Blocking Windows telemetry at the firewall level

Hi all. I would like to get some feedback from the community on how I currently deal with telemetry on Windows.

I am using simplewall which leverages Windows Filtering Platform (WFP) and essentially blocks all connections on the application level. As a user you then whitelist applications that you want to have internet/network access. I also make the Group Policy changes that Privacy Guides suggests.

Most guides I’ve come across make some Group Policy changes and/or add hundreds of domains to the Windows hosts file. It seems to me that having all connections blocked by default is more straightforward and probably more comprehensive as well.

But since I don’t see this approach suggested, I wonder if it is maybe flawed in any way. Are there any downsides I haven’t considered? (I hope to focus this discussion on the approach of using firewall whitelisting rather than simplewall itself. There are other firewalls that work like this. And I also understand the dangers of using third-party software.)
I look forward to your input. Thanks!

Why are you not using 3rd party DNS service like Adguard / Control D / NextDNS instead of maintaining lots of stuff?

I am doing the same on Linux with OpenSnitch and it’s quite useful, especially to discover useless connections (the calculator fetching exchange rates that I do not need, for example).

Not sure why this isn’t recommended, but it’s quite heavy.

This isn’t the same, you are only blocking known trackers, but you do not have protections against unknown/niche ones or other connections that aren’t necessary but aren’t trackers.


Windows Firewall cannot be trusted to block Microsoft domains or IP addresses.

As a Linux user, perhaps I should have simply said, Windows cannot be trusted. Sorry to be the bearer of bad news.

Consider using Privoxy on a different machine to whitelist only the traffic that Windows should be allowed to reach. Use a ‘hardware’ firewall to block all egress that is not allowed through Privoxy.

Perhaps I have gone a little overboard with this, but I have very little remaining use for Windows, and my Windows traffic looks like the following:

Windows → Privoxy in whitelist mode → Tor client → pfSense with default drop egress filters allowing only Tor → Internet

Each one of the above is either separate real hardware or QEMU-KVM guests. Each part of the puzzle is segregated. As a loose comparison, think Whonix scaled out.


This seems like a lot of added complexity (and cost). Why not just have Windows in a VM, route that traffic through Tor, and then only allow the traffic from the Windows VM that is routed through Tor in pfSense?

As Encounter5729 already pointed out, DNS level blocking will only deal with known trackers available in the block lists that you choose. It serves a different purpose.
As for having to maintain a lot of stuff, I might not have described it so well in my OP, but by default any and all connections are blocked (with the exception of some essential services that are whitelisted by default, such as NTP). When an application tries to make a connection for the first time, you are then prompted to approve or deny this. Theoretically there is no risk of an undesired first-time connection for any program, which is the purpose.

Great to hear someone else had the same idea :sweat_smile: I use Opensnitch as well on my Linux hosts and LuLu on MacOS.

Your setup seems quite advanced and elaborate. But I am certainly interested in reading more into Privoxy and especially tunneling traffic over Tor in this way.
The benefit of an application firewall such as simplewall in this case, though, is that you can whitelist the application rather than the connections it makes. Or, what I like to do for some applications, only allow traffic to and from my LAN. I imagine it’s not as intuitive to figure out which connections belong to which applications if you are trying to whitelist them on a separate hardware firewall like in your case.

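For readers who want to see what the default-deny, whitelist-the-application model discussed above looks like without a third-party tool, here is an added example (not posted by anyone in this thread, and not simplewall's code) that builds the same policy with the built-in Windows Firewall cmdlets: block all outbound traffic on every profile, allow named programs by path, allow one program to the local subnet only, and allow the DNS and time services their ports. The program paths are placeholders. Run it elevated, and note that Microsoft's pre-existing built-in allow rules (for example the "Core Networking" group) remain in effect until you disable them, which is part of why the built-in firewall alone does not give the coverage described in the thread.

```powershell
# Added example, not from the thread or from simplewall.
# Builds a default-deny outbound policy with the native Windows Firewall cmdlets.
# Assumptions: run elevated; program paths below are placeholders to replace.
#Requires -RunAsAdministrator

# 1. Record the current default actions so the change can be reverted later.
$before = Get-NetFirewallProfile |
    Select-Object Name, DefaultInboundAction, DefaultOutboundAction
$before | Format-Table -AutoSize

# 2. Block all outbound traffic by default on the Domain, Private and Public profiles.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

# 3. Whitelist whole applications by program path: the application is allowed,
#    not a list of the hosts it talks to.
$allowedPrograms = @{
    'Allow Firefox (any remote)' = 'C:\Program Files\Mozilla Firefox\firefox.exe'   # placeholder path
}
foreach ($name in $allowedPrograms.Keys) {
    New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Allow `
        -Program $allowedPrograms[$name] -Profile Any -Enabled True | Out-Null
}

# 4. LAN-only application: permitted to the local subnet only, so Internet egress stays blocked.
New-NetFirewallRule -DisplayName 'Allow LanTool (LAN only)' -Direction Outbound -Action Allow `
    -Program 'C:\Tools\lantool.exe' -RemoteAddress LocalSubnet -Profile Any | Out-Null   # placeholder path

# 5. Essential services: DNS client (UDP 53) and Windows Time (UDP 123), scoped to the
#    service that needs them rather than to svchost.exe as a whole.
New-NetFirewallRule -DisplayName 'Allow DNS client (Dnscache)' -Direction Outbound -Action Allow `
    -Service Dnscache -Protocol UDP -RemotePort 53 | Out-Null
New-NetFirewallRule -DisplayName 'Allow NTP (W32Time)' -Direction Outbound -Action Allow `
    -Service W32Time -Protocol UDP -RemotePort 123 | Out-Null

# 6. Log dropped packets. The native firewall has no "first connection" prompt, so the
#    log is how you discover which program needs a rule.
Set-NetFirewallProfile -Profile Domain,Private,Public -LogBlocked True `
    -LogFileName '%systemroot%\system32\LogFiles\Firewall\pfirewall.log'

# 7. Verify the default action and list the outbound allow rules that exist,
#    including Microsoft's built-in ones, which this script does not remove.
Get-NetFirewallProfile | Select-Object Name, DefaultOutboundAction | Format-Table -AutoSize
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    Select-Object DisplayName, Group, Profile |
    Sort-Object Group, DisplayName |
    Format-Table -AutoSize
```

The last command is the check worth reading before trusting the policy: every enabled outbound allow rule, including those shipped with Windows, is a path through the default block. Reviewing that list, and the dropped-packet log after a day of normal use, is the native equivalent of the per-application prompt that simplewall, OpenSnitch and LuLu provide interactively.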

I am doing as you say, but Privoxy whitelisting provides the telemetry blocking.

Without Privoxy whitelisting there are several concerns. Windows has an advertising ID which could be used to deanonymize. Windows uses OneDrive that could be used to exfiltrate local data and then delete the local copy. Microsoft is determined that user credentials and BitLocker keys are stored in Azure. I have spent decades using and supporting Microsoft products and services, but modern Windows is little more than a spyware platform.

Application firewalls certainly have their place. For example, I use netfilter/iptables on a Linux Tor relay to allow all traffic on the LAN, but only allow WAN traffic from Tor.

With that being said, I would consider Windows Filtering Platform to be untrustworthy and liable to leak data. If there exists an application firewall that does not require WFP, then go for it, but I was under the impression that those had been deprecated.
