SOLVED

PCI-DSS - can we make windows 10 only talk to WSUS or System Center?

%3CLINGO-SUB%20id%3D%22lingo-sub-132840%22%20slang%3D%22en-US%22%3EPCI-DSS%20-%20can%20we%20make%20windows%2010%20only%20talk%20to%20WSUS%20or%20System%20Center%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-132840%22%20slang%3D%22en-US%22%3E%3CP%3EI%20understand%20Microsoft's%20desire%20for%20consumer%20editions%20of%20windows%2010%20to%20send%20telemetry%20feedback%20home%20for%20QA%20purposes.%26nbsp%3B%20However%2C%20in%20regulated%20industries%20where%20PCI-DSS%20and%20HIPAA%20and%20the%20like%20apply%2C%20it's%20really%20hard%20to%20tell%20the%20difference%20between%20bad%20guys%20exfiltrating%20data%20to%20cloud%20services%20and%20OS%20telemetry%2C%20plus%20we%20have%20a%20lot%20of%20internal%20subnets%20with%20no%20internet%20access.%26nbsp%3B%20Some%20don't%20even%20get%20proxy%20access%2C%20and%20for%20the%20ones%20with%20proxy%20access%20the%20security%20stance%20is%20default%20deny%20with%20a%20pretty%20short%20whitelist.%26nbsp%3B%20How%20do%20we%20make%20a%20windows%2010%20box%20shut%20up%20and%20not%20talk%20to%20anything%20but%20WSUS%20or%20system%20center%3F%26nbsp%3B%20The%20noise%20in%20our%20firewall%20logs%20is%20insane.%3C%2FP%3E%0A%3CP%3E--%20Jim%20Leinweber%2C%20WI%20State%20Lab%20of%20Hygiene%2C%20U.%20of%20Wisconsin%20-%20Madison%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-194709%22%20slang%3D%22en-US%22%3ERe%3A%20PCI-DSS%20-%20can%20we%20make%20windows%2010%20only%20talk%20to%20WSUS%20or%20System%20Center%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-194709%22%20slang%3D%22en-US%22%3E%3CBLOCKQUOTE%3E%3CHR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F63584%22%20target%3D%22_blank%22%3E%40Pieter%20Wigleven%20(WINDOWS)%3C%2FA%3E%26nbsp%3Bwrote%3A%3CBR%20%2F%3E%3CP%3EHi%20James%2C%26nbsp%3B%3C%2FP%3E%3CP%3E-%20With%20Windows%2010%20Enterprise%2C%20you%20can%20switch%20the%20diagnostic%20to%20Security%20level.%20If%20you%20want%20to%20eliminate%20network%20traffic%20any%20further%2C%20keep%20in%20mind%20that%20security%20of%20the%20OS%20can%20be%20impacted.%20There%20are%20certain%20security%20features%20that%20won't%20work%2C%20e.g.%20SmartScreen%20or%20Certificate%20Revocation%20List%20checks.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIt's%20possible%20to%20reduce%20the%20traffic%20beyond%20the%20Security%20level.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMicrosoft%20has%20documented%26nbsp%3Bhow%20to%3C%2FP%3E%3CP%3Edisable%20every%20component%20in%20the%20OS%20that%20requires%20some%20sort%20of%20network%2Finternet%20connectivity.%20Details%20on%20how%20to%20do%20that%20can%20be%20found%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fconfiguration%2Fmanage-connections-from-windows-operating-system-components-to-microsoft-services%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehere%3C%2FA%3E.%20Keep%20in%20mind%20that%20disabling%20the%20security%20related%20components%20of%20the%20operating%20system%20means%20your%20organization%20takes%20that%20responsibility.%20Good%20luck!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EKind%20regards%2C%3C%2FP%3E%3CP%3EPieter%26nbsp%3B%3C%2FP%3E%3CHR%20%2F%3E%3C%2FBLOCKQUOTE%3E%3CP%3EHello%2C%20SLI%20Overnight%20team%20here%20working%20on%20effecting%20best%20possible%20security%20for%20an%20updated%20Windows%2010%20image%20on%20our%20lab%20system%20for%20testing.%26nbsp%3B%20We're%20aware%20this%20is%20an%20older%20thread%2C%20but%20it%20is%20definitely%20one%20IOPO%20that%20deserves%20a%20lot%20more%20attention%20than%20it's%20received%20thus%20far.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESome%20good%20suggestions%20were%20made%20in%20the%20reply%20given%3B%20however%20they're%20lacking%20in%20detail.%26nbsp%3B%20Group%20Policy%20Administration%20for%20example%3B%20is%20tricky%20business%20since%201709%20and%20the%20same%20can%20be%20said%20for%201803.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIn%20our%20situation%2C%20we%20barely%20use%20Windows%2C%20but%20keep%20around%2010%20or%20less%20workstations%20in%20a%20WorkGroup%20(not%20HomeGroup%20%5BHomeGroups%20are%20disabled%5D%20)%20that%20we%20share%20when%20they're%20needed%20for%20programs%20that%20best%20run%20on%20the%20Windows'%20OS%20Platform.%26nbsp%3B%20Additionally%2C%20at%20this%20time%2C%20Microsoft%20only%20makes%20one%20product%20that%20is%20of%20any%20use%20to%20us%2C%20and%20that's%20Windows%2010%20Enterprise.%26nbsp%3B%20With%20exception%20to%20WEX%20(Windows%2010%20Enterprise)%20we%20do%20not%20use%20any%20other%20Microsoft%20Products%20unless%20MS%20Accounts%20that%20are%20not%20part%20of%20Office%20365%20are%20also%20considered%20to%20be%20%22products%22%20as%20opposed%20to%20%22services%22%20whereas%20the%20terminology%20can%20come%20down%20to%20matters%20of%20opinion%20(we'd%20not%20debate%20which%20term%20people%20choose%20to%20use%20either%20way%2C%20and%20consider%20it%20a%20matter%20of%20professional%20choice).%26nbsp%3B%20As%20to%20any%20other%20MS%20%22services%22%20those%20are%20not%20in%20use%20by%20our%20organization%20or%20its%20members%20either.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20above%20being%20said%2C%20our%20workstations%20are%20configured%20standalone%2C%20without%20Active%20Directory%20because%20we%20do%20not%20use%20Microsoft%20Server%20solutions%20at%20this%20time%20either%2C%20and%20most%20of%20our%20infrastructure%20is%20supported%20by%20Linux%20along%20with%20some%20implementations%20of%20our%20own%20proprietary%20designs%20that%20are%20not%20on%20Windows%20based%20platforms%2C%20but%20do%20support%20the%20regulation%20of%20traffic%20from%20Windows%2010%20workstations%20authorized%20to%20function%20on%20our%20essentially%20air%20gapped%20private%20cloud.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESome%20of%20the%20reductions%20needing%20to%20be%20made%20to%20reduce%20traffic%20are%20rather%20extravagant%20with%20multiple%20points%20in%20Group%20Policy%20to%20implement%20the%20changes.%26nbsp%3B%20This%20article%20has%20been%20bookmarked%20by%20our%20team%2C%20and%20we're%20seeking%20permission%20from%20the%20daytime%20staff%20to%20post%20some%20screen%20shots%20of%20what%20we're%20talking%20about.%26nbsp%3B%20If%20we%20get%20permission%2C%20we'll%20follow%20up%20with%20some%20screen%20shots%2C%20but%20if%20we%20don't%2C%20we'll%20be%20unable%20to%20post%20examples%3B%20however%20we're%20confident%20there%20are%20those%20in%20the%20community%20that%20likely%20can%20post%20some%20screen%20shots%20of%20Group%20Policy%20in%20the%20kinds%20of%20areas%20we're%20speaking%20of%2C%20and%20were%20mentioned%20in%20the%20reply%20we've%20just%20quoted%20that%20also%20have%20additional%20options%20beyond%20%3CEM%3E%22%26nbsp%3BWith%20Windows%2010%20Enterprise%2C%20you%20can%20switch%20the%20diagnostic%20to%20%3CU%3ESecurity%3C%2FU%3E%20level.%22%3C%2FEM%3E%26nbsp%3B%20In%20fact%2C%20there%20are%20multiple%20points%20in%20Group%20Policy%20that%2C%20if%20used%20in%20combination%2C%20will%20eliminate%20such%20extraneous%20traffic%20as%20the%20OP%20was%20suggesting%20be%20eliminated.%26nbsp%3B%20In%20our%20case%2C%20such%20traffic%20registers%20as%20%22lost%20packets%22%20and%20while%20that's%20the%20desired%20behavior%20from%20our%20perspective%2C%20it's%20always%20better%20from%26nbsp%3Bboth%20throughput%20and%20system%20load%26nbsp%3Bstandpoints%2C%20to%20not%20have%20those%20packets%20sent%20out%20at%20all.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EObviously%2C%20for%20any%20readers%20that%20just%20read%20the%20paragraph%20above%20that%20might%20be%20overthinking%20what%20we%20just%20said%2C%20%3CSTRONG%3E%3CEM%3EYes%2C%20we%20author%20the%20same%20Group%20Policy%20on%20all%20our%20Windows%2010%20Workstations%2C%20and%20%3CU%3ENo%3C%2FU%3E%20it's%20not%20our%20only%20security%20measure%20when%20using%20Windows%2010%2C%20it's%20one%20of%20many.%3C%2FEM%3E%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe'll%20do%20what%20we%20can%20to%20provide%20further%20follow%20up%20on%20this%20thread%20to%20help%20out%3B%20however%20regardless%20of%20how%20Group%20Policy%20is%20administered%20such%20as%20%3CEM%3ELocal%20Machine%3C%2FEM%3E%20or%20%3CEM%3EActive%20Directory%3C%2FEM%3E%20%3CEM%3Evia%20a%20Windows%20Server%20and%20MS%20Domain%3C%2FEM%3E%20for%20%3CU%3EPropagation%20to%20all%20systems%20in%20the%20Domain%3C%2FU%3E%20instead%20of%20a%20WorkGroup%20for%20standalone%20and%20local%20operation%2C%20having%20an%26nbsp%3Beffective%20Group%20Policy%20in%20use%20is%20essential%20because%20a%20strong%20Group%20Policy%20can%20eliminate%20about%2095%25%20of%20the%20undesired%20traffic%20generated%20by%20Windows%2010.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIt's%20hoped%20that%20this%20post%20encourages%20others%20to%20take%20a%20heavy%20and%20scrutinous%20look%20at%20all%20of%20the%20available%20settings%20in%20Group%20Policy.%26nbsp%3B%20As%20always%2C%20test%20each%20setting%20in%20Group%20Policy%20prior%20to%20making%20regular%20use%20of%20each%20setting%20because%20some%20settings%20in%20Group%20Policy%20do%20%3CU%3ENOT%3C%2FU%3E%20function%20as%20they're%20described%20to%20within%20the%20details%20of%20each%2C%20and%20as%20always%2C%20%22Testing%2C%20testing%2C%201%2C%202%2C%203...%22%20is%20the%20only%20way%20to%20verify%20whether%20or%20not%20a%20given%20setting%20is%20functioning%20in%20the%20desired%20manner%20that%20is%20right%20for%20your%20organization.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBest%20Regards%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESLI%20Overnight%20Team%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3EDISCLAIMER%3A%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%3CSTRONG%3EPost%20is%20provided%20without%20warranty%20or%20guarantee.%26nbsp%3B%20Results%20may%20vary%20depending%20on%20hardware%20and%20environment.%3C%2FSTRONG%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-132891%22%20slang%3D%22en-US%22%3ERe%3A%20PCI-DSS%20-%20can%20we%20make%20windows%2010%20only%20talk%20to%20WSUS%20or%20System%20Center%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-132891%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20James%2C%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThanks%20for%20your%20question.%20A%20few%20comments%20that%20might%20help%3A%3C%2FP%3E%0A%3CP%3E-%20HIPPA%20is%20currently%20working%20on%20an%20updated%20version%20of%20their%20%22HIPAA%20Compliance%20with%20Microsoft%20Windows%2010%20Enterprise%22%20which%20explains%20which%20features%20to%20enable%2Fdisable%20to%20improve%20compliancy.%20The%20version%20from%20February%202017%20can%20be%20find%20%3CA%20href%3D%22http%3A%2F%2Fwww.hipaaone.com%2Fwp-content%2Fuploads%2F2017%2F02%2FHIPAA-Compliance-with-Microsoft-Windows-10-Enterprise.pdf%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehere%3C%2FA%3E.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E-%20With%20Windows%2010%20Enterprise%2C%20you%20can%20switch%20the%20diagnostic%20to%20Security%20level.%20If%20you%20want%20to%20eliminate%20network%20traffic%20any%20further%2C%20keep%20in%20mind%20that%20security%20of%20the%20OS%20can%20be%20impacted.%20There%20are%20certain%20security%20features%20that%20won't%20work%2C%20e.g.%20SmartScreen%20or%20Certificate%20Revocation%20List%20checks.%20It's%20possible%20to%20reduce%20the%20traffic%20beyond%20the%20Security%20level.%20Microsoft%20has%20documented%26nbsp%3Bhow%20to%20disable%20every%20component%20in%20the%20OS%20that%20requires%20some%20sort%20of%20network%2Finternet%20connectivity.%20Details%20on%20how%20to%20do%20that%20can%20be%20found%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fconfiguration%2Fmanage-connections-from-windows-operating-system-components-to-microsoft-services%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehere%3C%2FA%3E.%20Keep%20in%20mind%20that%20disabling%20the%20security%20related%20components%20of%20the%20operating%20system%20means%20your%20organization%20takes%20that%20responsibility.%20Good%20luck!%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EKind%20regards%2C%3C%2FP%3E%0A%3CP%3EPieter%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Occasional Visitor

I understand Microsoft's desire for consumer editions of windows 10 to send telemetry feedback home for QA purposes.  However, in regulated industries where PCI-DSS and HIPAA and the like apply, it's really hard to tell the difference between bad guys exfiltrating data to cloud services and OS telemetry, plus we have a lot of internal subnets with no internet access.  Some don't even get proxy access, and for the ones with proxy access the security stance is default deny with a pretty short whitelist.  How do we make a windows 10 box shut up and not talk to anything but WSUS or system center?  The noise in our firewall logs is insane.

-- Jim Leinweber, WI State Lab of Hygiene, U. of Wisconsin - Madison

2 Replies
Highlighted
Best Response confirmed by JAMES LEINWEBER (Occasional Visitor)
Solution

Hi James, 

 

Thanks for your question. A few comments that might help:

- HIPPA is currently working on an updated version of their "HIPAA Compliance with Microsoft Windows 10 Enterprise" which explains which features to enable/disable to improve compliancy. The version from February 2017 can be find here

- With Windows 10 Enterprise, you can switch the diagnostic to Security level. If you want to eliminate network traffic any further, keep in mind that security of the OS can be impacted. There are certain security features that won't work, e.g. SmartScreen or Certificate Revocation List checks. It's possible to reduce the traffic beyond the Security level. Microsoft has documented how to disable every component in the OS that requires some sort of network/internet connectivity. Details on how to do that can be found here. Keep in mind that disabling the security related components of the operating system means your organization takes that responsibility. Good luck!

 

Kind regards,

Pieter 

Highlighted

@Pieter Wigleven (WINDOWS) wrote:

Hi James, 

- With Windows 10 Enterprise, you can switch the diagnostic to Security level. If you want to eliminate network traffic any further, keep in mind that security of the OS can be impacted. There are certain security features that won't work, e.g. SmartScreen or Certificate Revocation List checks.

 

It's possible to reduce the traffic beyond the Security level.

 

Microsoft has documented how to

disable every component in the OS that requires some sort of network/internet connectivity. Details on how to do that can be found here. Keep in mind that disabling the security related components of the operating system means your organization takes that responsibility. Good luck!

 

Kind regards,

Pieter 


Hello, SLI Overnight team here working on effecting best possible security for an updated Windows 10 image on our lab system for testing.  We're aware this is an older thread, but it is definitely one IOPO that deserves a lot more attention than it's received thus far.

 

Some good suggestions were made in the reply given; however they're lacking in detail.  Group Policy Administration for example; is tricky business since 1709 and the same can be said for 1803.

 

In our situation, we barely use Windows, but keep around 10 or less workstations in a WorkGroup (not HomeGroup [HomeGroups are disabled] ) that we share when they're needed for programs that best run on the Windows' OS Platform.  Additionally, at this time, Microsoft only makes one product that is of any use to us, and that's Windows 10 Enterprise.  With exception to WEX (Windows 10 Enterprise) we do not use any other Microsoft Products unless MS Accounts that are not part of Office 365 are also considered to be "products" as opposed to "services" whereas the terminology can come down to matters of opinion (we'd not debate which term people choose to use either way, and consider it a matter of professional choice).  As to any other MS "services" those are not in use by our organization or its members either.

 

The above being said, our workstations are configured standalone, without Active Directory because we do not use Microsoft Server solutions at this time either, and most of our infrastructure is supported by Linux along with some implementations of our own proprietary designs that are not on Windows based platforms, but do support the regulation of traffic from Windows 10 workstations authorized to function on our essentially air gapped private cloud.

 

Some of the reductions needing to be made to reduce traffic are rather extravagant with multiple points in Group Policy to implement the changes.  This article has been bookmarked by our team, and we're seeking permission from the daytime staff to post some screen shots of what we're talking about.  If we get permission, we'll follow up with some screen shots, but if we don't, we'll be unable to post examples; however we're confident there are those in the community that likely can post some screen shots of Group Policy in the kinds of areas we're speaking of, and were mentioned in the reply we've just quoted that also have additional options beyond " With Windows 10 Enterprise, you can switch the diagnostic to Security level."  In fact, there are multiple points in Group Policy that, if used in combination, will eliminate such extraneous traffic as the OP was suggesting be eliminated.  In our case, such traffic registers as "lost packets" and while that's the desired behavior from our perspective, it's always better from both throughput and system load standpoints, to not have those packets sent out at all.

 

Obviously, for any readers that just read the paragraph above that might be overthinking what we just said, Yes, we author the same Group Policy on all our Windows 10 Workstations, and No it's not our only security measure when using Windows 10, it's one of many.

 

We'll do what we can to provide further follow up on this thread to help out; however regardless of how Group Policy is administered such as Local Machine or Active Directory via a Windows Server and MS Domain for Propagation to all systems in the Domain instead of a WorkGroup for standalone and local operation, having an effective Group Policy in use is essential because a strong Group Policy can eliminate about 95% of the undesired traffic generated by Windows 10.

 

It's hoped that this post encourages others to take a heavy and scrutinous look at all of the available settings in Group Policy.  As always, test each setting in Group Policy prior to making regular use of each setting because some settings in Group Policy do NOT function as they're described to within the details of each, and as always, "Testing, testing, 1, 2, 3..." is the only way to verify whether or not a given setting is functioning in the desired manner that is right for your organization.

 

Best Regards,

 

SLI Overnight Team

 

DISCLAIMER:

Post is provided without warranty or guarantee.  Results may vary depending on hardware and environment.