GUIDE

How to protect your Windows crash reports from the NSA

At the beginning of this year Der Spiegel released a number of slides obtained from NSA whistleblower Edward Snowden, detailing some of the methods used by Tailored Access Operations (TAO) – an elite department of the NSA, ‘akin to the wunderkind of the US intelligence community’, who specialise in providing ‘access to our very hardest targets’.

One of the more surprising revelations (among many) was that TAO uses its XKeyscore spying tool to collect data on Windows crash reports in order to discover vulnerabilities in target systems that can then be exploited. As the Der Spiegel report says,

Every user of the operating system is familiar with the annoying window that occasionally pops up on screen when an internal problem is detected, an automatic message that prompts the user to report the bug to the manufacturer and to restart the program. These crash reports offer TAO specialists a welcome opportunity to spy on computers.

One internal NSA slide shows them laughing at Microsoft

Der Spiegel goes on to explain that,

When TAO selects a computer somewhere in the world as a target and enters its unique identifiers (an IP address, for example) into the corresponding database, intelligence agents are then automatically notified any time the operating system of that computer crashes and its user receives the prompt to report the problem to Microsoft.

All versions of Windows (up to Windows 8.1) are susceptible to this form of attack, as much of the information in the reports (including the initial crash report) is transmitted to Microsoft’s servers in clear text, or over standard HTTP connections:

‘Encryption: All report data that could include personally identifiable information is encrypted (HTTPS) during transmission. The software “parameters” information, which includes such information as the application name and version, module name and version, and exception code, is not encrypted.’ (Microsoft).

In addition to this, when a new device is plugged into a Windows machine, unencrypted information about that machine is sent off to the Microsoft servers so that the correct driver can be downloaded automatically.

For a detailed discussion of how Windows Error Reports leak your data, see here.

Stopping Error Report leaks

Although some reports require user consent before being sent to Microsoft, not all do, and even when they do, you may not wish family members or work colleagues on your network inadvertently hitting the ‘Send’ button.

Fortunately, it is possible to turn off Windows error reporting using the built-in Group Policy Editor, although the number of policy settings that need changing is quite alarming.

To open the Group Policy Editor, click ‘Start’, then type ‘Enter group policy’ into the search box.


Double-click a Setting entry to edit it.


You need to change the following settings:

| Local Computer policy | Setting | Change to |
| --- | --- | --- |
| Computer Configuration -> Administrative Templates -> System -> Internet Communication Management -> Internet Communication settings | Turn off Windows Error Reporting | Enabled |
| Computer Configuration -> Administrative Templates -> System -> Device Installation | Do not send a Windows error report when a generic driver is installed on a device | Enabled |
| Computer Configuration -> Administrative Templates -> Windows Components -> Windows Error Reporting | Do not send additional data | Enabled |
| Computer Configuration -> Administrative Templates -> System -> Internet Communication Management -> Internet Communication settings | Turn off handwriting recognition error reporting | Enabled |
| Computer Configuration -> Administrative Templates -> Windows Components -> Windows Error Reporting | Disable Windows Error Reporting | Enabled |
| Computer Configuration -> Administrative Templates -> System -> Device Installation | Prevent Windows from sending an error report when a device driver requests additional software during installation | Enabled |
| Computer Configuration -> Administrative Templates -> System -> Troubleshooting and Diagnostics -> Microsoft Support Diagnostic Tool | Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with Support Provider | Disabled |
| Computer Configuration -> Administrative Templates -> System -> Troubleshooting and Diagnostics -> Scripted Diagnostics | Troubleshooting: Allow users to access online troubleshooting content on Microsoft servers from the Troubleshooting Control Panel (via Windows Online Troubleshooting Service – WOTS) | Disabled |
| Computer Configuration -> Administrative Templates -> System -> Troubleshooting and Diagnostics -> Windows Performance PerfTrack | Enable/Disable PerfTrack | Disabled |
| Computer Configuration -> Administrative Templates -> Windows Components -> Application Compatibility | Turn off Program Inventory | Enabled |
| Computer Configuration -> Administrative Templates -> System -> Device Installation | Specify Search Order for device driver source locations | Enabled: Do not search Windows Update |
| Computer Configuration -> Administrative Templates -> System -> Device Installation | Prevent device metadata retrieval from internet | Enabled |
| Computer Configuration -> Administrative Templates -> Printers | Extend Point and Print connection to search Windows Update | Disabled |

We would like to thank Ryan Ries for tracking down this information.
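With this many settings it is easy to miss one, so the following read-only PowerShell audit (an added example, not part of the original guide) reports whether some of the policies listed above are actually in effect. The registry paths and value names are assumptions that do not appear in the guide: they are the locations these Administrative Template settings are documented to write to, and should be checked against the ADMX templates on your Windows version.

```powershell
# Added example: read-only audit of some of the policies listed in the guide.
# Registry paths and value names are NOT from the guide; they are the locations
# these policies are documented to write to. Verify them on your Windows version.
$p = 'HKLM:\SOFTWARE\Policies\Microsoft'
$expected = @(
    @{ Policy = 'Turn off Windows Error Reporting'
       Key = "$p\PCHealth\ErrorReporting"; Name = 'DoReport'; Want = 0 }
    @{ Policy = 'Disable Windows Error Reporting'
       Key = "$p\Windows\Windows Error Reporting"; Name = 'Disabled'; Want = 1 }
    @{ Policy = 'Do not send additional data'
       Key = "$p\Windows\Windows Error Reporting"; Name = 'DontSendAdditionalData'; Want = 1 }
    @{ Policy = 'Turn off handwriting recognition error reporting'
       Key = "$p\Windows\HandwritingErrorReports"; Name = 'PreventHandwritingErrorReports'; Want = 1 }
    @{ Policy = 'Do not send a WER report when a generic driver is installed'
       Key = "$p\Windows\DeviceInstall\Settings"; Name = 'DisableSendGenericDriverNotFoundToWER'; Want = 1 }
    @{ Policy = 'Prevent error report when a driver requests additional software'
       Key = "$p\Windows\DeviceInstall\Settings"; Name = 'DisableSendRequestAdditionalSoftwareToWER'; Want = 1 }
    @{ Policy = 'Prevent device metadata retrieval from internet'
       Key = "$p\Windows\Device Metadata"; Name = 'PreventDeviceMetadataFromNetwork'; Want = 1 }
    @{ Policy = 'Driver search order: do not search Windows Update'
       Key = "$p\Windows\DriverSearching"; Name = 'SearchOrderConfig'; Want = 0 }
)

$results = foreach ($e in $expected) {
    # A missing key or value means the policy is still "Not Configured".
    $item = Get-ItemProperty -LiteralPath $e.Key -Name $e.Name -ErrorAction SilentlyContinue
    $actual = $null
    if ($null -ne $item) { $actual = $item.($e.Name) }

    $state = 'Mismatch'
    if ($null -eq $item)        { $state = 'NotConfigured' }
    elseif ($actual -eq $e.Want) { $state = 'OK' }

    [pscustomobject]@{
        Policy   = $e.Policy
        Value    = $e.Name
        Expected = $e.Want
        Actual   = $actual
        State    = $state
    }
}

$results | Format-Table -AutoSize -Wrap

# Summarise drift so the script can be run after each policy change.
$drift = @($results | Where-Object { $_.State -ne 'OK' })
'{0} of {1} checked values differ from the guide' -f $drift.Count, @($results).Count
```

A state of NotConfigured means the policy has never been set on that machine, which leaves Windows on its default reporting behaviour.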


Douglas Crawford I am a freelance writer, technology enthusiast, and lover of life who enjoys spinning words and sharing knowledge for a living. Find me on Google+
