How can I prevent Windows Server 2008 R2 from phoning home?

2

I have a Windows 2008 R2 server which is to contain sensitive documents on a small LAN. The two users who use the server do so via RDP so no documents are transferred to client workstations. During a due diligence operation, I determined that numerous services and scheduled tasks built into Windows can phone home and potentially leak data.

I would like to prevent any of these built-in services from doing so, if possible at a server level.

I do not have control of the firewall on the LAN unfortunately, as it's a canned, remotely maintained one with a lengthy contract. Control of this would be no use either, as outbound HTTP is required for the two RDP users on the machine.

Patches are pushed to the machine via PowerShell from a workstation. Windows update is turned off already.

I have considered Windows Firewall but I do not 100% trust its configuration tooling and I know that some services can add exceptions to the rules at runtime.

What solutions are available to resolve this problem, and is there any documentation on what potentially goes over the wire, or is this a reverse engineering job?

Any help appreciated!

Chris Smith

Posted 2013-06-07T19:22:08.307

Reputation: 31

3

If you don't trust Microsoft and/or their operating system, you shouldn't use it. That being said, if you don't have any control over the network the machine is connected to, your best bet might be something like NetLimiter which enables fine-grained control over which processes can connect to the internet.

– Der Hochstapler – 2013-06-07T19:27:01.667

1

Thanks for your reply. I'm a Linux guy who has unfortunately inherited this. I'd switch it over in a heartbeat, but there are two specialist applications that run only on IIS + SQL Server. Will take a look at NetLimiter. – Chris Smith – 2013-06-07T19:30:51.297

There might be more "professional" solutions to a problem like this, but I really only have experience with NL. I would have suggested the Windows firewall otherwise, but your concerns regarding services adding exceptions are founded. If something like this is actually happening, I can't say. The only "phoning home" I'm aware of is Windows Error Reporting and the Windows Customer Experience Improvement Program (both of which can be disabled easily). If anything else is happening beyond that, I don't know. – Der Hochstapler – 2013-06-07T19:35:40.697

Answers

3

The simplest way to do this is through Group Policy. Using Group Policy you can set non-overrideable firewall rules to block all outgoing connections unless they are added to an explicit allow list that only Domain Administrator users can add to. If all the software on the server is running as Local Administrator or lower, it can't override the Group Policy rules (and even if it did get a way to change them, reviewing the resultant firewall rules is something that is very easy to audit on Windows).

If you need more information on how to set up firewall rules via group policy I can try and add more information.


I said that is the easiest way, there are more fine grained controls where you can turn off each of the windows specific features that use internet access.

Scott Chamberlain

Posted 2013-06-07T19:22:08.307

Reputation: 28 923

Thanks for this. I was unaware you could manage firewall rules with group policy. I've found a TechNet article which appears to cover it: http://technet.microsoft.com/en-us/library/cc753955(v=ws.10).aspx

– Chris Smith – 2013-06-07T19:46:28.477
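As an added example, not code from the thread or from either poster, here is a PowerShell 2.0 script for the audit step the answer mentions (reviewing the resultant firewall rules): it parses `netsh advfirewall` rule output and flags enabled outbound Allow rules that are not on an approved list, so an exception added at runtime stands out. The sample rule names and the approved list are constructed for the demonstration.

```powershell
# Audit the effective Windows Firewall rules on Server 2008 R2 and report
# outbound ALLOW rules that are not on an approved list. In the GPO, setting
# "Apply local firewall rules" to No on each profile is what stops locally
# added exceptions from merging into the effective set; this script shows
# what is actually in effect either way.

function ConvertFrom-NetshRules {
    # Parse "netsh advfirewall ... show rule" text into one object per rule.
    param([string[]]$Lines)
    $rules = @(); $cur = $null
    foreach ($line in $Lines) {
        if ($line -match '^Rule Name:\s+(.+)$') {
            if ($cur) { $rules += $cur }
            $cur = New-Object PSObject -Property @{ Name = $matches[1].Trim() }
        } elseif ($cur -and $line -match '^([A-Za-z ]+):\s+(.+)$') {
            # "Edge traversal" becomes the property "Edgetraversal", etc.
            $cur | Add-Member NoteProperty ($matches[1].Trim() -replace ' ', '') $matches[2].Trim()
        }
    }
    if ($cur) { $rules += $cur }
    return $rules
}

function Find-UnapprovedOutboundAllows {
    # Return enabled outbound Allow rules whose names are not in $Approved.
    param([object[]]$Rules, [string[]]$Approved)
    $Rules | Where-Object {
        $_.Direction -eq 'Out' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'Yes' -and
        -not ($Approved -contains $_.Name)
    }
}

# Live use: the "monitor" view lists the rules currently in effect, including
# those delivered by Group Policy, not only the locally stored ones.
# $live = netsh advfirewall monitor show firewall rule name=all dir=out
# Find-UnapprovedOutboundAllows (ConvertFrom-NetshRules $live) $approved

# Constructed sample of netsh output so the script runs offline.
$sample = @'
Rule Name:                            Core Networking - DNS (UDP-Out)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Action:                               Allow

Rule Name:                            Some Vendor Updater
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Action:                               Allow
'@ -split "`r?`n"

$approved = @('Core Networking - DNS (UDP-Out)', 'Browser HTTP/HTTPS for RDP users')
Find-UnapprovedOutboundAllows (ConvertFrom-NetshRules $sample) $approved |
    Format-Table Name, Direction, Action -AutoSize
```

Run the live variant from the same workstation that pushes patches and diff the flagged list against the previous run to catch newly added exceptions.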