This Week, "Operating System as a Service, part 3"
Sorry about the length, but there is a lot of content to cover.
In part two, we reluctantly accepted the fact that Windows 10 may be "NSFW". While it is an incredible operating system and a brilliant achievement for Microsoft, Windows 10 may represent information privacy issues for professional and business users. We covered the immediate items that need to be reviewed before doing anything else. In this part, we will cover what to do to manage Windows 10 in a business or professional environment.
From Ars Technica . . .
"Finally, we will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary to: 1.comply with applicable law or respond to valid legal process, including from law enforcement or other government agencies; 2.protect our customers, for example to prevent spam or attempts to defraud users of the services, or to help prevent the loss of life or serious injury of anyone; 3.operate and maintain the security of our services, including to prevent or stop an attack on our computer systems or networks; or 4.protect the rights or property of Microsoft, including enforcing the terms governing the use of the services – however, if we receive information indicating that someone is using our services to traffic in stolen intellectual or physical property of Microsoft, we will not inspect a customer’s private content ourselves, but we may refer the matter to law enforcement."
The SafeView Research Report is intended to give you a snapshot of technology risk management issues. SafeView is a reliable source for automated risk, threat and vulnerability data, and advisory services to help you mitigate and remediate issues.
Windows Enterprise and LTSB allow optional installation of updates. LTSB does not install Windows Store, Cortana, the Edge browser or Metro tiles. Collectively, these are a large source of chatter back to Microsoft, so removing them removes the "excuse" to chatter. Unfortunately, in the install tested for this post, the chatter persisted even though those applications were absent. Enterprise and LTSB will not authenticate to MS Live as an alternative to a local account. It is possible to install without a domain server and simply use a local account for access. It is also possible to add accounts to a Windows 10 computer that authenticate to a Live account (Family accounts). Don't do this.
Windows Home and Pro have Cortana, Edge, Windows Store and Metro tile apps. If you are using a Live account to log in to Windows, remove this. Go to settings > users and change the sign-in options to local only.
DO NOT use the 4-digit PIN code login. A four-digit PIN can be guessed or visually captured far more easily than a complex password of 8 to 14 characters with UPPER and lower case, numbers and symbols, non-sequential, and changed frequently. more: http://answers.microsoft.com/en-us/windows/forum/windows_10-security/pin-makes-windows-less-far-far-less-secure/56f923be-0cf6-4135-9f97-a676e77acc11
DO NOT use the facial recognition login, also known as "HELLO". (Biometrics are something you have, not something you "know". You can be compelled with a warrant to provide things that you have. The Fifth Amendment can protect you from self-incrimination; this applies to the court defending your right not to disclose something you know. more: http://rebelpundit.com/biometrics-and-the-constitution-why-fingerprints-are-less-secure-than-passwords/)
For Pro, Enterprise or LTSB, use a domain controller for centralized authentication and access control, if possible.
Put a cover over your camera and unplug the microphone on the computer when not in use. more: http://www.howtogeek.com/210921/how-to-disable-your-webcam-and-why-you-should/
Immediate policies, practices and audit:
Use and Administration
User Policy - user accounts are restricted to "Standard User" access. Installation and configuration changes are restricted to Administrators. Users cannot have Administrative access to the systems on which they work.
Audit - Run the following from the command line
Admin - net user administrator | findstr /B /C:"Last logon" > <drive>admin-access_%computername%.log (<drive> should be a network shared drive that allows write ONLY access for these logs.)
Domain user - net user john /domain | findstr /C:"Last logon" > <drive>domain_user-access_%computername%.log
Local user - net user john | findstr /C:"Last logon" > <drive>local_user-access_%computername%.log
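Reviewing the logs those commands leave on the share is the other half of the audit. The following is an added example, not part of the original post and written in Python rather than the cmd commands above: it parses the "Last logon" lines across the per-computer files and lists the computers where the built-in Administrator logged on inside a review window, which the user policy says should not happen. It assumes the files have already been read from the share into a name-to-content mapping and that net user printed dates in US format.

```python
"""Added example, not from the original post: review the "Last logon" audit
logs that the net user commands above write to the share, one file per
computer. Assumed: the files have been read into a name-to-content mapping
and net user printed dates in US format (M/D/YYYY h:mm:ss AM/PM)."""
import re
from datetime import datetime, timedelta

# Constructed sample logs, named as the post's commands name them.
SAMPLE_LOGS = {
    "admin-access_WS01.log": "Last logon                   9/3/2015 8:41:12 AM\n",
    "admin-access_WS02.log": "Last logon                   Never\n",
    "admin-access_WS03.log": "Last logon                   1/15/2015 6:02:55 PM\n",
    "local_user-access_WS02.log": "Last logon                   9/10/2015 7:30:00 AM\n",
}

LOGON_RE = re.compile(r"^Last logon\s+(.*?)\s*$", re.MULTILINE)
NAME_RE = re.compile(r"^(admin|domain_user|local_user)-access_(.+)\.log$")


def parse_last_logon(text):
    """Return the logon time as a datetime, or None when net user printed Never."""
    match = LOGON_RE.search(text)
    if match is None:
        raise ValueError("no 'Last logon' line in log")
    value = match.group(1)
    if value == "Never":
        return None
    return datetime.strptime(value, "%m/%d/%Y %I:%M:%S %p")


def recent_admin_logons(logs, now, window_days=30):
    """List (computer, time) where the built-in Administrator logged on within
    window_days of now. The user policy forbids working as an administrator,
    so each entry is a finding to follow up; 'Never' and old logons are clean."""
    cutoff = now - timedelta(days=window_days)
    findings = []
    for name, text in sorted(logs.items()):
        m = NAME_RE.match(name)
        if m is None or m.group(1) != "admin":
            continue  # other log kinds (domain/local user) are not checked here
        when = parse_last_logon(text)
        if when is not None and when >= cutoff:
            findings.append((m.group(2), when))
    return findings


if __name__ == "__main__":
    for computer, when in recent_admin_logons(SAMPLE_LOGS, datetime(2015, 9, 15)):
        print(f"{computer}: Administrator last logon {when:%Y-%m-%d %H:%M}")
```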
Operating System Policy - Document the minimum Windows version for your operating requirements. This applies to all supported versions of Windows.
Audit - Win button + r, CMD (command prompt), type "winver", then <ENTER>
Long Term Audit - systeminfo > <drive>system_%computername%.log (<drive> should be a network shared drive that allows write ONLY access for these logs.)
User Authentication Policy - User authentication limited to either local Windows account or Domain Controller account. Microsoft Live account authentication not permitted. No use of biometric access. No use of PIN code access.
Password Policy - complex password consisting of 8 characters minimum, UPPER and lower case, numbers and symbols, non-sequential, and changed every 60 days. No reuse of passwords within any one year of prior use.
Audit - The audit differs for each edition of Windows. The Group Policy Editor allows password complexity to be defined on a specific system, and a domain controller can define password policy globally. Windows Home has no way to define password complexity as a policy.
From the command prompt on each computer:
net accounts /MINPWLEN:8
net accounts /MAXPWAGE:60
net accounts /UNIQUEPW:
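One way to audit the resulting policy centrally, as an added example that is not part of the original post (Python rather than the cmd commands above): it parses the output of net accounts, saved per computer like the other logs, and reports which of the rules above a computer still violates. The history count of seven is an assumption derived from the 60-day maximum age, since the /UNIQUEPW line above does not fix a number; English output is assumed.

```python
"""Added example, not from the original post: check `net accounts` output on a
computer against the post's password policy (8 characters minimum, changed
every 60 days, no reuse within a year). English output is assumed."""
import re

# Minimum length and maximum age are the post's numbers. The history count is
# an assumption: with a 60-day maximum age a user changes passwords about six
# times a year, so remembering seven blocks reuse inside that year.
POLICY = {"min_length": 8, "max_age_days": 60, "history": 7}

# Constructed sample: the lines `net accounts` prints on a default workstation.
SAMPLE_DEFAULT = """\
Minimum password age (days):                          0
Maximum password age (days):                          42
Minimum password length:                              0
Length of password history maintained:                None
Computer role:                                        WORKSTATION
"""

FIELDS = {
    "min_length": r"Minimum password length:\s+(\S+)",
    "max_age_days": r"Maximum password age \(days\):\s+(\S+)",
    "history": r"Length of password history maintained:\s+(\S+)",
}


def parse_net_accounts(text):
    """Map the three policy fields to integers; 'None' means 0 and 'Unlimited' None."""
    values = {}
    for key, pattern in FIELDS.items():
        m = re.search(pattern, text)
        if m is None:
            raise ValueError(f"missing field: {key}")
        raw = m.group(1)
        values[key] = 0 if raw == "None" else None if raw == "Unlimited" else int(raw)
    return values


def policy_findings(text, policy=POLICY):
    """Return the rules this computer violates; an empty list means compliant."""
    v = parse_net_accounts(text)
    findings = []
    if v["min_length"] < policy["min_length"]:
        findings.append(f"minimum length {v['min_length']} < {policy['min_length']}")
    if v["max_age_days"] is None or v["max_age_days"] > policy["max_age_days"]:
        findings.append(f"maximum age {v['max_age_days']} > {policy['max_age_days']} days")
    if v["history"] < policy["history"]:
        findings.append(f"history {v['history']} < {policy['history']} passwords")
    return findings
```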
SafeView has a remote password policy audit tool for larger deployments. Contact us at "firstname.lastname@example.org" for access.
Media hardware policy - Microphone and camera must be disabled when not in use for business-approved activity. The camera lens needs to be covered and the microphone physically disconnected. Microphones and cameras are built into most mobile platforms, so users have to participate in disabling these, or it can be done on a schedule using Group Policy settings locally or on the domain controller.
Microphone audit - Download nircmd from http://www.nirsoft.net/utils/nircmd.html. Set this to run with a desktop shortcut, or on a timer.
Camera audit - Visually inspect computers and laptops to make sure that cameras are covered when not in use for business purposes.
Special Windows Applications
We understand that Microsoft is trying to deliver a rich experience to users, and they are providing tools and functionality to enhance the interaction with the computer and operating system. The problem is that these applications may encourage practices and behaviors which put business and personal information at risk. Considering this, Windows 10 has to be filtered for secure business, enterprise and professional use.
Windows Enterprise removes Metro tiles (approximately 30 applications), Windows store, Edge browser and Cortana. Pro and Home users need to look at other options to remove the unwanted applications.
Managing Windows, Easy to Hard
Remove applications - (Metro tiles, Cortana, Edge browser, Windows Store, OneDrive)
Remove updates (telemetry and customer experience improvement program)
Turn off advertising
Manage network communications
Removing applications varies in complexity based on the version of Windows installed.
Metro Tiles (each tile below is tracked and reports use and status to Microsoft)
Film and TV
Mail and Calendar
The Windows Club makes an application available for free. 10AppsManager allows a user to permanently remove a tile, and reinstall later. The application successfully removes the application without having to edit the registry. I suspect that the tile still exists, but a registry flag has been set, since the application allows the tiles to be reinstalled later.
OneDrive (registry edit): Press Win+R and type regedit to open the Registry Editor. Navigate to the System.IsPinnedToNameSpaceTree value and change it. Log off or restart your computer. When you open File Explorer, the OneDrive entry should be gone from the list.
Pro, Ent. and LTSB: (type in “gpedit.msc” in the search box) and go to Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > OneDrive. Then enable the “Prevent the usage of OneDrive for file storage” setting.
Open Command Prompt in Administrator mode: right-click the Windows icon in the taskbar and select Command Prompt (Admin).
Type taskkill /f /im OneDrive.exe to terminate any OneDrive processes and press Enter.
Then type either
%SystemRoot%\System32\OneDriveSetup.exe /uninstall if you are using 32-bit Windows 10, or
%SystemRoot%\SysWOW64\OneDriveSetup.exe /uninstall if you are using 64-bit Windows 10, and press Enter.
Removing Edge browser involves a number of registry edits, well documented at http://news.softpedia.com/news/how-to-remove-microsoft-edge-from-windows-10-491534.shtml.
Note: Make sure you’re using an administrator account.
Step 1: Navigate to this location C:\Windows\SystemApps and look for a folder named Microsoft.MicrosoftEdge_8wekyb3d8bbwe
Step 2: Right-click the oddly-named Edge folder to access its properties.
Step 3: Switch to the Security tab and press the Advanced button (for special permissions or advanced settings).
The first set of info shown refers to Name and Owner. You need to become the owner.
Step 4: Follow the link to Change owner so it’s no longer TrustedInstaller.
Step 5: In the prompt that appears, click the big text field and write down Administrators (plural). Then, press the button next to it to Check Names. Windows automatically detects and suggests the administrator account.
Step 6: Press OK to confirm changes. You’re taken back to the Advanced Security Settings panel.
Step 7: In the first set of info, the one with the Change link, there should now be an option to Replace Owner on Subcontainers and Objects. Make sure it is checked, and press OK.
Step 8: Back in the folder properties panel, press Edit to Change Permissions.
Step 9: Select the Administrators account from the Group or User Names list, and check the Allow box for Full Control. Press Apply and OK to confirm changes, and OK to close the properties panel so that you become the owner.
Important Note: Now that you have complete control over Edge’s location (evil laugh), DON’T go off deleting it, or you risk causing serious system stability issues. What you can do is create a backup of it in case you ever decide to use Edge again, or unexpected consequences occur.
Step 10 (optional): Access the folder’s properties panel again. At the bottom of the General tab, press the Read-only checkbox until it’s marked with a check symbol ✓ and not a square ◼. Press Apply and OK to confirm.
This prevents Windows from accessing and making changes to any files inside the folder, thus rendering Edge unusable.
Step 11: Access the Edge folder and rename the MicrosoftEdge.exe and MicrosoftEdgeCP.exe files, or completely delete them. You can also unpin Edge from the Taskbar.
Note: If you ever consider using Edge in the future, simply rename executable files to something else, so you know how to change them back to make Edge functional again.
Winaero.com has a tool that will make the registry edits for users quickly.
Removing Cortana requires a dozen registry edits performed in serial. Refer to this for details.
Winaero made a tool for this purpose too.
Block auto update, stop communications
Jonas Zimmerman from pXc-coding created DoNotSpy10 for Windows 10 and DoNotSpy78 for Windows 7 and 8.x. The app provides a single interface where users can quickly and easily adjust settings for 37 different features that directly affect security and privacy, instead of combing through a dozen different settings screens in Windows 10. Jonas provided licensed copies of each for the development of this article. The application is supported by ads or donations. Be fair and pay him for his work.
Here’s a full list of the settings DoNotSpy10 can currently configure:
Disable handwriting data disclosure
Disable handwriting Error Reporting
Disable Application Telemetry
Disable Inventory Collector
Disable Steps Recorder
Disable lock screen camera settings
Deactivate and reset Cortana
Disable Web search
Disable Windows Media DRM Internet access
Activate postponing upgrades
Disable app notifications
Disable Password button ads
Stopping and resetting the advertising ID
Disable SmartScreen filter for URLs
Disable sending write information
Disable access to language list
Disable app access to localization
Disable app access to camera
Disable app access to microphone
Disable app access to user accounts info
Disable app access to calendar
Disable app access to messages
Disable app access to wireless connections
Disable app access to Uncoupled devices
Disable prompts Feedback
Disabling Windows Update distribution
Disable Windows Update for other products
Disable WiFi Sense
Disable Windows Defender
Disable automatic Windows Updates
Disable Automatic Driver Updates
Turn off advertising tracking
Turn off everything.
Block all the Internet traffic going back to Microsoft
Fortunately, Spybot Search and Destroy has come up with a tool called "Cut The Line". It is a trusted source for blocking the outbound traffic without spending hours editing files and updating firewall settings.
From their version notes . . .
Added Office 15 (2013) Telemetry immunization (Group Policies & Scheduled Tasks)
Added Office 16 (2016) Telemetry immunization (Group Policies & Scheduled Tasks)
Hosts file block IP default changed from 127.0.0.1 to 0.0.0.0
Added own group policy for hosts file read only flag
Added own group policy for hosts file block IP
Added own group policies for hiding each immunizer
Added OpenSSL libraries to installer
Added OpenSSL credits to About dialog
Added own scheduled task
All supported versions of Windows now affected
Users have shown their disdain for Microsoft's broad interpretation of "personally identifiable information" as telemetry data required to improve the user experience. They have uninstalled Windows 10 in favor of Windows 8.x or 7. As it turns out, unless a user installs XP in place of Windows 10, the same level of data collection is going on for all supported versions of Windows. This monitoring is part of Microsoft's Customer Experience Improvement Program (CEIP) and is designed to "improve the products and features customers use most often and to help solve problems," Microsoft said.
Without an insurmountable amount of effort, it is possible to secure Windows 7, 8.x and 10 in such a way as to use it for professional and enterprise business. Following the tactical steps defined herein, it is possible to create policies, implement tools and audits to verify compliance.
The second part laid out how to plan for using Windows 7, 8.x and 10 platforms for business: we outlined the immediate steps required, and then the things that need to be fixed.
In this part, we reviewed the tactical steps required to protect Windows 7, 8.x and 10 in a way that allows us to continue using them for business without exposing customer, patient and proprietary data. Finally, in the next section, we will discuss how to implement a strategy to manage an operating system as a service.