this post was submitted on 15 Aug 2024
25 points (96.3% liked)

Ask Lemmy

26890 readers
1695 users here now

A Fediverse community for open-ended, thought provoking questions

Please don't post about US Politics. If you need to do this, try !politicaldiscussion@lemmy.world


Rules: (interactive)


1) Be nice and; have funDoxxing, trolling, sealioning, racism, and toxicity are not welcomed in AskLemmy. Remember what your mother said: if you can't say something nice, don't say anything at all. In addition, the site-wide Lemmy.world terms of service also apply here. Please familiarize yourself with them


2) All posts must end with a '?'This is sort of like Jeopardy. Please phrase all post titles in the form of a proper question ending with ?


3) No spamPlease do not flood the community with nonsense. Actual suspected spammers will be banned on site. No astroturfing.


4) NSFW is okay, within reasonJust remember to tag posts with either a content warning or a [NSFW] tag. Overtly sexual posts are not allowed, please direct them to either !asklemmyafterdark@lemmy.world or !asklemmynsfw@lemmynsfw.com. NSFW comments should be restricted to posts tagged [NSFW].


5) This is not a support community.
It is not a place for 'how do I?', type questions. If you have any questions regarding the site itself or would like to report a community, please direct them to Lemmy.world Support or email info@lemmy.world. For other questions check our partnered communities list, or use the search function.


Reminder: The terms of service apply here too.

Partnered Communities:

Tech Support

No Stupid Questions

You Should Know

Reddit

Jokes

Ask Ouija


Logo design credit goes to: tubbadu


founded 1 year ago
MODERATORS
 

I've been issued a work laptop with Windows 11, running the Sophos Endpoint Agent, which monitors all web traffic and processes running on the PC and blocks malicious stuff.
If I install a Linux VM on it and access the web from inside it, will the Endpoint Agent see what I'm doing and be able to block access the same way as it does on the host?

I guess what I'm asking is, how does accessing a website from inside a VM work, actually? Does all the traffic get routed through the host OS unencrypted?

The purpose isn't to try to circumvent any security measures or go over the heads of the IT department, but rather to find out if I can make a case for using my favorite OS on this thing without compromising security.

top 8 comments
sorted by: hot top controversial new old
[–] eating3645@lemmy.world 36 points 3 months ago

Keep your work and personal software separated. If you don't need it to do your job, don't install it on your work machine. If you don't need to access a site for work, don't access it on your work machine.

At the end of the day, it's not your computer and you shouldn't treat it like it is.

[–] user224@lemmy.sdf.org 18 points 3 months ago

Consider it non-secure for personal stuff. Consider the possibility of full monitoring. They may not see the contents of encrypted traffic from the VM, sure, but there's still a possibility of keylogging and even screen monitoring, possibly something else.

To answer your question, the guest OS should reject the security software's certificates, should it attempt MITM. Otherwise there wouldn't be much of a reason to use HTTPS over plain HTTP.
It can still do blocking I guess.

Secondly, it's a work device, and that software is there for a reason. Trying to get around it may have different results. Your employer might not care much, or they could assume something malicious on your side, and fired you are.
So don't use it past work-related use cases, don't borrow it to kids nor anyone else. That bit of hardware is most likely not worth the risk.

[–] stoy@lemmy.zip 11 points 3 months ago

IT Guy here - we have been ordered by management to operate a computer system to setup and maintain a usable and secure computer environment for the work the management needs to be done.

To do this, your IT team and selected Windows 11 as the plattform, this is due go several factors.

  1. Compabillity - Windows is the de-facto standard, if you want to do buisniss with other companies, Windows is a safe bet.
  2. Familiarity - Windows is the de-facto standard, people know how to use it with little training.
  3. Managabillity - Windows has excellent tools for central management, so IT policies can easily be implmented centrally.

With your Linux VM you will introduce new security holes, remove central management and throw familiarity out the window.

In any sane company, and unauthorized VM would at minimum be grounds for immediate termination.

If you want to do a proof of concept for your idea, you need management buy in, speak with the CTO and ask about migrating your proccesses to Linux ant do it above board.

[–] savvywolf@pawb.social 3 points 3 months ago (1 children)

I don't know for sure, but I don't think they'd be able to read https traffic. That would be encrypted on the vm itself before being sent to the host, so the host couldn't see it.

If they're scanning your system remotely for unapproved software, I imagine they won't let you use a vm at all, since it kinda breaks that requirement.

[–] Tar_alcaran@sh.itjust.works 6 points 3 months ago (1 children)

I don't know for sure, but I don't think they'd be able to read https traffic. That would be encrypted on the vm itself before being sent to the host, so the host couldn't see it.

But they're able to access your screen, keylog you and read your HD. No need to read https if you can access what the user sees and does

[–] Quazatron@lemmy.world 6 points 3 months ago (1 children)

Also your DNS traffic will leak what you are doing.

Just follow the most upvoted answer and keep personal stuff on your personal PC or mobile if you want to avoid trouble.

[–] user224@lemmy.sdf.org 1 points 3 months ago

You can use DoT or DoH.

But you will still leak SNI.

[–] MajorHavoc@programming.dev 2 points 3 months ago

I've faced this decision.

As long as the stuff I'm doing on the Linux VM is legitimate work, I find that no one cares.

Every so often someone asks questions about how the underlying concerns are being addressed - most critically backups.

As long as I have reasonable answers, or I express willingness to collaborate on solutions, it tends to work out.

That said, I'm a manager of software development, so I receive a lot of leeway to tell people what tools I need.