
SANS ISC: Internet Storm Center



Making Windows 10 a bit less "Creepy" - Common Privacy Settings

Published: 2017-01-18
Last Updated: 2017-01-18 14:50:18 UTC
by Rob VandenBrink (Version: 1)

Microsoft regards Windows 10 as the most secure version of Windows out of the box, and I do have to agree that's the case.

Which is all well and good, but the question that folks seem to continually ask me is various versions of "How can I reduce how much personal information I send to Microsoft?"  Or in other words - why is Windows 10 "creeping me out" so much, and how do I dial back that creep factor?

I've put a short list together of various features that people might consider to be at the "big brother" end of the spectrum, and how to script your way out of them - and yes, you knew there'd be PowerShell involved!  Note that if you are looking to disable these features in an Active Directory domain, these settings are all front-and-center in Group Policy, so are easily updated centrally.

First, let's look at Windows Telemetry.  This is basic information on what applications run, search information, Cortana activity, gaming patterns and so on.  Specific search terms aren't sent, but for me this is well into creep territory anyway.  The resulting information gets sent to Microsoft, and they do resell it after it's anonymized. But it's not all bad - a very complete description of what telemetry does can be found here: https://technet.microsoft.com/en-ca/itpro/windows/manage/configure-windows-telemetry-in-your-organization  A privacy-specific discussion can be found here: https://privacy.microsoft.com/en-US/windows-10-feedback-diagnostics-and-privacy  The Microsoft page covers the GUI adjustments for this, or changing three registry keys kills that datastream (PowerShell commands shown).  Note that telemetry can't be disabled completely; the most restrictive setting (0) sends security data only:

In Group Policy:
Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Allow Telemetry, set the value to 0 (zero).

In PowerShell (registry keys):

Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" -Name "AllowTelemetry" -Type DWord -Value 0
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection" -Name "AllowTelemetry" -Type DWord -Value 0
Set-ItemProperty -Path "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\DataCollection" -Name "AllowTelemetry" -Type DWord -Value 0

SmartScreen Filter has a solid business use - it monitors your browser activity, and will give you a warning or block if you browse to known malicious sites, phishing or otherwise suspicious sites, or if you are downloading known malicious files.  More info on this service can be found here: https://support.microsoft.com/en-ca/help/17443/windows-internet-explorer-smartscreen-filter-faq   and here: https://privacy.microsoft.com/en-US/windows-10-microsoft-edge-and-privacy

This sounds great, except that Microsoft is pretty cagey about how this works and what data is sent where - from most of their docs it's not clear if your activity is sent to them, or if they download a database of malicious sites to you.  Since that "malicious sites" thing never shows up in Windows Update, I know where I land on this question. All that being said, it *is* a useful feature, especially if you are in the "support friends and family" role.  Since I don't generally use IE or Edge, this isn't a setting I normally worry about on my own gear.  If you do want to disable this, it's a toggle in "Privacy Settings", as well as a setting in Control Panel / Internet Properties / Advanced / Enable SmartScreen Filter.

In Group Policy:
Computer Configuration > Administrative Templates > Windows Components > File Explorer > Configure Windows SmartScreen

Or, in PowerShell:
Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer" -Name "SmartScreenEnabled" -Type String -Value "Off"
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\AppHost" -Name "EnableWebContentEvaluation" -Type DWord -Value 0


Wi-Fi Sense connects you to open hotspots that are "greenlighted" through crowdsourcing. This setting is disabled in current versions of Windows (Anniversary Edition or newer) - if you have not updated, today is a good day to do that!  If for some reason you can't, more information on the various levels of "trust" you might have in this can be found at: https://privacy.microsoft.com/en-US/windows-10-about-wifi-sense  For me, what crowdsourcing equates to is the mom-proverb "if all of your friends jumped off a bridge ...." - yes, your mom was right.

To disable this feature - in Group Policy it's:
Computer Configuration\Administrative Templates\Network\WLAN Service\WLAN Settings\Allow Windows to automatically connect to suggested open hotspots - set this to "Disabled"
Also, depending on the setting:
set "Allow Windows to automatically connect to networks shared by contacts" to disabled
and set "Allow Windows to automatically connect to hotspots offering paid services" to disabled

Or, directly against the registry:

Set-ItemProperty -Path "HKLM:\Software\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting" -Name "Value" -Type DWord -Value 0
Set-ItemProperty -Path "HKLM:\Software\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots" -Name "Value" -Type DWord -Value 0

(note - these keys may not be there, you should check for the key being present first).


Searching the start menu seems like an innocuous thing, except that Microsoft pairs it with "search suggestions", which means that this is part of the telemetry stream as well.  To disable both search from the start menu and search suggestions:

In Group Policy:
Computer Configuration > Policies > Administrative Templates > Windows Components > Search
Set "Don't search the web or display web results in search" to "Enabled"

Or, in PowerShell:
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Search" -Name "BingSearchEnabled" -Type DWord -Value 0
Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" -Name "SystemPaneSuggestionsEnabled" -Type DWord -Value 0

Cortana is a cool thing, and is just as useful as Siri and Echo, but your interactions are processed in the cloud.  Because of this, we're starting to see noise about voice systems such as Siri, Echo and Cortana having interactions subpoenaed in criminal cases.

To disable Cortana in Group Policy:
Computer Configuration > Administrative Templates > Windows Components > Search > Allow Cortana, set to "Disabled"


Or in the Registry:
Set-ItemProperty -Path "HKCU:\SOFTWARE\Policies\Microsoft\Windows\Windows Search" -Name "AllowCortana" -Type DWord -Value 0

Location tracking?  Great if you're asking "how far do I need to walk for donuts" or "help, I'm almost out of gas", but otherwise maybe not so much.  I'd like to see this enabled app by app (as in iOS). Windows makes a start at this, but in Windows there are only 5 granular picks for this, one being "App Connector" (which looks like it means "any other app not listed").

To disable from the individual UI:
Settings / Privacy / Location

To disable in GPO:
Computer Configuration > Administrative Templates > Windows Components > Search > Allow search and Cortana to use location, set to "Disabled"

Or in the Registry:
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" -Name "SensorPermissionState" -Type DWord -Value 0
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Services\lfsvc\Service\Configuration" -Name "Status" -Type DWord -Value 0

Windows Feedback is more of an annoyance feature, it's more or less a periodic pop-up "How is Microsoft doing today?" survey.  In a corporate setting especially, you'll likely look on this as a productivity-eater, plus people will confuse things and think that they're providing feedback to your internal IT Group rather than Microsoft.

In the UI, you'll find these settings under
Settings / Privacy / Feedback & Diagnostics
Also
Settings / System / Notifications and Actions / Windows Feedback
you can adjust the frequency or turn this off.  

In GPO:
Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Do not show feedback notifications

Or this reg key below does the job too:
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Siuf\Rules" -Name "NumberOfSIUFInPeriod" -Type DWord -Value 0
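
An added example, not part of the original diary: the function below reads every registry value listed above, reports whether it matches, and with -Fix writes it, checking that the key is present first as the Wi-Fi Sense note advises. The names Test-PrivacyBaseline, -Fix and -CreateKey are made up for this example; the paths, value names and data are copied from the commands above.

```powershell
# Added example (not from the diary): report, and optionally apply, the registry
# values listed above. Function and parameter names are illustrative.
# HKLM writes need an elevated session; HKCU entries affect only the current user.
$Baseline = @'
Path,Name,Type,Value
HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection,AllowTelemetry,DWord,0
HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection,AllowTelemetry,DWord,0
HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\DataCollection,AllowTelemetry,DWord,0
HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer,SmartScreenEnabled,String,Off
HKCU:\Software\Microsoft\Windows\CurrentVersion\AppHost,EnableWebContentEvaluation,DWord,0
HKLM:\Software\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting,Value,DWord,0
HKLM:\Software\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots,Value,DWord,0
HKCU:\Software\Microsoft\Windows\CurrentVersion\Search,BingSearchEnabled,DWord,0
HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager,SystemPaneSuggestionsEnabled,DWord,0
HKCU:\SOFTWARE\Policies\Microsoft\Windows\Windows Search,AllowCortana,DWord,0
HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides\{BFA794E4-F964-4FDB-90F6-51056BFE4B44},SensorPermissionState,DWord,0
HKLM:\System\CurrentControlSet\Services\lfsvc\Service\Configuration,Status,DWord,0
HKCU:\Software\Microsoft\Siuf\Rules,NumberOfSIUFInPeriod,DWord,0
'@ | ConvertFrom-Csv

function Test-PrivacyBaseline {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][object[]]$Settings,
        [switch]$Fix,        # write the desired value where the key already exists
        [switch]$CreateKey   # with -Fix, also create keys that are absent
    )
    foreach ($s in $Settings) {
        $keyExists = Test-Path -LiteralPath $s.Path
        $current = if ($keyExists) {
            (Get-ItemProperty -LiteralPath $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        }
        $state = if (-not $keyExists)        { 'KeyMissing' }
                 elseif ($null -eq $current) { 'ValueMissing' }
                 elseif ($current -eq $s.Value) { 'Compliant' }
                 else                        { 'Drift' }
        $target = '{0}\{1}' -f $s.Path, $s.Name
        if ($Fix -and $state -ne 'Compliant' -and ($keyExists -or $CreateKey) -and
            $PSCmdlet.ShouldProcess($target, "Set to $($s.Value)")) {
            if (-not $keyExists) { New-Item -Path $s.Path -Force | Out-Null }
            Set-ItemProperty -LiteralPath $s.Path -Name $s.Name -Type $s.Type -Value $s.Value
            $state = 'Fixed'
        }
        [pscustomobject]@{ State = $state; Name = $s.Name; Current = $current; Desired = $s.Value; Path = $s.Path }
    }
}

Test-PrivacyBaseline -Settings $Baseline | Format-Table -AutoSize   # audit only, changes nothing
```

Adding -Fix -WhatIf previews the writes without making them. On editions other than Enterprise, Education, IoT and Server, Windows treats an AllowTelemetry value of 0 as 1, so a "Compliant" row there does not mean security-only telemetry.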

These settings cover the adjustments I normally set - have I missed any that you might consider important?  Please use our comment form to add any settings you enable or disable.

===============
Rob VandenBrink
Metafore
