Advanced Plus Security Thales Hardened system for 2021

Last updated
Sep 15, 2021
How it's used?
For home and private use
Operating system
Windows 10
On-device encryption
Log-in security
    • Biometrics (Windows Hello PIN, TouchID, Face, Iris, Fingerprint)
Security updates
Allow security updates and latest features
User Access Control
Always notify
Smart App Control
Network firewall
Real-time security

WiseVector StopX​

Heuristic Analysis set to High
Ransomware rollback disabled
Enabled document folder protection (MEGA)
Firewall security
Microsoft Defender Firewall
About custom security
Bitlocker Changes (via Group policy)
  • Cypher strenght -> AES XTS 256
  • Disabled new DMA devices when this computer is locked
  • Allowed secure Boot for integrity validation
  • Requires additional authentication at Startup
    • Require TPM
    • Do not allow startup PIN with TPM
    • Do not allow startup key with TPM
    • Do not allow startup key and PIN with TPM

NextDNS
Security
Everything is on
Blocked most abused Top level Domains
Using IPv4 with Linked IP

Privacy
Blocklist

  • NextDNS Ads & Trackers Blocklist
  • UncheckyAds
  • oisd
Native Tracker Protection
  • Xiaomi
  • Huawei
  • Samsung
  • Apple
  • Roku
  • Sonos
Block Disguised Third-Party Trackers

Parental Control
Websites, Apps, Games

  • TikTok
  • Tinder
  • Fortnite
  • Minecraft
  • Tumblr
  • 9GAG
  • VK
  • Roblox
  • WhatsApp
  • Dailymotion
  • Hulu
Categories
  • Dating
  • Piracy
  • Porn
Block Bypass Methods
SafeSearch

Allow list
auth.vodafone.hu
g.api.mega.co.nz
pokercaption.com
qbittorrent.org
eu.static.mega.co.nz
1337x.to
mega.nz
twoplustwo.com
microsoft.com

Settings
Anonymized EDNS Client Subnet
Cache Boost
CNAME Flattening

OSA
Main protection is ON
(LOLBins are also blocked)

Nlock Specific Location
This is crucial, maybe AppData is also should be blocked.
  • Block executionof unsigned processes on root folder
  • Block execution of processes on Public Folder
  • Block Execution of processes on All User Folder
  • Block processes executed from Shared folder
  • Block processes executed from Network Drive
  • Block processes executed from USB
  • Block unknown processes from Windows folder
  • Block execution of unsigned processes on Downloads folder
  • Block execution of unsigned processes on Windows Temp
  • Block execution of unsigned processes on Temp Folder
Potentially unwanted processes
very important one, I don't use any remote management software, so I block everything here
  • Block execution of any processes related to Teamviewer
  • Block execution of any processes related to RealVNC
  • Block execution of any processes related to UltraVNC
  • Block execution of any processes related to NirSoft
  • Block execution of any processes related toLogMeIn
  • Block execution of any processes related to Security/Xploded
  • Block execution of any processes related to Radmin
  • Blck execution of PsTools Suite from Systernals
  • Block processes named like "keygen" or "crack"
Restrict Windows Programs
  • Block Execution of Internet Explorer
  • Block execution of Cortana
  • Block Execution of Windows Registry Editor
  • Bloc execution of UAC control Settings
Smart Powershell & CMD Rules
Maybe I should block more powershell commands. I'm not sure because I'm not familiar with powershell.
  • Block "ExecutionPolicy Bypass" on command-line (powershell)
Block Script Execution
  • Block execution of .ps1 (Powershell) scripts
  • Block ecxecution of .jar scripts
  • Block execution of .msc outside System Folder
  • Block execution of .cpl pplets outside System Folder
Other Useful Block Rules
  • Block any processes executed from mstsc (Remote Dektop)
  • Block any processes executed from runtimebroker.exe
  • Block any processes executed from java.exe
  • Block any processes executed from javaw.exe
  • Block execution of javaw\java.exe
  • Block regedit.exe from silently loading .reg scripts
  • Block reg.exe fro hijacking Registry startup entries
UAC bypass Mitigation Rules
  • Block reg.exe from disabling UAC
  • Block known and possible UAC.bypass attempts
  • Block "tricks" used to run UAC-bypass system processes

Recommended Rules by Firewall hardening
Periodic malware scanners
Hitman Pro Free
Malware sample testing
I do not participate in malware testing
Browser(s) and extensions
Microsoft Edge
  • Adblock plus
  • Enpass
Secure DNS
NextDNS
Desktop VPN
Not at this moment
Password manager
Enpass
Maintenance tools
WiseDiskCleaner Free Automatically runs daily
File and Photo backup
Redundant Backup
(Multiple locations, independent from each other)
System recovery
EasUS todo backup free
Risk factors
    • Working from home
    • Browsing to popular websites
    • Opening email attachments
    • Logging into my bank account
    • Downloading malware samples
Notable changes
2021-06-12 WD, gpedit, syshardener, NextDNS
2021-06-13 NextDNS revamp
2021-06-15 syshardener replaced with SWH, FH, SRP
2021-06-17 Back to Keepass
What I'm looking for?

Looking for maximum feedback.

Thales

Level 15
Thread author
Verified
Top Poster
Well-known
Nov 26, 2017
708
This is my current setup for 2021

Reminder how antiviruses perform on my system. (only performance, not protection)
Sophos = 1/5
Very heavy on my system. I uninstalled and won't use it in the near future.
Heimdal = 5/5
Very fast and responsive program however the protection rate is very bad and for this price there are better alternatives.

Trend Micro = 5/5
It is fast and offers better protection than Heaimdal.
McAfee = 5/5
Fast and the protection rate is also good.
AVG = 4/5
I have mixed feeling about it.
Norton = 5/5
It is fast and responsive. Protection rate is on the top. Scanning consume 30-35% CPU which is very good and this way the system remains very usable..

Settings to remeber on 2021-06-15

Bitlocker Changes (via Group policy)
  • Cypher strenght -> AES CBC 256
  • Disabled new DMA devices when this computer is locked
  • Allowed secure Boot for integrity validation
  • Requires additional authentication at Startup
    • Require TPM
    • Do not allow startup PIN with TPM
    • Do not allow startup key with TPM
    • Do not allow startup key and PIN with TPM

Syshardener (Default + Extra changes)
Turn off remote desktop connection to the PC
Turn off sidebar and desktop gadgets
Disable Windows subsystem for Linux
Change powershell Execution Policy for Current User (Restricted)
Restrict powershell (v3+) to Constrained Language Mode
Disable Powershell Script Execution
Disable Powershell v2.0 Engine
Turn off Windows Error reporting Service
Turn off Radio management Service
Turn off Remote management Services
Block outbond connectiona for Lsass.exe
Blocked every file type available in syshardener

NextDNS
Security
Everything is on
Blocked most abused Top level Domains
Using IPv4 with Linked IP

Privacy
Blocklist

  • NextDNS Ads & Trackers Blocklist
  • UncheckyAds
  • oisd
Native Tracker Protection
  • Xiaomi
  • Huawei
  • Samsung
  • Apple
  • Roku
  • Sonos
Block Disguised Third-Party Trackers

Parental Control
Websites, Apps, Games

  • TikTok
  • Tinder
  • Fortnite
  • Minecraft
  • Tumblr
  • 9GAG
  • VK
  • Roblox
  • WhatsApp
  • Dailymotion
  • Hulu
Categories
  • Dating
  • Piracy
  • Porn
Block Bypass Methods

Allow list
Microsoft.com

Settings
Anonymized EDNS Client Subnet
Cache Boost
CNAME Flattening
 
Last edited:

Kongo

Level 35
Verified
Top Poster
Well-known
Feb 25, 2017
2,448
Really nice setup imo, but why would you use an adblock for Youtube only while there are better alternatives out there? I mean I don't see the downside of replacing it with Ublock or Adguard tbh... :)
 

Thales

Level 15
Thread author
Verified
Top Poster
Well-known
Nov 26, 2017
708
Really nice setup imo, but why would you use an adblock for Youtube only while there are better alternatives out there? I mean I don't see the downside of replacing it with Ublock or Adguard tbh... :)

Yes, the reason is the performance. I used to use AdGuard, Ublock, NanoAdblocker, Adblock plus, Ghostery but everything except NanoAdblocker slowed down my system. Couldn't watch Netflix, youtube properly and everything was so slow.
Tried other browsers with in-built adblocker like Brave but couldn't resolve the issue. Unfortunatelly Nano is not available anymore, so I use NextDNs now and I need adblock for youtube only.
 

Kongo

Level 35
Verified
Top Poster
Well-known
Feb 25, 2017
2,448
Yes, the reason is the performance. I used to use AdGuard, Ublock, NanoAdblocker, Adblock plus, Ghostery but everything except NanoAdblocker slowed down my system. Couldn't watch Netflix, youtube properly and everything was so slow.
Tried other browsers with in-built adblocker like Brave but couldn't resolve the issue. Unfortunatelly Nano is not available anymore, so I use NextDNs now and I need adblock for youtube only.
Well, you got NextDNS anyway with some filter activated I guess. So if you don't care about cosmetic filters that should be enough. Maybe you could check out Bluhell Firewall. You won't even notice that its installed. :)
 

Thales

Level 15
Thread author
Verified
Top Poster
Well-known
Nov 26, 2017
708
Well, you got NextDNS anyway with some filter activated I guess. So if you don't care about cosmetic filters that should be enough. Maybe you could check out Bluhell Firewall. You won't even notice that its installed. :)
Thank you. NextDNS is awesome except blocking youtube video ads :)
I agree firewalls are very good. I used to use Firewalls in the past as my first line of defence. WFC, Simplewall, AVG, Glasswire. For now I'm good with hardenned firewall but next time I'm gonna try Bluhell firewall.
Thank you for the tip!
 

Kongo

Level 35
Verified
Top Poster
Well-known
Feb 25, 2017
2,448
Thank you. NextDNS is awesome except blocking youtube video ads :)
I agree firewalls are very good. I used to use Firewalls in the past as my first line of defence. WFC, Simplewall, AVG, Glasswire. For now I'm good with hardenned firewall but next time I'm gonna try Bluhell firewall.
Thank you for the tip!
It's not a real firewall, it's a light adblocking extension :LOL:
 

silversurfer

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
9,959
Bluhell Firewall is always confusing for the most people as it's an adblocker browser extension for both Chrome and Firefox.

 

Gandalf_The_Grey

Level 75
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,440
Yes, the reason is the performance. I used to use AdGuard, Ublock, NanoAdblocker, Adblock plus, Ghostery but everything except NanoAdblocker slowed down my system. Couldn't watch Netflix, youtube properly and everything was so slow.
Tried other browsers with in-built adblocker like Brave but couldn't resolve the issue. Unfortunatelly Nano is not available anymore, so I use NextDNs now and I need adblock for youtube only.
You know that Edge has built-in tracking prevention? Do you use that in basic, balanced (recommended) or strict mode?
 
F

ForgottenSeer 85179

With Edge Tracking-Protection (i recommend HIGH) and NextDNS you're good protected.
If you can live with some website element ads, don't add any browser extension and enjoy the faster browsing speed.

Because of FirewallHardening you also don't need another Firewall. It's more than safe.

  • Control use of bitlocker on removable drives (allowed)
This is only needed if you use Microsoft Baseline. If not, this policy isn't active by Bitlocker itself.

Nice setup with Windows and Andy's tools (y)
Keep it clean
 

Thales

Level 15
Thread author
Verified
Top Poster
Well-known
Nov 26, 2017
708
With Edge Tracking-Protection (i recommend HIGH) and NextDNS you're good protected.
If you can live with some website element ads, don't add any browser extension and enjoy the faster browsing speed.

Because of FirewallHardening you also don't need another Firewall. It's more than safe.


This is only needed if you use Microsoft Baseline. If not, this policy isn't active by Bitlocker itself.

Nice setup with Windows and Andy's tools (y)
Keep it clean
Thank you :)
I activated the Control use of bitlocker on removable drives because "turn on Bitlocker" option was missing. I read about this and it is a bug caused an update.
The solution was this:
1, delete partition in disk management.
2, create new partition
3, remove the media
4, plug in the media
5, Magic :D
 

Thales

Level 15
Thread author
Verified
Top Poster
Well-known
Nov 26, 2017
708
I like the security setup! Looks good!

How are you liking NextDNS?

~Brain
Thank you. ;)

NextDns is so far so good and I think it is gonna be my permanent DNS service.
However it doesn't block hidden links (but blocks the popup pages) under the buttons but it happens so rarely and only on a couple of pages, so not a serious problem..
No performance issue (why would be), and it blocks a lot of queries. The setup page is also well designed and I use it fairly often to see what is happening.
Some pages are also blocked via google saerch engine but I think it is because of the google services because they work via duckduckgo. So, I'm gonna use duckduckgo search engine again.
 
Last edited:

Thales

Level 15
Thread author
Verified
Top Poster
Well-known
Nov 26, 2017
708
I experience higher system impact with Windows Defender compared to F-Secure SAFE.
The lightest program I've ever used was HMPA. I know it is "just" a full-exploit stuff and MT members prefer something else but I liked it very much combined with OSA (old OSA, completely free).
The highest system impact I've ever experienced was with KIS.
I still have 2 years of subscription of AVG Total but it is not lighter than F-secure SAFE or HMPA
Even if we use the same OS systems are different and system impact depends on lot of things, so there is no universal solution that works for everyone. Testing is the only way to find out if something works or not. Even if I believe KIS is fantastic I can't use it because of my system.
What I have is AVG Total 2years of sub and F-secure SAFE 6 months of sub.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top