Sandboxing with Hyper-V and Windows Containers: A Practical Guide

Sandboxing is a technique commonly used in security, software development, and IT resource provisioning. It involves granting each application, process, or user its own isolated environment. Read this post for an excellent background to sandboxing technology.

 

In this article I’ll discuss how to perform sandboxing in a Windows environment using Hyper-V, Windows Containers, and the Windows Sandbox environment built into Windows 10.

What Is Hyper-V?

Microsoft Hyper-V offers hardware virtualization. You can use Hyper-V to create and run a virtual machine (VM), a virtual computer running its own operating system and applications.

Instead of running a single operating system on physical hardware, you can use Hyper-V and run each VM inside its own isolated space. Hyper-V enables you to run multiple VMs simultaneously, on the same hardware. 

Hyper-V can help you prevent crashes from affecting other workloads. It also enables you to provide different people, services and groups access to different resources and systems.

 

What Is Windows Sandbox?

Windows Sandbox is built into Windows 10 (Pro/Enterprise). It is based on Windows Containers technology, and supports use cases like troubleshooting, demos or isolation of untrusted or malicious software. Behind the scenes, Windows Containers uses Hyper-V, but you do not control Hyper-V or directly work with VMs.

Windows Sandbox starts clean on each run and does not have a persistent state. The sandbox provides a dedicated configuration file format, called .WSB, which you can use to configure a wide range of options, including mapped folders, vGPU, networking and an automated script that can run at user login.

Once you initiate the sandbox, it launches a Windows 10 VM. The sandbox employs the strict virtualization security of Hyper-V and also contains features that enable resource sharing with your host machine. This allows you to reduce memory and CPU consumption. Once you shut down the sandbox, all software, files and state are deleted permanently. 

 

What is the Difference Between Windows Sandbox and a Windows 10 VM?

Windows Sandbox is similar to a Hyper-V virtual machine, but there are a few key differences:

You do not access Windows Sandbox through Hyper-V Manager or an RDP session. Windows Sandbox has its own interface.

Windows Sandbox does not require any installation—it is built into Windows 10. 

Windows Sandbox is based on Windows Containers technology, which is more lightweight than traditional Hyper-V. This is why Sandbox loads much faster than a Windows 10 environment that runs on a Hyper-V VM.

Windows Sandbox uses a dynamic base image, which contains clean copies of operating system files that can get modified, while referencing back to existing operating system files if they do not change. 

A Windows Sandbox typically takes up around 100MB of space vs. several GBs for a full Windows 10 VM using Hyper-V.

When you first launch a sandbox, Windows writes to the disk its memory and CPU state. The following times you run the same sandbox, Windows loads this saved state instead of booting it from scratch.

 

Windows Sandbox Installation and Configurations

The following is a brief tutorial showing you how to install and use Windows Sandbox.

Installation

To run Windows Sandbox, you will need the following:

  • Windows 10 Pro, Enterprise or Education. The Sandbox is included in builds 18305 onwards. Note that Windows Sandbox is not currently supported on Home SKUs.
  • Enable virtualization capabilities in BIOS
  • AMD64 architecture
  • At least 1 GB disk space, 4 GB of RAM, preferably 4 CPU cores (2 minimum)

 

To install Sandbox, follow these steps:

  1. Enable virtualization on your machine. Here are the two main options:
  • On a physical machine, you’ll need to configure the BIOS to turn on virtualization.
  • When using a VM, you must run a PowerShell command to enable nested virtualization. Use the following command, replacing NAME with the VM name:

Set-VMProcessor -NAME \<NAME> -ExposeVirtualizationExtensions $true

 

  1. In the taskbar search box, search for the Turn Windows Features on and off screen. Locate the Windows Sandbox option, turn on this feature, and click OK. If you are prompted, restart your computer.
  2. Go to the Start menu and choose the Windows Sandbox option, to run your sandbox for the first time.

Usage

To use Windows Sandbox with Hyper-V:

  1. On the host machine, copy the Hyper-V executable, and other files or libraries needed to run your target application. Copy these into the sandbox environment, and run the installer inside the sandbox. 
  2. Once you finish experimenting, close your sandbox. You’ll see a dialog box saying that sandbox content is discarded - choose OK.
  3. Confirm that your host machine does not exhibit any modifications you have made in Windows Sandbox.

 

Configuration

Windows Sandbox uses configuration files that let you customize how it works. These configuration files come in XML format and get associated with a sandbox via the .wsb file extension. Note that sandbox customization is only available from build 18342 onwards. 

 

Here are several aspects you can control by using configuration files:

 

  • vGPU (virtualized GPU)—lets you enable or disable virtualized GPU (vGPU). If you disable the GPU, windows will use WARP, its software-based acceleration engine.
  • Networking—allows you specify if the sandbox should have access to the network.
  • Mapped folders—lets you make host folders accessible to the sandbox. You can permit the sandbox to write to the folders, or make them read only. Note that exposing host directories might allow malicious software (malware) to steal data or affect the system.
  • Logon command—this command is executed once Windows Sandbox starts.
  • Audio input—can share the microphone input of the host with the sandbox.
  • Video input—can share the webcam input of the host with the sandbox.
  • Protected client—provides additional security features when Remote Desktop Protocol (RDP) is used to connect remotely to the sandbox.
  • Printer redirection—can share printers from the host with the sandbox.
  • Clipboard redirection—makes it possible for the sandbox to access the host Windows clipboard, enabling copy paste between the host and the sandbox. This can also have negative security implications and should be enabled with care.
  • Memory in MB—lets you limit the system memory available to the sandbox.

 

Creating a Configuration File for Windows Sandbox

Here is how to create a simple XML configuration file for a sandbox:

  1. Open a source code editor or plain text editor, such as Notepad or Visual Studio Code.
  2. Insert the following lines:

          <Configuration>

         </Configuration>

    3. Add the relevant configuration text between the two lines. 
    4. Save your file with a descriptive name. Use the .wsb filename extension. In Notepad, you must enclose the filename and extension inside double quotation               marks. For example: "My configuration file.wsb".

You can use a configuration file by double-clicking it to start Windows Sandbox. You can also invoke the file via the following command: MyConfigFile.wsb 

Below is an example provided in the Windows Sandbox documentation. You can use it to test suspicious downloaded files inside a sandbox. To do this, you must disable networking and vGPU and enable read-only access to the shared downloads folder. The logon command opens the downloads folder inside the sandbox once it is started.

 

Conclusion

In this article I discussed how to create a sandbox environment using Windows Sandbox, a feature built into Windows 10. 

I explained the differences between a traditional Hyper-V VM and a Windows Sandbox environment—mainly that Windows Sandbox loads much faster and uses less system resources, because it is based on Windows Containers and stores a cache of CPU and memory state in the file system. 

Finally, I showed how to get started with Windows Sandboxing—enabling Windows Sandbox in Windows 10, using it, and creating your own sandbox XML configuration.

I hope this will be of help as you evaluate the use of Windows sandboxing for your organization.

Disqus Comments