diff --git a/etc/permission-hardening.d/30_default.conf b/etc/permission-hardening.d/30_default.conf
index 380b87b..1d0e0df 100644
--- a/etc/permission-hardening.d/30_default.conf
+++ b/etc/permission-hardening.d/30_default.conf
@@ -41,6 +41,12 @@
 /usr/lib/spice-gtk/spice-client-glib-usb-acl-helper exactwhitelist
 /usr/lib/chromium/chrome-sandbox exactwhitelist
 
+## https://forums.whonix.org/t/disable-suid-binaries/7706/61
+## Protect from 'chmod -x' (and SUID removal).
+## SUID will be removed below in separate step.
+/bin/mount exactwhitelist
+/usr/bin/mount exactwhitelist
+
 ## There is a controversy about firejail but those who choose to install it
 ## should be able to use it.
 ## https://www.whonix.org/wiki/Dev/Firejail#Security
@@ -92,6 +98,11 @@ dbus-daemon-launch-helper matchwhitelist
 # Permission Hardening
 ######################################################################
 
+## Remove SUID from 'mount' but keep executable.
+## https://forums.whonix.org/t/disable-suid-binaries/7706/61
+/bin/mount 745 root root
+/usr/bin/mount 745 root root
+
 /home/ 0755 root root
 /home/user/ 0700 user user
 /root/ 0700 root root