Insider Preview Builds

Installing New Windows 10 Sandbox Feature Networking Resources Browsers Security

A look at Installing New Windows 10 Sandbox Feature Networking Resources Browsers Security for observations on the new security technology from Microsoft

One of the most intriguing new features in recent Windows 10 Insider Preview Builds for me personally has been the introduction of the new Windows Sandbox feature that allows having a totally isolated environment that allows for safely testing executables and other potentially dangerous file types before executing on the host machine. In downloading and playing around with the latest Windows Insider Preview Build 18317 release, I wanted to take a deeper dive into the new Windows 10 sandbox feature, taking a look at networking, users, security, etc. Let’s look at Installing New Windows 10 Sandbox Feature Networking Resources Browsers Security.

New Windows 10 Sandbox Feature

The new Windows 10 Sandbox Feature hopes to solve many of the longstanding issues with keeping a workstation free from unwanted or malicious executables and file types and being able to safely “detonate” these in a walled off area away from the host machine.

Typically, many solve this issue by having a “browsing VM” that is used to browse the Internet with an underprivileged account, execute potentially dangerous files and such. A snapshot can be taken of the workstation at the beginning of the day and then rolled back as needed to return this browsing VM back to a pristine state. This ensures you have no malware or unwanted code running on the machine.

The problem with this is that it is not very efficient. You have to run a hypervisor, install a full copy of Windows running in a virtual machine, license, etc. The resources required to run a full copy of Windows 10 in a virtual machine is certainly not insignificant.

The new Windows 10 Sandbox Feature melds together Hyper-V and container technology to create an isolated Windows 10 environment that utilizes files from the host operating system so that these are not reproduced or duplicated. The sandbox then runs a snapshot of sorts that is only used during the working session. Once the Windows sandbox application is closed, these changes are discarded.

Installing New Windows 10 Sandbox Feature Networking Resources Browsers Security

Let’s take a look at the process to get the Windows 10 Sandbox feature installed and how it is accessed. The installation or enabling of the Windows Sandbox is a simple process. Open Programs and Features or get there by typing appwiz.cpl and you will see the Windows Sandbox feature ready for/to installation/enable. ***Note*** if you don’t have virtualization features in your CPU you will see this greyed out. Additionally, like me, if you are running this inside a VM without the “nested virtualization” functionality/CPU features exposed to the guest, it will also be greyed out.

Installing-the-new-Windows-Sandbox-feature-in-Windows-10-Insider-Preview-Build-18317
Installing the new Windows Sandbox feature in Windows 10 Insider Preview Build 18317

After enabling, you will see the prompt to restart Windows.

Restart-after-installing-the-new-Windows-10-Sandbox
Restart after installing the new Windows 10 Sandbox

The feature will be configured on the restart.

Windows-features-are-updated-during-the-reboot-of-Windows-10-Insider-Preview-for-Windows-10-Sandbox
Windows features are updated during the reboot of Windows 10 Insider Preview for Windows 10 Sandbox

After rebooting and signing in, you can launch the Windows Sandbox from the Start menu.

Launching-the-new-Windows-10-sandbox
Launching the new Windows 10 sandbox

You will see a security prompt once you launch the app. Click Yes to verify.

Security-prompt-for-launch-of-Windows-10-sandbox
Security prompt for launch of Windows 10 sandbox

The Windows 10 Sandbox Windows app launches.

New-Windows-10-Sandbox-Windows-app-launching
New Windows 10 Sandbox Windows app launching

As you can see below, the new Windows 10 Sandbox looks like a VM running, or another instance of Windows running.

New-Windows-10-Sandbox-app-launched-in-Windows-10-Insider-Preview-Build-18317
New Windows 10 Sandbox app launched in Windows 10 Insider Preview Build 18317

Maximizing the window looks like the Hyper-V virtual machine connection console.

Windows-10-Sandbox-maximized-window-looks-like-Hyper-V-console
Windows 10 Sandbox maximized window looks like Hyper-V console

You may wonder, can you install Chrome and other apps? Yes you can as you can see below!

Can-you-install-Chrome-in-the-Windows-10-Sandbox-Yes
Can you install Chrome in the Windows 10 Sandbox – Yes

Chrome installation completes successfully.

Chrome-installation-completes-inside-the-Windows-10-Sandbox-app
Chrome installation completes inside the Windows 10 Sandbox app

You can see the isolation from the Windows 10 Sandbox and the host operating system. Chrome is installed in the Windows 10 Sandbox, but not in the host Windows 10 operating system.

Chrome-installation-does-not-cross-over-to-the-host
Chrome installation does not cross over to the host

Chrome launched in the Windows 10 Sandbox.

Chrome-installed-and-launched-inside-the-Windows-10-Sandbox-app
Chrome installed and launched inside the Windows 10 Sandbox app

What about the networking configuration? I was curious how this was configured in the Windows 10 Sandbox app. It is a NAT’ed IP that has as its gateway the host Windows 10 OS that now has a vEthernet (Default Switch) installed and configured.

Windows-10-Sandbox-host-has-a-vEthernet-Switch-installed
Windows 10 Sandbox host has a vEthernet Switch installed

You can see the NAT’ed IP address with a .240 subnet. The gateway is the IP bound to the vEthernet adapter on the host.

A-look-at-how-the-Windows-10-Sandbox-app-container-or-VM-networking-is-setup
A look at how the Windows 10 Sandbox app container or VM networking is setup

When you attempt to close the new Windows 10 Sandbox app, you will see a warning prompting you “are you sure you want to close Windows Sandbox? Once Windows Sandbox is closed all of its content will be discarded and permanently lost.” So the changes you make do not persist in the Windows 10 Sandbox environment.

Closing-the-Windows-10-Sandbox-app-warning-message
Closing the Windows 10 Sandbox app warning message

Sure enough, after a relaunch, we no longer see Chrome installed.

After-a-quick-close-and-reopen-Chrome-is-no-longer-installed
After a quick close and reopen Chrome is no longer installed

What about resources? This is the awesome part when comparing to running a full Windows 10 VM. As you can see below, the new Windows 10 Sandbox environment is only consuming roughly 128 MB of memory!

New-Windows-10-Sandbox-app-extremely-low-resource-utilization
New Windows 10 Sandbox app extremely low resource utilization

What about a test of isolation going the other way? I installed Chrome on the Window Sandbox app host. As you can see, Chrome does not appear in the new Windows 10 Sandbox app environment.

Installing-Chrome-on-the-host-does-not-affect-the-Windows-10-Sandbox-app-environment
Installing Chrome on the host does not affect the Windows 10 Sandbox app environment

The user account the new Windows 10 Sandbox app is ran under is called WDAGUtilityAccount. What is WDAGUtilityAccount? This account is part of the Windows Defender Application Guard which came with the Fall Creators Update (version 1709).  This account is left disabled unless it (Windows Defender Application Guard) is enabled on your device. Obviously it is utilized with the new Windows 10 Sandbox environment.

The-New-Windows-10-Sandbox-app-is-run-under-the-WDAGUtilityAccount-user-account
The New Windows 10 Sandbox app is ran under the WDAGUtilityAccount user account

Back to networking for a moment. I wanted to run some tests on pinging between Windows 10 Sandbox and the host and then beyond. At first I could not ping the host/gateway address.

Cant-ping-the-NATed-interface-by-default-but-can-after-enabling-file-and-printer-sharing
Can’t ping the NAT’ed interface by default but can after enabling file and printer sharing

After enabling File and Printer Sharing, I can ping the NAT’ed IP.

Pinging-the-host-NATed-IP-after-enabling-File-and-Printer-Sharing-from-Windows-10-Sandbox-app
Pinging the host NAT’ed IP after enabling File and Printer Sharing from Windows 10 Sandbox app

What about the LAN IP address of the Windows 10 Sandbox host? Yes, you can ping it as well after enabling the File and Printer Sharing service on the host.

Windows-10-Sandbox-app-can-ping-the-public-IP-of-the-host-once-File-and-Printer-Sharing-is-enabled
Windows 10 Sandbox app can ping the public IP of the host once File and Printer Sharing is enabled

Can you change your DNS inside the new Windows 10 Sandbox app and ping other hosts on the local network? Yes you can. However, in testing actually mapping a drive, even though the share was enabled, I was not able to map network drives out. This is a good thing, thinking about isolation and the intended purpose of the new Windows 10 sandbox.

Also, a note here is that I could not map a drive to the host of the new Windows 10 Sandbox app.

Once-DNS-is-updated-can-ping-LAN-DNS-addresses-but-cant-map-drives
Once DNS is updated can ping LAN DNS addresses but can’t map drives

I have not had time to dig deeper into the specific network settings that are enabled on the new Windows 10 sandbox environment as of yet, but I suspect there is isolated containerized networking at play here that is preventing the drive maps, NETBIOS type traffic, etc. Look for a future post digging a bit deeper into this one.

Takeaways

For me this was a fun exercise – Installing New Windows 10 Sandbox Feature Networking Resources Browsers Security. This is a really killer new feature that from a security perspective is going to be a great new tool. There is no doubt in my mind that security vendors will be able to use this and have hooks into this functionality to perform even more security testing, detonation, etc.

The awesome thing with the new Windows 10 sandbox app is the resource utilization. Thinking about the fact that you no longer have to run a full Windows 10 VM to do basic things such as browsing, downloading files, etc, is going to be a great benefit! What would make this better?

One of the things I think immediately that will be asked and on everyone’s mind is whether or not the “base” Windows 10 Sandbox VM/container can be customized so the default “image” can contain custom applications, i.e. Chrome, etc. There is no doubt going to be great features added to the new Windows 10 sandbox with upcoming builds.

Subscribe to VirtualizationHowto via Email ๐Ÿ””

Enter your email address to subscribe to this blog and receive notifications of new posts by email.



Brandon Lee

Brandon Lee is the Senior Writer, Engineer and owner at Virtualizationhowto.com, and a 7-time VMware vExpert, with over two decades of experience in Information Technology. Having worked for numerous Fortune 500 companies as well as in various industries, He has extensive experience in various IT segments and is a strong advocate for open source technologies. Brandon holds many industry certifications, loves the outdoors and spending time with family. Also, he goes through the effort of testing and troubleshooting issues, so you don't have to.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.