SECURITY: Complete Thales Hardened system for 2021

Last updated
Sep 15, 2021
About
Personal, primary device
Additional PC users
Not shared with other users
Desktop OS
Windows 10
OS edition
Pro
Login security
    • Password-less (PIN, Biometric, Face)
    • Password (Aa-Zz, 0-9, Symbols)
Primary sign-in
Microsoft account
Primary user
Admin user - Full permissions
Other users
Other accounts are Standard users
Security updates
Automatic - allow all types of updates
Windows UAC
Maximum - always notify
Network firewall
ISP-issued router
Real-time protection

WiseVector StopX

Heuristic Analysis set to High
Ransomware rollback disabled
Enabled document folder protection (MEGA)
Software firewall
Microsoft Defender Firewall
Custom RTP, Firewall and OS settings
Bitlocker Changes (via Group policy)
  • Cipher strength -> AES XTS 256
  • Disabled new DMA devices when this computer is locked
  • Allowed secure Boot for integrity validation
  • Requires additional authentication at Startup
    • Require TPM
    • Do not allow startup PIN with TPM
    • Do not allow startup key with TPM
    • Do not allow startup key and PIN with TPM

NextDNS
Security
Everything is on
Blocked most abused Top level Domains
Using IPv4 with Linked IP

Privacy
Blocklist

  • NextDNS Ads & Trackers Blocklist
  • UncheckyAds
  • oisd
Native Tracker Protection
  • Xiaomi
  • Huawei
  • Samsung
  • Apple
  • Roku
  • Sonos
Block Disguised Third-Party Trackers

Parental Control
Websites, Apps, Games

  • TikTok
  • Tinder
  • Fortnite
  • Minecraft
  • Tumblr
  • 9GAG
  • VK
  • Roblox
  • WhatsApp
  • Dailymotion
  • Hulu
Categories
  • Dating
  • Piracy
  • Porn
Block Bypass Methods
SafeSearch

Allow list
auth.vodafone.hu
g.api.mega.co.nz
pokercaption.com
qbittorrent.org
eu.static.mega.co.nz
1337x.to
mega.nz
twoplustwo.com
microsoft.com

Settings
Anonymized EDNS Client Subnet
Cache Boost
CNAME Flattening

OSA
Main protection is ON
(LOLBins are also blocked)

Block Specific Location
This is crucial; maybe AppData should also be blocked.
  • Block execution of unsigned processes on root folder
  • Block execution of processes on Public Folder
  • Block Execution of processes on All User Folder
  • Block processes executed from Shared folder
  • Block processes executed from Network Drive
  • Block processes executed from USB
  • Block unknown processes from Windows folder
  • Block execution of unsigned processes on Downloads folder
  • Block execution of unsigned processes on Windows Temp
  • Block execution of unsigned processes on Temp Folder
Potentially unwanted processes
Very important one. I don't use any remote management software, so I block everything here.
  • Block execution of any processes related to Teamviewer
  • Block execution of any processes related to RealVNC
  • Block execution of any processes related to UltraVNC
  • Block execution of any processes related to NirSoft
  • Block execution of any processes related to LogMeIn
  • Block execution of any processes related to Security/Xploded
  • Block execution of any processes related to Radmin
  • Block execution of PsTools Suite from Sysinternals
  • Block processes named like "keygen" or "crack"
Restrict Windows Programs
  • Block Execution of Internet Explorer
  • Block execution of Cortana
  • Block Execution of Windows Registry Editor
  • Block execution of UAC control Settings
Smart Powershell & CMD Rules
Maybe I should block more powershell commands. I'm not sure because I'm not familiar with powershell.
  • Block "ExecutionPolicy Bypass" on command-line (powershell)
Block Script Execution
  • Block execution of .ps1 (Powershell) scripts
  • Block execution of .jar scripts
  • Block execution of .msc outside System Folder
  • Block execution of .cpl applets outside System Folder
Other Useful Block Rules
  • Block any processes executed from mstsc (Remote Desktop)
  • Block any processes executed from runtimebroker.exe
  • Block any processes executed from java.exe
  • Block any processes executed from javaw.exe
  • Block execution of javaw\java.exe
  • Block regedit.exe from silently loading .reg scripts
  • Block reg.exe from hijacking Registry startup entries
UAC bypass Mitigation Rules
  • Block reg.exe from disabling UAC
  • Block known and possible UAC-bypass attempts
  • Block "tricks" used to run UAC-bypass system processes

Recommended Rules by Firewall hardening
Malware testing
No malware samples
Periodic security scanners
Hitman Pro Free
Secure DNS
NextDNS
VPN
Not at this moment
Password manager
Enpass
Browsers, Search and Addons
Microsoft Edge
  • Adblock plus
  • Enpass
Maintenance and Cleaning
WiseDiskCleaner Free Automatically runs daily
Personal Files & Photos backup
Redundant Backup
(Multiple locations, independent from each other)
Personal backup routine
Automatic (scheduled)
Device recovery & backup
EaseUS Todo Backup Free
Device backup routine
Manual (maintained by self)
PC activity
  1. Working from home. 
  2. Browsing the web. 
  3. Emails. 
  4. Banking. 
  5. Malware samples. 
Personal changelog
2021-06-12 WD, gpedit, syshardener, NextDNS
2021-06-13 NextDNS revamp
2021-06-15 syshardener replaced with SWH, FH, SRP
2021-06-17 Back to Keepass
Feedback Response

Most critical feedback
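
One way to check that the BitLocker Group Policy settings listed in the profile above are actually applied, as an added example that is not part of the original post. The registry value names and numeric codes under the FVE policy key are assumptions not given on the page; verify them against the ADMX templates on your build.

```powershell
# Added example: audit BitLocker Group Policy values against the profile above.
# Value names and codes below are assumptions about the FVE policy key layout.
$fveKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Expected value for each setting the profile lists.
$expected = [ordered]@{
    EncryptionMethodWithXtsOs     = 7  # OS drive cipher: XTS-AES 256
    DisableExternalDMAUnderLock   = 1  # block new DMA devices while locked
    OSAllowSecureBootForIntegrity = 1  # Secure Boot for integrity validation
    UseAdvancedStartup            = 1  # additional authentication at startup
    UseTPM                        = 1  # 1 = require TPM
    UseTPMPIN                     = 0  # 0 = do not allow startup PIN with TPM
    UseTPMKey                     = 0  # 0 = do not allow startup key with TPM
    UseTPMKeyPIN                  = 0  # 0 = do not allow startup key and PIN
}

function Test-BitLockerPolicy {
    param(
        [string]$Path = $fveKey,
        [System.Collections.IDictionary]$Expected = $expected
    )
    # A missing key means no BitLocker policy was ever written by gpedit/GPO.
    $actual = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    foreach ($name in $Expected.Keys) {
        $value = $null
        if ($actual) { $value = $actual.$name }
        $shown = '<not set>'
        if ($null -ne $value) { $shown = $value }
        [pscustomobject]@{
            Setting  = $name
            Expected = $Expected[$name]
            Actual   = $shown
            Pass     = ($null -ne $value) -and ($value -eq $Expected[$name])
        }
    }
}

$report = Test-BitLockerPolicy
$report | Format-Table -AutoSize

# Policy only governs future encryption; also confirm what the OS volume
# is using right now (requires an elevated session).
Get-BitLockerVolume -MountPoint $env:SystemDrive |
    Select-Object MountPoint, EncryptionMethod, ProtectionStatus, KeyProtector

if ($report.Pass -contains $false) { exit 1 }
```

A volume encrypted before the cipher policy was changed keeps its original method, so the `EncryptionMethod` column is the value to compare against the policy row.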

SecureKongo

Level 21
Verified
Feb 25, 2017
1,093
This is my current setup for 2021

Reminder how antiviruses perform on my system. (only performance, not protection)
Sophos = 1/5
Very heavy on my system. I uninstalled and won't use it in the near future.
Heimdal = 5/5
Very fast and responsive program however the protection rate is very bad and for this price there are better alternatives.

Trend Micro = 5/5
It is fast and offers better protection than Heimdal.
McAfee = 5/5
Fast and the protection rate is also good.
AVG = 4/5
I have mixed feelings about it.
Norton = 5/5
It is crazy fast and responsive. Protection rate is on the top. Must have product. Probably the fastest and most improved complete suite I've tried. Scanning consumes 30-35% CPU, which is very good, and this way the system remains very usable.
Sophos 1/5? :oops:
I mean yea it has many processes, but is it actually slowing down your system that much? I have it installed for some days now and I can barely see any CPU usage.

Unbenannt.PNG

When scanning:

Scan.PNG

But as I can see you are totally fine with Norton. :)
 

Thales

Level 12
Nov 26, 2017
573
Sophos 1/5? :oops:
I mean yea it has many processes, but is it actually slowing down your system that much? I have it installed for some days now and I can barely see any CPU usage.
Yes, and I was surprised too. It slowed down my system as hell. I couldn't even browse or use my PC as usual.
I tried to make a quick scan to see how it performs but it used all of my CPU. I liked HMPA that's why I gave it a chance (I know different product but same brand).
Maybe it is my system that Sophos didn't like who knows.
 

blackice

Level 33
Verified
Apr 1, 2019
2,195
Yes, and I was surprised too. It slowed down my system as hell. I couldn't even browse or use my PC as usual.
I tried to make a quick scan to see how it performs but it used all of my CPU. I liked HMPA that's why I gave it a chance (I know different product but same brand).
Maybe it is my system that Sophos didn't like who knows.
What do you use to measure system performance? Do you just browse and open programs, or do you use a benchmark of some sort?
 

ForgottenSeer 89360

@Thales
I agree with your opinion about Trend Micro, it's light, easy to use and intuitive.

Regarding McAfee, I personally would advise you to stay clear, as long as Avast, Kaspersky, Trend and Norton exist.
I tested it few nights ago and I have to say I am not impressed at all.
UI is now very fast and snappy, that's a plus. Programs launch fast, another plus.
But it missed too much malware and even missed a document with macro...Every AV now handles these, only McAfee doesn't.
I would recommend McAfee to people who work with a small set of trusted content, but people looking for protection, better look elsewhere.
 

SecureKongo

Level 21
Verified
Feb 25, 2017
1,093
In my experience, it is better to install SHP on a newly configured system. It takes days to wind down and cache everything, so if you install it on a system with a bunch of installed software, I can imagine how unresponsive the system would be.
That's what I did actually. Might be the reason why it's running so smoothly on my side.
 

blackice

Level 33
Verified
Apr 1, 2019
2,195
In my experience, it is better to install SHP on a newly configured system. It takes days to wind down and cache everything, so if you install it on a system with a bunch of installed software, I can imagine how unresponsive the system would be.
That's what I did actually. Might be the reason why it's running so smoothly on my side.
I had the same experience. After waiting about 48 hours for it to cache things it ran very smooth. But, I know some people have had issues where it never settles in.
 

Divine_Barakah

Level 27
Verified
May 10, 2019
1,616
I had the same experience. After waiting about 48 hours for it to cache things it ran very smooth. But, I know some people have had issues where it never settles in.
Exactly. SHP was not for me and I had to look somewhere else, but I saw it working very light on some systems, high-end systems with decent internet speed. The product always slowed down Firefox.
 

Dex4Sure

Level 3
May 14, 2019
111
Not doing too bad
Test again on Android ;) Big difference. On Windows 10 FF does pretty well I agree. Still behind Chrome. And over time it still gets slower until you reinstall it, while I've noticed Chrome doesn't seem to. I just used 2 months Firefox straight cause I was fed up with Google, but nah I realized just can't do it any longer. The moment I tried Chrome again, everything just seemed to work faster and in some cases just more reliably too... Not to mention printing with Firefox... My printer just doesn't play nicely with FF while Chrome never had any issues.
 

SecureKongo

Level 21
Verified
Feb 25, 2017
1,093
Test again on Android ;) Big difference. On Windows 10 FF does pretty well I agree. Still behind Chrome. And over time it still gets slower until you reinstall it, while I've noticed Chrome doesn't seem to. I just used 2 months Firefox straight cause I was fed up with Google, but nah I realized just can't do it any longer. The moment I tried Chrome again, everything just seemed to work faster and in some cases just more reliably too... Not to mention printing with Firefox... My printer just doesn't play nicely with FF while Chrome never had any issues.
Oh, I only use the Windows version anyway so I can't say anything about the phone versions. Even tho Chrome might be faster, privacy goes first for me.
 

Dex4Sure

Level 3
May 14, 2019
111
Oh, I only use the Windows version anyway so I can't say anything about the phone versions. Even tho Chrome might be faster, privacy goes first for me.
I need to use my browser across different devices. Gotta say that when you need a fast browser with great syncing capabilities Chrome is still the top dog to this day. There are many other fast Chromium browsers, but none of them really come close to Chrome in reliability of their sync feature. That's a big problem for me as a multi-device user. I have a large number of bookmarks of which many are vital to me. For example Brave is great, but its sync is just inadequate for me.

The only browser that can somewhat compete in syncing with Chrome is Firefox, but it has the issues I mentioned earlier. And well perhaps Edge, but never really used it and don't think I will... So looks like I'm stuck with Google unfortunately.
 