Windows Blockers

-Forticlient 7.0 (better than the discontinued k9 web protection)

Spoiler

-It might not work well with some anti-viruses as:
1- Eset antivirus --> All Web pages will not load, or will load very slowly.
..........

Why FortiClient?

FortiClient has one of the LARGEST website categorization database. You will *almost* never find a porn site or a proxy site that’s not blocked by FortiClient.

Also, it filters all apps including emulators like Bluestacks and Android Studio.

It works well when you're connected to a VPN and all bad sites will remain blocked.
It cannot be removed without its password.

1-Must see before you Install FortiClient:
https://ibb.co/yQ5ZxfP

2-Download FortiClient v7.x:
64-bit version:
https://links.fortinet.com/forticlient/win64/fabricagent
32-bit version:
https://links.fortinet.com/forticlient/win/fabricagent

You'll notice that FortiClient doesn't filter anything, because it still needs to be activated using FortiClient EMS.

3-Sign up for a FortiClound account. (Don't use your personal e-mail or you'll be able to reset the password)

4-Download FortiClient Endpoint Management Server (EMS) 7.0.2:
64-bit:
https://links.fortinet.com/forticlient/win64/ems

5-The following video (3:45 minutes) will show you how to:
-Import the custom configuration to FortiClient EMS
-Activate FortiClient using FortiClient EMS.
-Optional: Activate FortiClient on an iOS device, which has to be connected on the same network as EMS, e.g. Wifi.
Watch it on highest quality.


To activate an iPhone, it needs to be connected to the same network (wifi) as the EMS and it requires Supervised mode and installing a profile.

Save the EMS login password on lockbox.pluckeye.net

Additional information
*FortiClient EMS can only activate 3 devices for free. To activate more, you'll need to install EMS on another PC and login using a new FortiCloud account.
*To remove a device from EMS, go to Endpoints, select the device, click on action>deregister, then click again on action> delete. This will free up "license seats" when you don't need to filter a device anymore.
*If you get the error "EMS maximum licenses exceeded" when attempting to connect to the EMS even when no endpoints are connected:
Try restarting your PC and reconnecting to the EMS. If it still fails then you'll have to login to EMS and delete your FortiCloud account. Sign up to a new FortiCloud account and login to EMS using it.
*Editing the Web filter section of the Default profile in EMS:
-If you need to block a URL keyword, select regex. Examples:
.*urword.*
.*naughty.*girl.*
-If you want to allow/block a site, select Wildcard. Example:
*badsite.com/*
-If you want to block torrent and illegal download sites, block this category: Potentially liable>Illegal or Unethical.
-It's better to keep "Enable Safe search off" because it just edits the hosts file and will cause problems on iOS when you try to log in to Google apps.
*If FortiClient shows "Not reachable" message, the web filter will still work, but if you need to update the settings from EMS, you'll have to disconnect then reconnect FortiClient to EMS.

-Editing and locking the hosts file

Spoiler

The following hosts file will do the following by default:
-Enable Safe search on Google, Bing, duckduckgo & Yandex.
-Block other search engines.
-Allow access to reddit and twitter. (Edit the file if you want to block images and videos. Instructions are included in the file).
-Block tons of porn sites and other bad sites.
-Enable youtube normal (unrestricted) access.
-You could also block any site.

Apps needed:
Notepad++:https://notepad-plus-plus.org/downloads/
Anvi Folder Locker:https://www.filehorse.com/download-anvi-folder-locker/download/

The blocklist for the hosts file:
https://raw.githubusercontent.com/John889/blocklists/main/hosts.txt

Step by step video (1:31 mins):

-Pluckeye (customize it to block only porn sites):

Spoiler

This is one of the essential blockers. Do not skip it.
https://forum.nofap.com/index.php?threads/pluckeye.300403/

-DN-Secure (previously fapsecure)

Spoiler

DN-Secure helps with self control and cannot be stopped without its password or you will have to wait for a delay of 4 hours (the delay could be modified).

Download:
https://raw.githubusercontent.com/John889/DN-Secure/main/DN-Secure-setup.zip

-Features of DN-Secure:
*Enforces Cleanbrowsing Family DNS (Blocks millions of bad sites). https://cleanbrowsing.org/filters
*Enforces safe search on Google, Bing, Yandex and duckduckgo.
*Blocks other search engines.
*Blocks proxies/vpns
*Filters all apps and browsers, but only Chromium-based browsers like Edge, Chrome, brave, etc are supported.
Other browsers will be filtered but to achieve the highest protection, they will keep crashing and will not be usable. Firefox proved to be not good for filtering, so it will keep crashing.

*I recommend editing and locking the hosts file when using DN-Secure (discussed above).

*When you enable DN-Secure it will generate a file called DN-Securepw.txt in your C: drive. It contains the password to remove DN-Secure. Save it on lockbox.pluckeye.net

*To disable DN-Secure, open DN-Secure from the start menu, and use the password.

*You can change the DNS server to anything else that you prefer by opening DN-Secure settings from the start menu. It will open a folder conaining many files. You can also modify the delay to disable DN-Secure. Open HowToUse.txt for detailed instructions.

*You can't change the DNS server once DN-Secure is enabled. You need to disable DN-Secure first which needs the password, then re-enable DN-Secure.

It won't affect other devices on your home network.

An alternative DNS enforcer is ForceDNS, but it doesn’t use DNSCrypt.

DN-Secure was tested on windows 8.1 and windows 10 with no problems.
Windows 8, Windows 7 and vista need to install this windows update first:
https://www.microsoft.com/en-us/download/details.aspx?id=54616

-----
If you get a missing .dll file error when running DN-Secure, this means you need to install Visual C++ redistributable x86 (size 13 MBs):
https://aka.ms/vs/16/release/vc_redist.x86.exe
----
special thanks to @Infidel.48 for his support and ideas to improve DN-Secure.

-Cold Turkey:

Spoiler

Has the advantage of being able to block URLs using keywords and app blocking.

Cold Turkey:
https://getcoldturkey.com/

Screenshot on how to use:
https://ibb.co/DgFBzG0

Screenshot on how to prevent easy bypass:
https://ibb.co/Ks9SMjj
Leave Block Date&Language off as it will cause high CPU usage.


Import this list:
https://www.mediafire.com/file/pzm36f2xsr1sgog/Block+Lists+from+MacBook+Air.ctbbl/file
It contains lists for windows and macOS. The ones we need are:
Bad Sites: Blocks porn, proxies using keywords, tons of bad apps and a lot more.
Regedit/Gpedit/Secpol/FileSec: Blocks access to Regedit, Gpedit, Secpol, File Security options and methods to bypass some blockers.
Cold turkey will block unsafe browsers that could be used to access porn.

You could edit the list as you wish.

The best way to lock Cold Turkey Free version:
This requires basic understanding of locking Cold Turkey using the command line (command prompt).
Example:
"C:\Program Files\Cold Turkey\Cold Turkey Blocker.exe" -start "Bad Sites" -lock 720
This will lock a block named Bad Sites for 720 minutes (12 hours).

Task scheduler could be used to execute and repeat the commands we want automatically.

1-Download this xml file:
https://www.mediafire.com/file/bkdi4vulw7msmnx/ColdTurkey.xml/file

2-From start menu, open Task Scheduler.
3-Right click "Task Scheduler Library" > Import task>Select the file you just downloaded (ColdTurkey.xml).

In the "Actions" tab, you'll find to entries to lock "Bad Sites" and "Regedit/Gpedit/Secpol/FileSec" for 12 hours. Double click any of them to learn the correct format. You could modify them or remove what you don't need. You could add more Cold Turkey blocks by clicking on "New..."

In the "Triggers" tab, you'll see that Task scheduler will execute the commands once your computer starts and every one hour. Click OK. It will start automatically in the first minute of every hour (12:00, 1:00, etc) or if you restart your PC, but you could also start it manually by right clicking ColdTurkey in Task Scheduler>run.

This is the basis of delayed gratification, if you want to unlock a block, say for example, "Bad Sites", just go to the actions tab and edit the command, change "Bad Sites" to anything like "Bad Sites1" >OK>OK. After 12 hours, the block will be unlocked. If you want to lock it again. Change "Bad Sites1" to "Bad Sites". dontdeleteme is a dumb block and will keep unsupported browsers blocked even if you disable other real blocks.

Finally, go to the Cold Turkey app and lock TaskScheduler using Random Text> 30 characters. This will prevent you from messing with task scheduler except when you really need to. Only increase the characters gradually, e.g., 30 >40>50. If you set 100+ character then you're probably locked out permanently.




Bonus:
to block the google images search add this:
*tbm=isch*
to block the google videos search add this:
*tbm=vid*

Protecting files and folders

Spoiler

-Anvi Folder Locker
Completely locks files and folders from being modified. Set the locking settings to "ReadOnly". (recommended)

If you want to prevent files and folders from being read or copied you could password protect files and folders.
-Easy File Locker (V2.0 is the best for win10)
Just like Anvi Folder locker. You could try both and see what works better for you. Here, and unlike Anvi folder locker, password locking folders and files is not recommended as it will produce a lot of bugs.

-Protecting services:

Spoiler

Only use this when needed. It is not needed in most cases with the blockers above.

To protect a windows service from being stopped, modified or deleted; you could do this:
1-Run cmd as administrator then use the following command. Replace servicename with the name of the service you want to protect:
SC Failure servicename actions= restart/1/restart/1/restart/1/restart/1// reset= 0

Now, even if you terminate the exe of that service, it will auto restart immediately.

2-Change the service permissions using Service Security Editor:
https://www.coretechnologies.com/products/ServiceSecurityEditor/
Use this app to deny stop, modify and delete permissions of the service.

-Encrypting your Hard drive (optional): For the tech savvy. From @Infidel.48

Spoiler

This will protect your files and settings from being modified using bootable operating systems.

Download:
https://www.veracrypt.fr/en/Downloads.html

Disable safe mode (HIGHLY RECOMMENDED)

Spoiler

We will have to edit the registry.
https://www.raymond.cc/blog/disable-f8-key-to-block-access-to-safe-mode-during-windows-startup/2/

^Open the link and scroll down till you get to this part:

“Editing The Windows Vista, 7 And 8 Registry”,

Edit the registry and rename "Network" (and “Minimal” if you want).

Finally, you need block access to regedit using Cold Turkey.

Disabling Windows recovery

Spoiler

Windows recovery includes system restore, system reset, fresh start, etc.
Method 1 (Using Pluckeye):

Code:

pluck + norecovery

This one is reversible, so it's the recommended way to begin with.

Method 2 (Permanently deleting the recovery partition):
https://www.cleverfiles.com/howto/delete-recovery-partition.html

Windows recovery can be very useful if your system stopped working properly, for example, if you accidentally deleted important system files. So don't delete the recovery partition except if it is actually causing you problems.

Outdated apps:

Spoiler

old apps. not needed

-Qustodio:
I had to mention qustodio because it's worth trying and you can install it together with any other filter but never use it alone.

Features:

*Blocks porn & proxies
*Forces safe Google, youtube (moderate restrictions), bing, duckduckgo, etc.
https://www.qustodio.com/en/family/downloads/

You might want to sign up for an account using your friends email. After you login on the qustodio app on all of your devices. Ask your friend to change the qustodio account password.

-K22 Process blocker (Shared by @Infidel.48
An excellent free app blocker.
Features:
-Can block any process/exe/task
-Can block by window names
Video tutorial:

Download page:
scroll down to "Process Blocker"
https://www.haascomputers.com/our_software
The antivirus will block it but it's totally safe.

It's recommended that you lock it using anvi and also check out how to protect services.

 

I bet you haven't tried any of those . FortiClient 7.0 and Pluckeye cannot be bypassed even by coders.

 

You could encrypt your hard drive using this:
https://www.veracrypt.fr/en/Downloads.html

try pluckeye and put in this command:
pluck + norecovery

This should fix all backdoors.

 

I know you probably thought about it, but have you tried physical locks to the PC case?
something like this:
https://www.fjmsecurity.com/Computer-Locks.php

 

No problem @erhemee Great to hear they work well for you

Thanks a lot for the feedback, man. If you get any other similar issues let me know and I might know a fix.

Perfect!
Actually, app blocking was @Infidel.48 's idea and he had the first list of bad apps to block and I added some more.

 

https://u.pluckeye.net/configurations/47631