Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- ________.__ _______ __
- / _____/| |__ \ _ \ _______/ |_ ___________
- / \ ___| | \/ /_\ \ / ___/\ __\/ __ \_ __ \
- \ \_\ \ Y \ \_/ \\___ \ | | \ ___/| | \/
- \______ /___| /\_____ /____ > |__| \___ >__|
- \/ \/ \/ \/ \/
- / DISCLAIMER: I personally do not use Windows, I wrote this guide to help #OpNewBlood,
- #Anonymous and everyone who is concerned about their online privacy. If I am missing
- anything, do not hesitate to contact me and I will glady add them to this document.
- I personally take no responsibility for what you or any else does with this information.
- This tutorial took me a long time to complete but I believe that all information
- deserves to be FREE. So feel free to reproduce, copy, save, or edit this document to
- what you see fit.
- Windows 8.1 Secure Installation and Security Hardening Guide:
- =================================================================
- Requirements:
- - A Computer.
- - A Brain.
- - A Windows 8.1 .iso file with a serial key.
- - x2 4GB USB Drives and/or x2 4GB DVDs.
- - A backup hard drive of important files.
- So, let's begin!
- =================================================================
- [01] Preparations:
- / Go ahead and backup all your important files now on a separate USB drive or
- external hard drive.
- / Put your Windows 8.1 .iso file onto a 4GB USB drive or a DVD.
- / Download the latest version of Ubuntu Linux form here: http://www.ubuntu.com/
- / After the Ubuntu .iso file is downloaded, completely disconnect from the
- Internet/Blutooth/NFC, ect. Plug in your USB drive.
- / Open up a command line [cmd.exe] and type: >diskpart
- >list disk
- >select disk [Insert drive letter]
- >clean
- >create partition primary
- >select partition 1
- >format fs=fat32
- >active
- >assign
- / Unpack the Ubuntu .iso file by highlighting all the files, right click,
- click on properties and set the read-only flag to ENABLE.
- / Highlight all the .iso files again and copy/paste them onto the newly
- prepared USB drive. After this is finished, rename the USB drive to something
- like "Ubuntu_Linux" or something of that sort.
- =================================================================
- [02] Preparing DBAN Data Destruction:
- / Download DBAN: http://www.dban.org/download
- / Burn the DBAN .iso file onto a DVD or make a bootable USB drive by placing
- all of the DBAN files onto the USB drive.
- / Restart the computer and press either ESC/DEL/F2/F10/F11/F12 to enter your BIOS.
- / Set the boot order option in your BIOS to boot from your USB drive or DVD
- with the DBAN .iso
- / If you BIOS is running UEFI BIOS, you will need to disable the "Secure Boot"
- option.
- / Boot up DBAN
- / Select the Department of Defense Standards Data Destruction option and allow
- it to completely wipe your hard drive with 7 passes. Effectively and
- irrecoverably wiping your hard drive to all "0"'s.
- / WARNING!!: THIS WILL DESTROY ALL DATA ON THE DRIVE MAKING IT IRRECOVERABLE!
- IT WILL ALSO TAKE 24+ HOURS TO COMPLETE DEPENDING ON DRIVE CAPACITY!! 1TB = ~26hrs.
- =================================================================
- [03] Preparing Hard Drive for Installation:
- / After DBAN is finished running, boot up the Ubuntu Live USB and open up a
- program called "GParted".
- / Start Gparted and select hda. Delete all partitions on your hard drive,
- create a new partition to NTFS, format and click "Apply All Operations".
- =================================================================
- [04] Preparing Windows 8.1 For Installation:
- / Insert your USB drive with the Windows 8.1 .iso files on it. Unpack it to
- the desktop.
- / Open up GParted again and select the USB drive, delete all partitions,
- create the primary partition, format to FAT32 and click "Apply All
- Operations".
- / Right click the partition and click "Manage Flags" and enable to "Boot" flag
- and click "Apply"
- / Copy the contents of the mounted Windows 8.1 .iso file onto the newly
- created USB drive.
- / Now safely eject the USB drive from the computer.
- =================================================================
- [05] Gathering Software and Hardware Drivers:
- / While still on the Ubuntu Live OS, you are going to need to download all of
- your hardware drivers. You can do this by looking up your specific hardware on
- the manufacturers website and download the newest up-to-date drivers. Place
- these files on another means of storage, either on your external hard drive
- where you kept your backup, or on another USB drive.
- / If your BIOS does not have an "Update" or a "Flashing" option, you most
- likely have to download your up-to-date BIOS flashing kit right from your
- motherboards manufacturers website by looking up your motherboard or prebuilt
- computers serial number, usually located on the bottom of your computer or in
- the manual for your hardware. Installing a new BIOS version will eliminate
- well coded RATs and other malware such as a bootkit that can hide in your BIOS
- ROM chip on your motherboard, these malicious programs can re-install
- themselves every time you power up your computer. After the BIOS flashing kit
- is downloaded, place these files on another means of storage, either on your
- external hard drive where you kept your backup, or on another USB drive.
- / If you can flash your BIOS from the Unbuntu live OS, do that now. If you
- cannot, you are going to need to wait until after you install Windows 8.1.
- / Now go ahead and head over to your hardware manufacturers website and
- download all of your hardware drivers. You will need to install then in the
- later steps.
- / Now we can start to gather the installers for the software you will be using
- to harden your Windows 8.1 OS.
- / Download the all of the following programs:
- - MalwareBytes Offline Installer with up-to-date malware database.
- Download: https://www.malwarebytes.org/mwb-download/
- Discription: A decent anti-malware program that offers daily malware database updates.
- Serial Key: MC3ZJ-D2NBW-ZF4PG-23784
- - ClassicShell Start Menu.
- Download: http://www.classicshell.net/downloads/
- Description: Makes your Windows 8.1 skip the metro screen and replaces it
- with the good old Windows 7 start menu. Allows for full customization.
- - Mozilla Firefox Offline Installer. [See below for installation guide].
- Download: https://www.mozilla.org/en-US/firefox/all/
- Description: Offers superior security and a way larger addon repo then any
- other of the mainstream browsers. Allows for full customization.
- - Microsoft Enhanced Mitigation Experience Toolkit [EMET].
- Download: https://www.microsoft.com/en-us/download/details.aspx?id=43714
- Description: EMET uses 12 specific mitigation techniques that seek to
- prevent exploits related to memory corruption, making it
- harder for attackers to find and exploit vulnerabilities,
- Including:
- - Data execution prevention -> A security feature that helps
- prevents code in system memory from being used incorrectly.
- - Mandatory address space layout randomization -> A technology
- that makes it difficult for exploits to find specific addresses
- in a system's memory.
- - Structured exception handler overwrite protection -> A mitigation that blocks
- exploits that attempt to exploit stack overflows.
- - Export address table access filtering -> A technology that blocks an exploit's
- ability to find the location of a function.
- - Anti-Return Oriented Programming -> A mitigation technique that prevents
- hackers from bypassing DEP.
- - SSL/TLS certificate trust pinning -> A feature that helps detect
- man-in-the-middle attacks leveraging the public key infrastructure.
- - Piriform CCleaner.
- Download: https://www.piriform.com/ccleaner/download
- Description: Stands for Crap Cleaner, it has the ability to securely
- destroy data, temporary files and unused registry keys.
- - KeePass Password Database [Not necessary if you can remember long complex passwords].
- Download: http://keepass.info/
- Discription: This software creates very long and randomly generated mixed
- ASCII characters and numbers. It also stores them in a nice
- layout for you. You can use these randomly generated passwords for all of the
- Anonymous accounts that you create.
- - Software Update Monitor [SUMo].
- Download: http://www.kcsoftwares.com/?sumo
- Description: SUMo keeps your PC up-to-date and safe by using the most
- recent version of your favorite software. Unlike built-in auto
- update features, SUMo tells you if updates are available
- before you need to use your software.
- - OpenDNS Crypt.
- Download: https://github.com/opendns/dnscrypt-win-client
- Description: DNSCrypt is a piece of lightweight software that everyone
- should use to boost online privacy and security. It works by
- encrypting all DNS traffic between the user and OpenDNS,
- preventing any spying, spoofing or man-in-the-middle attacks.
- - Piriform Speccy.
- Download: https://www.piriform.com/speccy
- Description: Displays detailed information about your computer hardware
- and external devices. Comes in handy when trying to gather your system
- information.
- - VeraCrypt.
- Download: https://veracrypt.codeplex.com/
- Description: VeraCrypt is encryption software, designed from the outdated
- TrueCrypt. It allows you to create hidden and encrypted volumes so you
- have full deniability if you get v& [Arrested] and/or get your computer
- seized.
- / Download all of the installers for the software that you plan on using now.
- Like audio players, video players, image viewers, photo and video editors,
- ect. Make sure these installers are downloaded DIRECTLY from the software
- manufacturers website. DO NOT download from torrent sites, third-party sites,
- YouTube, forums, ect!
- =================================================================
- [06] BIOS Configuration:
- / Reboot the computer and press either ESC/DEL/F2/F10/F11/F12 to enter your
- BIOS.
- / Place a password on your BIOS and as well as your hard drive if you have the
- option.
- / Enable the following options [If you have them]:
- - Enable Secure Boot.
- - Enable Fast Boot.
- - Install Default Secure Boot keys.
- / Set the first boot option to the Windows 8.1 USB bootloader you created
- earlier. Save changes and exit.
- =================================================================
- [07] Windows 8.1 Installation:
- / Boot up the Windows 8.1 USB bootloader. Set your timezone, language,
- keyboard layout, ect.
- / When you get to the storage settings screen, you are going to want to click
- on "Delete All Partitions". Then click "New", create the primary partition and
- make it 128GB - 256GB depending on your storage capabilities [This is where
- the Windows 8.1 OS will be installed].
- / Next, click on "New" and create a the secondary partition with the rest of
- the storage space. Or another hard drive depending on your computer
- configuration.
- / Be sure for format each partition and/or hard drive at least 3 times in a
- row. This is important for consistency.
- / Next, install the Windows 8.1 OS onto the 128GB-256GB partition you just
- created.
- / Wait until your computer loads the Windows 8.1 installation. Then select
- your language, timezone and currency format, and your keyboard input. Click
- "Next" and then click "Install Now".
- / Now you are going to need to put in your Windows 8.1 serial key. If you do
- not have a serial key, then you are going to need to find one online. There
- are a lot of websites out there dedicated to the free release of Windows OS
- serial keys. I would recommend https://www.serials.ws/. DON'T BE DUMB, DO NOT
- DOWNLOAD ANYTHING. It should be a plain-text serial key.
- / Now create your administrator account. Its recommended that you do not name
- it something such as your screen names, real name, aliases, admin, ect. Name
- it something simple such as "Primary" or "SuperUser" or "Root". Next, give
- your new account a STRONG password. At least 10 characters is recommended.
- / Disable ALL of the options that invade your privacy, Which is pretty much
- all of them. Make sure you enable the "Do Not Track" and the "Smart Screen
- Filter" options.
- / After the Windows 8.1 OS is installed, completely disconnect from the
- internet. Insert the USB drive or external hard drive where you stored all of
- your software installations, hardware drivers and BIOS flashing kit. [If you
- were able to flash your BIOS from the Ubuntu Live OS or directly from your
- BIOS configuration, you may skip the next step].
- / If you could not flash your BIOS from the Ubuntu Live OS or directly from
- your BIOS, do that now by running the BIOS flashing executable. After its
- installed, you are going to have to reboot your computer to the Ubuntu Live OS
- again and wipe your hard drive again [Refer to step 03]. After this is
- finished you are going to have to re-install Windows 8.1 and re-configure
- everything again [Refer to step 07]. I know this is a huge pain, but doing
- this will insure that there is no malware hiding out on your BIOS ROM chip.
- / Install the .NET 4.0 and .NET 4.5 framework by pressing the Windows key + X,
- click on "Command Prompt (Admin)" and run the following command:
- DISM /Online /Enable-Feature /FeatureName:NetFx3 /All /LimitAccess /Source:x:\sources\sxs.
- [Replace x:\ with the drive letter of your Windows 8.1 installation media is assigned].
- / Connect to the internet.
- / Next, press the Windows key and search "Update" and open "Window Update".
- You are going to want to do a FULL update. Excluding anything to do with
- Windows 10 [Because Windows 10 is basically government spyware]. Do not do
- anything else on your computer, simply just allow the updates to download and
- install, then reboot your computer.
- / Now you can go ahead and install all of your hardware drivers.
- / Update DirectX by downloading and running this package:
- https://www.microsoft.com/en-us/download/details.aspx?id=17431
- / Open a command prompt with administrator privileges by pressing the Windows
- key + X and click on "Command Prompt: Administrator" and run the following
- command: SFC /SCANNOW. You should get a response back after it is finished
- scanning that reads "File Integrity Check completed and no errors were found".
- / While still in the administrative command prompt, you are going to copy and
- paste all of the following commands [This will UNINSTALL everything to do with
- Microsoft's spy updates]:
- @echo off
- echo
- echo Delete KB3075249 (telemetry for Win7/8.1)
- start /w wusa.exe /uninstall /kb:3075249
- echo Delete KB3080149 (telemetry for Win7/8.1)
- start /w wusa.exe /uninstall /kb:3080149
- echo Delete KB3021917 (telemetry for Win7)
- start /w wusa.exe /uninstall /kb:3021917
- echo Delete KB3022345 (telemetry)
- start /w wusa.exe /uninstall /kb:3022345
- echo Delete KB3068708 (telemetry)
- start /w wusa.exe /uninstall /kb:3068708
- echo Delete KB3044374 (Get Windows 10 for Win8.1)
- start /w wusa.exe /uninstall /kb:3044374
- echo Delete KB3035583 (Get Windows 10 for Win7sp1/8.1)
- start /w wusa.exe /uninstall /kb:3035583
- echo Delete KB2990214 (Get Windows 10 for Win7 without sp1)
- start /w wusa.exe /uninstall /kb:2990214
- echo Delete KB2990214 (Get Windows 10 for Win7)
- start /w wusa.exe /uninstall /kb:2990214
- echo Delete KB2952664 (Get Windows 10 assistant)
- start /w wusa.exe /uninstall /kb:2952664
- echo Delete KB3075853 (update for "Windows Update" on Win8.1/Server 2012R2)
- start /w wusa.exe /uninstall /kb:3075853
- echo Delete KB3065987 (update for "Windows Update" on Win7/Server 2008R2)
- start /w wusa.exe /uninstall /kb:3065987
- echo Delete KB3050265 (update for "Windows Update" on Win7)
- start /w wusa.exe /uninstall /kb:3050265
- echo Delete KB971033 (license validation)
- start /w wusa.exe /uninstall /kb:971033
- echo Delete KB2902907 (description not available)
- start /w wusa.exe /uninstall /kb:2902907
- echo Delete KB2976987 (description not available)
- start /w wusa.exe /uninstall /kb:2976987
- echo Step 2: Blocking Routes…
- route -p add 23.218.212.69 MASK 255.255.255.255 0.0.0.0
- route -p add 65.55.108.23 MASK 255.255.255.255 0.0.0.0
- route -p add 65.39.117.230 MASK 255.255.255.255 0.0.0.0
- route -p add 134.170.30.202 MASK 255.255.255.255 0.0.0.0
- route -p add 137.116.81.24 MASK 255.255.255.255 0.0.0.0
- route -p add 204.79.197.200 MASK 255.255.255.255 0.0.0.0
- Part 2
- echo Step 3: Disabling tasks…
- schtasks /Change /TN "\Microsoft\Windows\Application Experience\AitAgent"
- /DISABLE
- schtasks /Change /TN "\Microsoft\Windows\Application Experience\Microsoft
- Compatibility Appraiser" /DISABLE
- schtasks /Change /TN "\Microsoft\Windows\Application Experience
- \ProgramDataUpdater" /DISABLE
- schtasks /Change /TN "\Microsoft\Windows\Autochk\Proxy" /DISABLE
- schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement
- Program\Consolidator" /DISABLE
- schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement
- Program\KernelCeipTask" /DISABLE
- schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement
- Program\UsbCeip" /DISABLE
- schtasks /Change /TN "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-
- DiskDiagnosticDataCollector" /DISABLE
- schtasks /Change /TN "\Microsoft\Windows\Maintenance\WinSAT" /DISABLE
- schtasks /Change /TN "\Microsoft\Windows\Media Center\ActivateWindowsSearch"
- /DISABLE
- schtasks /Change /TN "\Microsoft\Windows\Media Center
- \ConfigureInternetTimeService" /DISABLE
- schtasks /Change /TN "\Microsoft\Windows\Media Center\DispatchRecoveryTasks"
- /DISABLE
- schtasks /Change /TN "\Microsoft\Windows\Media Center\ehDRMInit" /DISABLE
- schtasks /Change /TN "\Microsoft\Windows\Media Center\InstallPlayReady"
- /DISABLE
- schtasks /Change /TN "\Microsoft\Windows\Media Center\mcupdate" /DISABLE
- schtasks /Change /TN "\Microsoft\Windows\Media Center\MediaCenterRecoveryTask"
- /DISABLE
- schtasks /Change /TN "\Microsoft\Windows\Media Center\ObjectStoreRecoveryTask"
- /DISABLE
- schtasks /Change /TN "\Microsoft\Windows\Media Center\OCURActivate" /DISABLE
- schtasks /Change /TN "\Microsoft\Windows\Media Center\OCURDiscovery" /DISABLE
- schtasks /Change /TN "\Microsoft\Windows\Media Center\PBDADiscovery" /DISABLE
- schtasks /Change /TN "\Microsoft\Windows\Media Center\PBDADiscoveryW1"
- /DISABLE
- schtasks /Change /TN "\Microsoft\Windows\Media Center\PBDADiscoveryW2"
- /DISABLE
- schtasks /Change /TN "\Microsoft\Windows\Media Center\PvrRecoveryTask"
- /DISABLE
- schtasks /Change /TN "\Microsoft\Windows\Media Center\PvrScheduleTask"
- /DISABLE
- schtasks /Change /TN "\Microsoft\Windows\Media Center\RegisterSearch" /DISABLE
- schtasks /Change /TN "\Microsoft\Windows\Media Center\ReindexSearchRoot"
- /DISABLE
- schtasks /Change /TN "\Microsoft\Windows\Media Center\SqlLiteRecoveryTask"
- /DISABLE
- schtasks /Change /TN "\Microsoft\Windows\Media Center\UpdateRecordPath"
- /DISABLE
- echo Step 4: Killing Diagtrack-service (if it still exists)…
- sc stop Diagtrack
- sc delete Diagtrack
- echo Final Step: Stop remoteregistry-service (if it still exists)…
- sc config remoteregistry start= disabled
- sc stop remoteregistry
- echo All done, go to reboot!
- pause
- / Reboot your computer.
- =================================================================
- [08] Creating an Organized Software File System:
- / It is always a good idea to have a secure and organized file structure so
- you can find files with ease.
- / Usually on a Windows OS, when you install new software on your computer, it
- defaults to "C:\Program Files" or "C:\Program Files (x86)". You are going to
- need to right click on both of these files, click "Properties", click on the
- "Security" tab, then click on "Edit". Now modify the permissions to "Read,
- Write and Execute" ONLY for the Administrator or Super User account. For
- normal users, the permissions should be only "Read and Execute".
- / Create a new folder called "Applications" under "C:\Program Files" and "C:
- \Program Files (x86)".
- / Under the new "Applications" folders, create some sub-folders for your
- software. Name them in an organized way like "Audio", "Graphics", "Internet",
- "Tools", "Video", ect.
- / Now whenever you install new software, you may install them to these
- directories. Whenever you install new software, be 100% sure that the software
- is genuine and was downloaded directly from the manufacturers website. NEVER
- download anything from a third-party source like torrents, YouTube, IRC,
- Forums, ect.
- =================================================================
- [09] System Configuration:
- / Right click on your taskbar and then click "Properties". In the "Taskbar"
- tab and disable the "Use peek to preview the desktop" option. Click on the
- "Jump Lists" tab set the "Number or recent items to display in Jump Lists"
- option to 0. Now disable both the "Store recently opened programs" and "Store
- and display recently opened items in Jump Lists" options.
- / Press the Windows key + X and click on "System", then click "Advanced
- Settings". Click on the "Advanced" tab and then in the performance box, click
- on "Settings". Click on the "Visual Effects" tab and enable the "Adjust for
- best performance" option and enable ONLY the "Show thumbnails instead of
- icons: option.
- / Next, click on the "Advanced" tab that is next to the "Visual Effects" tab,
- under "Adjust for best performance", select the "Programs" option. Now under
- the "Virtual Memory" box, click "Change" and disable the "Automatically manage
- paging file size for all drives". Now click on your C:\ drive and enable the
- "No paging file" option. Do this for all drive letters. Then click "Set" and
- then click on "Yes", then click "OK" to close the popup window.
- / Click on the "Data Execution Prevention" tab and enable the "Turn on DEP for
- all programs and services except those I select". Then click "OK" to return to
- the "System Properties" window. Now click on the "System Protection" tab and
- delete all restore points and turn off system protection. Now click on the
- "Remote" tab and disable the "Allow Remote Assistance connections to this
- computer" and enable the "Don't allow remote connections to this computer"
- option. Click on the "Computer Name" tab and give your computer a name and
- change your WORKGROUP to "YourComputerName-WORKGROUP".
- / Now goto your C:\ drive on your file explorer and create a new folder called
- "Temporary". Now go back to the "System Properties" window and click on
- "Environment Variables" and set both the TMP and TEMP variables to "C:
- \Temporary" [You will have to do this for every user account that you create].
- Go back to "C:\Temporary" and right click on this file, set the permissions to
- Read, Write and Execute ONLY for Administrators and Read and Execute for
- normal users.
- / Press the Windows key + R and type ncpa.cpl to open your network
- connections. Right click on you network adapters and click on "Properties" and
- disable all of the options except for IPv4 [And IPv6 if you use that].
- Highlight the IPv4 option and click on "Properties", then click on "Advanced"
- near the bottom of the popup window. Click on the "DNS" tab and disable the
- "Register this connections address in DNS" option. Click on the "WINS" tab and
- disable the "Enable LMHOSTS lookup". Now under the NetBIOS box, enable the
- "Disable NetBIOS over TCP/IP" option, then click "OK". Repeat this step on ALL
- of your network adapters. This includes the Virtual TAP adapters that are
- installed with any OpenVPN client.
- / Press the Windows key + X and click on "Programs and Features" then click on
- "Turn Windows features on or off" and disable the "Internet Explorer 10",
- "Windows Identity Foundation", "Windows Location Provider" and "Windows
- Process Activation Service" options. Now enable the "Telnet Client" option,
- because chances are you are going to need it. Reboot your computer.
- / After your computer boots back up, open the Control Panel by pressing the
- Windows key + X and clicking on "Control Panel". Click on "Display" and enable
- the "ClearType Text" option. Go back to the Control Panel and click on "File
- History" and disable ALL file history. Click on "Folder Options" and disable
- the "Hide Extensions for Known File Types" option.
- / Now click on "Internet Options" and configure the following settings:
- - Click the "General" tab, click on "Settings", then click "Temporary
- Internet Files" tab and set the "Check for newer versions of stored
- pages" to "Every time I visit the webpage". Now set the "Disk space to
- use" option to 8MB.
- - Click on the "History" tab and set the "Days to keep pages in history" to 0.
- - Go to the "Caches and Databases" tab and disable the "Allow website caches
- and databases" option. Press "OK".
- / Click on the "Security" tab and set the security level to "High". Do this
- for all zones [Internet, Local Intranet, Trusted Sites and Restricted Sites].
- Then click "Apply".
- / Go to the "Privacy" tab and click "Advanced" and enable the "Override
- automatic cookie handling" option and set both the "First Party" and Third
- Party" cookies options to "Block". Now disable the "Always allow session
- cookies" option. Click "OK". Then enable the "Turn on Pop-up Blocker" option
- then click on the "Settings" button and set the "Blocking Level" to "High:
- Block all pop-ups (Ctrl+Alt to override)". Click "Close".
- / Now in the "Content" tab and click "Settings" next to AutoComplete, disable
- both the "Forms" and "User names and passwords on forms" options and click on
- the "Delete AutoComplete history" button and select all of the checkboxes and
- click "Delete". Click "OK". Now, click on the second "Settings" button that's
- next to Feeds. Disable the "Automatically check feeds for updates" and the
- "Turn on feed readin view" options. Click "OK".
- / Enter the "Program" tab and click on "Manage Addons" and disable ALL addons
- in under the "Add-ons that have been used by your browser" drop down menu. Now
- go to the "Run without permission" option under the drop down menu and disable
- ALL of the addons. Next, click on the "Downloaded controls" option and disable
- ALL of the addons there, if you have any.
- / Next, click on the "Advanced" tab and DISABLE the "Allow active content from
- CDs to run on My Computer", "Allow active content to run in files on My
- Computer", "Allow software to run or install even if the signature is
- invalid", "Enable DOM storage" and "Use SSL 2.0" options. Now you are going to
- ENABLE the following options, "Block unsecured images with other mixed
- content", "Do not save encrypted pages to disk", "Empty Temporary Internet
- Files folder when browser is closed" and "Send Do Not Track request to sites
- you visit in Internet Explorer", click "Apply".
- / Now head back to the control panel and click on "Location Settings", disable
- the "Turn on the Windows Location platform" and the "Help improve Microsoft
- location services" options. Click "Apply".
- / If you are using a laptop, go back and click on "Power Options" and choose a
- power plan that suits your needs. Then click "Choose what closing the lid
- does", set "When I press the power button" to "Shut down". Now set the "When I
- press the sleep button" to "Do nothing". Now set the "When I close the lid"
- option to "Shut down". Next, enable the "Require a password (Recommended)"
- option, enable the "Turn on fast startup (Recommended)" and the "Lock"
- options. Click "Save changes". MAKE SURE that both "Hibernation" and "Sleep"
- modes are completely DISABLED. There is software that can extract your
- BitLocker encryption key from your RAM. Always shut down your computer after
- you are finished using it.
- / Click on "Windows Defender" and click on the "Update" icon. After that is
- completed, click on the "Settings" tab and enable the "Turn on real-time
- protection (Recommended)" option. Click on the "Advanced" option on the left
- side of the window and enable the "Scan archive files", "Scan removable
- drives" and "Remove quarantined files after: 1 day". Now click on "MAPS" and
- enable the "I don't want to join MAPS" option. Now click "Save changes".
- / Press the Windows key and search "User Account Control" and change the
- slider bar to "Always Notify", then click "OK".
- =================================================================
- [10] Software Installation and Configuration:
- / Install the following software to the directories you created in the earlier
- steps and configure them.
- - Software: SUMo
- Configuration: Simply run the installer and install it.
- - Software: Mozilla Firefox Offline Installer
- Configuration: Run the installer and install it. Now you can go ahead and
- configure your Firefox by following the below guide. Things marked with
- "**" are essential for security and privacy. [This version is condensed,
- you can read the full Firefox Security Hardening tutorial here:
- http://pastebin.com/fn7VHwhm
- / Extensions:
- -> **[NoScript]
- Download: https://addons.mozilla.org/en-us/firefox/addon/noscript/
- Features: Protects you from XSS and clickjacking attacks, also enables click
- to load Flash and Java.
- -> **[HTTPS-Everywhere]
- Download: https://www.eff.org/https-everywhere
- Features: Forces HTTPS whenever possible.
- -> **[AdBlock Edge]
- Download: https://addons.mozilla.org/en-US/firefox/addon/adblock-edge
- Features: Blocks intrusive and non-intrusive ads on all websites. It also does
- not have the "Acceptable Ads" feature.
- -> **[Random Agent Spoofer]
- Download: https://addons.mozilla.org/en-US/firefox/addon/random-agent-spoofer
- Features: Provides many user agent spoofing options. Over 100 different
- browsers, has the option to send spoofed headers and much more.
- -> **[RequestPolicy]
- Download: https://addons.mozilla.org/en-us/firefox/addon/requestpolicy/
- Features: Protects you against CSRF attacks and allows you to be in control of
- all cross-site requests.
- -> **[Cookie Controller]
- Download: https://addons.mozilla.org/en-US/firefox/addon/cookie-controller/
- Features: Browse, manage and remove cookies from sites.
- -> **[FoxyProxy Standard]
- Download: https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard
- Features: Advanced proxy management tool for Firefox, way better than the one
- included with Firefox.
- -> **[Disconnect]
- Download: https://addons.mozilla.org/en-US/firefox/addon/disconnect
- Features: Stops tracking by about 2000 third party websites, makes loading
- pages about 27% faster.
- -> **[Privacy Badger]
- Download: https://addons.mozilla.org/en-US/firefox/addon/privacy-badger-firefox
- Features: Protects privacy by blocking spying ads and invisible trackers.
- -> **[Modify Headers]
- Download: https://addons.mozilla.org/En-us/firefox/addon/modify-headers
- Features: Add/Modify/Filter HTTP headers. Useful for mobile development, HTTP
- testing and privacy.
- -> **[CrytoCat]
- Download: https://addons.mozilla.org/en-US/firefox/addon/cryptocat
- Features: Instant encrypted conversations, open source, private, safer
- communications. Uses the OTR encrypted messaging protocol.
- / You can access these configurations by typing in "about:config" in the URL bar.
- -> **Turn off Geo-location:
- geo.enabled => false
- geo.wifi.uri => 127.0.0.1
- -> **Override the useragent to most common useragent [Not needed with UA Switcher]:
- New > string: general.useragent.override =>
- Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0
- -> **Disable DNS prefetching:
- network.prefetch-next => false
- network.dns.disablePrefetch => false
- webgl.disabled => true
- devtools.cache.disabled => true
- browser.sessionstore.privacy_level => 2
- -> **Disable referer headers:
- network.http.sendRefererHeader => 0
- network.http.sendSecureXSiteReferrer => false
- network.http.referer.XOriginPolicy => 1
- network.http.referer.spoofSource => true
- network.http.referer.trimmingPolicy => 2
- -> **Enable HTTP pipelineing regularly, on SSL pages, and on proxies, respectively:
- network.http.pipelining => true
- network.http.pipelining.ssl => true
- network.http.proxy.pipelining => true
- network.http.pipelining.maxrequests => 10
- -> **Prevent child windows/tabs from spawning:
- dom.disable_window_open_feature.resizable => false
- -> **Disable insecure RC4 encryption protocol:
- security.ssl3.ecdhe_ecdsa_rc4_128_sha => false
- security.ssl3.ecdhe_rsa_rc4_128_sha => false
- security.ssl3.rsa_rc4_128_md5 => false
- security.ssl3.rsa_rc4_128_sha => false
- -> **Disable Firefox telemetry:
- toolkit.telemetry.enabled => false
- -> **Allow cookies only from the originating server [Not needed with Cookie Manager]:
- network.cookie.cookieBehavior => 1
- network.cookie.lifetimePolicy => 2
- -> **Reduce RAM usage for Firefox cache feature:
- browser.sessionhistory.max_total_viewers => 0
- -> **Set a "do-not-track" header to tell sites not to track browsing habits:
- privacy.donottrackheader.enabled => true
- privacy.donottrackheader.value => 1
- -> **Disable Google Blacklists and Safebrowsing:
- browser.safebrowsing.enabled => false
- browser.safebrowsing.maleware.enabled => false
- browser.safebrowsing.appRepURL => blank
- browser.safebrowsing.downloads.enabled => false
- browser.safebrowsing.gethashURL => blank
- browser.safebrowsing.malware.reportURL => blank
- browser.safebrowsing.reportErrorURL => blank
- browser.safebrowsing.reportGenericURL => blank
- browser.safebrowsing.reportMalwareErrorURL => blank
- browser.safebrowsing.reportMalwareURL => blank
- browser.safebrowsing.reportPhishURL => blank
- browser.safebrowsing.reportURL => blank
- browser.safebrowsing.updateURL => blank
- services.sync.prefs.sync.browser.safebrowsing.enabled => false
- services.sync.prefs.sync.browser.safebrowsing.malware.enabled => false
- -> **Disable pings:
- browser.send_pings => false
- browser.send_pings.require_same_host => true
- -> **Disable Firefox health report:
- datareporting.healthreport.uploadEnabled => flase
- -> **Disable DOM storage:
- dom.storage.enabled => false
- dom.event.clipboardevents.enabled => false
- -> **Disable suggestions on searchbar:
- browser.search.suggest.enabled => false
- -> **Disable keywords:
- keyword.enabled => false
- -> Disable certificates:
- browser.ssl_override_behavior => 2
- -> **Disable DNS proxy bypass:
- network.proxy.socks_remote_dns => true
- -> **Disable crash reporting:
- breakpad.reportURL => blank
- In application.ini in the Firefox folder,
- [Crash Reporter]Enabled=1 => [Crash Reporter]Enabled=0
- -> **Disable caching on hard drive:
- browser.cache.disk.enable => false
- browser.cache.offline.enable => flase
- browser.cache.disk.capacity => 0
- browser.cache.offline.capacity => 0
- -> **Do not cache HTTP or HTTPS files:
- network.http.use-cache => false
- -> **Disable navigator.sendBeacon:
- beacon.enable => flase
- -> **Disable WebRTC:
- media.peerconnection.enabled => false
- - Software: Java.
- Configuration: Open you Control Panel by pressing the Windows key + X,
- then click on "Java Options", click on the "General Tab" and then click on
- "Settings" and disable the "Keep temporary files on my computer"
- option and then click on "Delete Files" then click "OK". Go to the
- "Security" tab and uncheck the "Enable Java content in the browser" check
- box. Click "Apply".
- - Software: MalwareBytes Offline Installer with up-to-date Malware Database.
- Configuration: Run the installer and install the software. Once finished,
- open MalwareBytes and click on "My Account". Enter this serial key:
- MC3ZJ-D2NBW-ZF4PG-23784. Now you have the preimium version for life! Next,
- click on the "Settings" tab and click on "Detection and Protection",
- enable the "Use Advanced Heuristics Engine [Shuriken]", "Scan for
- Rootkits" and "Scan within archives" options. Now select "Treat
- detections as malware" for both the "Potentially Unwanted Program
- [PUP]" and "Potentially Unwanted Modifications [PUM]" options. Next, click
- on "History Settings" and disable the "Help fight malware by anonymously
- providing historical information" option, also enable the "Don't export
- log information" option [Unless you want MalwareBytes to keep logs, its
- up to your preferance].
- - Software: ClassicShell Start Menu.
- Configuration: Run the installer and install the software. Optionally, you
- can download different start buttons for further configurations from
- DeviantArt.com, heres a pack that I would recommend:
- http://w1ck3dmatt.deviantart.com/art/Mega-Orb-Pack-150-start-orbs-259940654
- - Software: Piriform CCleaner.
- Configuration: Run the installer and install the software. When the
- install is finished, click the "Cleaner" button and check all of the check
- boxes under the "Windows" and "Applications" tabs. Next, click the
- "Registry" button and enable all of the check boxes. Now click on the
- "Options" button and click on "Settings". Check the "Automatically check
- for updates to CCleaner" option. Now, enable the "Secure file
- deletion [Slower]" and set the drop down menu to "Complex Overwrite [7
- passes]" and enable the "Wipe Alternate Data Streams", "Wipe Cluster
- Tips" and "Wipe MFT Free Space" options.
- - Software: OpenDNS Crypt.
- Configuration: Run the installer and install the software. Then open the
- software and enable the "Enable OpenDNS", "Enable DNSCrypt" and "DNSCrypt
- over TCP / 443 [slower]" options. If everything is configured correctly
- then the DNSCrypt icon on the taskbar should be green.
- / Install and configure all of your other software that you downloaded in the
- previous steps now.
- - Software: Microsoft Enhanced Mitigation Experience Toolkit [EMET].
- Configuration: Set everything to "Always On" and reboot your computer.
- After your computer boots back up, open EMET and click on "Apps", then
- click "Add Applications". Now navigate to "C:\Program Files" directory
- and in the search box, type ".exe". Once all of the files have been
- found, press Ctrl + A to highlight everything and then click "Open".
- Now reboot your computer again if necessary.
- =================================================================
- [11] Windows Firewall Configuration:
- / When it comes to firewall configuration, it is always best practice to
- disable EVERYTHING and just poke holes in your firewall to allow basic and a
- few advanced functions. This is exactly what we will be doing.
- / Press the Windows key and search "Windows Firewall" and open the "Windows
- Firewall with Advanced Security".
- / Click on "Windows Firewall Properties" and set the "Domain Profile",
- "Private Profile" and "Public Profile" tabs to "On" and set the "Inbound
- connections" to "Block all incoming connections" and the "Outbound
- connections" to "Block". Click "Apply".
- / Now click on the "Inbound Rules" table and press Ctrl + A to highlight all
- of the inbound rules and right click and click "Delete". Always keep the
- "Inbound Rules" section of your firewall empty, this will insure that no
- connections are coming into your computer from the outside.
- / Next, click on the "Outbound Rules" table and press Ctrl + A to highlight
- all of the rules, then right click and click "Disable All". Now you are going
- to enable the entries that are called "Core Networking" that deal with IPv4
- and IPv6 [If you use IPv6]. Also enable IPHTTPS and DHCP [If you are not using
- a static IP configuration]. Then delete all other rules.
- / This part is going to take some time. You are going to need to manually
- configure ALL of your software that needs to connect to the Internet. Things
- like your Firefox, IRC client, ect. You can do this now by clicking on the
- "Outbound Rules" and clicking on the "New Rule" button, click "Program" then
- click "Next". Now click on "Browse" and navigate to the directories where your
- software is installed, it should be a ".exe" file. Click "Next", click on
- "Allow this connection", click "Next" again and name the rules in an organized
- way. Such as "Software->Internet->Firefox" or "Software->Security->DNSCrypt"
- and so on. You will need to do this for all software that needs internet
- connectivity.
- =================================================================
- [12] VeraCrypt and BitLocker Hard Drive Encryption:
- / First off, you are going to need to have VeraCrypt [TrueCrypt successor]
- installed on your machine. Do this now by running the installation package.
- / Now reboot your computer and enter the BIOS. Then change your BIOS to Legacy
- Mode. Restart your computer and load up the VeraCrypt software.
- / When VeraCrypt is open, click on the "System" drop down menu and click on
- "Encrypt System Partition/Drive". Enter a COMPLEX password, one that you will
- NOT forget! I would recommend at least 16 characters [Upper case, lower case,
- numbers and symbols]. Now just wait until for the encryption process to
- complete. If you forget this password, you will not be able to turn your
- computer on. Reboot your computer and enter the BIOS again and change it back
- to UEFI BIOS. Reboot your computer.
- / Press the Windows key and type "Group Policy" and open "Edit group policy".
- Now, navigate to "Computer Configuration" -> "Administrative Templates" ->
- "Windows Components" -> "BitLocker Drive Encryption". Now click on the "Choose
- drive encryption method and cipher strength". Change the "Select encryption
- method" drop down menu to "AES 256-bit" then click "OK".
- / Next, you are going to need to determine if your computer has what is called
- a Trusted Platform Module chip, or a TPM chip. You can find this out by
- looking up your motherboard model number on the manufactures website and
- reading the specifications page. You can get your motherboards model number
- using the Speccy software that you installed earlier.
- / If you HAVE a TPM chip on your motherboard, you can enable BitLocker Drive
- Encryption by opening up your File Explorer and clicking "This PC", now rename
- your C:\ drive to something like "Windows_8.1", "Windows", "OS", ect. Right
- click on your C:\ drive and click "Turn On BitLocker". Now enter a VERY
- COMPLEX password. I would recommend at least 24 to 30 characters [Upper case,
- lower case, numbers and symbols]. Now save the encrytption key to a USB drive
- and then securely DELETE it using CCleaner. Never forget this password as you
- will NOT be able to turn your computer on without it.
- / If you DO NOT have a TPM chip you are going to need to open your "Group
- Policy Editor" again and navigate to "Computer Configuration" ->
- "Administrative Templates" -> "Windows Components" -> "BitLocker Drive
- Encryption" -> "Operating System Drives". Now double click on the "Require
- additional authentication at startup", then click "Enabled", also enable the
- "Allow BitLocker without a compatible TPM" option. Click "OK". Next, you can
- enable BitLocker Drive Encryption by opening up your File Explorer and
- clicking "This PC", now rename your C:\ drive to something like "Windows_8.1",
- "Windows", "OS", ect. Right click on your C:\ drive and click "Turn On
- BitLocker". Now enter a VERY COMPLEX password. I would recommend at least 24
- to 30 characters [Upper case, lower case, numbers and symbols]. Allow the
- encryption process to finish and save the encryption key to a USB drive and
- then securely DELETE it using CCleaner. Never forget this password as you will
- NOT be able to turn your computer on without it!
- / Now right click on your second partition[s] and rename it to "Partition_2",
- "Data_Partition" or something of that sort. Now click on "Turn On BitLocker"
- and give it a password, make it the same password as your C:\ drive or
- something different if you wish. DO NOT forget this password!
- / If your configurations are correct, you should now have to enter 4 passwords
- to turn on your computer [Hard drive password, BitLocker password, VeraCrypt
- password and your username and password]. Doing this will make your hard drive
- 100% secure and impossible for any government or person to decrypt your
- drives. :]
- =================================================================
- [13] Local Security Policy Configuration:
- / Press the Windows key and search for "Local Security Policies" and open it.
- / Click on the "Action" menu at the top, then click on "Export Policies" and
- save a backup of the default policies. Now click on "Windows Firewall with
- Advanced Security" and make sure that all firewall profiles are set to "On"
- and that all inbound connections are set to "Block". Now make sure that the
- outgoing connections are set to "Outbound connections that do not match a rule
- are blocked".
- / Click on the "Account Policies" table, then click "Password Policy". Now
- configure the following options:
- - Enforce password history -> 0 passwords remembered.
- - Maximum password age -> 42 days.
- - Minimum password age -> 0 days.
- - Minimum password length -> 0 characters.
- - Password must meet complexity requirements -> Disabled.
- - Store passwords using reversible encryption -> Disabled.
- / Now click on "Account Lockout Policy" table and configure the following
- options:
- - Account lockout duration -> 10 minutes.
- - Account lockout threshold -> 3 invalid logon attempts.
- - Reset account lockout counter after -> 10 minutes.
- / Click on the "Local Policies" table and click on "Audit Policy" and
- configure the following options:
- - Audit account logon events -> Success, Failure.
- - Audit account management -> Success, Failure.
- - Audit directory service access -> Success, Failure.
- - Audit logon events -> Success, Failure.
- - Audit object access -> Success, Failure.
- - Audit policy change -> Success, Failure.
- - Audit privilege use -> Success, Failure.
- - Audit process tracking -> Success, Failure.
- - Audit system events -> Success, Failure.
- / Next, click on "User Rights Assignment" and configure the following options:
- - Access Credential Manager as a trusted caller -> Blank.
- - Access this computer from the network -> Administrators.
- - Act as part of the operating system -> Blank.
- - Add workstations to domain -> Blank.
- - Adjust memory quotas for a process -> LOCAL SERVICE, NETWORK SERVICE, Administrators.
- - Allow logon locally -> Administrators, Users.
- - Allow logon through Remote Desktop Services -> Blank.
- - Backup files and directories -> Administrators.
- - Bypass traverse checking -> Everyone, LOCAL SERVICE, NETWORK SERVICE,
- Administrators, Users, Backup Operators.
- - Change system time -> LOCAL SERVICE, Administrators.
- - Change the timezone -> LOCAL SERVICE, Administrators.
- - Create a pagefile -> Administrators.
- - Create a token object -> Blank.
- - Create global objects -> LOCAL SERVICE, NETWORK SERVICE, Administrators, SERVICE.
- - Create permanent shared objects -> Blank.
- - Create symbolic links -> Administrators.
- - Debug programs -> Administrators.
- - Deny access to this computer from the network -> Guest.
- - Deny logon as a batch job -> Everyone.
- - Deny logon as a service -> Everyone.
- - Deny logon locally -> Guest.
- - Deny logon through Remote Desktop Services -> Everyone.
- - Enable computer and user accounts to be trusted for delegation -> Blank.
- - Force shutdown from a remote system -> Blank.
- - Generate security audits -> LOCAL SERVICE, NETWORK SERVICE.
- - Impersonate a client after authentication -> LOCAL SERVICE, NETWORK, SERVICE,
- Administrators, SERVICE.
- - Increase a process working set -> Users, Window Manager/Window Manager Group.
- - Increase scheduling priority -> Administrators.
- - Load and unload device drivers -> Administrators.
- - Lock pages in memory -> Blank.
- - Logon as a batch job -> Blank.
- - Logon as a service -> Blank.
- - Manage auditing and security log -> Administrators.
- - Modify an object label -> Blank.
- - Modify firmware environment values -> Administrators.
- - Preform volume maintenance tasks -> Administrators.
- - Profile single process -> Administrators.
- - Profile system performance -> Administrators, NT SERVICE/WdiServiceHost.
- - Remove computer from docking station -> Administrators, Users.
- - Replace a process level token -> LOCAL SERVICE, NETWORK SERVICE.
- - Restore files and directories -> Administrators, Backup Operators.
- - Shutdown the system -> Administrators, Users.
- - Synchronize directory service data -> Blank.
- - Take ownership of files or other objects -> Administrators.
- / Click on the "Security Options" table and configure the following options:
- - Accounts: Administrator account status -> Disabled.
- - Account: Block Microsoft account -> Users can't add or logon with Microsoft account.
- - Accounts: Guest account status -> Disabled.
- - Accounts: Limit local account use of blank passwords to console logon only -> Enabled.
- - Accounts: Rename administrator account -> Administrator.
- - Accounts: Rename the guest account -> Guest.
- - Audit: Audit the access of global system objects -> Enabled.
- - Audit: Audit the use of Backup and Restore privilege -> Enabled.
- - Audit: Force audit policy subcatagory settings - Not defined.
- - Audit: Shut down system immediately if unable to log security audits -> Enabled.
- - DCOM: Machine Access Restrictions in Security Descriptor Definition
- Language [SDDL] syntax -> Not defined.
- - DCOM: Machine Launch Restrictions in Security Descriptor Definition
- Language [SDDL] syntax -> Not defined.
- - Devices: Allow undock without having to logon -> Enabled.
- - Devices: Allowed to format and eject removable media -> Administrators.
- - Devices: Prevent users from installing printer drivers -> Enabled.
- - Devices: Restrict CD-ROM access to locally logged-in user only -> Enabled.
- - Devices: Restrict floppy access to locally logged-on user only -> Enabled.
- - Domain controller: Allow server operators to schedule tasks -> Not defined.
- - Domain controller: LDAP server signing requirements -> Not defined.
- - Domain controller: Refuse machine account password changes -> Not defined.
- - Domain controller: Digitally encrypt or sign secure channel data [always] -> Enabled.
- - Domain controller: Digitally sign secure channel data [when possible] -> Enabled.
- - Domain controller: Disable machine account password changes -> Disabled.
- - Domain controller: Maximum machine account password age -> 30 days.
- - Domain controller: Require strong [Windows 2000 or later] session key -> Enabled.
- - Interactive logon: Display user information when the session is locked ->
- Do not display user information.
- - Interactive logon: Do not require CTRL+ALT+DEL -> Disabled.
- - Interactive logon: Machine account lockout threshold -> 3 invalid logon attempts.
- - Interactive logon: Machine inactivity limit -> 360 seconds.
- - Interactive logon: Message text for users attempting to logon -> Blank.
- - Interactive logon: Message title for users attempting to logon -> Blank.
- - Interactive logon: Number of previous logon to cache -> 10 logons.
- - Interactive logon: Prompt user to change password before expiration -> 5 days.
- - Interactive logon: Require Domain Controller authentication to unlock workstation -> Disabled.
- - Interactive logon: Require smart card -> Disabled.
- - Interactive logon: Smart card removal behavior -> No Action.
- - Microsoft network client: Digitally sign communications [always] -> Enabled.
- - Microsoft network client: Digitally sign communications [if server agrees]
- -> Enabled.
- - Microsoft network client: Send unencrypted password to third-party SMB
- servers -> Disabled.
- - Microsoft network server: Amount of idle time required before suspending
- session -> 5 minutes.
- - Microsoft network server: Attempt S4U2Self to obtain claim information ->
- Not defined.
- - Microsoft network server: Digitally sign communications [always] ->
- Enabled.
- - Microsoft network server: Digitally sign communications [if client agrees]
- -> Enabled.
- - Microsoft network server: Disconnect clients when logon hours expire -> Enabled.
- - Microsoft network server: Server SPN target name validation level -> Not defined.
- - Network access: Allow anonymous SID/Name translation -> Disabled.
- - Network access: Do not allow anonymous enumeration of SAM accounts -> Enabled.
- - Network access: Do not allow anonymous enumeration of SAM accounts and
- shares -> Enabled.
- - Network access: Do not allow storage of passwords and credentials for
- network authentication -> Enabled.
- - Network access:Let Everyone permissions apply to anonymous users ->
- Disabled.
- - Network access: Named Pipes that can be accessed anonymously -> Blank.
- - Network access: Remotely accessible registry paths -> Blank.
- - Network access: Remotely accessible registry paths and sub-paths -> Blank.
- - Network access: Restrict anonymous access to Named Pipes and Shared -> Enabled.
- - Network access: Shares that can be accessed anonymously -> Not defined.
- - Network access: Sharing and security model for local accounts -> Classic -
- local users authenticate as themselves.
- - Network security: Allow Local System to use computer identity for NTLM ->
- Not defined.
- - Network security: Allow LocalSystem NULL session fallback -> Not defined.
- - Network security: Allow PKU2U authentication requests to this computer to
- use online identities -> Not defined.
- - Network security: Configure encryption types allowed for Kerberos -> Not
- defined.
- - Network security: Do not store LAN Manager hash value on next password
- change -> Enabled.
- - Network security: Force logoff when logon hours expire -> Disabled.
- - Network security: LAN Manager authentication level -> Not defined.
- - Network security: LDAP client signing requirements -> Negotiate signing.
- - Network security: Minimum session security for NTLM SSP based clients ->
- Require 128-bit encryption.
- - Network security: Minimum session security for NTLM SSP based servers ->
- Require 128-bit encryption.
- - Network security: Restrict NTLM: Add remote server exceptions for NTLM
- authentication -> Not defined.
- - Network security: Restrict NTLM: Add server exceptions in this domain ->
- Not defined.
- - Network security: Restrict NTLM: Audit Incoming NTLM Traffic -> Enable
- auditing for all accounts.
- - Network security: Restrict NTLM: Audit NTLM authentication in this domain
- -> Enable all.
- - Network security: Restrict NTLM: Incoming NTLM traffic -> Deny all
- accounts.
- - Network security: Restrict NTLM: NTLM authentication in this domain -> Not
- defined.
- - Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers -> Deny all.
- - Recovery console: Allow automatic administrative logon -> Disabled.
- - Recovery console: Allow floppy copy and access to all drives and all
- folders -> Disabled.
- - Shutdown: Allow system to be shut down without having to log on -> Enabled.
- - Shutdown: Clear all virtual memory pagefile -> Enabled.
- - System cryptography: Force strong key protection for user keys stored on
- the computer -> Not defined.
- - System cryptography: Use FIPS compliant algorithms for encryption,
- hashing, and signing -> Disabled.
- - System objects: Require case insensitivity for non-Windows subsystems
- -> Enabled.
- - System objects: Strengthen default permissions of internal system objects
- -> Enabled.
- - System settings: Optional subsystems -> Posix.
- - System settings: Use Certificate Rules on Windows Executables for Software
- Restriction Policies -> Disabled.
- - User Account Control: Admin Approval Mode for the Built-in Administrator
- account -> Enabled.
- - User Account Control: Allow UIAccess applications to prompt for elevation
- without using the secure desktop -> Disabled.
- - User Account Control: Behavior of the elevation prompt for administrators
- in Admin Approval Mode -> Prompt for credentials.
- - User Account Control: Behavior of the elevation prompt for standard users
- -> Prompt for credentials.
- - User Account Control: Detect application installations and prompt for
- elevation -> Enabled.
- - User Account Control: Only elevate executables that are signed and
- validated -> Disabled.
- - User Account Control: Only elevate UIAccess applications that are
- installed in secure locations -> Enabled.
- - User Account Control: Run all administrators in Admin Approval Mode ->
- Enabled.
- - User Account Control: Switch to the secure desktop when prompting for
- elevation -> Enabled.
- - User Account Control: Virtualize file and registry write failures to per-
- user locations -> Enabled.
- / Now, click on "Advanced Audit Policy Configuration" table and enable logging
- of all the options by clicking on them and by setting ALL of the sub keys to
- "Success and Failure". Do this for everything except the "Global Object Access
- Auditing" table. Doing this will enable you to keep track of all login
- attempts and failures, you can access these logs by pressing the Windows key
- and searching "View Event Logs".
- =================================================================
- [14] Local Services Policies Configuration:
- / Press the Windows key and search "Local Services" and open "View Local
- Services".
- / This part will take awhile...
- / Configure the following options:
- - ActiveX Installer [AxInstSV] -> Startup Type = Manual -> Log On As = Local
- System.
- - App Readiness -> Startup Type = Manual -> Log On As = Local System.
- - Application Experience -> Startup Type = Manual [Trigger Start] -> Log On As = System.
- - Application Information -> Startup Type = Manual [Trigger Start] -> Log On
- As = Local Service.
- - Application Layer Gateway Service -> Startup Type = Manual -> Log On As =
- Local Service.
- - Applications Management -> Startup Type = Manual -> Log On As = Local
- System.
- - AppX Deployment Service [AppXSVC] -> Startup Type = Manual -> Log On As =
- Local System.
- - Background Intelligent Transfer Service -> Startup Type = Disabled -> Log On As = Local System.
- - Background Tasks Infrastructure Service -> Startup Type = Automatic -> Log
- On As = Local System.
- - Base Filtering Engine -> Startup Type = Automatic -> Log On As = Local
- Service.
- - BitLocker Drive Encryption Service -> Startup Type = Manual[Trigger Start]
- -> Log On As = Local System.
- - Block Level Backup Engine Service -> Startup Type = Manual -> Log On As ->
- Local System.
- - Bluetooth Support Service -> Startup Type = Disabled -> Log On As = Local
- System.
- - BranchCache -> Startup Type = Manual -> Log On As = Network Service.
- - Certificate Propagation -> Startup Type = Manual -> Log On As = Local
- System.
- - CNG Key Isolation -> Startup Type = Manual -> Log On As = Local System.
- - COM+ Event System -> Startup Type = Automatic -> Log On As = Local System.
- - COM+ System Application -> Startup Type = Manual -> Log On As = Local
- Service.
- - Computer Browser -> Startup Type = Manual[Trigger Start] ->Log On As = Local System.
- - Credential Manager -> Startup Type = Manual -> Log On As = Local System.
- - Cryptographic Services -> Startup Type = Automatic -> Log On As = Network
- Service.
- - DCOM Server Process Launcher -> Startup Type = Automatic -> Log On As =
- Local System.
- - Device Association Service -> Startup Type = Manual[Trigger Start] -> Log
- On As = Local System.
- - Device Install Service -> Startup Type = Manual[Trigger Start] -> Log On
- As = Local System.
- - Device Setup Manager -> Startup Type = Manual[Trigger Start] -> Log On As = Local System.
- - DHCP Client -> Startup Type = Automatic -> Log On As = Local Service.
- - Diagnostic Policy Service -> Startup Type = Automatic -> Log On As = Local
- Service.
- - Diagnostic Service Host -> Startup Type = Manual -> Log On As = Local
- Service.
- - Diagnostic System Host -> Startup Type = Manual -> Log On As = Local
- System.
- - DirMngr -> Startup Type = Automatic -> Log On As = Local System.
- - Distributed Link Tracking Client -> Startup Type = Automatic -> Log On As = Local System.
- - Distributed Transaction Coordinator -> Startup Type = Manual -> Log On As =
- Network Service.
- - DNS Client -> Startup Type = Automatic[Trigger Start] -> Log On As =
- Network Service.
- - Encrypting File System [EFS] -> Startup Type = Manual[Trigger Start] ->
- Log On As = Local System.
- - Extensible Authentication Protocol -> Startup Type = Manual -> Log On As =
- Local System.
- - Family Safety -> Startup Type = Manual -> Log On As = Local Service.
- - Fax -> Startup Type = Manual -> Log On As = Network Service.
- - File History Service -> Startup Type = Disabled -> Log On As = Local
- System.
- - Function Discovery Provider Host -> Startup Type = Manual -> Log On As =
- Local Service.
- - Function Discovery Resource Publication -> Startup Type = Manual -> Log On
- As = Local Service.
- - Group Policy Client -> Startup Type = Automatic[Trigger Start] -> Log On As
- = Local System.
- - Health Key and Certificate Management -> Startup Type = Manual -> Log On
- As = Local System.
- - HomeGroup Listener -> Startup Type = Manual -> Log On As = Local System.
- - HomeGroup Provider -> Startup Type = Manual[Trigger Start] -> Log On As =
- Local System.
- - Human Interface Device Service -> Startup Type = Manual[Trigger Start] ->
- Log On As = Local System.
- - Hyper-V Data Exchange Service -> Startup Type = Manual[Trigger Start] ->
- Log On As = Local System.
- - Hyper-V Guest Service Interface -> Startup Type = Manual[Trigger Start] ->
- Log On As = Local System.
- - Hyper-V Guest Shutdown Service -> Startup Type = Manual[Trigger Start] ->
- Log On As = Local System.
- - Hyper-V Heartbeat Service -> Startup Type = Manual[Trigger Start] -> Log
- On As = Local System.
- - Hyper-V Remote Desktop Virtualization Service -> Startup Type = Manual
- [Trigger Start] -> Log On As = Local System.
- - Hyper-V Time Synchronization Service -> Startup Type = Manual[Trigger Start]
- -> Log On As = Local Service
- - Hyper-V Volume Shadow Copy Requester -> Startup Type = Disabled -> Log On
- As = Local System.
- - IKE and AuthIP IPSec Keying Modules -> Startup Type = Automatic[Trigger
- Start] -> Log On As = Local System.
- - Interactive Services Detection -> Startup Type = Manual -> LogOn As =
- Local System.
- - Internet Connection Sharing [ICS] -> Startup Type = Disabled -> Log On As =
- Local System.
- - Internet Explorer ETW Collector Service -> Startup Type = Disabled -> Log
- On As = Local System.
- - IP Helper -> Startup Type = Automatic -> Log On As = Local System.
- - IPSec Policy Agent -> Startup Type = Manual[Trigger Start] -> Log On As =
- Network Service.
- - Link-Layer Topology Discovery Mapper -> Startup Type = Manual -> Log On As
- = Local Service.
- - Local Session Manager -> Startup Type = Automatic -> Log On As = Local
- System.
- - Microsoft Account Sigh-in Assistant -> Startup Type = Disabled -> Log On
- As = Local System.
- - Microsoft EMET Service -> Startup Type = Automatic -> Log On As = Local
- System.
- - Microsoft iSCSI Initiator Service -> Startup Type = Manual -> Log On As =
- Local System.
- - Microsoft Keyboard Filter -> Startup Type = Disabled -> Log On As = Local
- System.
- - Microsoft Software Shadow Copy Provider -> Startup Type = Manual -> Log On As
- = Local System.
- - Microsoft Storage Spaces SMP -> Startup Type = Manual -> Log On As =
- Network Service.
- - Mozilla Maintenance Service -> Startup Type = Manual -> Log On As = Local
- System.
- - Multimedia Class Scheduler -> Startup Type = Automatic -> Log On As =
- Local System.
- - Net.TCP Port Sharing Service -> Startup Type = Disabled -> Log On As =
- Local Service.
- - Netlogon -> Startup Type = Manual -> Log On As = Local System.
- - Network Access Protection Agent -> Startup Type = Manual -> Log On As =
- Network Service.
- - Network Connected Devices Auto-Setup -> Startup Type = Manual[Trigger
- Start] -> Log On As = Local Service.
- - Network Connection Broker -> Startup Type = Manual[Trigger Start] -> Log
- On As = Local System.
- - Network Connections -> Startup Type = Manual -> Log On As = Local System.
- - Network Connectivity Assistant -> Startup Type = Manual[Trigger Start] ->
- Log On As = Local System.
- - Network List Service -> Startup Type = Manual -> Log On As = Local
- Service.
- - Network Location Awareness -> Startup Type = Automatic -> Log On As =
- Network Service.
- - Network Store Interface Service -> Startup Type = Automatic -> Log On As =
- Local Service.
- - OpenDNSCrypt -> Startup Type = Automatic -> Log On As = Network Service.
- - Peer Name Resolution Protocol -> Startup Type = Disabled -> Log On As =
- Local Service.
- - Peer Networking Grouping -> Startup Type = Disabled -> Log On As = Local
- Service.
- - Peer Networking Identity Manager -> Startup Type = Disabled -> Log On As =
- Local Service.
- - Plug and Play -> Startup Type = Manual -> Log On As = Local System.
- - PNRP Machine Name Publication Service -> Startup Type = Disabled -> Log On As
- = Local Service.
- - Print Spooler -> Startup Type = Automatic -> Log On As = Local System.
- - Printer Extensions and Notifications -> Manual -> Log On As = Local System.
- - Problem Reports adn Solutions Control Panel Support -> Startup Type =
- Manual -> Log On As = Local System.
- - Program Compatibility Assistant Service -> Startup Type = Automatic -> Log
- On As = Local System.
- - Remote Access Auto Connection Manager -> Startup Type = Disabled ->Log On
- As = Local System.
- - Remote Access Connection Manager -> Startup Type = Manual -> Log On As =
- Local System.
- - Remote Desktop Configuration -> Startup Type = Disabled -> Log On As =
- Local System.
- - Remote Desktop Services -> Startup Type = Disabled -> Log On As = Network
- Service.
- - Remote Desktop Services UserMode Port Redirector -. Startup Type =
- Disabled -> Log On As = Local System.
- - Remote Procedure Call [RPC] -> Startup Type -> Disabled -> Log On As =
- Network Service.
- - Remote Procedure Call [RPC] Locator -> Startup Type = Disabled -> Log On
- As = Network Service.
- - Remote Registry -> Startup Type = Disabled -> Log On As = Local Service.
- - Routing and Remote Access -> Startup Type = Disabled -> Log On As = Local
- System.
- - RPC Endpoint Mapper -> Startup Type = Automatic -> Log On As = Network
- Service.
- - Secondary Logon -> Startup Type = Manual -> Log On As = Local System.
- - Secure Socket Tunneling Protocol Service -> Startup Type = Manual -> Log
- On As = Local Service.
- - Security Accounts Manager -> Startup Type = Automatic -> Log On As = Local
- System.
- - Security Center -> Startup Type = Automatic -> Log On As = Local Service.
- - Server -> Startup Type = Disabled -> Log On As = Local System.
- - Shell Hardware Detection -> Startup Type = Automatic -> Log On As = Local
- System.
- - Smart Card -> Startup Type = Disabled -> Log On As = Local Service.
- - Smart Card Device Enumeration Service -> Startup Type = Disabled -> Log On
- As = Local System.
- - Smart Card Removal Policy -> Startup Type = Disabled -> Log On As = Local
- System.
- - SNMP Trap -> Startup Type = Manual -> Log On As = Local Service.
- - Software Protection -> Startup Type = Automatic -> Log On As = Network
- Service.
- - SSDP Discovery -> Startup Type = Disabled -> Log On As = Local Service.
- - Storage Service -> Startup Type = Manual[Trigger Start] -> Log On As =
- Local System.
- - System Event Notification Service -> Startup Type = Automatic -> Log On As
- = Local System.
- - System Events Broker -> Startup Type = Automatic -> Log On As = Local
- System.
- - TCP/IP NetBIOS Helper -> Startup Type = Disabled -> Log On As = Local
- Service.
- - Te.Service -> Startup Type = Manual -> Log On As = Local System.
- - Telephony -> Startup Type = Manual -> Log On As = Network Service.
- - UPnP Device Host -> Startup Type = Disabled -> Log On As = Local Service.
- - User Profile Service -> Startup Type = Automatic -> Log On As = Local
- System.
- - Virtual Disk -> Startup Type = Manual -> Log On As = Local System.
- - Volume Shadow Copy -> Startup Type = Disabled -> Log On As = Local System.
- - Windows Error Reporting Service -> Startup Type = Disabled -> Log On As =
- Local System.
- - Windows Remote Management [WS-Management] -> Startup Type = Disabled -> Log
- On As = Network Service.
- - Workstation -> Startup Type = Disabled -> Log On As = Network Service.
- =================================================================
- [15] Local Group Policy Configuration:
- / Press the Windows key and search "Group Policy" and click on "Edit group
- policy".
- / Next, navigate to the following tables and set them as follows:
- - "Computer Configuration" -> "Administrative Templates" -> "Windows
- Components" -> ActiveX Installer Service" -> "Disabled".
- - "Computer Configuration" -> "Administrative Templates" -> "System" ->
- "Early Launch Antimalware" -> "Enabled".
- - "Computer Configuration" -> "Administrative Templates" -> "Windows
- Components" -> "Application Compatibility" -> "Turn off Application
- Telemetry" -> "Enabled".
- - "Computer Configuration" -> "Administrative Templates" -> "Windows
- Components" -> "AutoPlay Policies" -> Change all settings to "Enabled".
- - "Computer Configuration" -> "Administrative Templates" -> "Windows
- Components" -> "Biometrics" -> Change all settings to "Disabled.
- - "Computer Configuration" -> "Administrative Templates" -> "Windows
- Components" -> "Credential User Interface" -> "Do not display the
- password reveal button" -> "Enabled".
- - "Computer Configuration" -> "Administrative Templates" -> "Windows
- Components" -> "Desktop Gadgets" -> Change all settings to "Enabled".
- - "Computer Configuration" -> "Administrative Templates" -> "Windows
- Components" -> "Digital Locker" -> "Enabled".
- - "Computer Configuration" -> "Administrative Templates" -> "Windows
- Components" -> "Family Safety" -> "Disabled".
- - "Computer Configuration" -> "Administrative Templates" -> "Windows
- Components" -> "File Explorer" -> "Show sleep in the power options menu"
- -> "Disabled".
- - "Computer Configuration" -> "Administrative Templates" -> "Windows
- Components" -> "File Explorer" -> "Show hibernate in the power options
- menu" -> "Disabled".
- - "Computer Configuration" -> "Administrative Templates" -> "Windows
- Components" -> "File History" -> "Turn off File History" -> "Enabled".
- - "Computer Configuration" -> "Administrative Templates" -> "Windows
- Components" -> "Game Explorer" -> Change all settings to "Enabled".
- - "Computer Configuration" -> "Administrative Templates" -> "Windows
- Components" -> "HomeGroup" -> "Prevent the computer from joining a
- homegroup" -> "Enabled".
- - "Computer Configuration" -> "Administrative Templates" -> "Windows
- Components" -> "Internet Explorer" -> Change all settings to "Disabled".
- - "Computer Configuration" -> "Administrative Templates" -> "Windows
- Components" -> "Location and Sensors" -> Change all settings to "Enabled".
- - "Computer Configuration" -> "Administrative Templates" -> "Windows
- Components" -> "NetMeeting" -> "Disable remote Desktop sharing" -> "Enabled".
- - "Computer Configuration" -> "Administrative Templates" -> "Windows
- Components" -> "OneDrive" -> "Save documents to OneDrive by default" ->
- "Disabled".
- - "Computer Configuration" -> "Administrative Templates" -> "Windows
- Components" -> "OneDrive" -> "Prevent OneDrive files from syncing over
- metered connections" -> "Enabled".
- - "Computer Configuration" -> "Administrative Templates" -> "Windows
- Components" -> "OneDrive" -> "Prevent the usage of OneDrive" -> "Enabled".
- - "Computer Configuration" -> "Administrative Templates" -> "Windows
- Components" -> "Online Assistance" -> Turn off Active Help" -> "Enabled".
- - "Computer Configuration" -> "Administrative Templates" -> "Windows
- Components" -> "Remote Desktop Services" -> Change all settings to
- "Disabled".
- - "Computer Configuration" -> "Administrative Templates" -> "Windows
- Components" -> "Shutdown Options" -> "Turn off legacy remote shutdown
- interface" -> "Enabled".
- - "Computer Configuration" -> "Administrative Templates" -> "Windows
- Components" -> "Sync your settings" -> Change all settings to "Enabled".
- - "Computer Configuration" -> "Administrative Templates" -> "Windows
- Components" -> "Windows Customer Experience Improvement Program" ->
- Change all settings to "Disabled".
- - "Computer Configuration" -> "Administrative Templates" -> "Windows
- Components" -> "Windows Remote Shell" -> "Allow Remote Shell Access" ->
- "Disabled".
- - "Computer Configuration" -> "Administrative Templates" -> "Windows
- Components" -> "Windows Update" -> "Turn off the upgrade to the latest
- version of Windows through Windows Update" -> "Enabled".
- =================================================================
- [16] Router and/or Modem Configuration:
- / This step is very important, you will need to determine if you are using a
- wireless or wired router.
- / You are going to have to download a fresh copy of the routers firmware
- directly from the manufactures website and you are going to flash your router
- and modems firmware. Doing this will eliminate any backdoors/rootkits that
- have possibly been installed on your router and/or modem.
- / Next, you are going to need to access your routers configuration page and
- start to configure your security settings. You should have all incoming ports
- CLOSED and all outgoing ports CLOSED [Except for the ones you will be using,
- 80, 443, 21 ect]. Enable WAN ping blocking, disable DMZ hosting and set your
- firewall to the highest security settings. Disable anything else that may
- present a security risk. You can also add blocklists to your router for
- disabling ads and malware serving hosts, this of course is optional.
- / Do this for all of your other hardware [Firewalls, modems, switches, VOIP
- systems, ect].
- =================================================================
- [17] VPNs:
- / A Virtual Private Network [VPN] is a connection from your computer to
- another network. Setup properly, they can be used by anyone to create a safer
- connection to the internet and have the added benefit of disguising your true
- location. It encrypts your internet connection. So you can surf the web
- securely with no restrictions. It will allow you to visit websites that your
- ISP or government has blocked. You can also change your IP whenever you please
- by switching servers.
- / When you are picking out a VPN provider, be sure to read the Terms of
- Service [ToS] aswell as the Privacy Policy [PP]. Make sure that the VPN
- provider you choose does NOT keep ANY logs.
- / NEVER use a "Free" VPN!! If you don't have to pay for a product, you are the
- product being sold.
- / First off, you are going to need to purchase TWO different VPN services from
- TWO separate VPN providers. NEVER use your own or anyone of your
- family/friends credit cards, because they can be backtraced directly to you. It
- is highly recommended that you buy a prepaid Mastercard [Or Visa, but it is
- NOT recommended]. To do this you are going to need to get about $50-$100 in
- cash and head into a high populated store with a lot of foot traffic such as
- Walmart, Target, 7-11, ect. Be sure wear something you wouldn't normally wear
- when buying this card and make sure your face is hidden from ALL cameras when
- making this purchase. ALWAYS pay for this prepaid card with cash and cash
- only. Using any other methods of payment such as Interact will completely
- compromise your identity.
- / When you purchase the prepaid card, write down ALL of the information on the
- card [Card number, CVV, Expiry date, ect] and the securely dispose of the card
- [Either burn the card or cut it into 3-4 pieces and put each piece in separate
- trash bins that are in separate locations].
- / Now you are going to have to activate the prepaid card online. To do this
- you are going to need to access the internet through TOR on your cellphone or
- any other means by using a free public wifi hotspot. When activating the
- prepaid card online, you are going to need a fake name and address. Go to
- http://www.fakenamegenerator.com/ and use a random name and address [Remember
- to write down the ZIP/Postal code you used, as you may need it in the future].
- When you are on the VPN providers website and you are creating your account,
- use a throwaway email address that is with any email provider [Mail.com
- usually works quite nicely]. Use http://www.fakenamegenerator.com/ again to
- fill in random information for the throwaway and in the VPN providers website.
- =================================================================
- [18] Testing Security Configurations:
- / This step may seem redundant, but it is one of the most valuable. You are
- now going to preform a small "Security Audit" of your system and network.
- / Download the following software:
- - Software: NMap
- - Download: https://nmap.org/dist/nmap-7.01-setup.exe
- - Software: Nessus Home
- - Download: https://www.tenable.com/products/nessus-home
- - Configuration: Enter FAKE details in the "Register for an Activation Code"
- section of the Nessus website. Then just download and install. Make sure
- that you allow ALL of the Nessus executables through your OUTBOUND
- firewall.
- - Software: WireShark
- - Download: https://www.wireshark.org/download.html
- - Software: TCPView
- - Download: https://technet.microsoft.com/en-us/sysinternals/tcpview.aspx
- / Now open a Command Prompt window with Administrator privilege, then type
- this command: "nmap -vvv 192.168.0.1" [Remove the quotation marks and change
- the IP address to your routers internal IP address]. If configured correctly,
- NMap should not be able to detect any open ports.
- / Next open Nessus Home and preform a vulnerability scan on the same internal
- IP address that is assigned to your router. Again, Nessus should not detect any
- open ports or vulnerabilities.
- / Open Firefox and head over to these web application port scanners:
- - Website: https://www.grc.com/x/ne.dll?bh0bkyd2
- - Website: http://www.speedguide.net/scan.php
- / Preform a port scan using BOTH of these web application port scanners. The
- results for GRC should be "True Stealth" and the results for speedguide should
- be no open ports.
- / If you have detected any open ports, then you may need to go back to the
- previous steps and re-configure these settings.
- / Now open TCPView, this will show you if there are any suspicious packet
- activities that are going through your network. If you find any, remove them
- immediately. Now open WireShark and do the same thing, look for any unknown or
- suspicious packet activity.
- / Open up a Command Prompt window with Administrator privileges and type this
- command: "netstat -nab" [Remove the quotation marks]. This command will show
- you all inbound and outbound connections and details about them like
- process, local ip:port, foreign ip:port, protocol and connection status.
- / Open Firefox again and go to the following websites:
- - Website: https://ipleak.net/
- - Description: This website will show you what information is being passed
- to the websites you visit. This includes your IP address, DNS addresses,
- WebRTC, Geolocation, User Agent, System Information, Plugins, MIME
- type, ect. If configured correctly, everything should be disabled
- and/or spoofed. You should check this website EVERY TIME YOU GO ONLINE
- for DNS leaks and to make sure that everything is secure before you login
- to anything.
- - Website: https://www.dnsleaktest.com/
- - Description: This site will detect any DNS leaks from your network. If
- configurations were done correctly, all of the DNS addresses should be
- "OpenDNS, LLC".
- =================================================================
- [19] Peer Filtering:
- / Peer filtering will automatically block certain IP ranges from accessing
- your computer from the internet. These include: Advertisement companies,
- Government and Federal agencies, Law Enforcement agencies, Educational
- Intitutions and Analytic Services and so on.
- / Download this peer filtering software:
- - Software: PeerBlock
- - Download: http://www.peerblock.com/releases
- / Now install PeerBlock and allow peerblock.exe through you firewall's
- outgoing table. Now open PeerBlock and click on the "List Manager" button,
- click "Add". Now open up Firefox and go to https://www.iblocklist.com/lists
- for free blocklists. Copy and paste the "Update URL" into PeerBlock and there
- you have it.
- / There are many websites on the internet that offer free blocklists, you may
- find them by doing a quick search on the internet. You can then load them into
- PeerBlock as explained above.
- =================================================================
- [20] TOR, I2P and FreeNet Configuration:
- / Download and configure the following software:
- - Software: The Onion Router [TOR] Browser Bundle
- - Download: https://www.torproject.org/projects/torbrowser.html.en
- - Description: Tor is free software for enabling anonymous communication.
- The name is an acronym derived from the original software project name
- The Onion Router, Tor directs Internet traffic through a free, worldwide, volunteer
- network consisting of more than seven thousand relays[9] to conceal a user's location
- and usage from anyone conducting network surveillance or traffic analysis.
- Optionally, You can download the TOR Expert bundle here:
- https://www.torproject.org/download/download
- - Configuration: Run the installer and allow TOR though your firewall.
- You can now route your internet traffic through The Onion Router by binding your
- applications to Socks5 host @ 127.0.0.1 on port 9050 through the applications
- proxy settings.
- - Software: I2P
- - Download: https://geti2p.net/en/
- - Description: 2P is an anonymous overlay network, a network within a network.
- It is intended to protect communication from dragnet surveillance and monitoring
- by third parties such as ISPs.
- - Configuration: Run the installer and install the software. Open your firewall
- and local all of the executables in the I2P installation directory and allow them
- all though the firewalls outgoing table. Now, allow the JaveSEBinary.exe though
- the inbound table. Now open a Command Prompt with administrator privilege and type
- the following command:
- i2psvc -c wrapper.config
- I2P should start and load everything, now open firefox and type "http://127.0.0.1:7657" into
- the URL bar to configure all of the additional options. You can now configure your
- applications to use the I2P network by configuring the applications proxy settings to
- Socks5 host @ 127.0.0.1 on port 4445.
- - Software: FreeNet
- - Download: https://freenetproject.org/download.html
- - Description: Freenet is a platform for censorship-resistant communication and publishing.
- It helps you to remain anonymous, and communicate without fear.
- - Configuration: Run the installer and install the software. Now allow the FreeNet.exe,
- FreeNetWrapper.exe and the FreeNetLauncher.exe though the outgoing table, now allow the
- JavaSEBinary.exe [This one was installed with FreeNet] though the outbound firewall table.
- Open a Command Prompt with administrator privilage and run the following command: FreeNet.
- FreeNet should start and load everything, now open firefox and enter "http://127.0.0.1:8888"
- into the URL bar and configure the FreeNet settings.
- =================================================================
- [21] Secure Social Media Communications:
- / You are going to download the following software to allow the secure communications
- over mainstream social media sites, XMPP, IRC and other protocols.
- - Software: Pidgin
- - Download: https://pidgin.im/download/
- - Configuration: Run the installer and install the software. Allow pidgin.exe file
- though your firewalls outgoing table.
- - Software: Off The Record Plugin
- - Download: https://otr.cypherpunks.ca/binaries/windows/pidgin-otr-4.0.1.zip
- - Configuration: Run the installer and install the software. Now allow all of the OTR
- executables through your firewalls outgoing table.
- / Now open Pidign and enable the OTR plugin. You may now add your accounts
- into Pidgin. Now click on the "Tools" drop down menu and click "Preferences", now
- click the "Proxy" tab and select "Tor/Privacy (SOCKS5)" from the proxy type drop down
- menu. Now enter "127.0.0.1" in the "Host" field and change the port to "9050". Doing this will
- ensure that you are not being connected to your accounts unless your connection is binded and
- anonymized though TOR.
- / Optionally, you can install the Skype4Pidgin plugin [If you even use Skype] from here:
- https://github.com/eionrobb/skype4pidgin
- =================================================================
- [22] Application Proxy Configuration:
- / This step will show you how to add an extra layer of security while
- using your applications and software. You can find large lists of proxies
- by just doing a simple search. I would AVOID using HideMyAss.com because they
- are known to give up user data to the feds.
- / Once you have the proxy IPs, you can now locate the proxy settings that should
- be within the settings page of your applications. You can now bind your software to
- your already encrypted and secure connection [VPN, TOR and I2P], thus adding an extra
- layer of security. Try to use different proxies for different applications to make sure
- your connection is completely anonymized.
- =================================================================
- [23] Secure Virtualization Configuration:
- / In this step we will be securely installing a virtual machine [VM]
- Download and install the following software:
- - Software: VirtualBox
- - Download: https://www.virtualbox.org/wiki/Downloads
- - Configuration: Run the installer and install the software, be sure to allow
- this software though your firewall.
- / Now open VeraCrypt and click the "Volumes" drop down menu, then click on
- "Create New Volume". Select the "Create an encrypted file container", click "Next".
- Now select "Hidden VeraCrypt Volume" and click "Next", select "Normal Mode", click
- "Next". Now click on the "Select File" button and locate a directory that is some what
- hidden deep within your file system and name it something like "Test.txt" or "VM.txt".
- Be sure to save this file as a .txt file and NOT .vc, because a .vc file makes is very
- obvious that there is something hidden inside. Make sure that the "Never Save History"
- check box is checked. Click "Next".
- / You should now be creating the "Outer Volume" of your hidden and encrypted container.
- Click "Next". For the encryption algorithm, select "AES(Twofish(Serpent))" from the drop down
- menu, then make sure that "SHA-512" is selected for the hash algorithm, then click "Next".
- Now enter the size of the file you want in GB, I would recommend for it to be at least 15-25GB in
- size. Click "Next". Now you should be prompted for the outer volume password. Make this password
- whatever you want, just make sure that you remember it! Now the next screen you will have to move
- you cursor around for about 5 minutes, doing this for a long time will increase the strength of the
- encryption. Next, click on "Format". You may now open your outer volume [It should be mounted as the
- Z:\ drive] and place a few sensitive looking files that you DO NOT actually want to hide
- [Doing this will allow for full deniability if v& and forced to disclose your password,
- if they demand a password, give them the one for outer volume]. Click "Next".
- / Now you can create the hidden volume, again make sure that the encryption algorithm is set to
- "AES(Twofish(Serpent))" and that "SHA-512" is selected for the hash algorithm, click "Next".
- Now select the file size in GBs, make it about 1-2GB smaller than the outer volume. Click "Next".
- Set a password that is DIFFERENT from the one you used above! Make it as long and complex as possible
- [Add numbers, upper case, lower case and symbols] The goal with this password it to make it 100%
- uncrackable by any super computer, I would recommend 64+ characters in length. Click "Next".
- Again, you are going to want to move your cursor as randomly as possible. This time do it for about
- 10 minutes or more, then click on "Format".
- / Open VeraCrypt and click the "Select File" button and locate the .txt file that you just created,
- then select a drive letter and click "Mount" and enter your password for the HIDDEN container.
- / For this VM we will be using Ubuntu Linux. Click "New" and give your VM a name like "Ubuntu" or
- something along those lines. Set the "Memory Size" [RAM] to whatever your computer can handle.
- 1GB = 1024MB, 2GB = 2048MB and 4GB = 4096MB and so on. Click "Create". Now for the "File Location"
- you are going to navigate to the hidden volume that you created earlier. Set the "File Size" to 15-20GB
- then click "Create". Next, boot up the new Ubuntu VM and navigate to where you saved the Ubuntu.iso file.
- Allow the VM to boot up and you can then configure the Ubuntu VM with encryption, TOR, VPNs, proxies and
- other security measures. I am not going to include a Ubuntu Linux security hardening guide here, you can
- however find hundereds of tutorials and guides with a simple search.
- / You will need to open VeraCrypt and enter the password for the hidden container everytime you want to
- boot this Ubuntu Linux virtual machine. Make sure that you DISMOUNT this volume everytime you step away
- from your computer.
- =================================================================
- [24] Anonymous Identities:
- / The first thing you should do is create a nickname that you will use as one of
- your alter-egos. This one should ONLY be used for connecting IRC Networks/Email/Facebook
- Services and so fourth. This screen name should be completely different from your Anonymous
- screen name and should NEVER be related to one another and should always be separate.
- One slip with these screen names could seal your fate in the corrupt federal prison system.
- / You are going to now create an Anonymous screen name. This will be your second alter-ego for
- use with other things such as Email/Hacking/Chatting with other Anons and so on.
- / Create a back story that is believable to use alongside your Anonymous screen names,
- preferably with supporting evidence [Use a common name, a school in the city of your choosing,
- choose a place in the same city where your fake alias works]. NEVER contaminate this back story
- with real personal information.
- / When creating your Anonymous screen names, do so through TOR as well as a VPN layered on top.
- This will guarantee that all account creation details remain anonymous and untraceable.
- =================================================================
- [25] Conclusion:
- / There you have it, if you followed the all of the steps correctly. You should now have
- a completely secure and encrypted installation of Windows 8.1 and you have installed and configured
- all of the necessary security tools and applications to ensure that your internet connection is
- encrypted. You have configured all of your software that needs internet connectivity though your strict
- firewall settings and you have configured your software to specifically bind the connection
- they use to connect to the internet though a VPN, TOR, aswell as proxies. You have created
- anonymous nicknames and identities. You may do things of questionable legality assuming you
- take full responsibility and know what your going and the feds will have an extremely hard time
- finding you :]. Happy hacking #NewBloods!
- / This is one of my gifts to the internet, Anonymous and humanity itself. Also to the corrupt
- governments of this world; You cannot arrest an idea.
- =================================================================
- .-.
- ( " )
- /\_.' '._/\
- | |
- \ /
- \ /`
- .(__) /
- `.__.' @Gh0sterSec
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement