Windows restricted traffic limited functionality baseline



  • #1

Since everyone is freaking out about privacy, data collection, disabling services and other stuff it’s time to finally get a solution that works with the least amount of work and no third-party apps like WPD, O&O ShutUp, etc. What most users forget and the apps won’t tell you: Most of these settings only work on Enterprise editions.

Microsoft provides an overview of all settings and endpoints that you need to change/block:
Manage connections from Windows 10 operating system components to Microsoft services — This site is the main entry point for Windows.
Overview of privacy controls for Microsoft 365 Apps for enterprise — This site is the main entry point for Office 365 (also applies to Office 2016/2019)

For all you crazy people out there with zero knowledge about what you are doing (like using the hosts file to block IPs…) Microsoft is providing a list of which endpoint is responsible for which functionality:
Manage connection endpoints for Windows 10 Enterprise, version 2004 — Just click on Learn how to turn off traffic to the following endpoint(s) and you will know which setting it is.

nuhi
To make it as easy as possible for you to implement, Microsoft provides a set of files which hold the corresponding GPOs/registry keys. You can always find the latest version of this file (which includes settings for all Windows 10 and Server versions) here:
Windows Restricted Traffic Limited Functionality Baseline
With the provided ADMX and ADML files you also don’t have to write any text or explanation. Just parse these XML files. I hope that this will make it less painful for you to implement.



  • #2

For all you crazy (more like wise) people out there
1. Play around with NTLite and remove components as much as you can by trial and error.
(OPTIONAL STEP) Install a paid and trustworthy VPN with killswitch. Use bitcoin for purchase.
2. Install Sphinx Windows 10 Firewall Control
3. Make hostprocess (svchost.exe) zone: «svchost+noupdates» (this won’t let services connect to the internet, but your programs -ie browser, games etc. will work fine. You’ll have to MANUALLY update your PC after that, preferably month to month)
4. Make System zone: Localsystem (this will also block MS Windows shenanigans)
5. Make that stupid operating system your bitc*. When you tell him to shut up it will SHUT THE f**k UP.

0 bytes per second on idle. 0 spying.



  • #3

It’s not a bad idea, but 1 and 3 don’t work together, if you remove as much components as you can, forget about updating after that, it just won’t work anymore. But I guess you can do your setup and then block everything else and allow program by program access, then you don’t need to remove any components, especially if you can use an already cleaner Windows, like enterprise.

But this is for sure an interesting idea, because it takes away the need for knowledge about what things do what in the full Windows package, you can just ignore all that, except for when it can bypass the firewall somehow, that is still valuable information to know if that would be possible.

> More ideas are welcome here, but this should also be part of the privacy thread that exists elsewhere <

DNS Block List for Windows

The Largest List of Windows hosts

This is an exhaustive list of all Windows DNS names that call back to Microsoft or third party applications builtin to the Operating System.

Created script to help configure Microsoft blocking and unblocking.


Core Functions

1. Access Control

  • Requires administrator privileges
  • Maximizes window on startup
  • Self-adds to Windows Defender exclusions (Defender detects hosts-file entries that redirect Microsoft domains as SettingsModifier:Win32/HostsFileHijack and would otherwise undo them; the exclusion also means Defender no longer scans the script’s own path)

2. Blocking Features

  • Downloads/modifies Windows hosts file
    • Redirects Microsoft domains to localhost (127.0.0.1)
  • Disables IPv6 on network adapters
  • Creates Windows Firewall rules
    • Blocks Microsoft IP ranges
  • Downloads/processes Microsoft’s public IP ranges

3. Main Functions

  • Fast Block: Executes all blocking actions sequentially
  • Complete Unblock: Reverses all blocking actions
  • Manual Actions: Individual control of each function

4. Network Management

  • Hosts file backup creation
  • Windows Firewall rule management
  • Network adapter restart capability
  • DNS flush and re-registration
  • Temporary file cleanup

5. Status Monitoring

  • IPv6 status display
  • Hosts file modification status
  • Firewall rule status

Interface

Interactive menu system offering:

  • Complete Microsoft connection blocking
  • Full unblock functionality
  • Manual action execution
  • Real-time status monitoring

Pihole Adlist URL

  • https://raw.githubusercontent.com/schrebra/Windows.10.DNS.Block.List/main/hosts.txt

Warning

Blocking includes any built in apps

Bing, Outlook, Office, Edge, Skype, Xbox, Microsoft.com, Windows Update, Defender Update, Azure, OneDrive, Spotify, TikTok, Clipchamp, Disney+ , Facebook, Linkedin and Telemetry.

Broken Network Icon Fix

The network icon will show that you have no internet connectivity. This is because Windows’ Network Connectivity Status Indicator (NCSI) probes www.msftconnecttest.com, which is now blocked. Occasionally your browser will open this domain to try to complete the probe; it will fail and the page will be blank. To fix this, follow the networkproguide.com link below and modify the registry settings it describes.

  • https://networkproguide.com/fix-connect-attempts-to-www-msftconnecttest-com-windows-server-2016/

Optional security

I wouldn’t recommend doing this, but if you really want to block everything the guide is here to experiment with.
Windows Restricted Traffic Limited Functionality Baseline:
A Microsoft provided package that will allow your organization to quickly configure the settings covered in this document to restrict connections from Windows 10 and Windows 11 to Microsoft.
Download the Windows Restricted Traffic Limited Functionality Baseline zip file and run the PowerShell script. One of its settings («Turn off Automatic Root Certificates Update») stops Windows from fetching trusted root certificates from Windows Update, so HTTPS sites whose certificate chains to a root not already in the local store will fail validation and browsing will appear broken. To restore this, open gpedit.msc and set that policy back to Not Configured under Computer Configuration > Administrative Templates > System > Internet Communication Management > Internet Communication settings.

  • https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services

IP Based Blocking

Microsoft Public IP space

Some Windows components reach Microsoft endpoints directly by IP address without a DNS lookup, so a hosts file or DNS block list alone does not catch everything.
If you have a router firewall you can also block the Windows public connection endpoints by IP range:

  • https://www.microsoft.com/en-us/download/details.aspx?id=53602

Powershell Firewall Blocking

Run PowerShell as administrator and enter «Set-ExecutionPolicy RemoteSigned». That changes the policy for the whole machine; if you only need it for these two scripts, prefer «Set-ExecutionPolicy RemoteSigned -Scope Process» (reverts when the window closes) or run them with «powershell.exe -ExecutionPolicy Bypass -File .\Block.MSFT.ps1».

  • Block.MSFT.ps1 to block all Microsoft Public IP Space
  • Unblock.MSFT.ps1 to remove the rules
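The block/unblock mechanics listed under Core Functions above and the Block.MSFT.ps1/Unblock.MSFT.ps1 pair are straightforward to reproduce. The script below is an added example written for this page, not the project’s own script: the two sample lists inside are constructed stand-ins for the project’s hosts.txt and the Microsoft public IP download, and the file name Block-Msft.ps1 is assumed. It tags every hosts entry and firewall rule it creates so that unblocking removes exactly what blocking added and nothing else. It does not add itself to Defender exclusions, so expect Defender to flag and possibly revert the hosts entries (see the note under Core Functions) unless you handle that yourself.

```powershell
# Added example (not the project's script): manage a marked hosts-file block
# and a Windows Firewall rule group for Microsoft IP ranges, with a clean
# reversal. Run from an elevated PowerShell session. The domain and IP lists
# below are constructed samples standing in for the project's hosts.txt and
# the Microsoft public IP download; substitute the real lists.
#Requires -RunAsAdministrator

$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
$Marker    = '# MSFT-BLOCK'           # every hosts line we add carries this tag
$RuleGroup = 'MSFT-Block'             # firewall rules share this Group for removal

# Constructed sample input (stand-in for the real lists).
$SampleDomains = @('telemetry.example.microsoft.com', 'vortex.example.net')
$SampleRanges  = @('13.107.4.0/22', '20.190.128.0/18')

function Backup-HostsFile {
    $backup = "$HostsPath.$(Get-Date -Format yyyyMMdd-HHmmss).bak"
    Copy-Item -Path $HostsPath -Destination $backup
    return $backup
}

function Add-HostsBlock {
    param([string[]]$Domains)
    $existing = Get-Content $HostsPath
    # 0.0.0.0 fails fast; 127.0.0.1 (used by the project's script) makes the
    # client wait for a refused connection on the loopback interface.
    $new = foreach ($d in $Domains) {
        $line = "0.0.0.0 $d $Marker"
        if ($existing -notcontains $line) { $line }
    }
    if ($new) { Add-Content -Path $HostsPath -Value $new -Encoding ASCII }
    return @($new).Count
}

function Remove-HostsBlock {
    # Keep everything that does not carry our marker; user entries are untouched.
    $kept = Get-Content $HostsPath | Where-Object { $_ -notmatch [regex]::Escape($Marker) }
    Set-Content -Path $HostsPath -Value $kept -Encoding ASCII
}

function Add-IpBlockRules {
    param([string[]]$Ranges)
    # One outbound block rule per prefix, all tagged with the same Group so
    # Remove-IpBlockRules can find them without touching other rules.
    foreach ($r in $Ranges) {
        $name = "$RuleGroup $r"
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Group $RuleGroup -Direction Outbound `
                -Action Block -RemoteAddress $r -Profile Any | Out-Null
        }
    }
}

function Remove-IpBlockRules {
    Get-NetFirewallRule -Group $RuleGroup -ErrorAction SilentlyContinue | Remove-NetFirewallRule
}

function Get-BlockStatus {
    [pscustomobject]@{
        HostsEntries  = @(Get-Content $HostsPath | Where-Object { $_ -match [regex]::Escape($Marker) }).Count
        FirewallRules = @(Get-NetFirewallRule -Group $RuleGroup -ErrorAction SilentlyContinue).Count
    }
}

switch ($args[0]) {
    'block' {
        Backup-HostsFile | Out-Null
        Add-HostsBlock -Domains $SampleDomains | Out-Null
        Add-IpBlockRules -Ranges $SampleRanges
        Clear-DnsClientCache
    }
    'unblock' {
        Remove-HostsBlock
        Remove-IpBlockRules
        Clear-DnsClientCache
    }
    default { Get-BlockStatus }
}
```

Usage: «.\Block-Msft.ps1 block», «.\Block-Msft.ps1 unblock», or no argument to print how many marked hosts entries and grouped firewall rules are currently in place. Grouping the rules and tagging the hosts lines is what makes the unblock path safe to run repeatedly: nothing that was not created by the block path is ever removed.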

Sources

  • https://answers.microsoft.com/en-us/windows/forum/windows_other-networking/need-windows-update-servers-ip-address-range-to/0b0d3618-f74c-411d-bb46-58bd605f7abe
  • https://docs.microsoft.com/de-de/security-updates/windowsupdateservices/18127640
  • https://docs.microsoft.com/en-us/answers/questions/121284/wsus-update-url.html
  • https://docs.microsoft.com/en-us/windows/deployment/update/windows-update-troubleshooting#why-am-i-offered-an-older-updateupgrade
  • https://docs.microsoft.com/en-us/windows/privacy
  • https://superuser.com/questions/363120/block-access-to-windows-update
  • https://www.microsoft.com/en-us/download/confirmation.aspx?id=53602
  • https://www.reddit.com/r/MoneroMining/comments/8l5wpt/block_windows_update_with_firewall
  • https://www.reddit.com/r/sysadmin/comments/g345cj/windows_update_official_list_of_ips_or_domains
  • https://www.reddit.com/r/Windows10/comments/3j8909/does_anyone_have_an_exhaustive_list_of_ip_ranges
  • https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt
  • https://raw.githubusercontent.com/notracking/hosts-blocklists/master/hostnames.txt
  • https://gist.githubusercontent.com/amalleo25/eb73bc748029297500e76e7eac41337e/raw/9f5dd17d682b3b9c5b64c253863fcd4d74f9a7c8/telemetry-blocklist
  • https://raw.githubusercontent.com/WindowsLies/BlockWindows/master/hostslist
  • https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/extra.txt

A week ago, independent security specialist Mark Burnett published the results of a small and, as it turned out, flawed investigation into the privacy settings of Windows 10 Enterprise. The system is installed in a virtual machine under Linux purely for research purposes, with a minimal set of software and all default Windows Store apps removed.

These results caused a heated discussion on Twitter, because they suggest that the OS seemingly ignores some settings set by the user and still connects to various tracking servers and sends some data there. Burnett’s first test, the results of which were published on Twitter, was carried out with errors. There is in fact a better way to limit telemetry. But it is impossible to get rid of data collection in Windows 10 completely.

Mark Burnett is a hacker and researcher, not a Microsoft systems engineer, although he wrote a book on ASP.NET security, received Microsoft’s Most Valuable Professional (MVP) title seven times, worked in Windows technical support and used only this OS on the desktop for about 25 years, until Windows 10 came out with Microsoft’s sharp change in policy toward mass collection of users’ personal data.

One can point to Microsoft’s official guide on managing connections in Windows 10, but Burnett’s opinion still cannot be called unqualified. Indeed, Windows 10 group policies are not so simple.

The first screenshot shows that SmartScreen is disabled on the system, yet Windows 10 still connects to Microsoft’s SmartScreen servers. Disabling telemetry in Windows 10 is also not so simple. Changing two group policies is not enough. The screenshot shows that the OS still sends data to Microsoft despite being explicitly told twice in group policy not to, plus a couple of registry changes.

All connections were blocked by the router’s firewall; the screenshots show only Windows 10’s blocked attempts to connect to various hosts. So it is unknown what packets it could have sent there, for example in the case of telemetry and so on.

The same goes for the sync settings, which involve connecting to Microsoft servers. All related policies are disabled in group policy, but Windows 10 still connects. The same for the error reporting settings and for the online account validation (AVS) policies in the Key Management Service (KMS) client.

The specialist tried to change all system settings so as to block any connection to Microsoft servers except for obtaining updates, but still logged many connections to servers with an obvious advertising and tracking purpose.

Notably, according to the Glasswire firewall, all these advertising hosts belong to Microsoft system processes, so they cannot be written off to third-party software (incidentally, this really is a good firewall for Windows and Android, free and easy to use).

Mark Burnett concludes that Windows 10 seemingly does not respect its own group policies. Probably some types of connections can be blocked through registry changes, which of course means undocumented registry keys. That is, there is no guarantee that you will find every one of the necessary keys.

Burnett himself admits that the first test was not perfectly clean. In a follow-up blog post he described a repeated, more careful test and explained the testing methodology. The repeated test still showed unpleasant Windows 10 activity, though less of it. For example, it turned out that blocking SmartScreen requires changing not two settings, as Burnett did, but more.

There are a number of applications that help deal with Microsoft’s spying and block the connections Windows 10 makes to remote servers in circumvention of system settings, which cannot be blocked by other means or only with great difficulty. The very existence of such applications already points to a problem. People would not create and use such programs if Windows 10 tracking could be disabled by trivial means. As an example of an anti-spy program that «shuts up» unwanted connections in Windows 10, ShutUp10 can be recommended. Burnett himself also used it on the test machine. But as can be seen, even anti-spy software does not help.

P.S. Some experts recommend that, to disable telemetry in group policy, you do not stop the service as Burnett did, but run the service with parameter 0, like this:

This may seem counterintuitive, but it can in fact make it possible to block connections to Microsoft tracking servers that are not blocked when the telemetry service is simply stopped.

Burnett believes that the various Windows 10 tracking group policies are implemented in different ways and are disabled in different ways. Whether by accident or by design, this makes disabling them harder. The method Microsoft recommends for disabling telemetry through the Windows Restricted Traffic Limited Functionality Baseline causes many problems. On top of that, telemetry is collected by .NET, Office, Windows Error Reporting, Windows DRM and other applications and components. And for many users the data-collection settings for Microsoft are set to the maximum level by default.
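Burnett’s method, as described above, was to block everything at the router, watch which connection attempts the OS kept making, and use Glasswire to attribute them to processes. The script below is an added example, not part of the article or of Burnett’s tests, that reproduces the observation step on a single Windows machine: it turns on Windows Firewall logging for dropped packets, parses the log, and attributes live outbound connections to the service inside svchost.exe that owns them (which is what the process-level attribution in the article depends on). The sample log lines embedded in it are constructed, not real captures.

```powershell
# Added example, not part of the article: observe which Microsoft endpoints
# Windows keeps trying to reach after a setting was "disabled", and which
# service is doing it. Run from an elevated PowerShell session.
#Requires -RunAsAdministrator

function Enable-DropLogging {
    # Log dropped packets for all profiles; the path is Windows' default log location.
    Set-NetFirewallProfile -Profile Domain,Private,Public -LogBlocked True `
        -LogFileName "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
}

function ConvertFrom-FirewallLog {
    param([string[]]$Lines)
    # Field order per the W3C header Windows writes into pfirewall.log:
    # date time action protocol src-ip dst-ip src-port dst-port size tcpflags
    # tcpsyn tcpack tcpwin icmptype icmpcode info path
    foreach ($l in $Lines) {
        if ($l -match '^#' -or [string]::IsNullOrWhiteSpace($l)) { continue }
        $f = $l -split ' '
        if ($f.Count -lt 17) { continue }
        [pscustomobject]@{
            Time = "$($f[0]) $($f[1])"; Action = $f[2]; Protocol = $f[3]
            SrcIp = $f[4]; DstIp = $f[5]; SrcPort = [int]$f[6]; DstPort = [int]$f[7]
            Direction = $f[16]
        }
    }
}

function Get-DroppedOutbound {
    param([string[]]$Lines)
    # Only outbound (SEND) drops matter here: those are the machine calling home.
    ConvertFrom-FirewallLog -Lines $Lines |
        Where-Object { $_.Action -eq 'DROP' -and $_.Direction -eq 'SEND' } |
        Group-Object DstIp, DstPort |
        ForEach-Object { [pscustomobject]@{ Destination = $_.Name; Attempts = $_.Count } } |
        Sort-Object Attempts -Descending
}

function Get-OutboundByService {
    # Map each outbound connection to its owning process and, for svchost.exe,
    # to the Windows service(s) hosted in that PID. A shared svchost can host
    # several services, so the Services column may list more than one.
    $svcByPid = Get-CimInstance Win32_Service | Where-Object ProcessId -gt 0 |
        Group-Object ProcessId -AsHashTable -AsString
    Get-NetTCPConnection -State Established,SynSent -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$|0\.0\.0\.0)' } |
        ForEach-Object {
            $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            $key = [string]$_.OwningProcess
            $services = if ($svcByPid.ContainsKey($key)) { ($svcByPid[$key].Name) -join ',' } else { '' }
            [pscustomobject]@{
                Remote   = "$($_.RemoteAddress):$($_.RemotePort)"
                State    = $_.State
                Process  = $p.ProcessName
                Services = $services
            }
        }
}

# Constructed sample log lines (not real captures) to exercise the parser.
$SampleLog = @(
    '#Version: 1.5'
    '#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path'
    '2020-05-01 10:00:00 DROP TCP 192.168.1.5 13.107.4.52 52012 443 52 S 123456 0 8192 - - - SEND'
    '2020-05-01 10:00:05 DROP TCP 192.168.1.5 13.107.4.52 52013 443 52 S 123457 0 8192 - - - SEND'
    '2020-05-01 10:00:07 DROP UDP 192.168.1.5 40.77.226.250 51234 443 0 - 0 0 0 - - - SEND'
    '2020-05-01 10:00:09 DROP TCP 203.0.113.9 192.168.1.5 4444 445 52 S 1 0 8192 - - - RECEIVE'
)

Get-DroppedOutbound -Lines $SampleLog | Format-Table -AutoSize
Get-OutboundByService | Format-Table -AutoSize
```

On the constructed sample the first table shows two attempts to 13.107.4.52:443 and one to 40.77.226.250:443; the inbound RECEIVE drop is excluded. To run against a real log, call Enable-DropLogging, wait, then pass «Get-Content $env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log» to Get-DroppedOutbound. The firewall log carries no process ID, which is why the second function takes a live snapshot instead; a repeated snapshot loop is the cheap way to catch short-lived connections.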

To tweak or not to tweak? That is the eternal question, especially for those who have years of experience with Windows PCs.

All that hands-on time is both a blessing and a curse, it turns out. As Windows has evolved, many of the tips, tricks, and secrets that were once essential for enhancing performance and reliability have become irrelevant.

Featured

And yet those lessons, once learned, are hard to unlearn. That’s particularly true when habits are based on traumatic experiences, like a failed BIOS update that bricked a Windows PC, or when your favorite system tweaks have been engraved into your memory like a pilot’s pre-flight checklist.

As Windows 10 has evolved over the past few years, I’ve been paying close attention to feedback from readers, and I’ve assembled this list of outdated ideas that are still stubbornly popular.

It’s OK to update your firmware

One of my most common recommendations for people upgrading to Windows 10 is to check for system firmware updates. This is especially important when you’re working with a system that was designed before the release of Windows 10 in 2015. As I learned from troubleshooting issues readers reported to me, several manufacturers released firmware updates in the months after that launch specifically to address upgrade issues.

The trouble is, too many people are absolutely petrified at the prospect of updating their system firmware. That’s especially true for people who’ve been using PCs for decades and who have terrible memories of «bricking» a PC with a BIOS update that goes wrong.

In the 1990s and 2000s, that was a legitimate concern, as BIOS code was stored in rewritable flash memory on the motherboard. On that type of PC, flashing the BIOS often required rebooting with an MS-DOS disk, and if the process didn’t go perfectly, you had to fuss with DIP switches on the motherboard and hope you could recover.

Modern PCs no longer use a legacy BIOS, but instead start up using the Unified Extensible Firmware Interface (UEFI). On UEFI-based PCs the firmware on the motherboard initializes the hardware, locates the EFI System Partition on the boot disk and hands off to the boot loader stored there, rather than reading a boot sector as a BIOS did.

Beginning with Windows 8 in 2012, Windows can deliver firmware updates through Windows Update as UEFI capsule packages staged in a known system location; the UEFI firmware then installs the capsule on its own after a restart. This architecture makes UEFI updates far more reliable than the old BIOS flash tools, with error checking that can roll back an unsuccessful update automatically.

The UEFI platform handles firmware updates directly, making failed updates far less likely.

Credit: Microsoft Docs

The bottom line is that on all but the most ancient PCs, firmware updates are no longer to be feared. If they’re not delivered automatically via Windows Update, it’s worth checking the manufacturer’s support site for firmware updates before any major software update.

Don’t mess with the page file

Since its earliest days, Windows has used a page file (sometimes called a paging file*), a hidden file in the root of the system drive that holds pages of memory the memory manager has moved out of physical RAM so they can be brought back when needed. In olden days, this hidden file was sometimes called the swap file**, and its primary purpose was to provide virtual memory so that apps didn’t crash when you ran out of physical memory.

On a clean install, Windows 10 sets the page file to be managed automatically. This is the best practice and I recommend that you leave that setting exactly where it is. To see your current settings, click in the search box or press Windows key + R to open the Run dialog box, and then enter the command systempropertiesperformance (with no spaces). That opens the Performance Options dialog box. Click the Advanced tab and then, in the Virtual Memory section, click Change to open the dialog box shown here.

Although you can modify the size of a page file, I don’t recommend it.

By default, the option to automatically manage the page file (1) is selected. Clearing that check box gives you access to options to change the page file for the selected drive (2) and shows how much space is in use (3).

You can still find well-meaning but misguided online advice to tweak the page file in one of two ways: Some people argue that you can reclaim disk space by eliminating the page file completely (if, for example, you have 32 GB of physical memory and are unlikely to ever need virtual memory). Others recommend setting it to a fixed size, so that you don’t experience a performance hit when it automatically resizes itself.

Neither one is a good idea, for the simple reason that in the Windows 10 era, the role of the page file has evolved. In addition to enabling virtual memory, the page file provides a place for crash dump files, which are created when Windows experiences a Blue Screen of Death.

It’s possible to envision edge cases where tweaking the page file makes sense (hello, commenters!), but those examples are vanishingly rare.

* The official documentation at docs.microsoft.com, which was updated just a few weeks ago, calls it a page file; the Windows dialog box, which dates back more than 20 years, calls it a paging file.

** Because Microsoft loves confusing its customers, Windows 10 actually includes a tiny file called swapfile.sys. It holds pages of memory swapped from so-called modern apps and has nothing to do with the systemwide virtual memory settings. Although you can tweak a registry setting to manage this file, I cannot think of a reason why any rational person would want to do this.

Let defragging take care of itself

In the Dark Ages of the PC era, defragmenting a hard disk was one of the most important performance-enhancing tasks you could do to speed up your PC. The combination of a slow storage bus (relative to modern technology), slow rotating disk speeds (ditto), and dumb file systems meant that regularly rearranging the physical placement of files on the disk actually made a noticeable impact.

Over the years, two noteworthy things have happened in the Windows ecosystem. System storage has become dramatically faster, especially as solid state drives have replaced conventional hard disks, and Microsoft engineers have gotten better at automatically managing the data on all of those types of disks.

In Windows 10, the Defrag.exe command is now officially named Defragment and Optimize Drives. It runs automatically, as part of a scheduled task. On conventional hard disks, Defrag does what it has always done, rearranging data so that it can be retrieved most efficiently. On SSDs, where rearranging data buys nothing and adds wear, Optimize Drives instead issues the TRIM command, which tells the drive which blocks no longer hold live data so its controller can erase them in the background and reuse them.

(The real old-timers in the audience will remember the MS-DOS Defrag utility, with its crude but mesmerizing Tetris-style display of colored blocks that shifted to represent files being defragged. The icon for the Defrag.exe command still includes those colorful blocks.)

To check the status of all currently available drives, type defrag in the search box and then click Defragment and Optimize Drives from the results list. The list of volumes displayed in the Optimize Drives window clearly indicates the media type and defrag/optimization status for each one.

The Defrag and Optimize utility does its work automatically. You shouldn’t have to intervene manually.

Most importantly, all of this defragging and optimizing happens automatically. You can run the Defrag.exe command whenever you want, to inspect the status of every local disk and confirm that everything’s working as expected. But you shouldn’t need to manually intervene.

Uninstall your registry cleaner

This particular class of what I used to call «snake oil software» has declined in popularity in recent years. But it’s not dead yet, which is unfortunate.

The concept behind registry-cleaning tools is simple. It starts with the belief that the Windows registry is a chaotic kludge, and then leaps from that assumption to a belief that cleaning out unnecessary or unused registry entries can magically speed up everyday activities and prevent crashes.

Now, one can put forward all sorts of logical critiques of the Windows registry. It is indeed occasionally messy. But the idea that software can magically identify unneeded and unwanted entries in this configuration database is charmingly quaint. And the idea that you can improve performance by removing one or more registry entries that were left behind by a sloppy uninstaller is decidedly illogical.

I have never seen a registry cleaner that could justify its existence with actual data proving performance improvements. I have, on the other hand, seen multiple examples of PCs that were corrupted or crashed by aggressive «cleaning» that removed useful registry keys.

If someone offers you a registry cleaner, just say no.

Try not to obsess over telemetry

I hear much less about telemetry these days than I did a few years ago, when a handful of ill-informed commentators harvested truckloads of pageviews by scaremongering about Microsoft «spying» on PCs running Windows 10.

The reality is far more prosaic. Microsoft, like most software companies in our hyper-connected world, relies on a steady stream of data to determine how well its products are working. With more than 900 million PCs running Windows 10, having that data in real time is essential to identify problems in the ecosystem, especially those involving failures in the automatic update process.

To be fair, that initial burst of negative publicity did inspire some welcome transparency from Redmond. All of the information that’s collected as part of the telemetry process is now fully documented, and a Diagnostic Data Viewer app allows you to inspect all the data that’s being sent to Microsoft’s telemetry servers. For enterprise customers, Microsoft has even documented what it calls a Windows Restricted Traffic Limited Functionality Baseline to minimize connections from Windows to Microsoft services.

Along the way, Microsoft also simplified the settings for telemetry data. The default setting for all editions of Windows 10 is Full, which means that the uploaded data includes some anonymized details about app usage. If you are concerned about possible inadvertent leakage of personal information, you can go to Settings > Privacy > Feedback & diagnostics and change the Diagnostic And Usage Data setting to Basic.

That switch isn’t enough for some folks, who recommend a scorched-earth group of settings that disable telemetry-related services and tasks. Naturally, a cottage industry of small utility developers has sprung up to automate those settings, which can have a range of unfortunate side-effects, including blocking access to updates.

If you’re genuinely concerned about privacy, there’s a long list of settings to adjust and behaviors to modify, and telemetry data is pretty far down that list. For details, see my «Windows 10 privacy guide: How to take control.»

Do you have additional items to suggest for this list? Feel free to leave a comment below, or use the contact form on my ZDNet author page (click the envelope icon next to my name) to send me a private message. If you want a reply, be sure to include your correct email address; I won’t use that information for any other purpose.


Applies to
  • Windows 10
  • Windows Server 2016

 
If you’re looking for content on what each telemetry level means and how to configure it in your organization, see Configure Windows telemetry in your organization. 

Learn about the network connections that Windows components make to Microsoft and also the privacy settings that affect data that is shared with either Microsoft or apps and how they can be managed by an IT Pro. 

If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider. You can configure telemetry at the lowest level for your edition of Windows, and also evaluate which other connections Windows makes to Microsoft services you want to turn off in your environment from the list in this article. 

You can configure telemetry at the Security level, turn off Windows Defender telemetry and MSRT reporting, and turn off all other connections to Microsoft network endpoints as described in this article to help prevent Windows from sending any data to Microsoft. There are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists, which is why we strongly recommend against this. This data helps us deliver a secure, reliable, and more delightful personalized experience.

To help make it easier to deploy settings to restrict connections from Windows 10 to Microsoft, you can apply the Windows Restricted Traffic Limited Functionality Baseline. This baseline was created in the same way as the Windows security baselines that are often used to efficiently configure Windows to a known secure state. Running the Windows Restricted Traffic Limited Functionality Baseline on devices in your organization will allow you to quickly configure all of the settings covered in this document. However, some of the settings reduce the functionality and security configuration of your device and are therefore not recommended. Make sure you’ve chosen the right settings configuration for your environment before applying. You should not extract this package to the windows\system32 folder because it will not apply correctly. Applying this baseline is equivalent to applying the Windows 10 steps covered in this article.
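«Configure telemetry at the lowest level for your edition» is the one step in this excerpt that is worth seeing concretely, because the lowest level is not the same on every edition. The script below is an added example, not Microsoft’s baseline script: it writes the same registry value the «Allow Telemetry» Group Policy writes and then reports the level the machine will actually apply, given its edition. The level names and edition check are from Microsoft’s documentation of the policy; the function names are this example’s own.

```powershell
# Added example (not Microsoft's baseline script): set the diagnostic data
# policy and verify the effective level for this edition. Run elevated.
#Requires -RunAsAdministrator

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
$Levels = @{ 0 = 'Security'; 1 = 'Basic'; 2 = 'Enhanced'; 3 = 'Full' }

function Set-TelemetryLevel {
    param([ValidateRange(0, 3)][int]$Level)
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    # Same value the "Allow Telemetry" Group Policy writes.
    Set-ItemProperty -Path $PolicyKey -Name AllowTelemetry -Value $Level -Type DWord
}

function Get-EffectiveTelemetryLevel {
    $edition = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID
    $policy  = (Get-ItemProperty $PolicyKey -ErrorAction SilentlyContinue).AllowTelemetry
    # Level 0 (Security) is honoured only on Enterprise, Education and Server
    # editions; Pro and Home treat a policy value of 0 as Basic (1).
    $effective = $policy
    if ($policy -eq 0 -and $edition -notmatch 'Enterprise|Education|Server') { $effective = 1 }
    [pscustomobject]@{
        Edition   = $edition
        Policy    = if ($null -eq $policy) { 'not set' } else { $Levels[[int]$policy] }
        Effective = if ($null -eq $effective) { 'default' } else { $Levels[[int]$effective] }
        # The Connected User Experiences and Telemetry service; the policy, not
        # the service state, is what the baseline manipulates.
        DiagTrack = (Get-Service DiagTrack -ErrorAction SilentlyContinue).Status
    }
}

Set-TelemetryLevel -Level 0
Get-EffectiveTelemetryLevel
```

Running this on a Pro or Home edition prints Policy = Security but Effective = Basic, which is the edition caveat the post at the top of this thread is pointing at. Set the level through policy rather than by stopping DiagTrack; the service comes back on its own, the policy value does not.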
 

This article is much too long to post here.  Please go to the link below to read it.

Article
