Microsoft is thrilled to announce the public preview of Win32 app isolation, a security feature designed to be the default isolation standard on Windows clients. It is based on AppContainers and offers several added security features to help protect against zero-day attacks and safeguard user privacy. Developers can update their apps using the tools provided by Microsoft to take advantage of this new security feature.
Win32 App Isolation: Improve Security for Windows Clients
Win32 App Isolation is a new security feature designed to be the default isolation standard on Windows clients. It is built on AppContainers and offers several added security features to help Windows platform defend against attacks that leverage vulnerabilities in the application. To isolate their apps, application developers can update their applications using the tools provided by Microsoft.
Win32 app isolation achieves its goal of limiting impact (in the event apps are compromised) by running apps with low privilege, which requires a multi-step attack to break out of the container. Attackers must target a specific capability or vulnerability, compared to having broad access. Since the attack must be directed at one particular vulnerability, mitigation patches can be quickly applied, reducing the shelf life of the attack.
Reduce Developer Effort
To reduce the effort required for developers to update their apps, Microsoft provides developer tools and experiences, focusing on the MSIX packaging tool and the Application Capability Profiler. The Application Capability Profiler (ACP) simplifies the entire process by allowing the application to run in “learn mode” with low privileges.
Seamless User Experience
To create a smooth user experience that aligns with non-isolated/native Win32 applications, two key factors should be taken into consideration. Access to a user’s private data, such as camera, microphone, location, images, files, or folders, is not permitted without the user’s permission. However, the app may require access to certain program files, such as .NET libraries or protected registry keys. To help prevent unauthorized access, several instrumentations have been built. Win32 apps need to explicitly include the “isolatedWin32-promptForAccess” capability and declare their intent to support prompting.
“The protection offered by Win32 App isolation follows a two-step process. In the first step, the Win32 application is launched as a low integrity process using AppContainer, which is recognized as a security boundary by Microsoft.”
To help ensure that isolated applications run smoothly, developers must define the access requirements for the application via access capability declarations in the application package manifest. Furthermore, capabilities included in the application manifest enable interactions with other Windows components, such as shell notifications and system tray icons. This ensures that these functionalities can be utilized without compromising the security of these applications.
Win32 App Isolation is currently available for public preview. To learn more about isolating your existing or new Win32 Apps, visit the GitHub page at: microsoft/win32-app-isolation (github.com). We look forward to your participation!
Key points from the article:
- Public preview of Win32 app isolation to improve security on Windows clients
- Built on AppContainers and offers several added security features
- Helps protect against zero-day attacks and safeguard user privacy
- Enforces least privilege through added capabilities and employs various strategies to help prevent unauthorized access
- Minimizes developer effort and maintains application compatibility
From the Windows Blog