Microsoft Windows 10: Trading Privacy For an Upgrade (Operating System as a Service.pt 3)


This Week, “Operating System as a Service, part 3”

Sorry about the length, but there is a lot of content to cover.

In part two, we reluctantly accepted the fact that Windows 10 may be “NSFW”. While it is an incredible operating system and a brilliant achievement for Microsoft, Windows 10 may present information privacy issues for professional and business users. We covered the immediate items that need to be reviewed before doing anything else. In this part, we will cover what to do to manage Windows 10 in a business or professional environment.

Spy versus Spy

From Ars Technica . . .

The entire privacy policy can be found here, which says in part (from Microsoft’s new small print – how your personal data is (ab)used):

“Finally, we will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary to: 1. comply with applicable law or respond to valid legal process, including from law enforcement or other government agencies; 2. protect our customers, for example to prevent spam or attempts to defraud users of the services, or to help prevent the loss of life or serious injury of anyone; 3. operate and maintain the security of our services, including to prevent or stop an attack on our computer systems or networks; or 4. protect the rights or property of Microsoft, including enforcing the terms governing the use of the services – however, if we receive information indicating that someone is using our services to traffic in stolen intellectual or physical property of Microsoft, we will not inspect a customer’s private content ourselves, but we may refer the matter to law enforcement.”

 

About SafeView

The SafeView Research Report is intended to give you a snapshot of technology risk management issues. SafeView is a reliable source for automated risk, threat and vulnerability data, and advisory services to help you mitigate and remediate issues.

 

sourced from: http://www.darkgovernment.com/news/norad-north-american-aerospace-defense-command/

NORAD Control Center

Tactical 

Windows Enterprise and LTSB allow optional installation of updates. LTSB does not install Windows Store, Cortana, Edge browser and Metro tiles. Collectively, these are a large source of chatter back to Microsoft, so removing these removes the “excuse” to chatter. Unfortunately, while the applications are not there in the install test done for this post, the chatter still persisted. Enterprise and LTSB will not authenticate to MS Live as an alternative to a local account. It is possible to install without a domain server, and just use a local account for access. It is also possible to add additional accounts to a Windows 10 computer that authenticate to a Live account (Family accounts). Don’t do this.

Windows Home and Pro have Cortana, Edge, Windows Store and Metro tile apps. If you are using a Live account to log in to Windows, remove this. Go to settings > users. Change the sign-in options to be local only.

sourced from: http://mac-how-to.wonderhowto.com/how-to/dual-boot-windows-10-mac-os-x-your-mac-0162616/

PIN creation

DO NOT use the 4 digit PIN code login. A four-digit PIN can be guessed or visually captured more easily than a complex password consisting of 8 – 14 characters, UPPER and lower case, numbers and symbols, non-sequential, and changed frequently. more: http://answers.microsoft.com/en-us/windows/forum/windows_10-security/pin-makes-windows-less-far-far-less-secure/56f923be-0cf6-4135-9f97-a676e77acc11

sourced from: http://www.redicecreations.com/article.php?id=32943

Windows Hello facial recognition

DO NOT use the facial recognition login, also known as “HELLO”. (Biometrics are something you have, not something you “know”. You can be compelled with a warrant to provide things that you have. The Fifth Amendment can protect you from self-incrimination. This applies to the court defending your right not to disclose something you know. more: http://rebelpundit.com/biometrics-and-the-constitution-why-fingerprints-are-less-secure-than-passwords/)

For Pro, Enterprise or LTSB, use a domain controller for centralized authentication and access control, if possible.

Put a cover over your camera and unplug the microphone on the computer when not in use. more: http://www.howtogeek.com/210921/how-to-disable-your-webcam-and-why-you-should/

Immediate policies, practices and audit:

Use and Administration

User Policy – user accounts are restricted to “Standard User” access. Installation and configuration changes are restricted to Administrators. Users cannot have Administrative access to the systems on which they work.

Audit – Run the following from the command line

Admin - net user administrator | findstr /B /C:"Last logon" > <drive>admin-access_%computername%.log (<drive> should be a network shared drive that allows write ONLY access for these logs.)

Domain user - net user john /domain | findstr /C:"Last logon" > <drive>domain_user-access_%computername%.log

Local user - net user john | findstr /C:"Last logon" > <drive>local_user-access_%computername%.log

Windows Version

Operating System Policy – Document the minimum Windows version for your operating requirements. This applies to all supported versions of Windows.

Audit – Win button + r, CMD (command prompt), type “winver”, then <ENTER>

Long Term Audit – systeminfo > <drive>system_%computername%.log (<drive> should be a network shared drive that allows write ONLY access for these logs.)

Login 

User Authentication Policy – User authentication limited to either local Windows account or Domain Controller account. Microsoft Live account authentication not permitted. No use of biometric access. No use of PIN code access.

Password Policy – complex password consisting of 8 characters minimum, UPPER and lower case, number and symbols, non sequential, and changed every 60 days. No reuse of passwords within any one year of prior use. 

Audit – The audit differs for each version of Windows. First stage is limited by Windows version. Group Policy Editor allows password complexity to be defined on a specific system. A domain controller can globally define password policy. Windows Home does not have a way to define password complexity as a policy.

From the command prompt on each computer

net accounts /MINPWLEN:8

net accounts /MAXPWAGE:60

net accounts /UNIQUEPW:6
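An added example, not part of the original article: `net accounts` run with no arguments prints the values currently in force, and this Python script compares that output with the policy above. The function names are hypothetical, the sample output is constructed, and English-locale output is assumed.

```python
# Added example: audit `net accounts` output against the password policy
# stated above (minimum length 8, maximum age 60 days, history of 6).
# Assumes English-locale output; the sample text below is constructed.

# Label printed by `net accounts` -> (requirement text, check on the number)
RULES = {
    "Minimum password length": ("at least 8", lambda n: n >= 8),
    "Maximum password age (days)": ("1 to 60", lambda n: 1 <= n <= 60),
    "Length of password history maintained": ("at least 6", lambda n: n >= 6),
}

def parse_net_accounts(text):
    """Turn each 'label:   value' line into a label -> value entry."""
    fields = {}
    for line in text.splitlines():
        label, sep, value = line.rpartition(":")
        if sep and value.strip():
            fields[label.strip()] = value.strip()
    return fields

def audit(text):
    """Return a list of findings; an empty list means the host complies."""
    fields = parse_net_accounts(text)
    findings = []
    for label, (wanted, ok) in RULES.items():
        value = fields.get(label)
        if value is None:
            findings.append(f"{label}: missing from output")
        elif not value.isdigit() or not ok(int(value)):
            # "None" or "Unlimited" means the control is switched off.
            findings.append(f"{label}: {value} (policy: {wanted})")
    return findings

# Constructed sample output, filled in for three hypothetical hosts.
TEMPLATE = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          {max_age}
Minimum password length:                              {min_len}
Length of password history maintained:                {history}
Lockout threshold:                                    Never
Computer role:                                        WORKSTATION
The command completed successfully.
"""
DEFAULT_HOST = TEMPLATE.format(max_age=42, min_len=0, history="None")
HARDENED_HOST = TEMPLATE.format(max_age=60, min_len=8, history=6)
NO_EXPIRY_HOST = TEMPLATE.format(max_age="Unlimited", min_len=8, history=6)

if __name__ == "__main__":
    for name, text in [("default", DEFAULT_HOST), ("hardened", HARDENED_HOST),
                       ("no-expiry", NO_EXPIRY_HOST)]:
        print(name, audit(text) or "compliant")
```

Password complexity does not appear in `net accounts` output, so it still has to be verified through Group Policy or the domain controller as described above.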

SafeView has a remote password policy audit tool for larger deployments. Contact us at “rdgroup@safeview.com” for access.

Media Hardware

Media hardware policy – Microphone and camera must be disabled when not in use for business approved activity. Camera lens needs to be obscured with a cover. Microphone needs to be physically disconnected. Microphones and cameras are built into most mobile platforms, so users have to participate in disabling these, or this can be done on a schedule using Group Policy settings locally or in the domain controller.

Microphone audit –  Download nircmd from http://www.nirsoft.net/utils/nircmd.html. Set this to run with a desktop shortcut, or on a timer.

Camera audit –  Visually inspect computers and laptops to make sure that cameras are covered when not in use for business purposes.

Special Windows Applications

We understand that Microsoft is trying to deliver a rich experience to users, and they are providing tools and functionality to enhance the interaction with the computer and operating system. The problem is that these applications may encourage practices and behaviors which put business and personal information at risk. Considering this, Windows 10 has to be filtered for secure business, enterprise and professional use.

Windows Enterprise removes Metro tiles (approximately 30 applications), Windows store, Edge browser and Cortana. Pro and Home users need to look at other options to remove the unwanted applications.

Managing Windows, Easy to Hard

Remove applications – (Metro tiles, Cortana, Edge browser, Windows Store, OneDrive)

Remove updates (telemetry and customer experience improvement program)

Turn off advertising

Manage network communications

Remove Applications

Removing applications varies in complexity based on the version of Windows installed.

Metro Tiles (each tile below is tracked and reports use and status to Microsoft)

3D Builder

Alarms

Calculator

Camera

Film and TV

Get Office

Get Skype

Get Started

Mail and Calendar

Maps

Money

Music

News

OneNote

People

Phone Companion

Photos

Solitaire

Sports

Store

Voice Recorder

Weather

XBox

sourced from: http://www.thewindowsclub.com/10appsmanager-windows-10

10 Apps Manager, copyright The Windows Club

The Windows Club makes an application available for free. 10AppsManager allows a user to permanently remove a tile, and reinstall later. The application successfully removes the application without having to edit the registry. I suspect that the tile still exists, but a registry flag has been set, since the application allows the tiles to be reinstalled later.

OneDrive

Remove icon in File Explorer

Press Win+R and type regedit to open up the Registry Editor

Navigate to the HKEY_CLASSES_ROOT\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6} registry key.

Double-click on System.IsPinnedToNameSpaceTree and change its value from 1 to 0.

Log off or restart your computer. When you open File Explorer, the OneDrive entry should be gone from the list.

Remove OneDrive from the computer

Pro, Ent. and LTSB: open the Group Policy Editor (type “gpedit.msc” in the search box) and go to Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > OneDrive. Then enable the “Prevent the usage of OneDrive for file storage” setting.

Open Command Prompt in Administrator mode: Right-click on the Windows icon in the taskbar and select Command Prompt (Admin).

Type in taskkill /f /im OneDrive.exe to terminate any OneDrive processes and hit Enter.

Then type in either %SystemRoot%\System32\OneDriveSetup.exe /uninstall if you’re using 32-bit Windows 10 or %SystemRoot%\SysWOW64\OneDriveSetup.exe /uninstall if you’re using 64-bit Windows 10 and hit Enter.

Edge Browser

Removing Edge browser involves a number of registry edits, well documented at http://news.softpedia.com/news/how-to-remove-microsoft-edge-from-windows-10-491534.shtml.

Note: Make sure you’re using an administrator account.

Step 1: Navigate to this location C:\Windows\SystemApps and look for a folder named Microsoft.MicrosoftEdge_8wekyb3d8bbwe

Step 2: Right-click the oddly-named Edge folder to access its properties.

Step 3: Switch to the Security tab and press the Advanced button for Special Permissions or Advanced Settings.

The first set of info shown refers to Name and Owner. You need to become the owner.

Step 4: Follow the link to Change owner so it’s no longer TrustedInstaller.

Step 5: In the prompt that appears, click the big text field and write down Administrators (plural). Then, press the button next to it to Check Names. Windows automatically detects and suggests the administrator account.

Step 6: Press OK to confirm changes. You’re taken back to the Advanced Security Settings panel.

Step 7: In the first set of info, the one with the Change link, there should now be an option to Replace Owner on Subcontainers and Objects. Make sure it is checked, and press OK.

Step 8: Back in the folder properties panel, press Edit to Change Permissions.

Step 9: Select the Administrators account from the Group or User Names list, and check the Allow box for Full Control. Press Apply and OK to confirm changes, and OK to close the properties panel so that you become the owner.

Important Note: Now that you have complete control over Edge’s location (evil laugh), DON’T go off deleting it, or you risk causing serious system stability issues. What you can do is create a backup of it in case you ever decide to use Edge again, or unexpected consequences occur.

Step 10 (optional): Access the folder’s properties panel again. At the bottom of the General tab, press the Read-only checkbox until it’s marked with a check symbol ✓ and not a square ◼. Press Apply and OK to confirm.

This prevents Windows from accessing and making changes to any files inside the folder, thus rendering Edge unusable.

Step 11: Access the Edge folder and rename the MicrosoftEdge.exe and MicrosoftEdgeCP.exe files, or completely delete them. You can also unpin Edge from the Taskbar.

Note: If you ever consider using Edge in the future, simply rename executable files to something else, so you know how to change them back to make Edge functional again.

Winaero.com has a tool that will make the registry edits for users quickly.

sourced from: http://winaero.com/blog/how-to-uninstall-and-remove-edge-browser-in-windows-10/

Windows 10 uninstall Microsoft Edge browser, copyright Winaero, http://winaero.com

Uninstall Cortana

Removing Cortana requires a dozen registry edits performed in serial. Refer to this for details.

Winaero made a tool for this purpose too.

sourced from: http://winaero.com/blog/how-to-uninstall-and-remove-cortana-in-windows-10/

Windows 10 Cortana uninstall

Block auto update, stop communications

Jonas Zimmerman from pXc-coding created DoNotSpy10 for Windows 10, and DoNotSpy78, for Windows 7 and 8.x respectively. This app creates a centralized interface where users can quickly and easily adjust settings related to 37 different features that have a direct impact on security and privacy. This means that instead of combing through a dozen different settings screens in Windows 10, users can adjust all of their privacy and security settings in one place. Jonas provided licensed copies of each for the development of this article. The application is supported by ads or donations. Be fair and pay him for his work.

DoNotSpy10 (Note that the resolution is unusual on my HD display)

Here’s a full list of the settings DoNotSpy10 can currently configure:

Disable telemetry

Disable Biometrics

Disable handwriting data disclosure

Disable handwriting Error Reporting

Disable Application Telemetry

Disable Inventory Collector

Disable Steps Recorder

Disable lock screen camera settings

Deactivate and reset Cortana

Disable localization

Disable sensors

Disable Web search

Disable Windows Media DRM Internet access

Activate postponing upgrades

Disable app notifications

Disable Password button ads

Stopping and resetting the advertising ID

Disable SmartScreen filter for URLs

Disable sending write information

Disable access to language list

Disable app access to localization

Disable app access to camera

Disable app access to microphone

Disable acquaintance

Disable app access to user accounts info

Disable app access to calendar

Disable app access to messages

Disable app access to wireless connections

Disable app access to Uncoupled devices

Disable prompts Feedback

Disabling Windows Update distribution

Disable Windows Update for other products

Disable WiFi Sense

Disable Windows Defender

Disable automatic Windows Updates

Deactivate OneDrive

Disable Automatic Driver Updates

Turn off advertising tracking

Go to “Search Windows”. Look for “privacy”

then, Privacy Settings

Turn off everything.

Block all the Internet traffic going back to Microsoft

Fortunately, Spybot Search and Destroy has come up with a tool called “Cut The Line“. This is a trusted source to block the outbound traffic without spending hours to edit files and update firewall settings.

From their version notes . . .

Implemented /silent

Added Office 15 (2013) Telemetry immunization (Group Policies & Scheduled Tasks)

Added Office 16 (2016) Telemetry immunization (Group Policies & Scheduled Tasks)

Hosts file block IP default changed from 127.0.0.1 to 0.0.0.0

Added own group policy for hosts file read only flag

Added own group policy for hosts file block IP

Added own group policies for hiding each immunizer

Added OpenSSL libraries to installer

Added OpenSSL credits to About dialog

Added own scheduled task

On Installation, Windows 10, Enterprise 2015 LTSB

After Immunization

All supported versions of Windows now affected

Users have shown their disdain for Microsoft’s broad interpretation of “personally identifiable information” as required telemetry data to improve the user experience. They have uninstalled Windows 10 in favor of Windows 8.x or 7. As it turns out, unless a user installs XP in place of Windows 10, the same level of data collection is going on for all supported versions of Windows. This monitoring is part of Microsoft’s Customer Experience Improvement Program (CEIP) and is designed to “improve the products and features customers use most often and to help solve problems,” Microsoft said.

http://www.infoworld.com/article/2979054/windows-security/windows-7-8-10-now-all-collecting-user-data-for-microsoft.html

http://www.zdnet.com/article/microsoft-tries-to-clear-the-air-on-windows-10-privacy-furor/

http://thehackernews.com/2015/08/windows-spying-on-you.html

 

 

Summary

Without an insurmountable amount of effort, it is possible to secure Windows 7, 8.x and 10 in such a way as to use it for professional and enterprise business. Following the tactical steps defined herein, it is possible to create policies, implement tools and audits to verify compliance.

In the first part, we discussed the concept of Windows as a Service and the scope of information collected. We are able to see clearly the disconnect between the proposed privacy policy and information collection and the reality when compared to multiple data sources, Microsoft included.

The second part helped us plan how to use Windows 7, 8.x and 10 platforms for business. We outlined the immediate steps required, and then outlined those things that need to be fixed.

In this part, we reviewed the tactical steps required to protect Windows 7, 8.x and 10 in a way that allows us to continue using it for business without exposing customer, patient and proprietary data. Finally, in the next section, we will discuss how to implement a strategy to manage an operating system as a service.

sourced from: https://www.hackread.com/microsoft-updates-spy-on-windows7-8-users/