SECURITY: Complete Thales Hardened system for 2021

Last updated
Sep 15, 2021
About
Personal, primary device
Additional PC users
Not shared with other users
Desktop OS
Windows 10
OS edition
Pro
Login security
    • Password-less (PIN, Biometric, Face)
    • Password (Aa-Zz, 0-9, Symbols)
Primary sign-in
Microsoft account
Primary user
Admin user - Full permissions
Other users
Other accounts are Standard users
Security updates
Automatic - allow all types of updates
Windows UAC
Maximum - always notify
Network firewall
ISP-issued router
Real-time protection

WiseVector StopX

Heuristic Analysis set to High
Ransomware rollback disabled
Enabled document folder protection (MEGA)
Software firewall
Microsoft Defender Firewall
Custom RTP, Firewall and OS settings
Bitlocker Changes (via Group policy)
  • Cipher strength -> AES XTS 256
  • Disabled new DMA devices when this computer is locked
  • Allowed secure Boot for integrity validation
  • Requires additional authentication at Startup
    • Require TPM
    • Do not allow startup PIN with TPM
    • Do not allow startup key with TPM
    • Do not allow startup key and PIN with TPM
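As an added check that is not part of the original post, this PowerShell snippet compares the BitLocker Group Policy values under HKLM\SOFTWARE\Policies\Microsoft\FVE against the settings listed above and then confirms the OS volume really runs XTS-AES 256 with a TPM-only protector. The value names and numeric codes are those used by the BitLocker ADMX templates; the script assumes an elevated session on the machine being audited.

```powershell
# Added audit script (not from the original post): detects drift between the
# BitLocker policy listed above and what is actually in the registry, then
# checks the live state of the OS volume. Run in an elevated PowerShell.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Expected DWORDs, per the BitLocker ADMX template codes:
#   EncryptionMethodWithXtsOs: 3=AES-CBC 128, 4=AES-CBC 256, 6=XTS-AES 128, 7=XTS-AES 256
#   UseTPM / UseTPMPIN / UseTPMKey / UseTPMKeyPIN: 0=Do not allow, 1=Allow, 2=Require
$expected = [ordered]@{
    EncryptionMethodWithXtsOs     = 7   # Cipher strength -> AES XTS 256
    DisableExternalDMAUnderLock   = 1   # Disable new DMA devices when this computer is locked
    OSAllowSecureBootForIntegrity = 1   # Allow Secure Boot for integrity validation
    UseAdvancedStartup            = 1   # Require additional authentication at startup
    UseTPM                        = 2   # Require TPM
    UseTPMPIN                     = 0   # Do not allow startup PIN with TPM
    UseTPMKey                     = 0   # Do not allow startup key with TPM
    UseTPMKeyPIN                  = 0   # Do not allow startup key and PIN with TPM
}

function Test-BitLockerPolicy {
    # One line per policy value: OK when the registry matches, DRIFT otherwise.
    $current = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    foreach ($name in $expected.Keys) {
        $actual = if ($null -ne $current) { $current.$name } else { $null }
        if ($null -eq $actual) { $shown = '<missing>' } else { $shown = $actual }
        $status = if ($actual -eq $expected[$name]) { 'OK   ' } else { 'DRIFT' }
        '{0} {1,-30} expected={2} actual={3}' -f $status, $name, $expected[$name], $shown
    }
}

function Test-BitLockerVolumeState {
    # Policy only matters if the volume was (re)encrypted under it: confirm the
    # cipher and that the only TPM-based protector is plain TPM (no PIN/key).
    $vol   = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $types = @($vol.KeyProtector.KeyProtectorType)
    [pscustomobject]@{
        EncryptionMethod = $vol.EncryptionMethod
        MethodMatches    = ($vol.EncryptionMethod -eq 'XtsAes256')
        TpmOnlyProtector = ('Tpm' -in $types) -and -not ($types -match '^Tpm(Pin|StartupKey|PinStartupKey)$')
        ProtectionStatus = $vol.ProtectionStatus
    }
}

Test-BitLockerPolicy
Test-BitLockerVolumeState | Format-List
```

A DRIFT line with a correct live volume state usually means the policy was set locally rather than through the GPO path this script reads; a matching policy with a non-matching volume means the drive was encrypted before the policy was applied.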

NextDNS
Security
Everything is on
Blocked most abused Top level Domains
Using IPv4 with Linked IP

Privacy
Blocklist

  • NextDNS Ads & Trackers Blocklist
  • UncheckyAds
  • oisd
Native Tracker Protection
  • Xiaomi
  • Huawei
  • Samsung
  • Apple
  • Roku
  • Sonos
Block Disguised Third-Party Trackers

Parental Control
Websites, Apps, Games

  • TikTok
  • Tinder
  • Fortnite
  • Minecraft
  • Tumblr
  • 9GAG
  • VK
  • Roblox
  • WhatsApp
  • Dailymotion
  • Hulu
Categories
  • Dating
  • Piracy
  • Porn
Block Bypass Methods
SafeSearch

Allow list
auth.vodafone.hu
g.api.mega.co.nz
pokercaption.com
qbittorrent.org
eu.static.mega.co.nz
1337x.to
mega.nz
twoplustwo.com
microsoft.com

Settings
Anonymized EDNS Client Subnet
Cache Boost
CNAME Flattening

OSA
Main protection is ON
(LOLBins are also blocked)

Block Specific Location
This is crucial; maybe AppData should also be blocked.
  • Block execution of unsigned processes on root folder
  • Block execution of processes on Public Folder
  • Block Execution of processes on All User Folder
  • Block processes executed from Shared folder
  • Block processes executed from Network Drive
  • Block processes executed from USB
  • Block unknown processes from Windows folder
  • Block execution of unsigned processes on Downloads folder
  • Block execution of unsigned processes on Windows Temp
  • Block execution of unsigned processes on Temp Folder
Potentially unwanted processes
Very important one: I don't use any remote management software, so I block everything here.
  • Block execution of any processes related to Teamviewer
  • Block execution of any processes related to RealVNC
  • Block execution of any processes related to UltraVNC
  • Block execution of any processes related to NirSoft
  • Block execution of any processes related to LogMeIn
  • Block execution of any processes related to Security/Xploded
  • Block execution of any processes related to Radmin
  • Block execution of PsTools Suite from Sysinternals
  • Block processes named like "keygen" or "crack"
Restrict Windows Programs
  • Block Execution of Internet Explorer
  • Block execution of Cortana
  • Block Execution of Windows Registry Editor
  • Block execution of UAC control Settings
Smart Powershell & CMD Rules
Maybe I should block more powershell commands. I'm not sure because I'm not familiar with powershell.
  • Block "ExecutionPolicy Bypass" on command-line (powershell)
Block Script Execution
  • Block execution of .ps1 (Powershell) scripts
  • Block execution of .jar scripts
  • Block execution of .msc outside System Folder
  • Block execution of .cpl applets outside System Folder
Other Useful Block Rules
  • Block any processes executed from mstsc (Remote Desktop)
  • Block any processes executed from runtimebroker.exe
  • Block any processes executed from java.exe
  • Block any processes executed from javaw.exe
  • Block execution of javaw\java.exe
  • Block regedit.exe from silently loading .reg scripts
  • Block reg.exe from hijacking Registry startup entries
UAC bypass Mitigation Rules
  • Block reg.exe from disabling UAC
  • Block known and possible UAC-bypass attempts
  • Block "tricks" used to run UAC-bypass system processes

Recommended Rules by Firewall hardening
Malware testing
No malware samples
Periodic security scanners
Hitman Pro Free
Secure DNS
NextDNS
VPN
Not at this moment
Password manager
Enpass
Browsers, Search and Addons
Microsoft Edge
  • Adblock plus
  • Enpass
Maintenance and Cleaning
WiseDiskCleaner Free (automatically runs daily)
Personal Files & Photos backup
Redundant Backup
(Multiple locations, independent from each other)
Personal backup routine
Automatic (scheduled)
Device recovery & backup
EaseUS Todo Backup Free
Device backup routine
Manual (maintained by self)
PC activity
  1. Working from home. 
  2. Browsing the web. 
  3. Emails. 
  4. Banking. 
  5. Malware samples. 
Personal changelog
2021-06-12 WD, gpedit, syshardener, NextDNS
2021-06-13 NextDNS revamp
2021-06-15 syshardener replaced with SWH, FH, SRP
2021-06-17 Back to Keepass
Feedback Response

Most critical feedback

Thales

Level 12
Nov 26, 2017
571
This is my current setup for 2021

Reminder of how antiviruses perform on my system (performance only, not protection).
Sophos = 1/5
Very heavy on my system. I uninstalled and won't use it in the near future.
Heimdal = 5/5
Very fast and responsive program; however, the protection rate is very bad and for this price there are better alternatives.

Trend Micro = 5/5
It is fast and offers better protection than Heimdal.
McAfee = 5/5
Fast and the protection rate is also good.
AVG = 4/5
I have mixed feelings about it.
Norton = 5/5
It is fast and responsive. Protection rate is on the top. Scanning consumes 30-35% CPU, which is very good, and this way the system remains very usable.

Settings to remember on 2021-06-15

Bitlocker Changes (via Group policy)
  • Cipher strength -> AES CBC 256
  • Disabled new DMA devices when this computer is locked
  • Allowed secure Boot for integrity validation
  • Requires additional authentication at Startup
    • Require TPM
    • Do not allow startup PIN with TPM
    • Do not allow startup key with TPM
    • Do not allow startup key and PIN with TPM

Syshardener (Default + Extra changes)
Turn off remote desktop connection to the PC
Turn off sidebar and desktop gadgets
Disable Windows subsystem for Linux
Change powershell Execution Policy for Current User (Restricted)
Restrict powershell (v3+) to Constrained Language Mode
Disable Powershell Script Execution
Disable Powershell v2.0 Engine
Turn off Windows Error reporting Service
Turn off Radio management Service
Turn off Remote management Services
Block outbound connections for lsass.exe
Blocked every file type available in syshardener

NextDNS
Security
Everything is on
Blocked most abused Top level Domains
Using IPv4 with Linked IP

Privacy
Blocklist

  • NextDNS Ads & Trackers Blocklist
  • UncheckyAds
  • oisd
Native Tracker Protection
  • Xiaomi
  • Huawei
  • Samsung
  • Apple
  • Roku
  • Sonos
Block Disguised Third-Party Trackers

Parental Control
Websites, Apps, Games

  • TikTok
  • Tinder
  • Fortnite
  • Minecraft
  • Tumblr
  • 9GAG
  • VK
  • Roblox
  • WhatsApp
  • Dailymotion
  • Hulu
Categories
  • Dating
  • Piracy
  • Porn
Block Bypass Methods

Allow list
Microsoft.com

Settings
Anonymized EDNS Client Subnet
Cache Boost
CNAME Flattening
 

Thales

Level 12
Nov 26, 2017
571
Really nice setup imo, but why would you use an adblock for Youtube only while there are better alternatives out there? I mean I don't see the downside of replacing it with Ublock or Adguard tbh... :)

Yes, the reason is the performance. I used to use AdGuard, Ublock, NanoAdblocker, Adblock plus, Ghostery, but everything except NanoAdblocker slowed down my system. Couldn't watch Netflix, YouTube properly and everything was so slow.
Tried other browsers with in-built adblocker like Brave but couldn't resolve the issue. Unfortunately Nano is not available anymore, so I use NextDNS now and I need adblock for YouTube only.
 

SecureKongo

Level 21
Verified
Malware Tester
Feb 25, 2017
1,082
Yes, the reason is the performance. I used to use AdGuard, Ublock, NanoAdblocker, Adblock plus, Ghostery, but everything except NanoAdblocker slowed down my system. Couldn't watch Netflix, YouTube properly and everything was so slow.
Tried other browsers with in-built adblocker like Brave but couldn't resolve the issue. Unfortunately Nano is not available anymore, so I use NextDNS now and I need adblock for YouTube only.
Well, you got NextDNS anyway with some filter activated I guess. So if you don't care about cosmetic filters that should be enough. Maybe you could check out Bluhell Firewall. You won't even notice that its installed. :)
 

Thales

Level 12
Nov 26, 2017
571
Well, you got NextDNS anyway with some filter activated I guess. So if you don't care about cosmetic filters that should be enough. Maybe you could check out Bluhell Firewall. You won't even notice that its installed. :)
Thank you. NextDNS is awesome except blocking youtube video ads :)
I agree firewalls are very good. I used to use firewalls in the past as my first line of defence: WFC, Simplewall, AVG, Glasswire. For now I'm good with the hardened firewall, but next time I'm gonna try Bluhell firewall.
Thank you for the tip!
 

SecureKongo

Level 21
Verified
Malware Tester
Feb 25, 2017
1,082
Thank you. NextDNS is awesome except blocking youtube video ads :)
I agree firewalls are very good. I used to use firewalls in the past as my first line of defence: WFC, Simplewall, AVG, Glasswire. For now I'm good with the hardened firewall, but next time I'm gonna try Bluhell firewall.
Thank you for the tip!
It's not a real firewall, it's a light adblocking extension :LOL:
 

silversurfer

Level 74
Verified
Trusted
Content Creator
Malware Hunter
Aug 17, 2014
6,314
Bluhell Firewall is always confusing for the most people as it's an adblocker browser extension for both Chrome and Firefox.

 

Gandalf_The_Grey

Level 50
Verified
Trusted
Content Creator
Apr 24, 2016
3,901
Yes, the reason is the performance. I used to use AdGuard, Ublock, NanoAdblocker, Adblock plus, Ghostery, but everything except NanoAdblocker slowed down my system. Couldn't watch Netflix, YouTube properly and everything was so slow.
Tried other browsers with in-built adblocker like Brave but couldn't resolve the issue. Unfortunately Nano is not available anymore, so I use NextDNS now and I need adblock for YouTube only.
You know that Edge has built-in tracking prevention? Do you use that in basic, balanced (recommended) or strict mode?
 

ForgottenSeer 85179

With Edge Tracking-Protection (I recommend HIGH) and NextDNS you're well protected.
If you can live with some website element ads, don't add any browser extension and enjoy the faster browsing speed.

Because of FirewallHardening you also don't need another Firewall. It's more than safe.

  • Control use of bitlocker on removable drives (allowed)
This is only needed if you use Microsoft Baseline. If not, this policy isn't active by Bitlocker itself.

Nice setup with Windows and Andy's tools (y)
Keep it clean
 

Thales

Level 12
Nov 26, 2017
571
With Edge Tracking-Protection (I recommend HIGH) and NextDNS you're well protected.
If you can live with some website element ads, don't add any browser extension and enjoy the faster browsing speed.

Because of FirewallHardening you also don't need another Firewall. It's more than safe.


This is only needed if you use Microsoft Baseline. If not, this policy isn't active by Bitlocker itself.

Nice setup with Windows and Andy's tools (y)
Keep it clean
Thank you :)
I activated "Control use of BitLocker on removable drives" because the "Turn on BitLocker" option was missing. I read about this and it is a bug caused by an update.
The solution was this:
1. Delete the partition in Disk Management.
2. Create a new partition.
3. Remove the media.
4. Plug in the media.
5. Magic :D
 

Thales

Level 12
Nov 26, 2017
571
I like the security setup! Looks good!

How are you liking NextDNS?

~Brain
Thank you. ;)

NextDns is so far so good and I think it is gonna be my permanent DNS service.
However, it doesn't block hidden links under the buttons (but it blocks the popup pages); it happens so rarely and only on a couple of pages, so it is not a serious problem.
No performance issue (why would there be), and it blocks a lot of queries. The setup page is also well designed and I use it fairly often to see what is happening.
Some pages are also blocked via the Google search engine, but I think it is because of the Google services, because they work via DuckDuckGo. So, I'm gonna use the DuckDuckGo search engine again.
 

Thales

Level 12
Nov 26, 2017
571
I experience higher system impact with Windows Defender compared to F-Secure SAFE.
The lightest program I've ever used was HMPA. I know it is "just" a full-exploit stuff and MT members prefer something else but I liked it very much combined with OSA (old OSA, completely free).
The highest system impact I've ever experienced was with KIS.
I still have 2 years of subscription of AVG Total, but it is not lighter than F-Secure SAFE or HMPA.
Even if we use the same OS, systems are different and system impact depends on a lot of things, so there is no universal solution that works for everyone. Testing is the only way to find out if something works or not. Even if I believe KIS is fantastic, I can't use it because of my system.
What I have is AVG Total (2 years of sub) and F-Secure SAFE (6 months of sub).
 