Artarga Posted September 14, 2015

And more about DNS... interesting: is it possible to set up a sort of community DNS server that will fall back to 8.8.8.8 in all cases except for MS domain names? So people can just put this DNS as a primary and be sure that at least "phoning home by a domain name" is blocked and the list of domain names does not get outdated.
NoelC Posted September 14, 2015

> As for your comment about continuous updates, then I think the opposite. Block all MS connections (including updates) and do manual updates once in a while. I mean explicitly allow certain connections. Press "check 4 updates" and close all connections back. Does not seem to be the perfect scenario though.

I've pretty much achieved that with my Win 7, 8.1, and 10 firewall configurations. They are "deny by default" with a white list of addresses allowed for connection only to specific system components. Plus updates are only installed when I request them, owing to several settings and reliance on resiliency in the Windows Update process.

Yes, explicit IP address management is absolutely needed. Just a hosts file (which I also have) doesn't do it. Not even close.

Yes, Microsoft rotates addresses. You tend to see a lot of them in sequence when you block traffic, because it has retry logic to try to work around temporary server outages. But even that list changes from run to run. It's like fishing.

Yes, things are blocked at all hours of the day and night. In fact, at the moment I'm finding I'm blocking more from Win 8.1 than 10, believe it or not.

Unfortunately, it's not a perfect solution, because it's entirely possible that an address in a range required to complete a Windows Update (and there are a LOT of them) by a particular Service might be the very same one that can receive uploads of personal data. But the traffic seems very small in practice. WAYYY less than without the firewall in place.

I have put many hours into this, and I can honestly say that my lists of addresses cannot possibly be perfect. Worse yet, as jaclaz has alluded, they're going to change. I've already seen this happen with the system accessing new addresses after a recent update. Even worse, they're certainly not the same for systems in other geographic places. And you can't just block all Microsoft addresses. They use Content Delivery Networks (CDNs), so some information is exchanged with servers owned by Akamai, Edgecast, and a number of others. And there are some Microsoft addresses from which you DO want to receive data, e.g., while browsing, so you have to be pretty selective in how you set up your rules.

Frankly, it's complicated as hell to get it right, then select the right reporting options so as to be able to manage it. I'd hesitate to say it's hopeless, but being this close to a working solution I honestly still wonder whether I'll have the energy and time to maintain this configuration - it does take significant ongoing effort to remember that things that used to just work might now be failing because of the "deny by default" policy. This comes into play when you install new software, for example.

-Noel

P.S., if your system being promiscuous online disturbs you - and don't get me wrong, it should - keep in mind that instituting a process whereby you can actually track what's being done can actually be more disturbing. Sometimes ignorance really is bliss. "What was in that one packet that got through?"

Edited September 14, 2015 by NoelC
Formfiller Posted September 14, 2015

Maybe the solution is just to run W7 (or a metro-less 8.1 for that matter) until it falls apart. If you keep your browser, Acrobat Reader and Flash updated, the internet is pretty safe even on an unpatched Windows. And that's pretty much the only attack vector if you have a working firewall.
NoelC Posted September 14, 2015

I'm doing just that. The Metro-less Win 8.1 is pretty chatty, and 7 - while being MUCH less so - isn't purely quiet either, and does need firewall treatment.

Here's the kicker: It's probably ill advised to cut off updates entirely, and frankly it's getting more and more difficult to separate wheat from chaff in the update sets. Does every "Security" update contain only security fixes? Will a system start to fall apart quickly if you take only security updates and not bugfixes? Are the bugfixes intermingled with privacy invading changes?

With everything in place, last night my Win 8.1 setup contacted ctldl.windowsupdate.com (23.14.84.48). No new updates were downloaded, but the difficulty in separating wanted from unwanted connections I mentioned up above is quite real.

-Noel
Artarga Posted September 14, 2015

> Here's the kicker: It's probably ill advised to cut off updates entirely, and frankly it's getting more and more difficult to separate wheat from chaff in the update sets. Does every "Security" update contain only security fixes? Will a system start to fall apart quickly if you take only security updates and not bugfixes? Are the bugfixes intermingled with privacy invading changes?
>
> -Noel

It looks like the answer could become something like this. Block everything, even updates. Do updates through wsusoffline.net or something. This is another tool I'm going to play with.
JorgeA Posted September 14, 2015

> > Here's the kicker: It's probably ill advised to cut off updates entirely, and frankly it's getting more and more difficult to separate wheat from chaff in the update sets. Does every "Security" update contain only security fixes? Will a system start to fall apart quickly if you take only security updates and not bugfixes? Are the bugfixes intermingled with privacy invading changes?
> >
> > -Noel
>
> It looks like the answer could become something like this. Block everything, even updates. Do updates through wsusoffline.net or something. This is another tool I'm going to play with.

Maybe one solution would be to port Samsung's Windows Update blocker over to PCs made by other manufacturers...

--JorgeA
Artarga Posted September 14, 2015

> It looks like the answer could become something like this. Block everything, even updates. Do updates through wsusoffline.net or something. This is another tool I'm going to play with.

Here is what I have so far. I'm running a local DNS service (Acrylic) to block all traffic by domain name. Like hosts, but without an ability for the OS to bypass that. So far I have come up with the following tiny list of rules:

0.0.0.0 *.a-msedge.net
0.0.0.0 *.bing.com
0.0.0.0 *.microsoft.com.akadns.net
0.0.0.0 *.microsoft.com.nsatc.net
0.0.0.0 *.msn.com
0.0.0.0 *.live.com
0.0.0.0 *.microsoft.com
0.0.0.0 *.windowsupdate.com

And so far, during a couple of hours of running and 5-6 reboots, the VM with Win10 Pro was not contacting anything from outside. Of course WinUpdates is not working and the networking icon in the system tray shows "connection is limited". However it works well as far as Internet browsing is concerned.

So I'm interested in scenarios you observe that trigger Win10 to "call home". It looks like I'm missing something. The solution so far looks very simple.
Tripredacus Posted September 14, 2015

Artarga, it is clear that using the HOSTS file in Windows 10 is not valid, as there are a few documented instances where the file is not even used for resolving domains.
NoelC Posted September 14, 2015

Probably why he's using a local DNS service instead. Do asterisks even work in hosts?

-Noel
alacran Posted September 14, 2015

The important thing here is this additional hosts file can be used to block Windows spying domains too, as Artarga said, and the OS is not going to bypass it.

See here, it looks promising: http://sourceforge.net/projects/acrylic/

And this is the home page: http://mayakron.altervista.org/wikibase/show.php?id=AcrylicHome

> Acrylic is a local DNS proxy for Windows which improves the performance of your computer by caching the responses coming from your DNS servers and helps you fight unwanted ads through a custom HOSTS file (optimized for handling hundreds of thousands of domain names) with support for wildcards and regular expressions. When you browse a web page a portion of the loading time is dedicated to name resolution (usually from a few milliseconds to 1 second or more) while the rest is dedicated to the transfer of the web page contents and resources to your browser. What Acrylic does is to reduce the time dedicated to name resolution for frequently visited addresses closest to zero possible. It may not seem such a great optimization but in a few weeks of Internet browsing you will probably save an hour or so, which is definitely not such a bad thing. Furthermore Acrylic's sliding expiration caching mechanism, simultaneous forwarding to multiple DNS servers and support for background DNS updates are able to improve your browsing experience independently of the browser. With Acrylic you can also gracefully overcome downtimes of your DNS servers without disrupting your work, because in that case you will at least be able to connect to your favourite websites and to your email server. Another good thing is that Acrylic is released as open source, which means that it's free and its source code, written with Borland Delphi 7, is freely available to anyone under the GNU General Public License.

EDIT: Bolds are mine

alacran

Edited September 15, 2015 by alacran
NoelC Posted September 15, 2015

> So I'm interested in scenarios you observe that trigger Win10 to "call home". It looks like I'm missing something. The solution so far looks very simple.

Can you complete a Windows Update with that? That's the difference. It's not really a viable solution if you can't do a Windows Update.

-Noel
alacran Posted September 15, 2015

> > So I'm interested in scenarios you observe that trigger Win10 to "call home". It looks like I'm missing something. The solution so far looks very simple.
>
> Can you complete a Windows Update with that? That's the difference. It's not really a viable solution if you can't do a Windows Update.
>
> -Noel

You can use this for directly downloading updates, without using WU, and it can also be ported to another machine (free for personal use): http://www.portableupdate.com/

I selected metered connection to stop WU and tried it, see this post: http://www.msfn.org/board/topic/174149-we-can-hide-updates/#entry1104725

The first time you run it, it downloads some APIs from MS servers, so at that time it may need full access.

NoelC, please try it and see if it can be of some use for this approach.

EDIT: I'm asking this because I don't have my Win10 testing machine with me at the moment.

Best Regards

alacran

Edited September 15, 2015 by alacran
Artarga Posted September 15, 2015

> > So I'm interested in scenarios you observe that trigger Win10 to "call home". It looks like I'm missing something. The solution so far looks very simple.
>
> Can you complete a Windows Update with that? That's the difference. It's not really a viable solution if you can't do a Windows Update.
>
> -Noel

Yes and no. To make an update I was using the http://www.wsusoffline.net tool, and while running that tool I was slightly opening the defense. In fact my Acrylic hosts file looks like this:

127.0.0.1 localhost
0.0.0.0 *.a-msedge.net
0.0.0.0 *.bing.com
0.0.0.0 *.microsoft.com.akadns.net
0.0.0.0 *.microsoft.com.nsatc.net
0.0.0.0 *.msn.com
0.0.0.0 *.live.com
#############################################################################
0.0.0.0 *.microsoft.com
0.0.0.0 *.windowsupdate.com
# Comment 2 rules above and uncomment 2 below while doing an update.
#0.0.0.0 *.microsoft.com -download.microsoft.com
#0.0.0.0 *.windowsupdate.com -download.windowsupdate.com

And it worked, since WSUS needs only download.windowsupdate.com and download.microsoft.com to get those updates. Needs to be confirmed by anyone else though.

I haven't tried yet to leave these lines permanently

#0.0.0.0 *.microsoft.com -download.microsoft.com
#0.0.0.0 *.windowsupdate.com -download.windowsupdate.com

and run Windows Update instead of WSUS. But I'm planning to do so.
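As an added example (not Acrylic's code and not the poster's), a small Python model of the wildcard-plus-exception rules in the file above, so the "update window" pair can be checked against the names reported in this thread before touching the live file; it also models the earlier idea of sinkholing only MS names and forwarding everything else upstream. The rule syntax, the exception semantics, and the sample of observed names are assumptions labelled in the code.

```python
"""Acrylic-style wildcard hosts rules evaluated against DNS query names.
Added example, not Acrylic's own code. Assumed syntax, taken from the rules
posted in this thread: "<ip> <pattern> [-<exception> ...]"; "*" matches any
run of characters (dots included), "#" starts a comment, "-name" exempts
that exact host from the pattern on the same line."""
import fnmatch

# Constructed rule set: the thread's file with the "update window" pair active.
RULES = """
127.0.0.1 localhost
0.0.0.0 *.a-msedge.net
0.0.0.0 *.bing.com
0.0.0.0 *.microsoft.com.akadns.net
0.0.0.0 *.microsoft.com.nsatc.net
0.0.0.0 *.msn.com
0.0.0.0 *.live.com
# sinkhole everything under these zones except the WSUS download hosts
0.0.0.0 *.microsoft.com -download.microsoft.com
0.0.0.0 *.windowsupdate.com -download.windowsupdate.com
"""

# Names the thread reports Windows components querying (constructed sample).
OBSERVED = ["ctldl.windowsupdate.com", "settings-ssl.xboxlive.com",
            "definitionupdates.microsoft.com", "ocsp.verisign.com",
            "download.windowsupdate.com", "www.msfn.org"]


def parse_rules(text):
    """Return a list of (sinkhole_ip, pattern, exceptions) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        exceptions = {p[1:].lower() for p in parts[2:] if p.startswith("-")}
        rules.append((parts[0], parts[1].lower(), exceptions))
    return rules


def resolve(name, rules):
    """Sinkhole address for name, or None when the query goes upstream."""
    name = name.lower().rstrip(".")  # DNS names are case-insensitive
    for ip, pattern, exceptions in rules:  # first matching rule wins
        if name not in exceptions and fnmatch.fnmatchcase(name, pattern):
            return ip
    return None


def audit(names, rules):
    """Map each queried name to its sinkhole address or 'forward'."""
    return {n: resolve(n, rules) or "forward" for n in names}
```

Running `audit(OBSERVED, parse_rules(RULES))` shows that definitionupdates.microsoft.com is still caught by the `*.microsoft.com` wildcard during the update window, which matches the later post that had to whitelist it; note also that a bare `microsoft.com` is not matched by `*.microsoft.com`.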
Artarga Posted September 15, 2015

Update to the previous post. With only download.windowsupdate.com and download.microsoft.com allowed, Windows Update does not go. However WSUS Offline works perfectly fine. And I'm completely OK with this approach if it helps me avoid maintaining huge rule-sets inside my firewall. Still, the approach needs verification, since I have my system up-to-date and the only thing WSUS tells me in the end is "No missing update found. Nothing to do!"
Artarga Posted September 18, 2015

After a couple of days running this local DNS I can say I'm pretty satisfied with how it works. Since the last post I had to add only one line into the Acrylic hosts file (0.0.0.0 *.xboxlive.com); it came from the WinStore.Mobile.exe application accessing the settings-ssl.xboxlive.com domain.

Still looking for updates to see how WSUS Offline really works. BTW, I also had to whitelist definitionupdates.microsoft.com.

There is also one more thing I found - C:\Windows\System32\taskhostw.exe was trying to access the ocsp.verisign.com and crl.verisign.com domains. Looks like something related to certificates, but I'm not sure if I need this to be permitted. Does anyone know if verisign.com can be safely blocked?