SECURITY: Complete Thales Hardened system for 2021

Last updated
Jun 17, 2021
About
Personal, primary device
Additional PC users
Not shared with other users
Desktop OS
Windows 10
OS edition
Pro
Login security
    • Password-less (PIN, Biometric, Face)
    • Password (Aa-Zz, 0-9, Symbols)
Primary sign-in
Microsoft account
Primary user
Admin user - Full permissions
Security updates
Automatic - allow all types of updates
Windows UAC
Maximum - always notify
Network firewall
Third-party router
Real-time protection

Microsoft Defender​

Configure Defender Set to MAX

Controlled folder access disabled
Hide Security Center: Visible
Software firewall
Microsoft Defender Firewall
Custom RTP, Firewall and OS settings
Bitlocker Changes (via Group policy)
  • Cypher strenght -> AES XTS 256
  • Disabled new DMA devices when this computer is locked
  • Allowed secure Boot for integrity validation
  • Requires additional authentication at Startup
    • Require TPM
    • Do not allow startup PIN with TPM
    • Do not allow startup key with TPM
    • Do not allow startup key and PIN with TPM
NextDNS
Security
Everything is on
Blocked most abused Top level Domains
Using IPv4 with Linked IP

Privacy
Blocklist

  • NextDNS Ads & Trackers Blocklist
  • UncheckyAds
  • oisd
Native Tracker Protection
  • Xiaomi
  • Huawei
  • Samsung
  • Apple
  • Roku
  • Sonos
Block Disguised Third-Party Trackers

Parental Control
Websites, Apps, Games

  • TikTok
  • Tinder
  • Fortnite
  • Minecraft
  • Tumblr
  • 9GAG
  • VK
  • Roblox
  • WhatsApp
  • Dailymotion
  • Hulu
Categories
  • Dating
  • Piracy
  • Porn
Block Bypass Methods

Allow list
Microsoft.com

Settings
Anonymized EDNS Client Subnet
Cache Boost
CNAME Flattening

SWH (Simple Windows Hardening)
Default settings

Firewall Hardening
Added Recommended Rules
Added LOLBin rules

SRP is ON
Malware testing
No malware samples
Periodic security scanners
Hitman Pro Free
Secure DNS
NextDNS
VPN
Not at this moment
Password manager
Keepass
  • Another Favicon
  • Windows Hello
  • TOTP
Browsers, Search and Addons
Microsoft Edge
  • Adblock for youtube
Maintenance and Cleaning
WiseDiskCleaner Free Automatically runs once a week
Personal Files & Photos backup
Redundant Backup
(Multiple locations, independent from each other)
Personal backup routine
Automatic (scheduled)
Device recovery & backup
AOMEI Backupper pro
Device backup routine
Manual (maintained by self)
PC activity
  1. Working from home. 
  2. Browsing the web. 
  3. Emails. 
  4. Banking. 
  5. Malware samples. 
Personal changelog
2021-06-12 WD, gpedit, syshardener, NextDNS
2021-06-13 NextDNS revamp
2021-06-15 syshardener replaced with SWH, FH, SRP
2021-06-17 Back to Keepass
Feedback Response

Most critical feedback

Thales

Level 12
Nov 26, 2017
572
This is my current setup for 2021

Reminder how antiviruses perform on my system. (only performance, not protection)
Sophos = 1/5
Very heavy on my system. I uninstalled and won't use it in the near future.
Heimdal = 5/5
Very fast and responsive program however the protection rate is very bad and for this price there are better alternatives.

Trend Micro = 5/5
It is fast and offers better protection than Heaimdal.
McAfee = 5/5
Fast and the protection rate is also good.
AVG = 4/5
I have mixed feeling about it.
Norton = 5/5
It is fast and responsive. Protection rate is on the top. Scanning consume 30-35% CPU which is very good and this way the system remains very usable..

Settings to remeber on 2021-06-15

Bitlocker Changes (via Group policy)
  • Cypher strenght -> AES CBC 256
  • Disabled new DMA devices when this computer is locked
  • Allowed secure Boot for integrity validation
  • Requires additional authentication at Startup
    • Require TPM
    • Do not allow startup PIN with TPM
    • Do not allow startup key with TPM
    • Do not allow startup key and PIN with TPM

Syshardener (Default + Extra changes)
Turn off remote desktop connection to the PC
Turn off sidebar and desktop gadgets
Disable Windows subsystem for Linux
Change powershell Execution Policy for Current User (Restricted)
Restrict powershell (v3+) to Constrained Language Mode
Disable Powershell Script Execution
Disable Powershell v2.0 Engine
Turn off Windows Error reporting Service
Turn off Radio management Service
Turn off Remote management Services
Block outbond connectiona for Lsass.exe
Blocked every file type available in syshardener

NextDNS
Security
Everything is on
Blocked most abused Top level Domains
Using IPv4 with Linked IP

Privacy
Blocklist

  • NextDNS Ads & Trackers Blocklist
  • UncheckyAds
  • oisd
Native Tracker Protection
  • Xiaomi
  • Huawei
  • Samsung
  • Apple
  • Roku
  • Sonos
Block Disguised Third-Party Trackers

Parental Control
Websites, Apps, Games

  • TikTok
  • Tinder
  • Fortnite
  • Minecraft
  • Tumblr
  • 9GAG
  • VK
  • Roblox
  • WhatsApp
  • Dailymotion
  • Hulu
Categories
  • Dating
  • Piracy
  • Porn
Block Bypass Methods

Allow list
Microsoft.com

Settings
Anonymized EDNS Client Subnet
Cache Boost
CNAME Flattening
 
Last edited:

Thales

Level 12
Nov 26, 2017
572
Really nice setup imo, but why would you use an adblock for Youtube only while there are better alternatives out there? I mean I don't see the downside of replacing it with Ublock or Adguard tbh... :)

Yes, the reason is the performance. I used to use AdGuard, Ublock, NanoAdblocker, Adblock plus, Ghostery but everything except NanoAdblocker slowed down my system. Couldn't watch Netflix, youtube properly and everything was so slow.
Tried other browsers with in-built adblocker like Brave but couldn't resolve the issue. Unfortunatelly Nano is not available anymore, so I use NextDNs now and I need adblock for youtube only.
 

SecureKongo

Level 21
Verified
Malware Tester
Feb 25, 2017
1,053
Yes, the reason is the performance. I used to use AdGuard, Ublock, NanoAdblocker, Adblock plus, Ghostery but everything except NanoAdblocker slowed down my system. Couldn't watch Netflix, youtube properly and everything was so slow.
Tried other browsers with in-built adblocker like Brave but couldn't resolve the issue. Unfortunatelly Nano is not available anymore, so I use NextDNs now and I need adblock for youtube only.
Well, you got NextDNS anyway with some filter activated I guess. So if you don't care about cosmetic filters that should be enough. Maybe you could check out Bluhell Firewall. You won't even notice that its installed. :)
 

Thales

Level 12
Nov 26, 2017
572
Well, you got NextDNS anyway with some filter activated I guess. So if you don't care about cosmetic filters that should be enough. Maybe you could check out Bluhell Firewall. You won't even notice that its installed. :)
Thank you. NextDNS is awesome except blocking youtube video ads :)
I agree firewalls are very good. I used to use Firewalls in the past as my first line of defence. WFC, Simplewall, AVG, Glasswire. For now I'm good with hardenned firewall but next time I'm gonna try Bluhell firewall.
Thank you for the tip!
 

SecureKongo

Level 21
Verified
Malware Tester
Feb 25, 2017
1,053
Thank you. NextDNS is awesome except blocking youtube video ads :)
I agree firewalls are very good. I used to use Firewalls in the past as my first line of defence. WFC, Simplewall, AVG, Glasswire. For now I'm good with hardenned firewall but next time I'm gonna try Bluhell firewall.
Thank you for the tip!
It's not a real firewall, it's a light adblocking extension :LOL:
 

silversurfer

Level 73
Verified
Trusted
Content Creator
Malware Hunter
Aug 17, 2014
6,233
Bluhell Firewall is always confusing for the most people as it's an adblocker browser extension for both Chrome and Firefox.

 

Gandalf_The_Grey

Level 48
Verified
Trusted
Content Creator
Apr 24, 2016
3,765
Yes, the reason is the performance. I used to use AdGuard, Ublock, NanoAdblocker, Adblock plus, Ghostery but everything except NanoAdblocker slowed down my system. Couldn't watch Netflix, youtube properly and everything was so slow.
Tried other browsers with in-built adblocker like Brave but couldn't resolve the issue. Unfortunatelly Nano is not available anymore, so I use NextDNs now and I need adblock for youtube only.
You know that Edge has built-in tracking prevention? Do you use that in basic, balanced (recommended) or strict mode?
 

SecurityNightmares

Level 40
Verified
Jan 9, 2020
2,955
With Edge Tracking-Protection (i recommend HIGH) and NextDNS you're good protected.
If you can live with some website element ads, don't add any browser extension and enjoy the faster browsing speed.

Because of FirewallHardening you also don't need another Firewall. It's more than safe.

  • Control use of bitlocker on removable drives (allowed)
This is only needed if you use Microsoft Baseline. If not, this policy isn't active by Bitlocker itself.

Nice setup with Windows and Andy's tools (y)
Keep it clean
 

Thales

Level 12
Nov 26, 2017
572
With Edge Tracking-Protection (i recommend HIGH) and NextDNS you're good protected.
If you can live with some website element ads, don't add any browser extension and enjoy the faster browsing speed.

Because of FirewallHardening you also don't need another Firewall. It's more than safe.


This is only needed if you use Microsoft Baseline. If not, this policy isn't active by Bitlocker itself.

Nice setup with Windows and Andy's tools (y)
Keep it clean
Thank you :)
I activated the Control use of bitlocker on removable drives because "turn on Bitlocker" option was missing. I read about this and it is a bug caused an update.
The solution was this:
1, delete partition in disk management.
2, create new partition
3, remove the media
4, plug in the media
5, Magic :D
 

Thales

Level 12
Nov 26, 2017
572
I like the security setup! Looks good!

How are you liking NextDNS?

~Brain
Thank you. ;)

NextDns is so far so good and I think it is gonna be my permanent DNS service.
However it doesn't block hidden links (but blocks the popup pages) under the buttons but it happens so rarely and only on a couple of pages, so not a serious problem..
No performance issue (why would be), and it blocks a lot of queries. The setup page is also well designed and I use it fairly often to see what is happening.
Some pages are also blocked via google saerch engine but I think it is because of the google services because they work via duckduckgo. So, I'm gonna use duckduckgo search engine again.
 
Last edited:

Thales

Level 12
Nov 26, 2017
572
I experience higher system impact with Windows Defender compared to F-Secure SAFE.
The lightest program I've ever used was HMPA. I know it is "just" a full-exploit stuff and MT members prefer something else but I liked it very much combined with OSA (old OSA, completely free).
The highest system impact I've ever experienced was with KIS.
I still have 2 years of subscription of AVG Total but it is not lighter than F-secure SAFE or HMPA
Even if we use the same OS systems are different and system impact depends on lot of things, so there is no universal solution that works for everyone. Testing is the only way to find out if something works or not. Even if I believe KIS is fantastic I can't use it because of my system.
What I have is AVG Total 2years of sub and F-secure SAFE 6 months of sub.
 
Top