SECURITY: Complete Thales Hardened system for 2021

Last updated
Sep 15, 2021
About
Personal, primary device
Additional PC users
Not shared with other users
Desktop OS
Windows 10
OS edition
Pro
Login security
    • Password-less (PIN, Biometric, Face)
    • Password (Aa-Zz, 0-9, Symbols)
Primary sign-in
Microsoft account
Primary user
Admin user - Full permissions
Other users
Other accounts are Standard users
Security updates
Automatic - allow all types of updates
Windows UAC
Maximum - always notify
Network firewall
ISP-issued router
Real-time protection

WiseVector StopX

Heuristic Analysis set to High
Ransomware rollback disabled
Enabled document folder protection (MEGA)
Software firewall
Microsoft Defender Firewall
Custom RTP, Firewall and OS settings
Bitlocker Changes (via Group policy)
  • Cipher strength -> AES XTS 256
  • Disabled new DMA devices when this computer is locked
  • Allowed secure Boot for integrity validation
  • Requires additional authentication at Startup
    • Require TPM
    • Do not allow startup PIN with TPM
    • Do not allow startup key with TPM
    • Do not allow startup key and PIN with TPM

NextDNS
Security
Everything is on
Blocked most abused Top level Domains
Using IPv4 with Linked IP

Privacy
Blocklist

  • NextDNS Ads & Trackers Blocklist
  • UncheckyAds
  • oisd
Native Tracker Protection
  • Xiaomi
  • Huawei
  • Samsung
  • Apple
  • Roku
  • Sonos
Block Disguised Third-Party Trackers

Parental Control
Websites, Apps, Games

  • TikTok
  • Tinder
  • Fortnite
  • Minecraft
  • Tumblr
  • 9GAG
  • VK
  • Roblox
  • WhatsApp
  • Dailymotion
  • Hulu
Categories
  • Dating
  • Piracy
  • Porn
Block Bypass Methods
SafeSearch

Allow list
auth.vodafone.hu
g.api.mega.co.nz
pokercaption.com
qbittorrent.org
eu.static.mega.co.nz
1337x.to
mega.nz
twoplustwo.com
microsoft.com

Settings
Anonymized EDNS Client Subnet
Cache Boost
CNAME Flattening

OSA
Main protection is ON
(LOLBins are also blocked)

Block Specific Location
This is crucial; maybe AppData should also be blocked.
  • Block execution of unsigned processes on root folder
  • Block execution of processes on Public Folder
  • Block Execution of processes on All User Folder
  • Block processes executed from Shared folder
  • Block processes executed from Network Drive
  • Block processes executed from USB
  • Block unknown processes from Windows folder
  • Block execution of unsigned processes on Downloads folder
  • Block execution of unsigned processes on Windows Temp
  • Block execution of unsigned processes on Temp Folder
Potentially unwanted processes
Very important one: I don't use any remote management software, so I block everything here.
  • Block execution of any processes related to Teamviewer
  • Block execution of any processes related to RealVNC
  • Block execution of any processes related to UltraVNC
  • Block execution of any processes related to NirSoft
  • Block execution of any processes related to LogMeIn
  • Block execution of any processes related to Security/Xploded
  • Block execution of any processes related to Radmin
  • Block execution of PsTools Suite from Sysinternals
  • Block processes named like "keygen" or "crack"
Restrict Windows Programs
  • Block Execution of Internet Explorer
  • Block execution of Cortana
  • Block Execution of Windows Registry Editor
  • Block execution of UAC control Settings
Smart Powershell & CMD Rules
Maybe I should block more powershell commands. I'm not sure because I'm not familiar with powershell.
  • Block "ExecutionPolicy Bypass" on command-line (powershell)
Block Script Execution
  • Block execution of .ps1 (Powershell) scripts
  • Block execution of .jar scripts
  • Block execution of .msc outside System Folder
  • Block execution of .cpl applets outside System Folder
Other Useful Block Rules
  • Block any processes executed from mstsc (Remote Desktop)
  • Block any processes executed from runtimebroker.exe
  • Block any processes executed from java.exe
  • Block any processes executed from javaw.exe
  • Block execution of javaw\java.exe
  • Block regedit.exe from silently loading .reg scripts
  • Block reg.exe from hijacking Registry startup entries
UAC bypass Mitigation Rules
  • Block reg.exe from disabling UAC
  • Block known and possible UAC.bypass attempts
  • Block "tricks" used to run UAC-bypass system processes

Recommended Rules by Firewall hardening
Malware testing
No malware samples
Periodic security scanners
Hitman Pro Free
Secure DNS
NextDNS
VPN
Not at this moment
Password manager
Enpass
Browsers, Search and Addons
Microsoft Edge
  • Adblock plus
  • Enpass
Maintenance and Cleaning
WiseDiskCleaner Free, runs automatically every day
Personal Files & Photos backup
Redundant Backup
(Multiple locations, independent from each other)
Personal backup routine
Automatic (scheduled)
Device recovery & backup
EaseUS Todo Backup Free
Device backup routine
Manual (maintained by self)
PC activity
  1. Working from home. 
  2. Browsing the web. 
  3. Emails. 
  4. Banking. 
  5. Malware samples. 
Personal changelog
2021-06-12 WD, gpedit, syshardener, NextDNS
2021-06-13 NextDNS revamp
2021-06-15 syshardener replaced with SWH, FH, SRP
2021-06-17 Back to Keepass
Feedback Response

Most critical feedback


ForgottenSeer 89360

No problem :D



For me Firefox is fast as Edge. But I've never tried on mobile.
I tried Firefox mobile yesterday and ran Octane and other benchmarks. On my Galaxy S21 Ultra (enhanced processing not enabled), Chrome scored 21K on Octane, Ff scored 13K. On other benchmarks there was a big difference too...

Update: just tested Edge, it outperforms them both with a huge difference...34528 points on Octane...
It's literally Chrome + FF combined.

Thales

Level 12
Nov 26, 2017
572
Back to AVG because I still have 500+ days.
Also have Norton but I don't like it since the recent update.
I was thinking of buying OSA because it has no impact on performance and it's enough with a free antivirus. But why did I pay for AVG if I don't use it?
The VPN is worth it anyway.

However I know myself and I'm gonna buy it anyway :D

AVG Internet Security

custom settings

  • Detection > Medium Security
  • Hardened mode
  • Enabled Site blocking (Web Shield)
Enabled Modules
  • Files Shield
  • Behavior Shield
  • Web Shield
  • Remote Access Shield
  • Enhanced Firewall
 

Thales

Level 12
Nov 26, 2017
572
First of all I discovered how good Norton is, but it is not as configurable as ESET. It covers a lot of layers and it is light on my Laptop.
Despite this I decided to try another solution because why not :D
I didn't want to buy another security software (ESET or OSA) because I already have two. I try free solutions because using a complete security suite makes me lazy and I don't educate myself. However I wanted to avoid using 3 or 4 different security programs and I think I've found the balanced solution.
Syshardener, Configure Defender and NextDNS are set and forget.
WFC can be installed but I'm not sure if I need it.

I hope my system remains stable and usable with syshardener. If not OSA is the solution.

Microsoft Defender

Configure Defender set to MAX
Controlled folder access disabled
Hide Security Center: Visible

Bitlocker Changes (via Group policy)
  • Cipher strength -> AES CBC 256
  • Disabled new DMA devices when this computer is locked
  • Allowed secure Boot for integrity validation
  • Requires additional authentication at Startup
    • Require TPM
    • Do not allow startup PIN with TPM
    • Do not allow startup key with TPM
    • Do not allow startup key and PIN with TPM

Syshardener (Default + Extra changes)
Turn off remote desktop connection to the PC
Turn off sidebar and desktop gadgets
Disable Windows subsystem for Linux
Change powershell Execution Policy for Current User (Restricted)
Restrict powershell (v3+) to Constrained Language Mode
Disable Powershell Script Execution
Disable Powershell v2.0 Engine
Unassociate .JAR file Extension
Turn off Windows Error reporting Service
Turn off Radio management Service
Turn off Remote management Services
Block outbound connections for Lsass.exe

NextDNS
 

Thales

Level 12
Nov 26, 2017
572
I removed Adblock because I heavily rely on NextDNS. I installed Adblock for Youtube and that's all I need.
With the new NextDNS setup I experienced insane browsing speed without ads.


NextDNS
Security
Everything is on
Blocked most abused Top level Domains

Privacy
Blocklist

  • NextDNS Ads & Trackers Blocklist
  • UncheckyAds
  • oisd
Native Tracker Protection
  • Xiaomi
  • Huawei
  • Samsung
  • Apple
  • Roku
  • Sonos
  • Block Disguised Third-Party Trackers
Parental Control
Websites, Apps, Games

  • TikTok
  • Tinder
  • Fortnite
  • Minecraft
  • Tumblr
  • 9GAG
  • VK
  • Roblox
  • WhatsApp
  • Dailymotion
  • Hulu
Categories
  • Dating
  • Piracy
  • Porn
  • Block Bypass Methods
Allow list
Microsoft.com

Settings
Anonymized EDNS Client Subnet
Cache Boost
CNAME Flattening

Thanks to @SecurityNightmares

Thales

Level 12
Nov 26, 2017
572
Now I'm using the NextDNS IPv4 config with linked IP instead of the native app.
Also blocked port 80 for testing purposes. I can see only port 443 in the connection viewer.
I don't need a VPN because it seems everything is encrypted, so public wifi couldn't be a problem.
Of course some programs like AIMP can't communicate with the update server but I don't care.

JoyousBudweiser

Level 12
Verified
Aug 22, 2013
577
Now I'm using the NextDNS IPv4 config with linked IP instead of the native app.
Also blocked port 80 for testing purposes. I can see only port 443 in the connection viewer.
I don't need a VPN because it seems everything is encrypted, so public wifi couldn't be a problem.
Of course some programs like AIMP can't communicate with the update server but I don't care.
Check ports 53 and 5353 too; it's unencrypted DNS traffic. (pktmon filter add -p 53, pktmon start --etw -m real-time)
(Windows Insiders can now test DNS over HTTPS)

Andy Ful

Level 72
Verified
Trusted
Content Creator
Dec 23, 2014
6,125
You have to be careful with BAT, CMD, LNK, and CHM files. They are often used in fileless attacks.(y)
But, you will probably never see such attacks and many of them will be stopped by your current setup on the later stages of the infection chain.:)
From the usability viewpoint, there can be potential problems with scripts, because the user/system scripts cannot be whitelisted.

Thales

Level 12
Nov 26, 2017
572
You have to be careful with BAT, CMD, LNK, and CHM files. They are often used in fileless attacks.(y)
But, you will probably never see such attacks and many of them will be stopped by your current setup on the later stages of the infection chain.:)
From the usability viewpoint, there can be potential problems with scripts, because the user/system scripts cannot be whitelisted.
I can block additional files like bat, reg, ps1 in syshardener. (I already did it)
LNK, CHM can be blocked by SRP but I don't use it currently.
As you said I can have problems that's why I prefer OSA over syshardener. But either SWH, OSA or syshardener I use I feel much more secure than with any AV suite.
 

Andy Ful

Level 72
Verified
Trusted
Content Creator
Dec 23, 2014
6,125
I can block additional files like bat, reg, ps1 in syshardener. (I already did it)
LNK, CHM can be blocked by SRP but I don't use it currently.
As you said I can have problems that's why I prefer OSA over syshardener. But either SWH, OSA or syshardener I use I feel much more secure than with any AV suite.
It is a very strong setup, almost as strong as tweaked KIS with blocking executables unknown to KSN.
You should bear in mind that the attack can still be performed by JAR files via initial LNK, BAT, CMD, CHM infection vectors (there are more, but not so popular). Blocking file extension (like JAR) can be bypassed by using CmdLine contained in LNK, BAT, CMD, or CHM files (and some others).
 

Thales

Level 12
Nov 26, 2017
572
No problem with syshardener but I replaced it with SWH, FH, and SRP.
Also I made a copy of the previous setup in the first post.
I'm gonna stick to this setup for the rest of the year. I'm just gonna improve the settings.
Suggestions are welcome!

SWH (Simple Windows Hardening)
Default settings

Firewall Hardening
Added Recommended Rules
Added LOLBin rules

SRP is ON
Default
 

Andy Ful

Level 72
Verified
Trusted
Content Creator
Dec 23, 2014
6,125
No problem with syshardener but I replaced it with SWH, FH, and SRP.
Also I made a copy of the previous setup in the first post.
I'm gonna stick to this setup for the rest of the year. I'm just gonna improve the settings.
Suggestions are welcome!

SWH (Simple Windows Hardening)
Default settings

Firewall Hardening
Added Recommended Rules
Added LOLBin rules

SRP is ON
Default
When using SWH and FH you should look from time to time into the Logs created by them.
I can advise you to use FH with empty BlockList (no rules at all) for some time (Logging feature set to ON). The FH Log contains any outbound connection blocked by Windows Firewall. Many such events are not related to FH. By using FH without active rules you can easily identify what is blocked by Windows Firewall due to system settings and other applications. You can save this Log and compare it later with the Log created after enabling FH rules.

Post edited - added info about using FH without active rules
 
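The baselining routine Andy Ful describes above (run with no active FH rules, save the log, then compare it with the log produced once rules are on) and JoyousBudweiser's earlier reminder to check ports 53 and 5353, as an added example that is not code from the thread or from the FH/SWH tools. It assumes the Windows Defender Firewall's own pfirewall.log W3C format rather than FH's log, and the sample log lines are constructed.

```python
# Added example: diff a "no FH rules" firewall log against a "rules enabled"
# log so only the drops caused by the new rules stand out, and list allowed
# outbound traffic to 53/5353, i.e. DNS that is not going over HTTPS.
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    action: str      # ALLOW or DROP
    proto: str
    dst_ip: str
    dst_port: int
    direction: str   # SEND (outbound) or RECEIVE (inbound)


def parse_firewall_log(text):
    """Parse a pfirewall.log body (W3C format) into distinct entries."""
    fields, entries = None, set()
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]        # column names follow the header
        elif line and not line.startswith("#") and fields:
            c = dict(zip(fields, line.split()))
            entries.add(Entry(c["action"], c["protocol"], c["dst-ip"],
                              int(c["dst-port"]), c["path"]))
    return entries


def new_drops(baseline, with_rules):
    """Outbound DROPs present only after FH rules were enabled."""
    before = {e for e in parse_firewall_log(baseline) if e.action == "DROP"}
    after = {e for e in parse_firewall_log(with_rules) if e.action == "DROP"}
    return {e for e in after - before if e.direction == "SEND"}


def plaintext_dns(log):
    """Allowed outbound connections to the plain DNS / mDNS ports."""
    return {e for e in parse_firewall_log(log)
            if e.action == "ALLOW" and e.direction == "SEND"
            and e.dst_port in (53, 5353)}


# Constructed sample logs (documentation IP ranges, not real endpoints).
HEADER = ("#Software: Microsoft Windows Firewall\n#Fields: date time action protocol "
          "src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin "
          "icmptype icmpcode info path\n")
BASELINE = HEADER + """2021-06-20 10:00:01 DROP UDP 192.168.1.10 192.168.1.255 137 137 78 - - - - - - - SEND
2021-06-20 10:00:05 ALLOW TCP 192.168.1.10 198.51.100.9 52311 443 0 - 0 0 0 - - - SEND
"""
WITH_RULES = HEADER + """2021-06-20 11:00:01 DROP UDP 192.168.1.10 192.168.1.255 137 137 78 - - - - - - - SEND
2021-06-20 11:00:03 DROP TCP 192.168.1.10 203.0.113.7 52390 443 0 - 0 0 0 - - - SEND
2021-06-20 11:00:04 ALLOW UDP 192.168.1.10 192.168.1.1 51000 53 64 - - - - - - - SEND
"""
```

The NetBIOS broadcast drop appears in both logs, so it is attributed to system settings and filtered out; only the drop that first shows up with rules active is reported.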

Thales

Level 12
Nov 26, 2017
572
Out of curiosity, is there a special reason you chose CBC instead of XTS, and specifically CBC without the elephant diffuser?
I didn't. Just for the removable media. This is a misspelling :)
Anyway I just followed the recommendation because I'm not familiar with CBC and XTS.

Thales

Level 12
Nov 26, 2017
572
Removed Enpass (paid) and back to Keepass combined with Windows Hello. No problem with Enpass but I gave another try to Keepass (original) and I prefer the database style view that Keepass provides.
No browser extension because I don't need it and it also reduces the attack surface.
I rarely need to log in to websites because I don't delete cookies.

Currently no keyfile. Also I have plaintext backup (psw protected) saved to multiple locations.
It is not complicated.
 

ForgottenSeer 85179

Removed Enpass (paid) and back to Keepass combined with Windows Hello. No problem with Enpass but I gave another try to Keepass (original) and I prefer the database style view that Keepass provides.
No browser extension because I don't need it and it also reduces the attack surface.
I rarely need to log in to websites because I don't delete cookies.

Currently no keyfile. Also I have plaintext backup (psw protected) saved to multiple locations.
It is not complicated.
My KeePass setup runs with a key file stored in a UAC-protected folder, while the KeePass database is on OneDrive and Defender ransomware protection is enabled.

I also save non important data in Edge like for forums
 

Thales

Level 12
Nov 26, 2017
572
I wanted to go with my old setup which is OSA, SRP and no Antivirus but I decided to give WiseVector StopX a chance.
Installed the lovely OSA again.

System Hardener: OSA (see the rules above)
Antivirus: WiseVector StopX (see the changes above)
Web Protection: NextDNS (see the rules above)
Firewall: Windows Firewall (Recommended rules by Firewall Hardening)

Minor changes:
NextDNS: Enabled SafeSearch, expanded the allowlist