Level Up Your Security: Windows 11's Desktop App Sandbox

Windows 11 introduces a new security feature that will sandbox desktop apps for enhanced protection. This move addresses concerns over unrestricted access to sensitive files and hardware, bringing Windows closer to the security models of mobile devices.

Unlike iPhones or Android devices, Windows doesn't have a tightly restricted security model. This means that most software can access and modify system settings, files, and connected hardware. However, there are indications that this may change in the future.

Microsoft has recently announced a number of exciting updates and features that will be coming to Windows 11. One of the most notable additions is the Windows Copilot AI, which is built on the same technology as Bing Chat and ChatGPT. In addition to this, Microsoft has also unveiled a new security feature that will allow for the isolation of Windows applications within a sandbox environment. This means that these applications will not be able to access any data or settings that are not deemed necessary, helping to improve overall security and reduce the risk of breaches.

According to a recent blog post from Microsoft, this new feature will be available in public preview starting tomorrow. It will be available to both consumer and commercial audiences, and developers will be able to use new isolation technologies to significantly reduce the risk of security breaches. By running Win32 apps in isolation, these apps will no longer have unexpected or unauthorized access to critical internal Windows subsystems, which will help to minimize the damage in the event that an app is compromised.

Running applications in a sandboxed environment is becoming increasingly common in modern technology, including web apps, iPhone and Android applications, and macOS. Sandboxing ensures that each permission is explicitly granted, adding an extra layer of security. However, Microsoft's initial attempt at this, the Universal Windows Platform (UWP), was not successful for various reasons. As a result, Microsoft merged UWP features and APIs into the regular Windows APIs (Win32) with Project Reunion. Unlike original UWP apps, Windows software can still run relatively unrestricted on PCs.

It is unclear whether the sandbox feature will be something that users can control or if it will be an opt-in feature for applications. If the ability to run any application in a sandbox is granted, it would be extremely beneficial. There are many apps on my PC that do not require access to my entire file system, and I would prefer to limit their permissions.

Despite being limited to software built for it, the sandbox feature has the potential to greatly benefit Windows. For instance, web browsers could utilize it to enhance their sandboxing capabilities, thus providing better protection against any zero-day vulnerabilities that may arise. Furthermore, some PC games currently employ anti-cheat measures that operate at the kernel level in Windows, which poses a significant security risk. As such, the built-in Windows feature could offer a viable alternative. While we will need to wait to see how sandboxing performs in practice, any progress in this area is certainly a positive development.