Microsoft Windows Sandbox not a fit for all enterprise playgrounds

Windows Sandbox integrates directly into Windows 10, which makes it easy for IT and users to work with, but could spell trouble for organizations.

Microsoft Windows Sandbox is catching the attention of IT professionals as an easy-to-use sandboxing tool, but its usefulness might not be universal.

Sandboxes provide an instance of a desktop where IT professionals and end users can safely run certain untrusted files or programs without worrying about damaging the applications or operating systems on which they run. Windows Sandbox, which Microsoft launched at the end of 2018, is a feature within Windows 10 Enterprise and Pro.

There are a few cases where IT could take advantage of this tool in the enterprise, but experts said more robust sandboxing options may still reign supreme.

"It's going to have some good overall impact, but I'm skeptical," said William Rials, an IT professor at Tulane University in New Orleans. "It may be helpful for tech-savvy enterprises that don't have the resources to set up a full sandbox, [but] I don't see it being rolled out across the enterprise."

Where Sandbox could be useful

Every time a user opens Windows Sandbox, they get a clean slate, and when they close it, everything they did within it is deleted. Most enterprise-level sandbox tools, such as VirtualBox, Sophos Sandstorm and Unity Security Sandbox, require a large investment in infrastructure to run the isolated files. Small organizations might not be able to afford those options, but supporting Microsoft Windows Sandbox is simpler (see sidebar).

System requirements for Windows Sandbox

  • Windows 10 Pro or Enterprise with Insider Build 18305 or higher;
  • AMD64 architecture;
  • 4 GB of RAM;
  • 1 GB of disk capacity;
  • 2 CPU cores; and
  • virtualization capabilities enabled through BIOS.

IT does not need to create a virtual hard disk to run the sandbox. Once IT enables virtualization through BIOS, any user can enable Windows Sandbox in the Windows Features settings. The feature is then accessible through the Start menu, and the user simply drags an executable file into the Windows Sandbox window to put it to the test.
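An added example (not from the article or from Microsoft) that turns the sidebar's requirements into an audit script: it checks build, edition, architecture, RAM, disk, cores and firmware virtualization, and reports whether the Windows Sandbox optional feature (Containers-DisposableClientVM) is already enabled on the machine. The thresholds are taken from the sidebar; the function name is my own.

```powershell
# Added example, not the article's code. Run from an elevated PowerShell
# session on Windows 10 Pro/Enterprise; Get-WindowsOptionalFeature needs admin.
function Test-WindowsSandboxReadiness {
    [CmdletBinding()]
    param(
        [int]$MinBuild  = 18305,   # Insider build named in the sidebar
        [int]$MinRamGB  = 4,
        [int]$MinDiskGB = 1,
        [int]$MinCores  = 2
    )

    $ci = Get-ComputerInfo -Property WindowsProductName, OsBuildNumber, OsArchitecture,
        CsTotalPhysicalMemory, CsNumberOfLogicalProcessors,
        HyperVRequirementVirtualizationFirmwareEnabled

    # Free space on the system drive, in GB
    $sysDrive = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
    $freeGB   = [math]::Round($sysDrive.FreeSpace / 1GB, 1)

    # Optional-feature state is 'Enabled' or 'Disabled'
    $feature = Get-WindowsOptionalFeature -Online -FeatureName Containers-DisposableClientVM

    # HyperVRequirement* properties are $null once Hyper-V itself is installed,
    # so $null means virtualization is already in use, not switched off.
    $virt   = $ci.HyperVRequirementVirtualizationFirmwareEnabled
    $virtOk = ($virt -eq $true) -or ($null -eq $virt)

    $checks = [ordered]@{
        EditionOk        = $ci.WindowsProductName -match 'Pro|Enterprise'
        BuildOk          = [int]$ci.OsBuildNumber -ge $MinBuild
        ArchOk           = $ci.OsArchitecture -eq '64-bit'
        RamOk            = ($ci.CsTotalPhysicalMemory / 1GB) -ge $MinRamGB
        DiskOk           = $freeGB -ge $MinDiskGB
        CoresOk          = $ci.CsNumberOfLogicalProcessors -ge $MinCores
        VirtualizationOk = $virtOk
    }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        SandboxEnabled    = ($feature.State -eq 'Enabled')
        MeetsRequirements = -not (@($checks.Values) -contains $false)
        Checks            = [pscustomobject]$checks
    }
}

Test-WindowsSandboxReadiness | Format-List
```

Collecting the SandboxEnabled field across a fleet tells an administrator where users have switched the feature on themselves, which is the visibility gap raised later in the article.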

The availability of Microsoft Windows Sandbox directly in Windows 10 makes it simpler to set up and use. For instance, a developer can quickly check a line of code by right-clicking on it and running it in Windows Sandbox -- an action that can be very complicated with other sandbox tools.

"To take a quick application or code change to your sandbox -- create it, set it up -- it's too much sugar for a dime," Rials said. "Developers won't go through that effort. But if it's quick, it's integrated, you have more testing."


IT can also work with tech-savvy employees, such as power users, to test changes to code or applications without risking issues with those users' production desktops, said Douglas Grosfield, president and CEO of Five Nines IT Solutions, a consultancy in Kitchener, Ont.

Microsoft Windows Sandbox is particularly helpful in protecting against potentially dangerous executable files.

"Sandboxing technology in your operating system adds another layer of protection against malicious code running that will encrypt your files in the case of a ransomware attack," Grosfield said. "It gives you a plan A."

Sandbox puts potential damper on security

Despite the benefits of Microsoft Windows Sandbox, other sandboxing tools can offer better protection in several ways. First, they allow the user to air gap the device or network. This means that not only is the sandbox isolated from the operating system or application, but the device or network is isolated from any unsecure networks, such as public Wi-Fi.


To make matters worse, end users might not fully understand the difference between the sandbox and their production desktops. They might make changes to settings or data within an app they installed in Windows Sandbox, thinking those changes will persist the next time they open the app.

The availability of Windows Sandbox directly in the OS also takes some control away from administrators. Although the ability to isolate apps is useful for IT admins, it could be risky for users to run untrusted applications not approved by IT on their desktops.

"It increases the likelihood and risk of shadow IT," Grosfield said. "It adds to IT's burden of responsibility in terms of monitoring and controlling users' environments."

Sandboxing doesn't guarantee that a user's system is fully protected.

Windows Sandbox is like a virtual machine, so it is designed to allow untrusted apps, said Hari Pulapaka, principal group program manager at Microsoft. However, Sandbox uses a dynamic image, so it has to access the host's binaries to work, according to Pulapaka.

This interaction between the sandbox and the host OS raises concerns if a vulnerability appears within Microsoft Windows Sandbox, Rials said. 


"Windows Sandbox does interact with the system memory; they share some things," Rials said. "How long before a vulnerability comes out inside the underlying operating system that allows a breakout of the sandbox?"

This host interaction also means Microsoft Windows Sandbox does not allow IT to test OS updates before rolling them out, which is a common use for sandboxes. Windows Update testing isn't possible because the sandbox relies directly on the host OS's system files to run and cannot make changes to those files.

"It's going to be very limiting," Rials said. "How many enterprises are going to use it as part of their normal procedures or processes if it can't test Windows updates?"

Sandboxing is only one piece of a larger cybersecurity strategy. IT pros shouldn't think it safeguards them completely, Grosfield said.

"There's no magic bullet," he said. "Sandboxing built into the operating system [doesn't] mean you no longer need to invest in proper endpoint protection."
