A personal cybersecurity hardening project designed to build a “digital immune system” for your devices — focused on Windows 11 Enterprise and iOS 18.5. This project integrates system lockdown scripts, DNS & certificate monitoring, zero trust controls, and privacy enhancements across endpoints.
Security Level: This system achieves an advanced Zero Trust architecture, comparable to enterprise blue team standards — integrating endpoint hardening, network controls, and quantum-safe TLS. It aligns with NIST SP 800-53, NSA Windows hardening guidance, and post-quantum cryptographic readiness.
- Credential Guard + Virtualization-Based Security (VBS)
- BitLocker with AES-256 + PIN (pending finalization)
- PowerShell & ScriptBlock auditing
- Removal of persistence vectors
- Registry lockdown and secure DNS enforcement
- TLS 1.2/1.3 enforcement with quantum-safe cipher suites
- Root certificate & DNSSEC integrity monitoring
- Scheduled validation tasks
Project | Description | Link |
---|---|---|
QuantumReadiness | Enables TLS 1.2/1.3, removes legacy protocols, enforces strong cipher suites and quantum-safe crypto | 🔗 GitHub Repo |
Set-NTPConfig | Configures secure and accurate NTP sync for time integrity (critical for cryptographic verification) | 🔗 GitHub Repo |
Script | Purpose | Link |
---|---|---|
phase1/defender_hardening.ps1 | Lock down Defender, remove attack surface | View |
phase1/norton_compatible_hardening.ps1 | AV-compatible version for Norton or 3rd party | View |
phase2/anti_persistence.ps1 | Removes persistence vectors from registry | View |
phase2/logging_setup.ps1 | Enables full PowerShell and script logging | View |
phase2/registry_hardening.ps1 | Locks down insecure registry keys | View |
quantum_tls_hardening.ps1 | Disables SSL, enforces TLS 1.2/1.3, adds secure cipher suites | View |
set_ntp_config.ps1 | Configures secure time sync with trusted NTP servers | View |
CYBERIMMUNITY/
├── README.md
├── LICENSE
├── docs/
│ ├── Phase1.md
│ ├── Phase2.md
│ └── Cyberimmune_Whitepaper.md
├── phase1/
│ ├── create_restore_point.ps1
│ ├── defender_hardening.ps1
│ └── norton_compatible_hardening.ps1
├── phase2/
│ ├── anti_persistence.ps1
│ ├── bitlocker_aes256_pin.ps1
│ ├── logging_setup.ps1
│ └── registry_hardening.ps1
├── monitoring/
│ ├── check_root_certs.ps1
│ ├── check_dns_integrity.ps1
│ ├── check_dnssec.ps1
│ └── tasks/
│   ├── DNSSEC_Validation_Monitor.xml
│   ├── DNS_Resolution_Check.xml
│   └── RootCertIntegrityMonitor.xml
- `defender_hardening.ps1`: Enforces Windows Defender rules and disables legacy features.
- `norton_compatible_hardening.ps1`: Alternative for systems using Norton or other AVs.
- `create_restore_point.ps1`: Creates a restore point for rollback safety.
📄 See Phase 1 Documentation for technical controls and threat model.
- `anti_persistence.ps1`: Removes registry-based and WSH startup persistence.
- `logging_setup.ps1`: Enables script and module auditing for PowerShell.
- `bitlocker_aes256_pin.ps1`: Applies full disk encryption with AES-256 and preboot PIN.
- `registry_hardening.ps1`: Locks down key registry paths and disables weak behaviors.
📄 See Phase 2 Documentation for technical controls and threat model.
This whitepaper presents the Cyberimmune project: a comprehensive, layered cybersecurity framework designed to implement a practical and user-driven Zero Trust model on consumer and professional endpoints. Focused on Windows 11 Enterprise and iOS 18.5, the system uses scriptable hardening, forensic-grade logging, strict access controls, DNS monitoring, and privacy tools to create a “digital immune system” capable of resisting modern cyber threats.
See Cyberimmune Whitepaper: Zero Trust Security Blueprint for technical controls and threat model.
- App-level Face ID protection (via “Protect App” long-press setting).
- Enforces DNS-over-HTTPS using DNS Override (NextDNS or Quad9).
- ProtonVPN for full-device encrypted traffic.
- Screen Time, microphone/camera lockdown, and App Tracking Transparency.
Scripts inside `monitoring/` track critical resolution and root trust changes:
- `check_root_certs.ps1`: Compares trusted root CA list against baseline.
- `check_dns_integrity.ps1`: Ensures DNS resolves correctly across providers.
- `check_dnssec.ps1`: Audits DNSSEC trust path from providers like Quad9.

XML files in `monitoring/tasks` automate weekly execution of the above scripts at 3:00 AM.
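A sketch of the baseline comparison that a root CA monitor of this kind performs, given here as an added example and not the project's `check_root_certs.ps1`. The baseline path and the function name `Compare-RootStoreToBaseline` are assumptions made for illustration; the baseline is a plain text file with one thumbprint per line.

```powershell
# Added example, not the project's check_root_certs.ps1.
# $BaselinePath is a hypothetical location; one thumbprint per line.
$BaselinePath = Join-Path $env:ProgramData 'Cyberimmune\root_ca_baseline.txt'

function Compare-RootStoreToBaseline {
    param([Parameter(Mandatory)] [string] $Path)

    $current = @(Get-ChildItem -Path Cert:\LocalMachine\Root)

    if (-not (Test-Path -LiteralPath $Path)) {
        # First run: record the current store as the baseline and report nothing.
        New-Item -ItemType Directory -Path (Split-Path -Parent $Path) -Force | Out-Null
        $current.Thumbprint | Sort-Object | Set-Content -LiteralPath $Path
        return
    }

    $known = @(Get-Content -LiteralPath $Path | Where-Object { $_ })
    $diff  = Compare-Object -ReferenceObject $known -DifferenceObject @($current.Thumbprint)

    foreach ($d in $diff) {
        # '=>' means present now but not in the baseline; '<=' means the reverse.
        $cert = $current | Where-Object Thumbprint -eq $d.InputObject
        [pscustomobject]@{
            Change     = if ($d.SideIndicator -eq '=>') { 'Added' } else { 'Removed' }
            Thumbprint = $d.InputObject
            Subject    = $cert.Subject      # empty for removed certificates
            NotAfter   = $cert.NotAfter
        }
    }
}

$changes = @(Compare-RootStoreToBaseline -Path $BaselinePath)
if ($changes.Count -gt 0) {
    $changes | Format-Table -AutoSize | Out-String | Write-Warning
    exit 1   # non-zero result shows up as a failed run in Task Scheduler
}
```

Windows adds and retires roots through its automatic root update mechanism, so a reported change is a prompt for review, after which the baseline file is refreshed deliberately rather than on every run.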
Feature | Apple Private Relay | ProtonVPN |
---|---|---|
Scope | Safari/web traffic only | Full device traffic encryption |
Privacy | Obscures IP from websites/Apple | Masks IP from ISP & local network |
Platform Support | iOS/macOS only | Cross-platform |
Speed/Performance | Excellent | High (depends on server) |
Control | Minimal (automatic) | Full configuration control |
✔️ Use ProtonVPN for complete security. Disable Private Relay while ProtonVPN is active.
- System restore point created
- Legacy protocols disabled (SMBv1, RDP)
- SmartScreen, DEP, and SEHOP enforced
- Defender or Norton hardening applied
- DNS-over-HTTPS to Quad9 or NextDNS
- Logging and script auditing enabled
- Credential Guard and VBS confirmed
- USB and autorun lockdown
- Root cert and DNS integrity monitoring
- BitLocker (AES-256 with PIN) planned
- App Face ID lock enabled
- DNS Override profile configured
- ProtonVPN active for VPN routing
- Untrusted Wi-Fi auto-join disabled
- Camera/microphone/privacy settings locked down
- Screen Time, updates, and 2FA enabled
```powershell
# From PowerShell on Windows (elevated session):
cd Downloads\Cyberimmune_Bundle_v2

# Phase 1: restore point first, then Defender hardening
powershell -ExecutionPolicy Bypass -File .\phase1\create_restore_point.ps1
powershell -ExecutionPolicy Bypass -File .\phase1\defender_hardening.ps1

# Phase 2: persistence removal, disk encryption, logging, registry lockdown
powershell -ExecutionPolicy Bypass -File .\phase2\anti_persistence.ps1
powershell -ExecutionPolicy Bypass -File .\phase2\bitlocker_aes256_pin.ps1
powershell -ExecutionPolicy Bypass -File .\phase2\logging_setup.ps1
powershell -ExecutionPolicy Bypass -File .\phase2\registry_hardening.ps1

# Monitoring: DNS, DNSSEC and root certificate checks
powershell -ExecutionPolicy Bypass -File .\monitoring\check_dns_integrity.ps1
powershell -ExecutionPolicy Bypass -File .\monitoring\check_dnssec.ps1
powershell -ExecutionPolicy Bypass -File .\monitoring\check_root_certs.ps1
```
On iOS, install DNS Override and ProtonVPN from App Store.
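To confirm the Windows checklist items after running the scripts above, the following read-only check reports the current state of several of them. It is an added example and not part of the project; the function names are hypothetical, and it assumes the logging settings are applied through the standard PowerShell policy registry keys, which the page does not state.

```powershell
# Added example: read-only verification, run from an elevated PowerShell session.
function Get-PolicyValue {
    param([string] $Key, [string] $Name)
    # Returns $null when the key or value is absent (policy not configured).
    (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Test-HardeningState {
    # Standard policy location for PowerShell logging (assumed to be what the scripts set).
    $ps = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue

    $checks = [ordered]@{
        'SMBv1 server disabled'    = -not (Get-SmbServerConfiguration).EnableSMB1Protocol
        'ScriptBlock logging on'   = (Get-PolicyValue "$ps\ScriptBlockLogging" 'EnableScriptBlockLogging') -eq 1
        'Module logging on'        = (Get-PolicyValue "$ps\ModuleLogging" 'EnableModuleLogging') -eq 1
        # VirtualizationBasedSecurityStatus: 2 = enabled and running
        'VBS running'              = $dg.VirtualizationBasedSecurityStatus -eq 2
        # SecurityServicesRunning: 1 = Credential Guard
        'Credential Guard running' = $dg.SecurityServicesRunning -contains 1
        # Matches both Aes256 and XtsAes256
        'BitLocker AES-256'        = "$($bl.EncryptionMethod)" -like '*Aes256'
        'BitLocker TPM+PIN'        = @($bl.KeyProtector.KeyProtectorType) -contains 'TpmPin'
    }

    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Check = $name; Pass = [bool]$checks[$name] }
    }
}

Test-HardeningState | Format-Table -AutoSize
```

A `False` on the BitLocker rows is expected until the BitLocker step, which the checklist lists as planned, has been completed.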
MIT — Free to use, modify, and distribute. Please attribute original work to Collin Blaine George.
For collaboration, feedback, or contributions, open a GitHub issue or contact via GitHub profile.
🔒 Thank you for helping secure the digital future — one system at a time.