SECURITY: Complete Thales Hardened system for 2021

Last updated
Sep 15, 2021
About
Personal, primary device
Additional PC users
Not shared with other users
Desktop OS
Windows 10
OS edition
Pro
Login security
    • Password-less (PIN, Biometric, Face)
    • Password (Aa-Zz, 0-9, Symbols)
Primary sign-in
Microsoft account
Primary user
Admin user - Full permissions
Other users
Other accounts are Standard users
Security updates
Automatic - allow all types of updates
Windows UAC
Maximum - always notify
Network firewall
ISP-issued router
Real-time protection

WiseVector StopX​

Heuristic Analysis set to High
Ransomware rollback disabled
Enabled document folder protection (MEGA)
Software firewall
Microsoft Defender Firewall
Custom RTP, Firewall and OS settings
Bitlocker Changes (via Group policy)
  • Cypher strenght -> AES XTS 256
  • Disabled new DMA devices when this computer is locked
  • Allowed secure Boot for integrity validation
  • Requires additional authentication at Startup
    • Require TPM
    • Do not allow startup PIN with TPM
    • Do not allow startup key with TPM
    • Do not allow startup key and PIN with TPM

NextDNS
Security
Everything is on
Blocked most abused Top level Domains
Using IPv4 with Linked IP

Privacy
Blocklist

  • NextDNS Ads & Trackers Blocklist
  • UncheckyAds
  • oisd
Native Tracker Protection
  • Xiaomi
  • Huawei
  • Samsung
  • Apple
  • Roku
  • Sonos
Block Disguised Third-Party Trackers

Parental Control
Websites, Apps, Games

  • TikTok
  • Tinder
  • Fortnite
  • Minecraft
  • Tumblr
  • 9GAG
  • VK
  • Roblox
  • WhatsApp
  • Dailymotion
  • Hulu
Categories
  • Dating
  • Piracy
  • Porn
Block Bypass Methods
SafeSearch

Allow list
auth.vodafone.hu
g.api.mega.co.nz
pokercaption.com
qbittorrent.org
eu.static.mega.co.nz
1337x.to
mega.nz
twoplustwo.com
microsoft.com

Settings
Anonymized EDNS Client Subnet
Cache Boost
CNAME Flattening

OSA
Main protection is ON
(LOLBins are also blocked)

Nlock Specific Location
This is crucial, maybe AppData is also should be blocked.
  • Block executionof unsigned processes on root folder
  • Block execution of processes on Public Folder
  • Block Execution of processes on All User Folder
  • Block processes executed from Shared folder
  • Block processes executed from Network Drive
  • Block processes executed from USB
  • Block unknown processes from Windows folder
  • Block execution of unsigned processes on Downloads folder
  • Block execution of unsigned processes on Windows Temp
  • Block execution of unsigned processes on Temp Folder
Potentially unwanted processes
very important one, I don't use any remote management software, so I block everything here
  • Block execution of any processes related to Teamviewer
  • Block execution of any processes related to RealVNC
  • Block execution of any processes related to UltraVNC
  • Block execution of any processes related to NirSoft
  • Block execution of any processes related toLogMeIn
  • Block execution of any processes related to Security/Xploded
  • Block execution of any processes related to Radmin
  • Blck execution of PsTools Suite from Systernals
  • Block processes named like "keygen" or "crack"
Restrict Windows Programs
  • Block Execution of Internet Explorer
  • Block execution of Cortana
  • Block Execution of Windows Registry Editor
  • Bloc execution of UAC control Settings
Smart Powershell & CMD Rules
Maybe I should block more powershell commands. I'm not sure because I'm not familiar with powershell.
  • Block "ExecutionPolicy Bypass" on command-line (powershell)
Block Script Execution
  • Block execution of .ps1 (Powershell) scripts
  • Block ecxecution of .jar scripts
  • Block execution of .msc outside System Folder
  • Block execution of .cpl pplets outside System Folder
Other Useful Block Rules
  • Block any processes executed from mstsc (Remote Dektop)
  • Block any processes executed from runtimebroker.exe
  • Block any processes executed from java.exe
  • Block any processes executed from javaw.exe
  • Block execution of javaw\java.exe
  • Block regedit.exe from silently loading .reg scripts
  • Block reg.exe fro hijacking Registry startup entries
UAC bypass Mitigation Rules
  • Block reg.exe from disabling UAC
  • Block known and possible UAC.bypass attempts
  • Block "tricks" used to run UAC-bypass system processes

Recommended Rules by Firewall hardening
Malware testing
No malware samples
Periodic security scanners
Hitman Pro Free
Secure DNS
NextDNS
VPN
Not at this moment
Password manager
Enpass
Browsers, Search and Addons
Microsoft Edge
  • Adblock plus
  • Enpass
Maintenance and Cleaning
WiseDiskCleaner Free Automatically runs daily
Personal Files & Photos backup
Redundant Backup
(Multiple locations, independent from each other)
Personal backup routine
Automatic (scheduled)
Device recovery & backup
EasUS todo backup free
Device backup routine
Manual (maintained by self)
PC activity
  1. Working from home. 
  2. Browsing the web. 
  3. Emails. 
  4. Banking. 
  5. Malware samples. 
Personal changelog
2021-06-12 WD, gpedit, syshardener, NextDNS
2021-06-13 NextDNS revamp
2021-06-15 syshardener replaced with SWH, FH, SRP
2021-06-17 Back to Keepass
Feedback Response

Most critical feedback

SecureKongo

Level 21
Verified
Feb 25, 2017
1,083
I experience higher system impact with Windows Defender compared to F-Secure SAFE.
The lightest program I've ever used was HMPA. I know it is "just" a full-exploit stuff and MT members prefer something else but I liked it very much combined with OSA (old OSA, completely free).
The highest system impact I've ever experienced was with KIS.
I still have 2 years of subscription of AVG Total but it is not lighter than F-secure SAFE or HMPA
Even if we use the same OS systems are different and system impact depends on lot of things, so there is no universal solution that works for everyone. Testing is the only way to find out if something works or not. Even if I believe KIS is fantastic I can't use it because of my system.
What I have is AVG Total 2years of sub and F-secure SAFE 6 months of sub.
The reason why HMPA is so light, is because it isn't even a full AV. Out of AVG and F-Secure i personally would pick F-Secure, but its up to you to decide which one runs smoother on your system.
 

Thales

Level 12
Nov 26, 2017
572
The reason why HMPA is so light, is because it isn't even a full AV. Out of AVG and F-Secure i personally would pick F-Secure, but its up to you to decide which one runs smoother on your system.
Yeah, your are right about HMPA.
I've made serious changes and my system is super responsive and even more secure than before, however not everyone will like it :D
 
Last edited:

Thales

Level 12
Nov 26, 2017
572
I decided to run my system without any AV solution because I really think my solution is good as a traditional AV could be or even better.

Why it is good for me?
  • I'm tired of finding solutions in every 1 or 2 months because of high system impact, bugs, or any issues related to AV's.
  • I've never got infected and it is not because of any Antivirus.
  • I don't use cracks, hacks, illegal software and this fact reduces the possible infections by 95% if not more.
  • I don't install new programs because I have everything I need to my work, so SRP whitelist rules are permanent and this is also convinient
  • I still use "HitmanPro" and "Novirusthanks" Antimalware Remover regularly to make sure my solution works and OS is clean.
  • This way my system is super responsive and also very secure.
  • My CPU and RAM usage is very low even if Edge is open and Edge is always running :)
Performance is set to Best performance. Only smooth fonts and thumbnails are active.

WD has been disabled via Group policy to prevent running "AntiMalware Service Executable". This caused a high system impact. It is still running but consumes 0 CPU.

Main protection is ON
(LOLBins are also blocked)

Nlock Specific Location
This is crucial, maybe AppData is also should be blocked.
  • Block executionof unsigned processes on root folder
  • Block execution of processes on Public Folder
  • Block Execution of processes on All User Folder
  • Block processes executed from Shared folder
  • Block processes executed from Network Drive
  • Block processes executed from USB
  • Block unknown processes from Windows folder
  • Block execution of unsigned processes on Downloads folder
  • Block execution of unsigned processes on Windows Temp
  • Block execution of unsigned processes on Temp Folder
Potentially unwanted processes
very important one, I don't use any remote management software, so I block everything here
  • Block execution of any processes related to Teamviewer
  • Block execution of any processes related to RealVNC
  • Block execution of any processes related to UltraVNC
  • Block execution of any processes related to NirSoft
  • Block execution of any processes related toLogMeIn
  • Block execution of any processes related to Security/Xploded
  • Block execution of any processes related to Radmin
  • Blck execution of PsTools Suite from Systernals
  • Block processes named like "keygen" or "crack"
Restrict Windows Programs
  • Block Execution of Internet Explorer
  • Block execution of Cortana
  • Block Execution of Windows Registry Editor
  • Bloc execution of UAC control Settings
Smart Powershell & CMD Rules
Maybe I should block more powershell commands. I'm not sure because I'm not familiar with powershell.
  • Block "ExecutionPolicy Bypass" on command-line (powershell)
Block Script Execution
  • Block execution of .ps1 (Powershell) scripts
  • Block ecxecution of .jar scripts
  • Block execution of .msc outside System Folder
  • Block execution of .cpl pplets outside System Folder
Other Useful Block Rules
  • Block any processes executed from mstsc (Remote Dektop)
  • Block any processes executed from runtimebroker.exe
  • Block any processes executed from java.exe
  • Block any processes executed from javaw.exe
  • Block execution of javaw\java.exe
  • Block regedit.exe from silently loading .reg scripts
  • Block reg.exe fro hijacking Registry startup entries
UAC bypass Mitigation Rules
  • Block reg.exe from disabling UAC
  • Block known and possible UAC.bypass attempts
  • Block "tricks" used to run UAC-bypass system processes

System Restriction Policy
Set to Disallowed and controlled via Group policy
 

SecureKongo

Level 21
Verified
Feb 25, 2017
1,083
I decided to run my system without any AV solution because I really think my solution is good as a traditional AV could be or even better.

Why it is good for me?
  • I'm tired of finding solutions in every 1 or 2 months because of high system impact, bugs, or any issues related to AV's.
  • I've never got infected and it is not because of any Antivirus.
  • I don't use cracks, hacks, illegal software and this fact reduces the possible infections by 95% if not more.
  • I don't install new programs because I have everything I need to my work, so SRP whitelist rules are permanent and this is also convinient
  • I still use "HitmanPro" and "Novirusthanks" Antimalware Remover regularly to make sure my solution works and OS is clean.
  • This way my system is super responsive and also very secure.
  • My CPU and RAM usage is very low even if Edge is open and Edge is always running :)
Performance is set to Best performance. Only smooth fonts and thumbnails are active.

WD has been disabled via Group policy to prevent running "AntiMalware Service Executable". This caused a high system impact. It is still running but consumes 0 CPU.

Main protection is ON
(LOLBins are also blocked)

Nlock Specific Location
This is crucial, maybe AppData is also should be blocked.
  • Block executionof unsigned processes on root folder
  • Block execution of processes on Public Folder
  • Block Execution of processes on All User Folder
  • Block processes executed from Shared folder
  • Block processes executed from Network Drive
  • Block processes executed from USB
  • Block unknown processes from Windows folder
  • Block execution of unsigned processes on Downloads folder
  • Block execution of unsigned processes on Windows Temp
  • Block execution of unsigned processes on Temp Folder
Potentially unwanted processes
very important one, I don't use any remote management software, so I block everything here
  • Block execution of any processes related to Teamviewer
  • Block execution of any processes related to RealVNC
  • Block execution of any processes related to UltraVNC
  • Block execution of any processes related to NirSoft
  • Block execution of any processes related toLogMeIn
  • Block execution of any processes related to Security/Xploded
  • Block execution of any processes related to Radmin
  • Blck execution of PsTools Suite from Systernals
  • Block processes named like "keygen" or "crack"
Restrict Windows Programs
  • Block Execution of Internet Explorer
  • Block execution of Cortana
  • Block Execution of Windows Registry Editor
  • Bloc execution of UAC control Settings
Smart Powershell & CMD Rules
Maybe I should block more powershell commands. I'm not sure because I'm not familiar with powershell.
  • Block "ExecutionPolicy Bypass" on command-line (powershell)
Block Script Execution
  • Block execution of .ps1 (Powershell) scripts
  • Block ecxecution of .jar scripts
  • Block execution of .msc outside System Folder
  • Block execution of .cpl pplets outside System Folder
Other Useful Block Rules
  • Block any processes executed from mstsc (Remote Dektop)
  • Block any processes executed from runtimebroker.exe
  • Block any processes executed from java.exe
  • Block any processes executed from javaw.exe
  • Block execution of javaw\java.exe
  • Block regedit.exe from silently loading .reg scripts
  • Block reg.exe fro hijacking Registry startup entries
UAC bypass Mitigation Rules
  • Block reg.exe from disabling UAC
  • Block known and possible UAC.bypass attempts
  • Block "tricks" used to run UAC-bypass system processes

System Restriction Policy
Set to Disallowed and controlled via Group policy
I actually think you might be fine with NextDNS + OS Armor and don't even need an AV if you are careful online. NoVirusThanks Malware Remover however is outdated and didn't receive updates for a long time according to the information on their website. Somehow it's still optimized for Windows 10 even tho it didn't get updated since 2011... :unsure:. Maybe consider using at least WiseVector, people say it's really light and even cruelsister was losing some good words about it, and that means something.
Here the info I found about NVT Malware Remover:
Unbenannt.PNG
 

Thales

Level 12
Nov 26, 2017
572
Boredom is here, so I decided to give some antivirus a chance and I won't use SRP.

My first pick is

HEIMDAL™ PREMIUM SECURITY HOME​

I totally forget this software but an email reminded me that my licence has expired.

Performance:
Every module is active and I'm impressed how light it is. The GUI is nice and the software is responsive.
Protection:
I don't know how strong the protection is but I don't really care because OSA is still active :D

Another changes:
Back to syncbackpro because it is the best. Period :D
I'm thinking about using a password manager again but can't make up my mind. My current solution is good but not convenient.
Maybe firefox lockwise but changing to firefox from edge is not the first thing I would chose. Also Windows hello PIN is important because I don't wanna type my password again and again.
 
Last edited:

SecureKongo

Level 21
Verified
Feb 25, 2017
1,083
Boredom is here, so I decided to give some antivirus a chance and I won't use SRP.

My first pick is

HEIMDAL™ PREMIUM SECURITY HOME​

I totally forget this software but an email reminded me that my licence has expired.

Performance:
Every module is active and I'm impressed how light it is. The GUI is nice and the software is responsive.
Protection:
I don't know how strong the protection is but I don't really care because OSA is still active :D

Another changes:
Back to syncbackpro because it is the best. Period :D
I'm thinking about using a password manager again but can't make up my mind. My current solution is good but not convenient.
Maybe firefox lockwise but changing to firefox from edge is not the first thing I would chose. Also Windows hello PIN is important because I don't wanna type my password again and again.
Tried it too for a while but it was quite unstable and crashed from time to time back then. Is it stable for you and is it finally recognized by Windows as an AV?
Also, why you state using a third party firewall while using FirewallHardening?
 
Last edited:

Thales

Level 12
Nov 26, 2017
572
Tried it too for a while but it was quite unstable and crashed from time to time back then. Is it stable for you and is it finally recognized by Windows as an AV?
Also, why you state using a third party firewall while using FirewallHardening?
It is stable now. I don't remember why I didn't use it but I had a license.
Forget to delete the firewall hardening line. Thanks :D

1612534242513.png
 

Thales

Level 12
Nov 26, 2017
572
I deleted Heimdal Premium Security Home because I download some suspicious files intentionally and it failed to detect while HitmanPro recognized them. Also checked them on virustotal. The product is very light but the protection also light :D

My 2nd pick is

TREND MICRO MAXIMUM SECURITY​

My first impression is good. It is also very light but compared to Heimdal the protection is better. It recognized the files I downloaded and the test results of this product I found are good. I'm not a malware tester, so my opinion relies on other tests.
The GUI isn't bad, and it is responsive. Instantly stops the scan when I press the cancel button and it is rare in antivirus products.
I was impressed and I'm thinking about buying this product but still have 6 months of trial but Trend Micro Internet security is cheap. It has everything I need however I still have 2 years from AVG Ultimate but I don't use it except the VPN on my mobile phone.

Also back to Enpass. Convenient and it is a very good Password manager with Windows Hello.
 
Last edited:

Thales

Level 12
Nov 26, 2017
572
So, I tried McAfee again in the last week and it is still good. I had no any problem with it.
Since Norton my browser makes unknown disconnection sometimes. I'm pretty sure it is because of Norton firewall.
  • I bought Norton 360 Standard and I've been made few changes to maximum protection without sacrificing performance..
  • Removed OSA (I had no problem with it)
  • Removed Next DNS app because Norton and other AV'S say it is unsafe and malicious (probably false positive), but I set it up in the browser, so it works.
more info NextDNS agent 2.0.1 now detected as malware
 
Last edited:

Thales

Level 12
Nov 26, 2017
572
Couldn't solved the delay when loading webpages, so I'm temporally back to Firefox.
I tried to disable every protection Norton has but nothing helped. Maybe it is Edge itself but don1T care because the next system restore is coming and will see.
Firefox seems fine and works as Edge before.
 
Last edited:
Top