Windows, Spying, and a Twitter Rant

Mark Burnett, XATO
May 22, 2017

Yesterday, I was testing out some privacy settings in Windows and ran across a bunch of stuff that concerned me. So I ranted about it on Twitter (see thread):

Now those who know me know that I rant about this stuff all the time. Except this time it got quite a few more retweets than usual, and a lot of others ran with it. As a number of people pointed out, there were some problems with how I applied a couple of the group policy settings. And looking back, I can’t even say I’m 100% sure if I rebooted after applying the settings (although I did do a gpupdate). So no, this was by no means a clean test. It wasn’t meant to be a published finding; it was a Twitter rant.

Not all the criticism towards how I set my settings was valid, but I’m not going to bother addressing that. Instead, I ran more formal tests in a controlled environment to get more accurate results.

But first let me explain that I have been using Windows exclusively on my desktop for more than twenty-five years. In the early 90’s I did Windows tech support for a major computer company. In the late 90’s I worked for a software company as Director of Microsoft-Based Development. I wrote a column for SecurityFocus.com on Windows security. I have written for Windows IT Pro Magazine, Redmond Magazine, Windows Web Solutions, Windows Secrets and others. I also wrote a book on ASP.NET security. Microsoft awarded me with the Most Valuable Professional (MVP) award seven times. Windows is kinda my thing.

But that thing changed with Windows 10. A shift in Microsoft’s philosophy has led to a massive collection of data from Windows computers. For me, it’s not only a privacy issue but a security issue: it’s hard to control what is happening on your computer when you aren’t in control.

But back to my tests. As I mentioned before, there were too many variables in my more casual tests and I was a bit sloppy with some settings, so I started with a clean build. This is what I did:

  1. Installed the OS (Windows 10 Enterprise Build 15063) in a VirtualBox virtual machine (CentOS host) with no network adapter.
  2. Installed VirtualBox client extensions.
  3. Applied the Windows Restricted Traffic Limited Functionality Baseline that Microsoft publishes (more info).
  4. Manually uninstalled Solitaire and Feedback Hub, the only apps left Windows would let me uninstall.
  5. Shut down the virtual machine.
  6. Added NIC tracing in VirtualBox using this command:
    vboxmanage modifyvm "Win10ETest" --nictrace1 on --nictracefile1 windows.pcap
  7. Enabled the NIC.
  8. Started the virtual machine.
  9. Logged in.
  10. Pinged 8.8.8.8 to verify network connectivity.
  11. Let it sit untouched overnight.
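After a capture like the one in step 6, the first question is which hosts the idle system actually contacted. The following is an added example, not code from the original post: a dependency-free Python reader for the classic pcap format that VirtualBox nictrace writes, which tallies TCP/UDP destinations and the names in DNS queries. The capture it parses is constructed inline (the 10.0.2.x addresses, 203.0.113.10 and the example.net name are made up), so it runs offline; feed summarize_pcap the bytes of windows.pcap to use it on a real trace.

```python
# Added example, not from the original post: a dependency-free reader for the
# classic libpcap format VirtualBox nictrace writes (IPv4 only; sample is constructed).
import struct
from collections import Counter

def dns_qname(msg):  # first QNAME in a DNS message, or None if malformed
    labels, pos = [], 12                          # skip the 12-byte DNS header
    while pos < len(msg):
        n = msg[pos]
        if n == 0:
            return ".".join(labels) or None
        if n & 0xC0 or pos + 1 + n > len(msg):    # compression pointer or truncated
            return None
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    return None

def summarize_pcap(data):  # pcap bytes -> (Counter of 'ip:port/proto', Counter of DNS names)
    e = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"   # magic gives record endianness
    dests, names, pos = Counter(), Counter(), 24           # 24-byte global header
    while pos + 16 <= len(data):
        incl_len = struct.unpack(e + "IIII", data[pos:pos + 16])[2]
        frame, pos = data[pos + 16:pos + 16 + incl_len], pos + 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # Ethernet II + IPv4 only
            continue
        ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
        l4 = frame[14 + ihl:]
        if proto not in (6, 17) or len(l4) < 8:                # TCP or UDP only
            continue
        dst_ip = ".".join(str(b) for b in frame[30:34])
        dst_port = struct.unpack("!H", l4[2:4])[0]
        dests[f"{dst_ip}:{dst_port}/{'tcp' if proto == 6 else 'udp'}"] += 1
        if proto == 17 and dst_port == 53:
            q = dns_qname(l4[8:])                              # skip the 8-byte UDP header
            if q:
                names[q] += 1
    return dests, names

def frame(dst_ip, proto, dst_port, payload=b""):  # constructed Ethernet/IPv4/L4 frame
    l4 = struct.pack("!HH", 49152, dst_port) + b"\x00" * (16 if proto == 6 else 4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0, 0,
                     64, proto, 0, bytes([10, 0, 2, 15]), bytes(map(int, dst_ip.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4 + payload

def pcap(frames):  # classic little-endian pcap file, LINKTYPE_ETHERNET
    recs = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + recs

DNS_QUERY = b"\x12\x34\x01\x00\x00\x01" + b"\x00" * 6 + b"\x08settings\x07example\x03net\x00\x00\x01\x00\x01"
SAMPLE_PCAP = pcap([frame("10.0.2.3", 17, 53, DNS_QUERY), frame("8.8.8.8", 1, 0),
                    frame("203.0.113.10", 6, 443), frame("203.0.113.10", 6, 443)])
```

On a real trace, sort the first counter by count and compare the DNS names against what the baseline documentation says each endpoint is for; the ICMP ping from step 10 is deliberately not counted.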

To save you all the suspense, yes this test resulted in much less activity than my initial test (put away the pitchforks). Less, but still too much (get out the pitchforks).

What was the difference? The main difference is that the baseline sets many more settings than I did in my test. Another part of it surely was the fact that I did not set all of the settings I thought I had set. For example, I only set two settings for disabling SmartScreen, instead of considering all of these:

For the record, I don’t recommend disabling SmartScreen.

Of course, you don’t need to set all of those; there is some overlap, and I’m pretty sure you only need to set 2–5.

And several people noted that I had set the Allow Telemetry policy incorrectly. Now this was just sloppiness on my part and totally my mistake, but you can see how others might find it easy to get confused with the incorrect way to disable telemetry (enable the policy and then disable it below; if you scroll down in the dialog box, it explains this):

The wrong way to do it

And yet compare that with the correct way to disable SmartScreen (this time set the policy to disabled, ignore the box below):

The right way for this setting

Now about that Windows Restricted Traffic Limited Functionality Baseline. It does cut back on traffic significantly, but does it block everything? No, it still collects some telemetry info. And it doesn’t disable this setting letting Microsoft track which programs you run:

Or this:

Or this:

There’s also any telemetry from .NET, Office, Windows Error Reporting, Windows DRM, and many other apps and software components.

On the other hand, the Windows Restricted Traffic Limited Functionality Baseline does mess things up quite a bit:

No root SSL certificate updates:

No driver updates (but still a OneDrive nag although OneDrive is disabled by policy):

Windows and other apps think the internet is not connected:

No Windows Update (although your organization probably wants to manage those with WSUS anyway):

And many EventLog errors:

As you can see, even the recommended method for eliminating data collection isn’t completely effective and causes a number of problems. Therefore, if you have a volume license to buy Windows Enterprise (no, you can’t buy just one), apply the Windows Restricted Traffic Limited Functionality Baseline before bringing it online, don’t install anything, and don’t use your computer, then the data sent to Microsoft is quite minimal.

If you don’t have the Enterprise edition, the best you get is basic telemetry (see what they collect), that is, if you know to change it from the default enhanced levels (see what more they collect!). For many users the telemetry and other tracking is set at the maximum default levels.

The point of this article isn’t to bash Microsoft or ditch Windows. We face the same thing with Apple, Google, and so many others. What we need to do is fix this, even if that means getting lawmakers involved. It can only get worse from here.

Let me summarize this with a few key points:

  • I made mistakes on my original testing and therefore saw more connections than I should have, including some to Google ads.
  • You can cut back even more using the Windows Restricted Traffic Limited Functionality Baseline but break many things.
  • Settings can be set wrong if you aren’t paying attention. Also, settings are not consistent and can be confusing to beginners.
  • You are opted-in to just about everything by default and have to set hundreds of settings to opt out, even on an Enterprise Windows system. Sometimes multiple settings for the same feature. Most Microsoft documentation discourages opting out and warns of a less optimal experience. It’s almost like they don’t want you to opt-out.
  • But you can’t completely opt-out. Windows still tracks too much.
  • Home and Professional users are much worse off due to limitations of some settings and lack of an IT staff. I’m not going to bother with captures from those systems, this has already been shared by many others. Spoiler: it’s bad.
  • I’m not saying ditch Windows. I’m saying let’s fix this. If we can’t fix it, then we ditch Windows.

Short URL to this article: https://xa.to/3y

Mark Burnett is a security consultant and author.