iBet uBet web content aggregator. Adding the entire web to your favor.
iBet uBet web content aggregator. Adding the entire web to your favor.



Link to original content: http://github.com/JosefEreq/ITSecGuide
GitHub - JosefEreq/ITSecGuide: Cyber Security Hardening guide
Skip to content
This repository has been archived by the owner on Jan 29, 2024. It is now read-only.
/ ITSecGuide Public archive

Cyber Security Hardening guide

Notifications You must be signed in to change notification settings

JosefEreq/ITSecGuide

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 

Repository files navigation

Cyber Security Hardening Guide

This repository is no longer maintained.

Last updated 2022-08-01



Introduction

This document provides guidelines and recommendation for hardening the cyber security posture in the following areas:

  • Online Security and Privacy

  • Email / Chat

  • Windows 10 / 11

  • iOS

  • Firefox and Thunderbird

  • Network and Router

(Coming soon) MacOS



Each section and recommendation is categorized by area and security level, to make it easier for readers to find those that are relevant to them. See the following 3 security level definitions:

  • Standard - Basic security. Little impact on usage and convenience. For basic users.
  • Advanced - Good security. Mild impact on usage and convenience. Requires knowledge in configuring computers, operating systems and applications.
  • Expert - Great security. Big impact on usage and convenience. Requires system administration knowledge.



The provided guidelines and actions are intended for private cyber security. No consideration have neccesarly been taken for enterprise environments.



All recommended software are free open-source projects.









Table of contents

  1. Internet, VPN and Email providers
  2. Accounts and Passwords
  3. Windows 10 / 11
  4. Web Browsing
  5. Email and Chat
  6. iOS
  7. Network and Router
  8. Firefox Browser
  9. Thunderbird Email












Internet, VPN and Email provider

Consider the following when choosing a Internet, VPN or Email provider;

  •   What policy do they have regarding protecting sensitive customer data?
    
  •   Have they handed out sensitive data to a government agency or a third party previously?
    
  •   What customer data do they store?
      Your VPN provider should never store customer authentication or connection logs!
    
  •   Do they have the neccesary resources to build a secure network infrastructure? 
    





Accounts and Passwords

Level Title Description Note
Standard Use MFA! Use multi-factor authentication for your online accounts and avoid SMS. Your SIM/phone number can be taken over by a scammer. Use a mobile app for verification instead.
Standard Keep your accounts in your control. Never log in with your online account on somebody elses device!
Advanced Use a secure password management solution! I recommend:

Keepass Windows

KeepassXC MacOS

AuthPass iOS
Note: Providers of online password managers that handle your master key might be breached and leak your credentials.





Windows 10 / 11

Level Title Description Note
Standard Set a secure password on your local computer user. Set a long and complex password that's hard to guess.
Standard Configure in-app security and privacy settings. Go trough each applications privacy and security settings first thing you do after installing it. There's often a lot of of privacy settings.
Standard Auto-lock on inactivity. Set your computer to lock automatically after being inactive.
Standard Enable auto-update. Enable auto-update for both the operating system and applications, to make sure you always have the latest security patches. Hackers countinesly scan the internet for vulnerable devices and services.
Standard Completely disable crash reporting. Powershell: Run "Disable-WindowsErrorReporting". This feature might leak information about your device.
Standard Restart your PC! Regularly restart your PC to clean up running background processes and free up the memory from sensitive data.
Standard Disable network during setup! Disable your network interfaces while installing and configuring your operating system. Make sure the operating system and all applications are securely configured before connectiong to the internet
Standard Encrypt your drives. I recommend Veracrypt
Standard Take backups! Take regular file backups of the operating system drive and other important drives, a system image backup and store them in a safe location. NOTE: Make sure every kind of backup containing sensitive data or system files is encrypted, no matter where you store it.
Standard Uninstall applications you don't need. Uninstall applications in both Control Panel/Programs and Features and the Settings app. NOTE: Some apps are only visible in the Settings app.
Standard Disable extra local accounts Disable all local accounts not being used, especially the guest account.
Standard Fully activate UAC. Enable User Account Control in Control Panel/User Accounts/Change User Account Control settings Drag the slider to the higest level and click OK. UAC will prompt for verification before an application elevates itself to admin.
Standard Install a endpoint protection solution if neccesary. You may want to install a EDR solution, depending on how securely the computer is configured and used, since Windows is full of security vulnerabilities. Choose a modern EDR solution that looks for unusual executions and behaviors NOTE #1: Select a EDR provider you trust. But remember that the they could potentially read all files on your PC.

NOTE #2: Avoid installing an EDR solution, for privacy concerns, if your Windows operating system is locked down with all the recommendations in this guide applied and you only run verified software and documents.
Standard Disable logging in your torrent and VPN client! Don't leave traces of downloads in case you're subject to a legal investigation.
Standard Disable Autoplay features. Disable AutoPlay and in Windows Settings/Bluetooth & Devices/AutoPlay. This will prevent plugged in devices from auto-starting its local media and binaries.
Standard BIOS password Set a BIOS password
Standard Secure boot Enable UEFI secure boot
Standard-Advanced Disable RDP or restrict its connections! Disable Remote Desktop on Windows unless you need it in "Windows Settings/System/Advanced Sytem Settings/Remote/" select "Don't allow remote connections to this computer" AND uncheck "Allow Remote Assistance connections to this computer". Advanced: If RDP is needed, create a firewall rule to only allow connections from your own devices (IP-adresses) There has been a lot of vulnerabilities discovered in RPD throughout the years. But more importantly, you should disable all network protocols you don't need.
Advanced Don't use sleep mode. Don't put your computer to sleep. Use hibernation instead. Your memory is not cleared in sleep mode, keeping your disk decrypted, making it much easier for a malicious actor to access your data if your laptop gets lost or stolen.
Advanced Enable LSA protection Registry: Set/Create DWORD key HKLM/SYSTEM/CurrentControlSet/Control/Lsa/RunAsPPL with value of "1".
Advanced Disable driver/software download from Windows Error reporting servers. Group Policy: Enable "Prevent Windows from sending an error report when a device driver request additional software during installation" in Computer Configuration/Administratrive templates/System/Device installation. This feature might leak information about your device.
Advanced Disable automatic driver and related software installations. Group policy: Enable "Prevent device metadata retrieval from the Internet" in Computer Configuration/Administratrive templates/System/Device installation. This feature might leak information about your device and might lead to unexpected software being installed.
Advanced Disable background error reports from being sent when installing a driver. Group policy: Enable "Do not send a Windows error report when a generic driver is installed on a device" in Computer Configuration/Administrative templates/System/Device installation. This feature might leak information about your device.
Advanced Disable IP source routing, for both IPv4 and IPv6! Registry: Set/Create DWORD key "HKLM/SYSTEM/CurrentControlSet/Services/Tcpip/Parameters/IPEnableRouter" with value "0" AND "HKLM/SYSTEM/CurrentControlSet/Services/Tcpip/Parameters/disableipsourcerouting" with value "2" IP source routing allows the information in network packages to dictate the routing of its traffic. This is might result in traffic avoiding network gateways.
Advanced Disable automatic elevation of software installations. Group policy: Disable "Always install with elevated privileges" in Computer Configuration/Policies/Administrative Templates/Windows Components/Windows Installer. This will prevent software installations from running with admin priviligies unless neccesary.
Advanced Remove Windows Features you don't need. Uninstall features in Control Panel/Programs and Features/Turn Windows features on or off.
Advanced Enable remote restrictions for UAC. Registry: Set/Create DWORD key HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Policies/System/LocalAccountTokenFilterPolicy with value "0"
Advanced Disable unncesseary scheduled tasks. Go trough your scheduled tasks, including all sub-libraries, and disable unneccesary tasks. A lot of 3rd party applications creates infringing and unneccesary scheduled tasks.
Advanced Use a software firewall. Use one that can allow/block both incoming and outgoing traffic.
Expert Disable insecure protocols. Disable SMB, SSL, PCT 1.0 and TLS 1.0/1.1

See guide https://docs.microsoft.com/en-us/windows-server/securty/tls/tls-registry-settings#tls-dtls-and-ssl-protocol-version-settings AND https://docs.microsoft.com/en-us/windows-server/storage/file-server/troubleshoot/detect-enable-and-disable-smbv1-v2-v3
NOTE: Use SFTP instead!
Expert Remove untrusted CA certificates Run certmgr.msc as an administrator and look in "Trusted Root Certification Authorities/Certificates" and "Intermediate Certification Authorities/Certificates". NOTE: Remove certificates from CAs run by governments and affiliates and organisations you don't trust. Firefox has its own certificate root store outside Windows store.
Expert Disable automatic driver installation for plugged in devices. Group policy: Enable "Prevent installation of devices not described by other policy settings" AND enable "Allow installation of devices that match any of these device instance IDs" and specify already installed device instances IDs. Both policies can be found in Computer Configuration/Administratrive templates/System/Device installation/Device installation restrictions.
Standard Adjust Windows privacy settings. Set the features in Windows settings listed below ↓

Windows Settings:
	System \ Clipboard
		Clipboard history = Off
	Time & Language \ Typing \ Typing insights
		Typing insights = Off
      	Privacy & Security \ General
                Let apps show me personalised ads by using my advertisting ID = Off
                Let websites show me locally relevant content by accessing my language list = Off
                Let Windows improve Start and search results by tracking app launches = Off
                Show me suggested content in the Settings app = Off
        Privacy & Security \ Speech
                Online speech recognition = Off
        Privacy & Security \ Inking & Typing personalisation
                Personal Inking and typing dictionary = Off
        Privacy & Security \ Diagnostics & feedback
                Send optional diagnostic data = Off
                Tailored expierences = Off
        Privacy & Security \ Activity history
                Store my activity history on this device = Off
                Send my activity history to Microsoft = Off
        Privacy & Security \ Safe permissions
                SafeSearch = Off
                Microsoft account = Off
                Work or School account = Off
                Search history on this device = Off
                Show search highlights = Off

Advanced Disable unneccesary services. Run services.msc as an administrator and disable the services listed below ↓ NOTE: Some features and functions may stop working, and no garantue can be given against that. I've been testing it for about 1 year on my Windows installation, but that's limited to my scenario of Windows usage.

Functions you use could be depedent on some of these services (Not seen in the Dependencies tab or neccesarly intepretable by the service name or its documented purpose). Therefore you should be observant in case that some feature or function stops working.


	ActiveX Installer
	AllJoyn Router Service
	Auto Time Zone Updater
	BranchCache
	Cellular Time
	Clipboard User Service
	Connected Devices Platform Service
	Connected Devices Platform User Service
	Connected User Experiences and Telemetry
	Function Discovery Resource Publication
	(If you don't use Windows recording or streaming.) GameDVR and Broadcast User Service.
	Geolocation Service
	Retail Demo Service
	User Experience Virtualization Service
	Windows Error Reporting Service
	(Unless a NPS/Radius server) Routing and Remote Access
	(Unless in SharedPC mode) Shared PC Account Manager

Advanced Enable the Virtualization Based Security (VBS) features listed below ↓

	Group Policy #1: Computer Configuration\Administrative templates\System\Device Guard
	Enable "Turn On Virtualization Based Security" 	
	Set options:
        	Secure Boot and DMA protection
        	Enable Virtualization Based Protection of Code Integrity(HVCI) with UEFI Lock.
        	Enable the option "Require UEFI memory attribute tables" to make sure HVCI is only enabled for compatible devices.
        	Enable secure Launch.
	Group Policy #2: Computer Configuration\Administrative templates\System\Kernel DMA Protection
	Enable "Enumeration policy for external devices incompatible with Kernel DMA Protection"
	Set option "Block all".





Web Browsing

Level Title Description Note
Standard Use a VPN! Use a VPN when you want to keep your internet connection private, and when you connect to a public Wifi. NOTE: Use the VPN providers DNS server to make sure the traffic and logs are contained at one provider.

OpenVPN: Add the parameter "block-outside-dns" to your config file to block lookups to the ISPs DNS server and thus preventing information about your real ISP from leaking.
Standard-Advanced Use one of these browsers:

Standard Brave

Advanced Firefox
Brave is easy to setup and provides good built-in security and tracking protection.

Firefox is generally the most secured and private browser if you spend some time configuring it properly, including extensions.

NOTE: See the Firefox sections further below for a guide on how to configure them for best security and privacy.
Advanced Encrypt your DNS lookups Encrypt your DNS lookups when not connected to a VPN tunnel. I recommend using the DnscryptV2 protocol and dnscrypt-proxy client for Windows, MacOS and routers(Linux based) and DNSCloak for iOS. NOTE: Use a DNS server that don't log client lookups and have DNSSEC support enabled.
Advanced Use a privacy focused search engine. I recommend DuckDuckGo NOTE: Don't trust all sites in your search results, don't click on random links.





Email and Chat

Level Title Description Note
Standard Encrypt your mail storage! Make sure your email application stores its data on a encrypted drive.
Standard Don't open random files! Don't open any attached files you don't expect to receive!
Standard Beware of spoofed senders! Don't trust that email comes from the sender/domain you see displayed, it can be spoofed easily.

Expert: Look in the SMTP headers and see if the SPF,DKIM,DMARC checks passed. Not all use DKIM/DMARC yet. But if the SPF check fails, then the sender is spoofed or they have really bad email security.
Standard Don't click unsubscribe. Block instead. Avoid clicking on unsubscribe links in subsription email. It will give away more information about you. Also, the email could potentially be spoofed and contain a malicious unsubscribe link.
Standard Talk on encrypted chats! I recommend Signal for encrypted chat.

Emails are be often read/scanned by the hosting provider, unless you and the recipient encrypt them and manage your own private keys.
Advanced Use a private and secure provider for sensitive Email. You should use a secure and private provider for sensitive communication that has to be emailed.
Advanced Block remote content! Set email app default behavior to block remote content Disable remote content and only enable it selectively for emails you trust.





iOS

Level Title Description Note
Standard Set a passcode! Set a passcode, 6 digit PIN minimum, that's hard to guess. Note: It should be hard to guess even if the maliciour actor knows information about you, such as social security number.
Standard Don't jailbreak! Don't jailbreak your device, to reduce the risk of malicious device takeover. Also, you won't receive automatic iOS updates.
Standard Uninstall apps you don't need! Uninstall all apps you don't need, including native ones.
Standard Enable automatic updates. Enable automatic updates for iOS and apps.
Standard Enable On-Device Mode for the Translate app. Enable On-Device Mode in Translate system settings.
Standard Disable iCloud sync per app/feature. Disable syncronization of data to iCloud in system settings, for each app and feature (data) you don't need synced to iCloud.
Standard Avoid side-loading apps! Only side-load apps from sources you really trust.
Standard Disable Siri scanning for apps. Disable "Learn from this app" in the app system settings and Siri section for all installed apps.
Standard Don't auto-join hotposts Disable Auto-Join Hotspot in Wifi system settings.
Standard Set a SIM PIN. Make sure a PIN code is set on your SIM card.
Standard Disable notification previews when locked. Set Show Previews to "When Unlocked". You don't want others to see your notification content if your phone gets stolen.
Standard Disable Siri. Settings: Disable Siri from the Siri system settings. Siri might leak sensitive data, since not all data is processed on-device.
Standard Disable Airdrop. Disable Airdrop in system settings when not in use.
Standard Disable CarPlay while locked. Disable "Allow CarPlay While Locked" in CarPlay system settings.
Standard Require "eye contact" to use FaceID. Enable "Require Attention for Face ID" in Accessibility system settings.
Standard Disallow access to features when locked. Disable everything in "Allow Access when locked" in Face ID & Passcode system settings.
Standard Configure your in-app settings security and privacy settings. Go trough each applications privacy and security settings first thing you do after installing it. There's often a lot of of privacy settings.
Standard Erase data on multiple failed passcode attempts. Enable "Erase data" in Face ID & Passcode system settings. NOTE: Your iPhone will be reset and all data will be erased after 10 failed passcode attempts.
Standard Disable Location Services or only allow it while using the app. Disable Location Service for apps, OR only allow it while using the app. This is can be set per app in Privacy/Location Service system settings.
Standard Disable telemetry Disable "Share iPhone & Watch Analytics" in Privacy/Analytics & Improvements system settings.
Standard Disable personalised Ads Disable "Personalised Ads" in Privacy/Apple Advertising system settings.
Standard Disable Personalised Recommendations in App Store. Disable "Personalised Recommendations" in App Store account settings.
Standard-Advanced Standard: Use Firefox

Advanced: Use Firefox Focus
Firefox has very good security and privacy features on iOS.

Firefox Focus offers even better security and privacy and clears cookies between each session. Use Firefox Focus as a first option and standard Firefox for sites not working in it.
Note:

Firefox: Enable "Block Pop-up Windows", "Close Private Tabs", "Enhanced Tracking Protection" + "Strict (Mode)" AND disable "Show Link Previews", "Offer to Open Copied Links", "Send Usage data" and "Studies".

Firefox Focus: Enable "Block web fonts", "Enhanced Tracking Protection" + All block options AND disable "Send usage data", "Studies", "URL Autocomplete" and "Get Search Suggestions"
Advanced Don't use Find My Iphone unless you really need it! Disable Find My Iphone in iCloud system settings. Minimize the amount of tracking in your phone including location tracking.





Network and Router

Level Title Description Note
Standard Secure password for your Wifi! Set a long and complex password for connecting to the Wifi.
Standard WPA2/WPA3 support! Enable WPA3 security on your router, or as minimum WPA2, if not supported. NOTE: WPA3 should be a requirement for new routers you buy!
Standard Secure password for router managentment. Set a long and complex password on the account used to access your router management interfaces.
Standard Enable the router firewall! Enable the firewall on your router so to only allow incoming traffic that you need.
Standard Update your routers and APs! Enable auto-update or regulary update the firmware on your routers and access points. These devices are exposed by nature and need to stay updated from new vulnerabilities. NOTE: Don't use any unsupported routers or access points that don't receive security patches from the vendor!
Standard Use a VPN! Use a VPN when you want to keep your internet connection private, and when you connect to a public Wifi. NOTE: Use the VPN providers DNS server to make sure the traffic and logs are contained at one provider.

OpenVPN: Add the parameter "block-outside-dns" to your config file to block lookups to the ISPs DNS server and thus preventing information about your real ISP from leaking.
Standard Disable WPS PIN! Disable WPS PIN on your routers. WPS is a protocol for easy Wifi setup, and WPS PIN is one of its method that has a serious security vulnerability where the PIN can be extracted by a malicious actor.
Standard Don't expose any devices! Don't put any computers or other devices in front of the router/firewall. Unless it's intended for the public. Hackers countinesly scan the internet for exposed services and target them.
Standard Don't expose router management interfaces! Keep the router management interfaces, no matter what network protocol, accessible from the internal LAN only.
Standard Disable unnecessary features on routers/APs! Disable all your router and access point features you don't need, since they just increase the attack vector. Extra important on a router since it's exposed on the internet and many typical routers come with bloatware.

NOTE #1: Also check security features, many leak data to providers, such as web protections that upload browsing data to a 3rd party.
Standard Disable logging of sensitive data on router! Some routers log sensitive data, such as web/http traffic and DNS lookups. Disable all these.
Advanced Disable CTF/NAT acceleration. Disable Cut-Through Forwarding/NAT acceleration on your routers. These features allows for traffic to bypass internal firewall scanning and other potential security features.
Advanced Disable UPNP. Disable UPNP on your routers. UPNP could allow a potentially infected device on your network to open up network ports allowing malicious traffic from the internet.
Advanced Encrypt your DNS lookups Encrypt your DNS lookups when not connected to a VPN tunnel. I recommend using the DnscryptV2 protocol and dnscrypt-proxy client for Windows, MacOS and routers(Linux based) and DNSCloak for iOS. NOTE: Use a DNS server that don't log client lookups and have DNSSEC support enabled.
Advanced Block ping on router. There's no reason to allow clients on the internet to ping and discover your router. NOTE: Not all routers have the option to block ping (ICMP Echo).
Advanced Create a guest wifi zone. Set up a separate guest wifi SSID (With password) for devices you dont own and less secure devices such as mobile phones. The guest wifi zone must be isloated from the internal wifi.
Advanced Don't broadcast your SSID. It makes it somewhat harder for evil neighbours to hack your network.
Expert Install a secure and customizable open source firmware! For secure and customizable firmware I recommend:

Open-WRT or

DD-WRT





Firefox

Some security measures require you to install an extension while other require changes in the settings or config editor. The config editor can be accessed by entering about:config into the URL/search bar.
Level Title Description Note
Advanced Disable 3rd party cookies. Config editor: network.cookie.cookieBehavior = "1" To prevent sites on different domains from reading share each others cookies.
Standard Send "Do not track". Settings: Enable "Do not track". Not all sites follows this request/header. But it should still be enabled.
Standard Disable experimental feature. Config editor: messaging-system.rsexperimentloader.enabled = "false" You should avoid experimental/beta features since they're not neccesarily secure enough until they become generally available.
Standard Prevent fingerprinting Extension: CanvasBlocker AND Config editor: privacy.resistFingerprinting = "true", privacy.trackingprotection.fingerprinting.enabled = "true"
Standard Block trackers Extension: uBlock Origin AND Config editor: privacy.trackingprotection.enabled = "true"
Standard Block embeeded cryptominers. Extension: uBlock Origin AND Config editor: privacy.trackingprotection.cryptomining.enabled = "true"
Standard Prevent tracking from URL properties. Extension: ClearURLs AND Config editor: network.http.referer.XOriginPolicy = "2", network.http.referer.XOriginTrimmingPolicy = "2", network.http.sendRefererHeader = "0", network.http.sendSecureXSiteReferrer = "false" This prevents tracking from things like cross-domain referall links, by cleaning up URLs and HTTP headers from these properties.
Advanced Enforce HTTPS. Settings: Enable HTTPS-only mode This is to prevent you from browsing web sites on a unencrypted network connection.
Advanced Only run content you need and trust! Extension: NoScript Selectively permitt neccesary content types, for example scripts and CSS, only on domains you trust.
Advanced Disable WebGL. Config editor: webgl.disabled = "true", webgl.disable-wgl = "true", webgl.enable-webgl2 = "false" There are vulnerabilities in the API thare are unpatchable.
Advanced Use containers for sensitive sites/domains Extension: Multi Account Containers This will help prevent cookies from one domain, eg. sign-in cookies, from leaking to another, even if Firefox has built-in protection for that (Cookie isolation).
Advanced Automatically delete cookies. Extension: Cookie AutoDelete You will must probably browse many sites in a mixed un-contained browsing session. That's why it's good to keep those browsing cookies temporarly only.
Advanced Prevent Etag tracking Extension: Chameleon
Advanced Spoof your user agent. Extension: Chameleon Sites can track you from the user agent information.

NOTE: Chameleon lets you continuously randomize a new user agent.
Advanced Prevent CSS based exfiltration. Extension: CSS exfil protection
Advanced Disable WebRTC. Config editor: disable/media.peerconnection.enabled = "false" WebRTC might leak your IP-adress/ISP when connected to VPN.
Advanced Prevent tracking through CDNs Extension: Decentraleyes Prevent tracking through requests done to centralized content delviery networks(CDN) such as Google or Cloudflare. Decentraleyes will serve local files to keep sites working.
Advanced Prevent URL/search bar tracking. Config editor: browser.urlbar.speculativeConnect.enabled = "false" The setting will disable pre-emptive DNS lookups for domains you enter in the URL/search bar.
Advanced Disable snippets on the home/start page. Config editor: browser.aboutHomeSnippets.updateUrl = BLANK These snippets will generate HTTP traffic from your browser when you open the home/start page.
Advanced Disable network captive portal redirect Config editor: network.captive-portal-service.enabled = "false" This should be disabled since you can't be sure what site the public Wifi redirects you to upon connecting.
Advanced Disable network state probing. Config editor: network.connectivity-service.enabled = "false" This feature will generate HTTP traffic to test network connectivity from your browser when the network state changes.
Advanced Disable speculative pre-connection. Config editor: network.http.speculative-parallel-limit = "0", network.prefetch-next = "false", network.dns.disablePrefetch = "true", network.dns.disablePrefetchFromHTTPS = "true", network.predictor.enabled = "false", network.predictor.enable-prefetch = "false" This feature will fetch links preemptively on link previews/mouse hover.
Advanced Disable built-in regional detection feature. Config editor: browser.region.update.enabled = false, browser.region.local-geocoding = false, browser.region.network.url = BLANK This feature might leak information about you/your device.
Advanced Disable IP-based geolocation. Config editor: browser.search.geoip.url = BLANK
Advanced Disable Activity Stream. Config editor: browser.newtabpage.activity-stream.feeds.asrouterfeed = "false" Activity Stream might leak information about your page visists.
Advanced Block DRM content. Settings: Disable playback of DRM content AND Config editor: media.eme.enabled = "false", media.gmp-widevinecdm.enabled = "false", media.gmp-widevinecdm.visible = "false" Playing DRM content also means your running code on in your browser you can't review (Closed source).
Advanced Prevent hardware device enumeration. Config editor: media.navigator.enabled = "false" This function can leak information about your device.
Advanced Prevent sensitive information in Firefox Session Restore feature. Config editor: browser.sessionstore.privacy_level = "2" This function stores information such as cookies, form values and HTTP POST data.
Advanced Prevent IDN exploits. Config editor: network.IDN_show_punycode = "true" This prevent IDN exploits by displaying raw punnycode. See more information about the vulnerability and workaround here https://www.mozilla.org/en-US/security/advisories/mfsa2005-29/
Advanced Disable cached browsing. Config editor: browser.cache.memory.enable = "false", browser.cache.disk.enable = "false" This feature might lead to information about your browsing being saved without your knowledge, even if temporarly.
Expert Remove untrusted CA certificate. Settings: Uncheck certificates in Privacy & Security/View Certificates. NOTE: Remove certificates from CAs run by governments and affiliates and organisations you don't trust. Firefox has its own certificate root store outside Windows store.
Standard Prevent native data collection. Set config editor properties listed below ↓ Disable Firefox built-in data collection and potential data leaking features, such as telemetry.

app.normandy.optoutstudies.enabled = "false"
app.shield.optoutstudies.enabled = "false"
extensions.getAddons.cache.enabled = "false"
browser.send_pings = "false"
dom.event.clipboardevents.enabled = "false"
beacon.enabled = "false"
app.normandy.enabled = "false"
browser.ping-centre.telemetry = "false"
toolkit.telemetry.bhrPing.enabled = "false"
toolkit.telemetry.firstShutdownPing.enabled = "false"
toolkit.telemetry.healthping.enabled = "false"
toolkit.telemetry.newProfilePing.enabled = "false"
toolkit.telemetry.shutdownPingSender.enabled = "false"
toolkit.telemetry.updatePing.enabled = "false"
toolkit.telemetry.archive.enabled = "false"
toolkit.telemetry.enabled = "false"
toolkit.telemetry.rejected = "true"
toolkit.telemetry.unified = "false"
toolkit.telemetry.unifiedIsOptIn = "false"
toolkit.telemetry.prompted = "2"
toolkit.telemetry.rejected = "true"
datareporting.healthreport.uploadEnabled = "false"
browser.crashReports.unsubmittedCheck.autoSubmit2 = "false"
browser.crashReports.unsubmittedCheck.autoSubmit = "false"
browser.crashReports.unsubmittedCheck.enabled = "false"
browser.tabs.crashReporting.includeURL = "false"
browser.tabs.crashReporting.sendReport = "false" 
dom.ipc.plugins.flash.subprocess.crashreporter.enabled = "false"
dom.ipc.tabs.createKillHardCrashReports = "false"





Thunderbird Email

Some security measures require you to install an extension while other require changes in the settings or config editor. The config editor can be accessed by entering about:config into the URL/search bar.
Level Title Description Note
Advanced Disable remote content. Settings: Disable remote content. NOTE: This will prevent Thunderbird from loading any content not directly attached to the email, thus preventing leaks when you read an email.
Advanced Disable speculative pre-connection. Config editor: network.http.speculative-parallel-limit = "0", network.prefetch-next = "false", network.dns.disablePrefetch = "true", network.dns.disablePrefetchFromHTTPS = "true", network.predictor.enabled = "false", network.predictor.enable-prefetch = "false" This feature will fetch links preemptively on link previews/mouse hover.
Standard Prevent native data collection. Set config editor properties listed below ↓ Disable Thunderbirds built-in data collection and potential data leaking features, such as telemetry.

app.normandy.optoutstudies.enabled = "false"
app.shield.optoutstudies.enabled = "false"
extensions.getAddons.cache.enabled = "false"
browser.send_pings = "false"
dom.event.clipboardevents.enabled = "false"
beacon.enabled = "false"
app.normandy.enabled = "false"
browser.ping-centre.telemetry = "false"
toolkit.telemetry.bhrPing.enabled = "false"
toolkit.telemetry.firstShutdownPing.enabled = "false"
toolkit.telemetry.healthping.enabled = "false"
toolkit.telemetry.newProfilePing.enabled = "false"
toolkit.telemetry.shutdownPingSender.enabled = "false"
toolkit.telemetry.updatePing.enabled = "false"
toolkit.telemetry.archive.enabled = "false"
toolkit.telemetry.enabled = "false"
toolkit.telemetry.rejected = "true"
toolkit.telemetry.unified = "false"
toolkit.telemetry.unifiedIsOptIn = "false"
toolkit.telemetry.prompted = "2"
toolkit.telemetry.rejected = "true"
datareporting.healthreport.uploadEnabled = "false"
browser.crashReports.unsubmittedCheck.autoSubmit2 = "false"
browser.crashReports.unsubmittedCheck.autoSubmit = "false"
browser.crashReports.unsubmittedCheck.enabled = "false"
browser.tabs.crashReporting.includeURL = "false"
browser.tabs.crashReporting.sendReport = "false" 
dom.ipc.plugins.flash.subprocess.crashreporter.enabled = "false"
dom.ipc.tabs.createKillHardCrashReports = "false"