Windows 10 has been available for just over a week and infosec pros who didn’t want to look at the operating system when it was under limited release are now giving it the once-over. They may not like what they see from a security standpoint.
As a number of reviewers have pointed out, an express install of Win10 will lead to the OS automatically collecting data that will be sent back to Microsoft, some of which will be used for sending targeted ads.
To avoid privacy concerns, a site called Fix Windows 10 is urging a manual install and has put together a list of things IT staff should consider turning off if and when they want to upgrade or add new PCs.
Separately, the Hacker News and ghacks.net report that a German company has created a free utility that will help IT check off these items on one screen. While the program page is in German, the program itself is in English as well. It also comes with adware.
As the Hacker News notes, Win10 on automatic collects PC location data, biometric and handwriting data, ads and tracking codes, access to personal information, and makes the user have a Microsoft rather than a local account.
Fix Windows 10 is a handy place for infosec pros to learn what Microsoft automatically grabs, showing screen shots of what they’ll encounter when going to Customize Settings, or, if a system has already been installed, where to go in the Settings to turn off unwanted services.
It advises users to turn off the controversial Wi-Fi Sense option, which offers the choice of sending an encrypted version of your password to people in your Outlook, Hotmail and Skype contact lists (under the assumption, I guess, they are trusted people) so if they are near your wireless network they can automatically log on. For more see this article.
Another useful source on this is a lifehacker.com article on what can be turned off or left on in Win10 and the Microsoft Edge browser.
Usually IT staff know better than to install an OS in express mode, but some smaller organizations may not have the time to carefully look at everything. For them these resources are just a start. Of course, all decisions should conform to the organization’s security policy.
Finally, here’s Microsoft’s privacy statement on what Win10 collects.