I am making a 1 page reference sheet on how to secure Windows 7 VM with Whonix

Hi. I have gone through the documentation the last couple of weeks and I am looking at making a 1 page printable reference sheet without fluff on how to secure as much as possible a virtual Windows 7 machine going through a Whonix gateway. I may have missed something because there is so much stuff and it is extremely confusing for me with all the pages on things like transparent proxies, isolating proxies and stream isolation. Can someone confirm if this is correct? I know for sure I am missing how to “Secure Distributed Network Time Synchronization”, there is no documentation.


-Download Whonix Gateway from: Download Whonix ™ (FREE)

-Import Whonix gateway into VirtualBox. Do not change any settings when importing!

-Boot into Whonix Gateway and change password:
The default username is: user
The default password is: changeme
Login as root:
sudo su
Change root and user password:
passwd
passwd user
and follow the instructions.

-Make Windows 7 VirtualBox: VirtualBox → Machine → New → Next → Enter Name “Windows 7” → Enter Operating System and Version → Next → define RAM → Next → create a new hdd → Next → disk format doesn’t matter, VDI works fine however → Next → dynamically or fixed size is a matter of preference → Next → hdd size and location is a matter of preference → Next → Create.

-Choose the newly created VM and change these settings:
Settings → System → Motherboard → Hardware Clock in UTC
System → Processor → Enable PAE/NX if available
Network → Adapter 1 → attached to Internal Network (Important!)
Network → Adapter 1 → Name (of Internal Network) (Important!): Whonix
(Note: It’s Whonix, not whonix. Case sensitive. Capital W.)
USB → uncheck Enable USB controller → OK.
Disable Audio
Do not enable Shared Folders
Do not enable video acceleration
Do not enable Serial Port
Do not install VirtualBox Guest Additions
Remove Floppy drive
Remove CD/DVD drive
Do not attach USB devices
Do not enable Remote Display server
Do not enable IO APIC, EFI?

-Install Windows 7 with the following settings:
username: user
computer name: host
Network in Control Panel → Network and Sharing Center: click on “Change adapter settings”. Right-click on Local Area Connection → Properties. In the properties window, double-click Internet Protocol Version 4 and use the following settings:
IP address 192.168.0.50
Subnet netmask 255.255.255.0
Default gateway 192.168.0.10
Preferred DNS server 192.168.0.10

-Disable Windows 7 from synchronizing time with Microsoft time servers.

-Disable VirtualBox clipboard sharing and Drag and Drop.

-Install Tor Browser in Windows.
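
The VirtualBox settings in the checklist above can be checked from the host. This is an added example, not part of the original post: it audits the output of `VBoxManage showvminfo "<vm>" --machinereadable` against the list. The key names and values are assumed to match what your VirtualBox version prints, and the sample input is constructed.

```shell
# Audit VirtualBox VM settings against the checklist in the post above.
# Key names/values are assumptions; confirm them on your VirtualBox version.

# Constructed sample, not from a real VM: clipboard sharing is left enabled.
SAMPLE='name="Windows 7"
pae="on"
rtcuseutc="on"
nic1="intnet"
intnet1="Whonix"
uart1="off"
audio="none"
clipboard="bidirectional"
draganddrop="disabled"
vrde="off"
usb="off"
accelerate3d="off"'

# Print the quoted value of key $2 found in info text $1 (empty if absent).
vm_get() {
  printf '%s\n' "$1" | sed -n "s/^$2=\"\(.*\)\"\$/\1/p" | head -n 1
}

# Print one FAIL line per deviation; return 1 if any. Missing keys also fail.
audit_vm() {
  info=$1; rc=0
  while read -r key want; do
    [ "$got" = "" ] || got=""; got=$(vm_get "$info" "$key")
    [ "$got" = "$want" ] || { echo "FAIL $key: want '$want', got '$got'"; rc=1; }
  done <<EOF
nic1 intnet
intnet1 Whonix
rtcuseutc on
pae on
usb off
audio none
clipboard disabled
draganddrop disabled
vrde off
uart1 off
accelerate3d off
EOF
  # Any shared-folder mapping key means a shared folder is configured.
  if printf '%s\n' "$info" | grep -q '^SharedFolderName'; then echo "FAIL shared folder configured"; rc=1; fi
  return $rc
}

# Real use: audit_vm "$(VBoxManage showvminfo "Windows 7" --machinereadable)"
audit_vm "$SAMPLE" || echo "VM deviates from checklist"
```

The comparison is case-sensitive, so an internal network named `whonix` instead of `Whonix` is reported as a failure.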

These steps are just basic security. “Secure as much as possible” isn’t easy. It’s difficult because no one has implemented the features a Whonix-Default-Workstation implements for a Whonix-Windows-Workstation. So you’re left with either doing the stuff manually, implementing it yourself or not benefiting from those features.

I know for sure I am missing how to "Secure Distributed Network Time Synchronization", there is no documentation.

There is no software to automate this - because no one has written it or ported sdwdate to Windows. There is also no specific stop gap documentation, except reading between the lines:

Maybe Whonix gets sponsoring to improve this situation:
https://www.whonix.org/wiki/Dev/Sponsor/A#Other_Operating_System_Support

Ok, do I have to do anything with transparent proxies, isolating proxies and stream isolation?

For use case “secure as much as possible”, these concepts are worth understanding. It is up to you if you’re trading your valuable time learning this stuff for better security or not. I can understand either choice.

I am sorry that I was actually trying to help you guys. Your documentation is such a mess that even people with a tech background don’t understand what you are talking about. I was actually trying to make a 1 page summary of things that need to be done for people to secure a Windows VM and was asking for help on things I don’t understand. I don’t know what it is about Linux communities that don’t want to help one another, I can see why Linux will never be able to compete against Microsoft and Apple. The devs don’t give a damn about users.

Thank you for your opinion! Linux is what the whole community makes out of it. I thought as you did before I became a Linux distribution developer. Now that I am one, I understand better why things are as they are, and that there is no quick fix. In summary, the main issues probably are:

  • lack of frustration tolerance
  • failure of communication
  • failure of understanding users (the more knowledgeable you become, the further away you get from understanding users)
  • lack of skill (writing usable software and documentation is a hard challenge)
  • lack of feedback
  • lack of time (users who would be able to give feedback don’t have the time to do so; devs lack time for empirical user surveys)
  • lack of money (no money for running empirical user experience surveys)

Well, I hope things will turn around. I was only trying to help. Keep in mind that the target people that would use Whonix in the future aren’t all technically savvy and can’t go through hundreds of pages of documentation. I was trying to save them time.