Stats and Conclusions for Windows Server 2016

In this article we present statistics and conclusions about the privacy implications of Windows Server 2016. The report is based on a traffic recording of a virtual machine running Windows Server 2016, which ran continuously for 505 days, from 2018-02-03 to 2019-07-20. After installation, the telemetry level of Windows Server 2016 was set to 0 (Security) via the Group Policy Editor (gpedit.msc). The OS was then left alone: it kept its default settings and ran without any third-party software installed. In total, we recorded and analyzed 39,921,165,760 bytes of received and transmitted data.

Outgoing traffic

| Bytes transmitted | Ratio | Traffic type |
|---|---|---|
| 1,198,884,996 | 61.73% | Unencrypted traffic (http) |
| 659,067,954 | 33.93% | Encrypted traffic (https) |
| 48,544,205 | 2.50% | Unencrypted traffic (dns) |
| 35,806,172 | 1.84% | Other traffic (dhcp, icmp, LAN broadcasts) |
| 1,942,303,327 | 100% | Total |

Outgoing traffic pie chart


Incoming traffic

| Bytes received | Ratio | Traffic type |
|---|---|---|
| 36,428,643,464 | 97.91% | Unencrypted traffic (http) |
| 732,594,839 | 1.97% | Encrypted traffic (https) |
| 39,525,093 | 0.11% | Unencrypted traffic (dns) |
| 5,645,192 | 0.01% | Other traffic (dhcp, icmp, LAN broadcasts) |
| 37,206,408,588 | 100% | Total |

Incoming traffic pie chart

Conclusion: most of the incoming data (such as updated Windows binary files) is not encrypted. This is probably done to reduce the load on Microsoft's cloud infrastructure.

IP addresses

Outgoing HTTPS connections

| Number of connections | IP address |
|---|---|
| 20251 | 40.67.254.36 |
| 19361 | 40.67.251.132 |
| 12138 | 40.67.255.199 |
| 9875 | 40.67.252.206 |
| 9674 | 40.67.254.97 |
| 9607 | 40.67.253.249 |
| 9562 | 40.67.251.134 |
| 9505 | 40.67.248.104 |
| 6701 | 52.139.250.253 |
| 6465 | 40.90.189.152 |
| 5162 | 40.77.229.141 |
| 4901 | 204.79.197.200 |
| 3447 | 13.92.209.232 |
| 3397 | 52.179.84.19 |
| 3387 | 13.92.210.230 |
| 3386 | 52.179.13.204 |
| 3368 | 13.92.229.58 |
| 3325 | 52.170.194.77 |
| 3291 | 13.92.211.253 |
| 3247 | 13.92.211.120 |
| 3237 | 13.92.210.83 |
| 3185 | 40.90.190.179 |
| 1658 | 13.74.179.117 |
| 1604 | 13.68.93.109 |
| 1602 | 40.77.226.246 |

Full list — 369 IP addresses

Outgoing HTTP connections

| Number of connections | IP address |
|---|---|
| 9827 | 13.107.4.50 |
| 7563 | 104.103.90.39 |
| 2188 | 23.52.22.175 |
| 1659 | 93.184.221.240 |
| 1189 | 93.184.220.29 |
| 809 | 104.123.123.147 |
| 795 | 13.107.4.52 |
| 734 | 205.185.216.10 |
| 658 | 23.43.139.146 |
| 649 | 104.81.229.106 |
| 556 | 23.61.218.119 |
| 546 | 205.185.216.42 |
| 407 | 91.223.19.232 |
| 383 | 104.102.4.56 |
| 364 | 91.223.19.233 |
| 304 | 91.223.19.243 |
| 239 | 2.21.89.57 |
| 228 | 104.94.106.116 |
| 224 | 91.223.19.235 |
| 221 | 2.21.89.24 |
| 168 | 8.251.101.254 |
| 168 | 104.90.156.189 |
| 147 | 68.232.34.240 |
| 126 | 104.94.183.45 |
| 125 | 8.253.143.121 |

Full list — 358 IP addresses

Conclusion: blacklisting this many IP addresses on the firewall seems impractical. They belong to many different subnets all over the globe, and some of them probably depend on the geographical location or identity of the end user.
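To put numbers on the "many different subnets" point, here is an added Python snippet (not part of the original report) that takes the top HTTPS destinations from the table above, aggregates them by /16 and /24 prefix, and reports how much of the sampled connection volume the busiest prefixes would cover.

```python
import ipaddress
from collections import Counter

# Connection counts per destination IP, copied from the report's
# "Outgoing HTTPS connections" table (top 15 entries only).
HTTPS_CONNECTIONS = {
    "40.67.254.36": 20251, "40.67.251.132": 19361, "40.67.255.199": 12138,
    "40.67.252.206": 9875, "40.67.254.97": 9674, "40.67.253.249": 9607,
    "40.67.251.134": 9562, "40.67.248.104": 9505, "52.139.250.253": 6701,
    "40.90.189.152": 6465, "40.77.229.141": 5162, "204.79.197.200": 4901,
    "13.92.209.232": 3447, "52.179.84.19": 3397, "13.92.210.230": 3387,
}

def aggregate_by_prefix(connections, prefixlen):
    """Sum connection counts per /prefixlen network (e.g. 16 or 24).
    Returns a Counter keyed by network string such as '40.67.0.0/16'."""
    totals = Counter()
    for ip, count in connections.items():
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        totals[str(net)] += count
    return totals

def coverage(connections, prefixlen, top_n):
    """Fraction of all sampled connections that fall into the top_n
    busiest /prefixlen networks, i.e. what a coarse prefix rule would catch."""
    totals = aggregate_by_prefix(connections, prefixlen)
    covered = sum(count for _, count in totals.most_common(top_n))
    return covered / sum(connections.values())

if __name__ == "__main__":
    for plen in (16, 24):
        nets = aggregate_by_prefix(HTTPS_CONNECTIONS, plen)
        print(f"/{plen}: {len(nets)} distinct networks, "
              f"busiest covers {coverage(HTTPS_CONNECTIONS, plen, 1):.1%}")
```

A single /16 already catches most of the sampled connections, but the remainder spreads over several further prefixes, and nothing in the recording says what else is hosted there.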

Domain names

Outgoing HTTPS connections

| Number of connections | Domain name |
|---|---|
| 151305 | client.wns.windows.com. |
| 6916 | tsfe.trafficshaping.dsp.mp.microsoft.com. |
| 4901 | ieonline.microsoft.com. |
| 4112 | sls.update.microsoft.com. |
| 3980 | login.live.com. |
| 3097 | fe2.update.microsoft.com. |
| 1058 | settings-win.data.microsoft.com. |
| 943 | licensing.mp.microsoft.com. |
| 939 | wdcp.microsoft.com. |
| 161 | wdcpalt.microsoft.com. |
| 159 | db5p.wns.windows.com. |
| 140 | ieonlinews.microsoft.com. |
| 108 | go.microsoft.com. |
| 75 | www.microsoft.com. |
| 67 | storecatalogrevocation.storequality.microsoft.com. |
| 52 | bl2p.wns.windows.com. |
| 37 | DB5SCH103102310.wns.windows.com. |
| 26 | DB6SCH102090208.wns.windows.com. |
| 24 | sg2p.wns.windows.com. |
| 22 | DB6SCH102090905.wns.windows.com. |
| 22 | DB6SCH102090603.wns.windows.com. |
| 22 | DB6SCH102090305.wns.windows.com. |
| 20 | DB5SCH101110821.wns.windows.com. |
| 20 | DB5SCH101110713.wns.windows.com. |
| 20 | DB5SCH101101740.wns.windows.com. |

Full list — 336 domain names

Outgoing HTTP connections

| Number of connections | Domain name |
|---|---|
| 14981 | go.microsoft.com. |
| 9667 | au.download.windowsupdate.com. |
| 2768 | ctldl.windowsupdate.com. |
| 2349 | 7.au.download.windowsupdate.com. |
| 1902 | download.windowsupdate.com. |
| 1185 | ocsp.digicert.com. |
| 795 | www.msftconnecttest.com. |
| 708 | 3.au.download.windowsupdate.com. |
| 430 | 2.au.download.windowsupdate.com. |
| 365 | 11.au.download.windowsupdate.com. |
| 288 | 9.au.download.windowsupdate.com. |
| 68 | dmd.metaservices.microsoft.com. |
| 64 | 4.au.download.windowsupdate.com. |
| 44 | 001513-1.l.windowsupdate.com. |
| 39 | 000e86-1.l.windowsupdate.com. |
| 35 | 000507-1.l.windowsupdate.com. |
| 34 | 0004dc-1.l.windowsupdate.com. |
| 24 | ocsp.msocsp.com. |
| 18 | 0005d6-1.l.windowsupdate.com. |
| 17 | www.microsoft.com. |
| 17 | 00000d-1.l.windowsupdate.com. |
| 13 | mscrl.microsoft.com. |
| 13 | 00113c-1.l.windowsupdate.com. |
| 8 | 0016be-1.l.windowsupdate.com. |
| 4 | crl3.digicert.com. |

Full list — 31 domain names

Conclusion: unlike Windows 10, Windows Server 2016 telemetry traffic can practically be blocked at the DNS level, at least while the telemetry level is set to 0 (Security). This requires some generalization (wildcard domain names in the blocking rules), as domain names may vary with the geographical location or identity of the end user, the current time, the Windows Server build number, etc.
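The generalization step that conclusion calls for, as an added Python example that is not part of the original report: machine-generated leftmost labels (DB5SCH103102310, 7, 001513-1) are collapsed into a wildcard so one rule covers the whole family, and every observed name is then audited against a rule set in which allow rules take precedence, so that an over-broad wildcard can never cut off Windows Update or revocation checking. The block/allow policy itself is an assumption of this example, not something the report specifies.

```python
import fnmatch

# Names observed in the report's outgoing-connection tables (trailing dots stripped).
OBSERVED = [
    "client.wns.windows.com", "db5p.wns.windows.com", "DB5SCH103102310.wns.windows.com",
    "DB6SCH102090208.wns.windows.com", "settings-win.data.microsoft.com",
    "tsfe.trafficshaping.dsp.mp.microsoft.com", "wdcp.microsoft.com",
    "fe2.update.microsoft.com", "7.au.download.windowsupdate.com",
    "001513-1.l.windowsupdate.com", "ocsp.digicert.com", "login.live.com",
]

# Constructed policy (an assumption of this example, not the report's): block the
# notification/telemetry families, never the update or revocation endpoints.
BLOCK = ["*.wns.windows.com", "*.data.microsoft.com", "*.dsp.mp.microsoft.com",
         "wdcp.microsoft.com", "wdcpalt.microsoft.com"]
ALLOW = ["*.windowsupdate.com", "*.update.microsoft.com", "ocsp.*", "crl*.*"]

def generalize(name):
    """Collapse a machine-generated leftmost label (one containing a digit,
    e.g. DB5SCH103102310 or 7) into '*', so one rule covers the family."""
    labels = name.lower().rstrip(".").split(".")
    if any(ch.isdigit() for ch in labels[0]):
        labels[0] = "*"
    return ".".join(labels)

def wildcard_rules(names):
    """Distinct generalized patterns, in first-seen order."""
    return list(dict.fromkeys(generalize(n) for n in names))

def matches(pattern, name):
    """Case-insensitive glob match; '*' may span several labels."""
    return fnmatch.fnmatchcase(name.lower().rstrip("."), pattern.lower())

def verdict(name):
    """ALLOW is checked first so an over-broad block rule cannot stop updates."""
    if any(matches(p, name) for p in ALLOW):
        return "allow"
    if any(matches(p, name) for p in BLOCK):
        return "block"
    return "pass"

def audit(names):
    """Bucket names by verdict; 'pass' entries still need a rule or a decision."""
    out = {"allow": [], "block": [], "pass": []}
    for n in names:
        out[verdict(n)].append(n)
    return out
```

Run `audit(OBSERVED)` after each new capture: anything landing in the "pass" bucket is a name the current rules do not cover yet, which is exactly the drift the conclusion warns about.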

Autonomous systems

Outgoing traffic breakdown by AS

| Bytes transmitted | Ratio | AS Number | Organization |
|---|---|---|---|
| 593,822,751 | 38.43% | AS8075 | MICROSOFT-CORP-MSN-AS-BLOCK – Microsoft Corporation, US |
| 339,797,523 | 21.99% | AS8068 | MICROSOFT-CORP-MSN-AS-BLOCK – Microsoft Corporation, US |
| 210,290,726 | 13.61% | AS3356 | LEVEL3 – Level 3 Communications, Inc., US |
| 146,731,160 | 9.50% | AS15133 | EDGECAST – MCI Communications Services, Inc. d/b/a Verizon Business, US |
| 71,170,466 | 4.61% | AS20940 | AKAMAI-ASN1, US |
| 66,945,670 | 4.33% | AS20446 | HIGHWINDS3 – Highwinds Network Group, Inc., US |
| 52,340,110 | 3.39% | AS21343 | ALLIED – Allied Standart Limited LLC, UA |
| 34,425,103 | 2.23% | AS50952 | DATAIX-AS – Peering Ltd., RU |
| 16,639,254 | 1.08% | AS22822 | LLNW – Limelight Networks, Inc., US |
| 7,157,259 | 0.46% | AS16625 | AKAMAI-AS – Akamai Technologies, Inc., US |
| 5,829,418 | 0.38% | | other |

Outgoing traffic breakdown by AS (chart)

Incoming traffic breakdown by AS

| Bytes received | Ratio | AS Number | Organization |
|---|---|---|---|
| 10,934,939,834 | 30.88% | AS8068 | MICROSOFT-CORP-MSN-AS-BLOCK – Microsoft Corporation, US |
| 8,314,353,265 | 23.48% | AS3356 | LEVEL3 – Level 3 Communications, Inc., US |
| 5,896,117,091 | 16.65% | AS15133 | EDGECAST – MCI Communications Services, Inc. d/b/a Verizon Business, US |
| 3,124,783,119 | 8.83% | AS20940 | AKAMAI-ASN1, US |
| 2,202,774,948 | 6.22% | AS21343 | ALLIED – Allied Standart Limited LLC, UA |
| 2,186,811,262 | 6.18% | AS20446 | HIGHWINDS3 – Highwinds Network Group, Inc., US |
| 1,618,390,659 | 4.57% | AS50952 | DATAIX-AS – Peering Ltd., RU |
| 600,642,763 | 1.70% | AS8075 | MICROSOFT-CORP-MSN-AS-BLOCK – Microsoft Corporation, US |
| 333,859,670 | 0.94% | AS22822 | LLNW – Limelight Networks, Inc., US |
| 148,296,651 | 0.42% | AS1299 | TELIANET – Telia Carrier, SE |
| 47,124,951 | 0.13% | | other |

Incoming traffic breakdown by AS (chart)

Conclusion: two Microsoft autonomous systems clearly dominate, but others appear as well. The autonomous systems of AKAMAI, LEVEL3 and other cloud providers cannot be blocked at the firewall level, because that would break the normal operation of too many systems: stable connectivity to these servers is required by far more than Microsoft's products.