Opinion about these two kinds of setup

johnrabbit · April 25, 2016, 4:02pm

Hello
I would have Windows as OS at the end, now my question is about these setup (I know the problem of firgerprint, but I want an answer about the most secure)
1)whonix gateway—>workstation—>rdp with windows
or
2)whonix gateway—>vm with windows

Thank you

Ego · April 25, 2016, 4:03pm

Good day,

Because of the fact that you normally don’t have full control over a system accessed via RDP, the second one should be more secure.

Have a nice day,

Ego

johnrabbit · April 25, 2016, 4:05pm

Hi
Thank you for the fast answer
Do I have to setup an encrypted tunnel between gateway and Windows?

Regards

Patrick · April 25, 2016, 4:12pm

Secure from what? Exploiting your main system? Confidentiality of stuff within Windows VM?

johnrabbit · April 25, 2016, 4:15pm

Exploit my main OS
About rdp I mean vps

Ego · April 25, 2016, 4:18pm

Good day,

No, you host can’t be compromised. I was talking about tracking and usage analysis on the machine.

Have a nice day,

Ego

Patrick · April 25, 2016, 4:19pm

I guess not running Windows on your local machine which is a whole lot of closed source code, and not having Windows able to create connections from somewhere on your local computer is something worthwhile. Depending on how secure the rdp client is against exploitation, the game changes.

johnrabbit · April 25, 2016, 4:30pm

My main OS is debian with full encryption
With rdp in workstation I can use ssh access, tools like fail2ban, change port, disable root access but I don’t have the full control of the vps
About the tracking on VM I can always delete and reinstall right?

Ego · April 25, 2016, 4:38pm

Good day,

Actually no, at least not when talking about the VPS. Like I said before, as you don’t have control over what happens on a server hosted by a third party, you can never tell whether or not anything you do on there is tracked/saved and kept even after deleting. That’s why I’d vouch for keeping full control over what you use.

On your own Windows based Workstation, this obviously is possible

Have a nice day,

Ego

johnrabbit · April 25, 2016, 4:53pm

With the use of Windows workstation do I have to change my MAC address? (windows vm can see my mac or see just gateway mac?)
Can I connect gateway with more windows vm?
If windows vm is infected, is my debian OS doomed too?

Regards

entr0py · April 25, 2016, 7:30pm

No. Connections between Whonix-Gateway ™ and Whonix-Workstation ™

No. Computer Security Education - Whonix

Yes. Multiple Whonix-Workstation + Anonymize Other Operating Systems

Only if your attacker is able to “break out” of your virtualization platform.
Advanced Security Guide - Whonix
Security Guide - Whonix
Whonix for KVM
Advanced Security Guide - Whonix
(docs could use some re-organizing…)

VPS probably only makes sense if:

you have a reliable, secure, pseudonymous method for acquisition & maintenance and
you need a persistent net presence (for example, hosting servers) or
(3.?) you need a clearnet presence
(but the assumption should always be that it is compromised to some degree)

johnrabbit · April 26, 2016, 9:44am

Thank you, very useful answers
I use already KVM, it should be more secure although there are a lot of vulnerabilities explained here