Windows 10 Privacy Hardening

This covers removing the default trackers and data collection methods included with a default installation of Windows 10 across all versions.

I've been asked by colleagues to write down my process for hardening Windows systems and share it. Many of these people have extensive backgrounds in UNIX, but aren't familiar with Windows environments. This post isn't for any reason other than to make you aware of what you're being mined for. It's important to be aware of the switches and of what's listening in the background at any given time. The distribution tested in this guide is Windows 10 Enterprise build 17134. This OS mirrors Server 2016, so the same concepts can be applied there. I'm gonna cover a couple of different privacy-focused solutions. This is a three-step process no matter how you go about it. I'm also not a native Windows App Store user. Decrapifier will strip out all preinstalled Store apps.

When installing Windows 10, it's important to use a local account in order to keep connections as private as possible. Also make sure to disable all privacy settings when installing the OS, and do not agree to enable Cortana. Upon first logging in you should disable the default Administrator account. This is done by opening Computer Management and checking the user accounts. In addition to this, go to the privacy settings pane and disable things to your liking. You can find it by simply searching from the Start menu.

As you can see, there are quite a few connections that aren't needed. Even with every last "Privacy Setting" disabled this number doesn't change. We'll resolve this by using a couple of the methods listed below. ;)

Next we take a look at "decrapifying" Windows apps and the registry. These are those pesky utilities installed with every fresh install. For this I tend to lean on the following:

I've tested within 1803 and it works just as it always has with 10. It's also very well commented and breaks down each section effectively. This should be run in addition to the following tools.

I took a look at a grip of what's out there for security endpoints and this is the winner by a landslide:

VT Scan:

This is my favorite tool I've come across in the Windows privacy space. And the simplicity of it is over the top.

Out of the box here's what happens:

With this you're obviously cutting out a ton of active traffic. I also want to break down the hosts file so you can take a look at all these amazing trackers:

Each entry routes to from the machine now. This means a dead end for any attempt to collect data through any of the addresses listed above. As you can tell, you are the product just like any other service you choose to use. It's important to hide what you can and not contribute to the problem. I'll be going over Windows domain privacy in the near future.
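To check the results of the steps above (built-in Administrator disabled, fewer background connections, tracker names sinkholed in the hosts file), here is an added audit script; it is not part of the original post or of the tools it mentions. The function names, the CSV file name and the sink addresses 0.0.0.0 and 127.0.0.1 are assumptions made for this example.

```powershell
# Added example: before/after audit for the hardening steps on this page.
# Run on Windows 10 in PowerShell 5.1 or later; function names are hypothetical.

function Get-BuiltinAdministratorState {
    # The built-in Administrator keeps a SID ending in -500 even when renamed.
    Get-LocalUser | Where-Object { $_.SID.Value -match '-500$' } |
        Select-Object Name, Enabled
}

function Get-OutboundConnectionSummary {
    # Established TCP connections to non-loopback peers, grouped by owning process.
    $conns = Get-NetTCPConnection -State Established |
        Where-Object { $_.RemoteAddress -notin '127.0.0.1', '::1' }
    $conns | Group-Object OwningProcess | ForEach-Object {
        $proc = Get-Process -Id $_.Name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Process     = if ($proc) { $proc.ProcessName } else { "pid $($_.Name)" }
            Connections = $_.Count
            Remotes     = ($_.Group.RemoteAddress | Sort-Object -Unique) -join ', '
        }
    } | Sort-Object Connections -Descending
}

function Get-HostsSinkEntries {
    param(
        [string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts",
        # Assumption: addresses used as the dead end; adjust to match your hosts file.
        [string[]]$SinkAddresses = @('0.0.0.0', '127.0.0.1')
    )
    foreach ($line in Get-Content -Path $Path) {
        $text = ($line -split '#', 2)[0].Trim()   # drop trailing comments
        if (-not $text) { continue }
        $fields = $text -split '\s+'
        if ($fields.Count -lt 2 -or $fields[0] -notin $SinkAddresses) { continue }
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            if ($name -ne 'localhost') {
                [pscustomobject]@{ Address = $fields[0]; HostName = $name }
            }
        }
    }
}

# Take one snapshot before hardening and one after, then compare the CSV files.
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$summary = Get-OutboundConnectionSummary
Get-BuiltinAdministratorState | Format-Table -AutoSize
$summary | Format-Table -AutoSize
$summary | Export-Csv -Path ".\connections-$stamp.csv" -NoTypeInformation
"Sinkholed hosts entries: $(@(Get-HostsSinkEntries).Count)"
```

Run it once on the fresh install and again after the tools have been applied; the second CSV should list fewer processes and remote addresses, and the sinkholed entry count should be non-zero.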