be blocked without blocking other connections. Also, the users cannot easily bypass the restrictions put by the Enterprise Administrators.
However, for most home users, properly configured DOH is considered a better solution.

 

[SeriousHoax]

Easier to control and monitor, chromium browsers leak via default DNS, unless it is blocked.
People mention that it has less vulnerabilities compared to widespread HTTP. Good article:

DNS-over-TLS (DoT) vs DNS-over-HTTPS (DoH): What’s the Difference?

Learn which encrypted DNS protocol is best for security, compliance, and network control in 2025.

controld.com

I see. It makes it easy for you to monitor it. You're still using DoH in your browser so there's that.
If you want to use DoT even in your browser then you could install YogaDNS or AdGuard Home. AdGuard Home can prevent leaking default DNS in Chromium by using something like, https://1.1.1.1/dns-query as the bootstrap address.
I like DoH/3 & DoQ (both slightly faster than DoH and DoQ) but browsers and operating systems don't natively support them so third-party software is needed.

 

[simmerskool]

for most home users, properly configured DOH is considered a better solution.

I've been tweaking & tweaking DNS / DoH for a few days on various VMs with some "help" from chatGPT, I've learned a little. I'm no longer in the mode (or mood) to analyze w/wireshark...

 

[TairikuOkami]

I have just cleaned my pet bear, totally unrelated to the security, then again, it makes me feel safe, considering my life problems. I have used the Lavender oil, it smells great, but looks dashy.

m

 

[oldschool]

What are your life problems?

 

[rashmi]

I have just cleaned my pet bear, totally unrelated to the security, then again, it makes me feel safe, considering my life problems. I have used the Lavender oil, it smells great, but looks dashy.

View attachment 290260 mView attachment 290262

Based on these images, I can picture the moment of betrayal... You forced your pet bear into the bathtub against his will; no amount of lavender oil can mask the look in your pet bear's eyes... "Great-smelling lavender oil" cannot erase the memory of the struggle—I see a pet bear who's plotting revenge!

 

[TairikuOkami]

I was "forced" to switch back to Stable. Canary failed to update due to insufficient space. My partition was 64GB, no surprise there 25H2 took 65GB after a clean install.
Unfortunately due to stupid MS, I had to remove all partitions, since 11 considered the faster disk as secondary and refused to install it, just like during HDD's jumper days.
Luckily my BIOS allows me to clear SSDs, I had to remove everything to be able to clean install 11, it worked, sadly on a slower SSD, but 25H2 runs pretty light, after tweaking.

 

[oldschool]

25H2 runs pretty light, after tweaking.

I think you mean "after seriously hacking".

 

[TairikuOkami]

I have reverted back to 26H1, I got bored and I wanted NVMe 70% performance gain, but it did not turn out the way I expected.
Slow disk has got noticeably slower and fast disk has got slightly faster. I have to use slow disk for Windows, not happy about it.

Spoiler

reg add "HKLM\System\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides" /v "156965516" /t REG_DWORD /d "1" /f
reg add "HKLM\System\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides" /v "735209102" /t REG_DWORD /d "1" /f
reg add "HKLM\System\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides" /v "1853569164" /t REG_DWORD /d "1" /f

Announcing Native NVMe in Windows Server 2025: Ushering in a New Era of Storage Performance | Microsoft Community Hub

We’re thrilled to announce the arrival of Native NVMe support in Windows Server 2025—a leap forward in storage innovation that will redefine what’s possible...

techcommunity.microsoft.com

Windows 11 Home (28020.1362) - it settles down after 7min - 62 processes (+SystemInformer/+XnView) / 618 threads / 26962 handles / 2.1GB RAM

 

[TairikuOkami]

I got Revolut Premium, so I could buy commodities like silver with smaller fees and as a bonus I got NordVPN Standard and unlike other VPNs, it just works with my config, no background processes either when OFF. I can watch US/UK Netflix content, like Mr Bean, but the best part is, that it works with NextDNS flawlessly. Best from both worlds.