Advanced Security Thales' Config 2024

[Thales]

You are using the Free version. In my case, this program had problems restoring partitions. That's why I don't use it. But that was a few years ago. Maybe it's different now.
How does it work now?

I barely remember but maybe it failed me one time only.
I'm not sure that with Easus to do backup or something else requires to turn Bitlocker off before you can restore to an encrypted partition.
Free version allow me to encrypt the backup and it is fast.

 

[M4RT1NE2]

I barely remember but maybe it failed me one time only.
I'm not sure that with Easus to do backup or something else requires to turn Bitlocker off before you can restore to an encrypted partition.
Free version allow me to encrypt the backup and it is fast.

And have you tried Macrium Reflect Free ?. It has saved my life more than once. It hasn't let me down yet and I have confidence in it.

 

[Thales]

And have you tried Macrium Reflect Free ?. It has saved my life more than once. It hasn't let me down yet and I have confidence in it.

Yes, I have used it for awhile.
The free version doesn't allow me to encrypt the backup.
Also I just discovered paragon has backup and restore software (password protected AES 256) with Win PE option (which is standard nowadays) and if EasUs ToDo failes me again I'm gonna switch.

 

[Guilhermesene]

How does this issue of a random password protected backup work? If it is random, when you will restore the image is it necessary to enter this password? (Sorry for the questions maybe even silly, but I never got to use this option)

I have Macrium Reflect Home (paid) and I say that it is the best software I have bought besides KTS to date.

 

[Thales]

How does this issue of a random password protected backup work? If it is random, when you will restore the image is it necessary to enter this password? (Sorry for the questions maybe even silly, but I never got to use this option)

I have Macrium Reflect Home (paid) and I say that it is the best software I have bought besides KTS to date.

It works as a normal password protected file. When you make the backup you enter your chosen password which will protect your backup.
The restoring process works the same way. The program ask your password before restoring your drive/files.

 

[Thales]

Changed my Bitlocker and SRP Settings. Here is the detailed list.
More changes are coming!

BitLocker Drive Encryption
Choose drive encryption method and cipher strength

Select the encryption method for operating system drives: XTS AES 256-bit​

Select the encryption method for fixed data drives: XTS AES 256-bit​

Select the encryption method for removable data drives: AES-CBC 256-bit​

Disable new DMA devices when this computer is locked Enabled
Prevent memory overwrite on restart Disabled

Fixed Data Drives
Choose how BitLocker-protected removable drives can be recovered Enabled

Allow data recovery agent​

Allow 48-digit recovery password​

Allow 256-bit recovery key​

Omit recovery options from the BitLocker setup wizard​

Save BitLocker recovery information to AD DS for operating system drives​

Backup recovery passwords and key packages​

Do not enable BitLocker until recovery information is stored to AD DS for operating system drives​

Configure use of passwords for fixed data drives Enabled
Allow password complexity
Minimum password length for fixed data drive: 14

​

Operating System Drives
Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN. Disabled
Allow Secure Boot for integrity validation Enabled
Choose how BitLocker-protected operating system drives can be recovered Enabled

Allow data recovery agent​

Allow 48-digit recovery password​

Allow 256-bit recovery key​

Omit recovery options from the BitLocker setup wizard​

Save BitLocker recovery information to AD DS for operating system drives​

Store recovery passwords and key packages​

Do not enable BitLocker until recovery information is stored to AD DS for operating system drives​

Configure minimum PIN length for startup Enabled

Minimum characters: 14​

Configure use of passwords for operating system drives Enabled

Allow password complexity​

Minimum password length for operating system drive: 14​

Disallow standard users from changing the PIN or password Enabled
Require additional authentication at startup Enabled

UNCHECKED Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)​

Allow TPM​

Allow startup PIN with TPM​

Allow startup key with TPM​

Allow startup key and PIN with TPM​

Reset platform validation data after BitLocker recovery Enabled

Removable Data Drives
Choose how BitLocker-protected removable drives can be recovered Enabled

Allow data recovery agent​

Allow 48-digit recovery password​

Allow 256-bit recovery key​

Omit recovery options from the BitLocker setup wizard​

Save BitLocker recovery information to AD DS for operating system drives​

Backup recovery passwords and key packages​

Do not enable BitLocker until recovery information is stored to AD DS for operating system drives​

Configure use of passwords for fixed data drives Enabled
Allow password complexity
Minimum password length for fixed data drive: 14
Control use of BitLocker on removable drives Enabled

Allow users to apply BitLocker protection on removable data drives​

Allow users to suspend and decrypt BitLocker on removable data drives​

SRP

DISALLOWED list
%localAppData%\*.exe
%localAppData%\*\*.exe
%localAppData%\Temp\*.zip\*.exe
%localAppData%\Temp\7z*\*.exe
%localAppData%\Temp\Rar*\*.exe
%localAppData%\Temp\wz*\*.exe
%Temp%\*\*.exe
%Temp%\*.exe
powershell_ise.exe
powershell.exe

 

[Thales]

I've just changed from veracrypt to Boxcryptor. I wanna make my life easier, so I'm looking for simple but secure solution.
I used to use Boxcryptor in the past and I was happy with it, so let's see how it works again.

 

[Thales]

I bought Norton 360 license again.
I've changed a few settings only.

Antivirus
Boot Time Protection - Normal
SONAR Advanced Mode - Aggressive

Firewall
Notifications - OFF

Administrative Settings
Performance Monitoring - OFF

 

[Guilhermesene]

I bought Norton 360 license again.
I've changed a few settings only.

Antivirus
Boot Time Protection - Normal
SONAR Advanced Mode - Aggressive

Firewall
Notifications - OFF

Administrative Settings
Performance Monitoring - OFF

Why did you choose Norton? This is a question just out of curiosity

 

[Thales]

Why did you choose Norton? This is a question just out of curiosity

It took days. I was struggling between the big names. I checked the malware hub, price, reviews especually reviews by @Shadowra (thank you for your work. )
The remaining two was GDATA and Norton. Same price but Norton gives me more control, it is cheap and I already know how it performs.

 

[Guilhermesene]

It took days. I was struggling between the big names. I checked the malware hub, price, reviews especually reviews by @Shadowra (thank you for your work. )
The remaining two was GDATA and Norton. Same price but Norton gives me more control, it is cheap and I already know how it performs.

Thanks for the answer

Glad it was a well-thought-out choice, the most important thing is to use the product that you feel safest and that best fits your system.

 

[Thales]

Never gonna use Boxcryptor again. Back to Veracrypt.
I made a serious mistake. I uploaded my password database, backup codes, notes, recovery codes and everything without encryption.
Boxcryptor was password protected (local folder) and closed, so the files should have been encrypted but they wasn't. I noticed the mistake shortly and I deleted everything from 3 clouds but you know "there is no cloud just someone else's computer". I've changed all important passwords, 2FA, recovery codes in the last hours and it is ok now.

My system works but I should have never switched from veracrypt. It was my mistake.

 

[L0ckJaw]

I bought Norton 360 license again.
I've changed a few settings only.

Antivirus
Boot Time Protection - Normal
SONAR Advanced Mode - Aggressive

Firewall
Notifications - OFF

Administrative Settings
Performance Monitoring - OFF

Here are mine Firewall settings :

I have boot time protection to Aggressive ( no slowdowns )
I use it in combination with Simple Windows Hardening ( new version 2.0 )

 

[Thales]

I've changed a lot of passwords.
Fixed my short passwords and raised them to 20+ characters.
Changed from passwords to passphrases. It is easier to type in if I have to.

I generated 60 ok-ish and 90 strong (200+ bit) passphrases with Keepass

Like this:
the9*Tykes0*Chimes*across7*from*That9*Fanfare
passtimes Might7 Sneak Abreast9 Of the9 bird
slits0 hack0 The6 Lip0

but if you don't have this option you can use this website.

Security

Enhance your security with our expert IT security services and solutions. Protect your data, mitigate risks, and safeguard your business.

www.worksighted.com

 

[Thales]

New Windows

Main AV: Avast Free
Gpedit: Hardened Bitlocker
2nd Layer: OSA (mostly with default settings and more comfortable than gpedit)
Browser: NextDNS and one extension only
Password manager: KeepassXC (I still love it except the browser extension. It has improved but... meh)
Backup: EasUs ToDo and FreeFileSync

 

[Thales]

Snyc: I bought GoodSync for 1 year. I really needed this and it is the cheapest and best alternative of Syncbackpro. I enjoy this fully automated sync
Browser: from chrome to Edge (chrome is good but whatever Edge is also good)
Password Manager: also switched from KeepassXC to Keepass

A little recap: Avast is running fine. No bloat, no slowdowns. Rarely gives me pop-ups.

 

[Thales]

Switched back to WD. (I had no problem with Avast free. Recommended)

I made significant changes in GPO and provided detailed information in my first post.

Side note:
Edge settings in GPO are not applying. I found a lot of complaints about this, so it is not just me.
I don't know but probably whitelist is better than blacklist in SRP.

 

[Thales]

I added syshardener and enabled a few other settings in it. I still have 5 months of Norton 360 but I'm not gonna use it.
WD is good for me but if I'm gonna find a good AI based Antivirus or other AI based software I'm gonna use it

I am deeply in love with AI.

 

[Thales]

Today I turned on my computer and Windows notified me that Edge received an update. Then I began browsing and I was faced with advertisements. So I had to edit the DNs server system wide. 1-0 for me
Also, this little icon appeared on the Edge.

 

[Thales]

I reworked the GPO rules from scratch. I made only crucial edits. I also enabled some new settings like "Interactive logon: Do not require CTRL+ALT+DEL Disabled"

Spoiler: ASR rules

Block executable content from email client and webmail
BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
Block all Office applications from creating child processes
D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Block Office applications from creating executable content
3B576869-A4EC-4529-8536-B80A7769E899
Block Office applications from injecting code into other processes
75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
Block JavaScript or VBScript from launching downloaded executable content
D3E037E1-3EB8-44C8-A917-57927947596D
Block execution of potentially obfuscated scripts
5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
Block Win32 API calls from Office macro
92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
Block executable files from running unless they meet a prevalence, age, or trusted list criterion
01443614-CD74-433A-B99E-2ECDC07BFC25
Use advanced protection against ransomware
C1DB55AB-C21A-4637-BB3F-A12568109D35
Block credential stealing from the Windows local security authority subsystem (lsass.exe)
9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2
Block process creations originating from PSExec and WMI commands
D1E49AAC-8F56-4280-B9BA-993A6D77406C
Block untrusted and unsigned processes that run from USB
B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4
Block Office communication application from creating child processes
26190899-1602-49E8-8B27-EB1D0A1CE869
Block Adobe Reader from creating child processes
7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C
Block persistence through WMI event subscription
E6DB77E5-3DF2-4CF1-B95A-636979351E5B.

Spoiler: Credential entry

Do not display network selection UI Enabled
Enumerate local users on domain-joined computers Disabled
Enumerate administrator accounts on elevation Disabled
Require trusted path for credential entry Enabled
Prevent the use of security questions for local accounts Enabled
Disable or enable software Secure Attention Sequence Disabled
Sign-in last interactive user automatically after a system-initiated restart Disabled
Interactive logon: Do not require CTRL+ALT+DEL Disabled

Spoiler: Early Malware

Boot-Start Driver Initialization Policy Enabled
Choose the boot-start drivers that can be initialized: Good and unknown

Spoiler: Defender

Turn off Microsoft Defender Antivirus Disabled
Configure detection for potentially unwanted applications Enabled
Configure local setting override for reporting to Microsoft MAPS Disabled
Configure the ‘Block at First Sight’ feature Enabled
Join Microsoft MAPS Enabled
Send file samples when further analysis is required Enabled
Configure extended cloud check Enabled
Specify the extended cloud check time in seconds: 50
Select cloud protection level Enabled
Select cloud blocking level: High blocking level or Zero Tolerance

Turn off real-time protection Disabled
Turn on behavior monitoring Enabled
Scan all downloaded files and attachments Enabled
Monitor file and program activity on your computer Enabled
Turn on raw volume write notifications Enabled
Turn on process scanning whenever real-time protection is enabled Enabled
Define the maximum size of downloaded files and attachments to be scanned Enabled
Configure local setting override for turn on behavior monitoring Disabled
Configure local setting override for scanning all downloaded files and attachments Disabled
Configure local setting override for monitoring file and program activity on your computer Disabled
Configure local setting override to turn on real-time protection Disabled
Configure local setting override for monitoring for incoming and outgoing file activity Disabled
Configure monitoring for incoming and outgoing file and program activity Enabled (Both)

Check for the latest virus and spyware definitions before running a scheduled scan Enabled
Scan archive files Enabled
Scan packed executables Enabled
Scan removable drives Enabled
Turn on e-mail scanning Enabled
Turn on heuristics Enabled
Configure detection for potentially unwanted application Enabled
Configure Windows Defender smartscreen Enabled

Spoiler: Bitlocker

BitLocker Drive Encryption
Choose drive encryption method and cipher strength
Select the encryption method for operating system drives: XTS AES 256-bit
Select the encryption method for fixed data drives: XTS AES 256-bit
Select the encryption method for removable data drives: AES-CBC 256-bit
Disable new DMA devices when this computer is locked Enabled
Prevent memory overwrite on restart Disabled

Fixed Data Drives
Choose how BitLocker-protected removable drives can be recovered Enabled
Allow data recovery agent
Allow 48-digit recovery password
Allow 256-bit recovery key
Save BitLocker recovery information to AD DS for operating system drives
Backup recovery passwords and key packages
Configure use of passwords for fixed data drives Enabled
Allow password complexity
Minimum password length for fixed data drive: 14
Operating System Drives
Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN. Disabled
Allow Secure Boot for integrity validation Enabled
Choose how BitLocker-protected operating system drives can be recovered Enabled
Allow data recovery agent
Allow 48-digit recovery password
Allow 256-bit recovery key
Save BitLocker recovery information to AD DS for operating system drives
Store recovery passwords and key packages
Configure minimum PIN length for startup Enabled
Minimum characters: 14
Configure use of passwords for operating system drives Enabled
Allow password complexity
Minimum password length for operating system drive: 14
Disallow standard users from changing the PIN or password Enabled
Require additional authentication at startup Enabled
UNCHECKED Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)
Allow TPM
Allow startup PIN with TPM
Allow startup key with TPM
Allow startup key and PIN with TPM
Reset platform validation data after BitLocker recovery Enabled

Removable Data Drives
Choose how BitLocker-protected removable drives can be recovered Enabled
Allow data recovery agent
Allow 48-digit recovery password
Allow 256-bit recovery key
Omit recovery options from the BitLocker setup wizard
Save BitLocker recovery information to AD DS for operating system drives
Backup recovery passwords and key packages
Do not enable BitLocker until recovery information is stored to AD DS for operating system drives
Configure use of passwords for fixed data drives Enabled
Allow password complexity
Minimum password length for fixed data drive: 14
Control use of BitLocker on removable drives Enabled
Allow users to apply BitLocker protection on removable data drives
Allow users to suspend and decrypt BitLocker on removable data drives

Spoiler: Other Things

Prevent access to 16-bit applications Enabled