I know that (as of 4.2.4) the QWT is in a precarious state being that you have to enable test signatures in Windows, creating a quite large vulnerability. Does this hold for older versions of Windows, like Win7? Is QWT in Win7 full-feature (with the per-application windows etc.)?
@GWeck, if you don’t mind giving me a moment I’d love to hear how you have your W7 setup now.
For those concerned I want an outdated OS
I’m wanting to set up a W7 template VM for software that needs Windows. I’d prefer W7 since W10 is now outdated and it crossed the line for me with all the bloatware and extra “helpful” stuff. W11 is a dumpster fire, sympathies to anyone forced to use it (or who just likes it), you poor souls.
It won’t be connected to the internet. Data infil and exfil will be controlled per-file, and the main threat is just publication of data (tampering really isn’t likely). I’d be happy to hear caveats I should be aware of if you have them.
The version 4.1.69-1 of QWT, which was used under Qubes R4.1, will work under R4.2.4, and that’s what I’ve been using there. Now, I switched to R4.3-rc3, which is quite stable and, with respect to Windows VMs, behaves identically.
This version of QWT also needs testsigning, but only if the Qubes GUI agent of QWT is installed. QWT 4.1.69-1 will run okay without testsignbing, if the GUI agent is not installed, but then you will have no seamless mode; the rest of QWT works as it should.
My W7 installation consists of a template and an AppVM, which are both quite restricted:
The template has no netVM, and, after initial installation and configuration, is never started again. So, there should be no possibility of an attacker using the testsigning feature, which I use because of having QWT installed with its GUI agent.
-The AppVM has networking, but, by its firewall rules, is restricted to accessing the local network. Furthermore, possibly dangerous operations, like Email or working with documents, are not done there but in Linux VMs. So, the possibility of attacks using testsingning is minimized, and, anyhow, is restricted to an AppVM which is cleaned at every restart.
For my threat assessment, this may be well enough. But, anyhow, I have my doubts if any installation of Windows 10 or 11 will be more secure, regarding the vulnerability statistics of these systems and their horrible update history.