Starting with Windows 7, Windows talks A LOT to Microsoft, giving it all kinds of information...and I don't know what information is being passed; I simply know that a lot of information appears to be flowing back and forth.
Windows 10, of course, takes this to a whole new level and, if you don't turn off all the settings in the OS, it will basically give full details of your entire computing life (including your emails and your messaging) to Microsoft - who is very explicit about telling you they will keep the information, analyze it, release it to 3rd parties, and do whatever they choose with it. Even if you do opt out of everything, Windows 10 continues to send information to Microsoft, ostensibly for diagnostic purposes.
Also, you may not be aware of it, but Microsoft has responded to the large number of people who refused to update Win7 and Win8 to Win10 because of all the spying by pushing updates to those older OSes that basically enable the same kind of data collection in them. I blocked these updates on my Win7 VM, but I am sure that many people had their VM modified without realizing it.
Well, I have found this to be unacceptable. So I have fixed it. I use VMware Workstation, so these directions are for that. It should work with VirtualBox, with appropriate modifications.
To prevent your Windows VMs from talking to Microsoft (except Windows Update...you need that...), do these things.
First, set your virtual machines to talk on the built-in VMware host only network. This will permit them to talk to each other, while blocking them from any internet access. The default host-only network in VMware is vmnet1, and its default IP range is 172.16.187.0/24.
Of course, you need internet access for your VMs, so do this through iptables. I wrote a script to do this, and I run that script manually whenever I want my Windows VM subnet to be able to communicate on the internet:
Code:
# bindnet: NAT the host-only VM subnet out through the host's LAN address.
# Assumes IP forwarding is enabled on the host (net.ipv4.ip_forward=1) and
# that the FORWARD chain's default policy is ACCEPT for the VM -> internet direction.
sudo iptables -t nat -A POSTROUTING -s 172.16.187.0/24 -j SNAT --to-source 192.168.0.2
# allow the LAN to reach the VM subnet directly
sudo iptables -I FORWARD -s 192.168.0.0/24 -d 172.16.187.0/24 -j ACCEPT
I keep this script in ~/bin with the name bindnet. Note that 192.168.0.2 is the local address of my workstation, on the subnet (192.168.0.0) that is directly connected to my router/firewall. You would put the address of your computer here, not the address of my computer.
When you run this script, you convert your host-only network into a NAT network (like vmnet8), but you have control over the connection and can immediately block internet access for all VMs on the subnet by removing the two iptables rules (I do this with the script unbindnet, which is left as an exercise for the reader to write).
Now, this script is not enough to provide full connectivity; you may want to set up a route in each Windows VM so that it can access your local network. In each VM, open a command shell as Administrator and enter the following (again, use your LAN's address, not mine):
Code:
rem persistent (-p) route to the host LAN via the host-only adapter's address;
rem on Windows the gateway is a positional argument and -p goes before ADD
route -p ADD 192.168.0.0 MASK 255.255.255.0 172.16.187.1
Having done this, you have now provided all the capability you had before you changed to a host-only network, with the exception that you can now monitor and control what comes and goes from your Windows VM by using your host computer as a firewall.
I have found these iptables rules to be effective at blocking connections to Microsoft, while allowing Microsoft Update to work, and optionally allowing Skype to work:
Code:
# blockmsft: drop traffic from the VM subnet to Microsoft telemetry/activation hosts.
# Hostnames are resolved once, when the rule is inserted (one rule per resolved
# address), so re-run the script if the names start resolving elsewhere.
sudo iptables -I FORWARD -s 172.16.187.0/24 -d activation.sls.microsoft.com -p all -j DROP
sudo iptables -I FORWARD -s 172.16.187.0/24 -d microsoft.com -p all -j DROP
sudo iptables -I FORWARD -s 172.16.187.0/24 -d www.microsoft.com -p all -j DROP
sudo iptables -I FORWARD -s 172.16.187.0/24 -d spynet2.microsoft.com -p all -j DROP
sudo iptables -I FORWARD -s 172.16.187.0/24 -d content.windows.microsoft.com -p all -j DROP
sudo iptables -I FORWARD -s 172.16.187.0/24 -d logging.windows.microsoft.com -p all -j DROP
sudo iptables -I FORWARD -s 172.16.187.0/24 -d windows.microsoft.com -p all -j DROP
# network connectivity status indicator probe
sudo iptables -I FORWARD -s 172.16.187.0/24 -d www.msftncsi.com -p all -j DROP
sudo iptables -I FORWARD -s 172.16.187.0/24 -d wwwco1vip.microsoft.com -p all -j DROP
# note: this also blocks certificate revocation list downloads from Microsoft
sudo iptables -I FORWARD -s 172.16.187.0/24 -d crl.microsoft.com -p all -j DROP
# Windows Error Reporting
sudo iptables -I FORWARD -s 172.16.187.0/24 -d watson.microsoft.com -p all -j DROP
sudo iptables -I FORWARD -s 172.16.187.0/24 -d watson2.microsoft.com -p all -j DROP
# telemetry upload and settings endpoints
sudo iptables -I FORWARD -s 172.16.187.0/24 -d vortex-win.data.microsoft.com -p all -j DROP
sudo iptables -I FORWARD -s 172.16.187.0/24 -d settings-win.data.microsoft.com -p all -j DROP
sudo iptables -I FORWARD -s 172.16.187.0/24 -d ssw.live.com -p all -j DROP
sudo iptables -I FORWARD -s 172.16.187.0/24 -d 64.4.0.0/16 -p all -j DROP
sudo iptables -I FORWARD -s 172.16.187.0/24 -d 65.52.0.0/16 -p all -j DROP
# note: this also blocks the default Windows NTP time source
sudo iptables -I FORWARD -s 172.16.187.0/24 -d time.windows.com -p all -j DROP
sudo iptables -I FORWARD -s 172.16.187.0/24 -d 66.55.0.0/16 -p all -j DROP
sudo iptables -I FORWARD -s 172.16.187.0/24 -d 40.69.86.0/24 -p all -j DROP
# enabling these subsequent rules will block Skype
#sudo iptables -I FORWARD -s 172.16.187.0/24 -d 157.56.52.0/24 -p all -j DROP
#sudo iptables -I FORWARD -s 172.16.187.0/24 -d 157.55.0.0/16 -p all -j DROP
#sudo iptables -I FORWARD -s 172.16.187.0/24 -d 23.99.209.0/24 -p all -j DROP
#sudo iptables -I FORWARD -s 172.16.187.0/24 -d 65.55.223.0/24 -p all -j DROP
#sudo iptables -I FORWARD -s 172.16.187.0/24 -d 111.221.77.0/24 -p all -j DROP
#sudo iptables -I FORWARD -s 172.16.187.0/24 -d 52.169.24.0/24 -p all -j DROP
#sudo iptables -I FORWARD -s 172.16.187.0/24 -d 91.190.217.0/24 -p all -j DROP
#sudo iptables -I FORWARD -s 172.16.187.0/24 -d 13.69.184.0/24 -p all -j DROP
# this next one is a Russian telecom, apparently connected with Comodo Firewall
sudo iptables -I FORWARD -s 172.16.187.0/24 -d 5.165.204.0/24 -p all -j DROP
I keep this script as ~/bin/blockmsft.
Make sure your copy of Windows is validated before setting these rules: these rules WILL block Microsoft activation.
Once these rules are in place, you will find that Windows does not give you away to Microsoft. Of course, features such as Cortana also will not work, but if you are as determined to protect your privacy as I am, that probably does not matter to you.
Edit 7/29: I keep working on this thing, and I have updated the rules to block Microsoft. I did this because Skype proved to be much more difficult to control than I thought it would be. There are several IPs that have to remain available if Skype is to work correctly. This latest information is reflected in this latest set of rules.
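Added example (not the poster's bindnet/blockmsft scripts): one idempotent script that turns the NAT egress on and off (the "unbindnet" left as an exercise) and applies a subset of the block list, using iptables -C so repeated runs never stack duplicate rules. The subnet and host addresses are the post's; IPT, the addresses and the block-list subset are assumptions you can override.

```shell
#!/bin/sh
# vmnet-egress.sh: bind/unbind internet access for a VMware host-only
# subnet and apply a Microsoft block list, idempotently, via iptables.
# Added example, not the original poster's scripts. Assumed values below
# come from the post; override IPT (e.g. IPT=iptables when already root).
VM_NET="${VM_NET:-172.16.187.0/24}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
HOST_IP="${HOST_IP:-192.168.0.2}"
IPT="${IPT:-sudo iptables}"

# Subset of the post's block list (assumed). Hostnames resolve once, at
# insertion time, into one rule per address; re-run after DNS changes.
BLOCK_DSTS="vortex-win.data.microsoft.com settings-win.data.microsoft.com watson.microsoft.com 64.4.0.0/16 65.52.0.0/16"

# add_rule TABLE CHAIN ARGS...: insert only if absent (-C = check rule exists)
add_rule() {
    table=$1; chain=$2; shift 2
    $IPT -t "$table" -C "$chain" "$@" 2>/dev/null || $IPT -t "$table" -I "$chain" "$@"
}
# del_rule TABLE CHAIN ARGS...: delete every copy of the rule
del_rule() {
    table=$1; chain=$2; shift 2
    while $IPT -t "$table" -C "$chain" "$@" 2>/dev/null; do
        $IPT -t "$table" -D "$chain" "$@"
    done
}
vm_egress_on() {   # the post's bindnet: SNAT the VM subnet out via the host
    add_rule nat POSTROUTING -s "$VM_NET" -j SNAT --to-source "$HOST_IP"
    add_rule filter FORWARD -s "$LAN_NET" -d "$VM_NET" -j ACCEPT
}
vm_egress_off() {  # the post's unbindnet: remove exactly those two rules
    del_rule nat POSTROUTING -s "$VM_NET" -j SNAT --to-source "$HOST_IP"
    del_rule filter FORWARD -s "$LAN_NET" -d "$VM_NET" -j ACCEPT
}
vm_block_msft() {  # drop VM traffic to each block-list destination
    for dst in $BLOCK_DSTS; do
        add_rule filter FORWARD -s "$VM_NET" -d "$dst" -j DROP
    done
}
vm_egress_status() {  # exit 0 if the VMs currently have NAT egress
    $IPT -t nat -C POSTROUTING -s "$VM_NET" -j SNAT --to-source "$HOST_IP" 2>/dev/null
}
case "${1:-}" in
    on) vm_egress_on ;;  off) vm_egress_off ;;  block) vm_block_msft ;;
    status) vm_egress_status && echo "egress: on" || echo "egress: off" ;;
esac
```

Run it as `vmnet-egress.sh on|off|block|status`; `block` is safe to re-run after a reboot or DNS change because existing rules are skipped rather than duplicated.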