
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2017-01-18 InfoSec Handlers Diary Blog



Making Windows 10 a bit less "Creepy" - Common Privacy Settings

Published: 2017-01-18
Last Updated: 2017-01-18 14:50:18 UTC
by Rob VandenBrink (Version: 1)

Microsoft regards Windows 10 as the most secure version of Windows out of the box, and I do have to agree that's the case.

Which is all well and good, but the question that folks seem to continually ask me is various versions of "How can I reduce how much personal information I send to Microsoft?"  Or in other words - why is Windows 10 so "creeping me", and how do I dial back that creep factor?

I've put a short list together of various features that people might consider to be at the "big brother" end of the spectrum, and how to script your way out of them - and yes, you knew there'd be PowerShell involved!  Note that if you are looking to disable these features in an Active Directory domain, these settings are all front-and-center in Group Policy, so are easily updated centrally.

First, let's look at Windows Telemetry.  This is basic information on what applications run, search information, Cortana activity, gaming patterns and so on.  Specific search terms aren't sent, but for me this is well into creep territory anyway.  The resulting information gets sent to Microsoft, and they do resell it after it's anonymized. But it's not all bad - a very complete description of what telemetry does can be found here: https://technet.microsoft.com/en-ca/itpro/windows/manage/configure-windows-telemetry-in-your-organization.  A privacy-specific discussion can be found here: https://privacy.microsoft.com/en-US/windows-10-feedback-diagnostics-and-privacy  The Microsoft page covers the GUI adjustments for this, or changing three registry keys kills that datastream (PowerShell commands shown below).  Note that telemetry can't be disabled completely; the most restrictive setting (0) sends security data only:

In Group Policy:
Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Allow Telemetry, set the value to 0 (zero).

In PowerShell (registry keys):

Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" -Name "AllowTelemetry" -Type DWord -Value 0
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection" -Name "AllowTelemetry" -Type DWord -Value 0
Set-ItemProperty -Path "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\DataCollection" -Name "AllowTelemetry" -Type DWord -Value 0

SmartScreen Filter has a solid business use - it monitors your browser activity, and will give you a warning or block if you browse to known malicious sites, phishing or otherwise suspicious sites, or if you are downloading known malicious files.  More info on this service can be found here: https://support.microsoft.com/en-ca/help/17443/windows-internet-explorer-smartscreen-filter-faq and here: https://privacy.microsoft.com/en-US/windows-10-microsoft-edge-and-privacy

This sounds great, except that Microsoft is pretty cagey about how this works and what data is sent where - from most of their docs it's not clear if your activity is sent to them, or if they download a database of malicious sites to you.  Since that "malicious sites" thing never shows up in Windows Update, I know where I land on this question. All that being said, it *is* a useful feature, especially if you are in the "support friends and family" role.  Since I don't generally use IE or Edge, this isn't a setting I normally worry about on my own gear.  If you do want to disable this, it's a toggle in "Privacy Settings", or a setting in Control Panel / Internet Properties / Advanced / Enable SmartScreen Filter.

In Group Policy:
Computer Configuration > Administrative Templates > Windows Components > File Explorer > Configure Windows SmartScreen

Or, in PowerShell:
Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer" -Name "SmartScreenEnabled" -Type String -Value "Off"
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\AppHost" -Name "EnableWebContentEvaluation" -Type DWord -Value 0


Wi-Fi Sense connects you to open hotspots that are "greenlighted" through crowdsourcing. This setting is disabled in current versions of Windows (Anniversary Edition or newer) - if you have not updated, today is a good day to do that!  If for some reason you can't, more information on the various levels of "trust" you might have in this can be found at: https://privacy.microsoft.com/en-US/windows-10-about-wifi-sense  For me, what crowdsourcing equates to is the mom-proverb "if all of your friends jumped off a bridge ...." - yes, your mom was right.

To disable this feature - in Group Policy it's:
Computer Configuration\Administrative Templates\Network\WLAN Service\WLAN Settings\Allow Windows to automatically connect to suggested open hotspots - set this to "Disabled"
Also, depending on the setting:
set "Allow Windows to automatically connect to networks shared by contacts" to disabled
and set "Allow Windows to automatically connect to hotspots offering paid services" to disabled

Or, directly against the registry:

Set-ItemProperty -Path "HKLM:\Software\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting" -Name "Value" -Type DWord -Value 0
Set-ItemProperty -Path "HKLM:\Software\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots" -Name "Value" -Type DWord -Value 0

(note - these keys may not be there, you should check for the key being present first).
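
One way to do that check, as an added example (not part of the original diary): a wrapper that tests for the key before writing, skips it when absent unless told to create it, and reports the previous and current value. The function name Set-RegistryValueSafe and the -CreateMissingKey switch are hypothetical names chosen for this example.

```powershell
# Added example (not from the original diary). HKLM paths need an elevated prompt.
function Set-RegistryValueSafe {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        [Parameter(Mandatory = $true)] [string] $Name,
        [Parameter(Mandatory = $true)] [ValidateSet('DWord', 'String')] [string] $Type,
        [Parameter(Mandatory = $true)] $Value,
        [switch] $CreateMissingKey   # hypothetical switch: opt in to creating absent keys
    )

    $keyExists = Test-Path -LiteralPath $Path
    if (-not $keyExists -and -not $CreateMissingKey) {
        Write-Warning "Skipped ${Path}: key not present."
        return
    }

    # Record the old value ($null if absent) so the change can be reviewed or rolled back.
    $previous = $null
    if ($keyExists) {
        $previous = (Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    }

    # Honour -WhatIf / -Confirm before touching the registry.
    if (-not $PSCmdlet.ShouldProcess("$Path\$Name", "Set $Type value '$Value'")) { return }

    # Create the key only when it is absent; -Force also builds missing parent keys.
    if (-not $keyExists) { New-Item -Path $Path -Force | Out-Null }

    # -Force creates the value or overwrites an existing one.
    New-ItemProperty -LiteralPath $Path -Name $Name -PropertyType $Type -Value $Value -Force | Out-Null

    # Read back what is actually stored and report it.
    $current = (Get-ItemProperty -LiteralPath $Path -Name $Name).$Name
    [pscustomobject]@{ Path = $Path; Name = $Name; Previous = $previous; Current = $current }
}

# The two Wi-Fi Sense values from this diary; absent keys are skipped, not created.
$wifi = 'HKLM:\Software\Microsoft\PolicyManager\default\WiFi'
foreach ($leaf in 'AllowWiFiHotSpotReporting', 'AllowAutoConnectToWiFiSenseHotspots') {
    Set-RegistryValueSafe -Path "$wifi\$leaf" -Name 'Value' -Type DWord -Value 0
}
```

Running it with -WhatIf shows what would be written without changing anything.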


Searching the start menu seems like an innocuous thing, except that Microsoft pairs it with "search suggestions", which means that this is part of the telemetry stream as well.  To disable both search from the start menu and search suggestions:

In Group Policy:
Computer Configuration > Policies > Administrative Templates > Windows Components > Search
Set "Don't search the web or display web results in search" to "Enabled"

Or, in PowerShell:
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Search" -Name "BingSearchEnabled" -Type DWord -Value 0
Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" -Name "SystemPaneSuggestionsEnabled" -Type DWord -Value 0

Cortana is a cool thing, and is just as useful as Siri and Echo, but your interactions are processed in the cloud.  Because of this, we're starting to see noise about voice systems such as Siri, Echo and Cortana having interactions subpoenaed in criminal cases.

To disable Cortana in Group Policy:
Computer Configuration > Administrative Templates > Windows Components > Search > Allow Cortana, set to "Disabled"


Or in the Registry:
Set-ItemProperty -Path "HKCU:\SOFTWARE\Policies\Microsoft\Windows\Windows Search" -Name "AllowCortana" -Type DWord -Value 0

Location tracking?  Great if you're asking "how far do I need to walk for donuts" or "help, I'm almost out of gas", but otherwise maybe not so much.  I'd like to see this enabled app by app (as in iOS). Windows makes a start at this, but in Windows there are only 5 granular picks for this, one being "App Connector" (which looks like it means "any other app not listed").

To disable from the individual UI:
Settings / Privacy / Location

To disable in GPO:
Computer Configuration > Administrative Templates > Windows Components > Search > Allow search and Cortana to use location, set to "Disabled"

Or in the Registry:
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" -Name "SensorPermissionState" -Type DWord -Value 0
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Services\lfsvc\Service\Configuration" -Name "Status" -Type DWord -Value 0

Windows Feedback is more of an annoyance feature, it's more or less a periodic pop-up "How is Microsoft doing today?" survey.  In a corporate setting especially, you'll likely look on this as a productivity-eater, plus people will confuse things and think that they're providing feedback to your internal IT Group rather than Microsoft.

In the UI, you'll find these settings under
Settings / Privacy / Feedback & Diagnostics
Also
Settings / System / Notifications and Actions / Windows Feedback
you can adjust the frequency or turn this off.  

In GPO:
Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Do not show feedback notifications

Or this reg key below does the job too:
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Siuf\Rules" -Name "NumberOfSIUFInPeriod" -Type DWord -Value 0

These settings cover the adjustments I normally set - have I missed any that you might consider important?  Please use our comment form to add any settings you enable or disable.
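
To check where a machine currently stands, the following added example (not part of the original diary) reads each registry value listed above and reports whether it matches, differs, or is missing. It changes nothing; the function name Get-PrivacySettingState and the $expected table layout are assumptions of this example, while the paths, names and values are the ones from the diary.

```powershell
# Added example: read-only audit of the registry values listed in this diary.
$dc = 'Windows\CurrentVersion\Policies\DataCollection'
$cv = 'Software\Microsoft\Windows\CurrentVersion'
$wf = 'HKLM:\Software\Microsoft\PolicyManager\default\WiFi'
$expected = @(
    @{ Path = "HKLM:\SOFTWARE\Microsoft\$dc"; Name = 'AllowTelemetry'; Want = 0 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'; Name = 'AllowTelemetry'; Want = 0 }
    @{ Path = "HKLM:\SOFTWARE\Wow6432Node\Microsoft\$dc"; Name = 'AllowTelemetry'; Want = 0 }
    @{ Path = "HKLM:\$cv\Explorer"; Name = 'SmartScreenEnabled'; Want = 'Off' }
    @{ Path = "HKCU:\$cv\AppHost"; Name = 'EnableWebContentEvaluation'; Want = 0 }
    @{ Path = "$wf\AllowWiFiHotSpotReporting"; Name = 'Value'; Want = 0 }
    @{ Path = "$wf\AllowAutoConnectToWiFiSenseHotspots"; Name = 'Value'; Want = 0 }
    @{ Path = "HKCU:\$cv\Search"; Name = 'BingSearchEnabled'; Want = 0 }
    @{ Path = "HKCU:\$cv\ContentDeliveryManager"; Name = 'SystemPaneSuggestionsEnabled'; Want = 0 }
    @{ Path = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'; Name = 'AllowCortana'; Want = 0 }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}'; Name = 'SensorPermissionState'; Want = 0 }
    @{ Path = 'HKLM:\System\CurrentControlSet\Services\lfsvc\Service\Configuration'; Name = 'Status'; Want = 0 }
    @{ Path = 'HKCU:\Software\Microsoft\Siuf\Rules'; Name = 'NumberOfSIUFInPeriod'; Want = 0 }
)

function Get-PrivacySettingState {
    param([Parameter(Mandatory = $true)] [hashtable[]] $Settings)
    foreach ($s in $Settings) {
        # Distinguish "key absent" from "key present but value never set".
        $state = 'KeyMissing'
        $actual = $null
        if (Test-Path -LiteralPath $s.Path) {
            $item = Get-ItemProperty -LiteralPath $s.Path -Name $s.Name -ErrorAction SilentlyContinue
            if ($null -eq $item) {
                $state = 'ValueMissing'
            } else {
                $actual = $item.($s.Name)
                $state = if ($actual -eq $s.Want) { 'Match' } else { 'Differs' }
            }
        }
        [pscustomobject]@{ State = $state; Actual = $actual; Want = $s.Want; Name = $s.Name; Path = $s.Path }
    }
}

# HKCU rows reflect the user running the audit; HKLM rows are machine-wide.
Get-PrivacySettingState -Settings $expected | Sort-Object State | Format-Table -AutoSize -Wrap
```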

===============
Rob VandenBrink
Metafore
