
Sep 07

Fixing Windows 10: Security, Privacy, Usability.

As part of my career, I have to keep up to date on these things, even if that means using a new unproven operating system. Also, some of us have to use Windows for certain software and games, like I do. I can only hope more and more developer studios start supporting Linux.

There are a lot of scare articles out there about Windows 10. It really depends on how big of a tin foil hat you want to wear. Yes, we don’t know exactly what data is being sent to Microsoft. No, we definitely should never trust Microsoft. Yes, we can do some basic things to tame the data transfer a little. What it boils down to is what your habits are. There are a lot of very simple things that have been known forever that can go a long way in protecting yourself. Things like using multiple strong passwords, protecting your information with encryption or off site storage (like on a NAS instead of locally), keeping your browsing history and cookies cleared, and other such basic security browsing habits.

Anyway, Windows 10 does have some problems out of the box. Apparently Microsoft thinks that everyone has a ton of bandwidth to share and nobody cares much about privacy or security at all. So here is a collection of things that I have found to really help make Windows 10 a little bit better. However, if you can stick with Windows 7 or 8.1, just do that for now. If you have upgraded, read on.

Before you get started thinking about what to enable or disable, take a second to understand exactly what kind of information there is to collect. If you search, everything you search is collected. If you ask for directions, that is collected. Is that a good thing or bad? That’s up to you. Do you care that the world knows your hobbies? Or do you care that everyone knows your porn tastes? Remember though, if you already do this in Google, that information is already out there. Think of these features you use as public information. That perhaps is what is the most alienating to people, other than everything being opt-out instead of opt-in. The idea that everything you do now is public. This is why we really have to get into better habits, and decide what is OK to share. Another important thing to keep in mind is that if the product is free, YOU are the product. Your tastes, your browsing habits, your searches are all up for grabs for advertising. This is true for Google, Facebook, and anything else that’s free.

See: Why You Should Care About and Defend Your Privacy

 

Some of this will turn off features you might want to use. If you’re OK with Cortana getting to know you really well, then go for it. Just remember that these are the settings that were changed. Yes, this “disables” Cortana (but not completely, Cortana still runs to enable Start menu searching). Yes, this disables apps knowing where you are. Start as secure as possible, and just keep in mind what information you are freely giving out to a corporation that couldn’t possibly care less about you and your safety, privacy, and security.

Most of this is written with Windows 10 Home edition in mind. Enterprise and Pro might vary.

Note: A lot of this could just be false security. There is nothing to say that changing the random sliders to no will actually turn off the feature. There are also rumblings that some applications now ignore the hosts file, so one of my suggestions below could be useless. Unfortunately it’s not easy to tell what does and doesn’t work, as all communications to Microsoft are encrypted from your machine. At least we have our personal information securely flowing from our machines.

 My security mantra: Disable everything, re-enable as needed.

 

First, fix the bandwidth sharing problem. Change Windows Updates:

Windows 10, by default, for some unfathomable reason thinks that you should help out the good of everyone by sharing your bandwidth to help distribute Windows updates. I won’t even go into the security implications of this since that could be an entire scary article on its own. The biggest up front problem with this of course is that Windows doesn’t have a clue that you are probably either on a very bad connection or a metered connection (until you tell it). As most of us here in the U.S. are about 20 years behind the rest of the world in bandwidth connections, this is pretty surprising. Then again I guess every Microsoft employee can afford a very expensive high speed connection. The rest of us however, can’t.

Anyway, the VERY first thing to do is disable this “feature” and get your bandwidth back:

  1. Go to Start
  2. Click Settings
  3. Click Update & Security
  4. Click Windows Update on the left column if not there already
  5. Click “Advanced options” on the right
  6. Click “Choose how updates are delivered”
  7. Now, either turn this off completely (recommended), or select “PCs on my local network”. I don’t have any other Windows 10 machines on my network, so I turned it off completely.
  8. Go back to the main Settings panel
  9. Click System
  10. Click Offline maps on the left
  11. Turn off Map updates.

While I was installing Windows 10, I was playing a Youtube video on my laptop. As soon as Windows 10 was up and running the video started buffering wildly. As soon as this feature was disabled, the video started playing perfectly normally again.

 

Second, figure out how much privacy you want:

It disturbs me that more people aren’t up in arms about all this constant draining of anything that’s yours and personal. Sure, this OS version was free, but as far as I know, we never asked for it. We should never be guilted into sharing our data so they can customize ads for us or turn over all the data possible to the government and highest bidder. Anyway, that’s yet another full article to write. The summary of the below section is to turn it all off unless you want a specific feature. Otherwise, below describes what each setting does.

  1. Go to Start.
  2. Click Settings.
  3. Click Privacy.
    1. General
      1. Let apps use my advertising ID for experiences…
        1. This lets apps share your advertising profile, so that ads can be customized more to what you do in each app. I turned this off, because I don’t want to see ads period.
      2. Turn on SmartScreen Filter…
        1. This uses the same SmartScreen filter that is used to check that URLs aren’t going to bad sites, but for Windows Store apps. I left this on.
      3. Send Microsoft info about how I write to help us…
        1. This directly tells Microsoft how you write and type. What exactly this means is unknown. The implications of this are also unknown. If this isn’t grayed out, I recommend setting this to off.
      4. Let websites provide locally relevant content by accessing my language list
        1. This is probably more for other languages than English so that websites can provide ads in your language. I use English, so I just left it off.
    2. Location
      1. The first button changes location capabilities for the OS. This means apps know basically where you are physically. This sounds scary, but the truth is your public IP address (the one you use to connect to the internet) already tells the world where you are. There is nothing you can really do about that, outside of fooling the OS into thinking you are somewhere else by using a VPN or proxy. Keep in mind though, this can and usually does significantly slow down the internet for you. This button is for the entire OS. If you turned that on, each user can still turn it off for themselves in the next option below.
        1. As described above, this turns location sharing for apps on and off, but as the per-user setting. This may be disabled if it is turned off for the whole machine.
      2. Location History
        1. Simply clears out where your device has been. Microsoft does store locations for a period of time, but it is unknown how long. This is less important on desktops.
    3. Camera
      1. Let apps use my camera
        1. This does just that, let apps use your camera. This only affects apps from the Windows store. Apps that it affects are listed below. If you turn this off, they won’t be able to use it. This does not affect third party applications. I even have Microsoft’s Skype for Desktop installed, and it doesn’t depend on these settings. Since I don’t plan on ever using camera related store apps, I have this turned off.
        2. Choose apps that can use your camera
          1. If you turn on the setting above, you can fine tune which apps have access. Turn them on or off as necessary. These will be grayed out if the above option is off.
    4. Microphone
      1. Let apps use my microphone
        1. This is basically the same as the camera settings above. It only affects Microsoft store apps and not other installed applications. The apps it can affect are listed below. This simply allows or denies apps usage of your microphone. Since I don’t ever plan on using microphone related store apps, I have this turned off.
      2. Choose apps that can use your microphone
        1. If you turn on the setting above, you can fine tune which apps have access. Turn them on or off as necessary. These will be grayed out if the above option is off.
    5. Speech, inking, & typing
      1. This is probably the most concerning setting. It is pretty vague about exactly what it is sending to Microsoft. This is also potentially the setting that will collect the most information out of them all. Be aware that this must be enabled for Cortana to work. According to what I have read from Microsoft, this is not sent to Microsoft unless you have the “Send Microsoft info about how I write…” option turned on in the General settings. This option is grayed out for me. I do not know if that is because I am using a local account or not. I personally am on the fence on this one. In reality, there is nothing I would be searching for that I would care about being public information. Never type passwords in the search of course. If you want to play with Cortana, enable it, otherwise, disable it for now and see how things go for you.
    6. Account Info
      1. Let apps access my name, picture, and other account info
        1. This setting just shares your name, picture, and other account information with other Microsoft Store apps. This setting seems harmless, except the “other account information”, which is too vague. It most likely is just other stuff that you have already told Microsoft about such as your e-mail address. If this is on, make sure you are downloading apps that you can trust (which you should be doing anyway). I left this off.
      2. Choose the apps that can access your account info
        1. If you turn on the setting above, you can fine tune which apps have access. Turn them on or off as necessary. These will be grayed out if the above option is off.
    7. Contacts
      1. Similar to the above, but interestingly it doesn’t have an “overall” turn on/off option, it’s per app only. I turned all of the app access off, but this may not matter if you don’t store your contact information with Microsoft.
    8. Calendar
      1. Let apps access my calendar
        1. If you use Microsoft’s calendaring service, then you may want this on. If you don’t use their calendar, set to off.
      2. Choose apps that can access calendar
        1. If you turn on the setting above, you can fine tune which apps have access. Turn them on or off as necessary. These will be grayed out if the above option is off.
    9. Messaging
      1. Let apps read or send messages (text or MMS)
        1. If you want other Microsoft store apps to read or send messages, then turn this on. I’m not entirely sure how this integrates with your phone/phone service. I have this turned off as I keep my phone stuff separate.
      2. Choose apps that can read or send messages
        1. If you turn on the setting above, you can fine tune which apps have access. Turn them on or off as necessary. These will be grayed out if the above option is off. Be especially cautious of this setting as it could result in extra charges from your cell phone company.
    10. Radios
      1. Let apps control radios
        1. This lets Microsoft store apps control any radios that you might have connected to your machine, like Bluetooth. I recommend leaving this setting off for now and only turn it on if you want a store app to do this.
      2. Choose apps that can control radios
        1. If you turn on the setting above, you can fine tune which apps have access. Turn them on or off as necessary.
    11. Other devices
      1. Let your apps automatically share and sync info with wireless…
        1. Leave this setting off unless you have such devices that need to sync with your machine. Some TV’s, projectors, etc can make use of this. Remember this setting as you may need to come back later to it. Make sure you are trusting the device you are connecting to.
      2. Other devices
        1. If you turn on the setting above, you can fine tune which device has access.
    12. Feedback & diagnostics
      1. Feedback frequency
        1. I recommend setting this to “Never”. I’m not sure what Microsoft would do with millions of feedback pieces daily, but it is just going to be an annoyance for the average person anyway.
      2. Diagnostic and usage data
        1. This is the scariest setting in the bunch. In Windows 10 Home, you cannot disable this completely. Change it to Basic. This is probably my biggest gripe of these settings overall. I should be able to turn this completely off if I want to. If you are using other editions of Windows 10, there might be a Never option available. “Usage” data is way too vague. NEVER use full mode. Even in their FAQ as linked in that window admits that they receive memory snapshots, which means whatever text you have up on your screen is transmitted, even potentially passwords.
    13. Background apps
      1. This chooses which of the listed apps run in the background. This is useful if you use it for alarms or calendar (Microsoft’s calendar) reminders. I recommend just turning everything off for now, and then turning back on individual ones as necessary for the functionality you want. This isn’t necessarily for security, but more for resource usage.

 

Third, turn off OneDrive:

Only do this if you don’t want to ever use OneDrive, which I recommend. I’m still personally 100% against storing your personal data on “the cloud”. Please realize that this “cloud” thing is really just someone else’s server with a fancy marketing name on it. On the flip side of things however, OneDrive could be useful for sharing information to the public. Just be diligent and learn how it works.

In Windows 10, OneDrive is shoved in your face and then down your throat. It automatically runs, it sits in the tray, and is in Explorer with no options to remove it.

First, uninstall OneDrive:

  1. Click Start and type “cmd” (without the quotes).
  2. Right click on “Command Prompt” and click “Run as administrator”
  3. For some insane reason you can’t right click in the command prompt window anymore, but simply right clicking will automatically paste what’s in the clipboard.
  4. Run: taskkill /f /im OneDrive.exe
  5. Then run:
    1. "%SystemRoot%\SysWOW64\OneDriveSetup.exe" /uninstall or
    2. "%SystemRoot%\System32\OneDriveSetup.exe" /uninstall if 32-bit.

Next, change the next 2 registry settings:

  1. Click start, type in “regedit” without the quotes, right click what matches under Best match and click “Run as administrator”. It should have an icon with a bunch of cubes in a cube with a couple flying off.
  2. Go to the following paths and change the value System.IsPinnedToNameSpaceTree to “0” in each by double clicking on it and replacing the one with a zero.
    1. HKEY_CLASSES_ROOT\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\
    2. HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\

Finally, delete a couple left over folders (copy and paste the % variables into Windows Explorer):

  • %LOCALAPPDATA%\Microsoft\OneDrive
  • %PROGRAMDATA%\Microsoft OneDrive

 

Fourth, CHANGE YOUR HABITS!

This is probably the most important of all. You have to stop letting everything happen and start thinking securely. This includes clearing browsing history and cookies on close. Don’t worry, there are things like KeePass and LastPass (yes, I know, personal information on the cloud, but better than nothing) to save your passwords and automatically log you in. Set Firefox to always use Private mode, or at least go through and change settings to delete as much as you can stand when you close the browser. It’s not that bad, you will get used to browsing more safely.

There are other things you can do, such as not storing your documents on your local computer. All of my stuff is on a NAS. You can also look at using TrueCrypt to keep your documents encrypted. What’s nice about the program is that you can mount your encrypted files as a drive, so it’s unencrypted when you need them simply by drive access. You can still download the program here: GRC.

Be really careful and diligent about what you store “in the cloud” (is anyone sick of this cloud crap yet?). While the cloud service companies do have security in their interest, they aren’t some magical internet safe that can’t get hacked. Even Amazon’s EC2 cloud has been hacked before. Don’t store information that identifies you, passwords, usernames, etc. in the cloud unencrypted, or preferably at all.

 

Fifth, don’t use an administrator account!

It’s so important, I made it a bigger bolder heading. Now is the time to convert your normal account to a user account, and make a new administrator account. By default, Windows sets you up as administrator. Convenient, but VERY insecure. This is a holdout since the early Windows days, when Microsoft was completely clueless about multi-user systems and anything about security. This problem exists to this day.  As Windows software programmers got used to this and got incredibly lazy about it, it has come to be expected that you are administrator. You should always question applications that need administrative access to your system.

Be aware, this DOES greatly affect how you use Windows. Now whenever there is a system change, it will prompt you for the administrator account credentials. This is a GOOD thing. This way, nothing can normally modify the system unless YOU let it. This means you should be double checking and asking WHY it needs administrator rights.

  1. Go to start, type run. Click the “Run” item that shows up (If you have Windows 10 Pro or Enterprise, navigate to Computer Management Users area instead of below).
  2. Type “control userpasswords2” (Yes, this is seriously and laughably the ONLY way to create new local accounts in Windows 10 Home).
  3. Click “Add”.
  4. Click “Sign in without a Microsoft account (not recommended)”.
  5. Click “Local account”.
  6. Type in the user name that the Administrator account will be. Don’t use the word “Administrator” though.
  7. Type in a GOOD longer password. You can even use a pass phrase. REMEMBER THIS PASSWORD! You will need it from here on out a LOT.
  8. Type in a password hint. Make it as vague as possible, or just the letter “a” or something. That’s another baffling thing, the requirement to make guessing your password easier by providing a plain text hint. Smart.
  9. Click Next, then Finish.
  10. The newly created account will be part of the Users group, no system rights. Highlight the account created and click “Properties”.
  11. Click the “Group Membership” tab.
  12. Select “Administrator”.
  13. Click “Ok”.
  14. Now select your normal user account, do the same thing, except select “Users”.
  15. Click “Ok” again to close everything out. It will ask you if you want to log out to apply the new settings. You don’t have to do this right away, but do it soon.
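To confirm the change took effect after you log back in, the following added example (not part of the original post) lists the members of the local Administrators group and warns if the account you are signed in with is still one of them. It assumes local accounts only, as on Windows 10 Home; the function name is chosen for illustration.

```powershell
# Added example, not from the original post.
# Assumption: local accounts only; members of nested or domain groups are not expanded.

function Get-LocalGroupMemberName {
    param([string]$Sid)
    # Look the group up by its well-known SID so this also works on
    # non-English installs where the group name is localized.
    $sidObject = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    $account   = $sidObject.Translate([System.Security.Principal.NTAccount]).Value
    $groupName = $account.Split('\')[-1]

    # The WinNT ADSI provider is present on every Windows 10 edition.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$groupName,group"
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

$admins = @(Get-LocalGroupMemberName -Sid 'S-1-5-32-544')   # BUILTIN\Administrators
$me     = $env:USERNAME
$isAdmin = $admins -contains $me

[pscustomobject]@{
    CurrentUser           = $me
    CurrentUserIsAdmin    = $isAdmin
    AdministratorsMembers = $admins -join ', '
}

if ($isAdmin) {
    Write-Warning "$me is still a member of Administrators. Repeat the Group Membership step and log out."
} elseif ($admins.Count -eq 0) {
    Write-Warning 'No Administrators members were found; do not log out until a working admin account exists.'
}
```

The built-in Administrator account normally appears in the list as well, even when it is disabled.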

 

Advanced

From here on down, the tin foil hat gets really big. Honestly, until we find out more about what is going on, you are perfectly fine stopping here. If you are really paranoid though, you can keep going.

 

Add Microsoft related hosts to your hosts file:

This is going to be the best defense against the CONSTANT communication to Microsoft’s mother ship servers. The communications are encrypted, which is a good thing if you look at it that way. The other way that I look at it is that means we have NO IDEA what sort of information is being pumped over to Microsoft. Go ahead, load up Wireshark and run it on your Windows 10 box, MOST of the packets going out are going to Microsoft servers (and Akamai, which is a service Microsoft uses). This does not disable Windows Update communications.

First, run Notepad as administrator:

  1. Click Start, type in: Notepad.
  2. Right click on the “Notepad” that shows up and click “Run as administrator”
  3. Go to File, Open.
  4. Navigate to: c:\windows\system32\drivers\etc\.
  5. Change the file filter from “Text Documents (*.txt)” on the bottom right to “All Files”
  6. Double click or open “hosts” that shows up.
  7. At the bottom, copy and paste the following in:

Save and quit Notepad.

Huge thanks to “Byte My Bits” on YouTube for pointing me to most of these entries, and this thread for more.

Keep in mind, this will disable a LOT of services, like Cortana and OneDrive. It’s a tradeoff: do you want security, or fancy features that you don’t really need? You can go through and comment entries out if you want certain services to work, but you will have to Google for what you need.
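Since the note near the top of this post warns that hosts entries may be ignored, here is an added example (not part of the original post) that parses the hosts file and asks the Windows resolver for each blocked name to see whether the entry is actually honored. It assumes blocking entries point at 0.0.0.0, 127.0.0.1 or ::1; function names are chosen for illustration.

```powershell
# Added example, not from the original post.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$sinkholes = '0.0.0.0', '127.0.0.1', '::1'   # assumption: addresses used for blocking

# Turn hosts-file lines into (Address, HostName) pairs, ignoring comments,
# blank lines, and lines without a host name. One line may list several names.
function Get-HostsEntry {
    param([string[]]$Line)
    foreach ($l in $Line) {
        $text = ($l -split '#', 2)[0].Trim()
        if (-not $text) { continue }
        $fields = @($text -split '\s+')
        if ($fields.Count -lt 2) { continue }
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            [pscustomobject]@{ Address = $fields[0]; HostName = $name.ToLowerInvariant() }
        }
    }
}

# Resolve the name the way ordinary applications do and classify the answer.
function Test-HostsEntry {
    param($Entry)
    try {
        $resolved = @([System.Net.Dns]::GetHostAddresses($Entry.HostName) |
            ForEach-Object { $_.IPAddressToString })
    } catch {
        $resolved = @()                      # resolution failed outright
    }
    $leaks = @($resolved | Where-Object { $sinkholes -notcontains $_ })
    if ($resolved.Count -eq 0) {
        $status = 'NoAnswer'                 # name does not resolve at all
    } elseif ($leaks.Count -eq 0) {
        $status = 'Sinkholed'                # hosts entry is being honored
    } else {
        $status = 'NotHonored'               # a real address came back anyway
    }
    [pscustomobject]@{
        HostName     = $Entry.HostName
        HostsAddress = $Entry.Address
        Resolved     = $resolved -join ', '
        Status       = $status
    }
}

Get-HostsEntry -Line (Get-Content -LiteralPath $hostsPath) |
    Where-Object { $sinkholes -contains $_.Address -and $_.HostName -ne 'localhost' } |
    ForEach-Object { Test-HostsEntry -Entry $_ } |
    Sort-Object Status, HostName |
    Format-Table -AutoSize
```

This only tests the operating system's resolver; software that does its own DNS lookups or connects to fixed IP addresses never consults the hosts file, so a packet capture is still the final check.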

 

Delete a couple services:

Run a command prompt as Administrator:

Click Start, type CMD, and right click the result and click “Run as administrator”, then type the following in:

These are part of the diagnostics that are sent to Microsoft.

 

Disable WiFi Sense:

WiFi Sense is another of the many controversial topics of Windows 10. It automatically shares your WiFi network key to your friends. When looking at it, it might actually be more secure than giving out your password which may be then given out again to their friends. This way they never see the password. I personally don’t have friends over that I don’t trust (does anyone?), so I disabled this.

Alternatively, just disable WiFi Sense:

  1. Click start, type in “regedit” without the quotes, right click what matches under Best match and click “Run as administrator”. It should have an icon with a bunch of cubes in a cube with a couple flying off.
  2. Navigate to: HKEY_LOCAL_MACHINE\Software\Microsoft\WcmSvc\wifinetworkmanager
  3. Right click on the right pane of that key, and go to New, DWORD (32-bit value). It will create a new line, type “WiFiSenseCredShared” (without the quotes) and press enter or click in the empty space of the window to set the name. Repeat this step again but type “WiFiSenseOpen”. You should now have 2 new REG_DWORD entries that say 0x00000000 (0).
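The registry edits in the OneDrive section and in the WiFi Sense steps above can be checked together. This added example (not part of the original post) reports the current state of each value and, when run elevated with -Apply, sets it to 0. Key paths and value names are the ones given in this post; the script layout and the -Apply switch are illustrative choices.

```powershell
# Added example, not from the original post. Save as a .ps1 file and run it
# from PowerShell; add -Apply (elevated prompt) to write the changes.
param([switch]$Apply)

$clsid = '{018D5C66-4533-4307-9B53-224DE2ED1FE6}'   # OneDrive CLSID from this post
$wifi  = 'Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\WcmSvc\wifinetworkmanager'

# Every value on this page is set to 0. Create = $true means the post has you
# add the value when it is missing; otherwise only an existing value is changed.
$settings = @(
    @{ Key = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid";             Name = 'System.IsPinnedToNameSpaceTree'; Create = $false }
    @{ Key = "Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID\$clsid"; Name = 'System.IsPinnedToNameSpaceTree'; Create = $false }
    @{ Key = $wifi; Name = 'WiFiSenseCredShared'; Create = $true }
    @{ Key = $wifi; Name = 'WiFiSenseOpen';       Create = $true }
)

function Test-Elevated {
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($id)
    $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

if ($Apply -and -not (Test-Elevated)) {
    throw 'Run from an elevated PowerShell prompt to use -Apply.'
}

foreach ($s in $settings) {
    $state   = 'KeyMissing'      # e.g. the Wow6432Node path on a 32-bit install
    $current = $null
    if (Test-Path -LiteralPath $s.Key) {
        $current = (Get-Item -LiteralPath $s.Key).GetValue($s.Name, $null)
        if ($null -eq $current) {
            $state = 'ValueMissing'
        } elseif ($current -eq 0) {
            $state = 'OK'
        } else {
            $state = 'Drift'     # value exists but is not 0
        }

        $shouldWrite = ($state -eq 'Drift') -or ($state -eq 'ValueMissing' -and $s.Create)
        if ($Apply -and $shouldWrite) {
            New-ItemProperty -LiteralPath $s.Key -Name $s.Name -PropertyType DWord `
                -Value 0 -Force -ErrorAction Stop | Out-Null
            $state = 'Fixed'
        }
    }
    [pscustomobject]@{
        Key     = $s.Key -replace '^Registry::', ''
        Name    = $s.Name
        Current = $current
        State   = $state
    }
}
```

Running it without -Apply after a Windows update is a quick way to see whether any of these values have been reset.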

 

Start playing with and getting to know Linux

Yes, I’m dead serious about this. It’s time to let vendors know that we want choices and alternatives. Linux has come an exceedingly long way in usability, and I HIGHLY recommend starting with Linux Mint. Linux is inherently more secure, as it was designed to be a secure multi-user system from the beginning. It also has no reason to phone home to the mothership at all. I also recommend doing this in a VirtualBox Virtual Machine first, before wiping Windows. See what works for you and what doesn’t. At some point, you can do the reverse: use Linux as your main OS and run Windows as a virtual machine. That will be infinitely better. I am a fan of the Cinnamon release version, but all of their releases are fantastic. They use Ubuntu in the back end, which means most, if not all Ubuntu fixes/support work the same in Mint. This is a very good thing as that means there is a massive community out there to help. When was the last time Microsoft Support was actually useful?

 

Keep an eye on this post. I plan to add more in the future!
