- Nov 26, 2017
- 730
No problemMy bad, apologies
For me Firefox is fast as Edge. But I've never tried on mobile.
Thales Hardened system for 2021
- Thread starter Thales
- Start date
For me Firefox is fast as Edge. But I've never tried on mobile.
I tried Firefox mobile yesterday and ran Octane and other benchmarks. On my Galaxy S21 Ultra (enhanced processing not enabled), Chrome scored 21K on Octane, Ff scored 13K. On other benchmarks there was a big difference too...No problem
For me Firefox is fast as Edge. But I've never tried on mobile.
Update: just tested Edge, it outperforms them both with a huge difference...34528 points on Octane...
It's literally Chrome + FF combined.
Last edited by a moderator:
- Nov 26, 2017
- 730
Back to AVG because I still have 500+ days.
Also have Norton bu I don't like it since the recent update.
I was thinking of buying OSA because is has no impact on performance and it's enough with free antivirus. But why I paid for AVG if I don't use it.
The VPN worth it anyway.
However I know myself and I'm gonna buy it anyway
Also have Norton bu I don't like it since the recent update.
I was thinking of buying OSA because is has no impact on performance and it's enough with free antivirus. But why I paid for AVG if I don't use it.
The VPN worth it anyway.
However I know myself and I'm gonna buy it anyway
AVG Internet Security
custom settings
- Detection > Medium Security
- Hardened mode
- Enabled Site blocking (Web Shield)
- Files Shield
- Behavior Shield
- Web Shield
- Remote Access Shield
- Enhanced Firewall
- Nov 26, 2017
- 730
First of all I discovered how good Norton is but not configurable as ESET. Covers a lot of layers and it is light on my Laptop.
Despite of this I decided to try another solution because why not
I didn't want to buy another security software (ESET or OSA) because I already have two. I try free solution because using complete security suite makes me lazy and I don't educate myself. However I wanted to avoid using 3 or 4 different security programs and I think I've found the balanced solution.
Syshardener, Configure Defender and NextDNS are set and forget.
WFC can be installed but I'm not sure if I need it.
I hope my system remains stable and usable with syshardener. If not OSA is the solution.
Bitlocker Changes (via Group policy)
Syshardener (Default + Extra changes)
NextDNS
Despite of this I decided to try another solution because why not
I didn't want to buy another security software (ESET or OSA) because I already have two. I try free solution because using complete security suite makes me lazy and I don't educate myself. However I wanted to avoid using 3 or 4 different security programs and I think I've found the balanced solution.
Syshardener, Configure Defender and NextDNS are set and forget.
WFC can be installed but I'm not sure if I need it.
I hope my system remains stable and usable with syshardener. If not OSA is the solution.
Microsoft Defender
Configure Defender set to MAX
Controlled folder access disabled
Hide Security Center: Visible
Controlled folder access disabled
Hide Security Center: Visible
Bitlocker Changes (via Group policy)
- Cypher strenght -> AES CBC 256
- Disabled new DMA devices when this computer is locked
- Allowed secure Boot for integrity validation
- Requires additional authentication at Startup
- Require TPM
- Do not allow startup PIN with TPM
- Do not allow startup key with TPM
- Do not allow startup key and PIN with TPM
Syshardener (Default + Extra changes)
Turn off remote desktop connection to the PC
Turn off sidebar and desktop gadgets
Disable Windows subsystem for Linux
Change powershell Execution Policy for Current User (Restricted)
Restrict powershell (v3+) to Constrained Language Mode
Disable Powershell Script Execution
Disable Powershell v2.0 Engine
Unassociate .JAR file Extension
Turn off Windows Error reporting Service
Turn off Radio management Service
Turn off Remote management Services
Block outbond connectiona for Lsass.exe
Turn off sidebar and desktop gadgets
Disable Windows subsystem for Linux
Change powershell Execution Policy for Current User (Restricted)
Restrict powershell (v3+) to Constrained Language Mode
Disable Powershell Script Execution
Disable Powershell v2.0 Engine
Unassociate .JAR file Extension
Turn off Windows Error reporting Service
Turn off Radio management Service
Turn off Remote management Services
Block outbond connectiona for Lsass.exe
NextDNS
- Nov 26, 2017
- 730
I removed Adblock because I heavily rely on NextDNS. I installed Adblock for Youtube and that's all I need.
With the new NextDNS setup I experienced insane browsing speed without ads.
NextDNS
Thanks to @SecurityNightmares
malwaretips.com
With the new NextDNS setup I experienced insane browsing speed without ads.
NextDNS
Security
Everything is on
Blocked most abused Top level Domains
Privacy
Blocklist
Websites, Apps, Games
Microsoft.com
Settings
Anonymized EDNS Client Subnet
Cache Boost
CNAME Flattening
Everything is on
Blocked most abused Top level Domains
Privacy
Blocklist
- NextDNS Ads & Trackers Blocklist
- UncheckyAds
- oisd
- Xiaomi
- Huawei
- Samsung
- Apple
- Roku
- Sonos
- Block Disguised Third-Party Trackers
Websites, Apps, Games
- TikTok
- Tinder
- Fortnite
- Minecraft
- Tumblr
- 9GAG
- VK
- Roblox
- Dailymotion
- Hulu
- Dating
- Piracy
- Porn
- Block Bypass Methods
Microsoft.com
Settings
Anonymized EDNS Client Subnet
Cache Boost
CNAME Flattening
Thanks to @SecurityNightmares
Tutorial - NextDNS: a DoH/ DoT guide
As Lenny_Fox request a NextDNS guide with pictures, here we go - based on Your NextDNS settings thread. First, info about NextDNS can be read at: official Website & GitHub I use and recommend using their service in easiest way you can implement. For me that is on router level so i don't need...
malwaretips.com
Last edited:
- Nov 26, 2017
- 730
Now I'm using NextDNS iIPv4 config with linked IP instead of the native app.
Also blocked port 80 for testing purpose. I can see only port 443 in the connection viewer.
I don't need VPN because it seems everything is encrypted, so public wifi couldn't be a problem.
of course some program like AIMP can't communicate with the update server but I don't care.
Also blocked port 80 for testing purpose. I can see only port 443 in the connection viewer.
I don't need VPN because it seems everything is encrypted, so public wifi couldn't be a problem.
of course some program like AIMP can't communicate with the update server but I don't care.
Last edited:
I can recommend "Foobar2000 mobile" from Windows Store.
Minimalist version but most secure because it run as AppContainer
- Aug 22, 2013
- 886
check port 53 and 5353 too, its unencrypted dns traffic. (pktmon filter add -p 53, pktmon start --etw -m real-time)
(Windows Insiders can now test DNS over HTTPS)
Last edited:
- Dec 23, 2014
- 8,513
You have to be careful with BAT, CMD, LNK, and CHM files. They are often used in fileless attacks.
But, you will probably never see such attacks and many of them will be stopped by your current setup on the later stages of the infection chain.
From the usability viewpoint, there can be potential problems with scripts, because the user/system scripts cannot be whitelisted.
But, you will probably never see such attacks and many of them will be stopped by your current setup on the later stages of the infection chain.
From the usability viewpoint, there can be potential problems with scripts, because the user/system scripts cannot be whitelisted.
Last edited:
- Nov 26, 2017
- 730
I can block additional files like bat, reg, ps1 in syshardener. (I already did it)You have to be careful with BAT, CMD, LNK, and CHM files. They are often used in fileless attacks.
But, you will probably never see such attacks and many of them will be stopped by your current setup on the later stages of the infection chain.
From the usability viewpoint, there can be potential problems with scripts, because the user/system scripts cannot be whitelisted.
LNK, CHM can be blocked by SRP but I don't use it currently.
As you said I can have problems that's why I prefer OSA over syshardener. But either SWH, OSA or syshardener I use I feel much more secure than with any AV suite.
- Dec 23, 2014
- 8,513
It is a very strong setup, almost as strong as tweaked KIS with blocking executables unknown to KSN.
You should bear in mind that the attack can still be performed by JAR files via initial LNK, BAT, CMD, CHM infection vectors (there are more, but not so popular). Blocking file extension (like JAR) can be bypassed by using CmdLine contained in LNK, BAT, CMD, or CHM files (and some others).
- Nov 26, 2017
- 730
No problem with syshardener but I replaced with SWH, FH, and SRP..
Also I made a copy of the previous setup in the first post.
I'm gonna stick to this setup for the rest of the year. I'm just gonna improve the settings.
Suggestions are welcome!
SWH (Simple Windows Hardening)
Default settings
Firewall Hardening
Added Recommended Rules
Added LOLBin rules
SRP is ON
Default
Also I made a copy of the previous setup in the first post.
I'm gonna stick to this setup for the rest of the year. I'm just gonna improve the settings.
Suggestions are welcome!
SWH (Simple Windows Hardening)
Default settings
Firewall Hardening
Added Recommended Rules
Added LOLBin rules
SRP is ON
Default
- Dec 23, 2014
- 8,513
When using SWH and FH you should look from time to time into the Logs created by them.
I can advise you to use FH with empty BlockList (no rules at all) for some time (Logging feature set to ON). The FH Log contains any outbound connection blocked by Windows Firewall. Many such events are not related to FH. By using FH without active rules you can easily identify what is blocked by Windows Firewall due to system settings and other applications. You can save this Log and compare it later with the Log created after enabling FH rules.
Post edited - added info about using FH without active rules
- Jan 21, 2018
- 48
Out of curiosity, is there a special reason you chose CBC instead of XTS, and specifically CBC without the elephant diffuser?
- Nov 26, 2017
- 730
I didn't. Just for the removable media. This is a misspelling
Anyway I just followed the recommendation because I'm not familiar with CBC and XTS.
Attachments
Last edited:
- Nov 26, 2017
- 730
Removed Enpass (paid) and back to Keepass combined with Windows Hello. No problem with Enpass but I gave another try to Keepass (original) and I prefer the database style view that Keepass provides.
No browser extension because I don't need it and it also reduces the attack surface.
I rarely need to log in to websites because I don't delete cookies.
Currently no keyfile. Also I have plaintext backup (psw protected) saved to multiple locations.
It is not complicated.
No browser extension because I don't need it and it also reduces the attack surface.
I rarely need to log in to websites because I don't delete cookies.
Currently no keyfile. Also I have plaintext backup (psw protected) saved to multiple locations.
It is not complicated.
My KeePass setup run with key file, stored in UAC protected folder while the KeePass database is on Onedrive and defender ransomware protection is enabled.
I also save non important data in Edge like for forums
- Nov 26, 2017
- 730
I wanted to go with my old setup which is OSA, SRP and no Antivirus but I decided to give WiseVecor StopX a chance
Installed the lovely OSA again.
System Hardener: OSA (see the rules above)
Antivirus: WiseVector StopX (see the changes above)
Web Protection: NextDNS (see the rules above)
Firewall: Windows Firewall (Recommended rules by Firewall Hardening)
Minor changes:
NextDNS: Enabled SafeSearch, expanded the allowlist
Installed the lovely OSA again.
System Hardener: OSA (see the rules above)
Antivirus: WiseVector StopX (see the changes above)
Web Protection: NextDNS (see the rules above)
Firewall: Windows Firewall (Recommended rules by Firewall Hardening)
Minor changes:
NextDNS: Enabled SafeSearch, expanded the allowlist
Last edited:
- Nov 26, 2017
- 730
Now I'm using only osid in NextDNS' privacy settings.
I'm still trying AV. I'm gonna keep the lightest one even if it is not the best protection-wise.
OSA is the best for me but maybe I should replace it with Eset IS and configure the HIPS.
I'm still trying AV. I'm gonna keep the lightest one even if it is not the best protection-wise.
OSA is the best for me but maybe I should replace it with Eset IS and configure the HIPS.
- Nov 26, 2017
- 730
I'm still looking for AV (not Internet Security) but no luck, so WD is good for now.
System Hardener: SysHardener (Default + Extra changes)
Antivirus: Windows Defender (Configure Defender at High)
Web Protection: NextDNS
Firewall: Windows Firewall (Recommended rules by Firewall Hardening)
System Hardener: SysHardener (Default + Extra changes)
Antivirus: Windows Defender (Configure Defender at High)
Web Protection: NextDNS
Firewall: Windows Firewall (Recommended rules by Firewall Hardening)
Turn off remote desktop connection to the PC
Turn off sidebar and desktop gadgets
Disable Windows subsystem for Linux
Change powershell Execution Policy for Current User (Restricted)
Restrict powershell (v3+) to Constrained Language Mode
Disable Powershell Script Execution
Disable Powershell v2.0 Engine
Turn off Windows Error reporting Service
Turn off Radio management Service
Turn off Remote management Services
Block outbond connectiona for Lsass.exe
Blocked every file type available in syshardener
Turn off sidebar and desktop gadgets
Disable Windows subsystem for Linux
Change powershell Execution Policy for Current User (Restricted)
Restrict powershell (v3+) to Constrained Language Mode
Disable Powershell Script Execution
Disable Powershell v2.0 Engine
Turn off Windows Error reporting Service
Turn off Radio management Service
Turn off Remote management Services
Block outbond connectiona for Lsass.exe
Blocked every file type available in syshardener
Security
Everything is on
Blocked most abused Top level Domains
Using IPv4 with Linked IP
AI-Driver Threat Detection
Privacy
Blocklist
Parental Control
Websites, Apps, Games
Allow list
Microsoft.com
Settings
Anonymized EDNS Client Subnet
Cache Boost
CNAME Flattening
Everything is on
Blocked most abused Top level Domains
Using IPv4 with Linked IP
AI-Driver Threat Detection
Privacy
Blocklist
- NextDNS Ads & Trackers Blocklist
- UncheckyAds
- oisd
- Xiaomi
- Huawei
- Samsung
- Apple
- Roku
- Sonos
Parental Control
Websites, Apps, Games
- TikTok
- Tinder
- Fortnite
- Minecraft
- Tumblr
- 9GAG
- VK
- Roblox
- Dailymotion
- Hulu
- Dating
- Piracy
- Porn
Allow list
Microsoft.com
Settings
Anonymized EDNS Client Subnet
Cache Boost
CNAME Flattening
Similar threads
