 ________.__    _______            __                
 /  _____/|  |__ \   _  \   _______/  |_  ___________
/   \  ___|  |  \/  /_\  \ /  ___/\   __\/ __ \_  __ \
\    \_\  \   Y  \  \_/   \\___ \  |  | \  ___/|  | \/
 \______  /___|  /\_____  /____  > |__|  \___  >__|  
        \/     \/       \/     \/            \/       


/ DISCLAIMER: I personally do not use Windows, I wrote this guide to help #OpNewBlood, 
#Anonymous and everyone who is concerned about their online privacy. If I am missing
anything, do not hesitate to contact me and I will glady add them to this document.
I personally take no responsibility for what you or any else does with this information. 
This tutorial took me a long time to complete but I believe that all information 
deserves to be FREE. So feel free to reproduce, copy, save, or edit this document to 
what you see fit.


Windows 8.1 Secure Installation and Security Hardening Guide:
=================================================================

Requirements:
- A Computer.
- A Brain.
- A Windows 8.1 .iso file with a serial key.
- x2 4GB USB Drives and/or x2 4GB DVDs.
- A backup hard drive of important files.

So, let's begin!
=================================================================
[01] Preparations:

/ Go ahead and backup all your important files now on a separate USB drive or 
external hard drive.

/ Put your Windows 8.1 .iso file onto a 4GB USB drive or a DVD.

/ Download the latest version of Ubuntu Linux form here: http://www.ubuntu.com/

/ After the Ubuntu .iso file is downloaded, completely disconnect from the 
Internet/Blutooth/NFC, ect. Plug in your USB drive.

/ Open up a command line [cmd.exe] and type: >diskpart
					     >list disk
					     >select disk [Insert drive letter]
				         >clean
					     >create partition primary
					     >select partition 1
					     >format fs=fat32
					     >active
					     >assign

/ Unpack the Ubuntu .iso file by highlighting all the files, right click, 
click on properties and set the read-only flag to ENABLE.

/ Highlight all the .iso files again and copy/paste them onto the newly 
prepared USB drive. After this is finished, rename the USB drive to something 
like "Ubuntu_Linux" or something of that sort.

=================================================================
[02] Preparing DBAN Data Destruction:

/ Download DBAN: http://www.dban.org/download

/ Burn the DBAN .iso file onto a DVD or make a bootable USB drive by placing 
all of the DBAN files onto the USB drive.

/ Restart the computer and press either ESC/DEL/F2/F10/F11/F12 to enter your BIOS.

/ Set the boot order option in your BIOS to boot from your USB drive or DVD 
with the DBAN .iso

/ If you BIOS is running UEFI BIOS, you will need to disable the "Secure Boot" 
option.

/ Boot up DBAN

/ Select the Department of Defense Standards Data Destruction option and allow 
it to completely wipe your hard drive with 7 passes. Effectively and 
irrecoverably wiping your hard drive to all "0"'s.

/ WARNING!!: THIS WILL DESTROY ALL DATA ON THE DRIVE MAKING IT IRRECOVERABLE! 
IT WILL ALSO TAKE 24+ HOURS TO COMPLETE DEPENDING ON DRIVE CAPACITY!! 1TB = ~26hrs.

=================================================================
[03] Preparing Hard Drive for Installation:

/ After DBAN is finished running, boot up the Ubuntu Live USB and open up a 
program called "GParted".

/ Start Gparted and select hda. Delete all partitions on your hard drive, 
create a new partition to NTFS, format and click "Apply All Operations".

=================================================================
[04] Preparing Windows 8.1 For Installation:

/ Insert your USB drive with the Windows 8.1 .iso files on it. Unpack it to 
the desktop.

/ Open up GParted again and select the USB drive, delete all partitions, 
create the primary partition, format to FAT32 and click "Apply All 
Operations".

/ Right click the partition and click "Manage Flags" and enable to "Boot" flag 
and click "Apply"

/ Copy the contents of the mounted Windows 8.1 .iso file onto the newly 
created USB drive.

/ Now safely eject the USB drive from the computer.

=================================================================
[05] Gathering Software and Hardware Drivers:

/ While still on the Ubuntu Live OS, you are going to need to download all of 
your hardware drivers. You can do this by looking up your specific hardware on 
the manufacturers website and download the newest up-to-date drivers. Place 
these files on another means of storage, either on your external hard drive 
where you kept your backup, or on another USB drive.

/ If your BIOS does not have an "Update" or a "Flashing" option, you most 
likely have to download your up-to-date BIOS flashing kit right from your 
motherboards manufacturers website by looking up your motherboard or prebuilt 
computers serial number, usually located on the bottom of your computer or in 
the manual for your hardware. Installing a new BIOS version will eliminate 
well coded RATs and other malware such as a bootkit that can hide in your BIOS 
ROM chip on your motherboard, these malicious programs can re-install 
themselves every time you power up your computer. After the BIOS flashing kit 
is downloaded, place these files on another means of storage, either on your 
external hard drive where you kept your backup, or on another USB drive.

/ If you can flash your BIOS from the Unbuntu live OS, do that now. If you 
cannot, you are going to need to wait until after you install Windows 8.1.

/ Now go ahead and head over to your hardware manufacturers website and 
download all of your hardware drivers. You will need to install then in the 
later steps.

/ Now we can start to gather the installers for the software you will be using 
to harden your Windows 8.1 OS.

/ Download the all of the following programs:
  - MalwareBytes Offline Installer with up-to-date malware database.
    Download: https://www.malwarebytes.org/mwb-download/
    Discription: A decent anti-malware program that offers daily malware database updates.
    Serial Key: MC3ZJ-D2NBW-ZF4PG-23784

  - ClassicShell Start Menu.
    Download: http://www.classicshell.net/downloads/
    Description: Makes your Windows 8.1 skip the metro screen and replaces it  
    with the good old Windows 7 start menu. Allows for full customization.

  - Mozilla Firefox Offline Installer. [See below for installation guide].
    Download: https://www.mozilla.org/en-US/firefox/all/
    Description: Offers superior security and a way larger addon repo then any 
    other of the mainstream browsers. Allows for full customization.

  - Microsoft Enhanced Mitigation Experience Toolkit [EMET].
    Download: https://www.microsoft.com/en-us/download/details.aspx?id=43714
    Description: EMET uses 12 specific mitigation techniques that seek to      
    prevent exploits related to memory corruption, making it     
    harder for attackers to find and exploit vulnerabilities,   
    Including:
    - Data execution prevention -> A security feature that helps  
      prevents code in system memory from being used incorrectly.
    - Mandatory address space layout randomization -> A technology
      that makes it difficult for exploits to find specific addresses 
      in a system's memory.
    - Structured exception handler overwrite protection -> A mitigation that blocks 
      exploits that attempt to exploit stack overflows.
    - Export address table access filtering -> A technology that blocks an exploit's
      ability to find the location of a function.
    - Anti-Return Oriented Programming -> A mitigation technique that prevents
      hackers from bypassing DEP.
    - SSL/TLS certificate trust pinning -> A feature that helps detect 
      man-in-the-middle attacks leveraging the public key infrastructure.

  - Piriform CCleaner.
    Download: https://www.piriform.com/ccleaner/download
    Description: Stands for Crap Cleaner, it has the ability to securely 
    destroy data, temporary files and unused registry keys.

  - KeePass Password Database [Not necessary if you can remember long complex passwords].
    Download: http://keepass.info/
    Discription: This software creates very long and randomly generated mixed 	
    ASCII characters and numbers. It also stores them in a nice   
    layout for you. You can use these randomly generated passwords for all of the 
    Anonymous accounts that you create.

  - Software Update Monitor [SUMo].
    Download: http://www.kcsoftwares.com/?sumo
    Description: SUMo keeps your PC up-to-date and safe by using the most 
    recent version of your favorite software. Unlike built-in auto 
    update features, SUMo tells you if updates are available 
    before you need to use your software. 

  - OpenDNS Crypt.
    Download: https://github.com/opendns/dnscrypt-win-client
    Description: DNSCrypt is a piece of lightweight software that everyone     
    should use to boost online privacy and security. It works by 
    encrypting all DNS traffic between the user and OpenDNS,    
    preventing any spying, spoofing or man-in-the-middle attacks.

  - Piriform Speccy.
    Download: https://www.piriform.com/speccy
    Description: Displays detailed information about your computer hardware 
    and external devices. Comes in handy when trying to gather your system     
    information. 

  - VeraCrypt.
    Download: https://veracrypt.codeplex.com/
    Description: VeraCrypt is encryption software, designed from the outdated  
    TrueCrypt. It allows you to create hidden and encrypted volumes so you 
    have full deniability if you get v& [Arrested] and/or get your computer 
    seized.    
   
/ Download all of the installers for the software that you plan on using now. 
Like audio players, video players, image viewers, photo and video editors, 
ect. Make sure these installers are downloaded DIRECTLY from the software 
manufacturers website. DO NOT download from torrent sites, third-party sites, 
YouTube, forums, ect! 

=================================================================
[06] BIOS Configuration:

/ Reboot the computer and press either ESC/DEL/F2/F10/F11/F12 to enter your 
BIOS.

/ Place a password on your BIOS and as well as your hard drive if you have the 
option.

/ Enable the following options [If you have them]:
  - Enable Secure Boot.
  - Enable Fast Boot.
  - Install Default Secure Boot keys.

/ Set the first boot option to the Windows 8.1 USB bootloader you created 
earlier. Save changes and exit.

=================================================================
[07] Windows 8.1 Installation:

/ Boot up the Windows 8.1 USB bootloader. Set your timezone, language, 
keyboard layout, ect.

/ When you get to the storage settings screen, you are going to want to click 
on "Delete All Partitions". Then click "New", create the primary partition and 
make it 128GB - 256GB depending on your storage capabilities [This is where 
the Windows 8.1 OS will be installed].

/ Next, click on "New" and create a the secondary partition with the rest of 
the storage space. Or another hard drive depending on your computer 
configuration.

/ Be sure for format each partition and/or hard drive at least 3 times in a 
row. This is important for consistency.

/ Next, install the Windows 8.1 OS onto the 128GB-256GB partition you just 
created.

/ Wait until your computer loads the Windows 8.1 installation. Then select 
your language, timezone and currency format, and your keyboard input. Click 
"Next" and then click "Install Now".

/ Now you are going to need to put in your Windows 8.1 serial key. If you do 
not have a serial key, then you are going to need to find one online. There 
are a lot of websites out there dedicated to the free release of Windows OS 
serial keys. I would recommend https://www.serials.ws/. DON'T BE DUMB, DO NOT 
DOWNLOAD ANYTHING. It should be a plain-text serial key.

/ Now create your administrator account. Its recommended that you do not name 
it something such as your screen names, real name, aliases, admin, ect. Name 
it something simple such as "Primary" or "SuperUser" or "Root". Next, give 
your new account a STRONG password. At least 10 characters is recommended.

/ Disable ALL of the options that invade your privacy, Which is pretty much 
all of them. Make sure you enable the "Do Not Track" and the "Smart Screen 
Filter" options.

/ After the Windows 8.1 OS is installed, completely disconnect from the 
internet. Insert the USB drive or external hard drive where you stored all of 
your software installations, hardware drivers and BIOS flashing kit. [If you 
were able to flash your BIOS from the Ubuntu Live OS or directly from your 
BIOS configuration, you may skip the next step].

/ If you could not flash your BIOS from the Ubuntu Live OS or directly from 
your BIOS, do that now by running the BIOS flashing executable. After its 
installed, you are going to have to reboot your computer to the Ubuntu Live OS 
again and wipe your hard drive again [Refer to step 03]. After this is 
finished you are going to have to re-install Windows 8.1 and re-configure 
everything again [Refer to step 07]. I know this is a huge pain, but doing 
this will insure that there is no malware hiding out on your BIOS ROM chip.

/ Install the .NET 4.0 and .NET 4.5 framework by pressing the Windows key + X, 
click on "Command Prompt (Admin)" and run the following command:
  DISM /Online /Enable-Feature /FeatureName:NetFx3 /All /LimitAccess /Source:x:\sources\sxs.
  [Replace x:\ with the drive letter of your Windows 8.1 installation media is assigned].

/ Connect to the internet.

/ Next, press the Windows key and search "Update" and open "Window Update". 
You are going to want to do a FULL update. Excluding anything to do with 
Windows 10 [Because Windows 10 is basically government spyware]. Do not do 
anything else on your computer, simply just allow the updates to download and 
install, then reboot your computer.

/ Now you can go ahead and install all of your hardware drivers.

/ Update DirectX by downloading and running this package: 
https://www.microsoft.com/en-us/download/details.aspx?id=17431

/ Open a command prompt with administrator privileges by pressing the Windows 
key + X and click on "Command Prompt: Administrator" and run the following 
command: SFC /SCANNOW. You should get a response back after it is finished 
scanning that reads "File Integrity Check completed and no errors were found".

/ While still in the administrative command prompt, you are going to copy and 
paste all of the following commands [This will UNINSTALL everything to do with 
Microsoft's spy updates]:

@echo off

echo

echo Delete KB3075249 (telemetry for Win7/8.1)
start /w wusa.exe /uninstall /kb:3075249
echo Delete KB3080149 (telemetry for Win7/8.1)
start /w wusa.exe /uninstall /kb:3080149
echo Delete KB3021917 (telemetry for Win7)
start /w wusa.exe /uninstall /kb:3021917
echo Delete KB3022345 (telemetry)
start /w wusa.exe /uninstall /kb:3022345
echo Delete KB3068708 (telemetry)
start /w wusa.exe /uninstall /kb:3068708
echo Delete KB3044374 (Get Windows 10 for Win8.1)
start /w wusa.exe /uninstall /kb:3044374
echo Delete KB3035583 (Get Windows 10 for Win7sp1/8.1)
start /w wusa.exe /uninstall /kb:3035583
echo Delete KB2990214 (Get Windows 10 for Win7 without sp1)
start /w wusa.exe /uninstall /kb:2990214
echo Delete KB2990214 (Get Windows 10 for Win7)
start /w wusa.exe /uninstall /kb:2990214
echo Delete KB2952664 (Get Windows 10 assistant)
start /w wusa.exe /uninstall /kb:2952664
echo Delete KB3075853 (update for "Windows Update" on Win8.1/Server 2012R2)
start /w wusa.exe /uninstall /kb:3075853
echo Delete KB3065987 (update for "Windows Update" on Win7/Server 2008R2)
start /w wusa.exe /uninstall /kb:3065987
echo Delete KB3050265 (update for "Windows Update" on Win7)
start /w wusa.exe /uninstall /kb:3050265
echo Delete KB971033 (license validation)
start /w wusa.exe /uninstall /kb:971033
echo Delete KB2902907 (description not available)
start /w wusa.exe /uninstall /kb:2902907
echo Delete KB2976987 (description not available)
start /w wusa.exe /uninstall /kb:2976987

echo Step 2: Blocking Routes

route -p add 23.218.212.69 MASK 255.255.255.255 0.0.0.0
route -p add 65.55.108.23 MASK 255.255.255.255 0.0.0.0
route -p add 65.39.117.230 MASK 255.255.255.255 0.0.0.0
route -p add 134.170.30.202 MASK 255.255.255.255 0.0.0.0
route -p add 137.116.81.24 MASK 255.255.255.255 0.0.0.0
route -p add 204.79.197.200 MASK 255.255.255.255 0.0.0.0

Part 2

echo Step 3: Disabling tasks

schtasks /Change /TN "\Microsoft\Windows\Application Experience\AitAgent" 
/DISABLE
schtasks /Change /TN "\Microsoft\Windows\Application Experience\Microsoft 
Compatibility Appraiser" /DISABLE
schtasks /Change /TN "\Microsoft\Windows\Application Experience 
\ProgramDataUpdater" /DISABLE
schtasks /Change /TN "\Microsoft\Windows\Autochk\Proxy" /DISABLE
schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement 
Program\Consolidator" /DISABLE
schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement 
Program\KernelCeipTask" /DISABLE
schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement 
Program\UsbCeip" /DISABLE
schtasks /Change /TN "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-
DiskDiagnosticDataCollector" /DISABLE
schtasks /Change /TN "\Microsoft\Windows\Maintenance\WinSAT" /DISABLE
schtasks /Change /TN "\Microsoft\Windows\Media Center\ActivateWindowsSearch" 
/DISABLE
schtasks /Change /TN "\Microsoft\Windows\Media Center
\ConfigureInternetTimeService" /DISABLE
schtasks /Change /TN "\Microsoft\Windows\Media Center\DispatchRecoveryTasks" 
/DISABLE
schtasks /Change /TN "\Microsoft\Windows\Media Center\ehDRMInit" /DISABLE
schtasks /Change /TN "\Microsoft\Windows\Media Center\InstallPlayReady" 
/DISABLE
schtasks /Change /TN "\Microsoft\Windows\Media Center\mcupdate" /DISABLE
schtasks /Change /TN "\Microsoft\Windows\Media Center\MediaCenterRecoveryTask" 
/DISABLE
schtasks /Change /TN "\Microsoft\Windows\Media Center\ObjectStoreRecoveryTask" 
/DISABLE
schtasks /Change /TN "\Microsoft\Windows\Media Center\OCURActivate" /DISABLE
schtasks /Change /TN "\Microsoft\Windows\Media Center\OCURDiscovery" /DISABLE
schtasks /Change /TN "\Microsoft\Windows\Media Center\PBDADiscovery" /DISABLE
schtasks /Change /TN "\Microsoft\Windows\Media Center\PBDADiscoveryW1" 
/DISABLE
schtasks /Change /TN "\Microsoft\Windows\Media Center\PBDADiscoveryW2" 
/DISABLE
schtasks /Change /TN "\Microsoft\Windows\Media Center\PvrRecoveryTask" 
/DISABLE
schtasks /Change /TN "\Microsoft\Windows\Media Center\PvrScheduleTask" 
/DISABLE
schtasks /Change /TN "\Microsoft\Windows\Media Center\RegisterSearch" /DISABLE
schtasks /Change /TN "\Microsoft\Windows\Media Center\ReindexSearchRoot" 
/DISABLE
schtasks /Change /TN "\Microsoft\Windows\Media Center\SqlLiteRecoveryTask" 
/DISABLE
schtasks /Change /TN "\Microsoft\Windows\Media Center\UpdateRecordPath" 
/DISABLE

echo Step 4: Killing Diagtrack-service (if it still exists)

sc stop Diagtrack
sc delete Diagtrack
echo Final Step: Stop remoteregistry-service (if it still exists)
sc config remoteregistry start= disabled
sc stop remoteregistry

echo All done, go to reboot!

pause


/ Reboot your computer.

=================================================================
[08] Creating an Organized Software File System:

/ It is always a good idea to have a secure and organized file structure so 
you can find files with ease.

/ Usually on a Windows OS, when you install new software on your computer, it 
defaults to "C:\Program Files" or "C:\Program Files (x86)". You are going to 
need to right click on both of these files, click "Properties", click on the 
"Security" tab, then click on "Edit". Now modify the permissions to "Read, 
Write and Execute" ONLY for the Administrator or Super User account. For 
normal users, the permissions should be only "Read and Execute".

/ Create a new folder called "Applications" under "C:\Program Files" and "C:
\Program Files (x86)".

/ Under the new "Applications" folders, create some sub-folders for your 
software. Name them in an organized way like "Audio", "Graphics", "Internet", 
"Tools", "Video", ect.

/ Now whenever you install new software, you may install them to these 
directories. Whenever you install new software, be 100% sure that the software 
is genuine and was downloaded directly from the manufacturers website. NEVER 
download anything from a third-party source like torrents, YouTube, IRC, 
Forums, ect.

=================================================================
[09] System Configuration:

/ Right click on your taskbar and then click "Properties". In the "Taskbar" 
tab and disable the "Use peek to preview the desktop" option. Click on the 
"Jump Lists" tab set the "Number or recent items to display in Jump Lists" 
option to 0. Now disable both the "Store recently opened programs" and "Store 
and display recently opened items in Jump Lists" options.

/ Press the Windows key + X and click on "System", then click "Advanced 
Settings". Click on the "Advanced" tab and then in the performance box, click 
on "Settings". Click on the "Visual Effects" tab and enable the "Adjust for 
best performance" option and enable ONLY the "Show thumbnails instead of 
icons: option.

/ Next, click on the "Advanced" tab that is next to the "Visual Effects" tab, 
under "Adjust for best performance", select the "Programs" option. Now under 
the "Virtual Memory" box, click "Change" and disable the "Automatically manage 
paging file size for all drives". Now click on your C:\ drive and enable the 
"No paging file" option. Do this for all drive letters. Then click "Set" and 
then click on "Yes", then click "OK" to close the popup window.

/ Click on the "Data Execution Prevention" tab and enable the "Turn on DEP for 
all programs and services except those I select". Then click "OK" to return to 
the "System Properties" window. Now click on the "System Protection" tab and 
delete all restore points and turn off system protection. Now click on the 
"Remote" tab and disable the "Allow Remote Assistance connections to this 
computer" and enable the "Don't allow remote connections to this computer" 
option. Click on the "Computer Name" tab and give your computer a name and 
change your WORKGROUP to "YourComputerName-WORKGROUP".

/ Now goto your C:\ drive on your file explorer and create a new folder called 
"Temporary". Now go back to the "System Properties" window and click on 
"Environment Variables" and set both the TMP and TEMP variables to "C:
\Temporary" [You will have to do this for every user account that you create]. 
Go back to "C:\Temporary" and right click on this file, set the permissions to 
Read, Write and Execute ONLY for Administrators and Read and Execute for 
normal users.

/ Press the Windows key + R and type ncpa.cpl to open your network 
connections. Right click on you network adapters and click on "Properties" and 
disable all of the options except for IPv4 [And IPv6 if you use that]. 
Highlight the IPv4 option and click on "Properties", then click on "Advanced" 
near the bottom of the popup window. Click on the "DNS" tab and disable the 
"Register this connections address in DNS" option. Click on the "WINS" tab and 
disable the "Enable LMHOSTS lookup". Now under the NetBIOS box, enable the 
"Disable NetBIOS over TCP/IP" option, then click "OK". Repeat this step on ALL 
of your network adapters. This includes the Virtual TAP adapters that are 
installed with any OpenVPN client.

/ Press the Windows key + X and click on "Programs and Features" then click on 
"Turn Windows features on or off" and disable the "Internet Explorer 10", 
"Windows Identity Foundation", "Windows Location Provider" and "Windows 
Process Activation Service" options. Now enable the "Telnet Client" option, 
because chances are you are going to need it. Reboot your computer.

/ After your computer boots back up, open the Control Panel by pressing the 
Windows key + X and clicking on "Control Panel". Click on "Display" and enable 
the "ClearType Text" option. Go back to the Control Panel and click on "File 
History" and disable ALL file history. Click on "Folder Options" and disable 
the "Hide Extensions for Known File Types" option. 

/ Now click on "Internet Options" and configure the following settings:
  - Click the "General" tab, click on "Settings", then click "Temporary        
    Internet Files" tab and set the "Check for newer versions of stored 
    pages" to "Every time I visit the webpage". Now set the "Disk space to 
    use" option to 8MB.
  - Click on the "History" tab and set the "Days to keep pages in history" to 0.
  - Go to the "Caches and Databases" tab and disable the "Allow website caches 
    and databases" option. Press "OK".

/ Click on the "Security" tab and set the security level to "High". Do this 
for all zones [Internet, Local Intranet, Trusted Sites and Restricted Sites]. 
Then click "Apply".

/ Go to the "Privacy" tab and click "Advanced" and enable the "Override 
automatic cookie handling" option and set both the "First Party" and Third 
Party" cookies options to "Block". Now disable the "Always allow session 
cookies" option. Click "OK". Then enable the "Turn on Pop-up Blocker" option 
then click on the "Settings" button and set the "Blocking Level" to "High: 
Block all pop-ups (Ctrl+Alt to override)". Click "Close".

/ Now in the "Content" tab and click "Settings" next to AutoComplete, disable 
both the "Forms" and "User names and passwords on forms" options and click on 
the "Delete AutoComplete history" button and select all of the checkboxes and 
click "Delete". Click "OK". Now, click on the second "Settings" button that's 
next to Feeds. Disable the "Automatically check feeds for updates" and the 
"Turn on feed readin view" options. Click "OK".

/ Enter the "Program" tab and click on "Manage Addons" and disable ALL addons 
in under the "Add-ons that have been used by your browser" drop down menu. Now 
go to the "Run without permission" option under the drop down menu and disable 
ALL of the addons. Next, click on the "Downloaded controls" option and disable 
ALL of the addons there, if you have any.

/ Next, click on the "Advanced" tab and DISABLE the "Allow active content from 
CDs to run on My Computer", "Allow active content to run in files on My 
Computer", "Allow software to run or install even if the signature is 
invalid", "Enable DOM storage" and "Use SSL 2.0" options. Now you are going to 
ENABLE the following options, "Block unsecured images with other mixed 
content", "Do not save encrypted pages to disk", "Empty Temporary Internet 
Files folder when browser is closed" and "Send Do Not Track request to sites 
you visit in Internet Explorer", click "Apply".

/ Now head back to the control panel and click on "Location Settings", disable 
the "Turn on the Windows Location platform" and the "Help improve Microsoft 
location services" options. Click "Apply".

/ If you are using a laptop, go back and click on "Power Options" and choose a 
power plan that suits your needs. Then click "Choose what closing the lid 
does", set "When I press the power button" to "Shut down". Now set the "When I 
press the sleep button" to "Do nothing". Now set the "When I close the lid" 
option to "Shut down". Next, enable the "Require a password (Recommended)" 
option, enable the "Turn on fast startup (Recommended)" and the "Lock"
options. Click "Save changes". MAKE SURE that both "Hibernation" and "Sleep" 
modes are completely DISABLED. There is software that can extract your 
BitLocker encryption key from your RAM. Always shut down your computer after 
you are finished using it.

/ Click on "Windows Defender" and click on the "Update" icon. After that is 
completed, click on the "Settings" tab and enable the "Turn on real-time 
protection (Recommended)" option. Click on the "Advanced" option on the left 
side of the window and enable the "Scan archive files", "Scan removable 
drives" and "Remove quarantined files after: 1 day". Now click on "MAPS" and 
enable the "I don't want to join MAPS" option. Now click "Save changes".

/ Press the Windows key and search "User Account Control" and change the 
slider bar to "Always Notify", then click "OK".

=================================================================
[10] Software Installation and Configuration:

/ Install the following software to the directories you created in the earlier 
steps and configure them.
  - Software: SUMo
    Configuration: Simply run the installer and install it.

  - Software: Mozilla Firefox Offline Installer
    Configuration: Run the installer and install it. Now you can go ahead and  
    configure your Firefox by following the below guide. Things marked with   
    "**" are essential for security and privacy. [This version is condensed, 
    you can read the full Firefox Security Hardening tutorial here:         
        http://pastebin.com/fn7VHwhm

/ Extensions:
-> **[NoScript]
Download: https://addons.mozilla.org/en-us/firefox/addon/noscript/
Features: Protects you from XSS and clickjacking attacks, also enables click 
to load Flash and Java.

-> **[HTTPS-Everywhere]
Download: https://www.eff.org/https-everywhere
Features: Forces HTTPS whenever possible.

-> **[AdBlock Edge]
Download: https://addons.mozilla.org/en-US/firefox/addon/adblock-edge
Features: Blocks intrusive and non-intrusive ads on all websites. It also does 
not have the "Acceptable Ads" feature.

-> **[Random Agent Spoofer]
Download: https://addons.mozilla.org/en-US/firefox/addon/random-agent-spoofer
Features: Provides many user agent spoofing options. Over 100 different 
browsers, has the option to send spoofed headers and much more.

-> **[RequestPolicy]
Download: https://addons.mozilla.org/en-us/firefox/addon/requestpolicy/
Features: Protects you against CSRF attacks and allows you to be in control of 
all cross-site requests.

-> **[Cookie Controller]
Download: https://addons.mozilla.org/en-US/firefox/addon/cookie-controller/
Features: Browse, manage and remove cookies from sites.

-> **[FoxyProxy Standard]
Download: https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard
Features: Advanced proxy management tool for Firefox, way better than the one 
included with Firefox.

-> **[Disconnect]
Download: https://addons.mozilla.org/en-US/firefox/addon/disconnect
Features: Stops tracking by about 2000 third party websites, makes loading 
pages about 27% faster.

-> **[Privacy Badger]
Download: https://addons.mozilla.org/en-US/firefox/addon/privacy-badger-firefox
Features: Protects privacy by blocking spying ads and invisible trackers.

-> **[Modify Headers]
Download: https://addons.mozilla.org/En-us/firefox/addon/modify-headers
Features: Add/Modify/Filter HTTP headers. Useful for mobile development, HTTP 
testing and privacy.

-> **[CrytoCat]
Download: https://addons.mozilla.org/en-US/firefox/addon/cryptocat
Features: Instant encrypted conversations, open source, private, safer 
communications. Uses the OTR encrypted messaging protocol.

/ You can access these configurations by typing in "about:config" in the URL bar.

-> **Turn off Geo-location:
geo.enabled => false
geo.wifi.uri => 127.0.0.1

-> **Override the useragent to most common useragent [Not needed with UA Switcher]:
New > string: general.useragent.override =>
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0

-> **Disable DNS prefetching:
network.prefetch-next => false 
network.dns.disablePrefetch => false
webgl.disabled => true
devtools.cache.disabled => true
browser.sessionstore.privacy_level => 2

-> **Disable referer headers:
network.http.sendRefererHeader => 0
network.http.sendSecureXSiteReferrer => false
network.http.referer.XOriginPolicy => 1
network.http.referer.spoofSource => true
network.http.referer.trimmingPolicy => 2

-> **Enable HTTP pipelineing regularly, on SSL pages, and on proxies, respectively:
network.http.pipelining => true
network.http.pipelining.ssl => true
network.http.proxy.pipelining => true
network.http.pipelining.maxrequests => 10

-> **Prevent child windows/tabs from spawning:
dom.disable_window_open_feature.resizable => false

-> **Disable insecure RC4 encryption protocol:
security.ssl3.ecdhe_ecdsa_rc4_128_sha => false
security.ssl3.ecdhe_rsa_rc4_128_sha => false
security.ssl3.rsa_rc4_128_md5 => false
security.ssl3.rsa_rc4_128_sha => false

-> **Disable Firefox telemetry:
toolkit.telemetry.enabled => false

-> **Allow cookies only from the originating server [Not needed with Cookie Manager]:
network.cookie.cookieBehavior => 1
network.cookie.lifetimePolicy => 2

-> **Reduce RAM usage for Firefox cache feature:
browser.sessionhistory.max_total_viewers => 0

-> **Set a "do-not-track" header to tell sites not to track browsing habits:
privacy.donottrackheader.enabled => true
privacy.donottrackheader.value => 1

-> **Disable Google Blacklists and Safebrowsing:
browser.safebrowsing.enabled => false
browser.safebrowsing.maleware.enabled => false
browser.safebrowsing.appRepURL => blank
browser.safebrowsing.downloads.enabled => false
browser.safebrowsing.gethashURL => blank
browser.safebrowsing.malware.reportURL => blank
browser.safebrowsing.reportErrorURL => blank
browser.safebrowsing.reportGenericURL => blank
browser.safebrowsing.reportMalwareErrorURL => blank
browser.safebrowsing.reportMalwareURL => blank
browser.safebrowsing.reportPhishURL => blank
browser.safebrowsing.reportURL => blank
browser.safebrowsing.updateURL => blank
services.sync.prefs.sync.browser.safebrowsing.enabled => false
services.sync.prefs.sync.browser.safebrowsing.malware.enabled => false

-> **Disable pings:
browser.send_pings => false
browser.send_pings.require_same_host => true

-> **Disable Firefox health report:
datareporting.healthreport.uploadEnabled => flase

-> **Disable DOM storage:
dom.storage.enabled => false
dom.event.clipboardevents.enabled => false

-> **Disable suggestions on searchbar:
browser.search.suggest.enabled => false

-> **Disable keywords:
keyword.enabled => false

-> Disable certificates:
browser.ssl_override_behavior => 2

-> **Disable DNS proxy bypass:
network.proxy.socks_remote_dns => true

-> **Disable crash reporting:
breakpad.reportURL => blank
In application.ini in the Firefox folder,
[Crash Reporter]Enabled=1 => [Crash Reporter]Enabled=0

-> **Disable caching on hard drive:
browser.cache.disk.enable => false
browser.cache.offline.enable => flase
browser.cache.disk.capacity => 0
browser.cache.offline.capacity => 0

-> **Do not cache HTTP or HTTPS files:
network.http.use-cache => false

-> **Disable navigator.sendBeacon:
beacon.enable => flase

-> **Disable WebRTC:
media.peerconnection.enabled => false


  - Software: Java.
    Configuration: Open you Control Panel by pressing the Windows key + X, 
    then click on "Java Options", click on the "General Tab" and then click on 
    "Settings" and disable the "Keep temporary files on my computer" 
    option and then click on "Delete Files" then click "OK". Go to the 
    "Security" tab and uncheck the "Enable Java content in the browser" check 
    box. Click "Apply".

  - Software: MalwareBytes Offline Installer with up-to-date Malware Database.
    Configuration: Run the installer and install the software. Once finished,  
    open MalwareBytes and click on "My Account". Enter this serial key: 
    MC3ZJ-D2NBW-ZF4PG-23784. Now you have the preimium version for life! Next, 
    click on the "Settings" tab and click on "Detection and Protection", 
    enable the "Use Advanced Heuristics Engine [Shuriken]", "Scan for 
    Rootkits" and "Scan within archives" options. Now select "Treat 
    detections as malware" for both the "Potentially Unwanted Program 
    [PUP]" and "Potentially Unwanted Modifications [PUM]" options. Next, click 
    on "History Settings" and disable the "Help fight malware by anonymously 
    providing historical information" option, also enable the "Don't export 
    log information" option [Unless you want MalwareBytes to keep logs, its 
    up to your preferance].

  - Software: ClassicShell Start Menu.
    Configuration: Run the installer and install the software. Optionally, you 
    can download different start buttons for further configurations from      
    DeviantArt.com, heres a pack that I would recommend:                    
    http://w1ck3dmatt.deviantart.com/art/Mega-Orb-Pack-150-start-orbs-259940654

  - Software: Piriform CCleaner.
    Configuration: Run the installer and install the software. When the 
    install is finished, click the "Cleaner" button and check all of the check 
    boxes under the "Windows" and "Applications" tabs. Next, click the 
    "Registry" button and enable all of the check boxes. Now click on the 
    "Options" button and click on "Settings". Check the "Automatically check 
    for updates to CCleaner" option. Now, enable the  "Secure file 
    deletion [Slower]" and set the drop down menu to "Complex Overwrite [7 
     passes]" and enable the "Wipe Alternate Data Streams", "Wipe Cluster 
     Tips" and "Wipe MFT Free Space"  options.

  - Software: OpenDNS Crypt.
    Configuration: Run the installer and install the software. Then open the   
    software and enable the "Enable OpenDNS", "Enable DNSCrypt" and "DNSCrypt 
    over TCP / 443 [slower]" options. If everything is configured correctly  
    then the DNSCrypt icon on the taskbar should be green.

/ Install and configure all of your other software that you downloaded in the 
previous steps now.

  - Software: Microsoft Enhanced Mitigation Experience Toolkit [EMET].
    Configuration: Set everything to "Always On" and reboot your computer.     
    After your computer boots back up, open EMET and click on "Apps", then    
    click "Add Applications". Now navigate to "C:\Program Files" directory 
    and in the search box, type ".exe". Once all of the files have been 
    found, press Ctrl + A to highlight everything and then click "Open". 
    Now reboot your computer again if necessary.

=================================================================
[11] Windows Firewall Configuration:

/ When it comes to firewall configuration, it is always best practice to 
disable EVERYTHING and just poke holes in your firewall to allow basic and a 
few advanced functions. This is exactly what we will be doing.

/ Press the Windows key and search "Windows Firewall" and open the "Windows 
Firewall with Advanced Security".

/ Click on "Windows Firewall Properties" and set the "Domain Profile", 
"Private Profile" and "Public Profile" tabs to "On" and set the "Inbound 
connections"  to "Block all incoming connections" and the "Outbound 
connections" to "Block". Click "Apply".

/ Now click on the "Inbound Rules" table and press Ctrl + A to highlight all 
of the inbound rules and right click and click "Delete". Always keep the 
"Inbound Rules" section of your firewall empty, this will insure that no 
connections are coming into your computer from the outside.

/ Next, click on the "Outbound Rules" table and press Ctrl + A to highlight 
all of the rules, then right click and click "Disable All". Now you are going 
to enable the entries that are called "Core Networking" that deal with IPv4 
and IPv6 [If you use IPv6]. Also enable IPHTTPS and DHCP [If you are not using 
a static IP configuration]. Then delete all other rules.

/ This part is going to take some time. You are going to need to manually 
configure ALL of your software that needs to connect to the Internet. Things 
like your Firefox, IRC client, ect. You can do this now by clicking on the 
"Outbound Rules" and clicking on the "New Rule" button, click "Program" then 
click "Next". Now click on "Browse" and navigate to the directories where your 
software is installed, it should be a ".exe" file. Click "Next", click on 
"Allow this connection", click "Next" again and name the rules in an organized 
way. Such as "Software->Internet->Firefox" or "Software->Security->DNSCrypt" 
and so on. You will need to do this for all software that needs internet 
connectivity.

=================================================================
[12] VeraCrypt and BitLocker Hard Drive Encryption:

/ First off, you are going to need to have VeraCrypt [TrueCrypt successor] 
installed on your machine. Do this now by running the installation package.

/ Now reboot your computer and enter the BIOS. Then change your BIOS to Legacy 
Mode. Restart your computer and load up the VeraCrypt software.

/ When VeraCrypt is open, click on the "System" drop down menu and click on 
"Encrypt System Partition/Drive". Enter a COMPLEX password, one that you will 
NOT forget! I would recommend at least 16 characters [Upper case, lower case, 
numbers and symbols]. Now just wait until for the encryption process to 
complete. If you forget this password, you will not be able to turn your 
computer on. Reboot your computer and enter the BIOS again and change it back 
to UEFI BIOS. Reboot your computer.

/ Press the Windows key and type "Group Policy" and open "Edit group policy". 
Now, navigate to "Computer Configuration" -> "Administrative Templates" -> 
"Windows Components" -> "BitLocker Drive Encryption". Now click on the "Choose 
drive encryption method and cipher strength". Change the "Select encryption 
method" drop down menu to "AES 256-bit" then click "OK".

/ Next, you are going to need to determine if your computer has what is called 
a Trusted Platform Module chip, or a TPM chip. You can find this out by 
looking up your motherboard model number on the manufactures website and 
reading the specifications page. You can get your motherboards model number 
using the Speccy software that you installed earlier.

/ If you HAVE a TPM chip on your motherboard, you can enable BitLocker Drive 
Encryption by opening up your File Explorer and clicking "This PC", now rename 
your C:\ drive to something like "Windows_8.1", "Windows", "OS", ect. Right 
click on your C:\ drive and click "Turn On BitLocker". Now enter a VERY 
COMPLEX password. I would recommend at least 24 to 30 characters [Upper case, 
lower case, numbers and symbols]. Now save the encrytption key to a USB drive
and then securely DELETE it using CCleaner. Never forget this password as you 
will NOT be able to turn your computer on without it.

/ If you DO NOT have a TPM chip you are going to need to open your "Group 
Policy Editor" again and navigate to "Computer Configuration" -> 
"Administrative Templates" -> "Windows Components" -> "BitLocker Drive 
Encryption" -> "Operating System Drives". Now double click on the "Require 
additional authentication at startup", then click "Enabled", also enable the 
"Allow BitLocker without a compatible TPM" option. Click "OK". Next, you can 
enable BitLocker Drive Encryption by opening up your File Explorer and 
clicking "This PC", now rename your C:\ drive to something like "Windows_8.1", 
"Windows", "OS", ect. Right click on your C:\ drive and click "Turn On 
BitLocker". Now enter a VERY COMPLEX password. I would recommend at least 24 
to 30 characters [Upper case, lower case, numbers and symbols]. Allow the 
encryption process to finish and save the encryption key to a USB drive and 
then securely DELETE it using CCleaner. Never forget this password as you will 
NOT be able to turn your computer on without it!

/ Now right click on your second partition[s] and rename it to "Partition_2", 
"Data_Partition" or something of that sort. Now click on "Turn On BitLocker" 
and give it a password, make it the same password as your C:\ drive or 
something different if you wish. DO NOT forget this password!

/ If your configurations are correct, you should now have to enter 4 passwords 
to turn on your computer [Hard drive password, BitLocker password, VeraCrypt 
password and your username and password]. Doing this will make your hard drive 
100% secure and impossible for any government or person to decrypt your 
drives. :]

=================================================================
[13] Local Security Policy Configuration:

/ Press the Windows key and search for "Local Security Policies" and open it.

/ Click on the "Action" menu at the top, then click on "Export Policies" and 
save a backup of the default policies. Now click on "Windows Firewall with 
Advanced Security" and make sure that all firewall profiles are set to "On" 
and that all inbound connections are set to "Block". Now make sure that the 
outgoing connections are set to "Outbound connections that do not match a rule 
are blocked".

/ Click on the "Account Policies" table, then click "Password Policy". Now 
configure the following options:
  - Enforce password history -> 0 passwords remembered.
  - Maximum password age -> 42 days.
  - Minimum password age -> 0 days.
  - Minimum password length -> 0 characters.
  - Password must meet complexity requirements -> Disabled.
  - Store passwords using reversible encryption -> Disabled.

/ Now click on "Account Lockout Policy" table and configure the following 
options:
  - Account lockout duration -> 10 minutes.
  - Account lockout threshold -> 3 invalid logon attempts.
  - Reset account lockout counter after -> 10 minutes.

/ Click on the "Local Policies" table and click on "Audit Policy" and 
configure the following options:
  - Audit account logon events -> Success, Failure.
  - Audit account management -> Success, Failure.
  - Audit directory service access -> Success, Failure.
  - Audit logon events -> Success, Failure.
  - Audit object access -> Success, Failure.
  - Audit policy change -> Success, Failure.
  - Audit privilege use -> Success, Failure.
  - Audit process tracking -> Success, Failure.
  - Audit system events -> Success, Failure.

/ Next, click on "User Rights Assignment" and configure the following options:
  - Access Credential Manager as a trusted caller -> Blank.
  - Access this computer from the network -> Administrators.
  - Act as part of the operating system -> Blank.
  - Add workstations to domain -> Blank.
  - Adjust memory quotas for a process -> LOCAL SERVICE, NETWORK SERVICE, Administrators.
  - Allow logon locally -> Administrators, Users.
  - Allow logon through Remote Desktop Services -> Blank.
  - Backup files and directories -> Administrators.
  - Bypass traverse checking -> Everyone, LOCAL SERVICE, NETWORK SERVICE,      
    Administrators, Users, Backup Operators.
  - Change system time -> LOCAL SERVICE, Administrators.
  - Change the timezone -> LOCAL SERVICE, Administrators.
  - Create a pagefile -> Administrators.
  - Create a token object -> Blank.
  - Create global objects -> LOCAL SERVICE, NETWORK SERVICE, Administrators, SERVICE.
  - Create permanent shared objects -> Blank.
  - Create symbolic links -> Administrators.
  - Debug programs -> Administrators.
  - Deny access to this computer from the network -> Guest.
  - Deny logon as a batch job -> Everyone.
  - Deny logon as a service -> Everyone.
  - Deny logon locally -> Guest.
  - Deny logon through Remote Desktop Services -> Everyone.
  - Enable computer and user accounts to be trusted for delegation -> Blank.
  - Force shutdown from a remote system -> Blank.
  - Generate security audits -> LOCAL SERVICE, NETWORK SERVICE.
  - Impersonate a client after authentication -> LOCAL SERVICE, NETWORK, SERVICE, 
    Administrators, SERVICE.
  - Increase a process working set -> Users, Window Manager/Window Manager Group.
  - Increase scheduling priority -> Administrators.
  - Load and unload device drivers -> Administrators.
  - Lock pages in memory -> Blank.
  - Logon as a batch job -> Blank.
  - Logon as a service -> Blank.
  - Manage auditing and security log -> Administrators.
  - Modify an object label -> Blank.
  - Modify firmware environment values -> Administrators.
  - Preform volume maintenance tasks -> Administrators.
  - Profile single process -> Administrators.
  - Profile system performance -> Administrators, NT SERVICE/WdiServiceHost.
  - Remove computer from docking station -> Administrators, Users.
  - Replace a process level token -> LOCAL SERVICE, NETWORK SERVICE.
  - Restore files and directories -> Administrators, Backup Operators.
  - Shutdown the system -> Administrators, Users.
  - Synchronize directory service data -> Blank.
  - Take ownership of files or other objects -> Administrators. 

/ Click on the "Security Options" table and configure the following options:
  - Accounts: Administrator account status -> Disabled.
  - Account: Block Microsoft account -> Users can't add or logon with Microsoft account.
  - Accounts: Guest account status -> Disabled.
  - Accounts: Limit local account use of blank passwords to console logon only -> Enabled.
  - Accounts: Rename administrator account -> Administrator.
  - Accounts: Rename the guest account -> Guest.
  - Audit: Audit the access of global system objects -> Enabled.
  - Audit: Audit the use of Backup and Restore privilege -> Enabled.
  - Audit: Force audit policy subcatagory settings - Not defined.
  - Audit: Shut down system immediately if unable to log security audits -> Enabled.
  - DCOM: Machine Access Restrictions in Security Descriptor Definition
    Language [SDDL] syntax -> Not defined.
  - DCOM: Machine Launch Restrictions in Security Descriptor Definition        
    Language [SDDL] syntax -> Not defined.
  - Devices: Allow undock without having to logon -> Enabled.
  - Devices: Allowed to format and eject removable media -> Administrators.
  - Devices: Prevent users from installing printer drivers -> Enabled.
  - Devices: Restrict CD-ROM access to locally logged-in user only -> Enabled.
  - Devices: Restrict floppy access to locally logged-on user only -> Enabled.
  - Domain controller: Allow server operators to schedule tasks -> Not defined.
  - Domain controller: LDAP server signing requirements -> Not defined.
  - Domain controller: Refuse machine account password changes -> Not defined.
  - Domain controller: Digitally encrypt or sign secure channel data [always] -> Enabled.
  - Domain controller: Digitally sign secure channel data [when possible] -> Enabled.
  - Domain controller: Disable machine account password changes -> Disabled.
  - Domain controller: Maximum machine account password age -> 30 days.
  - Domain controller: Require strong [Windows 2000 or later] session key -> Enabled.
  - Interactive logon: Display user information when the session is locked ->  
    Do not display user information.
  - Interactive logon: Do not require CTRL+ALT+DEL -> Disabled.
  - Interactive logon: Machine account lockout threshold -> 3 invalid logon attempts.
  - Interactive logon: Machine inactivity limit -> 360 seconds.
  - Interactive logon: Message text for users attempting to logon -> Blank.
  - Interactive logon: Message title for users attempting to logon -> Blank.
  - Interactive logon: Number of previous logon to cache -> 10 logons.
  - Interactive logon: Prompt user to change password before expiration -> 5 days.
  - Interactive logon: Require Domain Controller authentication to unlock workstation -> Disabled.
  - Interactive logon: Require smart card -> Disabled.
  - Interactive logon: Smart card removal behavior -> No Action.
  - Microsoft network client: Digitally sign communications [always] -> Enabled.
  - Microsoft network client: Digitally sign communications [if server agrees] 
    -> Enabled.
  - Microsoft network client: Send unencrypted password to third-party SMB     
    servers -> Disabled.
  - Microsoft network server: Amount of idle time required before suspending   
    session -> 5 minutes.
  - Microsoft network server: Attempt S4U2Self to obtain claim information ->  
    Not defined.
  - Microsoft network server: Digitally sign communications [always] ->    
    Enabled.
  - Microsoft network server: Digitally sign communications [if client agrees] 
    -> Enabled.
  - Microsoft network server: Disconnect clients when logon hours expire -> Enabled.
  - Microsoft network server: Server SPN target name validation level -> Not defined.
  - Network access: Allow anonymous SID/Name translation -> Disabled.
  - Network access: Do not allow anonymous enumeration of SAM accounts -> Enabled.
  - Network access: Do not allow anonymous enumeration of SAM accounts and     
    shares -> Enabled.
  - Network access: Do not allow storage of passwords and credentials for      
    network authentication -> Enabled.
  - Network access:Let Everyone permissions apply to anonymous users ->        
    Disabled.
  - Network access: Named Pipes that can be accessed anonymously -> Blank.
  - Network access: Remotely accessible registry paths -> Blank.
  - Network access: Remotely accessible registry paths and sub-paths -> Blank.
  - Network access: Restrict anonymous access to Named Pipes and Shared -> Enabled.
  - Network access: Shares that can be accessed anonymously -> Not defined.
  - Network access: Sharing and security model for local accounts -> Classic - 
    local users authenticate as themselves.
  - Network security: Allow Local System to use computer identity for NTLM ->  
    Not defined.
  - Network security: Allow LocalSystem NULL session fallback -> Not defined.
  - Network security: Allow PKU2U authentication requests to this computer to  
    use online identities -> Not defined.
  - Network security: Configure encryption types allowed for Kerberos -> Not   
    defined.
  - Network security: Do not store LAN Manager hash value on next password     
    change -> Enabled.
  - Network security: Force logoff when logon hours expire -> Disabled.
  - Network security: LAN Manager authentication level -> Not defined.
  - Network security: LDAP client signing requirements -> Negotiate signing.
  - Network security: Minimum session security for NTLM SSP based clients ->   
    Require 128-bit encryption.
  - Network security: Minimum session security for NTLM SSP based servers ->   
    Require 128-bit encryption.
  - Network security: Restrict NTLM: Add remote server exceptions for NTLM     
    authentication -> Not defined.
  - Network security: Restrict NTLM: Add server exceptions in this domain ->   
    Not defined.
  - Network security: Restrict NTLM: Audit Incoming NTLM Traffic -> Enable     
    auditing for all accounts.
  - Network security: Restrict NTLM: Audit NTLM authentication in this domain 
    -> Enable all.
  - Network security: Restrict NTLM: Incoming NTLM traffic -> Deny all         
    accounts.
  - Network security: Restrict NTLM: NTLM authentication in this domain -> Not 
    defined.
  - Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers -> Deny all.
  - Recovery console: Allow automatic administrative logon -> Disabled.
  - Recovery console: Allow floppy copy and access to all drives and all       
    folders -> Disabled.
  - Shutdown: Allow system to be shut down without having to log on -> Enabled.
  - Shutdown: Clear all virtual memory pagefile -> Enabled.
  - System cryptography: Force strong key protection for user keys stored on   
    the computer -> Not defined.
  - System cryptography: Use FIPS compliant algorithms for encryption, 
    hashing, and signing -> Disabled.
  - System objects: Require case insensitivity for non-Windows subsystems      
    -> Enabled.
  - System objects: Strengthen default permissions of internal system objects  
    -> Enabled.
  - System settings: Optional subsystems -> Posix.
  - System settings: Use Certificate Rules on Windows Executables for Software 
    Restriction Policies -> Disabled.
  - User Account Control: Admin Approval Mode for the Built-in Administrator   
    account -> Enabled.
  - User Account Control: Allow UIAccess applications to prompt for elevation  
    without using the secure desktop -> Disabled.
  - User Account Control: Behavior of the elevation prompt for administrators  
    in Admin Approval Mode -> Prompt for credentials.
  - User Account Control: Behavior of the elevation prompt for standard users  
    -> Prompt for credentials.
  - User Account Control: Detect application installations and prompt for      
    elevation -> Enabled.
  - User Account Control: Only elevate executables that are signed and         
    validated -> Disabled.
  - User Account Control: Only elevate UIAccess applications that are 
    installed in secure locations -> Enabled.
  - User Account Control: Run all administrators in Admin Approval Mode ->     
    Enabled.
  - User Account Control: Switch to the secure desktop when prompting for      
    elevation -> Enabled.
  - User Account Control: Virtualize file and registry write failures to per-  
    user locations -> Enabled.

/ Now, click on "Advanced Audit Policy Configuration" table and enable logging 
of all the options by clicking on them and by setting ALL of the sub keys to 
"Success and Failure". Do this for everything except the "Global Object Access 
Auditing" table. Doing this will enable you to keep track of all login 
attempts and failures, you can access these logs by pressing the Windows key 
and searching "View Event Logs".

=================================================================
[14] Local Services Policies Configuration:

/ Press the Windows key and search "Local Services" and open "View Local 
Services".

/ This part will take awhile...

/ Configure the following options:
  - ActiveX Installer [AxInstSV] -> Startup Type = Manual -> Log On As = Local 
    System.
  - App Readiness -> Startup Type = Manual -> Log On As = Local System.
  - Application Experience -> Startup Type = Manual [Trigger Start] -> Log On As = System.
  - Application Information -> Startup Type = Manual [Trigger Start] -> Log On 
    As = Local Service.
  - Application Layer Gateway Service -> Startup Type = Manual -> Log On As =  
    Local Service.
  - Applications Management -> Startup Type = Manual -> Log On As = Local      
    System.
  - AppX Deployment Service [AppXSVC] -> Startup Type = Manual -> Log On As =  
    Local System.
  - Background Intelligent Transfer Service -> Startup Type = Disabled -> Log On As = Local System.
  - Background Tasks Infrastructure Service -> Startup Type = Automatic -> Log 
    On As = Local System.
  - Base Filtering Engine -> Startup Type = Automatic -> Log On As = Local     
    Service.
  - BitLocker Drive Encryption Service -> Startup Type = Manual[Trigger Start] 
    -> Log On As = Local System.
  - Block Level Backup Engine Service -> Startup Type = Manual -> Log On As ->
    Local System.
  - Bluetooth Support Service -> Startup Type = Disabled -> Log On As = Local  
    System.
  - BranchCache -> Startup Type = Manual -> Log On As = Network Service.
  - Certificate Propagation -> Startup Type = Manual -> Log On As = Local      
    System.
  - CNG Key Isolation -> Startup Type = Manual -> Log On As = Local System.
  - COM+ Event System -> Startup Type = Automatic -> Log On As = Local System.
  - COM+ System Application -> Startup Type = Manual -> Log On As = Local      
    Service.
  - Computer Browser -> Startup Type = Manual[Trigger Start] ->Log On As = Local System.
  - Credential Manager -> Startup Type = Manual -> Log On As = Local System.
  - Cryptographic Services -> Startup Type = Automatic -> Log On As = Network  
    Service.
  - DCOM Server Process Launcher -> Startup Type = Automatic -> Log On As =    
    Local System.
  - Device Association Service -> Startup Type = Manual[Trigger Start] -> Log  
    On As = Local System.
  - Device Install Service -> Startup Type = Manual[Trigger Start] -> Log On 
    As = Local System.
  - Device Setup Manager -> Startup Type = Manual[Trigger Start] -> Log On As = Local System.
  - DHCP Client -> Startup Type = Automatic -> Log On As = Local Service.
  - Diagnostic Policy Service -> Startup Type = Automatic -> Log On As = Local 
    Service.
  - Diagnostic Service Host -> Startup Type = Manual -> Log On As = Local      
    Service.
  - Diagnostic System Host -> Startup Type = Manual -> Log On As = Local       
    System.
  - DirMngr -> Startup Type = Automatic -> Log On As = Local System.
  - Distributed Link Tracking Client -> Startup Type = Automatic -> Log On As = Local System.
  - Distributed Transaction Coordinator -> Startup Type = Manual -> Log On As = 
    Network Service.
  - DNS Client -> Startup Type = Automatic[Trigger Start] -> Log On As =       
    Network Service.
  - Encrypting File System [EFS] -> Startup Type = Manual[Trigger Start] -> 
    Log On As = Local System.
  - Extensible Authentication Protocol -> Startup Type = Manual -> Log On As = 
    Local System.
  - Family Safety -> Startup Type = Manual -> Log On As = Local Service.
  - Fax -> Startup Type = Manual -> Log On As = Network Service.
  - File History Service -> Startup Type = Disabled -> Log On As = Local       
    System.
  - Function Discovery Provider Host -> Startup Type = Manual -> Log On As =   
    Local Service.
  - Function Discovery Resource Publication -> Startup Type = Manual -> Log On 
    As = Local Service.
  - Group Policy Client -> Startup Type = Automatic[Trigger Start] -> Log On As
    = Local System.
  - Health Key and Certificate Management -> Startup Type = Manual -> Log On 
    As = Local System.
  - HomeGroup Listener -> Startup Type = Manual -> Log On As = Local System.
  - HomeGroup Provider -> Startup Type = Manual[Trigger Start] -> Log On As =  
    Local System.
  - Human Interface Device Service -> Startup Type = Manual[Trigger Start] ->  
    Log On As = Local System.
  - Hyper-V Data Exchange Service -> Startup Type = Manual[Trigger Start] ->   
    Log On As = Local System.
  - Hyper-V Guest Service Interface -> Startup Type = Manual[Trigger Start] -> 
    Log On As = Local System.
  - Hyper-V Guest Shutdown Service -> Startup Type = Manual[Trigger Start] ->  
    Log On As = Local System.
  - Hyper-V Heartbeat Service -> Startup Type = Manual[Trigger Start] -> Log 
    On As = Local System.
  - Hyper-V Remote Desktop Virtualization Service -> Startup Type = Manual     
    [Trigger Start] -> Log On As = Local System.
  - Hyper-V Time Synchronization Service -> Startup Type = Manual[Trigger Start]     
    -> Log On As = Local Service
  - Hyper-V Volume Shadow Copy Requester -> Startup Type = Disabled -> Log On  
    As = Local System.
  - IKE and AuthIP IPSec Keying Modules -> Startup Type = Automatic[Trigger    
    Start] -> Log On As = Local System.
  - Interactive Services Detection -> Startup Type = Manual -> LogOn As = 
    Local System.
  - Internet Connection Sharing [ICS] -> Startup Type = Disabled -> Log On As =    
    Local System.
  - Internet Explorer ETW Collector Service -> Startup Type = Disabled -> Log  
    On As = Local System.
  - IP Helper -> Startup Type = Automatic -> Log On As = Local System.
  - IPSec Policy Agent -> Startup Type = Manual[Trigger Start] -> Log On As =  
    Network Service.
  - Link-Layer Topology Discovery Mapper -> Startup Type = Manual -> Log On As 
    = Local Service.
  - Local Session Manager -> Startup Type = Automatic -> Log On As = Local     
    System.
  - Microsoft Account Sigh-in Assistant -> Startup Type = Disabled -> Log On 
    As = Local System.
  - Microsoft EMET Service -> Startup Type = Automatic -> Log On As = Local    
    System.
  - Microsoft iSCSI Initiator Service -> Startup Type = Manual -> Log On As =  
    Local System.
  - Microsoft Keyboard Filter -> Startup Type = Disabled -> Log On As = Local  
    System.
  - Microsoft Software Shadow Copy Provider -> Startup Type = Manual -> Log On As
    = Local System.
  - Microsoft Storage Spaces SMP -> Startup Type = Manual -> Log On As =       
    Network Service.
  - Mozilla Maintenance Service -> Startup Type = Manual -> Log On As = Local  
    System.
  - Multimedia Class Scheduler -> Startup Type = Automatic -> Log On As = 
    Local System.
  - Net.TCP Port Sharing Service -> Startup Type = Disabled -> Log On As =     
    Local Service.
  - Netlogon -> Startup Type = Manual -> Log On As = Local System.
  - Network Access Protection Agent -> Startup Type = Manual -> Log On As =    
    Network Service.
  - Network Connected Devices Auto-Setup -> Startup Type = Manual[Trigger      
    Start] -> Log On As = Local Service.
  - Network Connection Broker -> Startup Type = Manual[Trigger Start] -> Log   
    On As = Local System.
  - Network Connections -> Startup Type = Manual -> Log On As = Local System.
  - Network Connectivity Assistant -> Startup Type = Manual[Trigger Start] ->  
    Log On As = Local System.
  - Network List Service -> Startup Type = Manual -> Log On As = Local 
    Service.
  - Network Location Awareness -> Startup Type = Automatic -> Log On As =      
    Network Service.
  - Network Store Interface Service -> Startup Type = Automatic -> Log On As = 
    Local Service.
  - OpenDNSCrypt -> Startup Type = Automatic -> Log On As = Network Service.
  - Peer Name Resolution Protocol -> Startup Type = Disabled -> Log On As =    
    Local Service.
  - Peer Networking Grouping -> Startup Type = Disabled -> Log On As = Local   
    Service.
  - Peer Networking Identity Manager -> Startup Type = Disabled -> Log On As = 
    Local Service.
  - Plug and Play -> Startup Type = Manual -> Log On As = Local System.
  - PNRP Machine Name Publication Service -> Startup Type = Disabled -> Log On As
    = Local Service.
  - Print Spooler -> Startup Type = Automatic -> Log On As = Local System.
  - Printer Extensions and Notifications -> Manual -> Log On As = Local System.
  - Problem Reports adn Solutions Control Panel Support -> Startup Type =      
    Manual -> Log On As = Local System.
  - Program Compatibility Assistant Service -> Startup Type = Automatic -> Log 
    On As = Local System.
  - Remote Access Auto Connection Manager -> Startup Type = Disabled ->Log On  
    As = Local System.
  - Remote Access Connection Manager -> Startup Type = Manual -> Log On As =   
    Local System.
  - Remote Desktop Configuration -> Startup Type = Disabled -> Log On As =     
    Local System.
  - Remote Desktop Services -> Startup Type = Disabled -> Log On As = Network  
    Service.
  - Remote Desktop Services UserMode Port Redirector -. Startup Type = 
    Disabled -> Log On As = Local System.
  - Remote Procedure Call [RPC] -> Startup Type -> Disabled -> Log On As =     
    Network Service.
  - Remote Procedure Call [RPC] Locator -> Startup Type = Disabled -> Log On 
    As = Network Service.
  - Remote Registry -> Startup Type = Disabled -> Log On As = Local Service.
  - Routing and Remote Access -> Startup Type = Disabled -> Log On As = Local  
    System. 
  - RPC Endpoint Mapper -> Startup Type = Automatic -> Log On As = Network     
    Service.
  - Secondary Logon -> Startup Type = Manual -> Log On As = Local System.
  - Secure Socket Tunneling Protocol Service -> Startup Type = Manual -> Log 
    On As = Local Service.
  - Security Accounts Manager -> Startup Type = Automatic -> Log On As = Local 
    System.
  - Security Center -> Startup Type = Automatic -> Log On As = Local Service.
  - Server -> Startup Type = Disabled -> Log On As = Local System.
  - Shell Hardware Detection -> Startup Type = Automatic -> Log On As = Local  
    System.
  - Smart Card -> Startup Type = Disabled -> Log On As = Local Service.
  - Smart Card Device Enumeration Service -> Startup Type = Disabled -> Log On 
    As = Local System.
  - Smart Card Removal Policy -> Startup Type = Disabled -> Log On As = Local  
    System.
  - SNMP Trap -> Startup Type = Manual -> Log On As = Local Service.
  - Software Protection -> Startup Type = Automatic -> Log On As = Network     
    Service.
  - SSDP Discovery -> Startup Type = Disabled -> Log On As = Local Service.
  - Storage Service -> Startup Type = Manual[Trigger Start] -> Log On As =     
    Local System.
  - System Event Notification Service -> Startup Type = Automatic -> Log On As 
    = Local System.
  - System Events Broker -> Startup Type = Automatic -> Log On As = Local      
    System.
  - TCP/IP NetBIOS Helper -> Startup Type = Disabled -> Log On As = Local      
    Service.
  - Te.Service -> Startup Type = Manual -> Log On As = Local System.
  - Telephony -> Startup Type = Manual -> Log On As = Network Service.
  - UPnP Device Host -> Startup Type = Disabled -> Log On As = Local Service.
  - User Profile Service -> Startup Type = Automatic -> Log On As = Local      
    System.
  - Virtual Disk -> Startup Type = Manual -> Log On As = Local System.
  - Volume Shadow Copy -> Startup Type = Disabled -> Log On As = Local System.
  - Windows Error Reporting Service -> Startup Type = Disabled -> Log On As =  
    Local System.
  - Windows Remote Management [WS-Management] -> Startup Type = Disabled -> Log 
    On As = Network Service.
  - Workstation -> Startup Type = Disabled -> Log On As = Network Service.

=================================================================
[15] Local Group Policy Configuration:

/ Press the Windows key and search "Group Policy" and click on "Edit group 
policy".

/ Next, navigate to the following tables and set them as follows:
  - "Computer Configuration" -> "Administrative Templates" -> "Windows         
     Components" -> ActiveX Installer Service" -> "Disabled".
  - "Computer Configuration" -> "Administrative Templates" -> "System" ->      
     "Early Launch Antimalware" -> "Enabled".
  - "Computer Configuration" -> "Administrative Templates" -> "Windows         
     Components" -> "Application Compatibility" -> "Turn off Application       
     Telemetry" -> "Enabled".
  - "Computer Configuration" -> "Administrative Templates" -> "Windows         
     Components" -> "AutoPlay Policies" -> Change all settings to "Enabled".
  - "Computer Configuration" -> "Administrative Templates" -> "Windows         
     Components" -> "Biometrics" -> Change all settings to "Disabled.
  - "Computer Configuration" -> "Administrative Templates" -> "Windows         
     Components" -> "Credential User Interface" -> "Do not display the 
     password reveal button" -> "Enabled".
  - "Computer Configuration" -> "Administrative Templates" -> "Windows         
     Components" -> "Desktop Gadgets" -> Change all settings to "Enabled".
  - "Computer Configuration" -> "Administrative Templates" -> "Windows         
     Components" -> "Digital Locker" -> "Enabled".
  - "Computer Configuration" -> "Administrative Templates" -> "Windows         
     Components" -> "Family Safety" -> "Disabled".
  - "Computer Configuration" -> "Administrative Templates" -> "Windows         
     Components" -> "File Explorer" -> "Show sleep in the power options menu" 
     -> "Disabled".
  - "Computer Configuration" -> "Administrative Templates" -> "Windows         
     Components" -> "File Explorer" -> "Show hibernate in the power options    
     menu" -> "Disabled".
  - "Computer Configuration" -> "Administrative Templates" -> "Windows         
     Components" -> "File History" -> "Turn off File History" -> "Enabled".
  - "Computer Configuration" -> "Administrative Templates" -> "Windows         
     Components" -> "Game Explorer" -> Change all settings to "Enabled".
  - "Computer Configuration" -> "Administrative Templates" -> "Windows         
     Components" -> "HomeGroup" -> "Prevent the computer from joining a        
     homegroup" -> "Enabled".
  - "Computer Configuration" -> "Administrative Templates" -> "Windows         
     Components" -> "Internet Explorer" -> Change all settings to "Disabled".
  - "Computer Configuration" -> "Administrative Templates" -> "Windows         
     Components" -> "Location and Sensors" -> Change all settings to "Enabled".
  - "Computer Configuration" -> "Administrative Templates" -> "Windows         
     Components" -> "NetMeeting" -> "Disable remote Desktop sharing" -> "Enabled".
  - "Computer Configuration" -> "Administrative Templates" -> "Windows         
     Components" -> "OneDrive" -> "Save documents to OneDrive by default" ->   
     "Disabled".
  - "Computer Configuration" -> "Administrative Templates" -> "Windows         
     Components" -> "OneDrive" -> "Prevent OneDrive files from syncing over    
     metered connections" -> "Enabled".
  - "Computer Configuration" -> "Administrative Templates" -> "Windows         
     Components" -> "OneDrive" -> "Prevent the usage of OneDrive" ->  "Enabled".
  - "Computer Configuration" -> "Administrative Templates" -> "Windows         
     Components" -> "Online Assistance" -> Turn off Active Help" -> "Enabled".
  - "Computer Configuration" -> "Administrative Templates" -> "Windows         
     Components" -> "Remote Desktop Services" -> Change all settings to        
     "Disabled".
  - "Computer Configuration" -> "Administrative Templates" -> "Windows         
     Components" -> "Shutdown Options" -> "Turn off legacy remote shutdown     
     interface" -> "Enabled".
  - "Computer Configuration" -> "Administrative Templates" -> "Windows         
     Components" -> "Sync your settings" -> Change all settings to "Enabled".
  - "Computer Configuration" -> "Administrative Templates" -> "Windows         
     Components" -> "Windows Customer Experience Improvement Program" -> 
     Change all settings to "Disabled".
  - "Computer Configuration" -> "Administrative Templates" -> "Windows         
     Components" -> "Windows Remote Shell" -> "Allow Remote Shell Access" ->   
     "Disabled".
  - "Computer Configuration" -> "Administrative Templates" -> "Windows         
     Components" -> "Windows Update" -> "Turn off the upgrade to the latest    
     version of Windows through Windows Update" -> "Enabled".

=================================================================
[16] Router and/or Modem Configuration:

/ This step is very important, you will need to determine if you are using a 
wireless or wired router.

/ You are going to have to download a fresh copy of the routers firmware 
directly from the manufactures website and you are going to flash your router 
and modems firmware. Doing this will eliminate any backdoors/rootkits that 
have possibly been installed on your router and/or modem.

/ Next, you are going to need to access your routers configuration page and 
start to configure your security settings. You should have all incoming ports 
CLOSED and all outgoing ports CLOSED [Except for the ones you will be using, 
80, 443, 21 ect]. Enable WAN ping blocking, disable DMZ hosting and set your 
firewall to the highest security settings. Disable anything else that may 
present a security risk. You can also add blocklists to your router for 
disabling ads and malware serving hosts, this of course is optional.

/ Do this for all of your other hardware [Firewalls, modems, switches, VOIP 
systems, ect]. 

=================================================================
[17] VPNs:

/ A Virtual Private Network [VPN] is a connection from your computer to 
another network. Setup properly, they can be used by anyone to create a safer 
connection to the internet and have the added benefit of disguising your true 
location. It encrypts your internet connection. So you can surf the web 
securely with no restrictions. It will allow you to visit websites that your 
ISP or government has blocked. You can also change your IP whenever you please 
by switching servers. 

/ When you are picking out a VPN provider, be sure to read the Terms of 
Service [ToS] aswell as the Privacy Policy [PP]. Make sure that the VPN
provider you choose does NOT keep ANY logs.

/ NEVER use a "Free" VPN!! If you don't have to pay for a product, you are the 
product being sold.

/ First off, you are going to need to purchase TWO different VPN services from 
TWO separate VPN providers. NEVER use your own or anyone of your 
family/friends credit cards, because they can be backtraced directly to you. It 
is highly recommended that you buy a prepaid Mastercard [Or Visa, but it is 
NOT recommended]. To do this you are going to need to get about $50-$100 in 
cash and head into a high populated store with a lot of foot traffic such as 
Walmart, Target, 7-11, ect. Be sure wear something you wouldn't normally wear 
when buying this card and make sure your face is hidden from ALL cameras when 
making this purchase. ALWAYS pay for this prepaid card with cash and cash 
only. Using any other methods of payment such as Interact will completely 
compromise your identity.

/ When you purchase the prepaid card, write down ALL of the information on the 
card [Card number, CVV, Expiry date, ect] and the securely dispose of the card 
[Either burn the card or cut it into 3-4 pieces and put each piece in separate 
trash bins that are in separate locations]. 

/ Now you are going to have to activate the prepaid card online. To do this 
you are going to need to access the internet through TOR on your cellphone or 
any other means by using a free public wifi hotspot. When activating the 
prepaid card online, you are going to need a fake name and address. Go to 
http://www.fakenamegenerator.com/ and use a random name and address [Remember 
to write down the ZIP/Postal code you used, as you may need it in the future]. 
When you are on the VPN providers website and you are creating your account, 
use a throwaway email address that is with any email provider [Mail.com 
usually works quite nicely]. Use http://www.fakenamegenerator.com/ again to 
fill in random information for the throwaway and in the VPN providers website.

=================================================================
[18] Testing Security Configurations:

/ This step may seem redundant, but it is one of the most valuable. You are 
now going to preform a small "Security Audit" of your system and network.

/ Download the following software:
  - Software: NMap
  - Download: https://nmap.org/dist/nmap-7.01-setup.exe

  - Software: Nessus Home
  - Download: https://www.tenable.com/products/nessus-home
  - Configuration: Enter FAKE details in the "Register for an Activation Code" 
    section of the Nessus website. Then just download and install. Make sure   
    that you allow ALL of the Nessus executables through your OUTBOUND         
    firewall. 

  - Software: WireShark
  - Download: https://www.wireshark.org/download.html

  - Software: TCPView
  - Download: https://technet.microsoft.com/en-us/sysinternals/tcpview.aspx

/ Now open a Command Prompt window with Administrator privilege, then type 
this command: "nmap -vvv 192.168.0.1" [Remove the quotation marks and change 
the IP address to your routers internal IP address]. If configured correctly, 
NMap should not be able to detect any open ports. 

/ Next open Nessus Home and preform a vulnerability scan on the same internal 
IP address that is assigned to your router. Again, Nessus should not detect any 
open ports or vulnerabilities.

/ Open Firefox and head over to these web application port scanners:
  - Website: https://www.grc.com/x/ne.dll?bh0bkyd2
  - Website: http://www.speedguide.net/scan.php

/ Preform a port scan using BOTH of these web application port scanners. The 
results for GRC should be "True Stealth" and the results for speedguide should
be no open ports.

/ If you have detected any open ports, then you may need to go back to the 
previous steps and re-configure these settings.

/ Now open TCPView, this will show you if there are any suspicious packet 
activities that are going through your network. If you find any, remove them 
immediately. Now open WireShark and do the same thing, look for any unknown or 
suspicious packet activity.

/ Open up a Command Prompt window with Administrator privileges and type this 
command: "netstat -nab" [Remove the quotation marks]. This command will show 
you all inbound and outbound connections and details about them like 
process, local ip:port, foreign ip:port, protocol and connection status.

/ Open Firefox again and go to the following websites:
  - Website: https://ipleak.net/
  - Description: This website will show you what information is being passed   
    to the websites you visit. This includes your IP address, DNS addresses,    
    WebRTC, Geolocation, User Agent, System Information, Plugins, MIME         
    type, ect. If configured correctly, everything should be disabled          
    and/or spoofed. You should check this website EVERY TIME YOU GO ONLINE 
    for DNS leaks and to make sure that everything is secure before you login
    to anything.

  - Website: https://www.dnsleaktest.com/
  - Description: This site will detect any DNS leaks from your network. If     
    configurations were done correctly, all of the DNS addresses should be    
    "OpenDNS, LLC".

=================================================================
[19] Peer Filtering:

/ Peer filtering will automatically block certain IP ranges from accessing 
your computer from the internet. These include: Advertisement companies,
Government and Federal agencies, Law Enforcement agencies, Educational 
Intitutions and Analytic Services and so on.

/ Download this peer filtering software:
  - Software: PeerBlock
  - Download: http://www.peerblock.com/releases

/ Now install PeerBlock and allow peerblock.exe through you firewall's 
outgoing table. Now open PeerBlock and click on the "List Manager" button, 
click "Add". Now open up Firefox and go to https://www.iblocklist.com/lists 
for free blocklists. Copy and paste the "Update URL" into PeerBlock and there 
you have it. 

/ There are many websites on the internet that offer free blocklists, you may 
find them by doing a quick search on the internet. You can then load them into 
PeerBlock as explained above.

=================================================================
[20] TOR, I2P and FreeNet Configuration:

/ Download and configure the following software:
  - Software: The Onion Router [TOR] Browser Bundle
  - Download: https://www.torproject.org/projects/torbrowser.html.en
  - Description: Tor is free software for enabling anonymous communication. 
    The name is an acronym derived from the original software project name 
    The Onion Router, Tor directs Internet traffic through a free, worldwide, volunteer
    network consisting of more than seven thousand relays[9] to conceal a user's location
    and usage from anyone conducting network surveillance or traffic analysis. 
    Optionally, You can download the TOR Expert bundle here:
    https://www.torproject.org/download/download
  - Configuration: Run the installer and allow TOR though your firewall.
    You can now route your internet traffic through The Onion Router by binding your 
    applications to Socks5 host @ 127.0.0.1 on port 9050 through the applications 
    proxy settings.

  - Software: I2P
  - Download: https://geti2p.net/en/
  - Description: 2P is an anonymous overlay network, a network within a network.
    It is intended to protect communication from dragnet surveillance and monitoring
    by third parties such as ISPs. 
  - Configuration: Run the installer and install the software. Open your firewall
    and local all of the executables in the I2P installation directory and allow them
    all though the firewalls outgoing table. Now, allow the JaveSEBinary.exe though
    the inbound table. Now open a Command Prompt with administrator privilege and type
    the following command:
    i2psvc -c wrapper.config
    I2P should start and load everything, now open firefox and type "http://127.0.0.1:7657" into
    the URL bar to configure all of the additional options. You can now configure your 
    applications to use the I2P network by configuring the applications proxy settings to
    Socks5 host @ 127.0.0.1 on port 4445.

  - Software: FreeNet
  - Download: https://freenetproject.org/download.html
  - Description: Freenet is a platform for censorship-resistant communication and publishing.
    It helps you to remain anonymous, and communicate without fear.
  - Configuration: Run the installer and install the software. Now allow the FreeNet.exe, 
    FreeNetWrapper.exe and the FreeNetLauncher.exe though the outgoing table, now allow the
    JavaSEBinary.exe [This one was installed with FreeNet] though the outbound firewall table.
    Open a Command Prompt with administrator privilage and run the following command: FreeNet.
    FreeNet should start and load everything, now open firefox and enter "http://127.0.0.1:8888"
    into the URL bar and configure the FreeNet settings.

=================================================================
[21] Secure Social Media Communications:

/ You are going to download the following software to allow the secure communications
over mainstream social media sites, XMPP, IRC and other protocols.
  - Software: Pidgin
  - Download: https://pidgin.im/download/
  - Configuration: Run the installer and install the software. Allow pidgin.exe file
    though your firewalls outgoing table.

  - Software: Off The Record Plugin
  - Download: https://otr.cypherpunks.ca/binaries/windows/pidgin-otr-4.0.1.zip
  - Configuration:  Run the installer and install the software. Now allow all of the OTR
    executables through your firewalls outgoing table.

/ Now open Pidign and enable the OTR plugin. You may now add your accounts
into Pidgin. Now click on the "Tools" drop down menu and click "Preferences", now
click the "Proxy" tab and select "Tor/Privacy (SOCKS5)" from the proxy type drop down
menu. Now enter "127.0.0.1" in the "Host" field and change the port to "9050". Doing this will
ensure that you are not being connected to your accounts unless your connection is binded and 
anonymized though TOR.

/ Optionally, you can install the Skype4Pidgin plugin [If you even use Skype] from here:
https://github.com/eionrobb/skype4pidgin

=================================================================
[22] Application Proxy Configuration:

/ This step will show you how to add an extra layer of security while
using your applications and software. You can find large lists of proxies
by just doing a simple search. I would AVOID using HideMyAss.com because they
are known to give up user data to the feds.

/ Once you have the proxy IPs, you can now locate the proxy settings that should
be within the settings page of your applications. You can now bind your software to
your already encrypted and secure connection [VPN, TOR and I2P], thus adding an extra 
layer of security. Try to use different proxies for different applications to make sure
your connection is completely anonymized.

=================================================================
[23] Secure Virtualization Configuration:

/ In this step we will be securely installing a virtual machine [VM]
Download and install the following software:
  - Software: VirtualBox
  - Download: https://www.virtualbox.org/wiki/Downloads
  - Configuration: Run the installer and install the software, be sure to allow
    this software though your firewall.

/ Now open VeraCrypt and click the "Volumes" drop down menu, then click on
"Create New Volume". Select the "Create an encrypted file container", click "Next".
Now select "Hidden VeraCrypt Volume" and click "Next", select "Normal Mode", click
"Next". Now click on the "Select File" button and locate a directory that is some what
hidden deep within your file system and name it something like "Test.txt" or "VM.txt".
Be sure to save this file as a .txt file and NOT .vc, because a .vc file makes is very
obvious that there is something hidden inside. Make sure that the "Never Save History" 
check box is checked. Click "Next".

/ You should now be creating the "Outer Volume" of your hidden and encrypted container.
Click "Next". For the encryption algorithm, select "AES(Twofish(Serpent))" from the drop down
menu, then make sure that "SHA-512" is selected for the hash algorithm, then click "Next".
Now enter the size of the file you want in GB, I would recommend for it to be at least 15-25GB in 
size. Click "Next". Now you should be prompted for the outer volume password. Make this password
whatever you want, just make sure that you remember it! Now the next screen you will have to move
you cursor around for about 5 minutes, doing this for a long time will increase the strength of the
encryption. Next, click on "Format". You may now open your outer volume [It should be mounted as the 
Z:\ drive] and place a few sensitive looking files that you DO NOT actually want to hide 
[Doing this will allow for full deniability if v& and forced to disclose your password, 
if they demand a password, give them the one for outer volume]. Click "Next".

/ Now you can create the hidden volume, again make sure that the encryption algorithm is set to
"AES(Twofish(Serpent))" and that "SHA-512" is selected for the hash algorithm, click "Next".
Now select the file size in GBs, make it about 1-2GB smaller than the outer volume. Click "Next".
Set a password that is DIFFERENT from the one you used above! Make it as long and complex as possible
[Add numbers, upper case, lower case and symbols] The goal with this password it to make it 100%
uncrackable by any super computer, I would recommend 64+ characters in length. Click "Next".
Again, you are going to want to move your cursor as randomly as possible. This time do it for about
10 minutes or more, then click on "Format". 

/ Open VeraCrypt and click the "Select File" button and locate the .txt file that you just created, 
then select a drive letter and click "Mount" and enter your password for the HIDDEN container.

/ For this VM we will be using Ubuntu Linux. Click "New" and give your VM a name like "Ubuntu" or
something along those lines. Set the "Memory Size" [RAM] to whatever your computer can handle. 
1GB = 1024MB, 2GB = 2048MB and 4GB = 4096MB and so on. Click "Create". Now for the "File Location"
you are going to navigate to the hidden volume that you created earlier. Set the "File Size" to 15-20GB
then click "Create". Next, boot up the new Ubuntu VM and navigate to where you saved the Ubuntu.iso file.
Allow the VM to boot up and you can then configure the Ubuntu VM with encryption, TOR, VPNs, proxies and 
other security measures. I am not going to include a Ubuntu Linux security hardening guide here, you can
however find hundereds of tutorials and guides with a simple search.

/ You will need to open VeraCrypt and enter the password for the hidden container everytime you want to
boot this Ubuntu Linux virtual machine. Make sure that you DISMOUNT this volume everytime you step away
from your computer.

=================================================================
[24] Anonymous Identities:

/ The first thing you should do is create a nickname that you will use as one of 
your alter-egos. This one should ONLY be used for connecting IRC Networks/Email/Facebook
Services and so fourth. This screen name should be completely different from your Anonymous 
screen name and should NEVER be related to one another and should always be separate. 
One slip with these screen names could seal your fate in the corrupt federal prison system.
 
/ You are going to now create an Anonymous screen name. This will be your second alter-ego for 
use with other things such as Email/Hacking/Chatting with other Anons and so on.
 
/ Create a back story that is believable to use alongside your Anonymous screen names,
preferably with supporting evidence [Use a common name, a school in the city of your choosing, 
choose a place in the same city where your fake alias works]. NEVER contaminate this back story
with real personal information.
 
/ When creating your Anonymous screen names, do so through TOR as well as a VPN layered on top. 
This will guarantee that all account creation details remain anonymous and untraceable.

=================================================================
[25] Conclusion:

/ There you have it, if you followed the all of the steps correctly. You should now have 
a completely secure and encrypted installation of Windows 8.1 and you have installed and configured 
all of the necessary security tools and applications to ensure that your internet connection is
encrypted. You have configured all of your software that needs internet connectivity though your strict
firewall settings and you have configured your software to specifically bind the connection
they use to connect to the internet though a VPN, TOR, aswell as proxies. You have created
anonymous nicknames and identities. You may do things of questionable legality assuming you
take full responsibility and know what your going and the feds will have an extremely hard time
finding you :]. Happy hacking #NewBloods!

/ This is one of my gifts to the internet, Anonymous and humanity itself. Also to the corrupt
governments of this world; You cannot arrest an idea.

=================================================================

       .-.
      ( " )
   /\_.' '._/\
   |         |
    \       /
     \    /`
  .(__)  /
   `.__.' @Gh0sterSec