Advanced Security Thales' ROG Config 2022

Last updated: Sep 3, 2022
Use case: For personal use
Shared with: No one
Desktop OS: Windows 10
Windows OS SKU: Pro
Login Unlock:
    • Passwordless PIN or Biometrics
Sign-in with: Microsoft account
Primary user: Administrator rights - Full permissions that can perform harmful changes
OS updates: Automatic updates
Windows UAC: Always notify
Network firewall: ISP-issued router [Mod: deprecated - please choose another option]
Always-on protection:
  1. Defender (Manually configured via GPO) (Description in the first post!)
  2. Group Policy Settings (Description in the first post!)
  3. SRP (Description in the first post!)
Firewall: Microsoft Defender Firewall (Windows 11 & 10)
Custom RT/Firewall security: Description in the first post!
Malware testing: No malware samples
Periodic scanning: Eset Online Scanner
Secure DNS: Edge: NextDNS
VPN: Nope
Password manager: Keepass
Browsers and Extensions: Edge: NONE
Utilities for Maintenance: Wise Disk Cleaner Free (Auto clean-up daily)
Files & Photos backup: Google Drive, Dropbox, Box, MEGA: Sync by Goodsync
Files & Photos backup routine: Manual
Emergency recovery plan:
    EasUs ToDo backup.free.
    Encrypted with random password.
    Goodsync
Integrity of recovery plan:
Tasks performed:
    • Working from home
    • Browsing the web
    • Receiving, sending and opening email attachments
    • Buying goods from online stores, entering card details and addresses
    • Logging into personal banking to check statements and payments
    • Downloading software from reputable sites
    • Sharing and receiving files and torrents
    • PC games, mods and cloud-based gaming
    • Watching movies and TV series via subscriptions
Computer specs:
Feedback response: I am not satisfied. Critical feedback is greatly appreciated, to make drastic changes to my overall security / privacy and its settings.

Thales

Level 14
Thread author
Verified
Top poster
Well-known
Nov 26, 2017
653
> You are using the Free version. In my case, this program had problems restoring partitions. That's why I don't use it. But that was a few years ago. Maybe it's different now.
> How does it work now?

I barely remember but maybe it failed me one time only.
I'm not sure whether Easus to do backup or something else requires turning Bitlocker off before you can restore to an encrypted partition.
Free version allows me to encrypt the backup and it is fast.
 

Asterixpl

Level 10
Verified
Mar 19, 2022
473
> I barely remember but maybe it failed me one time only.
> I'm not sure whether Easus to do backup or something else requires turning Bitlocker off before you can restore to an encrypted partition.
> Free version allows me to encrypt the backup and it is fast.

And have you tried Macrium Reflect Free? It has saved my life more than once. It hasn't let me down yet and I have confidence in it.
 

Thales

> And have you tried Macrium Reflect Free? It has saved my life more than once. It hasn't let me down yet and I have confidence in it.

Yes, I have used it for a while.
The free version doesn't allow me to encrypt the backup.
Also I just discovered Paragon has backup and restore software (password protected AES 256) with Win PE option (which is standard nowadays) and if EasUs ToDo fails me again I'm gonna switch.
 

Guilhermesene

Level 7
Verified
Well-known
Jun 1, 2019
313
How does this issue of a random password protected backup work? If it is random, when you will restore the image is it necessary to enter this password? (Sorry for the questions maybe even silly, but I never got to use this option)

I have Macrium Reflect Home (paid) and I say that it is the best software I have bought besides KTS to date.
 

Thales

> How does this issue of a random password protected backup work? If it is random, when you will restore the image is it necessary to enter this password? (Sorry for the questions maybe even silly, but I never got to use this option)
>
> I have Macrium Reflect Home (paid) and I say that it is the best software I have bought besides KTS to date.

It works as a normal password protected file. When you make the backup you enter your chosen password which will protect your backup.
The restoring process works the same way. The program asks for your password before restoring your drive/files.
 

Thales

Changed my Bitlocker and SRP Settings. Here is the detailed list. :D
More changes are coming!

BitLocker Drive Encryption

Choose drive encryption method and cipher strength
    • Select the encryption method for operating system drives: XTS AES 256-bit
    • Select the encryption method for fixed data drives: XTS AES 256-bit
    • Select the encryption method for removable data drives: AES-CBC 256-bit
Disable new DMA devices when this computer is locked: Enabled
Prevent memory overwrite on restart: Disabled

Fixed Data Drives

Choose how BitLocker-protected removable drives can be recovered: Enabled
    • Allow data recovery agent
    • Allow 48-digit recovery password
    • Allow 256-bit recovery key
    • Omit recovery options from the BitLocker setup wizard
    • Save BitLocker recovery information to AD DS for operating system drives
    • Backup recovery passwords and key packages
    • Do not enable BitLocker until recovery information is stored to AD DS for operating system drives
Configure use of passwords for fixed data drives: Enabled
    • Allow password complexity
    • Minimum password length for fixed data drive: 14

Operating System Drives

Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN: Disabled
Allow Secure Boot for integrity validation: Enabled
Choose how BitLocker-protected operating system drives can be recovered: Enabled
    • Allow data recovery agent
    • Allow 48-digit recovery password
    • Allow 256-bit recovery key
    • Omit recovery options from the BitLocker setup wizard
    • Save BitLocker recovery information to AD DS for operating system drives
    • Store recovery passwords and key packages
    • Do not enable BitLocker until recovery information is stored to AD DS for operating system drives
Configure minimum PIN length for startup: Enabled
    • Minimum characters: 14
Configure use of passwords for operating system drives: Enabled
    • Allow password complexity
    • Minimum password length for operating system drive: 14
Disallow standard users from changing the PIN or password: Enabled
Require additional authentication at startup: Enabled
    • UNCHECKED Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)
    • Allow TPM
    • Allow startup PIN with TPM
    • Allow startup key with TPM
    • Allow startup key and PIN with TPM
Reset platform validation data after BitLocker recovery: Enabled

Removable Data Drives

Choose how BitLocker-protected removable drives can be recovered: Enabled
    • Allow data recovery agent
    • Allow 48-digit recovery password
    • Allow 256-bit recovery key
    • Omit recovery options from the BitLocker setup wizard
    • Save BitLocker recovery information to AD DS for operating system drives
    • Backup recovery passwords and key packages
    • Do not enable BitLocker until recovery information is stored to AD DS for operating system drives
Configure use of passwords for fixed data drives: Enabled
    • Allow password complexity
    • Minimum password length for fixed data drive: 14
Control use of BitLocker on removable drives: Enabled
    • Allow users to apply BitLocker protection on removable data drives
    • Allow users to suspend and decrypt BitLocker on removable data drives

SRP
DISALLOWED list
%localAppData%\*.exe
%localAppData%\*\*.exe
%localAppData%\Temp\*.zip\*.exe
%localAppData%\Temp\7z*\*.exe
%localAppData%\Temp\Rar*\*.exe
%localAppData%\Temp\wz*\*.exe
%Temp%\*\*.exe
%Temp%\*.exe
powershell_ise.exe
powershell.exe
 
Last edited by a moderator:
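
A check a reader could run against the BitLocker settings listed in the post above (an added example, not part of the original thread and not the poster's own script). It compares the values under the BitLocker policy registry key with the values the post describes, then lists what each volume actually uses, because the encryption-method policy has no effect on a drive that is already encrypted; the variable names and report layout are this example's own.

```powershell
# Run from an elevated PowerShell prompt.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Expected values mirror the settings listed in the post.
# Method codes: 4 = AES-CBC 256, 7 = XTS-AES 256. TPM options: 2 = allow.
$expected = [ordered]@{
    EncryptionMethodWithXtsOs   = 7    # operating system drives
    EncryptionMethodWithXtsFdv  = 7    # fixed data drives
    EncryptionMethodWithXtsRdv  = 4    # removable data drives
    DisableExternalDMAUnderLock = 1    # block new DMA devices while locked
    UseAdvancedStartup          = 1    # require additional authentication at startup
    EnableBDEWithNoTPM          = 0    # "without a compatible TPM" left unchecked
    UseTPM                      = 2
    UseTPMPIN                   = 2
    UseTPMKey                   = 2
    UseTPMKeyPIN                = 2
    MinimumPIN                  = 14
}

# 1) Has the policy actually been written to the registry?
$policy = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
$policyReport = foreach ($name in $expected.Keys) {
    $actual = if ($policy) { $policy.$name } else { $null }
    [pscustomobject]@{
        Setting  = $name
        Expected = $expected[$name]
        Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
        Match    = ($actual -eq $expected[$name])
    }
}
$policyReport | Format-Table -AutoSize

# 2) What do the volumes really use? A drive encrypted before the policy
#    change keeps its old method until it is decrypted and re-encrypted.
Get-BitLockerVolume | ForEach-Object {
    $types = $_.KeyProtector.KeyProtectorType
    [pscustomobject]@{
        MountPoint = $_.MountPoint
        VolumeType = $_.VolumeType
        Method     = $_.EncryptionMethod      # e.g. XtsAes256, Aes256
        Protection = $_.ProtectionStatus
        Protectors = ($types -join ', ')
        PreBootPin = [bool]($types -match 'Pin')
    }
} | Format-Table -AutoSize
```

An operating system volume that shows a method other than XtsAes256, or PreBootPin False, is not yet in the state the policy describes even when every registry row matches.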

Thales

I bought Norton 360 license again.
I've changed a few settings only.

Antivirus
Boot Time Protection - Normal
SONAR Advanced Mode - Aggressive

Firewall
Notifications - OFF

Administrative Settings
Performance Monitoring - OFF
 

Thales

> Why did you choose Norton? This is a question just out of curiosity 🙂

It took days. I was struggling between the big names. I checked the malware hub, price, reviews, especially reviews by @Shadowra (thank you for your work. ❤️)
The remaining two were GDATA and Norton. Same price but Norton gives me more control, it is cheap and I already know how it performs.
 

Guilhermesene

> It took days. I was struggling between the big names. I checked the malware hub, price, reviews, especially reviews by @Shadowra (thank you for your work. ❤️)
> The remaining two were GDATA and Norton. Same price but Norton gives me more control, it is cheap and I already know how it performs.

Thanks for the answer 🙂

Glad it was a well-thought-out choice, the most important thing is to use the product that you feel safest and that best fits your system.
 

Thales

Never gonna use Boxcryptor again. Back to Veracrypt.
I made a serious mistake. I uploaded my password database, backup codes, notes, recovery codes and everything without encryption.
Boxcryptor was password protected (local folder) and closed, so the files should have been encrypted but they weren't. I noticed the mistake shortly and I deleted everything from 3 clouds but you know "there is no cloud just someone else's computer". I've changed all important passwords, 2FA, recovery codes in the last hours and it is ok now.

My system works but I should have never switched from veracrypt. It was my mistake.
 

L0ckJaw

Level 19
Content Creator
Well-known
Feb 17, 2018
904
> I bought Norton 360 license again.
> I've changed a few settings only.
>
> Antivirus
> Boot Time Protection - Normal
> SONAR Advanced Mode - Aggressive
>
> Firewall
> Notifications - OFF
>
> Administrative Settings
> Performance Monitoring - OFF

Here are my Firewall settings:
[Attached image: 1653475834539.png]

I have boot time protection set to Aggressive (no slowdowns).
I use it in combination with Simple Windows Hardening (new version 2.0).
 

Thales

I've changed a lot of passwords.
Fixed my short passwords and raised them to 20+ characters.
Changed from passwords to passphrases. It is easier to type in if I have to.

I generated 60 ok-ish and 90 strong (200+ bit) passphrases with Keepass

Like this:
the9*Tykes0*Chimes*across7*from*That9*Fanfare
passtimes Might7 Sneak Abreast9 Of the9 bird
slits0 hack0 The6 Lip0

but if you don't have this option you can use this website.

 
Last edited:

Thales

New Windows

Main AV: Avast Free
Gpedit: Hardened Bitlocker
2nd Layer: OSA (mostly with default settings and more comfortable than gpedit)
Browser: NextDNS and one extension only
Password manager: KeepassXC (I still love it except the browser extension. It has improved but... meh)
Backup: EasUs ToDo and FreeFileSync
 

Thales

Sync: I bought GoodSync for 1 year. I really needed this and it is the cheapest and best alternative to Syncbackpro. I enjoy this fully automated sync :D
Browser: from Chrome to Edge (Chrome is good but whatever, Edge is also good)
Password Manager: also switched from KeepassXC to Keepass

A little recap: Avast is running fine. No bloat, no slowdowns. Rarely gives me pop-ups.
 
Last edited:

Thales

Switched back to WD. (I had no problem with Avast free. Recommended)

I made significant changes in GPO and provided detailed information in my first post.

Side note:
Edge settings in GPO are not applying. I found a lot of complaints about this, so it is not just me.
I don't know but probably whitelist is better than blacklist in SRP. :unsure:
 
Last edited: