00:00Welcome, we're stepping into 2026 and the digital landscape has never been more treacherous.
00:07Your network privacy is under constant assault, not just from malicious actors, but from a pervasive system of data collection.
00:16What if I told you that the default settings on your Windows 11 machine are leaving you exposed?
00:22Today, we're not just discussing privacy, we are engineering it.
00:26This is your masterclass in fortifying your digital fortress, starting with the very foundation of your internet connection.
00:35Our first and most critical battleground is the domain name system, or DNS.
00:41Every time you visit a website, your computer sends a plaintext DNS query to a server, essentially announcing your destination
00:50to anyone listening.
00:52This is a massive privacy vulnerability.
00:55Your internet service provider, network snoops, and data brokers can see every site you visit.
01:03The solution?
01:05Encrypting these queries.
01:07We're going to implement DNS over HTTPS, or DOE.
01:12This wraps your DNS requests in a secure HTTPS tunnel, making them indistinguishable from normal encrypted web traffic.
01:21Let's configure this on Windows 11 right now.
01:25Navigate to Settings, then Network and Internet, and select your active connection, whether it's Wi-Fi or Ethernet.
01:34Scroll down to DNS Server Assignment and click Edit.
01:37Change the setting from Automatic to Manual.
01:42For IPv4, you'll want to enter a privacy-focused DNS provider's address.
01:47For example, Quad9s is 9.9.9.9.
01:52Then, under Preferred DNS Encryption, select Encrypted Only DNS over HTTPS.
01:59This is non-negotiable.
02:02It forces encryption, ensuring your queries are never sent in the clear.
02:07Repeat this process for IPv6 if you use it.
02:11For Quad9, the IPv6 address is to 620 colon fey colon colon fey.
02:17Once applied, your DNS traffic is now shielded from prying eyes.
02:22This is a fundamental step that every security-conscious professional must take.
02:28Now, let's escalate our defenses with a virtual private network or VPN.
02:35But not just any VPN.
02:37We're going to configure a secure VPN with a protocol that offers no compromises.
02:43While many consumer VPN apps are convenient, setting up a manual connection gives you granular control over your security parameters.
02:52In Windows 11, we'll use the built-in client, but we will pair it with a robust protocol like IK
02:59EV2 or OpenVN.
03:01WireGuard is also an excellent, modern option if supported by your provider.
03:07Here's the process.
03:08First, you need a VPN subscription from a reputable provider that supports manual configuration
03:15and provides the necessary credentials and server addresses.
03:20Look for providers based in privacy-friendly jurisdictions with a strict no-logs policy audited by third parties.
03:28Avoid free VPNs.
03:30Their business model often relies on selling your data.
03:33Once you have your credentials, go to Settings, then Network and Internet, and select VPN.
03:41Click Add VPN.
03:43For the VPN provider, choose Windows built-in.
03:47Give the connection a descriptive name.
03:50For the server name or address, enter the one provided by your VPN service.
03:56For the VPN type, select the most secure protocol offered.
04:01IK EV2 is a great choice for its balance of speed and security.
04:06For the type of sign-in info, use username and password and enter the credentials you were given.
04:13Save the configuration.
04:16Now, before you connect, click on the Connections properties and navigate to the Networking tab.
04:22Select Internet Protocol Version 4, click Properties, then Advanced.
04:27Make sure Use Default Gateway on Remote Network is checked.
04:33This ensures all your traffic is.
04:35Route it through the VPN tunnel, preventing any leaks, by taking manual control.
04:42You are verifying the protocol and settings, leaving nothing to chance.
04:47With our traffic encrypted via DNS and tunnelled through a secure VPN, let's harden our system against direct attacks.
04:56Hackers are constantly scanning for vulnerabilities.
04:59Your first line of defense is the Windows Defender Firewall.
05:03Most users leave it on its default.
05:06Settings.
05:07But we can do better.
05:08We need to create specific rules to lock down our system.
05:12Open Windows Defender Firewall with advanced security.
05:17The key here is to move from a default allow to a default deny posture for outbound connections.
05:23This is an advanced technique.
05:26By default, Windows allows all outbound traffic.
05:30By blocking all outbound connections by default and then creating specific allow rules only for the applications you trust,
05:39you prevent any unauthorized software from phoning home.
05:43Let's create a rule.
05:45Right-click on Outbound Rules and select New Rule.
05:50Choose Program and specify the path to an application you trust, like your web browser.
05:56Select Allow the connection.
05:58Do this for all essential applications.
06:02Then, go to the Firewall S main properties and for the outbound connections setting on your active profile private or
06:10public change it from allow to block.
06:13Any application not explicitly on your allow list is now unable to access the network.
06:20This stops malware in its tracks even if it manages to infect your system.
06:25To complement this, regular network traffic monitoring is crucial.
06:30Use tools like GlassWire or the built-in resource monitor as network tab to see which processes are making network
06:38connections.
06:40Investigate anything you don't recognize.
06:42This proactive monitoring is the difference between a secure system and a compromised one.
06:49Finally, let's talk about professional network settings.
06:52For many IT professionals and power users, a dynamic IP address assigned by your router is inefficient and can pose
07:02security challenges.
07:03We will configure a static internal IP address.
07:07This ensures your device is always at a predictable address on your local network, which is essential for managing fireball
07:15rules, port forwarding, and other advanced configurations.
07:20To set a static IP, go back to your network adapter's properties.
07:25Select Internet Protocol Version 4 and click Properties.
07:30Choose Use the following IP address.
07:33You'll need to enter an IP address that is outside your router SDHCP range, but within the same subnet.
07:41For example, if your router's DHCP range is 192.168, 1.100 to 192.168, 1.200, you could set
07:56your static IP to 192.168.1.50.
08:00You'll also need to enter the subnet mask, which is usually 255.255, 255.0, and the default gateway, which
08:13is your router's IP address.
08:15Crucially, you must also manually enter your DNS server addresses here the same encrypted DOE ones we configured earlier.
08:23If you don't, your system might revert to an insecure DNS.
08:28While you're in the adapter settings, let's optimize for security.
08:33Click Configure on the adapter properties, go to the Advanced tab, and disable any legacy or insecure protocols you don't
08:42need,
08:43such as link layer topology discovery or any power saving features that might interrupt a secure.
08:49Connection
08:51These small tweaks reduce your attack surface and enhance network stability.
08:57Let's recap what we've accomplished.
09:00We started by encrypting our DNS queries with DOE, blinding snoopers to our browsing habits.
09:07We then built a secure, manually configured VPN tunnel to anonymize our IP address and encrypt all our internet traffic.
09:17We hardened the Windows firewall with a default deny outbound policy, effectively caging any potential malware.
09:25Finally, we established a professional network environment with a static IP and optimized adapter settings.
09:32You are now in control.
09:35You have transformed your Windows 11 machine from a default, vulnerable endpoint into a hardened, secure workstation.
09:44This isn't just about privacy, it's about digital sovereignty.
09:48In 2026, proficiency in these skills is no longer optional, it is a professional necessity.
09:56Take what you've learned today and apply it.
09:59Secure your digital life.
10:02Thank you for joining this masterclass.
10:05Be sure to subscribe for more advanced security guides.
10:09Stay vigilant.
Comentarios