
441 points ploggingdev | 1 comments
AaronFriel No.15735264
I'm very excited that Microsoft is moving in the same direction. The feature Windows Defender Application Guard (WDAG) runs Windows applications, right now only the Edge browser, in a virtualization isolated container[1]. Under the hood it's using what Microsoft calls "Hyper-V Containers", which are lightweight virtual machines that share some host resources such as a read-only filesystem. The closest open source analogues to that are Intel(R) Clear Containers[2] and Qubes.

The closest you can get to Qubes on Windows would be to follow Microsoft's Privileged Access Workstation (PAW) guide, but it requires a lot of additional infrastructure[3]. That infrastructure allows you to do remote attestation of the virtual machines, but makes it costly to deploy in an SMB or homelab environment.

I don't expect it'll be very long before PAW and WDAG are usable at the same time, with colored window borders indicating the origin virtual machine. I hope this is on Microsoft's roadmap.

Video on privileged access workstation use, starting at a demo: https://youtu.be/3v8yQz2GWZw?t=41m48s

Video on privileged access workstation setup: https://www.youtube.com/watch?v=aPhfRTLXk_k

[1] https://docs.microsoft.com/en-us/windows/threat-protection/w...

[2] https://clearlinux.org/features/intel®-clear-containers

[3] https://docs.microsoft.com/en-us/windows-server/identity/sec...

1. bearbearbear No.15736061
> right now only the Edge browser

Did you know if you force remove Edge from Windows 10 it will forever after ignore the "always use this" checkbox and prompt you to choose your default browser every time the browser is called from a link in an application?