Anonymous /g/105866677#105879587
7/12/2025, 12:26:20 PM
>>105878531
>Hello everything running inside hypervisor
Might as well install Qubes OS, OP. Windows Server makes for a better Windows TemplateVM.

Use gpedit.msc to change Windows Firewall settings. Set everything to Block or Block All by default. Make sure the setting is set to ignore "local rules" as Windows adds exceptions to your firewall automatically, visible in wf.msc console. Remove all rules in gpedit.msc Windows Firewall area, except for Core Networking DNS rule for outbound, and get rid of all inbound rules. You need to keep the DNS rule disabled, you're just going to make a new custom rule and copy all settings (port/protocol, program/service/app-package tabs, etc) you find in the builtin DNS rule with one difference: scope will be limited to 10.139.1.1-10.139.1.2 and this new DNS rule you made will be the one you enable. This is because MS may be using DNS port comms to exfiltrate telemetry and we know the Qubes DNS handler isn't going to help leak telemetry for Windows.

Then create rules for each program in the template you expect to use, and make sure they are all disabled (by default). The idea here is you will open gpedit when running a daughter AppVM of this template, and enable each rule you need in gpedit.msc at AppVM runtime. I like this because I have Windows behind a VPN qube, and I am using Windows Firewall to block all connections except the slim few I want. The TemplateVM has updates handled occasionally, and TemplateVM is blind to AppVM's state and so can't pass it on up during updating.

I then wrote a PowerShell script to handle IP address assignment from qubesdb in Windows; you may need to as well unless you manually configure your IP information in each Windows qube. It's pretty simple; AI wrote it for me.

QWT is a minor risk (very minor), because the version blessed by Microsoft driver signing was built on a build server which at the time had a zero-day exposing it possibly.
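
The firewall layout described in the post above, sketched with the built-in NetSecurity cmdlets instead of the gpedit.msc GUI. This is an added example, not the poster's script. It assumes that `-PolicyStore localhost` addresses the local Group Policy store, that the built-in DNS rule uses svchost.exe / Dnscache / UDP 53, and the rule names and example program path are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Run inside the Windows TemplateVM. Rules land in the local GPO store,
# the same place gpedit.msc's Windows Firewall node edits (assumption).
$store = 'localhost'

# Default-deny both directions on every profile, and ignore "local rules"
# so the exceptions Windows adds on its own (visible in wf.msc) are not merged.
Set-NetFirewallProfile -PolicyStore $store -All -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block `
    -AllowLocalFirewallRules False

# Start from an empty policy rule set: no inbound rules, no stock outbound rules.
Get-NetFirewallRule -PolicyStore $store -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# Custom DNS rule: same shape as the built-in Core Networking DNS outbound rule
# (assumed settings), but scoped to the two Qubes resolver addresses only.
New-NetFirewallRule -PolicyStore $store `
    -DisplayName 'Qubes DNS (UDP-Out, scoped)' `
    -Direction Outbound -Action Allow -Enabled True `
    -Protocol UDP -RemotePort 53 `
    -RemoteAddress '10.139.1.1-10.139.1.2' `
    -Program '%SystemRoot%\system32\svchost.exe' -Service 'Dnscache' | Out-Null

# One outbound rule per program, created disabled in the template.
# Hypothetical program list; replace with what the template actually ships.
$programs = @{
    'ExampleApp (Out)' = 'C:\Program Files\ExampleApp\example.exe'
}
foreach ($name in $programs.Keys) {
    New-NetFirewallRule -PolicyStore $store -DisplayName $name `
        -Direction Outbound -Action Allow -Enabled False `
        -Program $programs[$name] | Out-Null
}

# Audit: list every rule in the policy store with its state and remote scope.
Get-NetFirewallRule -PolicyStore $store | ForEach-Object {
    [pscustomobject]@{
        Rule    = $_.DisplayName
        Enabled = $_.Enabled
        Remote  = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
    }
} | Format-Table -AutoSize
```

In an AppVM based on this template, a single rule is switched on for the session with `Set-NetFirewallRule -PolicyStore localhost -DisplayName 'ExampleApp (Out)' -Enabled True`.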