How to use Windows 10 and handle sensitive data without going to jail in 10 easy steps.
Why on Earth do you expose sensitive data to Windows?!?, you might ask.
Because I work in a Microsoft-dominated setting and the world in general is full of legacy applications. If you want to behave professionally in anything other than complete isolation, you will have to touch Word and Excel files once in a while. The fragility and volatility of these formats demand that they only be handled with the latest and fanciest Original Microsoft-Office Products ®. No, LibreOffice is not an option.
Also, in many settings you can only function with Microsoft Outlook ® at your fingertips. Otherwise you can’t put appointments on other people’s agendas, can’t place reservations for boats (yes, we have boats), or organize your mail. No, the OWA web interface is not an option.
Run Windows in a VM on your Linux box. That works amazingly well with VMware Workstation Pro and some people also seem to be happy with VirtualBox.
As a data manager, you (and by proxy the programs running on your Windows box) will have read access to researchers’ sensitive data (in particular personal data) that is stored on the shared infrastructure of your company’s Windows domain, which your Windows box joins automatically. If you also have write access to other people’s data, the risk is not only data exfiltration but also malware such as crypto-trojans.
Observing the network traffic of a Windows 10 installation, you will notice that even switching off the most hidden “telemetry” settings does pretty much nothing to stop the unasked-for blaring of your Windows box. Various executables, system ones and third-party ones that you did not install (or installed under the assumption that a PDF reader doesn’t need to communicate with shady servers around the world), talk without pause and without obvious reason to computers in places you never heard of. There are even programs that will download and re-install other programs that you just uninstalled. You can find that out by using Windows “firewall” tools such as WFN. This is an interesting, yet by no means stable experience, but at this stage the Windows box is unusable for work anyway.
(This refers to Debian Stretch on the host with VMware Workstation Pro 14.1. or VirtualBox)
Goal: The VM can talk to the company network (Outlook, updates, …) but is completely cut off from the rest of the world.
Strategy: Use iptables on your host-system to gag and shackle the VM running Windows.
1. Have the virtualization software create virtual “host-only” interfaces on the host.
VirtualBox: VirtualBox Manager -> File -> Host Network Manager -> Create. Leave the defaults, don’t enable DHCP Server. Let’s assume in the following that the name of the adapter is vboxnet0.
VMware Workstation: Edit -> Virtual Network Editor -> Add Network. Let’s assume in the following its name is vmnet1. Select “Host-only” and “Connect a host virtual adapter (vmnet1) to this network.” Don’t “Use a local DHCP service …”.
2. Associate the VM’s Ethernet adapter with the virtual host adapter.
(The VM has to be down to do that)
VirtualBox: Machine -> Settings -> Network. Select “Host-only Adapter”, select Name: vboxnet0.
VMware Workstation: Virtual Machine Settings -> Network adapter -> “Custom: Specify virtual network” -> Select vmnet1. In case your Windows machine gets a fixed IP from the company’s DHCP server, you might want to set the proper (old) MAC address under “Advanced”.
3. Make sure your host has the following packages installed:
4. Load the module br_netfilter. That is necessary for iptables to be able to filter on a bridge (the append to the file must run as root, so go through tee rather than a plain “sudo echo … >>”, where the redirection would be done by your unprivileged shell):
echo br_netfilter | sudo tee -a /etc/modules-load.d/modules.conf
sudo systemctl restart systemd-modules-load
5. Modify /etc/network/interfaces so that the host’s primary interface and the virtual host adapter are slaves to a newly created bridge br0:
(In the following we use vboxnet0 and eth0 for virtual host interface and physical interface, respectively. Replace with their real names if necessary.)
# define the slave interfaces (possibly redundant)
iface eth0 inet manual
iface vboxnet0 inet manual
# set up the bridge; "auto" is needed so that the networking service (ifup -a) brings it up
auto br0
iface br0 inet dhcp
bridge_ports eth0 vboxnet0
# set bridge's MAC address. Useful if your host gets a fixed IP from the company's DHCP server.
post-up ip link set br0 address 08:62:66:2c:6e:66
# loopback interface (unchanged)
iface lo inet loopback
6. Restart the host’s network
sudo systemctl stop networking
For good measure, remove IP addresses from slave interfaces:
sudo ip address flush dev eth0
sudo ip address flush dev vboxnet0
sudo systemctl start networking
7. Check host settings
sudo ifconfig should show eth0 and vboxnet0 up, but without addresses. br0 should look like your primary interface (eth0) looked before.
sudo brctl show should show the bridge and the two enslaved interfaces.
8. Set the firewall rules
(Replace 188.8.131.52/16 in all three places below with your company network. The extra 255.255.255.255 destination lets the VM’s DHCP broadcasts through.)
sudo iptables -P FORWARD DROP
sudo iptables -A FORWARD -m physdev --physdev-in vboxnet0 -d 188.8.131.52/16,255.255.255.255 -j ACCEPT
sudo iptables -A FORWARD -m physdev --physdev-out vboxnet0 -s 188.8.131.52/16 -j ACCEPT
In case your company network is IPv6, repeat with ip6tables. Otherwise just DROP IPv6 traffic across the bridge:
sudo ip6tables -A FORWARD -j DROP
9. Make the firewall rules persistent:
sudo netfilter-persistent save
10. Check it
Fire up the Windows VM and check whether you can reach (e.g. in the browser) your company homepage (should work) and an external website (should not work).
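As an added example (not code from the original post), the script below generates the step 8 rules in iptables-restore format for a given VM port and company network, and audits a saved ruleset from the host side, which complements the in-VM check of step 10. The port name vboxnet0 and the network 10.20.0.0/16 are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the original post): build the iptables-restore
# ruleset for the bridged Windows VM and audit a saved ruleset for the two
# properties that matter. Port and network names are constructed samples.

# gen_rules PORT CIDR: print a *filter table in iptables-save format that
# mirrors the rules above: FORWARD defaults to DROP, frames entering the
# bridge from the VM's port may only go to the company net (plus the DHCP
# broadcast address), frames leaving to the VM's port may only come from it.
gen_rules() {
    case "$2" in
        */*) ;;
        *) echo "gen_rules: need a CIDR such as 10.20.0.0/16" >&2; return 1 ;;
    esac
    printf '%s\n' \
        '*filter' \
        ':INPUT ACCEPT [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        "-A FORWARD -m physdev --physdev-in $1 -d $2,255.255.255.255 -j ACCEPT" \
        "-A FORWARD -m physdev --physdev-out $1 -s $2 -j ACCEPT" \
        'COMMIT'
}

# audit_rules PORT: read iptables-save text on stdin (e.g. from
# "sudo iptables-save" or gen_rules); print "ok" and return 0 only if the
# FORWARD policy is DROP and every ACCEPT in FORWARD is tied to PORT via
# --physdev-in/--physdev-out. Otherwise print each offending line, return 1.
audit_rules() {
    port=$1; ok=1; seen_drop=0
    while IFS= read -r line; do
        case "$line" in
            ':FORWARD DROP'*) seen_drop=1 ;;
            ':FORWARD '*) echo "FORWARD policy is not DROP: $line"; ok=0 ;;
            '-A FORWARD '*'-j ACCEPT'*)
                case "$line" in
                    *"--physdev-in $port "*|*"--physdev-out $port "*) ;;
                    *) echo "ACCEPT not tied to $port: $line"; ok=0 ;;
                esac ;;
        esac
    done
    [ "$ok" = 1 ] && [ "$seen_drop" = 1 ] && echo ok
}

# Demo on constructed values. On a real host, once the output looks right:
#   gen_rules vboxnet0 10.20.0.0/16 | sudo iptables-restore
gen_rules vboxnet0 10.20.0.0/16 | audit_rules vboxnet0
```

On a live host, `sudo iptables-save | audit_rules vboxnet0` reports any ACCEPT in FORWARD that is not bound to the VM’s bridge port, which is the usual way such a setup silently leaks after a rule edit.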