[Tech Talk] Windows Sandbox: The newest attraction to the PenTester’s Playground


(Jeff Gelinas) #1

With the newest Windows 10 Insider build, a previously rumored Windows feature has come to light: Windows Sandbox. This tool is highly welcome in an age of increasing threats from malicious links, documents, and software. Windows Sandbox fills the modern need for a secure environment in which to test what reaches us in the inbox and what we download from the web.

The idea is not new to most in the field: a sandbox sets aside a clean, restricted-access area where you can open a possibly malicious file or link in a controlled environment without exposing the main system to that executable or link. In the case of Windows Sandbox, the underlying technology builds on containerization, which has taken the DevOps and SecOps communities by storm since Docker 1.0 shipped in June 2014.

Windows containerization provides a resource-controlled, portable application runtime: the container can use only the hardware resources allocated to it and is unaware of the other resources and applications running on the host machine. Once you finish, Sandbox's non-persistent design discards everything installed or written during the session; closing the window returns the environment to the original clean snapshot of the core Windows OS with default settings, so every new session starts from the same known-good state.

(Photo: Microsoft Kernel Internals Blog)

The Sandbox is not large (sorry kids), coming in at only about 100MB on disk: the image is generated dynamically from the host's own Windows installation, and the immutable system files are shared with the host rather than copied, so only the mutable files take up space. Microsoft also snapshots the booted sandbox's memory and device state to disk, so later launches restore that state and skip the majority of the boot process, fully taking advantage of the underlying Microsoft hypervisor.

Despite its small size, Windows Sandbox is a real advance for cybersecurity, giving everyday users access to a secure, high-quality testing tool. How do you foresee incorporating this tool into your workflow?

What applications and links would you open in your Sandbox? Are there any feature enhancements that you would suggest Redmond add? Personally, a chronological timeline of changes made to the file system and other critical elements like the Windows Registry would assist greatly in behavior analysis.
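Until Redmond ships the change timeline suggested above, a rough version can be built from PowerShell run inside the Sandbox: snapshot selected folders and registry keys, detonate the sample, snapshot again, and sort the differences by time. The script below is an added example and is not part of the original post or of Windows Sandbox itself; the folders, registry keys and sample path it uses are assumptions, as is the idea that the sample was pasted onto the Sandbox desktop beforehand.

```powershell
# Added example, not part of the original post. Run inside the Sandbox:
# snapshot selected folders and registry keys, detonate the sample, snapshot
# again, and sort the differences by time. The roots, keys and sample path
# below are assumptions; adjust them to the sample under test.

function Get-FsSnapshot {
    param([string[]]$Roots)
    $snap = @{}
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                # Signature = size + last-write ticks; Time = the file's own write
                # time, so added/modified files can be ordered chronologically.
                $snap[$_.FullName] = [pscustomobject]@{
                    Sig  = "$($_.Length):$($_.LastWriteTimeUtc.Ticks)"
                    Time = $_.LastWriteTimeUtc
                }
            }
    }
    return $snap
}

function Get-RegSnapshot {
    param([string[]]$Keys)
    $snap = @{}
    $now  = (Get-Date).ToUniversalTime()
    foreach ($key in $Keys) {
        $subtree = @(Get-Item -Path $key -ErrorAction SilentlyContinue) +
                   @(Get-ChildItem -Path $key -Recurse -ErrorAction SilentlyContinue)
        foreach ($k in $subtree) {
            foreach ($name in $k.GetValueNames()) {
                # PowerShell does not expose a key's last-write time, so registry
                # changes are stamped with the snapshot time instead.
                $data = [string]::Join(',', @($k.GetValue($name)))
                $snap["$($k.Name)\$name"] = [pscustomobject]@{
                    Sig  = "$($k.GetValueKind($name)):$data"
                    Time = $now
                }
            }
        }
    }
    return $snap
}

function Compare-Snapshot {
    param([hashtable]$Before, [hashtable]$After, [string]$Kind, [datetime]$DeletedAt)
    foreach ($path in $After.Keys) {
        if (-not $Before.ContainsKey($path)) {
            [pscustomobject]@{ Time = $After[$path].Time; Kind = $Kind; Change = 'Added';    Path = $path }
        } elseif ($Before[$path].Sig -ne $After[$path].Sig) {
            [pscustomobject]@{ Time = $After[$path].Time; Kind = $Kind; Change = 'Modified'; Path = $path }
        }
    }
    foreach ($path in $Before.Keys) {
        if (-not $After.ContainsKey($path)) {
            [pscustomobject]@{ Time = $DeletedAt; Kind = $Kind; Change = 'Deleted'; Path = $path }
        }
    }
}

# --- usage (assumed paths and keys) ---
$fsRoots = @("$env:USERPROFILE", "$env:ProgramData")
$regKeys = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\Software\Classes')

$fsBefore  = Get-FsSnapshot  $fsRoots
$regBefore = Get-RegSnapshot $regKeys

# Detonate the sample (assumed to have been pasted onto the Sandbox desktop).
Start-Process -FilePath "$env:USERPROFILE\Desktop\suspect.exe" -Wait

$fsAfter  = Get-FsSnapshot  $fsRoots
$regAfter = Get-RegSnapshot $regKeys
$stamp    = (Get-Date).ToUniversalTime()

$timeline = @(Compare-Snapshot $fsBefore  $fsAfter  'File'     $stamp) +
            @(Compare-Snapshot $regBefore $regAfter 'Registry' $stamp) |
            Sort-Object Time
$timeline | Format-Table Time, Kind, Change, Path -AutoSize
$timeline | Export-Csv -Path "$env:USERPROFILE\Desktop\timeline.csv" -NoTypeInformation
```

Two caveats worth keeping in mind: a before/after diff misses anything the sample creates and then deletes between the two snapshots, and `-Wait` only waits for the launched process, so a sample that hands off to a child or a scheduled task needs a `Start-Sleep` before the second snapshot. Copy the CSV out (the clipboard works from the Sandbox) before closing the window, since the non-persistent design discards it along with everything else.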