Run potentially sketchy apps in the Windows Sandbox
Install questionable or untrusted apps and open suspicious attachments in Microsoft’s new virtualized container: Windows Sandbox.
Microsoft announced Windows Sandbox right before the holidays, so there’s a chance some people may have missed this announcement. We wanted to provide an easy overview of what we currently know about it, alongside some of our thoughts.
Need to test an app out? Try Windows Sandbox
At it’s very basic, Windows Sandbox is designed to be a lightweight virtual machine that users can spin up to install untrusted executables in isolation. This way, you can test potentially questionable apps and without worrying about allowing it access anything on your main desktop or VM. You could also use it to open attachments, too.
Windows Sandbox comes included for free with a Windows 10 Pro or Enterprise license. It’s currently only available as part of Windows 10 Insider Preview Build 18305, which went live a day after Microsoft’s initial announcement. It’s expected to be included in the Windows 10 April 2019 update.
Mary Jo Foley noted back when Windows Sandbox was announced that it was likely the new name for the rumored “InPrivate Desktop,” which there had been chatter around earlier in 2018. Her description of it as a “throwaway sandbox” to try out untrusted apps sure fits what Windows Sandbox ended up becoming.
The system requirements for Windows Sandbox aren’t too taxing, which isn’t a surprise given they want people to be able to run it on their everyday work desktops and laptops.
- AMD64 architecture
- BIOS-enabled virtualization capability
- 4GB RAM (8GB recommended)
- 1GB space (solid-state drive recommended)
- 2 CPU cores (4 cores with hyperthreading recommended)
- Microsoft Hyper-V
Microsoft worked on making sure Windows Sandbox doesn’t consume too much system resources. The dynamically generated image only takes up 100MB when installed, and only 25MB if not. Microsoft refers to Windows Sandbox as a “dynamic base image” that is a lightweight desktop environment that provides a clean instance of Windows 10. From there, it provides access to copies of files on the main desktop, but you cannot alter them in any way from inside Windows Sandbox.
If memory use for Windows Sandbox becomes too much for your desktop or VM, you can reallocate it (they used the term “reclaim”). Additionally, this lightweight VM is treated more like an app on your desktop; this allows host PC tasks to take precedence for system resources through Microsoft’s newly created “integrated scheduler.”
The name makes enough sense given its purpose, though they already use the term to describe an area of their documentation site based around experimenting with Azure and other products. A little confusing.
For those interested in trying out Windows Sandbox, it’s surprisingly easy enough to get it up and running. Microsoft provides a quick start guide in the blog announcement for Windows Insiders raring to try it.
Nice little add-on but will people use it?
Overall, I think Windows Sandbox is a neat little app. Conceptually, I like the idea of a disposable place that business users who are suspicious about new apps and attachments can open them without the chance they harm their desktop. Microsoft made it part of Windows 10 Pro/Enterprise, and it’s easy enough to run.
I spoke with Rachel Berry, who told me that at the recent Citrix User Group event in the U.K. that some CTPs showed interest in the Windows Sandbox, but she isn’t so sure herself. It requires users to be aware enough to open up Windows Sandbox to test out the app or attachment. Some vendors (Bromium is one such company) offer VMs that can be spun up automatically when trying to open an attachment. So, if Microsoft developed a group policy that untrusted apps and attachments open in Sandbox then I could see wider acceptance.
Rachel also noted that some more sophisticated malicious apps can actually recognize when they’re opened in a virtual environment and remain dormant. Not sure how often the average user will come across those, though; unless it’s a targeted attack.
Lastly, while Windows Sandbox is a new tool for users, you could technically already get a lot of the same functionality through Windows Containers, especially if run with Hyper-V Isolation.
Will be curious to see once it’s in GA how often people use it.