[SOLVED] Restrict qemu-agent

[MaPf]

Hi all,

with the default installation of the qemu guest agent it's possible to reset user passwords (even root or administrator) from the commandline of the hypervisor.

I'd like to prevent that.
With linux guests that is quite easy with dumping the current config, add "block-rpcs=guest-set-user-password" and write it to /etc/qemu/qemu.conf

I'd like to do the same with Windows... the config looks quite similar, but I don't know where to place the file and how to name it.... if possible at all.

I couldn't find relevant documentation, maybe someone could point me there.

 

[fba]

Hi,

my guess is, that there is no file, but you have to edit the service entry in the registry (HKLM\System\CurrentControlSet\Services\QEMU-GA) and append -b <rpcs to block> to the ImagePath-Entry instead.

 

[MaPf]

You guessed right, that works mighty fine
And is even better to roll out via GPO than by files
Thanks!

 

[MaPf]

Just in case anyone wants to rebuild that for Windows Domain Machines:
Create a WMI filter "ProxmoxVM" with Query

SELECT * FROM Win32_ComputerSystem  WHERE Manufacturer LIKE '%QEMU%'

to target VMs only.
Create a new GPO "QEMUGuestAgentSettings" on "Computer Configuration/Preferences/Windows Settings/Registry"

Hive: HKEY_LOCAL_MACHINE
Key path: SYSTEM\CurrentControlSet\Services\QEMU-GA
Value name: ImagePath
Value type: REG_EXPAND_SZ
Value data: "C:\Program Files\Qemu-ga\qemu-ga.exe" -d --retry-path -b guest-set-user-password

and set the WMI filter to it