updates per M doc

This commit is contained in:
jborsecnik 2020-03-12 16:55:16 -07:00
parent 3d91ce3d27
commit 3c04fbfa3d
3 changed files with 99 additions and 123 deletions

View File

@ -15,71 +15,47 @@ ms.reviewer:
# Windows Sandbox architecture # Windows Sandbox architecture
This article describes the Windows Sandbox basics. Windows Sandbox benefits from new container technology in Windows in order to achieve a combination of security, density, and performance that is not available in traditional VMs.
## Dynamically generated image ## Dynamically generated image
At its core, Windows Sandbox is a lightweight virtual machine, so it needs an operating system image to boot from. Instead of giving the sandbox a separate copy of Windows to boot from, our Dynamic Base Image technology lets us use the copy of Windows that's already installed on the host. Containers requires an operating system image to boot from. Rather than providing a separate copy of Windows to boot from, Dynamic Base Image technology leverages the copy of Windows that's already installed on the host.
Most OS files are immutable and can be freely shared with Windows Sandbox. A small portion of the OS files are mutable and we can't be shared. Windows Sandbox contains pristine copies of these files. A complete Windows image can be constructed from a combination of the sharable immutable files on the host and the pristine copies of mutable files. By using this scheme, Windows Sandbox has a full Windows installation to boot from without needing to download or store an additional copy of Windows. Most OS files are immutable and can be freely shared with Windows Sandbox. A small portion of the OS files are mutable and we can't be shared. But the container base image contains pristine copies of these files. A complete Windows image can be constructed from a combination of the sharable immutable files on the host and the pristine copies of mutable files. By using this scheme, Windows Sandbox has a full Windows installation to boot from without needing to download or store an additional copy of Windows.
Before Windows Sandbox is installed, the dynamic base image is stored in a compressed 25-MB package. Once it's installed, the dynamic base package occupies about 500 MB of disk space. Before Windows Sandbox is installed, the dynamic base image package is stored as a compressed 30-MB package. Once it's installed, the dynamic base image occupies about 500 MB of disk space.
![A chart compares scale of dynamic image of files and links with the host file system.](images/1-dynamic-host.png) ![A chart compares scale of dynamic image of files and links with the host file system.](images/1-dynamic-host.png)
## Memory management ## Memory management
For traditional virtual machines (VMs), a portion of host memory is dedicated for exclusive use by the VM. If the host later comes under resource pressure, it can't use the memory that was dedicated to the VM. Nor can it provide more memory, if available, to the VM. Windows Sandbox treats memory more like how memory is allocated to applications. All apps on the machine can request the amount of memory that they need. The amount that they get will be a function of what other apps are running and how much memory they need. And the amount of memory available for use by an application can change over time. Traditional VM's apportion statically sized allocations of host memory. When resource needs change, classic VM's have limited mechanisms for adjusting their resource needs. On the other hand, containers collaborate with the host in order to dynamically determine how host resources are allocated. This is similar to how processes normally compete for memory on the host. If the host is under memory pressure, it is able to reclaim memory from the container much like it would with a process.
## Dynamic working set
When using a VM, the user is effectively partitioning their machine. If the host is under memory pressure, it can't use the memory already allocated to the VM. But applications in the sandbox are treated as equal to apps running on the host, so when apps in sandbox are under memory pressure, you can give more memory to the sandbox (and the same applies to the host). Guest physical pages provided are virtualized.
![A chart compares memory sharing in Windows Sandbox versus a traditional VM.](images/2-dynamic-working.png) ![A chart compares memory sharing in Windows Sandbox versus a traditional VM.](images/2-dynamic-working.png)
## Memory sharing ## Memory sharing
Because Windows Sandbox runs the same operating system image as the host, it has been enhanced to use the same physical memory pages as the host for operating system binaries via a technology referred to as "direct map." For example, when *ntdll.dll* is loaded into memory in the sandbox, it uses the same executable pages as those of the binary when loaded on the host. Memory sharing between the host and sandbox results in a smaller memory footprint when compared to traditional VMs without compromising valuable host secrets. Because Windows Sandbox runs the same operating system image as the host, it has been enhanced to use the same physical memory pages as the host for operating system binaries via a technology referred to as "direct map." For example, when *ntdll.dll* is loaded into memory in the sandbox, it uses the same physical pages as those of the binary when loaded on the host. Memory sharing between the host and sandbox results in a smaller memory footprint when compared to traditional VMs without compromising valuable host secrets.
![A chart compares the memory footprint in Windows Sandbox versus a traditional VM.](images/3-memory-sharing.png) ![A chart compares the memory footprint in Windows Sandbox versus a traditional VM.](images/3-memory-sharing.png)
## Integrated kernel scheduler ## Integrated kernel scheduler
With ordinary virtual machines, the Microsoft hypervisor controls the scheduling of the virtual processors running in the VMs. Windows Sandbox uses a new technology called "integrated scheduling," which allows the host scheduler to decide when the sandbox gets CPU cycles. With ordinary virtual machines, the Microsoft hypervisor controls the scheduling of the virtual processors running in the VMs. Windows Sandbox uses new technology called "integrated scheduling," which allows the host scheduler to decide when the sandbox gets CPU cycles.
![A chart compares the scheduling in Windows Sandbox versus a traditional VM.](images/4-integrated-kernal.png) ![A chart compares the scheduling in Windows Sandbox versus a traditional VM.](images/4-integrated-kernal.png)
Windows Sandbox employs a unique scheduling policy that allows the virtual processors of the sandbox to be scheduled in the same way as threads would be scheduled for a process. High-priority tasks on the host can preempt less important work in the sandbox. The benefit of the integrated scheduler is that the host manages Windows Sandbox as a process rather than a virtual machine, which results in a much more responsive host, similar to Linux KVM. Windows Sandbox employs a unique policy that allows the virtual processors of the Sandbox to be scheduled like host threads. Under this scheme, high-priority tasks on the host can preempt less important work in the Sandbox. This means that the most important work will be prioritized, whether it is on the host or in the container.
The goal is to treat Windows Sandbox like an app but with the security guarantees of a virtual machine.
## Snapshot and clone
As we noted earlier, Windows Sandbox uses the Microsoft hypervisor. It essentially runs another copy of Windows that needs to be booted, and this can take some time. Rather than paying the full cost of booting the Windows Sandbox operating system every time Sandbox starts, two other technologies are utilized: *snapshot* and *clone.*
*Snapshot* allows us to boot the Windows Sandbox environment once and preserve the memory, CPU, and device state to disk. Then we can restore the Sandbox environment from disk and put it in memory, rather than booting it when we need a new instance of Sandbox. By cloning the in-memory snapshot of Windows Sandbox, start time is significantly improved.
## WDDM GPU virtualization ## WDDM GPU virtualization
Hardware-accelerated rendering is key to a smooth and responsive user experience, especially for graphics-intense or media-heavy uses. But virtual machines are isolated from their hosts and can't access advanced devices like GPUs. The role of graphics virtualization technologies is to bridge this gap and provide hardware acceleration in virtualized environments. Hardware accelerated rendering is key to a smooth and responsive user experience, especially for graphics-intensive use cases. Microsoft has worked with its graphics ecosystem partners to integrate modern graphics virtualization capabilities directly into DirectX and WDDM, the driver model used by display drivers on Windows.
Microsoft is working with its graphics ecosystem partners to integrate modern graphics virtualization capabilities directly into DirectX and Windows Display Driver Model (WDDM), the driver model that's used for Windows. This allows programs running inside of the Sandbox to compete for GPU resources with applications running on the host.
![A chart illustrates graphics kernel use in Sandbox managed alongside apps on the host.](images/5-wddm-gpu-virtualization.png) ![A chart illustrates graphics kernel use in Sandbox managed alongside apps on the host.](images/5-wddm-gpu-virtualization.png)
At a high level, this form of graphics virtualization works as follows: To take advantage of these benefits, a system with a compatible GPU and graphics drivers (WDDM 2.5 or newer) is required. Incompatible systems will render apps in Windows Sandbox with Microsoft's CPU-based rendering technology (WARP).
- Apps running in a Hyper-V VM use graphics APIs as normal.
- Graphics components in the VM, which have been enlightened to support virtualization, coordinate across the VM boundary with the host to execute graphics workloads.
- The host allocates and schedules graphics resources among apps in the VM alongside the apps that are running natively. Conceptually, they behave as one pool of graphics clients.
This process is illustrated here:
![A chart illustrates graphics resource use on the host and guest.](images/6-wddm-gpu-virtualization-2.png)
This enables the Windows Sandbox VM to benefit from hardware-accelerated rendering, with Windows dynamically allocating graphics resources where they're needed across the host and guest. The result is improved performance and responsiveness for apps running in Windows Sandbox, as well as improved battery life for graphics-heavy uses.
To take advantage of these benefits, a system with a compatible GPU and graphics drivers (WDDM 2.5 or newer) is required. Incompatible systems will render apps in Windows Sandbox with the Microsoft CPU-based rendering technology, Windows Advanced Rasterization Platform (WARP).
## Battery pass-through ## Battery pass-through
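Review bot: The Dynamically generated image paragraph keeps the broken sentence "A small portion of the OS files are mutable and we can't be shared" on both sides of the hunk; it should read "and can't be shared". In the same section the compressed package size changes from 25 MB to 30 MB with no source given in the commit message, so confirm which figure is current before merging. The Memory management paragraph uses "VM's" twice as a plural; make it "VMs". The hunk also drops the Dynamic working set and Snapshot and clone sections and the three-step description of how enlightened graphics components in the guest coordinate across the VM boundary with the host, leaving the WDDM section with no explanation of how host and guest share the GPU; if the removal is intentional, the remaining sentence "This allows programs running inside of the Sandbox to compete for GPU resources with applications running on the host" needs to stand on its own, and the WARP reference should keep its expansion (Windows Advanced Rasterization Platform) on first use.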

View File

@ -15,7 +15,7 @@ ms.reviewer:
# Use a .wsb file to configure Windows Sandbox # Use a .wsb file to configure Windows Sandbox
Windows Sandbox supports simple configuration files (that have a .wsb file extension), which provide a minimal set of customization parameters for Sandbox. This feature can be used with Windows 10 build 18342 or later. Windows Sandbox supports simple configuration files, which provide a minimal set of customization parameters for Sandbox. This feature can be used with Windows 10 build 18342 or later.
Windows Sandbox configuration files are formatted as XML and are associated with Sandbox via the .wsb file extension. To use a configuration file, double-click it to open it in the sandbox. You can also invoke it via the command line as shown here: Windows Sandbox configuration files are formatted as XML and are associated with Sandbox via the .wsb file extension. To use a configuration file, double-click it to open it in the sandbox. You can also invoke it via the command line as shown here:
@ -25,7 +25,7 @@ Windows Sandbox configuration files are formatted as XML and are associated with
- **vGPU (virtualized GPU)**: Enable or disable the virtualized GPU. If vGPU is disabled, the sandbox will use WARP (software rasterizer). - **vGPU (virtualized GPU)**: Enable or disable the virtualized GPU. If vGPU is disabled, the sandbox will use WARP (software rasterizer).
- **Networking**: Enable or disable network access within the sandbox. - **Networking**: Enable or disable network access within the sandbox.
- **Mapped folders**: Share folders from the host with *read* or *write* permissions. Note that exposing host directories may allow malicious software to affect the system or steal data. - **Mapped folders**: Share folders from the host with *read* or *write* permissions. Note that exposing host directories may allow malicious software to affect the system or steal data.
- **Logon command**: A command that's executed when Windows Sandbox starts. <LogonCommand> - **Logon command**: A command that's executed when Windows Sandbox starts.
- **Audio input**: Shares the host's microphone input into the sandbox. - **Audio input**: Shares the host's microphone input into the sandbox.
- **Video input**: Shares the host's webcam input into the sandbox. - **Video input**: Shares the host's webcam input into the sandbox.
- **Protected client**: Places increased security settings on the RDP session to the sandbox. - **Protected client**: Places increased security settings on the RDP session to the sandbox.
@ -58,37 +58,33 @@ Supported values:
> [!NOTE] > [!NOTE]
> Enabling networking can expose untrusted applications to the internal network. > Enabling networking can expose untrusted applications to the internal network.
**MappedFolders**: Wraps a list of MappedFolder objects. **Mapped Folders**: An array of folders, each representing a location on the host machine which will be shared into the sandbox at the specified path. If no path is specified, the folder will be mapped to the container user's desktop.
`<MappedFolders>` `<MappedFolders>`
list of MappedFolder objects list of MappedFolder objects <MappedFolder>
`</MappedFolders>`
> [!NOTE]
> Files and folders mapped in from the host can be compromised by apps in the sandbox or potentially affect the host.
**MappedFolder**: Specifies a single folder on the host machine that will be shared on the container desktop. Apps in the sandbox are run under the user account *WDAGUtilityAccount*. If no sandbox path is specified, a folder is mapped to the following path:<br/>`C:\Users\WDAGUtilityAccount\Desktop`
Example: "C:\Test" will be mapped as "C:\users\WDAGUtilityAccount\Desktop\Test by default.
```
<MappedFolder>
<HostFolder>path to the host folder</HostFolder> <HostFolder>path to the host folder</HostFolder>
<SandboxFolder>path to the sandbox folder</SandboxFolder> <SandboxFolder>path to the sandbox folder</SandboxFolder>
<ReadOnly>value</ReadOnly> <ReadOnly>value</ReadOnly>
</MappedFolder> </MappedFolder>
<MappedFolder>
...
</MappedFolder>
`</MappedFolders>`
``` ```
*HostFolder*: Specifies the folder on the host machine to share to the sandbox. The folder must already exist on the host, or the container will fail to start if the folder isn't found. *HostFolder*: Specifies the folder on the host machine to share into the sandbox. Note that the folder must already exist on the host or the container will fail to start.
*SandboxFolder*: Specifies the destination in the Sandbox to map the folder to. If the folder doesn't exist, it will be created. *SandboxFolder*: Specifies the destination in the sandbox to map the folder to. If the folder does not exist, it will be created. If no sandbox folder is specified, the folder will be mapped to the container desktop.
*ReadOnly*: If *true*, enforces read-only access to the shared folder from within the container. Supported values: true/false. Defaults to false.
*ReadOnly*: If *true*, enforces *read-only* access to the shared folder from within the container. Supported values: *true*/*false*. Defaults to *false*.
> [!NOTE] > [!NOTE]
> Files and folders mapped in from the host can be compromised by apps in the sandbox or potentially affect the host. > Files and folders mapped in from the host can be compromised by apps in the sandbox or potentially affect the host.
**LogonCommand**: Specifies a single command that will be invoked automatically after the sandbox logs on. **Logon Command**: Specifies a single command which will be invoked automatically after the sandbox logs on. Apps in the sandbox are run under the container user account.
``` ```
<LogonCommand> <LogonCommand>
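Review bot: The rewritten MappedFolders snippet mixes inline code with a fenced block: `<MappedFolders>` and `</MappedFolders>` keep their backticks while the MappedFolder elements sit inside the ``` fence, so the rendered page will show literal backticks around the outer tags and the opening tag outside the block. Put the whole element, outer tags included, inside one fenced block. This hunk also removes the sentence naming the sandbox user account (WDAGUtilityAccount) and its default mapping path C:\Users\WDAGUtilityAccount\Desktop, yet both examples later on the page still hard-code that account in paths such as C:\users\WDAGUtilityAccount\Desktop\vscode.exe; keep the account name in the MappedFolder or LogonCommand description so the examples remain explained. Of the two ReadOnly lines only one italicizes *true*/*false*; keep the italic form to match the *Enable*/*Disable* values used elsewhere on the page.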
@ -99,11 +95,69 @@ Example: "C:\Test" will be mapped as "C:\users\WDAGUtilityAccount\Desktop\Test b
*Command*: A path to an executable or script inside the container that will be executed after login. *Command*: A path to an executable or script inside the container that will be executed after login.
> [!NOTE] > [!NOTE]
> Although very simple commands work (such as launching an executable or script), more-complicated scenarios that have multiple steps should be placed in a script file. This script file can be mapped to the container via a shared folder and then executed via the *LogonCommand* directive. > Although very simple commands will work (launching an executable or script), more complicated scenarios involving multiple steps should be placed into a script file. This script file may be mapped into the container via a shared folder, and then executed via the *LogonCommand* directive.
**AudioInput**: Enables or disables audio input to the sandbox.
`<AudioInput>value</AudioInput>`
Supported values:
- *Enable*: Enables audio input in the sandbox. If this value is set, the sandbox will be able to receive audio input from the user. Applications that use a microphone may need this setting.
- *Disable*: Disables audio input in the sandbox. If this value is set, the sandbox can't receive audio input from the user. Applications that use a microphone may not function properly with this setting.
- *Default*: This is the default value for audio input support. Currently this means audio input is enabled.
> [!NOTE]
> There may be security implications of exposing host audio input to the container.
**VideoInput**: Enables or disables video input to the sandbox.
`<VideoInput>value</VideoInput>`
Supported values:
- *Enable*: Enables video input in the sandbox.
- *Disable*: Disables video input in the sandbox. Applications that use video input may not function properly in the sandbox.
- *Default*: This is the default value for video input support. Currently this means video input is disabled. Applications that use video input may not function properly in the sandbox.
> [!NOTE]
> There may be security implications of exposing host video input to the container.
**Protected Client**: Implements increased-security settings on the sandbox RDP session. These settings decrease the attack surface of the sandbox.
`<ProtectedClient>value</ProtectedClient>`
Supported values:
- *Enable*: Runs Windows sandbox in Protected Client mode. If this value is set, the sandbox runs with extra security mitigations enabled.
- *Disable*: Runs the sandbox in standard mode without extra security mitigations.
- *Default*: This is the default value for Protected Client mode. Currently, this means the sandbox doesn't run in Protected Client mode.
> [!NOTE]
> This setting may restrict the user's ability to copy/paste files in and out of the sandbox.
**Printer Redirection**: Enables or disables printer sharing from the host into the sandbox.
`<PrinterRedirection>value</PrinterRedirection>`
Supported values:
- *Enable*: Enables sharing of host printers into the sandbox.
- *Disable*: Disables printer redirection in the sandbox. If this value is set, the sandbox can't view printers from the host.
- *Default*: This is the default value for printer redirection support. Currently this means printer redirection is disabled.
**ClipboardRedirection**: Enables or disables sharing of the host clipboard with the sandbox.
`<ClipboardRedirection>value</ClipboardRedirection>`
Supported values:
- *Disable*: Disables clipboard redirection in the sandbox. If this value is set, copy/paste in and out of the sandbox will be restricted.
- *Default*: This is the default value for clipboard redirection. Currently copy/paste between the host and sandbox are permitted under *Default*.
**MemoryInMB**: Specifies the amount of memory that the sandbox can use in megabytes (MB).
`<MemoryInMB>value</MemoryInMB>`
If the memory value specified is insufficient to boot a sandbox, it will be automatically increased to the required minimum amount.
***Example 1*** ***Example 1***
The following config file can be used to easily test downloaded files inside of the sandbox. To achieve this, the script disables networking and vGPU, and restricts the shared downloads folder to read-only access in the container. For convenience, the logon command opens the downloads folder inside of the container when it is started.
The following config file can be used to easily test downloaded files inside the sandbox. To do this, the script disables networking and vGPU and restricts the shared downloads folder to *read-only* access in the container. For convenience, the logon command opens the downloads folder inside the container when it's started.
*Downloads.wsb* *Downloads.wsb*
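Review bot: The new ClipboardRedirection entry lists only *Disable* and *Default*; if the element also accepts *Enable* like the other redirection settings, document it, and if not, state explicitly that *Default* is the only value that permits copy/paste. The MemoryInMB entry no longer states a range or minimum; "automatically increased to the required minimum amount" gives the reader no number to plan against, so state the minimum (the text removed later in this commit gave it as an integer greater than 2048 MB) or point to where it is defined. Two of the relocated headings, **Protected Client** and **Printer Redirection**, now carry a space while the element names and the other headings (**AudioInput**, **VideoInput**, **ClipboardRedirection**, **MemoryInMB**) do not; use the element name in every heading so the setting is searchable. Since *Default* leaves Protected Client mode off, a sentence recommending *Enable* when testing untrusted files would belong next to the note about restricted copy/paste. Example 1's introductory paragraph is present in both an old and a new wording; keep one.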
@ -114,34 +168,33 @@ The following config file can be used to easily test downloaded files inside the
<MappedFolders> <MappedFolders>
<MappedFolder> <MappedFolder>
<HostFolder>C:\Users\Public\Downloads</HostFolder> <HostFolder>C:\Users\Public\Downloads</HostFolder>
<SandboxFolder>C:\Users\WDAGUtilityAccount\Downloads</SandboxFolder>
<ReadOnly>true</ReadOnly> <ReadOnly>true</ReadOnly>
</MappedFolder> </MappedFolder>
</MappedFolders> </MappedFolders>
<LogonCommand> <LogonCommand>
<Command>explorer.exe C:\users\WDAGUtilityAccount\Desktop\Downloads</Command> <Command>explorer.exe C:\users\WDAGUtilityAccount\Downloads</Command>
</LogonCommand> </LogonCommand>
</Configuration> </```Configuration>
``` ```
***Example 2*** ***Example 2***
The following config file installs Visual Studio Code in the sandbox, which requires a slightly more complicated LogonCommand setup. The following config file installs Visual Studio Code in the sandbox, which requires a slightly more complicated LogonCommand setup.
Two folders are mapped into the sandbox. The first folder (SandboxScripts) contains VSCodeInstall.cmd, which installs and runs Visual Studio Code. The second folder (CodingProjects) is assumed to contain project files that the developer wants to modify by using Visual Studio Code. Two folders are mapped into the sandbox; the first (SandboxScripts) contains VSCodeInstall.cmd, which will install and run VSCode. The second folder (CodingProjects) is assumed to contain project files that the developer wants to modify using VSCode.
With the Visual Studio Code installer script already mapped into the sandbox, the LogonCommand can reference it. With the VSCode installer script already mapped into the sandbox, the LogonCommand can reference it.
*VSCodeInstall.cmd* *VSCodeInstall.cmd*
``` ```
REM Download Visual Studio Code REM Download VSCode
curl -L "https://update.code.visualstudio.com/latest/win32-x64-user/stable" --output C:\users\WDAGUtilityAccount\Desktop\vscode.exe curl -L "https://update.code.visualstudio.com/latest/win32-x64-user/stable" --output C:\users\WDAGUtilityAccount\Desktop\vscode.exe
REM Install and run Visual Studio Code REM Install and run VSCode
C:\users\WDAGUtilityAccount\Desktop\vscode.exe /verysilent /suppressmsgboxes C:\users\WDAGUtilityAccount\Desktop\vscode.exe /verysilent /suppressmsgboxes
``` ```
VSCode.wsb 8VSCode.wsb*
``` ```
<Configuration> <Configuration>
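Review bot: The closing tag of the Downloads.wsb example is now written as `</```Configuration>`, which breaks both the XML and the markdown fence (the three backticks close the code block early); restore `</Configuration>` with the closing fence on its own line. In the same example the SandboxFolder line appears on only one side of the hunk while the LogonCommand path moves between C:\users\WDAGUtilityAccount\Desktop\Downloads and C:\users\WDAGUtilityAccount\Downloads; per the MappedFolder description above, a folder with no SandboxFolder is mapped to the container desktop, so whichever version is kept, the explorer.exe path must match the actual mapping or the logon command opens a folder that does not exist. The heading for the second example reads `8VSCode.wsb*`; it should be `*VSCode.wsb*` to match `*VSCodeInstall.cmd*` above it.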
@ -161,59 +214,6 @@ VSCode.wsb
</Configuration> </Configuration>
``` ```
**AudioInput**: Enables or disables audio input to the sandbox.
`<AudioInput>value</AudioInput>`
Supported values:
- *Enable*: Enables audio input in the sandbox. If this value is set, the sandbox will be able to receive audio input from the user. Applications that use a microphone may need this setting.
- *Disable*: Disables audio input in the sandbox. If this value is set, the sandbox can't receive audio input from the user. Applications that use a microphone may not function properly with this setting.
- *Default*: This is the default value for audio input support. Currently this means audio input is enabled.
**VideoInput**: Enables or disables video input to the sandbox.
`<VideoInput>value</VideoInput>`
Supported values:
- *Enable*: Enables video input in the sandbox.
- *Disable*: Disables video input in the sandbox. Applications that use video input may not function properly in the sandbox.
- *Default*: This is the default value for video input support. Currently this means video input is disabled. Applications that use video input may not function properly in the sandbox.
**ProtectedClient**: Implements increased-security settings on the sandbox RDP session. These settings decrease the attack surface of the sandbox.
`<ProtectedClient>value</ProtectedClient>`
Supported values:
- *Enable*: Runs Windows Sandbox in Protected Client mode. If this value is set, the sandbox runs with extra security mitigations enabled.
- *Disable*: Runs the sandbox in standard mode without extra security mitigations.
- *Default*: This is the default value for Protected Client mode. Currently, this means the sandbox doesn't run in Protected Client mode.
> [!NOTE]
> This setting may restrict the user's ability to copy/paste files in and out of the sandbox.
**PrinterRedirection**: Enables or disables printer sharing from the host into the sandbox.
`<PrinterRedirection>value</PrinterRedirection>`
Supported values:
- *Enable*: Enables sharing of host printers into the sandbox.
- *Disable*: Disables printer redirection in the sandbox. If this value is set, the sandbox can't view printers from the host.
- *Default*: This is the default value for printer redirection support. Currently this means printer redirection is disabled.
**ClipboardRedirection**: Enables or disables clipboard sharing with the sandbox.
`<ClipboardRedirection>value</ClipboardRedirection>`
Supported values:
- *Disable*: Disables clipboard redirection in Sandbox. If this value is set, copy/paste in and out of Sandbox will be restricted.
- *Default*: This is the default value for clipboard redirection. Currently copy/paste between the host and Sandbox are permitted under *Default*.
**MemoryInMB**: Specifies the amount of memory that the sandbox can use in megabytes (MB).
`<MemoryInMB>value</MemoryInMB>`
Supported values: An integer greater than 2048 (2 GB).
<!-- <!--
FAQ (future) FAQ (future)
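Review bot: Removing this block drops the only statement of the MemoryInMB range ("An integer greater than 2048 (2 GB)"); the relocated entry earlier in this commit does not carry it over, so the value constraint disappears from the page. Either keep that line in the new location or replace it with the actual minimum the sandbox enforces. The rest of the removal (AudioInput through ClipboardRedirection) duplicates the settings now documented before Example 1, and the earlier copies add the notes on the security implications of exposing host audio and video input to the container, so that part of the move is an improvement.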

View File

@ -44,7 +44,7 @@ The following video provides an overview of Windows Sandbox.
## Installation ## Installation
1. Make sure your machine is using Windows 10 Pro or Enterprise build version 18305 or later. 1. Ensure that your machine is using Windows 10 Pro or Enterprise build version 18305 or later.
2. Enable virtualization on the machine. 2. Enable virtualization on the machine.
- If you're using a physical machine, make sure virtualization capabilities are enabled in the BIOS. - If you're using a physical machine, make sure virtualization capabilities are enabled in the BIOS.