privacyguides.org/docs/os/windows/sandboxing.md


---
title: Application Sandboxing
icon: octicons/apps-16
---

## Native Application Sandboxing

### Application Packaging by Windows

Windows has two types of application packaging: .exe/.msi (Win32) and .appx/.msix (UWA).

#### Universal Windows Application (UWA)

UWAs are processes that run inside an AppContainer, an application sandbox environment that restricts which system resources AppContainer processes can access. In short, the application is fully isolated and is only granted access to specific resources.

#### Win32 Apps

Win32 is the application platform of choice for developing and running classic Windows applications, that is, Win32 applications, which require direct access to Windows and the hardware.

The core of Win32 is the Win32 API, implemented in the Windows subsystem DLLs (SubDLLs) and the ntdll.dll library. Through the combination of SubDLLs and ntdll.dll, a Win32 application has direct access to the full set of system resources.

#### A comparison between UWA and Win32

| UWAs | Win32 applications |
|------|--------------------|
| UWAs run as restricted, containerized AppContainer processes that access the WinRT API and a subset of the COM and Win32 APIs. They have specific properties that define process restrictions in terms of the system resources the processes can access. | Win32 applications run as native, traditional Windows processes that access the Win32 API and COM functionality to their full extent, plus a subset of the WinRT API, and can directly access all system resources. They do not run as restricted processes; all system functionality is by design directly available to them. |
| Only a single instance of a given UWA may run at a given time. | Any number of instances of a given Win32 application may run simultaneously. |
| UWAs are distributed as application packages: archive files with a pre-defined format and the required content for deploying and operating the UWA. | The way in which Win32 applications are distributed is not restricted by the operating system; it is defined by the application vendor. |

The comparison above makes it clear that UWA/UWP apps are the better choice where sandboxing is concerned.

### Choosing the way to install software

UWA apps are primarily distributed through the Microsoft Store and are counter-signed by Microsoft, whereas third-party UWAs distributed outside the store are signed only by the vendor, without Microsoft's signature.

It is recommended to use UWA apps, as they are sandboxed in their own containers.

If you are required to use Win32 apps, install the application on the host and run it using Windows Sandbox.

Installing on the host and using the app inside the Sandbox is recommended so that you do not have to reinstall the software in Windows Sandbox again and again.

#### Finding Win32 and UWP apps in the Windows Store

Before Windows 11 launched, apps in the Microsoft Store were generally UWP only; since then, Win32 and UWP apps coexist in the store.

This makes it harder to tell Win32 and UWP apps apart. To find out which is which, read on:

When you open an app in the store, scroll down to the Additional Information section and check whether it asks for specific permissions, as in the image below:

UWP in store

For a Win32 app, the Microsoft Store explicitly states that it is **Provided and updated by** (the vendor's name) and that it **Uses all system resources**, as in the image below:

Win32 in store

!!! note "Un-sandboxed UWP apps"

    Since Microsoft lifted restrictions in the Microsoft Store, developers can submit a UWP app with a property named `runFullTrust`, which disables sandboxing for that application; the store then shows "Uses all system resources" in the Additional Information section (Firefox is one example). This lets you tell whether a UWP app is sandboxed or not.

If it is sandboxed, only specific permissions are listed in the *Additional Information* section.
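The store listing is one way to spot `runFullTrust`; the same information is in each installed package's manifest. The following PowerShell script is an added example (not from this page or from Microsoft) that lists installed packaged apps, reports whether each one still runs inside its AppContainer, and shows who signed it:

```powershell
# Added example (not from the Privacy Guides page). Lists installed packaged (UWP/MSIX)
# apps and reports whether each one is still confined to its AppContainer or declares
# the runFullTrust restricted capability, plus who signed the package.
# PowerShell 7 users: run "Import-Module Appx -UseWindowsPowerShell" first.

function Get-AppxSandboxStatus {
    # Framework packages (e.g. VCLibs) are libraries, not apps, so they are skipped.
    Get-AppxPackage | Where-Object { -not $_.IsFramework } | ForEach-Object {
        $pkg = $_
        try {
            $manifest = Get-AppxPackageManifest -Package $pkg.PackageFullName -ErrorAction Stop
        } catch {
            return   # some system packages have no readable manifest; skip them
        }

        # Capability elements live in several XML namespaces (default, uap:, rescap:),
        # so match on the local element name instead of a namespace prefix.
        $caps = @($manifest.SelectNodes("//*[local-name()='Capability']") |
                  ForEach-Object { $_.GetAttribute('Name') })

        [pscustomobject]@{
            Name          = $pkg.Name
            SignatureKind = $pkg.SignatureKind     # Store, Developer, Enterprise, System or None
            Sandboxed     = -not ($caps -contains 'runFullTrust')
            Capabilities  = ($caps -join ', ')
        }
    }
}

# Show the apps that run with full trust, i.e. outside the AppContainer sandbox.
Get-AppxSandboxStatus |
    Where-Object { -not $_.Sandboxed } |
    Sort-Object Name |
    Format-Table Name, SignatureKind, Capabilities -AutoSize
```

`SignatureKind` of `Store` corresponds to the Microsoft counter-signature described above; `Developer` or `None` means the package was signed by the vendor alone or sideloaded unsigned.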

!!! abstract "Note"

    Most apps will ask whether the app should be installed for all users or only for your user account. It is best to keep the app limited to your user account, so that you achieve better separation between different user accounts.

#### Another way to find UWP apps

rg-adguard.net is a third-party website for the Microsoft Store that can be used to download .appx files (the installer format for UWP apps) and install UWP apps. You can use this site to download age-restricted apps from the store and install them. Note that paid apps do not work unless you connect a Microsoft account.

### Using winget to install software

The Windows Package Manager command-line tool, winget, is bundled by default with Windows 11 and modern versions of Windows 10 as the App Installer.

The winget command-line tool lets users discover, install, upgrade, remove and configure applications on Windows 10 and Windows 11 computers. It is the client interface to the Windows Package Manager service.

More information: https://learn.microsoft.com/en-us/windows/package-manager/winget/

winget is a powerful tool for installing apps that are safe, trusted and official, and it should be used in preference to sketchy installers.

Even if you have apps installed via a traditional installer, you can continue using winget to manage them.

A Quick demo by ThioJoe - https://youtu.be/uxr7m8wDeGA

Detailed info about the tool by Microsoft - https://youtu.be/Lk1gbe_JTpY

Once you are familiar with winget, https://winstall.app/ is suggested for bulk-installing apps.

Note: Be sure to install via winget or an MSI installer so that the app can be upgraded easily.

#### Benefits of winget

There are general advantages in having a package manager regardless of the operating system.

  • Security: The packages that the package manager includes are usually safe because they are verified by maintainers.
  • Automation: It is easier to install or uninstall N applications using a package manager; there is no need to do it manually.
  • Maintenance: With a package manager you can usually update all your applications, including their configuration.
  • Exploration: Instead of searching manually in a browser for an application, you can use the package manager. Since it is centralized, it should be easier to find what you want.
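The following PowerShell script is an added example (not from this page or from the winget project) of the install, upgrade and bulk-export workflow described above. The package ids are real winget ids; the file path is an assumption:

```powershell
# Added example (not from the Privacy Guides page): install a fixed list of apps with
# winget, pinning each to its exact package id in the official "winget" source so a
# look-alike package from another source cannot be substituted, then export the list
# so the same set can be reinstalled elsewhere. Package ids below are real winget ids.
$apps = @('Mozilla.Firefox', '7zip.7zip', 'Microsoft.PowerShell')

function Install-WingetApp {
    param([Parameter(Mandatory)][string]$Id)

    # --exact: match the id literally; --source winget: ignore msstore and any extra sources
    winget list --id $Id --exact --source winget --accept-source-agreements | Out-Null
    if ($LASTEXITCODE -eq 0) {
        Write-Host "$Id already installed, skipping"
        return
    }
    # winget checks the downloaded installer's SHA256 against the manifest before running it.
    winget install --id $Id --exact --source winget `
        --accept-package-agreements --accept-source-agreements
}

foreach ($id in $apps) { Install-WingetApp -Id $id }

# Keep everything current in one step (this also covers apps installed by other
# installers that winget can match to a manifest).
winget upgrade --all --source winget --accept-package-agreements --accept-source-agreements

# Export the installed set to JSON (assumed path); "winget import -i apps.json"
# recreates the same set on another machine.
winget export -o "$env:USERPROFILE\apps.json" --source winget --accept-source-agreements
```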

## Windows Sandbox

Windows Sandbox provides a lightweight desktop environment to safely run applications in isolation. Software installed inside the Windows Sandbox environment remains "sandboxed" and runs separately from the host machine.

The sandbox is temporary, like TailsOS running from a USB drive. When it is closed, all software, files and state are deleted. You get a brand-new instance of the sandbox every time you open it.

You can learn more from the official documentation.

Use cases: Windows Sandbox can be used to run unknown software, or to isolate a workspace containing only a specific set of apps from the host.

### Using Sandbox

To use Windows Sandbox, create a configuration file for your needs as described in the official Microsoft documentation.

When you open that file, the sandbox starts with the configuration you set up in it.
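As an added example (not from this page or from Microsoft's documentation), the PowerShell script below writes such a configuration file and launches it. It maps a host folder read-only into the sandbox, which is how software installed on the host can be used inside it as recommended earlier, and disables networking and device redirection. The folder paths are assumptions:

```powershell
# Added example (not from the Privacy Guides page): generate a Windows Sandbox
# configuration (.wsb) from PowerShell and launch it. Requires the Windows Sandbox
# optional feature (Windows 10/11 Pro or Enterprise). Assumed host folder:
# C:\SandboxShare, holding the installers or portable Win32 apps you want to run.
$share   = 'C:\SandboxShare'
$wsbPath = Join-Path $env:TEMP 'isolated-test.wsb'
New-Item -ItemType Directory -Path $share -Force | Out-Null

# Everything inside the sandbox is discarded on close. The host folder is mapped
# read-only, so nothing running inside can modify the files you keep on the host,
# and networking is off so unknown software cannot phone home during the test.
$config = @"
<Configuration>
  <Networking>Disable</Networking>
  <vGPU>Disable</vGPU>
  <AudioInput>Disable</AudioInput>
  <VideoInput>Disable</VideoInput>
  <ClipboardRedirection>Disable</ClipboardRedirection>
  <PrinterRedirection>Disable</PrinterRedirection>
  <ProtectedClient>Enable</ProtectedClient>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>$share</HostFolder>
      <SandboxFolder>C:\Share</SandboxFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>explorer.exe C:\Share</Command>
  </LogonCommand>
</Configuration>
"@

Set-Content -Path $wsbPath -Value $config -Encoding UTF8
Invoke-Item $wsbPath   # .wsb files are associated with Windows Sandbox, so this starts it
```

Re-enable `Networking` only for software that genuinely needs it; every other setting above can be flipped to `Enable` in the same way.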

If the documentation is unclear to you, you can use Windows Sandbox Editor instead. It is a GUI application for creating configuration files easily.

??? note "Regarding Windows Sandbox Editor"

    The repository does not provide a packaged release, so you need to download the whole codebase. After extracting the zip, Windows Defender or other antivirus software may flag the exe file as malware. It is therefore recommended to install it via the PowerShell script they provide.

    By default, you cannot execute scripts in PowerShell; it is restricted to commands only. It is recommended that you switch the terminal to the `Unrestricted` [execution policy](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.2), use it to install the editor via the script, and then change it back to `Restricted` to prevent accidental execution of malicious scripts in the future.
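An added example (not from this page or from the editor's repository) of running such an install script without changing the machine-wide policy: the `Process` scope applies only to the current PowerShell session and disappears when it closes, so there is nothing to switch back afterwards. The script path is a placeholder:

```powershell
# Added example (not from the Privacy Guides page): run a downloaded install script
# without loosening the machine-wide execution policy. Assumed placeholder path:
# C:\Downloads\install-editor.ps1 (substitute the script the editor's repository provides).
$script = 'C:\Downloads\install-editor.ps1'

# See what is in effect today at every scope before changing anything.
Get-ExecutionPolicy -List

# A file saved by a browser carries a Zone.Identifier stream (Mark of the Web), so
# RemoteSigned refuses to run it until it is unblocked. Inspect its signature state
# (most community scripts report NotSigned) and read the script before unblocking.
Get-AuthenticodeSignature -FilePath $script | Select-Object Status, SignerCertificate

# Scope Process: affects only this session; it is gone when the window closes,
# so the machine-wide policy stays Restricted the whole time.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process -Force
Unblock-File -Path $script   # only after you have reviewed the script's contents
& $script

# Confirm nothing persistent was changed (Process shows RemoteSigned, others unchanged).
Get-ExecutionPolicy -List
```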

### Run programs instantly in Sandbox

Run in Sandbox is a tool to quickly run files in Windows Sandbox with a right click.

We recommend this software as it is convenient, easy to use and has even been credited by Microsoft.

A full guide on how to use it can be found here: https://www.systanddeploy.com/2021/11/run-in-sandbox-quick-way-to-runextract.html

Note: The same note about installing Windows Sandbox Editor via PowerShell also applies here, except that this tool does not provide an exe at all.

This page is based on Work Package 9 of the German BSI project SiSyPHuS Win10.

## For advanced users

Sandboxie Plus is a sandboxing tool that uses file-system and registry virtualization techniques to sandbox individual apps while, unlike Windows Sandbox, keeping their data between sessions.

Use it at your own risk!

*[UWA]: Universal Windows Applications
*[UWP]: Universal Windows Platform
*[SubDLLs]: Subsystem dynamic link libraries
*[ntdll.dll]: A core Windows library file that implements functions for interaction with the kernel.
*[WinRT]: Windows Runtime
*[COM]: Component Object Model