-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathintructions.txt
245 lines (207 loc) · 12.2 KB
/
intructions.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
********************************************************
Straightforward Training™
Windows 7 Ultimate Security Setup (Paranoid Mode)
Author: Saulo S. Ortiz
Date: 20180107
Updated: 20200802
Contact: thetiredretired@gmail[.]com
********************************************************
Copyright ©2018-2020 Saulo S. Ortiz. All Rights Reserved!
********************************************************
*** No reproduction/modification of this guide is allowed for commercial purposes without explicit written permission from the author! ***
DISCLAIMER:
-----------------------------------------
I have been perfecting these steps since Windows 7 came out and through trial and error I've come up with the best way to modify and secure
Windows 7. With that said, I am NOT responsible for any data corruption or any damage these steps may cause. I have not had any damaged hardware
if you're wondering, but I've had data corruption so BACK-UP what you don't want to lose.
I've tried these steps under Windows 7, 8 and 8.1 but NOT Windows 10.
INTRODUCTION:
-----------------------------------------
These steps will help you latch down Windows 7 in a way that will seem overly paranoid. If you're planning to stream from the computer
you're going to do these changes to, then know that streaming will not work after these steps are set. These steps are for a brand new
Windows installation that has no security updates or patches. Additionally, these steps will lock down all automatic updates. I do this
because updates not only "fix" problems but also create new security holes making remote connectivity and data siphoning easier for
government agencies to do.
DOWNLOADS:
-----------------------------------------
1. Firefox (no higher than 56.0 if you plan to torrent).
2. NoScript add-on for Firefox.
3. Bluhell add-on for Firefox.
4. Self-destructing cookies add-on for Firefox.
5. Better-privacy add-on for Firefox.
6. Avast A/V downloads from Swedish website also get the latest signature file.
7. Glasswire 1.2 or latest.
8. Track Eraser Pro (oldie but goodie...not free).
9. CCleaner v5.10.5373…from China but we’ll block it.
10. Wise Registry cleaner…also from China.
11. BleachBit.
12. Keyscrambler for Firefox (not add-on...Filehippo.com).
13. *ToolwizTimerFreeze 2017 (do not install this one until EVERYTHING else has been done!)
NOTES:
1. All installations must be done OFFLINE!...disconnect your cat5 cable, turn of your NIC through the Taskbar or Control Panel > Network Sharing.
2. Every time Glasswire alerts you, you need to stop the connection by clicking on the FIRE icon next to the program that is calling out.
3. In Glasswire do not block:
a. Host Process for Windows Services
b. Firefox
c. Spooler SubSystem App
4. These steps will modify the Windows Firewall rules, Firefox and Windows startup services.
5. *Shadow Defender 1.4.0 is better than ToolwizTimerFreeze if you can find a free version
-----------------------------------------
SETUP (OFFLINE):
-----------------------------------------
1. Make sure you are OFFLINE!!! I cannot stress this enough!
2. Start installing software but NOT AT THE SAME TIME...some programs will require rebooting. DO NOT INSTALL ToolwizTimerFreeze YET!
Note: If you have another Anti-virus then leave it or replace it with Avast but DO NOT HAVE TWO!
3. Run Avast and under UPDATE cancel all automatic updates and under SETTINGS select MANUAL UPDATE. You will need to update manually by downloading
the signature files yourself. Do this every month or so. Also get them from the Swedish website or any European website where files are more secure due
to stronger privacy laws.
4. Several things need to happen in CCleaner:
a. Go to OPTIONS > SETTINGS and UNCHECK "Run CCleaner when the computer starts" and also "Automatically check for updates."
b. While there go to MONITORING and UNCHECK "Enable system monitoring" and also UNCHECK "Enable Active Monitoring."
c. Go to TOOLS > STARTUP, click on ENABLE to sort it by YES and NO and DISABLE all programs like Adobe, MS Office, iTunes, etc. DO NOT DISABLE:
1. Glasswire
2. Sidebar
3. Avast or other A/V
4. Keyscrambler
5. Track Eraser (not free)
6. ToolwizTimerFreeze (install last!!!)
7. Any other programs you really want running after bootup
d. Go to REGISTRY and run a SCAN FOR ISSUES then FIX any issues...close CCleaner from the Taskbar
5. Run Firefox and type "about:config"...we'll install the updates once we're back ONLINE!
a. Select "I accept the risk" and continue
b. Search for PEER and change it to "FALSE"
c. Search for NAV and also change it to "FALSE"
d. Search for UPDATE and change all to "FALSE"
Note:
a. Do not use Chrome...you can change the settings just like Firefox but its too intrusive and retains all your searches under your gmail/google account.
b. If you have trouble watching online videos then tinker with the NAV or PEER settings.
6. In Windows go to:
a. CONTROL PANEL > WINDOWS FIREWALL > ADVANCE SETTINGS
b. Select OUTBOUND RULES
c. Click on the PROFILE column to sort by PROFILES
d. Select all DOMAIN and click on DISABLE RULES
e. Select all PUBLIC and click on DISABLE RULES
f. Under PRIVATE and disable
1. NETWORK DISCOVERY
2. REMOTE ASSISTANCE
3. WINDOWS MEDIA PLAYER
4. CONNECT TO A NETWORK PROJECTOR
5. Any ICMPv6
g. Under "ALL" look for any of the above mentioned and DISABLE:
1. WINDOWS PORTABLE DEVICES
2. WINDOWS PEER TO PEER COLLABORATION
3. WINDOWS MEDIA PLAYER
h. If you have an NVIDIA card DISABLE "SHIELD" if you don't own one
7. While in FIREWALL:
a. Select INBOUND RULES
b. Click on the PROFILE column to sort by PROFILES
c. Select all DOMAIN and click on DISABLE RULES
d. Select all PUBLIC and click on DISABLE RULES
e. Under PRIVATE DISABLE:
1. All of the same from above
2. iSCSI Service
3. Anything that reads RPC
4. Distributed Transaction Coordinator
5. SNMP Trap Services
6. Windows Management Instrumentation
7. Performance Logs and Alerts
8. Windows Firewall Remote Management
9. Routing and Remote Access
10. Remote Service Management
11. Remote Volume Management
Note: DISABLE anything that reads REMOTE (RPC).
8. Create Firewall rules to block ports commonly used by hackers:
a. 445
b. 135-139
c. 1900
d. Google for additional ports and use nmap to check what ports are still open after all is done
Note: You can make a single rule with all the ports you need closed.
FIREFOX RULES (Optional)
9. If you want to keep an older version of Firefox for Torrent purposes then add the following rules to the OUTBOUND
Rules in the Firewall, Block the following files in c:\Program Files:
a. Updater
b. Ping Sender
c. Mini Dump Analyzer
d. Maintenance Installer
e. Maintenance Services
f. Crash Reporter
10. Before we close Firewall RIGHT CLICK on Windows Firewall with Advance Security on Local Computer then "EXPORT POLICY..." and save the file somewhere else.
Note: Every time you want a program blocked or a port closed or you block a program using Glasswire, you will have to export the profile. Then commonly
inconvenience is that the profile will NOT be saved as long as ToolwizTimerFreeze is running. Therefore you will need to turn off ToolwizTimerFreeze
then IMPORT the exported profile and finally TURN ON ToolwizTimerFreeze.
11. At the WINDOWS SEARCH PROMPT type "services" and select SERVICES and sort by STARTUP TYPE. DISABLE the following:
a. Adobe Acrobat
b. ASP .NET
c. Fax
d. Internet Connection Sharing
e. Media Center Extender
f. Microsoft .NET Framework
g. Net.Msmq Listener Adapter
h. Net.Pipe Listener Adapter
i. Net.Tcp Listener Adapter
j. NVIDIA Telemetry
k. Offline files
l. Parental Controls
m. Any REMOTE (RPC) services you find (there's two you cannot disable)
n. Routing and Remote Access
o. Secondary Logon
p. Security Center
q. Smart card
r. Table PC Input
s. Telephony
t. Windows Biometric
u. Windows Error Reporting
v. Windows Remote Management
w. Windows Update
Note: Research any other service you think is suspicious or you don't understand. Some of these may be needed for MOBILE computers.
12. Again under WINDOWS SEARCH PROMPT, select the BOOT tab then click on the ADVANCE OPTIONS... button. Make sure all your CORE PROCESSORS are being used and also MAXIMUM memory.
13. While there go to the SERVICES tab and sort by STATUS. Make sure all SERVICES you do not want are STOPPED and UNCHECKED.
14. Go to STARTUP tab and UNCHECK any other services you missed with CCleaner. Create a new FIREWALL RULE and STOP CCleaner from connecting OUTBOUND.
-----------------------------------------
Turn OFF Windows Updates (OFFLINE)
-----------------------------------------
1. While still OFFLINE, go to Control Panel > Windows updates
2. Click on Change SETTINGS
3. Select NEVER CHECK FOR UPDATES
4. Uncheck any boxes
-----------------------------------------
SETUP (ONLINE):
-----------------------------------------
1. Go ONLINE and keep an eye out for Glasswire and ANY alerts. Start blocking outgoing connections you do not want.
Note:
a. PS, If you open WINDOWS EXPLORER and leave it open for a while it will also try to connect to somewhere. BLOCK IT!!!!
b. You will have to block, export Firewall profile and IMPORT again until all programs STOP trying to connect out.
c. FYI...Glasswire will start populating new Firewall rules for you when you block something.
2. Open FIREFOX and go to www.expressvpn.com/webrtc-leak-test and see the results for WebRTC leaks. Changing the PEER and NAV settings should have stopped that. Google what WebRTC leaks are.
3. While in FIREFOX go to SETTINGS > ADD-ONS and search and install the add-one mentioned at the beginning.
a. NoScript
b. Bluhell
c. Self-destructing cookies
d. Better-privacy
4. Right click on the Internet Connection icon on the Taskbar. Then OPEN NETWORK AND SHARING CENTER > CHANGE ADAPTER SETTINGS.
a. Right click on the LOCAL AREA CONNECTION and select CREATE A SHORTCUT to your Desktop
b. Use it to TURN OFF your NIC NOW
5. Now that you're OFFLINE again run:
a. CCleaner REGISTRY CLEANER option and FIX any issues
b. Wise Registry Cleaner and do the same...this one captures more stuff
c. BleachBit and select all BUT NOT FREE DISK SPACE...you may need to LOGOFF or REBOOT
Note: The registry cleaning programs may delete the port rules.
6. Everything at this point should be ready to go. Install ToolwizTimerFreeze and select the directories you DO NOT want "frozen". This way you can add or delete files to them without having to turn
the program off every time.
Note:
a. After ToolwizTimerFreeze is set, you will need to play around with folders and files that you want to keep changing "NOT FREEZE".
b. This is the tricky part. You will also need to SHOW HIDDEN FILES from Control Panel to see certain folders that are hidden.
FINAL NOTE:
a. TURN OFF your NIC...then use ToolwizTimerFreeze to lock everything in its sandbox. You can then turn on your PC and not worry about data going out while its in idle and you don't need to be online.
b. This way you can use your computer but no data will be going out or coming in while you work OFFLINE.
ADDITIONAL NOTES:
-----------------------------------------
1. You will have to turn OFF ToolwizTimerFreeze for any update like in AVAST A/V or installing or removing programs.
2. Updating the A/V is the only thing I do so manually and not through the A/V itself. I download the updated signatures every month or so and do the update OFFLINE with ToolwizTimerFreeze off.
3. If you need to install new software you need to do so OFFLINE and with ToolwizTimerFreeze temporarily OFF.
4. Make sure you install all other software BEFORE ToolwizTimerFreeze is installed.
5. To create Restore Points or do backups do so while OFFLINE and with ToolwizTimerFreeze OFF and removed from the Taskbar. Once backup finishes turn ToolwizTimerFreeze ON again.
6. Do research online for Windows GODMODE. Copy the code line, Create a shortcut and rename it using that code.
7. Create a shortcut of your NIC. I recommend to always work offline.
8. Some folders need to be excluded for updating like My Documents, Picture, Downloads and other folders are hidden like Bookmarks for Firefox in AppData\Roaming.
9. To unhide folders go to Control Panel > Folder Options > View Tab > Show hidden files and folders.