Blocking Microsoft

Here wizards, magicians, sorcerers and everybody can rest a bit and talk about anything they like.

Just remember to respect the rules.

Blocking Microsoft

Postby jiml8 » Jul 28th, '16, 19:46

I am sure that some people here do the same thing I do, which is run various versions of Microsoft Windows in virtual machines on a Linux host.

Starting with Windows 7, Windows talks A LOT to Microsoft, giving it all kinds of information...and I don't know what information is being passed; I simply know that a lot of information appears to be flowing back and forth.

Windows 10, of course, takes this to a whole new level and, if you don't turn off all the settings in the OS, it will basically give full details of your entire computing life (including your emails and your messaging) to Microsoft - who is very explicit about telling you they will keep the information, analyze it, release it to 3rd parties, and do whatever they choose with it. Even if you do opt out of everything, Windows 10 continues to send information to Microsoft, ostensibly for diagnostic purposes.

Also, you may not be aware of it, but Microsoft has responded to the large number of people who refused to update Win7 and Win8 to Win10 because of all the spying by pushing updates to those older OS's that basically enables the same kind of data collection in them. I blocked these updates on my Win7 VM, but I am sure that many people had their VM modified without realizing it.

Well, I have found this to be unacceptable. So I have fixed it. I use VMware Workstation, so these directions are for that. Should work with Virtualbox, with appropriate modifications.

To prevent your Windows VMs from talking to Microsoft (except Windows Update...you need that...), do these things.

First, set your virtual machines to talk on the built-in VMware host only network. This will permit them to talk to each other, while blocking them from any internet access. The default host-only network in VMware is vmnet1, and its default IP range is 172.16.187.0/24.

Of course, you need internet access for your VMs, so do this through iptables. I wrote a script to do this, and I run that script manually whenever I want my Windows VM subnet to be able to communicate on the internet:
Code: Select all
sudo iptables -t nat -A POSTROUTING -s 172.16.187.0/24 -j SNAT --to-source 192.168.0.2
sudo iptables -I FORWARD -s 192.168.0.0/24 -d 172.16.187.0/24 -j ACCEPT

I keep this script in ~/bin with the name bindnet. Note that 192.168.0.2 is the local address of my workstation, on the subnet (192.168.0.0) that is directly connected to my router/firewall. You would put the address of your computer here, not the address of my computer.

When you run this script, you convert your host-only network into a NAT network (like vmnet8) but you have control over the connection and can immediately block internet access for all VMs on the subnet by removing the two iptables rules (I do this with the script unbindnet, which is left as an exercise for the reader to write :D ).

Now, this script is not enough to provide full connectivity; you may want to set up a route in each Windows VM so that it can access your local network. In each VM, open as Administrator a command shell, and enter the following (again, use your lan's address, not mine):
Code: Select all
route ADD 192.168.0.0 MASK 255.255.255.0 GATEWAY 172.16.187.1 -p


Having done this, you have now provided all the capability you had before you changed to a host-only network, with the exception that you can now monitor and control what comes and goes from your Windows VM by using your host computer as a firewall.

I have found these iptables rules to be effective at blocking connections to Microsoft, while allowing Microsoft Update to work, and optionally allowing Skype to work:
Code: Select all
sudo iptables -I FORWARD -s 172.16.187.0/24 -d activation.sls.microsoft.com -p all -j DROP
sudo iptables -I FORWARD -s 172.16.187.0/24 -d microsoft.com -p all -j DROP
sudo iptables -I FORWARD -s 172.16.187.0/24 -d www.microsoft.com -p all -j DROP
sudo iptables -I FORWARD -s 172.16.187.0/24 -d spynet2.microsoft.com -p all -j DROP
sudo iptables -I FORWARD -s 172.16.187.0/24 -d content.windows.microsoft.com -p all -j DROP
sudo iptables -I FORWARD -s 172.16.187.0/24 -d logging.windows.microsoft.com -p all -j DROP
sudo iptables -I FORWARD -s 172.16.187.0/24 -d windows.microsoft.com -p all -j DROP
sudo iptables -I FORWARD -s 172.16.187.0/24 -d logging.windows.microsoft.com -p all -j DROP
sudo iptables -I FORWARD -s 172.16.187.0/24 -d www.msftncsi.com -p all -j DROP
sudo iptables -I FORWARD -s 172.16.187.0/24 -d wwwco1vip.microsoft.com -p all -j DROP
sudo iptables -I FORWARD -s 172.16.187.0/24 -d crl.microsoft.com -p all -j DROP
sudo iptables -I FORWARD -s 172.16.187.0/24 -d watson.microsoft.com -p all -j DROP
sudo iptables -I FORWARD -s 172.16.187.0/24 -d watson2.microsoft.com -p all -j DROP
sudo iptables -I FORWARD -s 172.16.187.0/24 -d vortex-win.data.microsoft.com -p all -j DROP
sudo iptables -I FORWARD -s 172.16.187.0/24 -d settings-win.data.microsoft.com -p all -j DROP
sudo iptables -I FORWARD -s 172.16.187.0/24 -d ssw.live.com -p all -j DROP
sudo iptables -I FORWARD -s 172.16.187.0/24 -d 64.4.0.0/16 -p all -j DROP
sudo iptables -I FORWARD -s 172.16.187.0/24 -d 65.52.0.0/16 -p all -j DROP
sudo iptables -I FORWARD -s 172.16.187.0/24 -d time.windows.com -p all -j DROP
sudo iptables -I FORWARD -s 172.16.187.0/24 -d 66.55.0.0/16 -p all -j DROP
sudo iptables -I FORWARD -s 172.16.187.0/24 -d 40.69.86.0/24 -p all -j DROP
#enabling these subsequent rules will block skype
#sudo iptables -I FORWARD -s 172.16.187.0/24 -d 157.56.52.0/24 -p all -j DROP
#sudo iptables -I FORWARD -s 172.16.187.0/24 -d 157.55.0.0/16 -p all -j DROP
#sudo iptables -I FORWARD -s 172.16.187.0/24 -d 23.99.209.0/24 -p all -j DROP
#sudo iptables -I FORWARD -s 172.16.187.0/24 -d 65.55.223.0/24 -p all -j DROP
#sudo iptables -I FORWARD -s 172.16.187.0/24 -d 111.221.77.0/24 -p all -j DROP
#sudo iptables -I FORWARD -s 172.16.187.0/24 -d 52.169.24.0/24 -p all -j DROP
#sudo iptables -I FORWARD -s 172.16.187.0/24 -d 91.190.217.0/24 -p all -j DROP
#sudo iptables -I FORWARD -s 172.16.187.0/24 -d 13.69.184.0/24 -p all -j DROP

#this next one is a russian telecom, apparently connected with comodo firewall
sudo iptables -I FORWARD -s 172.16.187.0/24 -d 5.165.204.0/24 -p all -j DROP

I keep this script as ~/bin/blockmsft.

Make sure your copy of Windows is validated before setting these rules: these rules WILL block microsoft activation.

Once these rules are in place, you will find that Windows does not give you away to Microsoft. Of course, features such as Cortana also will not work, but if you are as determined to protect your privacy as I am, that probably does not matter to you.

edit 7/29 . I keep working on this thing, and I have updated the rules to block microsoft. I did this because Skype proved to be much more difficult to control than I thought it would be. There are several IPs that have to remain available, if skype is to work correctly. This latest information is reflected in this latest set of rules
Last edited by jiml8 on Jul 29th, '16, 21:26, edited 1 time in total.
jiml8
 
Posts: 971
Joined: Jul 7th, '13, 18:09

Re: Blocking Microsoft

Postby doktor5000 » Jul 28th, '16, 20:17

What is also interesting, for files you put in the "My Documents" folder, those are also automatically uploaded to Onedrive (Microsoft cloud storage) and then synced to with all your other devices, same as e.g. dropbox.

jiml8 wrote:Also, you may not be aware of it, but Microsoft has responded to the large number of people who refused to update Win7 and Win8 to Win10 because of all the spying by pushing updates to those older OS's that basically enables the same kind of data collection in them. I blocked these updates on my Win7 VM, but I am sure that many people had their VM modified without realizing it.

FWIW, mind to provide some KB numbers for such updates, and some sources regarding this topic?

EDIT: Seems I found a short overview, see http://news.softpedia.com/news/microsof ... 4236.shtml

Also on that matter, one might want to look at the well-known tool xp antispy which is not also available and updated for windows 10: https://xp-antispy.org/en/
Cauldron is not for the faint of heart!
Caution: Hot, bubbling magic inside. May explode or cook your kittens!
----
Disclaimer: Beware of allergic reactions in answer to unconstructive complaint-type posts
User avatar
doktor5000
 
Posts: 14432
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany

Re: Blocking Microsoft

Postby jiml8 » Jul 29th, '16, 00:23

I believe that the setup I describe will block OneDrive as well, though I am not certain of that because almost the first thing I did on my new Win10 VM was disable OneDrive functionality, before I even monitored the connections to see what I needed to block. I have used this system to block microsoft since deploying my Win7 VM in 2010. Hence, it already basically worked, and I did not immediately monitor traffic to update it.

It is easy enough to figure out though; when the setup is up and running just use tcpdump on vmnet1 and watch for connections to and from microsoft. You will see many on their way to microsoft, but all of those should get dropped in iptables due to the rules. If you see any coming back from microsoft, then you need to investigate and determine whether to block them or not.

I started by blocking everything, then figuring out what I had to re-enable to allow skype to work.

I sync all of my stuff to my Owncloud installation on my NAS.

As for providing the KB numbers for those noxious updates...sorry. I did not have that info in front of me and did not research it. You did, however, find the information. :) I guess you did not know about it.
jiml8
 
Posts: 971
Joined: Jul 7th, '13, 18:09

Re: Blocking Microsoft

Postby doktor5000 » Jul 29th, '16, 11:08

jiml8 wrote:I guess you did not know about it.

No, wasn't aware about the fact that microsoft backported data collection/telemetry stuff to win7, hence thanks for the pointer ;)
Cauldron is not for the faint of heart!
Caution: Hot, bubbling magic inside. May explode or cook your kittens!
----
Disclaimer: Beware of allergic reactions in answer to unconstructive complaint-type posts
User avatar
doktor5000
 
Posts: 14432
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany

Re: Blocking Microsoft

Postby jiml8 » Jul 29th, '16, 19:08

Personally, I think it is outrageous of microsoft to make those changes to in-place installations. But, their license allows them to do it.

All the more reason to avoid them, to the extent it is possible.

I discovered another URI that Win10 wants to talk to. Not sure what this is about, but it looks like it has something to do with one drive. Anyway, I have added a new iptables rule. Here is the rule.

sudo iptables -I FORWARD -s 172.16.187.0/24 -d ssw.live.com -p all -j DROP
jiml8
 
Posts: 971
Joined: Jul 7th, '13, 18:09

Re: Blocking Microsoft

Postby jiml8 » Jul 29th, '16, 21:31

I am still working on this thing, because I just deployed a Win10 VM three days ago and I want control of it.

Accordingly, I have updated the firewall rules in the original post, to accommodate the fact that skype is more complicated than I originally thought to allow through.

I also found this tool: https://www.safer-networking.org/spybot-anti-beacon/ which has had a major effect on the desire of Win10 to talk to microsoft (and others).
jiml8
 
Posts: 971
Joined: Jul 7th, '13, 18:09

Re: Blocking Microsoft

Postby plspls » Aug 16th, '16, 13:57

what about microsoft uefi keys? is it blocked?
plspls
 
Posts: 97
Joined: Aug 14th, '16, 11:38

Re: Blocking Microsoft

Postby wintpe » Nov 8th, '16, 11:30

look at response policy zones, its a much better way of blocking both microsoft and android ad and spy services.

if you need any help on this, then just post, or pm me

regards peter
Redhat 6 Certified Engineer (RHCE)
Sometimes my posts will sound short, or snappy, however its realy not my intention to offend, so accept my apologies in advance.
wintpe
 
Posts: 1151
Joined: May 22nd, '11, 17:08
Location: Rayleigh,, Essex , UK

Re: Blocking Microsoft

Postby ozky » Nov 8th, '16, 12:42

I don't not care less about who spy and who don't they will do it anyway another way when you block one they will find always new one to do it.
Image
Just leave me alone i know what i'm drinking.
User avatar
ozky
 
Posts: 569
Joined: Jul 2nd, '11, 08:48
Location: Ulvila Finland

Re: Blocking Microsoft

Postby wintpe » Nov 10th, '16, 18:19

ozky

while i agree that you are probably right, my use of rpz means that we can use our PC's and tablets without
intrusive interruptions all the time.

it also means that the couple of windows PC's we have are not wasting our bandwidth, polling ms services all the time.

so it does work. but i dont wear a tin hat, as going that far is unnecessary.

regards peter
Redhat 6 Certified Engineer (RHCE)
Sometimes my posts will sound short, or snappy, however its realy not my intention to offend, so accept my apologies in advance.
wintpe
 
Posts: 1151
Joined: May 22nd, '11, 17:08
Location: Rayleigh,, Essex , UK

Re: Blocking Microsoft

Postby ozky » Nov 13th, '16, 00:05

Yeah that is just realistic comment that i have lot more better things to do in my life than try to block ms.
I know lot of people have limited bandwith network while i have fast 4g connection,
my phone have 3g to browse network but i have wlan at home to share 4g.
Image
Just leave me alone i know what i'm drinking.
User avatar
ozky
 
Posts: 569
Joined: Jul 2nd, '11, 08:48
Location: Ulvila Finland


Return to The Wizards Lair

Who is online

Users browsing this forum: No registered users and 1 guest