Gh0ster

How To: Windows 8.1 Security Hardening

Feb 10th, 2016
________.__ _______ __
/ _____/| |__ \ _ \ _______/ |_ ___________
/ \ ___| | \/ /_\ \ / ___/\ __\/ __ \_ __ \
\ \_\ \ Y \ \_/ \\___ \ | | \ ___/| | \/
\______ /___| /\_____ /____ > |__| \___ >__|
\/ \/ \/ \/ \/


/ DISCLAIMER: I personally do not use Windows, I wrote this guide to help #OpNewBlood,
#Anonymous and everyone who is concerned about their online privacy. If I am missing
anything, do not hesitate to contact me and I will gladly add it to this document.
I personally take no responsibility for what you or anyone else does with this information.
This tutorial took me a long time to complete but I believe that all information
deserves to be FREE. So feel free to reproduce, copy, save, or edit this document to
what you see fit.


Windows 8.1 Secure Installation and Security Hardening Guide:
=================================================================

Requirements:
- A computer.
- A brain.
- A Windows 8.1 .iso file with a serial key.
- Two 4GB USB drives and/or two 4GB DVDs.
- A backup hard drive for your important files.

So, let's begin!
=================================================================
[01] Preparations:

/ Go ahead and back up all your important files now on a separate USB drive or
external hard drive.

/ Put your Windows 8.1 .iso file onto a 4GB USB drive or a DVD.

/ Download the latest version of Ubuntu Linux from here: http://www.ubuntu.com/

/ After the Ubuntu .iso file is downloaded, completely disconnect from the
Internet/Bluetooth/NFC, etc. Plug in your USB drive.

/ Open up a command line [cmd.exe] and type the following, one command at a
time. The disk number comes from the "list disk" output; make sure you select
the USB drive and not your hard drive, because "clean" erases everything on
the selected disk:
>diskpart
>list disk
>select disk [Insert disk number]
>clean
>create partition primary
>select partition 1
>format fs=fat32
>active
>assign

/ Unpack the Ubuntu .iso file by highlighting all the files, right click,
click on properties and set the read-only flag to ENABLE.

/ Highlight all the .iso files again and copy/paste them onto the newly
prepared USB drive. After this is finished, rename the USB drive to something
like "Ubuntu_Linux" or something of that sort.

=================================================================
[02] Preparing DBAN Data Destruction:

/ Download DBAN: http://www.dban.org/download

/ Burn the DBAN .iso file onto a DVD or make a bootable USB drive by placing
all of the DBAN files onto the USB drive.

/ Restart the computer and press either ESC/DEL/F2/F10/F11/F12 to enter your BIOS.

/ Set the boot order option in your BIOS to boot from your USB drive or DVD
with the DBAN .iso.

/ If your BIOS is a UEFI BIOS, you will need to disable the "Secure Boot"
option.

/ Boot up DBAN.

/ Select the Department of Defense Standards Data Destruction option and allow
it to completely wipe your hard drive with 7 passes. This effectively and
irrecoverably wipes your hard drive to all "0"s.

/ WARNING!!: THIS WILL DESTROY ALL DATA ON THE DRIVE MAKING IT IRRECOVERABLE!
IT WILL ALSO TAKE 24+ HOURS TO COMPLETE DEPENDING ON DRIVE CAPACITY!! 1TB = ~26hrs.

=================================================================
[03] Preparing Hard Drive for Installation:

/ After DBAN is finished running, boot up the Ubuntu Live USB and open up a
program called "GParted".

/ Start GParted and select hda. Delete all partitions on your hard drive,
create a new NTFS partition, format it and click "Apply All Operations".

=================================================================
[04] Preparing Windows 8.1 For Installation:

/ Insert your USB drive with the Windows 8.1 .iso files on it. Unpack it to
the desktop.

/ Open up GParted again and select the USB drive, delete all partitions,
create the primary partition, format to FAT32 and click "Apply All
Operations".

/ Right click the partition and click "Manage Flags", enable the "Boot" flag
and click "Apply".

/ Copy the contents of the mounted Windows 8.1 .iso file onto the newly
created USB drive.

/ Now safely eject the USB drive from the computer.

=================================================================
[05] Gathering Software and Hardware Drivers:

/ While still on the Ubuntu Live OS, you are going to need to download all of
your hardware drivers. You can do this by looking up your specific hardware on
the manufacturer's website and downloading the newest up-to-date drivers. Place
these files on another means of storage, either on your external hard drive
where you kept your backup, or on another USB drive.

/ If your BIOS does not have an "Update" or a "Flashing" option, you most
likely have to download your up-to-date BIOS flashing kit right from your
motherboard manufacturer's website by looking up your motherboard or prebuilt
computer's serial number, usually located on the bottom of your computer or in
the manual for your hardware. Installing a new BIOS version will eliminate
well coded RATs and other malware such as a bootkit that can hide in the BIOS
ROM chip on your motherboard; these malicious programs can re-install
themselves every time you power up your computer. After the BIOS flashing kit
is downloaded, place these files on another means of storage, either on your
external hard drive where you kept your backup, or on another USB drive.

/ If you can flash your BIOS from the Ubuntu Live OS, do that now. If you
cannot, you are going to need to wait until after you install Windows 8.1.

/ Now go ahead and head over to your hardware manufacturer's website and
download all of your hardware drivers. You will need to install them in the
later steps.

/ Now we can start to gather the installers for the software you will be using
to harden your Windows 8.1 OS.

/ Download all of the following programs:
- MalwareBytes Offline Installer with up-to-date malware database.
  Download: https://www.malwarebytes.org/mwb-download/
  Description: A decent anti-malware program that offers daily malware database updates.
  Serial Key: MC3ZJ-D2NBW-ZF4PG-23784

- ClassicShell Start Menu.
  Download: http://www.classicshell.net/downloads/
  Description: Makes your Windows 8.1 skip the metro screen and replaces it
  with the good old Windows 7 start menu. Allows for full customization.

- Mozilla Firefox Offline Installer. [See below for installation guide].
  Download: https://www.mozilla.org/en-US/firefox/all/
  Description: Offers superior security and a far larger addon repo than any
  other mainstream browser. Allows for full customization.

- Microsoft Enhanced Mitigation Experience Toolkit [EMET].
  Download: https://www.microsoft.com/en-us/download/details.aspx?id=43714
  Description: EMET uses 12 specific mitigation techniques that seek to
  prevent exploits related to memory corruption, making it harder for
  attackers to find and exploit vulnerabilities, including:
  - Data execution prevention -> A security feature that helps prevent
    code in system memory from being used incorrectly.
  - Mandatory address space layout randomization -> A technology that makes
    it difficult for exploits to find specific addresses in a system's memory.
  - Structured exception handler overwrite protection -> A mitigation that
    blocks exploits that attempt to exploit stack overflows.
  - Export address table access filtering -> A technology that blocks an
    exploit's ability to find the location of a function.
  - Anti-Return Oriented Programming -> A mitigation technique that prevents
    hackers from bypassing DEP.
  - SSL/TLS certificate trust pinning -> A feature that helps detect
    man-in-the-middle attacks leveraging the public key infrastructure.

- Piriform CCleaner.
  Download: https://www.piriform.com/ccleaner/download
  Description: Stands for Crap Cleaner. It has the ability to securely
  destroy data, temporary files and unused registry keys.

- KeePass Password Database [Not necessary if you can remember long complex passwords].
  Download: http://keepass.info/
  Description: This software creates very long and randomly generated mixed
  ASCII characters and numbers. It also stores them in a nice layout for you.
  You can use these randomly generated passwords for all of the Anonymous
  accounts that you create.

- Software Update Monitor [SUMo].
  Download: http://www.kcsoftwares.com/?sumo
  Description: SUMo keeps your PC up-to-date and safe by using the most
  recent version of your favorite software. Unlike built-in auto
  update features, SUMo tells you if updates are available
  before you need to use your software.

- OpenDNS Crypt.
  Download: https://github.com/opendns/dnscrypt-win-client
  Description: DNSCrypt is a piece of lightweight software that everyone
  should use to boost online privacy and security. It works by
  encrypting all DNS traffic between the user and OpenDNS,
  preventing any spying, spoofing or man-in-the-middle attacks.

- Piriform Speccy.
  Download: https://www.piriform.com/speccy
  Description: Displays detailed information about your computer hardware
  and external devices. Comes in handy when trying to gather your system
  information.

- VeraCrypt.
  Download: https://veracrypt.codeplex.com/
  Description: VeraCrypt is encryption software, designed from the outdated
  TrueCrypt. It allows you to create hidden and encrypted volumes so you
  have full deniability if you get v& [Arrested] and/or get your computer
  seized.

/ Download all of the installers for the software that you plan on using now,
like audio players, video players, image viewers, photo and video editors,
etc. Make sure these installers are downloaded DIRECTLY from the software
manufacturer's website. DO NOT download from torrent sites, third-party sites,
YouTube, forums, etc.!

=================================================================
[06] BIOS Configuration:

/ Reboot the computer and press either ESC/DEL/F2/F10/F11/F12 to enter your
BIOS.

/ Place a password on your BIOS, as well as on your hard drive if you have the
option.

/ Enable the following options [If you have them]:
- Enable Secure Boot.
- Enable Fast Boot.
- Install Default Secure Boot keys.

/ Set the first boot option to the Windows 8.1 USB bootloader you created
earlier. Save changes and exit.

=================================================================
[07] Windows 8.1 Installation:

/ Boot up the Windows 8.1 USB bootloader. Set your timezone, language,
keyboard layout, etc.

/ When you get to the storage settings screen, you are going to want to click
on "Delete All Partitions". Then click "New", create the primary partition and
make it 128GB - 256GB depending on your storage capabilities [This is where
the Windows 8.1 OS will be installed].

/ Next, click on "New" and create the secondary partition with the rest of
the storage space, or on another hard drive depending on your computer
configuration.

/ Be sure to format each partition and/or hard drive at least 3 times in a
row. This is important for consistency.

/ Next, install the Windows 8.1 OS onto the 128GB-256GB partition you just
created.

/ Wait until your computer loads the Windows 8.1 installation. Then select
your language, timezone and currency format, and your keyboard input. Click
"Next" and then click "Install Now".

/ Now you are going to need to put in your Windows 8.1 serial key. If you do
not have a serial key, then you are going to need to find one online. There
are a lot of websites out there dedicated to the free release of Windows OS
serial keys. I would recommend https://www.serials.ws/. DON'T BE DUMB, DO NOT
DOWNLOAD ANYTHING. It should be a plain-text serial key.

/ Now create your administrator account. It's recommended that you do not name
it something such as your screen names, real name, aliases, admin, etc. Name
it something simple such as "Primary" or "SuperUser" or "Root". Next, give
your new account a STRONG password. At least 10 characters is recommended.

/ Disable ALL of the options that invade your privacy, which is pretty much
all of them. Make sure you enable the "Do Not Track" and the "Smart Screen
Filter" options.

/ After the Windows 8.1 OS is installed, completely disconnect from the
internet. Insert the USB drive or external hard drive where you stored all of
your software installers, hardware drivers and BIOS flashing kit. [If you
were able to flash your BIOS from the Ubuntu Live OS or directly from your
BIOS configuration, you may skip the next step].

/ If you could not flash your BIOS from the Ubuntu Live OS or directly from
your BIOS, do that now by running the BIOS flashing executable. After it is
installed, you are going to have to reboot your computer to the Ubuntu Live OS
again and wipe your hard drive again [Refer to step 03]. After this is
finished you are going to have to re-install Windows 8.1 and re-configure
everything again [Refer to step 07]. I know this is a huge pain, but doing
this will ensure that there is no malware hiding out on your BIOS ROM chip.

/ Install the .NET 4.0 and .NET 4.5 framework by pressing the Windows key + X,
clicking on "Command Prompt (Admin)" and running the following command
[Replace x: with the drive letter that your Windows 8.1 installation media is
assigned]:
DISM /Online /Enable-Feature /FeatureName:NetFx3 /All /LimitAccess /Source:x:\sources\sxs

/ Connect to the internet.

/ Next, press the Windows key, search "Update" and open "Windows Update".
You are going to want to do a FULL update, excluding anything to do with
Windows 10 [Because Windows 10 is basically government spyware]. Do not do
anything else on your computer, simply just allow the updates to download and
install, then reboot your computer.

/ Now you can go ahead and install all of your hardware drivers.

/ Update DirectX by downloading and running this package:
https://www.microsoft.com/en-us/download/details.aspx?id=17431

/ Open a command prompt with administrator privileges by pressing the Windows
key + X and clicking on "Command Prompt (Admin)" and run the following
command: SFC /SCANNOW. You should get a response back after it is finished
scanning that reads "File Integrity Check completed and no errors were found".

/ While still in the administrative command prompt, copy and paste all of the
following commands, or save them as a .bat file and run it from that prompt
[This will UNINSTALL everything to do with Microsoft's spy updates]:

@echo off

echo.

rem Step 1: uninstall the listed updates. wusa.exe prompts for each one and
rem "start /w" waits for it to finish before moving on to the next.
echo Step 1: Uninstalling updates...

echo Delete KB3075249 (telemetry for Win7/8.1)
start /w wusa.exe /uninstall /kb:3075249
echo Delete KB3080149 (telemetry for Win7/8.1)
start /w wusa.exe /uninstall /kb:3080149
echo Delete KB3021917 (telemetry for Win7)
start /w wusa.exe /uninstall /kb:3021917
echo Delete KB3022345 (telemetry)
start /w wusa.exe /uninstall /kb:3022345
echo Delete KB3068708 (telemetry)
start /w wusa.exe /uninstall /kb:3068708
echo Delete KB3044374 (Get Windows 10 for Win8.1)
start /w wusa.exe /uninstall /kb:3044374
echo Delete KB3035583 (Get Windows 10 for Win7sp1/8.1)
start /w wusa.exe /uninstall /kb:3035583
echo Delete KB2990214 (Get Windows 10 for Win7 without sp1)
start /w wusa.exe /uninstall /kb:2990214
echo Delete KB2990214 (Get Windows 10 for Win7)
start /w wusa.exe /uninstall /kb:2990214
echo Delete KB2952664 (Get Windows 10 assistant)
start /w wusa.exe /uninstall /kb:2952664
echo Delete KB3075853 (update for "Windows Update" on Win8.1/Server 2012R2)
start /w wusa.exe /uninstall /kb:3075853
echo Delete KB3065987 (update for "Windows Update" on Win7/Server 2008R2)
start /w wusa.exe /uninstall /kb:3065987
echo Delete KB3050265 (update for "Windows Update" on Win7)
start /w wusa.exe /uninstall /kb:3050265
echo Delete KB971033 (license validation)
start /w wusa.exe /uninstall /kb:971033
echo Delete KB2902907 (description not available)
start /w wusa.exe /uninstall /kb:2902907
echo Delete KB2976987 (description not available)
start /w wusa.exe /uninstall /kb:2976987

rem Step 2: persistent (-p, survives reboots) host routes that send the listed
rem addresses to gateway 0.0.0.0, so connections to them fail.
echo Step 2: Blocking Routes...

route -p add 23.218.212.69 MASK 255.255.255.255 0.0.0.0
route -p add 65.55.108.23 MASK 255.255.255.255 0.0.0.0
route -p add 65.39.117.230 MASK 255.255.255.255 0.0.0.0
route -p add 134.170.30.202 MASK 255.255.255.255 0.0.0.0
route -p add 137.116.81.24 MASK 255.255.255.255 0.0.0.0
route -p add 204.79.197.200 MASK 255.255.255.255 0.0.0.0

rem Step 3: disable the scheduled tasks that collect and upload usage data.
rem Each schtasks call must be on one line; the task path goes in quotes.
echo Step 3: Disabling tasks...

schtasks /Change /TN "\Microsoft\Windows\Application Experience\AitAgent" /DISABLE
schtasks /Change /TN "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /DISABLE
schtasks /Change /TN "\Microsoft\Windows\Application Experience\ProgramDataUpdater" /DISABLE
schtasks /Change /TN "\Microsoft\Windows\Autochk\Proxy" /DISABLE
schtasks /Change /TN "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /DISABLE
schtasks /Change /TN "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /DISABLE
schtasks /Change /TN "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /DISABLE
schtasks /Change /TN "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /DISABLE
schtasks /Change /TN "\Microsoft\Windows\Maintenance\WinSAT" /DISABLE
schtasks /Change /TN "\Microsoft\Windows\Media Center\ActivateWindowsSearch" /DISABLE
schtasks /Change /TN "\Microsoft\Windows\Media Center\ConfigureInternetTimeService" /DISABLE
schtasks /Change /TN "\Microsoft\Windows\Media Center\DispatchRecoveryTasks" /DISABLE
schtasks /Change /TN "\Microsoft\Windows\Media Center\ehDRMInit" /DISABLE
schtasks /Change /TN "\Microsoft\Windows\Media Center\InstallPlayReady" /DISABLE
schtasks /Change /TN "\Microsoft\Windows\Media Center\mcupdate" /DISABLE
schtasks /Change /TN "\Microsoft\Windows\Media Center\MediaCenterRecoveryTask" /DISABLE
schtasks /Change /TN "\Microsoft\Windows\Media Center\ObjectStoreRecoveryTask" /DISABLE
schtasks /Change /TN "\Microsoft\Windows\Media Center\OCURActivate" /DISABLE
schtasks /Change /TN "\Microsoft\Windows\Media Center\OCURDiscovery" /DISABLE
schtasks /Change /TN "\Microsoft\Windows\Media Center\PBDADiscovery" /DISABLE
schtasks /Change /TN "\Microsoft\Windows\Media Center\PBDADiscoveryW1" /DISABLE
schtasks /Change /TN "\Microsoft\Windows\Media Center\PBDADiscoveryW2" /DISABLE
schtasks /Change /TN "\Microsoft\Windows\Media Center\PvrRecoveryTask" /DISABLE
schtasks /Change /TN "\Microsoft\Windows\Media Center\PvrScheduleTask" /DISABLE
schtasks /Change /TN "\Microsoft\Windows\Media Center\RegisterSearch" /DISABLE
schtasks /Change /TN "\Microsoft\Windows\Media Center\ReindexSearchRoot" /DISABLE
schtasks /Change /TN "\Microsoft\Windows\Media Center\SqlLiteRecoveryTask" /DISABLE
schtasks /Change /TN "\Microsoft\Windows\Media Center\UpdateRecordPath" /DISABLE

rem Step 4: stop and remove the Diagnostics Tracking service, then stop the
rem Remote Registry service and keep it from starting again.
echo Step 4: Killing Diagtrack-service (if it still exists)...

sc stop Diagtrack
sc delete Diagtrack
echo Final Step: Stop remoteregistry-service (if it still exists)...
sc config remoteregistry start= disabled
sc stop remoteregistry

echo All done, go to reboot!

pause

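Before running the batch script above, and again after the reboot, it is worth knowing which of the items it touches are actually present on the machine. The following PowerShell audit is an added example and is not part of Gh0ster's guide: it lists, for every KB number, scheduled task and service named in the script, whether it is installed, enabled or running. It uses only cmdlets that ship with Windows 8.1 (Get-HotFix, Get-ScheduledTask, Get-Service, Get-CimInstance) and changes nothing; run it from an elevated PowerShell prompt.

```powershell
# Added example, not part of the original guide: audit the updates, tasks and
# services that the removal script targets. Read-only; run elevated.
# The KB numbers, task paths and service names are the ones the script lists.

$Kbs = @('KB3075249','KB3080149','KB3021917','KB3022345','KB3068708',
         'KB3044374','KB3035583','KB2990214','KB2952664','KB3075853',
         'KB3065987','KB3050265','KB971033','KB2902907','KB2976987')

$Tasks = @(
  '\Microsoft\Windows\Application Experience\AitAgent',
  '\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser',
  '\Microsoft\Windows\Application Experience\ProgramDataUpdater',
  '\Microsoft\Windows\Autochk\Proxy',
  '\Microsoft\Windows\Customer Experience Improvement Program\Consolidator',
  '\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask',
  '\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip',
  '\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector'
)

$Services = @('DiagTrack', 'RemoteRegistry')

"== Updates from the list =="
# Get-HotFix reports installed updates as HotFixID values such as KB3075249
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
foreach ($kb in $Kbs) {
    $state = if ($installed -contains $kb) { 'INSTALLED' } else { 'absent' }
    "{0,-10} {1}" -f $kb, $state
}

"`n== Scheduled tasks =="
foreach ($t in $Tasks) {
    $path = Split-Path $t -Parent   # e.g. \Microsoft\Windows\Autochk
    $name = Split-Path $t -Leaf     # e.g. Proxy
    # Get-ScheduledTask wants the folder with a trailing backslash
    $task = Get-ScheduledTask -TaskPath ($path + '\') -TaskName $name -ErrorAction SilentlyContinue
    $state = if ($task) { $task.State } else { 'not present' }
    "{0,-12} {1}" -f $state, $t
}

"`n== Services =="
foreach ($s in $Services) {
    $svc = Get-Service -Name $s -ErrorAction SilentlyContinue
    if ($svc) {
        # StartMode is Auto, Manual or Disabled; the script wants RemoteRegistry Disabled
        $start = (Get-CimInstance Win32_Service -Filter "Name='$s'").StartMode
        "{0,-15} {1,-8} start={2}" -f $s, $svc.Status, $start
    } else {
        "{0,-15} not present (deleted)" -f $s
    }
}
```

After the reboot every KB in the list should read "absent", the tasks "Disabled" (or "not present" on editions without Media Center), DiagTrack "not present" and RemoteRegistry "Stopped" with start=Disabled. Anything still showing INSTALLED or Running is an item the script did not manage to remove and needs a second look.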

/ Reboot your computer.

=================================================================
[08] Creating an Organized Software File System:

/ It is always a good idea to have a secure and organized file structure so
you can find files with ease.

/ Usually on a Windows OS, when you install new software on your computer, it
defaults to "C:\Program Files" or "C:\Program Files (x86)". You are going to
need to right click on both of these folders, click "Properties", click on the
"Security" tab, then click on "Edit". Now modify the permissions to "Read,
Write and Execute" ONLY for the Administrator or Super User account. For
normal users, the permissions should be only "Read and Execute".

/ Create a new folder called "Applications" under "C:\Program Files" and
"C:\Program Files (x86)".

/ Under the new "Applications" folders, create some sub-folders for your
software. Name them in an organized way like "Audio", "Graphics", "Internet",
"Tools", "Video", etc.

/ Now whenever you install new software, you may install it to these
directories. Whenever you install new software, be 100% sure that the software
is genuine and was downloaded directly from the manufacturer's website. NEVER
download anything from a third-party source like torrents, YouTube, IRC,
forums, etc.

=================================================================
[09] System Configuration:

/ Right click on your taskbar and then click "Properties". In the "Taskbar"
tab, disable the "Use peek to preview the desktop" option. Click on the
"Jump Lists" tab and set the "Number of recent items to display in Jump Lists"
option to 0. Now disable both the "Store recently opened programs" and "Store
and display recently opened items in Jump Lists" options.

/ Press the Windows key + X and click on "System", then click "Advanced
Settings". Click on the "Advanced" tab and then in the performance box, click
on "Settings". Click on the "Visual Effects" tab and enable the "Adjust for
best performance" option and enable ONLY the "Show thumbnails instead of
icons" option.

/ Next, click on the "Advanced" tab that is next to the "Visual Effects" tab,
under "Adjust for best performance", select the "Programs" option. Now under
the "Virtual Memory" box, click "Change" and disable the "Automatically manage
paging file size for all drives". Now click on your C:\ drive and enable the
"No paging file" option. Do this for all drive letters. Then click "Set" and
then click on "Yes", then click "OK" to close the popup window.

/ Click on the "Data Execution Prevention" tab and enable the "Turn on DEP for
all programs and services except those I select". Then click "OK" to return to
the "System Properties" window. Now click on the "System Protection" tab and
delete all restore points and turn off system protection. Now click on the
"Remote" tab and disable the "Allow Remote Assistance connections to this
computer" and enable the "Don't allow remote connections to this computer"
option. Click on the "Computer Name" tab and give your computer a name and
change your WORKGROUP to "YourComputerName-WORKGROUP".

/ Now go to your C:\ drive in your file explorer and create a new folder called
"Temporary". Now go back to the "System Properties" window and click on
"Environment Variables" and set both the TMP and TEMP variables to
"C:\Temporary" [You will have to do this for every user account that you create].
Go back to "C:\Temporary" and right click on this folder, set the permissions to
Read, Write and Execute ONLY for Administrators and Read and Execute for
normal users.

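The "C:\Temporary" step above (and the same style of permission edit the guide applies to the Program Files folders in step 08) can also be done from an elevated PowerShell prompt with icacls, which ships with Windows and prints the resulting ACL so you can confirm it. The script below is an added example, not part of Gh0ster's guide. It assumes the folder name C:\Temporary from the guide, that "Users" is the built-in group your normal accounts belong to, and it also grants SYSTEM full control, which the guide does not mention but which Windows services need when they use the folder.

```powershell
# Added example, not part of the original guide: create C:\Temporary, give it the
# permissions the guide asks for and point the current user's TMP/TEMP at it.
# Run elevated. Assumptions: folder name from the guide; "Users" is the group your
# standard accounts are in; SYSTEM is added so services can still write there.

$TempDir = 'C:\Temporary'

if (-not (Test-Path $TempDir)) {
    New-Item -ItemType Directory -Path $TempDir | Out-Null
}

# /inheritance:r  drop the ACEs inherited from C:\ so only the grants below apply
# /grant:r        replace any existing explicit grants for the named principals
# (OI)(CI)        entry is inherited by files and sub-folders created later
# F = full control (read, write, execute, change permissions); RX = read and execute
icacls $TempDir /inheritance:r /grant:r 'Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F' 'Users:(OI)(CI)RX'

# Point this account's TMP and TEMP at the folder. The guide says to repeat this for
# every user account; the new value is picked up by programs started afterwards.
[Environment]::SetEnvironmentVariable('TMP',  $TempDir, 'User')
[Environment]::SetEnvironmentVariable('TEMP', $TempDir, 'User')

# Show the final ACL: only the three entries above should be listed.
icacls $TempDir
```

The grants mirror what the guide specifies. Note that a standard user whose programs need to create temporary files will need an entry with modify rights ('Users:(OI)(CI)M') instead of RX, otherwise those programs fail with access denied when TEMP points here.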
/ Press the Windows key + R and type ncpa.cpl to open your network
connections. Right click on your network adapters and click on "Properties" and
disable all of the options except for IPv4 [And IPv6 if you use that].
Highlight the IPv4 option and click on "Properties", then click on "Advanced"
near the bottom of the popup window. Click on the "DNS" tab and disable the
"Register this connection's addresses in DNS" option. Click on the "WINS" tab and
disable the "Enable LMHOSTS lookup" option. Now under the NetBIOS box, enable the
"Disable NetBIOS over TCP/IP" option, then click "OK". Repeat this step on ALL
of your network adapters. This includes the Virtual TAP adapters that are
installed with any OpenVPN client.

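Because the step above has to be repeated on every adapter, including TAP adapters that appear later, it is easier to apply and verify from PowerShell. The script below is an added example, not part of Gh0ster's guide; it walks every adapter with TCP/IP bound and applies the same three settings (DNS registration, LMHOSTS lookup, NetBIOS over TCP/IP) using the DnsClient cmdlets and the Win32_NetworkAdapterConfiguration WMI class, both present on Windows 8.1. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not part of the original guide: apply the DNS/WINS/NetBIOS
# settings from the step above to every adapter at once, then print the result.
# Run elevated. Uses only built-in cmdlets and the standard WMI networking class.

# 1. "Register this connection's addresses in DNS" off, on every interface.
Get-DnsClient | Set-DnsClient -RegisterThisConnectionsAddress $false

# 2. "Enable LMHOSTS lookup" off. EnableWINS is a static method of the class, so one
#    call applies machine-wide; DNS-for-WINS resolution is switched off as well.
Invoke-CimMethod -ClassName Win32_NetworkAdapterConfiguration -MethodName EnableWINS `
    -Arguments @{ DNSEnabledForWINSResolution = $false; WINSEnableLMHostsLookup = $false } | Out-Null

# 3. "Disable NetBIOS over TCP/IP" on every adapter that has TCP/IP bound.
#    TcpipNetbiosOptions: 0 = setting from DHCP, 1 = enabled, 2 = disabled.
#    Return code 0 means applied, 1 means applied but a reboot is needed.
$configs = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
foreach ($cfg in $configs) {
    $r = Invoke-CimMethod -InputObject $cfg -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = 2 }
    "{0,-45} NetBIOS disable -> return code {1}" -f $cfg.Description, $r.ReturnValue
}

# 4. Read everything back so the change can be verified per adapter.
"`n== DNS registration per interface (should all be False) =="
Get-DnsClient | Select-Object InterfaceAlias, RegisterThisConnectionsAddress | Format-Table -AutoSize

"`n== NetBIOS / LMHOSTS per adapter (want TcpipNetbiosOptions 2, LMHosts False) =="
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Select-Object Description, TcpipNetbiosOptions, WINSEnableLMHostsLookup | Format-Table -AutoSize
```

Re-run the script after installing an OpenVPN client so the new TAP adapter gets the same settings; the read-back at the end is the check that nothing was missed.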
/ Press the Windows key + X and click on "Programs and Features" then click on
"Turn Windows features on or off" and disable the "Internet Explorer 10",
"Windows Identity Foundation", "Windows Location Provider" and "Windows
Process Activation Service" options. Now enable the "Telnet Client" option,
because chances are you are going to need it. Reboot your computer.

/ After your computer boots back up, open the Control Panel by pressing the
Windows key + X and clicking on "Control Panel". Click on "Display" and enable
the "ClearType Text" option. Go back to the Control Panel and click on "File
History" and disable ALL file history. Click on "Folder Options" and disable
the "Hide extensions for known file types" option.

/ Now click on "Internet Options" and configure the following settings:
- Click the "General" tab, click on "Settings", then click the "Temporary
  Internet Files" tab and set the "Check for newer versions of stored
  pages" to "Every time I visit the webpage". Now set the "Disk space to
  use" option to 8MB.
- Click on the "History" tab and set the "Days to keep pages in history" to 0.
- Go to the "Caches and Databases" tab and disable the "Allow website caches
  and databases" option. Press "OK".

/ Click on the "Security" tab and set the security level to "High". Do this
for all zones [Internet, Local Intranet, Trusted Sites and Restricted Sites].
Then click "Apply".

/ Go to the "Privacy" tab and click "Advanced" and enable the "Override
automatic cookie handling" option and set both the "First Party" and "Third
Party" cookies options to "Block". Now disable the "Always allow session
cookies" option. Click "OK". Then enable the "Turn on Pop-up Blocker" option,
then click on the "Settings" button and set the "Blocking Level" to "High:
Block all pop-ups (Ctrl+Alt to override)". Click "Close".

/ Now in the "Content" tab, click "Settings" next to AutoComplete, disable
both the "Forms" and "User names and passwords on forms" options and click on
the "Delete AutoComplete history" button, select all of the checkboxes and
click "Delete". Click "OK". Now, click on the second "Settings" button that's
next to Feeds. Disable the "Automatically check feeds for updates" and the
"Turn on feed reading view" options. Click "OK".

/ Enter the "Programs" tab and click on "Manage Add-ons" and disable ALL add-ons
under the "Add-ons that have been used by your browser" drop down menu. Now
go to the "Run without permission" option under the drop down menu and disable
ALL of the add-ons. Next, click on the "Downloaded controls" option and disable
ALL of the add-ons there, if you have any.

/ Next, click on the "Advanced" tab and DISABLE the "Allow active content from
CDs to run on My Computer", "Allow active content to run in files on My
Computer", "Allow software to run or install even if the signature is
invalid", "Enable DOM storage" and "Use SSL 2.0" options. Now you are going to
ENABLE the following options: "Block unsecured images with other mixed
content", "Do not save encrypted pages to disk", "Empty Temporary Internet
Files folder when browser is closed" and "Send Do Not Track request to sites
you visit in Internet Explorer". Click "Apply".

/ Now head back to the control panel and click on "Location Settings", disable
the "Turn on the Windows Location platform" and the "Help improve Microsoft
location services" options. Click "Apply".

/ If you are using a laptop, go back and click on "Power Options" and choose a
power plan that suits your needs. Then click "Choose what closing the lid
does", set "When I press the power button" to "Shut down". Now set "When I
press the sleep button" to "Do nothing". Now set the "When I close the lid"
option to "Shut down". Next, enable the "Require a password (Recommended)"
option, enable the "Turn on fast startup (Recommended)" and the "Lock"
options. Click "Save changes". MAKE SURE that both "Hibernation" and "Sleep"
modes are completely DISABLED. There is software that can extract your
BitLocker encryption key from your RAM. Always shut down your computer after
you are finished using it.

/ Click on "Windows Defender" and click on the "Update" icon. After that is
completed, click on the "Settings" tab and enable the "Turn on real-time
protection (Recommended)" option. Click on the "Advanced" option on the left
side of the window and enable the "Scan archive files", "Scan removable
drives" and "Remove quarantined files after: 1 day" options. Now click on "MAPS"
and enable the "I don't want to join MAPS" option. Now click "Save changes".

/ Press the Windows key and search "User Account Control" and change the
slider bar to "Always Notify", then click "OK".

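Most of section 09 is set through dialogs, which makes it easy to miss one or have a later installer quietly revert it. The PowerShell script below is an added example, not part of Gh0ster's guide: it reads back several of the settings this section asks for (UAC level, Remote Assistance and Remote Desktop, hibernation, file extensions, the DEP policy, and Windows Defender real-time protection and MAPS) from the standard registry locations, WMI and the Defender cmdlets, and prints OK or FAIL for each against the value the section wants. It changes nothing; run it from an elevated PowerShell prompt after the reboot.

```powershell
# Added example, not part of the original guide: verify settings from this section.
# Read-only; run elevated. Registry paths and value meanings are the standard
# Windows ones; the expected values are what this section asks for.

function Get-RegValue($Path, $Name) {
    # Returns $null when the key or the value does not exist
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Show-Check($Ok, $Label, $Found) {
    $status = if ($Ok) { '[ OK ]' } else { '[FAIL]' }
    "{0} {1}  (found: {2})" -f $status, $Label, $Found
}

$checks = @(
    @{ Name = 'UAC set to Always notify (ConsentPromptBehaviorAdmin = 2)'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Key  = 'ConsentPromptBehaviorAdmin'; Expect = 2 },
    @{ Name = 'UAC prompts on the secure desktop (PromptOnSecureDesktop = 1)'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Key  = 'PromptOnSecureDesktop'; Expect = 1 },
    @{ Name = 'Remote Assistance off (fAllowToGetHelp = 0)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance'
       Key  = 'fAllowToGetHelp'; Expect = 0 },
    @{ Name = 'Remote Desktop connections denied (fDenyTSConnections = 1)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
       Key  = 'fDenyTSConnections'; Expect = 1 },
    @{ Name = 'Hibernation off (HibernateEnabled = 0)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'
       Key  = 'HibernateEnabled'; Expect = 0 },
    @{ Name = 'File extensions shown for this user (HideFileExt = 0)'
       Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
       Key  = 'HideFileExt'; Expect = 0 }
)

foreach ($c in $checks) {
    $actual = Get-RegValue $c.Path $c.Key
    $ok = ($null -ne $actual) -and ([int]$actual -eq $c.Expect)
    $shown = if ($null -eq $actual) { 'not set' } else { $actual }
    Show-Check $ok $c.Name $shown
}

# DEP policy: 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (Windows default),
# 3 = OptOut, i.e. "Turn on DEP for all programs and services except those I select".
$dep = (Get-CimInstance Win32_OperatingSystem).DataExecutionPrevention_SupportPolicy
Show-Check ($dep -eq 3) 'DEP policy OptOut (DataExecutionPrevention_SupportPolicy = 3)' $dep

# Windows Defender: real-time protection on, MAPS reporting off (MAPSReporting 0).
$mp   = Get-MpComputerStatus -ErrorAction SilentlyContinue
$pref = Get-MpPreference -ErrorAction SilentlyContinue
if ($mp -and $pref) {
    Show-Check $mp.RealTimeProtectionEnabled 'Defender real-time protection on' $mp.RealTimeProtectionEnabled
    Show-Check ($pref.MAPSReporting -eq 0) 'Defender MAPS reporting off' $pref.MAPSReporting
} else {
    '[SKIP] Windows Defender cmdlets not available (another antivirus may have replaced it)'
}
```

One thing the read-back makes visible: fast startup is implemented on top of the hibernation file, so once hibernation is off, as this section requires, the "Turn on fast startup" option is no longer offered; a HibernateEnabled of 0 with the fast-startup box gone is the expected end state, not an error.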
  589. =================================================================
  590. [10] Software Installation and Configuration:
  591.  
  592. / Install the following software to the directories you created in the earlier
  593. steps and configure them.
  594. - Software: SUMo
  595. Configuration: Simply run the installer and install it.
  596.  
  597. - Software: Mozilla Firefox Offline Installer
  598. Configuration: Run the installer and install it. Now you can go ahead and
  599. configure your Firefox by following the below guide. Things marked with
  600. "**" are essential for security and privacy. [This version is condensed,
  601. you can read the full Firefox Security Hardening tutorial here:
  602. http://pastebin.com/fn7VHwhm]
  603.  
  604. / Extensions:
  605. -> **[NoScript]
  606. Download: https://addons.mozilla.org/en-us/firefox/addon/noscript/
  607. Features: Protects you from XSS and clickjacking attacks, also enables click
  608. to load Flash and Java.
  609.  
  610. -> **[HTTPS-Everywhere]
  611. Download: https://www.eff.org/https-everywhere
  612. Features: Forces HTTPS whenever possible.
  613.  
  614. -> **[AdBlock Edge]
  615. Download: https://addons.mozilla.org/en-US/firefox/addon/adblock-edge
  616. Features: Blocks intrusive and non-intrusive ads on all websites. It also does
  617. not have the "Acceptable Ads" feature.
  618.  
  619. -> **[Random Agent Spoofer]
  620. Download: https://addons.mozilla.org/en-US/firefox/addon/random-agent-spoofer
  621. Features: Provides many user agent spoofing options. Over 100 different
  622. browsers, has the option to send spoofed headers and much more.
  623.  
  624. -> **[RequestPolicy]
  625. Download: https://addons.mozilla.org/en-us/firefox/addon/requestpolicy/
  626. Features: Protects you against CSRF attacks and allows you to be in control of
  627. all cross-site requests.
  628.  
  629. -> **[Cookie Controller]
  630. Download: https://addons.mozilla.org/en-US/firefox/addon/cookie-controller/
  631. Features: Browse, manage and remove cookies from sites.
  632.  
  633. -> **[FoxyProxy Standard]
  634. Download: https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard
  635. Features: Advanced proxy management tool for Firefox, way better than the one
  636. included with Firefox.
  637.  
  638. -> **[Disconnect]
  639. Download: https://addons.mozilla.org/en-US/firefox/addon/disconnect
  640. Features: Stops tracking by about 2000 third party websites, makes loading
  641. pages about 27% faster.
  642.  
  643. -> **[Privacy Badger]
  644. Download: https://addons.mozilla.org/en-US/firefox/addon/privacy-badger-firefox
  645. Features: Protects privacy by blocking spying ads and invisible trackers.
  646.  
  647. -> **[Modify Headers]
  648. Download: https://addons.mozilla.org/En-us/firefox/addon/modify-headers
  649. Features: Add/Modify/Filter HTTP headers. Useful for mobile development, HTTP
  650. testing and privacy.
  651.  
  652. -> **[CryptoCat]
  653. Download: https://addons.mozilla.org/en-US/firefox/addon/cryptocat
  654. Features: Instant encrypted conversations, open source, private, safer
  655. communications. Uses the OTR encrypted messaging protocol.
  656.  
  657. / You can access these configurations by typing in "about:config" in the URL bar.
  658.  
  659. -> **Turn off Geo-location:
  660. geo.enabled => false
  661. geo.wifi.uri => 127.0.0.1
  662.  
  663. -> **Override the useragent to most common useragent [Not needed with UA Switcher]:
  664. New > string: general.useragent.override =>
  665. Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0
  666.  
  667. -> **Disable DNS prefetching:
  668. network.prefetch-next => false
  669. network.dns.disablePrefetch => true
  670. webgl.disabled => true
  671. devtools.cache.disabled => true
  672. browser.sessionstore.privacy_level => 2
  673.  
  674. -> **Disable referer headers:
  675. network.http.sendRefererHeader => 0
  676. network.http.sendSecureXSiteReferrer => false
  677. network.http.referer.XOriginPolicy => 1
  678. network.http.referer.spoofSource => true
  679. network.http.referer.trimmingPolicy => 2
  680.  
  681. -> **Enable HTTP pipelining regularly, on SSL pages, and on proxies, respectively:
  682. network.http.pipelining => true
  683. network.http.pipelining.ssl => true
  684. network.http.proxy.pipelining => true
  685. network.http.pipelining.maxrequests => 10
  686.  
  687. -> **Prevent child windows/tabs from spawning:
  688. dom.disable_window_open_feature.resizable => false
  689.  
  690. -> **Disable insecure RC4 encryption protocol:
  691. security.ssl3.ecdhe_ecdsa_rc4_128_sha => false
  692. security.ssl3.ecdhe_rsa_rc4_128_sha => false
  693. security.ssl3.rsa_rc4_128_md5 => false
  694. security.ssl3.rsa_rc4_128_sha => false
  695.  
  696. -> **Disable Firefox telemetry:
  697. toolkit.telemetry.enabled => false
  698.  
  699. -> **Allow cookies only from the originating server [Not needed with Cookie Manager]:
  700. network.cookie.cookieBehavior => 1
  701. network.cookie.lifetimePolicy => 2
  702.  
  703. -> **Reduce RAM usage for Firefox cache feature:
  704. browser.sessionhistory.max_total_viewers => 0
  705.  
  706. -> **Set a "do-not-track" header to tell sites not to track browsing habits:
  707. privacy.donottrackheader.enabled => true
  708. privacy.donottrackheader.value => 1
  709.  
  710. -> **Disable Google Blacklists and Safebrowsing:
  711. browser.safebrowsing.enabled => false
  712. browser.safebrowsing.malware.enabled => false
  713. browser.safebrowsing.appRepURL => blank
  714. browser.safebrowsing.downloads.enabled => false
  715. browser.safebrowsing.gethashURL => blank
  716. browser.safebrowsing.malware.reportURL => blank
  717. browser.safebrowsing.reportErrorURL => blank
  718. browser.safebrowsing.reportGenericURL => blank
  719. browser.safebrowsing.reportMalwareErrorURL => blank
  720. browser.safebrowsing.reportMalwareURL => blank
  721. browser.safebrowsing.reportPhishURL => blank
  722. browser.safebrowsing.reportURL => blank
  723. browser.safebrowsing.updateURL => blank
  724. services.sync.prefs.sync.browser.safebrowsing.enabled => false
  725. services.sync.prefs.sync.browser.safebrowsing.malware.enabled => false
  726.  
  727. -> **Disable pings:
  728. browser.send_pings => false
  729. browser.send_pings.require_same_host => true
  730.  
  731. -> **Disable Firefox health report:
  732. datareporting.healthreport.uploadEnabled => false
  733.  
  734. -> **Disable DOM storage:
  735. dom.storage.enabled => false
  736. dom.event.clipboardevents.enabled => false
  737.  
  738. -> **Disable suggestions on searchbar:
  739. browser.search.suggest.enabled => false
  740.  
  741. -> **Disable keywords:
  742. keyword.enabled => false
  743.  
  744. -> Disable certificates:
  745. browser.ssl_override_behavior => 2
  746.  
  747. -> **Disable DNS proxy bypass:
  748. network.proxy.socks_remote_dns => true
  749.  
  750. -> **Disable crash reporting:
  751. breakpad.reportURL => blank
  752. In application.ini in the Firefox folder,
  753. [Crash Reporter]Enabled=1 => [Crash Reporter]Enabled=0
  754.  
  755. -> **Disable caching on hard drive:
  756. browser.cache.disk.enable => false
  757. browser.cache.offline.enable => false
  758. browser.cache.disk.capacity => 0
  759. browser.cache.offline.capacity => 0
  760.  
  761. -> **Do not cache HTTP or HTTPS files:
  762. network.http.use-cache => false
  763.  
  764. -> **Disable navigator.sendBeacon:
  765. beacon.enabled => false
  766.  
  767. -> **Disable WebRTC:
  768. media.peerconnection.enabled => false
  769.  
  770.  
  771. - Software: Java.
  772. Configuration: Open your Control Panel by pressing the Windows key + X,
  773. then click on "Java Options", click on the "General Tab" and then click on
  774. "Settings" and disable the "Keep temporary files on my computer"
  775. option and then click on "Delete Files" then click "OK". Go to the
  776. "Security" tab and uncheck the "Enable Java content in the browser" check
  777. box. Click "Apply".
  778.  
  779. - Software: MalwareBytes Offline Installer with up-to-date Malware Database.
  780. Configuration: Run the installer and install the software. Once finished,
  781. open MalwareBytes and click on "My Account". Enter this serial key:
  782. MC3ZJ-D2NBW-ZF4PG-23784. Now you have the premium version for life! Next,
  783. click on the "Settings" tab and click on "Detection and Protection",
  784. enable the "Use Advanced Heuristics Engine [Shuriken]", "Scan for
  785. Rootkits" and "Scan within archives" options. Now select "Treat
  786. detections as malware" for both the "Potentially Unwanted Program
  787. [PUP]" and "Potentially Unwanted Modifications [PUM]" options. Next, click
  788. on "History Settings" and disable the "Help fight malware by anonymously
  789. providing historical information" option, also enable the "Don't export
  790. log information" option [Unless you want MalwareBytes to keep logs, it's
  791. up to your preference].
  792.  
  793. - Software: ClassicShell Start Menu.
  794. Configuration: Run the installer and install the software. Optionally, you
  795. can download different start buttons for further configurations from
  796. DeviantArt.com, here's a pack that I would recommend:
  797. http://w1ck3dmatt.deviantart.com/art/Mega-Orb-Pack-150-start-orbs-259940654
  798.  
  799. - Software: Piriform CCleaner.
  800. Configuration: Run the installer and install the software. When the
  801. install is finished, click the "Cleaner" button and check all of the check
  802. boxes under the "Windows" and "Applications" tabs. Next, click the
  803. "Registry" button and enable all of the check boxes. Now click on the
  804. "Options" button and click on "Settings". Check the "Automatically check
  805. for updates to CCleaner" option. Now, enable the "Secure file
  806. deletion [Slower]" and set the drop down menu to "Complex Overwrite [7
  807. passes]" and enable the "Wipe Alternate Data Streams", "Wipe Cluster
  808. Tips" and "Wipe MFT Free Space" options.
  809.  
  810. - Software: OpenDNS Crypt.
  811. Configuration: Run the installer and install the software. Then open the
  812. software and enable the "Enable OpenDNS", "Enable DNSCrypt" and "DNSCrypt
  813. over TCP / 443 [slower]" options. If everything is configured correctly
  814. then the DNSCrypt icon on the taskbar should be green.
  815.  
  816. / Install and configure all of your other software that you downloaded in the
  817. previous steps now.
  818.  
  819. - Software: Microsoft Enhanced Mitigation Experience Toolkit [EMET].
  820. Configuration: Set everything to "Always On" and reboot your computer.
  821. After your computer boots back up, open EMET and click on "Apps", then
  822. click "Add Applications". Now navigate to "C:\Program Files" directory
  823. and in the search box, type ".exe". Once all of the files have been
  824. found, press Ctrl + A to highlight everything and then click "Open".
  825. Now reboot your computer again if necessary.
  826.  
  827. =================================================================
  828. [11] Windows Firewall Configuration:
  829.  
  830. / When it comes to firewall configuration, it is always best practice to
  831. disable EVERYTHING and just poke holes in your firewall to allow basic and a
  832. few advanced functions. This is exactly what we will be doing.
  833.  
  834. / Press the Windows key and search "Windows Firewall" and open the "Windows
  835. Firewall with Advanced Security".
  836.  
  837. / Click on "Windows Firewall Properties" and set the "Domain Profile",
  838. "Private Profile" and "Public Profile" tabs to "On" and set the "Inbound
  839. connections" to "Block all incoming connections" and the "Outbound
  840. connections" to "Block". Click "Apply".
  841.  
  842. / Now click on the "Inbound Rules" table and press Ctrl + A to highlight all
  843. of the inbound rules and right click and click "Delete". Always keep the
  844. "Inbound Rules" section of your firewall empty; this will ensure that no
  845. connections are coming into your computer from the outside.
  846.  
  847. / Next, click on the "Outbound Rules" table and press Ctrl + A to highlight
  848. all of the rules, then right click and click "Disable All". Now you are going
  849. to enable the entries that are called "Core Networking" that deal with IPv4
  850. and IPv6 [If you use IPv6]. Also enable IPHTTPS and DHCP [If you are not using
  851. a static IP configuration]. Then delete all other rules.
  852.  
  853. / This part is going to take some time. You are going to need to manually
  854. configure ALL of your software that needs to connect to the Internet. Things
  855. like your Firefox, IRC client, etc. You can do this now by clicking on the
  856. "Outbound Rules" and clicking on the "New Rule" button, click "Program" then
  857. click "Next". Now click on "Browse" and navigate to the directories where your
  858. software is installed, it should be a ".exe" file. Click "Next", click on
  859. "Allow this connection", click "Next" again and name the rules in an organized
  860. way. Such as "Software->Internet->Firefox" or "Software->Security->DNSCrypt"
  861. and so on. You will need to do this for all software that needs internet
  862. connectivity.
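/ The whole firewall procedure in this section maps onto the NetSecurity cmdlets that ship with Windows 8 and later. The script below is an added example, not part of the original guide; the program paths in $allowedPrograms are assumptions for a default install and the Test-FirewallPosture function is an assumed name for the check at the end. Run it from an elevated PowerShell prompt; expect to lose connectivity for anything that has no allow rule yet, which is the intended default-deny state.

```powershell
# Added example: default-deny Windows Firewall with per-program outbound holes.

# 1. All three profiles on, default action Block in both directions.
#    AllowInboundRules False is the GUI's "Block all incoming connections".
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block -AllowInboundRules False

# 2. Empty the Inbound Rules table.
Get-NetFirewallRule -Direction Inbound | Remove-NetFirewallRule

# 3. Disable every outbound rule, re-enable only the Core Networking group
#    (IPv4/IPv6 basics, DHCP, IPHTTPS), then delete what is still disabled.
Get-NetFirewallRule -Direction Outbound | Disable-NetFirewallRule
Get-NetFirewallRule -Direction Outbound -DisplayGroup 'Core Networking' | Enable-NetFirewallRule
Get-NetFirewallRule -Direction Outbound -Enabled False | Remove-NetFirewallRule

# 4. One outbound allow rule per program, named the way the guide suggests.
function Add-OutboundAllowRule([string]$Name, [string]$Program) {
    if (-not (Test-Path -Path $Program)) { throw "program not found: $Program" }
    New-NetFirewallRule -DisplayName $Name -Direction Outbound -Action Allow `
        -Program $Program -Profile Any -Enabled True | Out-Null
}
$allowedPrograms = @{   # assumed install paths; adjust to your own directories
    'Software->Internet->Firefox'  = 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
    'Software->Security->DNSCrypt' = 'C:\Program Files (x86)\DNSCrypt\dnscrypt-proxy.exe'
}
foreach ($rule in $allowedPrograms.GetEnumerator()) {
    Add-OutboundAllowRule -Name $rule.Key -Program $rule.Value
}

# Assumed helper name: summarise the resulting posture for a quick sanity check.
function Test-FirewallPosture {
    $profiles = Get-NetFirewallProfile
    [pscustomobject]@{
        AllProfilesOn        = @($profiles | Where-Object { $_.Enabled -ne 'True' }).Count -eq 0
        InboundDefaultBlock  = @($profiles | Where-Object { $_.DefaultInboundAction -ne 'Block' }).Count -eq 0
        OutboundDefaultBlock = @($profiles | Where-Object { $_.DefaultOutboundAction -ne 'Block' }).Count -eq 0
        InboundRuleCount     = @(Get-NetFirewallRule -Direction Inbound).Count          # expect 0
        EnabledOutboundRules = @(Get-NetFirewallRule -Direction Outbound -Enabled True).Count
    }
}
Test-FirewallPosture
```

When a program later fails to reach the network, the blocked packet is logged only if you turn logging on per profile (Set-NetFirewallProfile -LogBlocked True); the log defaults to %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log, which is the place to look before adding another rule.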
  863.  
  864. =================================================================
  865. [12] VeraCrypt and BitLocker Hard Drive Encryption:
  866.  
  867. / First off, you are going to need to have VeraCrypt [TrueCrypt successor]
  868. installed on your machine. Do this now by running the installation package.
  869.  
  870. / Now reboot your computer and enter the BIOS. Then change your BIOS to Legacy
  871. Mode. Restart your computer and load up the VeraCrypt software.
  872.  
  873. / When VeraCrypt is open, click on the "System" drop down menu and click on
  874. "Encrypt System Partition/Drive". Enter a COMPLEX password, one that you will
  875. NOT forget! I would recommend at least 16 characters [Upper case, lower case,
  876. numbers and symbols]. Now just wait for the encryption process to
  877. complete. If you forget this password, you will not be able to turn your
  878. computer on. Reboot your computer and enter the BIOS again and change it back
  879. to UEFI BIOS. Reboot your computer.
  880.  
  881. / Press the Windows key and type "Group Policy" and open "Edit group policy".
  882. Now, navigate to "Computer Configuration" -> "Administrative Templates" ->
  883. "Windows Components" -> "BitLocker Drive Encryption". Now click on the "Choose
  884. drive encryption method and cipher strength". Change the "Select encryption
  885. method" drop down menu to "AES 256-bit" then click "OK".
  886.  
  887. / Next, you are going to need to determine if your computer has what is called
  888. a Trusted Platform Module chip, or a TPM chip. You can find this out by
  889. looking up your motherboard model number on the manufacturer's website and
  890. reading the specifications page. You can get your motherboard's model number
  891. using the Speccy software that you installed earlier.
  892.  
  893. / If you HAVE a TPM chip on your motherboard, you can enable BitLocker Drive
  894. Encryption by opening up your File Explorer and clicking "This PC", now rename
  895. your C:\ drive to something like "Windows_8.1", "Windows", "OS", etc. Right
  896. click on your C:\ drive and click "Turn On BitLocker". Now enter a VERY
  897. COMPLEX password. I would recommend at least 24 to 30 characters [Upper case,
  898. lower case, numbers and symbols]. Now save the encryption key to a USB drive
  899. and then securely DELETE it using CCleaner. Never forget this password as you
  900. will NOT be able to turn your computer on without it.
  901.  
  902. / If you DO NOT have a TPM chip you are going to need to open your "Group
  903. Policy Editor" again and navigate to "Computer Configuration" ->
  904. "Administrative Templates" -> "Windows Components" -> "BitLocker Drive
  905. Encryption" -> "Operating System Drives". Now double click on the "Require
  906. additional authentication at startup", then click "Enabled", also enable the
  907. "Allow BitLocker without a compatible TPM" option. Click "OK". Next, you can
  908. enable BitLocker Drive Encryption by opening up your File Explorer and
  909. clicking "This PC", now rename your C:\ drive to something like "Windows_8.1",
  910. "Windows", "OS", etc. Right click on your C:\ drive and click "Turn On
  911. BitLocker". Now enter a VERY COMPLEX password. I would recommend at least 24
  912. to 30 characters [Upper case, lower case, numbers and symbols]. Allow the
  913. encryption process to finish and save the encryption key to a USB drive and
  914. then securely DELETE it using CCleaner. Never forget this password as you will
  915. NOT be able to turn your computer on without it!
  916.  
  917. / Now right click on your second partition[s] and rename it to "Partition_2",
  918. "Data_Partition" or something of that sort. Now click on "Turn On BitLocker"
  919. and give it a password, make it the same password as your C:\ drive or
  920. something different if you wish. DO NOT forget this password!
  921.  
  922. / If your configurations are correct, you should now have to enter 4 passwords
  923. to turn on your computer [Hard drive password, BitLocker password, VeraCrypt
  924. password and your username and password]. Doing this will make your hard drive
  925. 100% secure and impossible for any government or person to decrypt your
  926. drives. :]
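/ Rather than looking up the motherboard on the manufacturer's site, Windows can tell you directly whether a TPM is present, whether the firmware booted in UEFI or legacy mode, and which BitLocker protectors each volume has. The script below is an added example, not part of the original guide; Get-DiskEncryptionReadiness and Enable-BitLockerWithoutTpmPolicy are assumed names. It needs an elevated prompt and an edition of Windows 8.1 that includes BitLocker (Pro or Enterprise). The second function writes the same registry values that the "Require additional authentication at startup" / "Allow BitLocker without a compatible TPM" Group Policy setting sets.

```powershell
# Added example: pre-flight and post-encryption checks for the BitLocker steps.

function Get-DiskEncryptionReadiness {
    # Get-Tpm throws when there is no TPM device/driver; treat that as "not present".
    $tpm = try { Get-Tpm } catch { $null }
    # Confirm-SecureBootUEFI only works on a UEFI boot; on legacy BIOS it throws.
    $uefiBoot = try { $null = Confirm-SecureBootUEFI; $true } catch { $false }
    # Policy values set by "Allow BitLocker without a compatible TPM".
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    # Per-volume status; the protector list shows whether a recovery password exists
    # BEFORE you delete the saved key file, as the guide tells you to.
    $volumes = try {
        Get-BitLockerVolume | ForEach-Object {
            [pscustomobject]@{
                Mount      = $_.MountPoint
                Status     = $_.VolumeStatus          # FullyEncrypted / FullyDecrypted / ...
                Protection = $_.ProtectionStatus      # On / Off
                Method     = $_.EncryptionMethod      # expect Aes256 after the policy change
                Protectors = ($_.KeyProtector | ForEach-Object KeyProtectorType) -join ','
            }
        }
    } catch { @() }

    [pscustomobject]@{
        TpmPresent     = [bool]($tpm -and $tpm.TpmPresent)
        TpmReady       = [bool]($tpm -and $tpm.TpmReady)
        UefiBoot       = $uefiBoot
        NoTpmPolicySet = ($fve.UseAdvancedStartup -eq 1 -and $fve.EnableBDEWithNoTPM -eq 1)
        Volumes        = $volumes
    }
}

# Only needed when TpmPresent is False: allow a password/startup key instead of a TPM.
function Enable-BitLockerWithoutTpmPolicy {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name UseAdvancedStartup -Value 1 -Type DWord
    Set-ItemProperty -Path $key -Name EnableBDEWithNoTPM -Value 1 -Type DWord
}

$state = Get-DiskEncryptionReadiness
$state | Format-List
if (-not $state.TpmPresent -and -not $state.NoTpmPolicySet) {
    Write-Host 'No TPM found and the no-TPM policy is not set; run Enable-BitLockerWithoutTpmPolicy first.'
}
```

Run the function once before turning BitLocker on (to decide between the TPM and no-TPM paths) and once after (to confirm Protection is On and the Method is Aes256 on every volume); manage-bde -status prints the same information from a plain command prompt.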
  927.  
  928. =================================================================
  929. [13] Local Security Policy Configuration:
  930.  
  931. / Press the Windows key and search for "Local Security Policies" and open it.
  932.  
  933. / Click on the "Action" menu at the top, then click on "Export Policies" and
  934. save a backup of the default policies. Now click on "Windows Firewall with
  935. Advanced Security" and make sure that all firewall profiles are set to "On"
  936. and that all inbound connections are set to "Block". Now make sure that the
  937. outgoing connections are set to "Outbound connections that do not match a rule
  938. are blocked".
  939.  
  940. / Click on the "Account Policies" table, then click "Password Policy". Now
  941. configure the following options:
  942. - Enforce password history -> 0 passwords remembered.
  943. - Maximum password age -> 42 days.
  944. - Minimum password age -> 0 days.
  945. - Minimum password length -> 0 characters.
  946. - Password must meet complexity requirements -> Disabled.
  947. - Store passwords using reversible encryption -> Disabled.
  948.  
  949. / Now click on "Account Lockout Policy" table and configure the following
  950. options:
  951. - Account lockout duration -> 10 minutes.
  952. - Account lockout threshold -> 3 invalid logon attempts.
  953. - Reset account lockout counter after -> 10 minutes.
  954.  
  955. / Click on the "Local Policies" table and click on "Audit Policy" and
  956. configure the following options:
  957. - Audit account logon events -> Success, Failure.
  958. - Audit account management -> Success, Failure.
  959. - Audit directory service access -> Success, Failure.
  960. - Audit logon events -> Success, Failure.
  961. - Audit object access -> Success, Failure.
  962. - Audit policy change -> Success, Failure.
  963. - Audit privilege use -> Success, Failure.
  964. - Audit process tracking -> Success, Failure.
  965. - Audit system events -> Success, Failure.
  966.  
  967. / Next, click on "User Rights Assignment" and configure the following options:
  968. - Access Credential Manager as a trusted caller -> Blank.
  969. - Access this computer from the network -> Administrators.
  970. - Act as part of the operating system -> Blank.
  971. - Add workstations to domain -> Blank.
  972. - Adjust memory quotas for a process -> LOCAL SERVICE, NETWORK SERVICE, Administrators.
  973. - Allow logon locally -> Administrators, Users.
  974. - Allow logon through Remote Desktop Services -> Blank.
  975. - Backup files and directories -> Administrators.
  976. - Bypass traverse checking -> Everyone, LOCAL SERVICE, NETWORK SERVICE,
  977. Administrators, Users, Backup Operators.
  978. - Change system time -> LOCAL SERVICE, Administrators.
  979. - Change the timezone -> LOCAL SERVICE, Administrators.
  980. - Create a pagefile -> Administrators.
  981. - Create a token object -> Blank.
  982. - Create global objects -> LOCAL SERVICE, NETWORK SERVICE, Administrators, SERVICE.
  983. - Create permanent shared objects -> Blank.
  984. - Create symbolic links -> Administrators.
  985. - Debug programs -> Administrators.
  986. - Deny access to this computer from the network -> Guest.
  987. - Deny logon as a batch job -> Everyone.
  988. - Deny logon as a service -> Everyone.
  989. - Deny logon locally -> Guest.
  990. - Deny logon through Remote Desktop Services -> Everyone.
  991. - Enable computer and user accounts to be trusted for delegation -> Blank.
  992. - Force shutdown from a remote system -> Blank.
  993. - Generate security audits -> LOCAL SERVICE, NETWORK SERVICE.
  994. - Impersonate a client after authentication -> LOCAL SERVICE, NETWORK SERVICE,
  995. Administrators, SERVICE.
  996. - Increase a process working set -> Users, Window Manager/Window Manager Group.
  997. - Increase scheduling priority -> Administrators.
  998. - Load and unload device drivers -> Administrators.
  999. - Lock pages in memory -> Blank.
  1000. - Logon as a batch job -> Blank.
  1001. - Logon as a service -> Blank.
  1002. - Manage auditing and security log -> Administrators.
  1003. - Modify an object label -> Blank.
  1004. - Modify firmware environment values -> Administrators.
  1005. - Perform volume maintenance tasks -> Administrators.
  1006. - Profile single process -> Administrators.
  1007. - Profile system performance -> Administrators, NT SERVICE/WdiServiceHost.
  1008. - Remove computer from docking station -> Administrators, Users.
  1009. - Replace a process level token -> LOCAL SERVICE, NETWORK SERVICE.
  1010. - Restore files and directories -> Administrators, Backup Operators.
  1011. - Shutdown the system -> Administrators, Users.
  1012. - Synchronize directory service data -> Blank.
  1013. - Take ownership of files or other objects -> Administrators.
  1014.  
  1015. / Click on the "Security Options" table and configure the following options:
  1016. - Accounts: Administrator account status -> Disabled.
  1017. - Accounts: Block Microsoft account -> Users can't add or logon with Microsoft account.
  1018. - Accounts: Guest account status -> Disabled.
  1019. - Accounts: Limit local account use of blank passwords to console logon only -> Enabled.
  1020. - Accounts: Rename administrator account -> Administrator.
  1021. - Accounts: Rename the guest account -> Guest.
  1022. - Audit: Audit the access of global system objects -> Enabled.
  1023. - Audit: Audit the use of Backup and Restore privilege -> Enabled.
  1024. - Audit: Force audit policy subcategory settings -> Not defined.
  1025. - Audit: Shut down system immediately if unable to log security audits -> Enabled.
  1026. - DCOM: Machine Access Restrictions in Security Descriptor Definition
  1027. Language [SDDL] syntax -> Not defined.
  1028. - DCOM: Machine Launch Restrictions in Security Descriptor Definition
  1029. Language [SDDL] syntax -> Not defined.
  1030. - Devices: Allow undock without having to logon -> Enabled.
  1031. - Devices: Allowed to format and eject removable media -> Administrators.
  1032. - Devices: Prevent users from installing printer drivers -> Enabled.
  1033. - Devices: Restrict CD-ROM access to locally logged-in user only -> Enabled.
  1034. - Devices: Restrict floppy access to locally logged-on user only -> Enabled.
  1035. - Domain controller: Allow server operators to schedule tasks -> Not defined.
  1036. - Domain controller: LDAP server signing requirements -> Not defined.
  1037. - Domain controller: Refuse machine account password changes -> Not defined.
  1038. - Domain controller: Digitally encrypt or sign secure channel data [always] -> Enabled.
  1039. - Domain controller: Digitally sign secure channel data [when possible] -> Enabled.
  1040. - Domain controller: Disable machine account password changes -> Disabled.
  1041. - Domain controller: Maximum machine account password age -> 30 days.
  1042. - Domain controller: Require strong [Windows 2000 or later] session key -> Enabled.
  1043. - Interactive logon: Display user information when the session is locked ->
  1044. Do not display user information.
  1045. - Interactive logon: Do not require CTRL+ALT+DEL -> Disabled.
  1046. - Interactive logon: Machine account lockout threshold -> 3 invalid logon attempts.
  1047. - Interactive logon: Machine inactivity limit -> 360 seconds.
  1048. - Interactive logon: Message text for users attempting to logon -> Blank.
  1049. - Interactive logon: Message title for users attempting to logon -> Blank.
  1050. - Interactive logon: Number of previous logons to cache -> 10 logons.
  1051. - Interactive logon: Prompt user to change password before expiration -> 5 days.
  1052. - Interactive logon: Require Domain Controller authentication to unlock workstation -> Disabled.
  1053. - Interactive logon: Require smart card -> Disabled.
  1054. - Interactive logon: Smart card removal behavior -> No Action.
  1055. - Microsoft network client: Digitally sign communications [always] -> Enabled.
  1056. - Microsoft network client: Digitally sign communications [if server agrees]
  1057. -> Enabled.
  1058. - Microsoft network client: Send unencrypted password to third-party SMB
  1059. servers -> Disabled.
  1060. - Microsoft network server: Amount of idle time required before suspending
  1061. session -> 5 minutes.
  1062. - Microsoft network server: Attempt S4U2Self to obtain claim information ->
  1063. Not defined.
  1064. - Microsoft network server: Digitally sign communications [always] ->
  1065. Enabled.
  1066. - Microsoft network server: Digitally sign communications [if client agrees]
  1067. -> Enabled.
  1068. - Microsoft network server: Disconnect clients when logon hours expire -> Enabled.
  1069. - Microsoft network server: Server SPN target name validation level -> Not defined.
  1070. - Network access: Allow anonymous SID/Name translation -> Disabled.
  1071. - Network access: Do not allow anonymous enumeration of SAM accounts -> Enabled.
  1072. - Network access: Do not allow anonymous enumeration of SAM accounts and
  1073. shares -> Enabled.
  1074. - Network access: Do not allow storage of passwords and credentials for
  1075. network authentication -> Enabled.
  1076. - Network access: Let Everyone permissions apply to anonymous users ->
  1077. Disabled.
  1078. - Network access: Named Pipes that can be accessed anonymously -> Blank.
  1079. - Network access: Remotely accessible registry paths -> Blank.
  1080. - Network access: Remotely accessible registry paths and sub-paths -> Blank.
  1081. - Network access: Restrict anonymous access to Named Pipes and Shares -> Enabled.
  1082. - Network access: Shares that can be accessed anonymously -> Not defined.
  1083. - Network access: Sharing and security model for local accounts -> Classic -
  1084. local users authenticate as themselves.
  1085. - Network security: Allow Local System to use computer identity for NTLM ->
  1086. Not defined.
  1087. - Network security: Allow LocalSystem NULL session fallback -> Not defined.
  1088. - Network security: Allow PKU2U authentication requests to this computer to
  1089. use online identities -> Not defined.
  1090. - Network security: Configure encryption types allowed for Kerberos -> Not
  1091. defined.
  1092. - Network security: Do not store LAN Manager hash value on next password
  1093. change -> Enabled.
  1094. - Network security: Force logoff when logon hours expire -> Disabled.
  1095. - Network security: LAN Manager authentication level -> Not defined.
  1096. - Network security: LDAP client signing requirements -> Negotiate signing.
  1097. - Network security: Minimum session security for NTLM SSP based clients ->
  1098. Require 128-bit encryption.
  1099. - Network security: Minimum session security for NTLM SSP based servers ->
  1100. Require 128-bit encryption.
  1101. - Network security: Restrict NTLM: Add remote server exceptions for NTLM
  1102. authentication -> Not defined.
  1103. - Network security: Restrict NTLM: Add server exceptions in this domain ->
  1104. Not defined.
  1105. - Network security: Restrict NTLM: Audit Incoming NTLM Traffic -> Enable
  1106. auditing for all accounts.
  1107. - Network security: Restrict NTLM: Audit NTLM authentication in this domain
  1108. -> Enable all.
  1109. - Network security: Restrict NTLM: Incoming NTLM traffic -> Deny all
  1110. accounts.
  1111. - Network security: Restrict NTLM: NTLM authentication in this domain -> Not
  1112. defined.
  1113. - Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers -> Deny all.
  1114. - Recovery console: Allow automatic administrative logon -> Disabled.
  1115. - Recovery console: Allow floppy copy and access to all drives and all
  1116. folders -> Disabled.
  1117. - Shutdown: Allow system to be shut down without having to log on -> Enabled.
  1118. - Shutdown: Clear all virtual memory pagefile -> Enabled.
  1119. - System cryptography: Force strong key protection for user keys stored on
  1120. the computer -> Not defined.
  1121. - System cryptography: Use FIPS compliant algorithms for encryption,
  1122. hashing, and signing -> Disabled.
  1123. - System objects: Require case insensitivity for non-Windows subsystems
  1124. -> Enabled.
  1125. - System objects: Strengthen default permissions of internal system objects
  1126. -> Enabled.
  1127. - System settings: Optional subsystems -> Posix.
  1128. - System settings: Use Certificate Rules on Windows Executables for Software
  1129. Restriction Policies -> Disabled.
  1130. - User Account Control: Admin Approval Mode for the Built-in Administrator
  1131. account -> Enabled.
  1132. - User Account Control: Allow UIAccess applications to prompt for elevation
  1133. without using the secure desktop -> Disabled.
  1134. - User Account Control: Behavior of the elevation prompt for administrators
  1135. in Admin Approval Mode -> Prompt for credentials.
  1136. - User Account Control: Behavior of the elevation prompt for standard users
  1137. -> Prompt for credentials.
  1138. - User Account Control: Detect application installations and prompt for
  1139. elevation -> Enabled.
  1140. - User Account Control: Only elevate executables that are signed and
  1141. validated -> Disabled.
  1142. - User Account Control: Only elevate UIAccess applications that are
  1143. installed in secure locations -> Enabled.
  1144. - User Account Control: Run all administrators in Admin Approval Mode ->
  1145. Enabled.
  1146. - User Account Control: Switch to the secure desktop when prompting for
  1147. elevation -> Enabled.
  1148. - User Account Control: Virtualize file and registry write failures to per-
  1149. user locations -> Enabled.
  1150.  
  1151. / Now, click on "Advanced Audit Policy Configuration" table and enable logging
  1152. of all the options by clicking on them and by setting ALL of the sub keys to
  1153. "Success and Failure". Do this for everything except the "Global Object Access
  1154. Auditing" table. Doing this will enable you to keep track of all login
  1155. attempts and failures, you can access these logs by pressing the Windows key
  1156. and searching "View Event Logs".
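/ The Local Security Policy snap-in is a front end for secedit templates, and the Advanced Audit Policy is a front end for auditpol, so this whole section can be backed up and applied from an elevated PowerShell prompt. The script below is an added example, not part of the original guide: it exports the current policy first (the "Export Policies" step), then applies a subset of the account lockout, user-rights and security-option values listed above from a secedit .inf template, and sets every audit subcategory to Success and Failure. Test-AuditPolicyComplete is an assumed helper name and assumes English auditpol output; the Guest SID is looked up locally rather than hard-coded because it differs on every machine.

```powershell
# Added example: Local Security Policy via secedit, audit policy via auditpol.
$work = Join-Path $env:TEMP 'lsp'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# 1. Backup of the current policy (restore later with secedit /configure /cfg backup.inf).
secedit /export /cfg "$work\backup.inf" /quiet

# The local Guest account SID (S-1-5-21-<machine>-501) for the "Deny ... -> Guest" rights.
$guestSid = (New-Object System.Security.Principal.NTAccount('Guest')).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value

# 2. Security template. [Registry Values] lines are path=type,value with 4 = REG_DWORD.
#    Only settings from the guide are included here.
$template = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[System Access]
MaximumPasswordAge = 42
MinimumPasswordAge = 0
MinimumPasswordLength = 0
PasswordComplexity = 0
ClearTextPassword = 0
LockoutBadCount = 3
LockoutDuration = 10
ResetLockoutCount = 10
EnableAdminAccount = 0
EnableGuestAccount = 0
[Privilege Rights]
SeRemoteInteractiveLogonRight =
SeDenyRemoteInteractiveLogonRight = *S-1-1-0
SeDenyNetworkLogonRight = *$guestSid
SeDenyInteractiveLogonRight = *$guestSid
SeTcbPrivilege =
SeCreateTokenPrivilege =
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec=4,536870912
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec=4,536870912
MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,1
MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters\RequireSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs=4,360
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin=4,3
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser=4,3
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop=4,1
"@
Set-Content -Path "$work\hardening.inf" -Value $template -Encoding Unicode
secedit /configure /db "$work\hardening.sdb" /cfg "$work\hardening.inf" /areas SECURITYPOLICY USER_RIGHTS /quiet

# 3. Advanced Audit Policy: every subcategory Success and Failure. Global Object
#    Access Auditing is a resource SACL, not an auditpol category, so it is untouched.
auditpol /set /category:* /success:enable /failure:enable | Out-Null

# Assumed helper: subcategory lines in auditpol /get output are indented two spaces.
function Test-AuditPolicyComplete {
    $subcats = auditpol /get /category:* | Where-Object { $_ -match '^\s{2}\S' }
    $partial = $subcats | Where-Object { $_ -notmatch 'Success and Failure\s*$' }
    @($partial).Count -eq 0
}
Test-AuditPolicyComplete   # True when every subcategory logs both outcomes
```

secedit writes its own log to %windir%\security\logs\scesrv.log, which is where to look if a line of the template is rejected; the resulting events appear in the Security log under "View Event Logs" as the guide says.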
  1157.  
  1158. =================================================================
  1159. [14] Local Services Policies Configuration:
  1160.  
  1161. / Press the Windows key and search "Local Services" and open "View Local
  1162. Services".
  1163.  
  1164. / This part will take a while...
  1165.  
  1166. / Configure the following options:
  1167. - ActiveX Installer [AxInstSV] -> Startup Type = Manual -> Log On As = Local
  1168. System.
  1169. - App Readiness -> Startup Type = Manual -> Log On As = Local System.
  1170. - Application Experience -> Startup Type = Manual [Trigger Start] -> Log On As = System.
  1171. - Application Information -> Startup Type = Manual [Trigger Start] -> Log On
  1172. As = Local Service.
  1173. - Application Layer Gateway Service -> Startup Type = Manual -> Log On As =
  1174. Local Service.
  1175. - Application Management -> Startup Type = Manual -> Log On As = Local
  1176. System.
  1177. - AppX Deployment Service [AppXSVC] -> Startup Type = Manual -> Log On As =
  1178. Local System.
  1179. - Background Intelligent Transfer Service -> Startup Type = Disabled -> Log On As = Local System.
  1180. - Background Tasks Infrastructure Service -> Startup Type = Automatic -> Log
  1181. On As = Local System.
  1182. - Base Filtering Engine -> Startup Type = Automatic -> Log On As = Local
  1183. Service.
  1184. - BitLocker Drive Encryption Service -> Startup Type = Manual[Trigger Start]
  1185. -> Log On As = Local System.
  1186. - Block Level Backup Engine Service -> Startup Type = Manual -> Log On As =
  1187. Local System.
  1188. - Bluetooth Support Service -> Startup Type = Disabled -> Log On As = Local
  1189. System.
  1190. - BranchCache -> Startup Type = Manual -> Log On As = Network Service.
  1191. - Certificate Propagation -> Startup Type = Manual -> Log On As = Local
  1192. System.
  1193. - CNG Key Isolation -> Startup Type = Manual -> Log On As = Local System.
  1194. - COM+ Event System -> Startup Type = Automatic -> Log On As = Local System.
  1195. - COM+ System Application -> Startup Type = Manual -> Log On As = Local
  1196. Service.
  1197. - Computer Browser -> Startup Type = Manual[Trigger Start] -> Log On As = Local System.
  1198. - Credential Manager -> Startup Type = Manual -> Log On As = Local System.
  1199. - Cryptographic Services -> Startup Type = Automatic -> Log On As = Network
  1200. Service.
  1201. - DCOM Server Process Launcher -> Startup Type = Automatic -> Log On As =
  1202. Local System.
  1203. - Device Association Service -> Startup Type = Manual[Trigger Start] -> Log
  1204. On As = Local System.
  1205. - Device Install Service -> Startup Type = Manual[Trigger Start] -> Log On
  1206. As = Local System.
  1207. - Device Setup Manager -> Startup Type = Manual[Trigger Start] -> Log On As = Local System.
  1208. - DHCP Client -> Startup Type = Automatic -> Log On As = Local Service.
  1209. - Diagnostic Policy Service -> Startup Type = Automatic -> Log On As = Local
  1210. Service.
  1211. - Diagnostic Service Host -> Startup Type = Manual -> Log On As = Local
  1212. Service.
  1213. - Diagnostic System Host -> Startup Type = Manual -> Log On As = Local
  1214. System.
  1215. - DirMngr -> Startup Type = Automatic -> Log On As = Local System.
  1216. - Distributed Link Tracking Client -> Startup Type = Automatic -> Log On As = Local System.
  1217. - Distributed Transaction Coordinator -> Startup Type = Manual -> Log On As =
  1218. Network Service.
  1219. - DNS Client -> Startup Type = Automatic[Trigger Start] -> Log On As =
  1220. Network Service.
  1221. - Encrypting File System [EFS] -> Startup Type = Manual[Trigger Start] ->
  1222. Log On As = Local System.
  1223. - Extensible Authentication Protocol -> Startup Type = Manual -> Log On As =
  1224. Local System.
  1225. - Family Safety -> Startup Type = Manual -> Log On As = Local Service.
  1226. - Fax -> Startup Type = Manual -> Log On As = Network Service.
  1227. - File History Service -> Startup Type = Disabled -> Log On As = Local
  1228. System.
  1229. - Function Discovery Provider Host -> Startup Type = Manual -> Log On As =
  1230. Local Service.
  1231. - Function Discovery Resource Publication -> Startup Type = Manual -> Log On
  1232. As = Local Service.
  1233. - Group Policy Client -> Startup Type = Automatic[Trigger Start] -> Log On As
  1234. = Local System.
  1235. - Health Key and Certificate Management -> Startup Type = Manual -> Log On
  1236. As = Local System.
  1237. - HomeGroup Listener -> Startup Type = Manual -> Log On As = Local System.
  1238. - HomeGroup Provider -> Startup Type = Manual[Trigger Start] -> Log On As =
  1239. Local System.
  1240. - Human Interface Device Service -> Startup Type = Manual[Trigger Start] ->
  1241. Log On As = Local System.
  1242. - Hyper-V Data Exchange Service -> Startup Type = Manual[Trigger Start] ->
  1243. Log On As = Local System.
  1244. - Hyper-V Guest Service Interface -> Startup Type = Manual[Trigger Start] ->
  1245. Log On As = Local System.
  1246. - Hyper-V Guest Shutdown Service -> Startup Type = Manual[Trigger Start] ->
  1247. Log On As = Local System.
  1248. - Hyper-V Heartbeat Service -> Startup Type = Manual[Trigger Start] -> Log
  1249. On As = Local System.
  1250. - Hyper-V Remote Desktop Virtualization Service -> Startup Type = Manual
  1251. [Trigger Start] -> Log On As = Local System.
  1252. - Hyper-V Time Synchronization Service -> Startup Type = Manual[Trigger Start]
  1253. -> Log On As = Local Service.
  1254. - Hyper-V Volume Shadow Copy Requester -> Startup Type = Disabled -> Log On
  1255. As = Local System.
  1256. - IKE and AuthIP IPSec Keying Modules -> Startup Type = Automatic[Trigger
  1257. Start] -> Log On As = Local System.
  1258. - Interactive Services Detection -> Startup Type = Manual -> Log On As =
  1259. Local System.
  1260. - Internet Connection Sharing [ICS] -> Startup Type = Disabled -> Log On As =
  1261. Local System.
  1262. - Internet Explorer ETW Collector Service -> Startup Type = Disabled -> Log
  1263. On As = Local System.
  1264. - IP Helper -> Startup Type = Automatic -> Log On As = Local System.
  1265. - IPSec Policy Agent -> Startup Type = Manual[Trigger Start] -> Log On As =
  1266. Network Service.
  1267. - Link-Layer Topology Discovery Mapper -> Startup Type = Manual -> Log On As
  1268. = Local Service.
  1269. - Local Session Manager -> Startup Type = Automatic -> Log On As = Local
  1270. System.
  1271. - Microsoft Account Sign-in Assistant -> Startup Type = Disabled -> Log On
  1272. As = Local System.
  1273. - Microsoft EMET Service -> Startup Type = Automatic -> Log On As = Local
  1274. System.
  1275. - Microsoft iSCSI Initiator Service -> Startup Type = Manual -> Log On As =
  1276. Local System.
  1277. - Microsoft Keyboard Filter -> Startup Type = Disabled -> Log On As = Local
  1278. System.
  1279. - Microsoft Software Shadow Copy Provider -> Startup Type = Manual -> Log On As
  1280. = Local System.
  1281. - Microsoft Storage Spaces SMP -> Startup Type = Manual -> Log On As =
  1282. Network Service.
  1283. - Mozilla Maintenance Service -> Startup Type = Manual -> Log On As = Local
  1284. System.
  1285. - Multimedia Class Scheduler -> Startup Type = Automatic -> Log On As =
  1286. Local System.
  1287. - Net.TCP Port Sharing Service -> Startup Type = Disabled -> Log On As =
  1288. Local Service.
  1289. - Netlogon -> Startup Type = Manual -> Log On As = Local System.
  1290. - Network Access Protection Agent -> Startup Type = Manual -> Log On As =
  1291. Network Service.
  1292. - Network Connected Devices Auto-Setup -> Startup Type = Manual[Trigger
  1293. Start] -> Log On As = Local Service.
  1294. - Network Connection Broker -> Startup Type = Manual[Trigger Start] -> Log
  1295. On As = Local System.
  1296. - Network Connections -> Startup Type = Manual -> Log On As = Local System.
  1297. - Network Connectivity Assistant -> Startup Type = Manual[Trigger Start] ->
  1298. Log On As = Local System.
  1299. - Network List Service -> Startup Type = Manual -> Log On As = Local
  1300. Service.
  1301. - Network Location Awareness -> Startup Type = Automatic -> Log On As =
  1302. Network Service.
  1303. - Network Store Interface Service -> Startup Type = Automatic -> Log On As =
  1304. Local Service.
  1305. - OpenDNSCrypt -> Startup Type = Automatic -> Log On As = Network Service.
  1306. - Peer Name Resolution Protocol -> Startup Type = Disabled -> Log On As =
  1307. Local Service.
  1308. - Peer Networking Grouping -> Startup Type = Disabled -> Log On As = Local
  1309. Service.
  1310. - Peer Networking Identity Manager -> Startup Type = Disabled -> Log On As =
  1311. Local Service.
  1312. - Plug and Play -> Startup Type = Manual -> Log On As = Local System.
  1313. - PNRP Machine Name Publication Service -> Startup Type = Disabled -> Log On As
  1314. = Local Service.
  1315. - Print Spooler -> Startup Type = Automatic -> Log On As = Local System.
  1316. - Printer Extensions and Notifications -> Startup Type = Manual -> Log On As = Local System.
  1317. - Problem Reports and Solutions Control Panel Support -> Startup Type =
  1318. Manual -> Log On As = Local System.
  1319. - Program Compatibility Assistant Service -> Startup Type = Automatic -> Log
  1320. On As = Local System.
  1321. - Remote Access Auto Connection Manager -> Startup Type = Disabled -> Log On
  1322. As = Local System.
  1323. - Remote Access Connection Manager -> Startup Type = Manual -> Log On As =
  1324. Local System.
  1325. - Remote Desktop Configuration -> Startup Type = Disabled -> Log On As =
  1326. Local System.
  1327. - Remote Desktop Services -> Startup Type = Disabled -> Log On As = Network
  1328. Service.
  1329. - Remote Desktop Services UserMode Port Redirector -> Startup Type =
  1330. Disabled -> Log On As = Local System.
  1331. - Remote Procedure Call [RPC] -> Startup Type = Disabled -> Log On As =
  1332. Network Service.
  1333. - Remote Procedure Call [RPC] Locator -> Startup Type = Disabled -> Log On
  1334. As = Network Service.
  1335. - Remote Registry -> Startup Type = Disabled -> Log On As = Local Service.
  1336. - Routing and Remote Access -> Startup Type = Disabled -> Log On As = Local
  1337. System.
  1338. - RPC Endpoint Mapper -> Startup Type = Automatic -> Log On As = Network
  1339. Service.
  1340. - Secondary Logon -> Startup Type = Manual -> Log On As = Local System.
  1341. - Secure Socket Tunneling Protocol Service -> Startup Type = Manual -> Log
  1342. On As = Local Service.
  1343. - Security Accounts Manager -> Startup Type = Automatic -> Log On As = Local
  1344. System.
  1345. - Security Center -> Startup Type = Automatic -> Log On As = Local Service.
  1346. - Server -> Startup Type = Disabled -> Log On As = Local System.
  1347. - Shell Hardware Detection -> Startup Type = Automatic -> Log On As = Local
  1348. System.
  1349. - Smart Card -> Startup Type = Disabled -> Log On As = Local Service.
  1350. - Smart Card Device Enumeration Service -> Startup Type = Disabled -> Log On
  1351. As = Local System.
  1352. - Smart Card Removal Policy -> Startup Type = Disabled -> Log On As = Local
  1353. System.
  1354. - SNMP Trap -> Startup Type = Manual -> Log On As = Local Service.
  1355. - Software Protection -> Startup Type = Automatic -> Log On As = Network
  1356. Service.
  1357. - SSDP Discovery -> Startup Type = Disabled -> Log On As = Local Service.
  1358. - Storage Service -> Startup Type = Manual[Trigger Start] -> Log On As =
  1359. Local System.
  1360. - System Event Notification Service -> Startup Type = Automatic -> Log On As
  1361. = Local System.
  1362. - System Events Broker -> Startup Type = Automatic -> Log On As = Local
  1363. System.
  1364. - TCP/IP NetBIOS Helper -> Startup Type = Disabled -> Log On As = Local
  1365. Service.
  1366. - Te.Service -> Startup Type = Manual -> Log On As = Local System.
  1367. - Telephony -> Startup Type = Manual -> Log On As = Network Service.
  1368. - UPnP Device Host -> Startup Type = Disabled -> Log On As = Local Service.
  1369. - User Profile Service -> Startup Type = Automatic -> Log On As = Local
  1370. System.
  1371. - Virtual Disk -> Startup Type = Manual -> Log On As = Local System.
  1372. - Volume Shadow Copy -> Startup Type = Disabled -> Log On As = Local System.
  1373. - Windows Error Reporting Service -> Startup Type = Disabled -> Log On As =
  1374. Local System.
  1375. - Windows Remote Management [WS-Management] -> Startup Type = Disabled -> Log
  1376. On As = Network Service.
  1377. - Workstation -> Startup Type = Disabled -> Log On As = Network Service.
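
Working through that list by hand in services.msc is slow and easy to get wrong, and nothing tells you later when an installer or update has quietly switched a service back on. The script below is an added example (ours, not from the original guide or from Microsoft): it compares the live system against a desired-state table written in the same shape as the list above and reports drift, changing startup types only when -Apply is given. Services are looked up by display name as the Services console shows them, so no short service names are assumed; the one exception is RpcSs, the name behind "Remote Procedure Call (RPC)", which the script refuses to disable because the Services console, Group Policy and nearly every other service depend on it. The "Log On As" account is reported but not changed (Set-Service cannot change it on this PowerShell version). The table is a subset; add the remaining entries in the same shape, using parentheses rather than the brackets the guide writes.

```powershell
# Added example, not from the original guide. Desired-state check for the
# services table, with an explicit dry run before anything is changed.

$DesiredServices = @(
    @{ Display = 'Remote Registry';                           Start = 'Disabled';  LogOn = 'Local Service'   }
    @{ Display = 'Remote Desktop Services';                   Start = 'Disabled';  LogOn = 'Network Service' }
    @{ Display = 'Windows Remote Management (WS-Management)'; Start = 'Disabled';  LogOn = 'Network Service' }
    @{ Display = 'SSDP Discovery';                            Start = 'Disabled';  LogOn = 'Local Service'   }
    @{ Display = 'UPnP Device Host';                          Start = 'Disabled';  LogOn = 'Local Service'   }
    @{ Display = 'Routing and Remote Access';                 Start = 'Disabled';  LogOn = 'Local System'    }
    @{ Display = 'Internet Connection Sharing (ICS)';         Start = 'Disabled';  LogOn = 'Local System'    }
    @{ Display = 'TCP/IP NetBIOS Helper';                     Start = 'Disabled';  LogOn = 'Local Service'   }
    @{ Display = 'Windows Error Reporting Service';           Start = 'Disabled';  LogOn = 'Local System'    }
    @{ Display = 'Secondary Logon';                           Start = 'Manual';    LogOn = 'Local System'    }
    @{ Display = 'Base Filtering Engine';                     Start = 'Automatic'; LogOn = 'Local Service'   }
    @{ Display = 'Security Center';                           Start = 'Automatic'; LogOn = 'Local Service'   }
)

# Win32_Service reports StartMode as Auto/Manual/Disabled and the account as
# StartName; map the guide's wording onto those values.
$StartModeMap = @{ Automatic = 'Auto'; Manual = 'Manual'; Disabled = 'Disabled' }
$LogOnMap     = @{ 'Local System'    = 'LocalSystem'
                   'Local Service'   = 'NT AUTHORITY\LocalService'
                   'Network Service' = 'NT AUTHORITY\NetworkService' }

function Get-ServiceDrift {
    param([array]$Desired, [switch]$Apply)
    $byDisplay = @{}
    Get-Service | ForEach-Object { $byDisplay[$_.DisplayName] = $_ }

    foreach ($d in $Desired) {
        $svc = $byDisplay[$d.Display]
        if (-not $svc) {
            # Third-party or optional services may simply not exist on this machine
            [pscustomobject]@{ Service = $d.Display; Name = '-'; StartMode = 'not installed'
                               Desired = $d.Start; LogOn = '-'; LogOnOk = $null; Action = 'skipped' }
            continue
        }
        $cim     = Get-CimInstance Win32_Service -Filter "Name='$($svc.Name)'"
        $startOk = $cim.StartMode -eq $StartModeMap[$d.Start]
        $action  = 'none'
        if (-not $startOk) {
            if ($svc.Name -eq 'RpcSs') {
                $action = 'refused: RPC must stay enabled'
            } elseif (-not $Apply) {
                $action = "would set $($d.Start) (re-run with -Apply)"
            } else {
                # Disabling a service with running dependents breaks them; surface that instead
                $running = @($svc.DependentServices | Where-Object Status -eq 'Running')
                if ($d.Start -eq 'Disabled' -and $running.Count -gt 0) {
                    $action = 'blocked: running dependents ' + (($running | ForEach-Object Name) -join ', ')
                } else {
                    Set-Service -Name $svc.Name -StartupType $d.Start
                    $action = "set $($d.Start)"
                }
            }
        }
        [pscustomobject]@{ Service = $d.Display; Name = $svc.Name; StartMode = $cim.StartMode
                           Desired = $d.Start; LogOn = $cim.StartName
                           LogOnOk = ($cim.StartName -eq $LogOnMap[$d.LogOn]); Action = $action }
    }
}

# Dry run first; apply only once the report looks right
Get-ServiceDrift -Desired $DesiredServices | Format-Table -AutoSize
# Get-ServiceDrift -Desired $DesiredServices -Apply | Format-Table -AutoSize
```

A LogOnOk of False on a built-in service is worth a closer look before you "fix" it: the accounts in the guide's list are the Windows defaults, so a service that now runs under a different account was changed by something, and you want to know what.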
  1378.  
  1379. =================================================================
  1380. [15] Local Group Policy Configuration:
  1381.  
  1382. / Press the Windows key and search "Group Policy" and click on "Edit group
  1383. policy".
  1384.  
  1385. / Next, navigate to the following tables and set them as follows:
  1386. - "Computer Configuration" -> "Administrative Templates" -> "Windows
  1387. Components" -> "ActiveX Installer Service" -> "Disabled".
  1388. - "Computer Configuration" -> "Administrative Templates" -> "System" ->
  1389. "Early Launch Antimalware" -> "Enabled".
  1390. - "Computer Configuration" -> "Administrative Templates" -> "Windows
  1391. Components" -> "Application Compatibility" -> "Turn off Application
  1392. Telemetry" -> "Enabled".
  1393. - "Computer Configuration" -> "Administrative Templates" -> "Windows
  1394. Components" -> "AutoPlay Policies" -> Change all settings to "Enabled".
  1395. - "Computer Configuration" -> "Administrative Templates" -> "Windows
  1396. Components" -> "Biometrics" -> Change all settings to "Disabled".
  1397. - "Computer Configuration" -> "Administrative Templates" -> "Windows
  1398. Components" -> "Credential User Interface" -> "Do not display the
  1399. password reveal button" -> "Enabled".
  1400. - "Computer Configuration" -> "Administrative Templates" -> "Windows
  1401. Components" -> "Desktop Gadgets" -> Change all settings to "Enabled".
  1402. - "Computer Configuration" -> "Administrative Templates" -> "Windows
  1403. Components" -> "Digital Locker" -> "Enabled".
  1404. - "Computer Configuration" -> "Administrative Templates" -> "Windows
  1405. Components" -> "Family Safety" -> "Disabled".
  1406. - "Computer Configuration" -> "Administrative Templates" -> "Windows
  1407. Components" -> "File Explorer" -> "Show sleep in the power options menu"
  1408. -> "Disabled".
  1409. - "Computer Configuration" -> "Administrative Templates" -> "Windows
  1410. Components" -> "File Explorer" -> "Show hibernate in the power options
  1411. menu" -> "Disabled".
  1412. - "Computer Configuration" -> "Administrative Templates" -> "Windows
  1413. Components" -> "File History" -> "Turn off File History" -> "Enabled".
  1414. - "Computer Configuration" -> "Administrative Templates" -> "Windows
  1415. Components" -> "Game Explorer" -> Change all settings to "Enabled".
  1416. - "Computer Configuration" -> "Administrative Templates" -> "Windows
  1417. Components" -> "HomeGroup" -> "Prevent the computer from joining a
  1418. homegroup" -> "Enabled".
  1419. - "Computer Configuration" -> "Administrative Templates" -> "Windows
  1420. Components" -> "Internet Explorer" -> Change all settings to "Disabled".
  1421. - "Computer Configuration" -> "Administrative Templates" -> "Windows
  1422. Components" -> "Location and Sensors" -> Change all settings to "Enabled".
  1423. - "Computer Configuration" -> "Administrative Templates" -> "Windows
  1424. Components" -> "NetMeeting" -> "Disable remote Desktop sharing" -> "Enabled".
  1425. - "Computer Configuration" -> "Administrative Templates" -> "Windows
  1426. Components" -> "OneDrive" -> "Save documents to OneDrive by default" ->
  1427. "Disabled".
  1428. - "Computer Configuration" -> "Administrative Templates" -> "Windows
  1429. Components" -> "OneDrive" -> "Prevent OneDrive files from syncing over
  1430. metered connections" -> "Enabled".
  1431. - "Computer Configuration" -> "Administrative Templates" -> "Windows
  1432. Components" -> "OneDrive" -> "Prevent the usage of OneDrive" -> "Enabled".
  1433. - "Computer Configuration" -> "Administrative Templates" -> "Windows
  1434. Components" -> "Online Assistance" -> "Turn off Active Help" -> "Enabled".
  1435. - "Computer Configuration" -> "Administrative Templates" -> "Windows
  1436. Components" -> "Remote Desktop Services" -> Change all settings to
  1437. "Disabled".
  1438. - "Computer Configuration" -> "Administrative Templates" -> "Windows
  1439. Components" -> "Shutdown Options" -> "Turn off legacy remote shutdown
  1440. interface" -> "Enabled".
  1441. - "Computer Configuration" -> "Administrative Templates" -> "Windows
  1442. Components" -> "Sync your settings" -> Change all settings to "Enabled".
  1443. - "Computer Configuration" -> "Administrative Templates" -> "Windows
  1444. Components" -> "Windows Customer Experience Improvement Program" ->
  1445. Change all settings to "Disabled".
  1446. - "Computer Configuration" -> "Administrative Templates" -> "Windows
  1447. Components" -> "Windows Remote Shell" -> "Allow Remote Shell Access" ->
  1448. "Disabled".
  1449. - "Computer Configuration" -> "Administrative Templates" -> "Windows
  1450. Components" -> "Windows Update" -> "Turn off the upgrade to the latest
  1451. version of Windows through Windows Update" -> "Enabled".
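
Each of these Administrative Template settings is stored as a registry value under a Policies key, which makes the state checkable without clicking through the editor again. The following is an added example (ours, not from the original guide or from Microsoft) that reads the values behind a subset of the settings above and reports which are not in the state the guide asks for. The key and value names are the ones these policies write on Windows 8.1 to our knowledge; if you extend the table, confirm each addition against the setting's Explain tab or an HTML report from gpresult /h. The check is read-only on purpose: make the changes in gpedit so they are also recorded in the local registry.pol and survive a policy refresh.

```powershell
# Added example, not from the original guide. Read-only audit of the registry
# values behind a subset of the listed Local Group Policy settings.

$PolicyChecks = @(
    @{ Setting = 'AutoPlay Policies: Turn off AutoPlay (all drives)'
       Key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoDriveTypeAutoRun'; Expected = 255 }
    @{ Setting = 'Credential User Interface: Do not display the password reveal button'
       Key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredUI'
       Name = 'DisablePasswordReveal'; Expected = 1 }
    @{ Setting = 'HomeGroup: Prevent the computer from joining a homegroup'
       Key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\HomeGroup'
       Name = 'DisableHomeGroup'; Expected = 1 }
    @{ Setting = 'Application Compatibility: Turn off Application Telemetry'
       Key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat'
       Name = 'AITEnable'; Expected = 0 }
    @{ Setting = 'Windows Customer Experience Improvement Program: Turn off CEIP'
       Key  = 'HKLM:\SOFTWARE\Policies\Microsoft\SQMClient\Windows'
       Name = 'CEIPEnable'; Expected = 0 }
    @{ Setting = 'Windows Remote Shell: Allow Remote Shell Access (Disabled)'
       Key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS'
       Name = 'AllowRemoteShellAccess'; Expected = 0 }
    @{ Setting = 'Remote Desktop Services: Allow users to connect remotely (Disabled)'
       Key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
       Name = 'fDenyTSConnections'; Expected = 1 }
    @{ Setting = 'File History: Turn off File History'
       Key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\FileHistory'
       Name = 'Disabled'; Expected = 1 }
)

function Test-PolicyState {
    param([array]$Checks)
    foreach ($c in $Checks) {
        # A missing key or value means the policy is "Not Configured", which for
        # every entry above is the insecure state.
        $item   = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
        $actual = if ($item) { $item.$($c.Name) } else { $null }
        [pscustomobject]@{
            Ok       = ($null -ne $actual -and [int]$actual -eq $c.Expected)
            Setting  = $c.Setting
            Expected = $c.Expected
            Actual   = $(if ($null -eq $actual) { 'not configured' } else { $actual })
        }
    }
}

$report = Test-PolicyState -Checks $PolicyChecks
$report | Format-Table Ok, Setting, Expected, Actual -AutoSize
"{0} of {1} checked settings match the guide." -f @($report | Where-Object Ok).Count, $report.Count
```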
  1452.  
  1453. =================================================================
  1454. [16] Router and/or Modem Configuration:
  1455.  
  1456. / This step is very important; you will need to determine if you are using a
  1457. wireless or wired router.
  1458.  
  1459. / You are going to have to download a fresh copy of the router's firmware
  1460. directly from the manufacturer's website and you are going to flash your router
  1461. and modem's firmware. Doing this will eliminate any backdoors/rootkits that
  1462. have possibly been installed on your router and/or modem.
  1463.  
  1464. / Next, you are going to need to access your router's configuration page and
  1465. start to configure your security settings. You should have all incoming ports
  1466. CLOSED and all outgoing ports CLOSED [Except for the ones you will be using,
  1467. 80, 443, 21 etc]. Enable WAN ping blocking, disable DMZ hosting and set your
  1468. firewall to the highest security settings. Disable anything else that may
  1469. present a security risk. You can also add blocklists to your router for
  1470. blocking ads and malware-serving hosts; this of course is optional.
  1471.  
  1472. / Do this for all of your other hardware [Firewalls, modems, switches, VOIP
  1473. systems, etc].
  1474.  
  1475. =================================================================
  1476. [17] VPNs:
  1477.  
  1478. / A Virtual Private Network [VPN] is a connection from your computer to
  1479. another network. Set up properly, they can be used by anyone to create a safer
  1480. connection to the internet and have the added benefit of disguising your true
  1481. location. It encrypts your internet connection, so you can surf the web
  1482. securely with no restrictions. It will allow you to visit websites that your
  1483. ISP or government has blocked. You can also change your IP whenever you please
  1484. by switching servers.
  1485.  
  1486. / When you are picking out a VPN provider, be sure to read the Terms of
  1487. Service [ToS] as well as the Privacy Policy [PP]. Make sure that the VPN
  1488. provider you choose does NOT keep ANY logs.
  1489.  
  1490. / NEVER use a "Free" VPN!! If you don't have to pay for a product, you are the
  1491. product being sold.
  1492.  
  1493. / First off, you are going to need to purchase TWO different VPN services from
  1494. TWO separate VPN providers. NEVER use your own or any of your
  1495. family's or friends' credit cards, because they can be traced back directly to you. It
  1496. is highly recommended that you buy a prepaid Mastercard [Or Visa, but it is
  1497. NOT recommended]. To do this you are going to need to get about $50-$100 in
  1498. cash and head into a highly populated store with a lot of foot traffic such as
  1499. Walmart, Target, 7-11, etc. Be sure to wear something you wouldn't normally wear
  1500. when buying this card and make sure your face is hidden from ALL cameras when
  1501. making this purchase. ALWAYS pay for this prepaid card with cash and cash
  1502. only. Using any other method of payment such as Interac will completely
  1503. compromise your identity.
  1504.  
  1505. / When you purchase the prepaid card, write down ALL of the information on the
  1506. card [Card number, CVV, Expiry date, etc] and then securely dispose of the card
  1507. [Either burn the card or cut it into 3-4 pieces and put each piece in separate
  1508. trash bins that are in separate locations].
  1509.  
  1510. / Now you are going to have to activate the prepaid card online. To do this
  1511. you are going to need to access the internet through TOR on your cellphone or
  1512. any other means by using a free public wifi hotspot. When activating the
  1513. prepaid card online, you are going to need a fake name and address. Go to
  1514. http://www.fakenamegenerator.com/ and use a random name and address [Remember
  1515. to write down the ZIP/Postal code you used, as you may need it in the future].
  1516. When you are on the VPN provider's website and you are creating your account,
  1517. use a throwaway email address that is with any email provider [Mail.com
  1518. usually works quite nicely]. Use http://www.fakenamegenerator.com/ again to
  1519. fill in random information for the throwaway and on the VPN provider's website.
  1520.  
  1521. =================================================================
  1522. [18] Testing Security Configurations:
  1523.  
  1524. / This step may seem redundant, but it is one of the most valuable. You are
  1525. now going to perform a small "Security Audit" of your system and network.
  1526.  
  1527. / Download the following software:
  1528. - Software: NMap
  1529. - Download: https://nmap.org/dist/nmap-7.01-setup.exe
  1530.  
  1531. - Software: Nessus Home
  1532. - Download: https://www.tenable.com/products/nessus-home
  1533. - Configuration: Enter FAKE details in the "Register for an Activation Code"
  1534. section of the Nessus website. Then just download and install. Make sure
  1535. that you allow ALL of the Nessus executables through your OUTBOUND
  1536. firewall.
  1537.  
  1538. - Software: WireShark
  1539. - Download: https://www.wireshark.org/download.html
  1540.  
  1541. - Software: TCPView
  1542. - Download: https://technet.microsoft.com/en-us/sysinternals/tcpview.aspx
  1543.  
  1544. / Now open a Command Prompt window with Administrator privilege, then type
  1545. this command: "nmap -vvv 192.168.0.1" [Remove the quotation marks and change
  1546. the IP address to your router's internal IP address]. If configured correctly,
  1547. NMap should not be able to detect any open ports.
  1548.  
  1549. / Next open Nessus Home and perform a vulnerability scan on the same internal
  1550. IP address that is assigned to your router. Again, Nessus should not detect any
  1551. open ports or vulnerabilities.
  1552.  
  1553. / Open Firefox and head over to these web application port scanners:
  1554. - Website: https://www.grc.com/x/ne.dll?bh0bkyd2
  1555. - Website: http://www.speedguide.net/scan.php
  1556.  
  1557. / Perform a port scan using BOTH of these web application port scanners. The
  1558. results for GRC should be "True Stealth" and the results for speedguide should
  1559. be no open ports.
  1560.  
  1561. / If you have detected any open ports, then you may need to go back to the
  1562. previous steps and re-configure these settings.
  1563.  
  1564. / Now open TCPView; this will show you if there are any suspicious packet
  1565. activities that are going through your network. If you find any, remove them
  1566. immediately. Now open WireShark and do the same thing: look for any unknown or
  1567. suspicious packet activity.
  1568.  
  1569. / Open up a Command Prompt window with Administrator privileges and type this
  1570. command: "netstat -nab" [Remove the quotation marks]. This command will show
  1571. you all inbound and outbound connections and details about them like
  1572. process, local ip:port, foreign ip:port, protocol and connection status.
  1573.  
  1574. / Open Firefox again and go to the following websites:
  1575. - Website: https://ipleak.net/
  1576. - Description: This website will show you what information is being passed
  1577. to the websites you visit. This includes your IP address, DNS addresses,
  1578. WebRTC, Geolocation, User Agent, System Information, Plugins, MIME
  1579. type, etc. If configured correctly, everything should be disabled
  1580. and/or spoofed. You should check this website EVERY TIME YOU GO ONLINE
  1581. for DNS leaks and to make sure that everything is secure before you login
  1582. to anything.
  1583.  
  1584. - Website: https://www.dnsleaktest.com/
  1585. - Description: This site will detect any DNS leaks from your network. If
  1586. configurations were done correctly, all of the DNS addresses should be
  1587. "OpenDNS, LLC".
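
The netstat -nab, TCPView and DNS leak checks above can be repeated locally as one script, which is handy for the "every time you go online" habit the guide recommends. The following is an added example (ours, not from the original guide or from any of the tools it lists): it produces the same picture as netstat -nab as PowerShell objects, every TCP listener and UDP endpoint with its owning process, flagged when it is bound on something other than loopback, plus the established connections TCPView would show and the DNS servers each interface is using. $ExpectedResolvers is our assumption for a machine set up the way the guide describes (a local DNSCrypt proxy on 127.0.0.1 or the OpenDNS resolvers); change it to match your own configuration. Run it elevated so that process paths for system services are readable.

```powershell
# Added example, not from the original guide. Local listener, connection and
# resolver inventory, the scriptable counterpart of netstat -nab and TCPView.

$ExpectedResolvers = @('127.0.0.1', '208.67.222.222', '208.67.220.220')   # assumption
$Loopback          = @('127.0.0.1', '::1')

function Get-ProcessTable {
    $procs = @{}
    Get-Process | ForEach-Object { $procs[$_.Id] = $_ }
    return $procs
}

function Get-ListeningEndpoints {
    $procs = Get-ProcessTable
    $tcp = Get-NetTCPConnection -State Listen | ForEach-Object {
        [pscustomobject]@{ Proto = 'TCP'; Address = $_.LocalAddress; Port = $_.LocalPort; Pid = $_.OwningProcess }
    }
    $udp = Get-NetUDPEndpoint | ForEach-Object {
        [pscustomobject]@{ Proto = 'UDP'; Address = $_.LocalAddress; Port = $_.LocalPort; Pid = $_.OwningProcess }
    }
    foreach ($ep in (@($tcp) + @($udp))) {
        $p = $procs[[int]$ep.Pid]          # OwningProcess is UInt32; hashtable keys are Int32
        $name = if ($p) { $p.ProcessName } else { "pid $($ep.Pid)" }
        $path = if ($p) { $p.Path } else { $null }
        [pscustomobject]@{
            Proto   = $ep.Proto
            Local   = "$($ep.Address):$($ep.Port)"
            Process = $name
            Path    = $path
            # 0.0.0.0 / :: means every interface, including the LAN side
            Exposed = ($ep.Address -notin $Loopback)
        }
    }
}

function Get-ActiveConnections {
    $procs = Get-ProcessTable
    Get-NetTCPConnection -State Established | ForEach-Object {
        $p = $procs[[int]$_.OwningProcess]
        $name = if ($p) { $p.ProcessName } else { "pid $($_.OwningProcess)" }
        [pscustomobject]@{
            Local   = "$($_.LocalAddress):$($_.LocalPort)"
            Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
            Process = $name
        }
    }
}

function Test-DnsServers {
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 } |
        ForEach-Object {
            $iface      = $_
            $unexpected = @($iface.ServerAddresses | Where-Object { $_ -notin $ExpectedResolvers })
            [pscustomobject]@{
                Interface = $iface.InterfaceAlias
                Servers   = ($iface.ServerAddresses -join ', ')
                Ok        = ($unexpected.Count -eq 0)
            }
        }
}

"Listeners reachable from the network (should be empty on a hardened workstation):"
Get-ListeningEndpoints | Where-Object Exposed | Sort-Object Proto, Local | Format-Table -AutoSize
"Established connections:"
Get-ActiveConnections | Format-Table -AutoSize
"DNS servers per interface:"
Test-DnsServers | Format-Table -AutoSize
```

An interface whose Ok column is False is exactly the condition dnsleaktest.com would report as a leak: queries are leaving through a resolver other than the one you configured, typically because a VPN client or DHCP pushed its own.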
  1588.  
  1589. =================================================================
  1590. [19] Peer Filtering:
  1591.  
  1592. / Peer filtering will automatically block certain IP ranges from accessing
  1593. your computer from the internet. These include: Advertisement companies,
  1594. Government and Federal agencies, Law Enforcement agencies, Educational
  1595. Institutions and Analytic Services and so on.
  1596.  
  1597. / Download this peer filtering software:
  1598. - Software: PeerBlock
  1599. - Download: http://www.peerblock.com/releases
  1600.  
  1601. / Now install PeerBlock and allow peerblock.exe through your firewall's
  1602. outgoing table. Now open PeerBlock and click on the "List Manager" button,
  1603. click "Add". Now open up Firefox and go to https://www.iblocklist.com/lists
  1604. for free blocklists. Copy and paste the "Update URL" into PeerBlock and there
  1605. you have it.
  1606.  
  1607. / There are many websites on the internet that offer free blocklists, you may
  1608. find them by doing a quick search on the internet. You can then load them into
  1609. PeerBlock as explained above.
  1610.  
  1611. =================================================================
  1612. [20] TOR, I2P and FreeNet Configuration:
  1613.  
  1614. / Download and configure the following software:
  1615. - Software: The Onion Router [TOR] Browser Bundle
  1616. - Download: https://www.torproject.org/projects/torbrowser.html.en
  1617. - Description: Tor is free software for enabling anonymous communication.
  1618. The name is an acronym derived from the original software project name,
  1619. The Onion Router. Tor directs Internet traffic through a free, worldwide, volunteer
  1620. network consisting of more than seven thousand relays to conceal a user's location
  1621. and usage from anyone conducting network surveillance or traffic analysis.
  1622. Optionally, you can download the TOR Expert bundle here:
  1623. https://www.torproject.org/download/download
  1624. - Configuration: Run the installer and allow TOR through your firewall.
  1625. You can now route your internet traffic through The Onion Router by binding your
  1626. applications to Socks5 host @ 127.0.0.1 on port 9050 through the application's
  1627. proxy settings.
  1628.  
  1629. - Software: I2P
  1630. - Download: https://geti2p.net/en/
  1631. - Description: I2P is an anonymous overlay network, a network within a network.
  1632. It is intended to protect communication from dragnet surveillance and monitoring
  1633. by third parties such as ISPs.
  1634. - Configuration: Run the installer and install the software. Open your firewall
  1635. and locate all of the executables in the I2P installation directory and allow them
  1636. all through the firewall's outgoing table. Now, allow the JavaSEBinary.exe through
  1637. the inbound table. Now open a Command Prompt with administrator privilege and type
  1638. the following command:
  1639. i2psvc -c wrapper.config
  1640. I2P should start and load everything, now open Firefox and type "http://127.0.0.1:7657" into
  1641. the URL bar to configure all of the additional options. You can now configure your
  1642. applications to use the I2P network by configuring the application's proxy settings to
  1643. Socks5 host @ 127.0.0.1 on port 4445.
  1644.  
  1645. - Software: FreeNet
  1646. - Download: https://freenetproject.org/download.html
  1647. - Description: Freenet is a platform for censorship-resistant communication and publishing.
  1648. It helps you to remain anonymous, and communicate without fear.
  1649. - Configuration: Run the installer and install the software. Now allow FreeNet.exe,
  1650. FreeNetWrapper.exe and FreeNetLauncher.exe through the outgoing table, then allow
  1651. JavaSEBinary.exe [This one was installed with FreeNet] through the outbound firewall table.
  1652. Open a Command Prompt with administrator privilege and run the following command: FreeNet.
  1653. FreeNet should start and load everything, now open Firefox and enter "http://127.0.0.1:8888"
  1654. into the URL bar and configure the FreeNet settings.
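
All three tools expose local ports (Tor SOCKS 9050, I2P SOCKS 4445, the I2P console on 7657 and the Freenet interface on 8888), and the failure mode worth catching is a proxy that ends up bound on 0.0.0.0 rather than 127.0.0.1, because that lets any other host on the LAN relay traffic through your Tor or I2P client. The following is an added example (ours, not from the original guide or from the Tor, I2P or Freenet projects) that checks whether each port is listening, whether it is bound to loopback only, and, for the SOCKS ports, whether the listener actually speaks SOCKS5: it sends the client greeting (version 5, one method offered, 0x00 = no authentication) and expects the two-byte method-selection reply 05 00 that a proxy accepting unauthenticated clients returns.

```powershell
# Added example, not from the original guide. Bind and SOCKS5 handshake check
# for the local anonymity-network ports the guide configures.

$ProxyPorts = @(
    @{ Name = 'Tor SOCKS';        Port = 9050; Socks = $true  }
    @{ Name = 'I2P SOCKS';        Port = 4445; Socks = $true  }
    @{ Name = 'I2P console';      Port = 7657; Socks = $false }
    @{ Name = 'Freenet (fproxy)'; Port = 8888; Socks = $false }
)
$Loopback = @('127.0.0.1', '::1')

function Test-Socks5Greeting {
    param([string]$ProxyHost = '127.0.0.1', [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($ProxyHost, $Port)
        $stream = $client.GetStream()
        $stream.ReadTimeout = 3000
        # Client greeting: VER=5, NMETHODS=1, METHODS=[0x00 no-auth]
        $stream.Write([byte[]](0x05, 0x01, 0x00), 0, 3)
        # Server reply: VER=5, METHOD=0x00 means "no authentication required"
        $reply = New-Object byte[] 2
        $n = $stream.Read($reply, 0, 2)
        return ($n -eq 2 -and $reply[0] -eq 5 -and $reply[1] -eq 0)
    } catch {
        # refused, timed out, or not a SOCKS server at all
        return $false
    } finally {
        $client.Close()
    }
}

function Get-ProxyPortStatus {
    foreach ($p in $ProxyPorts) {
        $listeners    = @(Get-NetTCPConnection -LocalPort $p.Port -State Listen -ErrorAction SilentlyContinue)
        $bound        = ($listeners | ForEach-Object LocalAddress) -join ', '
        $exposed      = @($listeners | Where-Object { $_.LocalAddress -notin $Loopback })
        $loopbackOnly = ($listeners.Count -gt 0) -and ($exposed.Count -eq 0)
        $socks        = if ($p.Socks) { Test-Socks5Greeting -Port $p.Port } else { 'n/a' }
        [pscustomobject]@{
            Name         = $p.Name
            Port         = $p.Port
            Listening    = ($listeners.Count -gt 0)
            BoundTo      = $bound
            LoopbackOnly = $loopbackOnly
            Socks5       = $socks
        }
    }
}

Get-ProxyPortStatus | Format-Table -AutoSize
```

If you only run the Tor Browser Bundle rather than the Expert bundle, its bundled tor listens on 9150 instead of 9050; change the table accordingly. A row with Listening True and LoopbackOnly False is the one to fix before going any further.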
  1655.  
  1656. =================================================================
  1657. [21] Secure Social Media Communications:
  1658.  
  1659. / You are going to download the following software to allow the secure communications
  1660. over mainstream social media sites, XMPP, IRC and other protocols.
  1661. - Software: Pidgin
  1662. - Download: https://pidgin.im/download/
  1663. - Configuration: Run the installer and install the software. Allow the pidgin.exe file
  1664. through your firewall's outgoing table.
  1665.  
  1666. - Software: Off The Record Plugin
  1667. - Download: https://otr.cypherpunks.ca/binaries/windows/pidgin-otr-4.0.1.zip
  1668. - Configuration: Run the installer and install the software. Now allow all of the OTR
  1669. executables through your firewalls outgoing table.
  1670.  
  1671. / Now open Pidgin and enable the OTR plugin. You may now add your accounts
  1672. into Pidgin. Now click on the "Tools" drop down menu and click "Preferences", then
  1673. click the "Proxy" tab and select "Tor/Privacy (SOCKS5)" from the proxy type drop down
  1674. menu. Now enter "127.0.0.1" in the "Host" field and change the port to "9050". Doing this will
  1675. ensure that you are not connected to your accounts unless your connection is bound and
  1676. anonymized through TOR.
  1677.  
  1678. / Optionally, you can install the Skype4Pidgin plugin [If you even use Skype] from here:
  1679. https://github.com/eionrobb/skype4pidgin
  1680.  
  1681. =================================================================
  1682. [22] Application Proxy Configuration:
  1683.  
  1684. / This step will show you how to add an extra layer of security while
  1685. using your applications and software. You can find large lists of proxies
  1686. by just doing a simple search. I would AVOID using HideMyAss.com because they
  1687. are known to give up user data to the feds.
  1688.  
  1689. / Once you have the proxy IPs, you can now locate the proxy settings that should
  1690. be within the settings page of your applications. You can now bind your software to
  1691. your already encrypted and secure connection [VPN, TOR and I2P], thus adding an extra
  1692. layer of security. Try to use different proxies for different applications to make sure
  1693. your connection is completely anonymized.
  1694.  
=================================================================
[23] Secure Virtualization Configuration:

/ In this step we will be securely installing a virtual machine [VM].
Download and install the following software:
- Software: VirtualBox
- Download: https://www.virtualbox.org/wiki/Downloads
- Configuration: Run the installer and install the software, be sure to allow
this software through your firewall.

/ Now open VeraCrypt and click the "Volumes" drop down menu, then click on
"Create New Volume". Select "Create an encrypted file container", click "Next".
Now select "Hidden VeraCrypt Volume" and click "Next", select "Normal Mode", click
"Next". Now click on the "Select File" button and locate a directory that is somewhat
hidden deep within your file system and name it something like "Test.txt" or "VM.txt".
Be sure to save this file as a .txt file and NOT .vc, because a .vc file makes it very
obvious that there is something hidden inside. Make sure that the "Never Save History"
check box is checked. Click "Next".

/ You should now be creating the "Outer Volume" of your hidden and encrypted container.
Click "Next". For the encryption algorithm, select "AES(Twofish(Serpent))" from the drop down
menu, then make sure that "SHA-512" is selected for the hash algorithm, then click "Next".
Now enter the size of the file you want in GB; I would recommend it be at least 15-25GB in
size. Click "Next". Now you should be prompted for the outer volume password. Make this password
whatever you want, just make sure that you remember it! On the next screen you will have to move
your cursor around for about 5 minutes; doing this for a long time will increase the strength of the
encryption. Next, click on "Format". You may now open your outer volume [it should be mounted as the
Z:\ drive] and place a few sensitive looking files that you DO NOT actually want to hide
[doing this will allow for full deniability if v& and forced to disclose your password;
if they demand a password, give them the one for the outer volume]. Click "Next".

/ Now you can create the hidden volume. Again, make sure that the encryption algorithm is set to
"AES(Twofish(Serpent))" and that "SHA-512" is selected for the hash algorithm, click "Next".
Now select the file size in GB, making it about 1-2GB smaller than the outer volume. Click "Next".
Set a password that is DIFFERENT from the one you used above! Make it as long and complex as possible
[add numbers, upper case, lower case and symbols]. The goal with this password is to make it 100%
uncrackable by any super computer; I would recommend 64+ characters in length. Click "Next".
Again, you are going to want to move your cursor as randomly as possible. This time do it for about
10 minutes or more, then click on "Format".

/ Open VeraCrypt and click the "Select File" button and locate the .txt file that you just created,
then select a drive letter and click "Mount" and enter your password for the HIDDEN container.

/ For this VM we will be using Ubuntu Linux. Click "New" and give your VM a name like "Ubuntu" or
something along those lines. Set the "Memory Size" [RAM] to whatever your computer can handle.
1GB = 1024MB, 2GB = 2048MB and 4GB = 4096MB and so on. Click "Create". Now for the "File Location"
you are going to navigate to the hidden volume that you created earlier. Set the "File Size" to 15-20GB
then click "Create". Next, boot up the new Ubuntu VM and navigate to where you saved the Ubuntu.iso file.
Allow the VM to boot up and you can then configure the Ubuntu VM with encryption, TOR, VPNs, proxies and
other security measures. I am not going to include an Ubuntu Linux security hardening guide here; you can
however find hundreds of tutorials and guides with a simple search.

/ You will need to open VeraCrypt and enter the password for the hidden container every time you want to
boot this Ubuntu Linux virtual machine. Make sure that you DISMOUNT this volume every time you step away
from your computer.

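The mount, VM creation and "step away" dismount steps above as one PowerShell script. This is an added example, not part of the original guide; it assumes VeraCrypt and VirtualBox are installed in their default Program Files folders, and the container path, ISO path, drive letter and VM name are placeholders you would change.

```powershell
# Added example, not from the original guide. All paths below are assumed placeholders.
$VeraCrypt  = "C:\Program Files\VeraCrypt\VeraCrypt.exe"
$VBoxManage = "C:\Program Files\Oracle\VirtualBox\VBoxManage.exe"
$Container  = "C:\Users\Public\Documents\VM.txt"   # the .txt-named VeraCrypt container
$Iso        = "C:\ISO\ubuntu.iso"                  # Ubuntu installer image
$Letter     = "Z"                                  # drive letter for the mounted hidden volume
$VmName     = "Ubuntu"

function Mount-HiddenVolume {
    # No /p switch: VeraCrypt prompts for the password, so the hidden-volume password never
    # lands in a script file or in the PowerShell history. Typing the hidden-volume password
    # (not the outer one) is what selects the hidden volume. /q closes the GUI afterwards.
    & $VeraCrypt /v $Container /l $Letter /q
    if (-not (Test-Path "${Letter}:\")) { throw "Volume not mounted, stopping." }
}

function New-UbuntuVm {
    # First-time setup: register the VM with its disk file inside the mounted hidden volume,
    # so the VM only exists while the volume is mounted. 2GB = 2048MB RAM, 20GB disk.
    $VmDir = "${Letter}:\$VmName"
    New-Item -ItemType Directory -Path $VmDir -Force | Out-Null
    & $VBoxManage createvm --name $VmName --ostype Ubuntu_64 --basefolder $VmDir --register
    & $VBoxManage modifyvm $VmName --memory 2048 --boot1 dvd --boot2 disk
    & $VBoxManage createmedium disk --filename "$VmDir\$VmName.vdi" --size 20480
    & $VBoxManage storagectl $VmName --name SATA --add sata --controller IntelAhci
    & $VBoxManage storageattach $VmName --storagectl SATA --port 0 --device 0 `
        --type hdd --medium "$VmDir\$VmName.vdi"
    & $VBoxManage storageattach $VmName --storagectl SATA --port 1 --device 0 `
        --type dvddrive --medium $Iso
}

function Stop-VmAndDismount {
    # The "step away" routine: ask the guest to shut down cleanly, wait until VirtualBox reports
    # it powered off (dismounting under a running VM would corrupt the disk file), then
    # dismount the volume and wipe cached passwords (/w).
    & $VBoxManage controlvm $VmName acpipowerbutton
    do {
        Start-Sleep -Seconds 2
        $state = (& $VBoxManage showvminfo $VmName --machinereadable) -match '^VMState='
    } until ($state -match 'poweroff')
    & $VeraCrypt /d $Letter /w /q
}

Mount-HiddenVolume
if (-not (Test-Path "${Letter}:\$VmName")) { New-UbuntuVm }
& $VBoxManage startvm $VmName
# Before leaving the computer, run: Stop-VmAndDismount
```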
=================================================================
[24] Anonymous Identities:

/ The first thing you should do is create a nickname that you will use as one of
your alter-egos. This one should ONLY be used for connecting to IRC Networks/Email/Facebook
Services and so forth. This screen name should be completely different from your Anonymous
screen name and should NEVER be related to one another and should always be separate.
One slip with these screen names could seal your fate in the corrupt federal prison system.

/ You are going to now create an Anonymous screen name. This will be your second alter-ego for
use with other things such as Email/Hacking/Chatting with other Anons and so on.

/ Create a back story that is believable to use alongside your Anonymous screen names,
preferably with supporting evidence [use a common name, a school in the city of your choosing,
choose a place in the same city where your fake alias works]. NEVER contaminate this back story
with real personal information.

/ When creating your Anonymous screen names, do so through TOR as well as a VPN layered on top.
This will guarantee that all account creation details remain anonymous and untraceable.

=================================================================
[25] Conclusion:

/ There you have it. If you followed all of the steps correctly, you should now have
a completely secure and encrypted installation of Windows 8.1, and you have installed and configured
all of the necessary security tools and applications to ensure that your internet connection is
encrypted. You have configured all of your software that needs internet connectivity through your strict
firewall settings and you have configured your software to specifically bind the connection
they use to connect to the internet through a VPN, TOR, as well as proxies. You have created
anonymous nicknames and identities. You may do things of questionable legality assuming you
take full responsibility and know what you're doing, and the feds will have an extremely hard time
finding you :]. Happy hacking #NewBloods!

/ This is one of my gifts to the internet, Anonymous and humanity itself. Also to the corrupt
governments of this world: You cannot arrest an idea.

=================================================================

.-.
( " )
/\_.' '._/\
| |
\ /
\ /`
.(__) /
`.__.' @Gh0sterSec