Advanced Plus Security Thales Hardened system for 2021

Last updated
Sep 15, 2021
How it's used?
For home and private use
Operating system
Windows 10
On-device encryption
Log-in security
    • Biometrics (Windows Hello PIN, TouchID, Face, Iris, Fingerprint)
Security updates
Allow security updates and latest features
User Access Control
Always notify
Smart App Control
Network firewall
Real-time security

WiseVector StopX​

Heuristic Analysis set to High
Ransomware rollback disabled
Enabled document folder protection (MEGA)
Firewall security
Microsoft Defender Firewall
About custom security
Bitlocker Changes (via Group policy)
  • Cypher strenght -> AES XTS 256
  • Disabled new DMA devices when this computer is locked
  • Allowed secure Boot for integrity validation
  • Requires additional authentication at Startup
    • Require TPM
    • Do not allow startup PIN with TPM
    • Do not allow startup key with TPM
    • Do not allow startup key and PIN with TPM

NextDNS
Security
Everything is on
Blocked most abused Top level Domains
Using IPv4 with Linked IP

Privacy
Blocklist

  • NextDNS Ads & Trackers Blocklist
  • UncheckyAds
  • oisd
Native Tracker Protection
  • Xiaomi
  • Huawei
  • Samsung
  • Apple
  • Roku
  • Sonos
Block Disguised Third-Party Trackers

Parental Control
Websites, Apps, Games

  • TikTok
  • Tinder
  • Fortnite
  • Minecraft
  • Tumblr
  • 9GAG
  • VK
  • Roblox
  • WhatsApp
  • Dailymotion
  • Hulu
Categories
  • Dating
  • Piracy
  • Porn
Block Bypass Methods
SafeSearch

Allow list
auth.vodafone.hu
g.api.mega.co.nz
pokercaption.com
qbittorrent.org
eu.static.mega.co.nz
1337x.to
mega.nz
twoplustwo.com
microsoft.com

Settings
Anonymized EDNS Client Subnet
Cache Boost
CNAME Flattening

OSA
Main protection is ON
(LOLBins are also blocked)

Nlock Specific Location
This is crucial, maybe AppData is also should be blocked.
  • Block executionof unsigned processes on root folder
  • Block execution of processes on Public Folder
  • Block Execution of processes on All User Folder
  • Block processes executed from Shared folder
  • Block processes executed from Network Drive
  • Block processes executed from USB
  • Block unknown processes from Windows folder
  • Block execution of unsigned processes on Downloads folder
  • Block execution of unsigned processes on Windows Temp
  • Block execution of unsigned processes on Temp Folder
Potentially unwanted processes
very important one, I don't use any remote management software, so I block everything here
  • Block execution of any processes related to Teamviewer
  • Block execution of any processes related to RealVNC
  • Block execution of any processes related to UltraVNC
  • Block execution of any processes related to NirSoft
  • Block execution of any processes related toLogMeIn
  • Block execution of any processes related to Security/Xploded
  • Block execution of any processes related to Radmin
  • Blck execution of PsTools Suite from Systernals
  • Block processes named like "keygen" or "crack"
Restrict Windows Programs
  • Block Execution of Internet Explorer
  • Block execution of Cortana
  • Block Execution of Windows Registry Editor
  • Bloc execution of UAC control Settings
Smart Powershell & CMD Rules
Maybe I should block more powershell commands. I'm not sure because I'm not familiar with powershell.
  • Block "ExecutionPolicy Bypass" on command-line (powershell)
Block Script Execution
  • Block execution of .ps1 (Powershell) scripts
  • Block ecxecution of .jar scripts
  • Block execution of .msc outside System Folder
  • Block execution of .cpl pplets outside System Folder
Other Useful Block Rules
  • Block any processes executed from mstsc (Remote Dektop)
  • Block any processes executed from runtimebroker.exe
  • Block any processes executed from java.exe
  • Block any processes executed from javaw.exe
  • Block execution of javaw\java.exe
  • Block regedit.exe from silently loading .reg scripts
  • Block reg.exe fro hijacking Registry startup entries
UAC bypass Mitigation Rules
  • Block reg.exe from disabling UAC
  • Block known and possible UAC.bypass attempts
  • Block "tricks" used to run UAC-bypass system processes

Recommended Rules by Firewall hardening
Periodic malware scanners
Hitman Pro Free
Malware sample testing
I do not participate in malware testing
Browser(s) and extensions
Microsoft Edge
  • Adblock plus
  • Enpass
Secure DNS
NextDNS
Desktop VPN
Not at this moment
Password manager
Enpass
Maintenance tools
WiseDiskCleaner Free Automatically runs daily
File and Photo backup
Redundant Backup
(Multiple locations, independent from each other)
System recovery
EasUS todo backup free
Risk factors
    • Working from home
    • Browsing to popular websites
    • Opening email attachments
    • Logging into my bank account
    • Downloading malware samples
Notable changes
2021-06-12 WD, gpedit, syshardener, NextDNS
2021-06-13 NextDNS revamp
2021-06-15 syshardener replaced with SWH, FH, SRP
2021-06-17 Back to Keepass
What I'm looking for?

Looking for maximum feedback.

F

ForgottenSeer 89360

No problem :D



For me Firefox is fast as Edge. But I've never tried on mobile.
I tried Firefox mobile yesterday and ran Octane and other benchmarks. On my Galaxy S21 Ultra (enhanced processing not enabled), Chrome scored 21K on Octane, Ff scored 13K. On other benchmarks there was a big difference too...

Update: just tested Edge, it outperforms them both with a huge difference...34528 points on Octane...
It's literally Chrome + FF combined.
 
Last edited by a moderator:

Thales

Level 15
Thread author
Verified
Top Poster
Well-known
Nov 26, 2017
708
Back to AVG because I still have 500+ days.
Also have Norton bu I don't like it since the recent update.
I was thinking of buying OSA because is has no impact on performance and it's enough with free antivirus. But why I paid for AVG if I don't use it.
The VPN worth it anyway.

However I know myself and I'm gonna buy it anyway :D

AVG Internet Security​

custom settings

  • Detection > Medium Security
  • Hardened mode
  • Enabled Site blocking (Web Shield)
Enabled Modules
  • Files Shield
  • Behavior Shield
  • Web Shield
  • Remote Access Shield
  • Enhanced Firewall
 

Thales

Level 15
Thread author
Verified
Top Poster
Well-known
Nov 26, 2017
708
First of all I discovered how good Norton is but not configurable as ESET. Covers a lot of layers and it is light on my Laptop.
Despite of this I decided to try another solution because why not :D
I didn't want to buy another security software (ESET or OSA) because I already have two. I try free solution because using complete security suite makes me lazy and I don't educate myself. However I wanted to avoid using 3 or 4 different security programs and I think I've found the balanced solution.
Syshardener, Configure Defender and NextDNS are set and forget.
WFC can be installed but I'm not sure if I need it.

I hope my system remains stable and usable with syshardener. If not OSA is the solution.

Microsoft Defender

Configure Defender set to MAX
Controlled folder access disabled
Hide Security Center: Visible

Bitlocker Changes (via Group policy)
  • Cypher strenght -> AES CBC 256
  • Disabled new DMA devices when this computer is locked
  • Allowed secure Boot for integrity validation
  • Requires additional authentication at Startup
    • Require TPM
    • Do not allow startup PIN with TPM
    • Do not allow startup key with TPM
    • Do not allow startup key and PIN with TPM

Syshardener (Default + Extra changes)
Turn off remote desktop connection to the PC
Turn off sidebar and desktop gadgets
Disable Windows subsystem for Linux
Change powershell Execution Policy for Current User (Restricted)
Restrict powershell (v3+) to Constrained Language Mode
Disable Powershell Script Execution
Disable Powershell v2.0 Engine
Unassociate .JAR file Extension
Turn off Windows Error reporting Service
Turn off Radio management Service
Turn off Remote management Services
Block outbond connectiona for Lsass.exe

NextDNS
 

Thales

Level 15
Thread author
Verified
Top Poster
Well-known
Nov 26, 2017
708
I removed Adblock because I heavily rely on NextDNS. I installed Adblock for Youtube and that's all I need.
With the new NextDNS setup I experienced insane browsing speed without ads.


NextDNS
Security
Everything is on
Blocked most abused Top level Domains

Privacy
Blocklist

  • NextDNS Ads & Trackers Blocklist
  • UncheckyAds
  • oisd
Native Tracker Protection
  • Xiaomi
  • Huawei
  • Samsung
  • Apple
  • Roku
  • Sonos
  • Block Disguised Third-Party Trackers
Parental Control
Websites, Apps, Games

  • TikTok
  • Tinder
  • Fortnite
  • Minecraft
  • Tumblr
  • 9GAG
  • VK
  • Roblox
  • WhatsApp
  • Dailymotion
  • Hulu
Categories
  • Dating
  • Piracy
  • Porn
  • Block Bypass Methods
Allow list
Microsoft.com

Settings
Anonymized EDNS Client Subnet
Cache Boost
CNAME Flattening

Thanks to @SecurityNightmares
 
Last edited:

Thales

Level 15
Thread author
Verified
Top Poster
Well-known
Nov 26, 2017
708
Now I'm using NextDNS iIPv4 config with linked IP instead of the native app.
Also blocked port 80 for testing purpose. I can see only port 443 in the connection viewer.
I don't need VPN because it seems everything is encrypted, so public wifi couldn't be a problem.
of course some program like AIMP can't communicate with the update server but I don't care.
 
Last edited:

Brahman

Level 16
Verified
Top Poster
Well-known
Aug 22, 2013
794
Now I'm using NextDNS iIPv4 config with linked IP instead of the native app.
Also blocked port 80 for testing purpose. I can see only port 443 in the connection viewer.
I don't need VPN because it seems everything is encrypted, so public wifi couldn't be a problem.
of course some program like AIMP can't communicate with the update server but I don't care.
check port 53 and 5353 too, its unencrypted dns traffic. (pktmon filter add -p 53, pktmon start --etw -m real-time)
(Windows Insiders can now test DNS over HTTPS)
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,004
You have to be careful with BAT, CMD, LNK, and CHM files. They are often used in fileless attacks.(y)
But, you will probably never see such attacks and many of them will be stopped by your current setup on the later stages of the infection chain.:)
From the usability viewpoint, there can be potential problems with scripts, because the user/system scripts cannot be whitelisted.
 
Last edited:

Thales

Level 15
Thread author
Verified
Top Poster
Well-known
Nov 26, 2017
708
You have to be careful with BAT, CMD, LNK, and CHM files. They are often used in fileless attacks.(y)
But, you will probably never see such attacks and many of them will be stopped by your current setup on the later stages of the infection chain.:)
From the usability viewpoint, there can be potential problems with scripts, because the user/system scripts cannot be whitelisted.
I can block additional files like bat, reg, ps1 in syshardener. (I already did it)
LNK, CHM can be blocked by SRP but I don't use it currently.
As you said I can have problems that's why I prefer OSA over syshardener. But either SWH, OSA or syshardener I use I feel much more secure than with any AV suite.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,004
I can block additional files like bat, reg, ps1 in syshardener. (I already did it)
LNK, CHM can be blocked by SRP but I don't use it currently.
As you said I can have problems that's why I prefer OSA over syshardener. But either SWH, OSA or syshardener I use I feel much more secure than with any AV suite.
It is a very strong setup, almost as strong as tweaked KIS with blocking executables unknown to KSN.
You should bear in mind that the attack can still be performed by JAR files via initial LNK, BAT, CMD, CHM infection vectors (there are more, but not so popular). Blocking file extension (like JAR) can be bypassed by using CmdLine contained in LNK, BAT, CMD, or CHM files (and some others).
 

Thales

Level 15
Thread author
Verified
Top Poster
Well-known
Nov 26, 2017
708
No problem with syshardener but I replaced with SWH, FH, and SRP..
Also I made a copy of the previous setup in the first post.
I'm gonna stick to this setup for the rest of the year. I'm just gonna improve the settings.
Suggestions are welcome!

SWH (Simple Windows Hardening)
Default settings

Firewall Hardening
Added Recommended Rules
Added LOLBin rules

SRP is ON
Default
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,004
No problem with syshardener but I replaced with SWH, FH, and SRP..
Also I made a copy of the previous setup in the first post.
I'm gonna stick to this setup for the rest of the year. I'm just gonna improve the settings.
Suggestions are welcome!

SWH (Simple Windows Hardening)
Default settings

Firewall Hardening
Added Recommended Rules
Added LOLBin rules

SRP is ON
Default
When using SWH and FH you should look from time to time into the Logs created by them.
I can advise you to use FH with empty BlockList (no rules at all) for some time (Logging feature set to ON). The FH Log contains any outbound connection blocked by Windows Firewall. Many such events are not related to FH. By using FH without active rules you can easily identify what is blocked by Windows Firewall due to system settings and other applications. You can save this Log and compare it later with the Log created after enabling FH rules.

Post edited - added info about using FH without active rules
 

Thales

Level 15
Thread author
Verified
Top Poster
Well-known
Nov 26, 2017
708
Out of curiosity, is there a special reason you chose CBC instead of XTS, and specifically CBC without the elephant diffuser?
I didn't. Just for the removable media. This is a misspelling :)
Anyway I just followed the recommendation because I'm not familiar with CBC and XTS.
 

Attachments

  • 1623776997939.png
    1623776997939.png
    27.6 KB · Views: 224
Last edited:

Thales

Level 15
Thread author
Verified
Top Poster
Well-known
Nov 26, 2017
708
Removed Enpass (paid) and back to Keepass combined with Windows Hello. No problem with Enpass but I gave another try to Keepass (original) and I prefer the database style view that Keepass provides.
No browser extension because I don't need it and it also reduces the attack surface.
I rarely need to log in to websites because I don't delete cookies.

Currently no keyfile. Also I have plaintext backup (psw protected) saved to multiple locations.
It is not complicated.
 
F

ForgottenSeer 85179

Removed Enpass (paid) and back to Keepass combined with Windows Hello. No problem with Enpass but I gave another try to Keepass (original) and I prefer the database style view that Keepass provides.
No browser extension because I don't need it and it also reduces the attack surface.
I rarely need to log in to websites because I don't delete cookies.

Currently no keyfile. Also I have plaintext backup (psw protected) saved to multiple locations.
It is not complicated.
My KeePass setup run with key file, stored in UAC protected folder while the KeePass database is on Onedrive and defender ransomware protection is enabled.

I also save non important data in Edge like for forums
 

Thales

Level 15
Thread author
Verified
Top Poster
Well-known
Nov 26, 2017
708
I wanted to go with my old setup which is OSA, SRP and no Antivirus but I decided to give WiseVecor StopX a chance
Installed the lovely OSA again.

System Hardener: OSA (see the rules above)
Antivirus: WiseVector StopX (see the changes above)
Web Protection: NextDNS (see the rules above)
Firewall: Windows Firewall (Recommended rules by Firewall Hardening)

Minor changes:
NextDNS: Enabled SafeSearch, expanded the allowlist
 
Last edited:

Thales

Level 15
Thread author
Verified
Top Poster
Well-known
Nov 26, 2017
708
Now I'm using only osid in NextDNS' privacy settings.

I'm still trying AV. I'm gonna keep the lightest one even if it is not the best protection-wise.
OSA is the best for me but maybe I should replace it with Eset IS and configure the HIPS. 😁
 

Thales

Level 15
Thread author
Verified
Top Poster
Well-known
Nov 26, 2017
708
I'm still looking for AV (not Internet Security) but no luck, so WD is good for now.

System Hardener: SysHardener (Default + Extra changes)
Antivirus: Windows Defender (Configure Defender at High)
Web Protection: NextDNS
Firewall: Windows Firewall (Recommended rules by Firewall Hardening)

Turn off remote desktop connection to the PC
Turn off sidebar and desktop gadgets
Disable Windows subsystem for Linux
Change powershell Execution Policy for Current User (Restricted)
Restrict powershell (v3+) to Constrained Language Mode
Disable Powershell Script Execution
Disable Powershell v2.0 Engine
Turn off Windows Error reporting Service
Turn off Radio management Service
Turn off Remote management Services
Block outbond connectiona for Lsass.exe
Blocked every file type available in syshardener
Security
Everything is on
Blocked most abused Top level Domains
Using IPv4 with Linked IP
AI-Driver Threat Detection

Privacy
Blocklist

  • NextDNS Ads & Trackers Blocklist
  • UncheckyAds
  • oisd
Native Tracker Protection
  • Xiaomi
  • Huawei
  • Samsung
  • Apple
  • Roku
  • Sonos
Block Disguised Third-Party Trackers

Parental Control
Websites, Apps, Games

  • TikTok
  • Tinder
  • Fortnite
  • Minecraft
  • Tumblr
  • 9GAG
  • VK
  • Roblox
  • WhatsApp
  • Dailymotion
  • Hulu
Categories
  • Dating
  • Piracy
  • Porn
Block Bypass Methods

Allow list
Microsoft.com

Settings
Anonymized EDNS Client Subnet
Cache Boost
CNAME Flattening
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top