Windows 10 & GPO - Hardening against personal data leak

Since the release of the Windows 10 operating system, many questions about user privacy have been raised. Indeed, even if our data were already collected before, Microsoft has opened their communication on the data collection with Windows 10. It allows mani people to open their eyes and become aware of things happenin.

However, it is possible through various small manipulations and configurations to limit the personal data leak that are collected by Microsoft. This can be done through Group Policy Objects and we will discover them in this post. I will give you some examples so that you can have an idea of how they are used. I would like to take this opportunity to say a word about the ANSSI (French National Agency for System Security) which regularly publishes guides to good practice on digital good pratices. Configurations showed in this article are taken from their guide “Concerns about privacy and data confidentiality in Windows 10” and have been compiled by @Gouzou, many thanks for his help!

[Preliminary Note 1] This article will be updated (more or less) regularly to add or remove some interesting parameters.

[Preliminary Note 2] GPO management is only possible with a Pro, Enterprise or Integral version of Windows 7, 8.1 or 10. However, it seems possible to install the editor on more traditional versions (Home). I never tested it, so I just can’t tell if it’s true or not.

GPO (Group Policy Objects)

What the hell is that ?

Group Policy Objects (GPOs) are centralized management functions for Windows. They are used in company networks, composed of many computers. By using them, you can easily deploy parameters throughout the fleet or configure some network and security parameters, etc. There are several hundred of GPOs, making it possible to administer a large number of things.

Even if this system is mainly used in company networks, there is a local version on every computers, allowing each administrator to define parameters for his machine, we talk of local policies.

Inside a company, it is possible to set up both local policies (for your PC only) and group policies (for the entire IT infrastructure). However, parameters are in conflict, the group policy will take priority and be applied, intead of local Setting s.

In case of a personal computer, no worries . I won’t go deeper on GPOs because it could quickly become complex and the goal is not to go in depth.

How does it work ?

In practice, all GPOs are managed in the same place, in the group policy editor. A significant number of parameters are available and to choose one value when we have the choice. For example, it is possible to activate or deactivate this account for the parameter “Accounts : Guest account status” . Below is a screenshot illustrating what the editor looks like.

gpo_1.PNG

Inside a company’s IT system, group policies are managed in the Active Directory domain controllers. These are the servers used to rule the infrastructure.

What about my computer ?

As mentioned above, there is a local version of the policy editor. We are talking here about the local strategy editor. It looks exactly like the GPO editor on Windows servers, but the Setting s you set are only applied to your computer. Pretty nice when you just want to protect your PC !

In order to find the editor, two ways:

  • Use the Windows search bar and type “Group Policy” or “Group Strategies”. It is necessary to run the program as an administrator (right click on it and then “run as administrator”);
  • Use the Windows application to launch a program. To do this, use the “Windows” keys (the key with the Windows icon) + “R” then enter “gpedit.msc”.

gpo_2.PNG

When done, you end up with the same editor. And we can start searching :).

gpo_3.PNG

Application Case - GPO Configuration

In accordance with ANSSI documents and the parameters that @Gouzou has extracted from their documents, there are several categories of parameters that are interesting to look at for personal protection purposes. You should note, however, that everything shouldn’t be taken as done. Indeed, recommendations presented here can guide you in the configuration of your system but it is up to you to define what you want to protect. I strongly encourage you to read the description of each parameter to find out what it is about.

Path explanations

During the post, each parameter will be accessible via a “path”. For example:

Local Computer Policy/Computer configuration/Administrative Templates/Windows Components/Data Collection and Preview Builds

It corresponds to the different categories and sub-categories you can see in the editor.

gpo_4.PNG

Once you have reached a parameter, simply click on it and then choose whether to enable it, disable it and add any options.

Telemetry, Search and Integrated Tools

Local Computer Policy/Computer configuration/Administrative Templates/Windows Components/Data Collection and Preview Builds
Setting State Options
Allow telemetry Enabled 0 (Disabled) ou 1 (Basic)
Do not show feedback notifications Disabled -
Toggle user control over Insider Build Disabled -

Local Computer Policy/Computer configuration/Administrative Templates/Windows Components/Windows Defender Antivirus/MAPS
Setting State Options
Configure local Setting override … MAPS Disabled 0 (Disabled) ou 1 (Basic)
Send file samples whe further analysis is required Disabled -
Join Microsoft MAPS Disabled -

Local Computer Policy/Computer configuration/Administrative Templates/Windows Components/Search
Setting State Options
Allow Cortana Disabled -
Allow Cortana above lockscreen Disabled -
Allow indexing of encrypted files Disabled -
Do not allow web search Enabled -
Set what information is shared in Search Enabled Anonymous infos
Don’t search the web or display web results in Search Enabled -
Allow Cloud Search Disabled -
Allow Cortana Page in OOBE on an AAD account Disabled -

User Experience

Local Computer Policy/Computer configuration/Administrative Templates/Windows Components/Location and Sensors
Setting State Options
Turn off location Disabled -

Local Computer Policy/Computer configuration/Administrative Templates/Windows Components/Windows Error reporting
Setting State Options
Disable Windows error reporting Enabled -
Automatically send memory dumps for OS-generated error reports Disabled -
Do not send additional data Enable -

Local Computer Policy/Computer configuration/Administrative Templates/Control Panel/Regional and Language Options
Setting State Options
Allow input personalization Disabled -

Local Computer Policy/Computer configuration/Administrative Templates/Control Panel/Regional and Language Options/Handwriting personalization
Setting State Options
Turn off automatic learning Enabled -

Local Computer Policy/Computer configuration/Administrative Templates/System/Internet Communication Management/Internet Communication Setting  s
Setting State Options
Turn off Help and Support Center “Did you know ?” content Enabled -
Turn off handwriting personalization data sharing Enabled -
Turn off Windows Customer Experience Improvement Program Enabled -
Turn off hanwriting recognition error reporting Enabled -
Turn off access to the Store Enabled -
Turn off Windows Error reporting Enabled -

Local Computer Policy/Computer configuration/Administrative Templates/Windows Components/Cloud Content
Setting State Options
Turn off Microsoft consumer experiences Enabled -
Do not Windows tips Enabled -

Universal Apps

Local Computer Policy/Computer configuration/Administrative Templates/Windows Components/App Privacy
Setting State Options
Let Windows apps access […all…] Enabled Ne jamais autoriser

Local Computer Policy/Computer configuration/Administrative Templates/Windows Components/Store
Setting State Options
Only display the private store within the Windows Store App Enabled -
Turn off the Store application Enabled -
Disable all apps from Windows Store Enabled -

Local Computer Policy/Computer configuration/Administrative Templates/Windows Components/System/User Profiles
Setting State Options
Turn off advertising ID Enabled -
Do not log users with temporary profiles Enabled -

Local Computer Policy/Computer configuration/Windows Setting  s/Security Setting  s/Local Policies/Security Options
Setting State Options
Accounts : Block Microsoft accounts Enabled Users can’t add or log on with Microsoft Accounts

Local Computer Policy/Computer configuration/Administrative Templates/Windows Components/OneDrive
Setting State Options
Prevent the usage of OneDrive for files storage Enabled -

Local Computer Policy/Computer configuration/Administrative Templates/Windows Components/Text Input
Setting State Options
Improve inking and typing recognition Disabled -

Local Computer Policy/Computer configuration/Administrative Templates/Windows Components/Windows Defender Application Guard
Setting State Options
Turn on Windows Defender Application Guard in Enterprise Enabled -

Local Computer Policy/Computer configuration/Administrative Templates/Windows Components/Push To Install
Setting State Options
Turn off Push to Install service Enabled -

Local Computer Policy/Computer configuration/Administrative Templates/System/OS Policies
Setting State Options
Allow publishing of User Activities Disabled -
Allow upload of User Activities Disabled -
Enable activity feeds Disabled -

Local Computer Policy/Computer configuration/Administrative Templates/Windows Components/Windows Game Recordings and Broadcasting
Setting State Options
Enables or disables Windows Game Recordings and Broadcasting Disabled -

Bonus - Set hard times for pre-installed Microsoft Apps

You probably already had to deal with it, when you buy a new computer, many applications are installed by default. Even if some of them are useful, you’ll likely want to delete some of them. However, Windows doesn’t let us do it so easily! Indeed, the “uninstall” option is not available….

But it is still possible to delete some of them ! Unfortunately, it will not be possible to uninstall them all (Cortana, for example). Once again, it is up to you to judge what you’ll need or not :).

The next few lines may scare the least technicals among you. Nevertheless, don’t panic, don’t leave at the slightest line of code, everything is explained !

We’ll start by opening a Powershell interpreter. Roughly speaking, it is a terminal in which we can enter commands. Look for the “Powershell” program and launch it as administrator (right click > Run as administrator). A blue terminal, like this one, should appear.

gpo_5.PNG

Thereafter, 3 commands will be necessary.

First, we will list the installed applications. This is done using the following command. It will list applications and display a lot of information about them.

Get-AppxPackage

For readability reasons, we likely would list applications and display only their full name. This can be done with the command below.

Get-AppxPackage | Select Name, PackageFullName

Then, simply tell the computer to get an application and a second “Remove-AppxPackage” command is added to tell it to delete the application.

Get-AppxPackage -allusers *3dbuilder* | Remove-AppxPackage

Command description :

  • GetAppxPackage = List of installed applications ;
  • -allusers = Indicates that the command will cover all computer users;
  • *zunevideo* = Name of the application. We use two “*” to indicate that we are simply looking for the expression between the two symbols in the result of the list, in order to select the right application. In our case, we will uninstall all applications containing “zunevideo” in their name;
  • | = Allows to link the first command to a second one;
  • Remove-AppxPackage = Indicates that you want to delete the selected application.

Using that, you can delete many applications. I invite you to consult this link for more information and a list of applications that can be deleted.

Conclusion

In conclusion of this post, I would like to remind you that many things are possible in order to personalize your computer and limit information leaks, but that you do not necessarily have to take everything like that. Indeed, more than implementing recommendations (even those in this article), it is important to be informed, aware and to try to understand at least the overall behavior. Each person or company has different security and privacy needs, leaving a multitude of possible configurations. It’s up to you to find the right one!

As always, if you have any questions, feel free to contact me by e-mail or via Twitter ! ;)

Web containers - Stop data sharing between websites