Blocking Windows 10 spying/telemetry.

**Mayahana** · 08-25-2015, 05:48 PM

After lab analysis for a few days, I believe I have a definitive list of what to block in Web Filter relating to the ridiculous amount of telemetry MS is gathering with Windows 10. We've found that basically Windows 10 is a keylogger in some cases, and even sends camera/microphone data in 40Mb bundles!

Anyway, enter this into your customer block list, and you are good to go.

choice.microsoft.com
choice.microsoft.com.nstac.net
cs1.wpc.v0cdn.net
df.telemetry.microsoft.com
i1.services.social.microsoft.com
i1.services.social.microsoft.com.nsatc.net
oca.telemetry.microsoft.com
oca.telemetry.microsoft.com.nsatc.net
pre.footprintpredict.com
redir.metaservices.microsoft.com
reports.wes.df.telemetry.microsoft.com
services.wes.df.telemetry.microsoft.com
settings-sandbox.data.microsoft.com
sqm.df.telemetry.microsoft.com
sqm.telemetry.microsoft.com
sqm.telemetry.microsoft.com.nsatc.net
ssw.live.com
statsfe1.ws.microsoft.com
telecommand.telemetry.microsoft.com
telecommand.telemetry.microsoft.com.nsatc.net
telemetry.appex.bing.net
telemetry.microsoft.com
telemetry.urs.microsoft.com
vortex-sandbox.data.microsoft.com
vortex-win.data.microsoft.com
vortex-sandbox.data.microsoft.com
vortex.data.microsoft.com
watson.telemetry.microsoft.com
watson.telemetry.microsoft.com.nsatc.net

**fasttech** · 08-26-2015, 11:19 AM

Were these results with the corresponding 'privacy' settings in win 10 turned off?

**Mayahana** · 08-27-2015, 03:56 PM

I found that even with privacy settings completely turned off, the telemetry was still being sent!

Also, even with use of the following tools;

DoNotSpy10
O&O ShutUp10
Spybot Anti-Beacon 10

Telemetry was STILL being sent in some cases. (although GREATLY reduced) Interestingly, in some cases Telemetry was being sent 'bypassing' VPN/Proxy on windows. So even with you used Peerblock it may not necessarily block it. Also note - MS seems to be 'turning back on' some telemetry. I recommend removal of telemetry activity in "Task Scheduler" and also GPEDIT.MSC of telemetry policies as a precaution. The best solution seems to be URL blocking in UTM/NGFW/Firewall in this case.

I've called Win10 the greatest spy tool ever released. I really like 10.. But I understand the risk of using it, and have taken measures to mitigate the vast majority of that risk. For the general unaware public, it's going to be a disaster. Also keep in mind, hackers could quite easily exploit all of this outbound telemetry. MITM, etc. Also businesses can peel it apart with their appliances and snoop on it. This won't end well.

**Mayahana** · 08-28-2015, 12:00 PM

Updated list;

65.55.108.23
65.39.117.230
23.218.212.69
134.170.30.202
137.116.81.24
204.79.197.200
23.218.212.69
a-0001.a-msedge.net
choice.microsoft.com
choice.microsoft.com.nstac.net
corpext.msitadfs.glbdns2.microsoft.com
corp.sts.microsoft.com
compatexchange.cloudapp.net
cs1.wpc.v0cdn.net
diagnostics.support.microsoft.com
df.telemetry.microsoft.com
feedback.windows.com
feedback.search.microsoft.com
fe2.update.microsoft.com.akadns.net
i1.services.social.microsoft.com
i1.services.social.microsoft.com.nsatc.net
oca.telemetry.microsoft.com
oca.telemetry.microsoft.com.nsatc.net
pre.footprintpredict.com
redir.metaservices.microsoft.com
reports.wes.df.telemetry.microsoft.com
services.wes.df.telemetry.microsoft.com
settings-sandbox.data.microsoft.com
sls.update.microsoft.com.akadns.net
sqm.df.telemetry.microsoft.com
sqm.telemetry.microsoft.com
sqm.telemetry.microsoft.com.nsatc.net
ssw.live.com
statsfe1.ws.microsoft.com
statsfe2.update.microsoft.com.akadns.net
survey.watson.microsoft.com
telecommand.telemetry.microsoft.com
telecommand.telemetry.microsoft.com.nsatc.net
telemetry.appex.bing.net
telemetry.microsoft.com
telemetry.urs.microsoft.com
vortex-sandbox.data.microsoft.com
vortex-win.data.microsoft.com
vortex-sandbox.data.microsoft.com
vortex.data.microsoft.com
watson.live.com
watson.microsoft.com
watson.ppe.telemetry.microsoft.com
watson.telemetry.microsoft.com
watson.telemetry.microsoft.com.nsatc.net

**jcoehoorn** · 08-28-2015, 12:18 PM

I'd love to see these broken up by category. Some of this is okay to block, but as an institutional network with residential students it's not okay for me to block things that might, for example, break the Cortana voice service.

**Mayahana** · 08-28-2015, 01:25 PM

Originally Posted by jcoehoorn

I'd love to see these broken up by category. Some of this is okay to block, but as an institutional network with residential students it's not okay for me to block things that might, for example, break the Cortana voice service.

Good idea. I'd like to do it, but the time to do it would be exhausting.

However, MS also seems to bundle things in some cases. So if you block telemetry for one thing, there may be 'bits' of Cortana in there as well. For HIPPA and PCI compliancy, looks like many of us are going to have to cone up on this stuff. We can't have this data leaking out at sensitive firms!

**fasttech** · 08-28-2015, 01:37 PM

From what little I've seen, if you want Cortana to work then you aren't going to keep win10 from exfiltrating anything.
My biggest concern with win10 is it keylogging and exfiltrating authentication... just user names and passwords for every local and cloud service,...... shrug.
Reality is I don't have time to deal with Windows 10 data control so it's dead to me except for home users.

**sky-knight** · 08-28-2015, 02:27 PM

If you're doing all this have you done the GPO work to disable live logons? Most of this flat doesn't work if you can't merge the domain account with the web.

**Mayahana** · 08-28-2015, 05:50 PM

Originally Posted by fasttech

From what little I've seen, if you want Cortana to work then you aren't going to keep win10 from exfiltrating anything.
My biggest concern with win10 is it keylogging and exfiltrating authentication... just user names and passwords for every local and cloud service,...... shrug.
Reality is I don't have time to deal with Windows 10 data control so it's dead to me except for home users.

This is a can of worms.. Microsoft is sending out so much data, and it's readily intercepted. Hackers will at some point be able to exploit this. Businesses with appliances set in MITM mode will peel apart the data, even if their employees are home on the company VPN with BYOD - tons of personal telemetry. It's a treasure trove for the NSA. Interestingly, none of this seems to impact live logins so far.

Still testing of course.

**f1assistance** · 08-30-2015, 03:59 AM

Originally Posted by Mayahana

For HIPPA and PCI compliancy, looks like many of us are going to have to cone up on this stuff. We can't have this data leaking out at sensitive firms!

Isn't "very specific" data required to be protected for HIPAA and PCI compliance?
Just seems doubtful Microsoft's newest Windows would alienate themselves from the finance and healthcare industries...clearly the "general default" install would not be recommended, but this never was the case with earlier version either. No?
P.S. I again thank the bit gods for Untangle. BAM!

Thread: Blocking Windows 10 spying/telemetry.

LinkBack

Thread Tools

Blocking Windows 10 spying/telemetry.

Posting Permissions